Is momentum finally building for the ‘zero trust’ security strategy?
The rise in cyberattacks, a shift in federal strategies and legislative efforts all could be catalysts for the updated cybersecurity approach.
The “zero trust” cybersecurity strategy, which has been around for more than a decade, has seen significant adoption in many sectors. But relatively few healthcare organizations have fully adopted the model.
However, momentum for adopting the strategy in healthcare could build as a result of the rising risk of cyberattacks – including ransomware incidents – the ongoing shift to the zero trust approach in the federal government and new legislative initiatives, among other factors.
Radical shift in approach
The main concept behind the zero trust security model is “never trust, always verify,” which means that devices should not be trusted by default – even if they are connected to a corporate network or were previously verified. The strategy involves implementing user and device authentication every time system access is requested, but it goes far beyond the use of any one security technology.
The healthcare sector, like many others, has long used a security strategy based primarily on protecting the corporate perimeter. But cloud computing has made a “perimeterless” security approach more appropriate. And the zero trust model is particularly appropriate in healthcare because of a dispersed workforce, the rising use of personal devices, the growth of connected medical devices and the push toward interoperability. All of these factors, after all, increase the risk that cybercriminals can enter networks and find pathways to critical medical information.
Government as a catalyst
The movement to the zero trust strategy in healthcare is not yet mandated. Last year, however, President Joe Biden signed an executive order calling for federal government agencies to shift to a zero-trust architecture.
The ongoing movement by technology vendors to comply with zero trust contract requirements of federal agencies will result in changes to their products, and that tech shift eventually will lead healthcare providers to embrace zero trust, says Paresh Patel, vice president of management consulting and the cyber lead for CGI Federal, an information technology consultancy.
Vendors “are putting measures in place that will become part of the fabric of how they do business,” he adds. “Healthcare will benefit from this and see it as a step in the right direction. It’s just a catalyst for change.”
In late March, Senators Bill Cassidy, R-La., and Jacky Rosen, D-Nev., introduced the Healthcare Cybersecurity Act, which would require the Cybersecurity and Infrastructure Security Agency (CISA) to work with the Department of Health and Human Services to improve security within the healthcare sector. This legislation, if enacted, could eventually be yet another catalyst for the adoption of the zero trust strategy.
The proposed law would require CISA to help develop security resources for healthcare, gather and disseminate information on potential threats, and enable better education on those threats. The Act also would require CISA to conduct a formal assessment of healthcare cybersecurity risks, particularly threats to medical devices and electronic health records, as well as gauge shortages of security workers in healthcare.
Meanwhile, President Biden in March signed into law the Strengthening American Cybersecurity Act, which, among other things, would require “critical infrastructure entities” to report major cyber incidents to CISA – which it defines as those leading to disruption of business operations or compromises to confidentiality – within 72 hours of discovery. The entities also must notify CISA within 24 hours of making a ransomware payment. It is not yet certain what the implications for the healthcare sector will be, or whether these requirements will be layered on top of HIPAA rules.
Why zero trust makes sense
Healthcare’s longstanding “castle and moat” perimeter-based approach to security clearly is outdated given the current environment, says Patel.
Under this old model, after a user or device gains access to a network, they are deemed to be trustworthy and can access data and systems at will. In the zero trust model, users and their devices must be securely authenticated each and every time they request system access.
This approach, Patel says, makes sense in light of such factors as clinicians using their own smartphones to interact with clinical systems, the proliferation of often poorly protected connected medical devices and the emergence of API-based health apps designed to improve interoperability.
Because so many devices that weren’t developed with security in mind are now accessing healthcare systems, they can become an avenue for attackers to infiltrate a network, Patel explains.
Mac McMillan, CEO of CynergisTek, a cybersecurity consultancy, says the zero trust strategy, when appropriately adopted, helps to prevent malware from coming into a network from unauthorized devices. “It just makes it harder for the bad guys to come – it’s a better model for today, with dispersed systems, remote users and so many people coming in,” he says.
Also, role-based access to systems, which restricts access to the most sensitive data to those who really need it, helps enhance security. McMillan says role-based access is an essential component of a zero trust approach because it enables organizations “to establish access at a more granular level.”
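The contrast between the old network-location model and the per-request verification Patel and McMillan describe can be made concrete in code. The following is an added illustration, not code from the article or from the organizations quoted; the role table, request fields, posture flags and 10.0.0.0 corporate address range are all constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed role table: the least-privilege scope each role may reach.
ROLE_PERMISSIONS: Dict[str, set] = {
    "clinician": {"ehr:read", "ehr:write"},
    "billing": {"claims:read"},
    "medical_device": {"telemetry:write"},
}
CORPORATE_PREFIX = "10.0."  # constructed corporate LAN range

@dataclass
class Request:
    principal: str           # user or device identity
    role: str
    source_ip: str
    identity_verified: bool  # MFA for people, a device certificate for equipment
    device_managed: bool     # enrolled in management and attesting its posture
    device_patched: bool
    action: str              # the resource and operation being requested

def perimeter_allows(req: Request) -> bool:
    """Castle-and-moat: anything already inside the network is trusted."""
    return req.source_ip.startswith(CORPORATE_PREFIX)

def zero_trust_allows(req: Request) -> Tuple[bool, str]:
    """Never trust, always verify: identity, device posture and role are
    checked on every request, and network location by itself grants nothing."""
    if not req.identity_verified:
        return False, "identity not verified"
    if not (req.device_managed and req.device_patched):
        return False, "device posture check failed"
    if req.action not in ROLE_PERMISSIONS.get(req.role, set()):
        return False, f"role {req.role!r} is not permitted {req.action!r}"
    return True, "verified"

# Constructed requests modelling the situations the article describes.
SAMPLE_REQUESTS = [
    Request("dr_lee", "clinician", "10.0.4.12", True, True, True, "ehr:read"),        # on-site, healthy laptop
    Request("dr_lee", "clinician", "203.0.113.7", True, True, True, "ehr:read"),      # remote, managed laptop
    Request("dr_lee", "clinician", "10.0.4.40", True, False, False, "ehr:read"),      # personal phone on the LAN
    Request("pump-17", "medical_device", "10.0.9.3", True, False, False, "ehr:read"), # unpatched device on the LAN
    Request("bill_k", "billing", "10.0.2.8", True, True, True, "ehr:read"),           # wrong role for EHR data
]

def compare(req: Request) -> Dict[str, object]:
    allowed, reason = zero_trust_allows(req)
    return {"perimeter": perimeter_allows(req), "zero_trust": allowed, "reason": reason}
```

Run `compare()` over `SAMPLE_REQUESTS` to see the perimeter model admit the unmanaged phone, the unpatched device and the billing user simply because they are on the LAN, while blocking the legitimate remote clinician; the zero trust decision inverts both outcomes.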
No ‘silver bullet’
But the switch to zero trust represents a radical change of approach for provider organizations. Although role-based access, multifactor authentication and other technologies can play important roles in implementing the zero trust model, organizations must guard against assuming that any one technology can be used to create a zero trust environment.
A Department of Health and Human Services presentation on zero trust in healthcare notes: “Security isn’t accomplished by deploying a single tool or platform; the approach usually involves technologies from an array of categories, including device security, network security, data security, workload security, identity and access management, visibility tools and orchestration platforms.”
“Zero trust is one of those never-ending investments” that requires multiple security technologies, says Gus Malezis, CEO of Imprivata, a security tech company.
He predicts that rising security pressures will push many healthcare organizations to fully embrace zero trust over the next 24 months. After initial adoption, healthcare organizations will face ongoing work, which “we see as improvements, but not radical heavy lifts,” Malezis says.
Zero trust approaches are expected to offer some relief from recently soaring premiums for cyber insurance, which have risen dramatically in response to increased threats and attacks in the healthcare sector.