Implementing a Zero Trust Architecture For Medical Device Security

May 23, 2023 - A zero trust architecture can help organizations across all sectors secure their networks and keep cyber threats at bay. Zero trust is not a standalone technology or tactic, but an array of cyber defenses that operate under the principle that anything inside or outside network perimeters should not be automatically trusted.

In the case of healthcare, in addition to a typical enterprise’s systems, entities must also keep track of thousands of medical devices. The latest paper from the Cloud Security Alliance (CSA) made the case for leveraging zero trust principles to strengthen medical device security.

“Medical devices pose a significant security risk to both networks and Healthcare Delivery Organizations (HDOs), potentially compromising their operations and patient data,” the paper stated.

“As a result, security architects are forced to re-examine the concept of identity. Essentially, every connected medical device has an identity and must be under consideration within the Zero Trust Framework.”

Zero trust maturity has five pillars: identity, device, network, application, and data. CSA examined how healthcare organizations can implement zero trust for medical devices based on this maturity model.

“Before we discuss implementing zero trust for medical devices, it is essential to note that it would be very labor-intensive to attempt management manually due to the number of devices in most HDOs. HDOs need tools to manage the micro-segmentation of their network, enforce policies, identify vulnerabilities, and provide end-point detection and response,” the paper noted.

“In addition, they need a program that will enable them to see all devices. The management program should provide a complete inventory of all devices and their location. The inventory should include fingerprinting devices to inventory with sufficient specificity and detail to make effective near-realtime authorization decisions on resource requests.

Within the identity pillar, CSA suggested healthcare organizations take steps to ensure that the proper users and devices have access to the right resources at the right time. For medical devices, it is crucial that authorized users are able to access these devices when they need to, which can be a challenge as medical devices may not be able to authenticate in a consistent manner compared to other network devices.

Under the device pillar, CSA recommended that organizations focus on comprehensive device visibility, extended detection and response (XDR) technologies, and dynamic segmentation to help achieve device security using zero trust principles.

“The third pillar is the network. The network refers to open communications mediums, including internal networks, wireless, and the Internet. The network maturity model functions are segmentation, threat protection, and encryption,” the paper continued.

“HDOs need to align network segmentation and protections according to the needs of application workflows instead of the implicit trust inherent in traditional network segmentation.”

The application pillar encompasses applications that execute in the cloud and on-premise. Under this pillar, CSA recommended that organizations architect the zero trust environment to ensure that users do not have access before authorization. In addition, micro-segmentation, ongoing verification, and data encryption are crucial for application security.

Data is the fifth and final pillar. CSA suggested that organizations employ a data loss prevention (DLP) solution that considers security while data is at rest, in motion, or in use. The paper provided detailed action-items for each pillar that can be applied to medical devices in a zero trust environment.

“These security tools, as well as the HDOs current security tool, will provide a secure zero trust environment. In this environment, all devices are identified, and all access is limited and controlled. All data is encrypted, and the location is known,” the paper concluded.

“The combination of access control, isolation, and continuous monitoring provides an environment where vulnerabilities are identified, and mitigating controls are in place until the device can be remediated. While HDOs cannot eliminate risk, zero trust currently provides the best security.”