The security challenges facing healthcare organizations are getting more difficult. Cyber criminals are more organized than ever and are also using techniques employed by legitimate IT companies, such as project management and custom development best practices. Few organized cybercrime organizations have achieved a level of expertise comparable to that of an efficient penetration testing unit.
According to Black Kite’s 2023 Third Party Breach Report, healthcare was the industry most affected by attacks in 2022. Last year, 34.9 percent of attacks targeted the healthcare industry, up from 33 percent in 2021.
To address these growing threats, many healthcare organizations are adopting a zero-trust approach to security, requiring all users inside and outside of an organization’s network to be authenticated, authorized, and continually validated for security configuration and posture before being granted access to applications and data.
This trend is being encouraged from many directions. President Biden’s 2021 executive order is a key driver that established a zero-trust strategy for the federal government. The policy requires agencies to meet specific safety standards by the end of 2024. The Cybersecurity and Infrastructure Security Agency released the latest update to its Zero Trust Maturity Model in April, adding new guidance for organizations looking to implement this approach.
Adoption by the federal government has spurred widespread zero-trust implementation in the private sector, as executives and boards, including those in healthcare, put pressure on IT teams to address security threats. “The adoption of zero-trust architecture by government is really driving momentum in the business sector,” says John Candillo, CDW Field CISO.
Understanding Zero Trust Is Essential To Healthcare Success
As they engage in efforts to implement a zero-trust approach, healthcare organizations and their IT teams must recognize that this is a process, not a destination. The steps an organization takes toward zero trust will evolve as a number of factors change, including the organization’s business needs, the threats it faces, and the security solutions it uses.
“There are a number of great solutions that can help,” says Jeremiah Salzberg, chief security technologist at CDW. “But it’s important to remember that zero trust is more of an architectural strategy than a specific product or technology.”
The benefits of zero trust go beyond a better security posture, says Jeremy Weiss, an executive security strategist at CDW. Applying zero-trust principles can help healthcare organizations reduce their technical debt and build more efficient operational processes. Because the approach employs network segmentation, application developers can work securely at faster speeds than they otherwise could.
The process of implementing zero trust also provides clearer visibility into IT environments than most healthcare organizations have, says Salzberg.
Health IT teams are able to better see the dependencies between different systems and applications and understand how they communicate and interact. “We’ve seen some improvement in overall stability and efficiency in environments where they’ve moved to a zero-trust architecture,” Salzberg says.
Three Key Elements of Zero Trust
As they work toward implementing a zero-trust approach, health IT teams should focus on three essential elements:
- Visibility: IT teams need to know what data an organization has, where it resides, where it is transmitted, how it is used and who has access to it.
- Identification: An organization must be able to determine with confidence the identity of users who are accessing specific sets of data, particularly patient data.
- Governance: An organization must have rules for what data it holds, how it is accessed and transmitted, who is granted access, and how they prove their identity. In addition, the organization must have mechanisms in place to enforce these rules.
With many healthcare organizations moving data and workloads to the cloud, especially in software as a service deployments, maintaining visibility and control can be a significant challenge.
“It’s hard to understand what’s really in your environment, which system is talking and which system is really talking,” Salzberg says. “This exhaustive analysis has always been and will continue to be a challenge, but it is fundamental to zero confidence.”
A variety of tools can help organizations establish elements of zero trust, including multifactor authentication, segmentation and microsegmentation, single sign-on solutions, secure web gateways, and encryption. As they work to deploy these and other tools in a zero-trust environment, healthcare organizations must recognize that this approach is an ongoing effort.
“Zero trust is something organizations want to incorporate into how they build and implement new applications and begin the work of transitioning old applications to the new model,” Salzberg says.
“Some people think it’s like a light switch that you can just turn on, that you can just do that and have zero faith,” Candillo says. “It’s definitely not that. It’s building a foundation and getting the tools and applying them in an environment where it makes sense.”











