Why Zero Trust Security Models are Critical in Community Hospitals

Why Zero Trust?

Securing today’s healthcare environment continues to be a significant challenge for IT and security leadership. Every access point that hosts, accesses, or stores healthcare information carries potential risks that need to be addressed. The perimeter has evolved along with technology, cloud services, and an ever-increasing mobile workforce, and it now extends beyond the physical boundaries that most healthcare organizations designed their defenses to protect.

Traditional firewalls and Virtual Private Networks (VPNs) have their place, but they lack the visibility and integration needed for end-to-end coverage and proactive response to threats against Protected Health Information and against access to vital healthcare applications and services.

What is Zero Trust?

Traditional security models and their supporting technologies must evolve to protect against and detect threats, and to mitigate or avoid risk to the networks, more effectively. The traditional defense-in-depth model has relied on the protection of the perimeter. A Zero Trust framework can protect people, devices, applications, and data regardless of their location.

In most healthcare security models today, the assumption is that everything behind the firewall is safe and that, once a user is authenticated, it’s appropriate to grant access to resources. The Zero Trust model verifies every request for access as if the network were uncontrolled, following the approach of “never trust, always verify.”

The guiding principle of Zero Trust is to first verify explicitly: always authenticate based on user identity, location, device health, and data classification. The next principle is to always apply least-privileged access and to assume that there is a breach until it can be proven otherwise, so that all sessions are handled under the “never trust, always verify” criteria.
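The per-request evaluation described above, as an added example that is not part of the original article: a default-deny decision function that checks identity, location, device health, and data classification on every request, then applies least privilege. The roles, classification levels, locations, and field names are hypothetical.

```python
from __future__ import annotations
from dataclasses import dataclass

# Hypothetical policy table (constructed for illustration): per data
# classification, which roles and locations are allowed and whether MFA is needed.
POLICY = {
    "public":   {"roles": {"nurse", "physician", "billing"}, "locations": {"onsite", "remote"}, "mfa": False},
    "internal": {"roles": {"nurse", "physician", "billing"}, "locations": {"onsite", "remote"}, "mfa": True},
    "phi":      {"roles": {"nurse", "physician"}, "locations": {"onsite"}, "mfa": True},
}
# Least privilege: each role gets only the actions it needs.
ROLE_ACTIONS = {"nurse": {"read"}, "physician": {"read", "write"}, "billing": {"read"}}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    authenticated: bool
    mfa: bool
    location: str          # being "onsite" is one signal, never sufficient by itself
    device_managed: bool
    device_patched: bool
    classification: str
    action: str


def decide(req: Request) -> tuple[bool, str]:
    """Evaluate one request. Default deny: any failed or unknown signal refuses access."""
    rule = POLICY.get(req.classification)
    if rule is None:
        return False, "unknown data classification"
    if not req.authenticated:
        return False, "identity not verified"
    if rule["mfa"] and not req.mfa:
        return False, "MFA required for this classification"
    if not (req.device_managed and req.device_patched):
        return False, "device health check failed"
    if req.location not in rule["locations"]:
        return False, "location not permitted for this classification"
    if req.role not in rule["roles"]:
        return False, "role not permitted for this classification"
    if req.action not in ROLE_ACTIONS.get(req.role, set()):
        return False, "action exceeds role privileges"
    return True, "allow"
```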

Zero Trust and Security Policies

Well-defined policies make up the foundation of any viable security program. Defining what is critical to the healthcare organization, who can access resources, where they can access them from, role-based access controls, and acceptable use are just a few of the different policies that need to be clearly defined. Zero Trust is designed to automate adherence to these defined policies, ensuring that each policy requirement is properly applied and that compliance is maintained.

There are some specific details that need to be addressed to implement a Zero Trust model. This can be especially difficult for community and rural hospitals to implement. Having a trusted service provider to assist can make a significant difference in implementing Zero Trust. The following are just a few areas that are critical to this model:

  • Identity and Access Management (IAM) – When any individual or device attempts to access a resource, there needs to be a well-designed identity management workflow and solution in place.

  • Asset Management – Having a complete inventory of assets and their roles is critical to managing the IT environment as well as securing access via a Zero Trust model.

  • Application Services – Regardless of whether application services are managed and delivered on-premises or cloud-based, proper controls that align with policy and procedures need to be in place. APIs (Application Programming Interfaces) and interfaces also need to be properly managed.

  • Data Stewardship – Protecting data is at the core of any properly defined security program. Classifying data and having clear data owners and stewardship empowers the healthcare organization with insight into its data protection and data retention requirements. Ensuring encryption both at rest and in transit is also a core requirement.

  • Infrastructure Management – Ensuring an effectively managed infrastructure that’s patched and hardened, as well as properly monitored, is critical. 

  • Network Management – The pipes that we all use to connect to internal and external resources must be secure, monitored, and managed. Network design that leverages segmentation and end-to-end encryption, for example, is another core requirement.

The Roadmap to Zero Trust

Evolving your organization to a Zero Trust model is a journey, not a destination. Burwood can help your organization navigate this journey with expertise and methodologies to assess your current state and create a roadmap toward achieving a Zero Trust model.

Taking a phased approach to Zero Trust that targets specific areas based on your current maturity, resource availability, and priorities is important to consider. In some cases, updating and enforcing policies can make a significant difference. The key is understanding your first steps by developing a roadmap to implement Zero Trust and improve your ability to protect your caregivers, reduce risk, and build a trusted IT environment.

We invite you to explore the following resources to learn more: