
Zero Trust Adoption Reaches Record High in Healthcare

Okta found that 58% of surveyed healthcare organizations started implementing zero trust initiatives this year, compared to just 37% last year.

By Jill McKeon

Zero trust adoption is gaining significant traction in the healthcare sector this year, Okta discovered in its latest report on the state of zero trust security.

In Okta’s 2021 report, just 37 percent of surveyed healthcare organizations had started implementing zero trust initiatives. This year’s report found that 58 percent have already begun implementing zero trust initiatives, a 21 percentage point increase.

Additionally, 96 percent of healthcare respondents said that they already have or are planning to implement a zero trust initiative in the next 12 to 18 months, compared to 91 percent last year.

Zero trust relies on the idea that no device or user is trusted by default: every access request is authenticated and authorized against a strict set of checks before it is granted, regardless of where it originates. Rather than a single technology or strategy, zero trust is a collection of cyber defenses that examine threats both inside and outside the network perimeter.

The potential reasons for this uptick in adoption largely point to the volatility of the current cyber threat landscape. The healthcare sector has had to adapt and embrace innovative methods of securing its systems in order to appropriately counter cyber threats.

“The healthcare sector is facing an increase in cyberattacks and is a prime target due to threat actors' focus on critical infrastructure, as well as the abundance of protected health information (PHI) that is lucrative on the dark web,” Chris Niggel, Regional CSO, Americas at Okta told HealthITSecurity.

“The rapid need to provide online healthcare resources has also created a new attack surface that already-strained IT departments need to protect, with data breaches in healthcare often stemming from attacks such as compromised credentials and phishing on internet-accessible applications. This is where zero trust and identity become especially critical in protecting against these attack methods.”

The types of zero trust projects that organizations are embarking on include cloud transformation work, implementing multifactor authentication (MFA), securing vulnerable access points, and leveraging and integrating identity and access management (IAM) platforms with other critical security solutions.

Niggel and the Okta report stressed the importance of identity’s role in zero trust. In healthcare, 98 percent of respondents said that identity played a meaningful role in their zero trust security strategies, with 27 percent calling identity “business critical.”

“As we look back at the types of attacks that have been successful against healthcare, the risks we identify can be reduced to two fronts — improper data access by external or internal actors, and access to systems through unpatched vulnerabilities,” Niggel explained.

“Identity-based Zero Trust models provide a foundation to solve for the first risk by ensuring access to sensitive data is provided only to the correct individual from approved systems. This allows healthcare organizations more resources to focus on security hygiene and understanding of their security perimeter and ensure that systems on the internet are fully patched and monitored.”

Some major projects that healthcare respondents said they expected to complete in the next 6 to 12 months include extending single sign-on (SSO) for employees and securing access to APIs. Healthcare respondents also identified three factors that they deemed most critical for controlling and approving access to internal resources in 2022: device trust, geographic location, and trusted IP.
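To make the access-control factors named above concrete (MFA, device trust, geographic location and trusted IP, with nothing trusted by default), here is an added illustrative policy evaluator. It is example code written for this article, not Okta's or any survey respondent's implementation; the resource names, network ranges and country list are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class AccessRequest:
    user: str
    mfa_verified: bool     # strong authentication completed for this session
    device_managed: bool   # device trust: enrolled, compliant endpoint
    source_ip: str
    country: str           # geographic location signal (e.g. from IP geolocation)
    resource: str

@dataclass
class ZeroTrustPolicy:
    trusted_networks: list          # CIDR strings treated as "trusted IP"
    allowed_countries: set
    phi_resources: set = field(default_factory=set)  # systems holding PHI

    def evaluate(self, req: AccessRequest):
        """Return ("allow", []) or ("deny", [reasons]). Default is deny:
        every signal must pass; no user or device is trusted implicitly."""
        reasons = []
        if not req.mfa_verified:
            reasons.append("mfa_required")
        if not req.device_managed:
            reasons.append("untrusted_device")
        if req.country not in self.allowed_countries:
            reasons.append("geo_not_allowed")
        ip = ipaddress.ip_address(req.source_ip)
        on_trusted_ip = any(ip in ipaddress.ip_network(n, strict=False)
                            for n in self.trusted_networks)
        # PHI systems additionally require a trusted network; other resources
        # accept any allowed country once MFA and device trust are satisfied.
        if req.resource in self.phi_resources and not on_trusted_ip:
            reasons.append("phi_requires_trusted_ip")
        return ("allow", []) if not reasons else ("deny", reasons)

# Constructed sample policy: RFC 5737 documentation ranges, one allowed country.
SAMPLE_POLICY = ZeroTrustPolicy(
    trusted_networks=["10.0.0.0/8", "203.0.113.0/24"],
    allowed_countries={"US"},
    phi_resources={"ehr"},
)

if __name__ == "__main__":
    req = AccessRequest("nurse1", True, False, "198.51.100.9", "US", "ehr")
    print(SAMPLE_POLICY.evaluate(req))  # → ('deny', ['untrusted_device', 'phi_requires_trusted_ip'])
```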

The report’s findings exemplified the crucial role that identity plays in security and zero trust architectures as a whole. Additionally, zero trust lends itself to compliance with federal health data security and privacy standards.

“Zero Trust models align extremely well to healthcare regulatory requirements, as at the heart of the HIPAA Privacy rule is the need to ensure that only the right identities have the right level of access to healthcare data, and identity is the core of a proper Zero Trust strategy,” Niggel reasoned.

“Due to the interconnected nature of healthcare devices, legacy perimeter-based security approaches and low-assurance factors such as passwords leave organizations susceptible to attacks. A Zero Trust framework ensures healthcare organizations enable productive work for providers, IT staff, and contingent workers alike, while ultimately protecting PHI.”

Niggel recommended that healthcare organizations that have not yet started zero trust initiatives begin by leaning into identity-based solutions such as MFA and SSO to safeguard PHI.