Tech & Innovation in Healthcare

Cybersecurity Corner:

Enhance Your Healthcare Security With Zero-Trust Framework

Adjust your wording to avoid offending staff.

Healthcare continues to be a prime target for malicious threat actors, who hope to breach your network defenses and gain access to valuable patient information. IT professionals and healthcare administrators shouldn’t sit back and wait for an incident to occur; you should proactively shield your network from threats — both internal and external.

Get to know the zero-trust framework and how it can bolster your healthcare cyber defenses.

Learn How Zero Trust Works

Zero trust is a cybersecurity approach that treats every user and every device connecting to your network, whether inside or outside the organization, as a potential threat. Legacy systems rely on implicit trust to grant devices and users access to the network. Implicit trust allows users, good or bad, to move freely about your network and access or transfer sensitive data. Zero trust, by contrast, maintains strong defenses to help prevent breaches around the clock.

According to the National Institute of Standards and Technology (NIST), zero trust is an “evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” The agency goes on to define a zero-trust architecture (ZTA) as a framework consisting of zero trust principles “to plan industrial and enterprise infrastructure and workflows.”

The goal of zero trust is to make access control enforcement as granular as possible to prevent malicious threat actors from gaining unauthorized access to data and services. Granular access controls define who has access to each part of a network and what they are permitted to do with that access.

In healthcare, establishing granular access controls is necessary to maintain compliance and protect patient data from breaches.

Shield Healthcare Data From Hackers

The U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) issued its Zero Trust Maturity Model (ZTMM) version 2.0 in April 2023. The ZTMM defines five pillars of zero trust:

  • Identity: Attributes that describe any user or entity.
  • Devices: Any item that can connect to a network, including computers, printers, mobile phones, IoT devices, and servers.
  • Networks: Any channel used to relay messages, including wireless networks, internal networks, and the internet.
  • Applications & Workloads: Computer programs, mobile apps, cloud environments, and other executable services.
  • Data: Any information that is stored and protected on devices, networks, and applications.

Deploying a zero-trust security model provides users and devices in your healthcare organization with secure access and authentication. Each person’s medical and financial data is incredibly valuable to hackers, which is “why healthcare organizations and devices are high-value targets for cyber criminals,” says Peter Newton, senior director of product and solutions at Fortinet in Sunnyvale, California.

By adding zero trust to your healthcare facility’s network, every user will need to be verified before permission is granted to access critical resources. Zero trust helps prevent malicious actors from gaining access to information deep within your network. “This means that even if a bad actor has gained access to the network, the zero-trust security features in place within the network would catch suspicious behavior in real time. It deepens security and mitigates the extent of a breach,” Newton says.

Zero trust also involves ensuring mobile devices are up to date, with the correct operating systems, secure web browsers, and the most recent software patches. Multifactor authentication is also a must for users to access select or all network resources.
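To make the contrast with implicit trust concrete, the following added example (not from the article or from any vendor) evaluates each request against role, device patch status, and multifactor authentication, and never grants access based on network location. The roles, resource names, and fields are hypothetical, and the sample requests are constructed.

```python
# Added illustration; roles, resources and field names are hypothetical.
from dataclasses import dataclass

# Granular policy: role -> resource -> permitted actions. Anything absent is denied.
POLICY = {
    "nurse": {"patient_chart": {"read", "write"}},
    "billing": {"billing_record": {"read", "write"}},
    "physician": {"patient_chart": {"read", "write"}, "lab_result": {"read"}},
}
SENSITIVE = {"patient_chart", "lab_result"}  # resources that always require MFA

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_passed: bool
    device_patched: bool       # OS, browser and patches are current
    on_internal_network: bool
    resource: str
    action: str

def implicit_trust_decision(req):
    """Legacy perimeter model: being inside the network is enough."""
    return req.on_internal_network

def zero_trust_decision(req):
    """Check every request; network location is never consulted."""
    if not req.device_patched:
        return (False, "device not up to date")
    if req.resource in SENSITIVE and not req.mfa_passed:
        return (False, "MFA required")
    if req.action not in POLICY.get(req.role, {}).get(req.resource, set()):
        return (False, "role not permitted")
    return (True, "allowed")

# Constructed sample requests (not real users or systems).
SAMPLES = [
    Request("insider", "billing", True, True, True, "patient_chart", "read"),
    Request("nurse1", "nurse", True, True, False, "patient_chart", "read"),
    Request("nurse1", "nurse", False, True, True, "patient_chart", "read"),
    Request("doc1", "physician", True, False, True, "lab_result", "read"),
]

def compare(samples=SAMPLES):
    """Return (user, implicit-trust result, zero-trust result, reason) per request."""
    return [(r.user, implicit_trust_decision(r), *zero_trust_decision(r)) for r in samples]

if __name__ == "__main__":
    for row in compare():
        print(row)
```

The first sample is the case the article describes: a user already inside the network is waved through by implicit trust but denied a patient chart under the granular policy.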

Overcome Zero Trust Deployment Hurdles

While zero trust has emerged as a strong security option, deploying it into your system isn’t as simple as flipping a switch. Cybersecurity professionals at healthcare organizations face several challenges in transitioning to a zero-trust model.

Configuration: You should consider using zero-trust solutions from a single vendor with low latency and a seamless user experience to ensure healthcare services continue to operate smoothly. “The network solutions can disrupt clinical operations if they are improperly configured, lack a unified clinician and patient experience no matter the location, or require additional point products to cover all the IT system components,” Newton says.

Phrasing: One challenge involves how staff receives the term. IT leaders should talk openly and often about the model to get everyone on board before rolling out the changes. As IT professionals speak to the organization, they may prefer different phrasing. “While security professionals understand what ‘zero trust’ means, others can be confused or take offense at the suggestion that they are not trustworthy. We recommend using ‘treating the inside like the outside’ or ‘continuous verification,’” Newton says.

Transition: Keep the current technology while adding new components until the time is right to make a full switch. New technology adoption is generally met with resistance at first, so it’s beneficial to implement zero-trust network access (ZTNA) while maintaining virtual private network (VPN) connections. “Choosing a solution with a unified agent that addresses both VPN and ZTNA can also ease the transition. Even if you migrate to a ZTNA model, there may be times when users still need a VPN, so it’s worthwhile to use a single solution for both,” Newton adds.

Bottom line: Deploying a zero-trust strategy might seem daunting, but with a plan and continuous learning you can roll out the security model in a way that works for your healthcare organization. Identity is the foundation of zero trust, and understanding each person’s role will help you identify data and application access for everyone in the facility.