GuidePoint Security on Healthcare Zero Trust
As a follow-on to this spring’s Executive Order for Improving the Nation’s Cybersecurity, the White House Office of Management and Budget released a draft blueprint for a so-called Zero Trust approach to fending off hackers. As federal agencies and the healthcare industry evaluate and begin to implement this Zero Trust approach, many are going to find they are years away from being ready to deploy it and make the necessary changes.
When it comes to Zero Trust, the first baseline we need to establish is that the traditional network perimeter no longer exists. The second thing we must understand is that Zero Trust is not a product… it’s an approach to security that enables organisations to identify high value assets and data within the network and to protect that information beyond what traditional cybersecurity methods provide. Additionally, and perhaps just as importantly, it’s about enabling business agility and automating processes so that the security controls are essentially transparent to users whose focus is first and foremost on patient care.
Where do most organisations stand in terms of Zero Trust Adoption?
So let’s examine where healthcare organisations are today in their Zero Trust journey. Shifting to a Zero Trust approach is not a wholesale replacement of the infrastructure - it’s an incremental journey of modernising the IT and security environment. What we know cannot happen is security controls that impact patient care: a doctor or nurse being delayed or denied access to specific devices and data in a situation that could be life or death. You can't have a doctor use a unique login every time he or she needs to access an application, because this could seriously impact their ability to provide patient care.
As you go along your Zero Trust journey you will go from a manual, static environment to a fully automated environment that can make decisions based on your behaviour in real time to determine access. While mapping out security requirements, it’s important to build in as much automation as possible, so that controls are transparent to the end users. Hypothetically, maybe requiring that unique login every several hours is more of an acceptable risk balance. Healthcare organisations must weigh these types of considerations and risks when it comes to balancing security and operations.
The challenge here is that some segments of a healthcare organisation may be further along this path than others. What must be considered is that there are typically many older systems set up within flat network architectures and run by manual processes. So the adoption curve must also include modernising the technology, because without that, the automation that is key to making this all work will be limited. It is also important to understand the cost of such modernisation, which involves:
- Shifting from traditional moat and castle security perimeter controls to security based around identity access management
- Micro-segmenting the network to minimise risk
- Moving data and apps to the cloud
- Protecting IoMT - Internet of Medical Things
- Telemedicine Adoption
This can’t all be done at once, so it’s important to build out a strategy and roadmap based on where the organisation is today and where it wants to go. The minimum requirement is to define the organisation’s high value assets and determine which systems and applications really need this enhanced protection. The environment is typically very dynamic, and there are now more network-connected medical devices that doctors rely on to provide patient care. From a security perspective, not all medical devices are equal; they need to be understood and treated separately. Organisations have to build a thorough inventory of what they have in the environment and what each device does, and from there understand the risk if a device were breached or if a doctor couldn’t access the device or data.
The roadmap needs to consider not only the technology but also the people and processes - remember, it’s about enabling productivity in a secure manner. That includes interoperability between technologies and the process flows that depend on them. So, in making these changes, how will they impact users in their day-to-day jobs?
What cultural shifts need to happen for Zero Trust to become a reality?
When it comes to cybersecurity, the traditional legacy systems approach operated with implicit trust. Zero Trust implements least-privilege, per-request access: if you don’t require access, you don’t get access. Zero Trust is a shift from a location-centric model to a data-centric model, and it provides granular access control based on least privilege. Education is needed on why the Zero Trust shift is needed. Additionally, there are technology and requirement changes, with healthcare records being online, new medical IoT devices, and older technology still in use.
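The per-request, least-privilege decision described here, together with the earlier point that a unique login every several hours can be an acceptable risk balance, as an added example that is not GuidePoint’s code and not any product’s API: a toy policy decision point in Python. It evaluates each request from the user’s role, a device inventory, the resource’s sensitivity, the age of the session and one behaviour signal, and prefers a step-up re-authentication over a denial where re-proving identity resolves the doubt. The device inventory, resource catalogue, role grants, user names and the eight-hour window are all constructed assumptions.

```python
"""Added example (not GuidePoint's code): a toy Zero Trust policy decision point.

Each request is judged on its own (per-request, least privilege) from the
user's role, the device inventory, the resource's sensitivity, how long ago
the user last authenticated, and one behaviour signal. Every name, threshold
and record below is an assumption constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed re-authentication window for high value assets: the "unique login
# every several hours" risk balance instead of a fresh login on every access.
HIGH_VALUE_REAUTH_WINDOW = timedelta(hours=8)


@dataclass(frozen=True)
class Device:
    device_id: str
    kind: str              # e.g. "workstation", "infusion_pump"
    managed: bool          # enrolled in device management / posture reporting
    patch_current: bool


@dataclass(frozen=True)
class Resource:
    name: str
    high_value: bool       # identified as a high value asset or data set
    allowed_roles: frozenset


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    device_id: str
    resource: str
    authenticated_at: datetime   # when the user last proved their identity
    now: datetime
    usual_location: bool = True  # behaviour signal: seen from a known site


@dataclass(frozen=True)
class Decision:
    action: str   # "allow", "step_up" (re-authenticate first) or "deny"
    reason: str


# Constructed inventory and asset catalogue (assumptions, not real systems).
DEVICES = {
    "ws-icu-04": Device("ws-icu-04", "workstation", managed=True, patch_current=True),
    "pump-17": Device("pump-17", "infusion_pump", managed=False, patch_current=False),
}
RESOURCES = {
    "ehr": Resource("ehr", high_value=True, allowed_roles=frozenset({"doctor", "nurse"})),
    "scheduling": Resource("scheduling", high_value=False,
                           allowed_roles=frozenset({"doctor", "nurse", "admin"})),
}


def evaluate(req: Request, devices=DEVICES, resources=RESOURCES) -> Decision:
    """Decide one request with no implicit trust: an unknown device or resource
    is denied, a role must be explicitly granted, and high value assets add
    device-posture and session-age checks. Step-up is preferred to denial where
    re-proving identity resolves the doubt, so clinicians are not locked out."""
    resource = resources.get(req.resource)
    if resource is None:
        return Decision("deny", "unknown resource")
    device = devices.get(req.device_id)
    if device is None:
        return Decision("deny", "device not in inventory")
    # Least privilege: access is granted per resource and role, never by default.
    if req.role not in resource.allowed_roles:
        return Decision("deny", f"role {req.role} not granted {resource.name}")
    if resource.high_value:
        if not (device.managed and device.patch_current):
            return Decision("deny", "high value asset requires a managed, patched device")
        session_age = req.now - req.authenticated_at
        if session_age > HIGH_VALUE_REAUTH_WINDOW:
            return Decision("step_up", "session older than re-authentication window")
        if not req.usual_location:
            return Decision("step_up", "unusual location for this user")
    return Decision("allow", "policy satisfied")


def request_at(user, role, device_id, resource, hours_since_login, usual_location=True):
    """Build a Request against a fixed clock (constructed for reproducibility)."""
    now = datetime(2021, 10, 1, 14, 0, tzinfo=timezone.utc)
    return Request(user, role, device_id, resource,
                   now - timedelta(hours=hours_since_login), now, usual_location)


if __name__ == "__main__":
    sample = [
        request_at("dr.lee", "doctor", "ws-icu-04", "ehr", 2),
        request_at("dr.lee", "doctor", "ws-icu-04", "ehr", 9),
        request_at("dr.lee", "doctor", "ws-icu-04", "ehr", 1, usual_location=False),
        request_at("dr.lee", "doctor", "unknown-laptop", "ehr", 0),
        request_at("a.smith", "admin", "ws-icu-04", "ehr", 0),
        request_at("n.kim", "nurse", "pump-17", "scheduling", 0),
        request_at("n.kim", "nurse", "pump-17", "ehr", 0),
    ]
    for r in sample:
        d = evaluate(r)
        print(f"{r.user:8} {r.role:7} {r.device_id:15} {r.resource:11} -> {d.action:7} ({d.reason})")
```

The order of checks is the point: inventory membership and explicit role grants are evaluated before anything else, so a device nobody catalogued or a role nobody granted never reaches the sensitive-asset rules, while a clinician on a managed workstation inside the window is allowed silently, which is the transparency the article asks for. In a real deployment the inventory, posture and behaviour inputs would come from device management, identity and analytics systems rather than inline dictionaries.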
In order to help spur that cultural shift, Zero Trust must be put through the lens of “How can we make everything simpler for the users?” Doctors and nurses (the users of the devices and data) are critical users and they’re first and foremost focused on patient care. This is why it’s critical to educate them on how to use these new tools and process improvements from the perspective of helping them to be more efficient in their jobs.
With the pandemic, many healthcare organisations now offer telemedicine. How do we enable telemedicine and healthcare from anywhere? Zero Trust must enable a new world where healthcare can be provided from anywhere… anytime… securely. Whether it’s devices that enable a doctor to provide patient care from anywhere or devices that provide patient information back to a doctor, how can we streamline these activities and ensure the sensitive information is protected? That means getting everyone involved to think about these things and provide their input, so that security doesn’t impact productivity but actually helps enable it.
What stakeholders are needed within a healthcare organisation?
Since Zero Trust is an approach, it cuts across the entire organisation. The executive team, with the CIO or CISO as the lead, must pull in doctors, office administrative staff, IT and infosecurity teams to understand the needs and impact from each department. This cannot be done successfully in a vacuum! This strategy and feedback loop must consist of a cross-section of different roles to understand the impact to users, to understand the process flows and to make sure that all aspects are considered both from a security and an operational perspective.
Zero Trust is a hot topic in cybersecurity and a methodology that requires a crawl, walk, run plan to implement. Mapping out the high value assets, the greatest risks, and understanding the impact to those responsible for patient care are the key considerations with which to start. Employing a strategy that pulls in stakeholders from across the organisation and focuses on how to automate processes, increases interoperability across different devices and systems, and provides centralised visibility will put a healthcare organisation on a path to Zero Trust success.