- Understand and clarify the benefits of zero-trust for your organization. Zero-trust is inherently a security methodology that places the security mindset first. Within healthcare there is a push to include more connected Internet of Medical Things (IoMT) devices, augmented reality, and robotics within care pathways.
- Winning over a skeptical clinical audience when applying the principles of zero-trust: never trust, always verify; assume breach; and verify explicitly.
- Difficulty identifying, tracking, and verifying all devices on their healthcare network.
- Moving from a perimeter-based security architecture to a zero-trust architecture while demonstrating that this change will support the provision of healthcare.
Our Advice
Critical Insight
Zero-trust must benefit the healthcare organization first, because the road to zero-trust is an iterative process that relies on the IT security team to be thoughtful in determining how moving to a zero-trust model will affect core processes and patient care. This means that deploying a zero-trust model is not a one-size-fits-all approach.
Impact and Result
Achieving zero-trust is an iterative process that involves a range of capabilities and requires all stakeholders to be committed to improving a healthcare organization’s security culture. Use Info-Tech’s approach to:
- Understand what zero-trust is and how its principles can be applied to your organization.
- Learn about how healthcare IT teams are approaching security initiatives and why they are choosing to prioritize zero-trust as a framework to secure their technology assets.
Navigate Zero-Trust Security in Healthcare
Understand zero-trust principles and examine leading vendor architectures.
Executive Summary
Your Challenge
Healthcare CIOs and CISOs recognizing the value of pursuing a zero-trust security strategy encounter several challenges including:
- Winning over a skeptical clinical audience when applying the principles of zero-trust: never trust, always verify; assume breach; and verify explicitly.
- Difficulty identifying, tracking, and verifying all devices on their healthcare network.
- Moving from a perimeter-based security architecture to a zero-trust architecture while demonstrating that this change will support the provision of healthcare.
Common Obstacles
Zero-trust cannot be achieved without overcoming significant obstacles such as:
- Identifying the most logical place to start. Because zero-trust is complex from an architectural perspective, there is no clear checklist or path to move forward.
- Technical debt competes for the same budget: according to McKinsey (2020), 69% of CIOs surveyed are using more than 10% of their new-project spend to address technical debt.
- Most healthcare security architectures are perimeter-based and complex to manage.
Info-Tech’s Approach
Achieving zero-trust is an iterative process that involves a range of capabilities and requires stakeholders to be committed to improving a healthcare organization’s security culture. Use Info-Tech’s approach to:
- Understand what zero-trust is and how its principles can be applied to your organization.
- Find out how healthcare organizations are performing and what security initiatives they are prioritizing to become zero-trust.
- Examine the security architectural frameworks that Microsoft and Google have applied to their environments to adopt zero-trust.
Zero-trust must benefit the healthcare organization first, because the road to zero-trust is an iterative process that relies on the IT security team to be thoughtful in determining how moving to a zero-trust model will affect core processes and patient care. This means that deploying a zero-trust model is not a one-size-fits-all approach.
Your challenge
This research is designed to help organizations who need to:
- Understand and clarify the benefits of zero-trust for your organization. Zero-trust is inherently a security methodology that places the security mindset first. Within healthcare there is a push to include more connected Internet of Medical Things (IoMT) devices, augmented reality, and robotics within care pathways.
- Verify that operations are maintaining security best practices. Prevention is only one element of successful security operations; IT security teams must also be able to detect incidents and analyze the environment to support incident response.
- Risk to healthcare organizations is real. IBM Security and the Ponemon Institute reported that healthcare data breaches and ransomware can incur costs on average of US$9.23 million per incident. (HealthITSecurity, 2021).
- IT must convince clinical leaders to add more security controls that go against the grain of reducing friction in workflows while demonstrating these controls support the business. If implemented properly, zero-trust embeds security into existing processes.
34%
Data privacy has become a high priority for security professionals: 34% of survey respondents indicate that privacy is a core responsibility.
Source: Cisco via IAAP, 2021.
560
560 healthcare facilities in the United States reported ransomware incidents in 2020.
Source: Emsisoft, 2021.
Zero-trust presents an opportunity for health IT leaders to modernize
80% Lower Cost
Legacy solutions require constant maintenance from an infrastructure, service, and configuration perspective.
Organizations that have deployed cloud-based zero-trust systems have found that it reduces operational expenditures related to configuration and licensing.
Source: Okta
Be realistic about the barriers that make zero-trust difficult to implement:
Health IT security architectures were not built with zero-trust in mind. Most organizations rely on a perimeter-based security defense posture that defines trusted areas. Shifting to zero-trust requires specific configuration policies that collapse trusted perimeters so that no person, application, or piece of data is inherently trustworthy.
Know where to start: zero-trust is not only complex from an architectural perspective; there is also no clear checklist to follow when revising your security posture to adopt it.
In a recent study, 80% of IT decision makers identified legacy systems and technical debt as a significant pain point (Enterprise CIO, 2018). There is a palpable need to modernize legacy solutions, because legacy systems are more difficult to protect and expensive to maintain.
Organizational complexity: a traditional on-premises solution can cost up to 80% more than a unified, cloud-based identity directory.
Health IT security teams perform better than industry peers
Identity and access management (IAM) and data are two sub-policy metrics where healthcare IT performs slightly lower than industry peers.
Source: Info-Tech Security Governance Benchmark Report, 2022
Case Study: Identify and mitigate IoT and IoMT cyber risk within a hospital network
“Patients’ safety and records matter most. To protect them, we had to get a handle on every connected thing, despite an exploding number of IoT devices.” — Kashif Parvaiz, Chief Information Security Officer, University Health Network
Environment
Over 40,000 wired and wireless devices were used within University Health Network (UHN), located in Toronto, Ontario, which supports over 20,000 employees in four acute care hospitals and various outpatient sites.
49.6% of devices found in the audit were related to healthcare and labs.
The remaining devices fell into supporting administration and physical security:
- 15.3% Physical security
- 13.7% Office-related devices
- 12% Building automation
- 5.7% Multimedia and related devices
Challenge
Reduce the impact to patient care and ensure that patient records are secure.
Comply with industry regulations and successfully pass audits amid the widespread presence of legacy infrastructure and technical debt.
Develop and maintain an accurate catalog of assets to support ongoing security operations and maintenance.
Improve device visibility within the network by efficiently identifying devices and understanding where they were being used and where they were located within the network.
Results
Identified 40,000 wired and wireless devices within the network.
66% more devices were discovered than expected.
Rapid real-time visibility across all network connected things within four weeks of working on this initiative.
Device identification was an intentional goal to better understand the number of IoT and IoMT devices, which puts UHN on the pathway to pursue zero-trust segmentation.
Source: Forescout, 2021
Zero-trust helps healthcare IT security teams manage risk across multiple domains:
- Devices: clinical tools, tablets, IoMT
- Applications: EMR/EHRs, billing, scheduling
- Identities: clinical teams, administrative teams, patients
- Data: patient records, lab results, patient details
Zero-trust benefits
Health IT security professionals will benefit from adopting zero-trust, but they must be clear about the overarching benefits that healthcare organizations will receive as a result of moving to a zero-trust model.
IT Benefits
- Reduce IT effort: Zero-trust enables security by design, meaning reduced demands on IT for managing services for RDP and VPN and for responding to requests for more flexible access to resources.
- Improve visibility and security: Zero-trust involves mapping, contextualizing, and monitoring resources, thus reducing the time to detect and respond to incidents.
- Reduce security solution complexity: Rather than trying to fill gaps in traditional network security, security purchases become part of a strategic technical design that pays down IT security's technical debt.
- Strengthen data protection: A fully implemented zero-trust solution makes it harder for attackers to access, encrypt, or steal digital assets such as medical health records.
Organization Benefits
- Reduce technical debt: According to a 2016 IEEE Software report, a conservative estimate of the average cost of technical debt amounts to $361,000 per thousand lines of code. Zero-trust can accelerate the phasing out of legacy technology and kick-start network modernization.
- Work from anywhere: Recent workplace demographic shifts have enabled employees to work from home; zero-trust environments support secure access and availability of workflows.
- Improved user experience: Zero-trust reduces the security fatigue associated with an uncoordinated security technical strategy.
- Continuous compliance: Adopting zero-trust means there are no trust zones, so a system of constant verification of users and devices must be in place.
Understand the principles of zero-trust
Move away from the existing perimeter-based security framework toward a never trust, always verify model.
1 Never Trust, Always Verify
The main goal of zero-trust is to secure corporate resources by eliminating persistent trust in everything:
- Identities
- Devices
- Applications
- Infrastructure
- Network
- Data
2 Assume Breach
This is a mindset that means your organization should operate on the assumption that your environment has already been breached. The environment should be architected to minimize the effects of a breach with controls to prevent lateral movement and reduce damage.
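The "assume breach" posture above, and the zero-trust segmentation that the UHN case study's device inventory makes possible, come down to an explicit allow-list of which device classes may talk to which, on which ports, with everything else denied, including peer-to-peer traffic inside a class. The Python below is an added example written for this page, not code from Info-Tech, UHN or any vendor; the device inventory, segment names, policy tuples and flow-log lines are all constructed, and the key=value flow format is generic rather than any product's.

```python
import re
from collections import Counter

# Constructed device inventory, the kind of record a discovery exercise produces:
# IP address -> (device type, network segment). Addresses not listed are unknown.
INVENTORY = {
    "10.10.1.20": ("infusion-pump", "iomt"),
    "10.10.1.21": ("infusion-pump", "iomt"),
    "10.10.1.40": ("ct-scanner", "imaging"),
    "10.20.0.5": ("ehr-app-server", "clinical-apps"),
    "10.20.0.9": ("pacs-server", "clinical-apps"),
    "10.30.0.15": ("nurse-workstation", "clinical-users"),
    "10.40.0.8": ("badge-reader", "physical-security"),
    "10.40.0.2": ("access-control-server", "physical-security"),
    "10.50.0.3": ("office-pc", "admin-users"),
}

# Allow-list of (source segment, destination segment, destination port).
# Anything not listed is denied, including traffic within a segment, so two
# infusion pumps can never reach each other even though they share a VLAN.
SEGMENT_POLICY = {
    ("iomt", "clinical-apps", 443),                    # pumps report to the EHR integration endpoint
    ("imaging", "clinical-apps", 104),                 # DICOM from the scanner to PACS
    ("clinical-users", "clinical-apps", 443),          # workstations use the EHR web front end
    ("physical-security", "physical-security", 443),   # badge readers talk to their controller
}

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+)")


def evaluate_flow(line):
    """Classify one flow record under the segmentation policy.
    Returns (verdict, reason); verdict is 'allow' or 'deny', deny by default."""
    m = FLOW_RE.search(line)
    if not m:
        return "deny", "unparseable flow record"
    src, dst, dport = m.group(1), m.group(2), int(m.group(3))
    src_rec, dst_rec = INVENTORY.get(src), INVENTORY.get(dst)
    if src_rec is None:
        return "deny", f"unknown source device {src}"
    if dst_rec is None:
        return "deny", f"unknown destination device {dst}"
    src_seg, dst_seg = src_rec[1], dst_rec[1]
    if (src_seg, dst_seg, dport) in SEGMENT_POLICY:
        return "allow", f"{src_seg}->{dst_seg}:{dport} permitted"
    if src_seg == dst_seg:
        # Same segment but not explicitly allowed: this is the lateral movement
        # an attacker on one compromised device would attempt.
        return "deny", f"lateral movement inside segment {src_seg} ({src_rec[0]} -> {dst_rec[0]})"
    return "deny", f"{src_seg}->{dst_seg}:{dport} not in policy"


def summarize(lines):
    """Evaluate a batch of flow records; return verdict counts and the denied flows."""
    results = [(line, *evaluate_flow(line)) for line in lines]
    counts = Counter(verdict for _, verdict, _ in results)
    denied = [(line, reason) for line, verdict, reason in results if verdict == "deny"]
    return counts, denied


# Constructed flow records (not from any real network).
SAMPLE_FLOWS = [
    "2024-05-01T08:00:01Z src=10.10.1.20 dst=10.20.0.5 dport=443 proto=tcp",
    "2024-05-01T08:00:02Z src=10.10.1.20 dst=10.10.1.21 dport=445 proto=tcp",
    "2024-05-01T08:00:03Z src=10.50.0.3 dst=10.10.1.40 dport=22 proto=tcp",
    "2024-05-01T08:00:04Z src=10.10.1.40 dst=10.20.0.9 dport=104 proto=tcp",
    "2024-05-01T08:00:05Z src=10.10.9.9 dst=10.20.0.5 dport=443 proto=tcp",
    "2024-05-01T08:00:06Z src=10.30.0.15 dst=10.20.0.5 dport=3389 proto=tcp",
    "2024-05-01T08:00:07Z src=10.40.0.8 dst=10.40.0.2 dport=443 proto=tcp",
]

if __name__ == "__main__":
    counts, denied = summarize(SAMPLE_FLOWS)
    print(dict(counts))
    for line, reason in denied:
        print("DENY", line, "->", reason)
```

Run against the sample flows, three are allowed and four are denied: a pump reaching another pump over SMB (lateral movement inside the IoMT segment), an office PC trying SSH to the CT scanner, a source address that is not in the inventory at all, and a nurse workstation opening RDP to the EHR server on a port the policy never listed. The unknown-source case is why the UHN inventory work comes first: a policy keyed on device identity can only deny what it cannot name.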
3 Verify Explicitly
Identities can be forged and credentials can be stolen or replayed; therefore, verification is needed. It can be compared to the steps a bank takes to confirm your identity before you can make decisions about your account. Multiple modes of verification, both static and dynamic, must be presented before access to a resource is granted.
[Table: verification modes, columns Static | Dynamic; the cell contents are not present on the page]
Info-Tech Insight
Zero-trust is a strategy that forgoes reliance on perimeter security and moves controls to where users access resources. It consolidates security solutions and saves operating expenditures, and it also enables business mobility by securing the digital environment at all layers.
Implementation approaches
Vendor perspectives have shaped the development of zero-trust.
- John Kindervag defined the concept of zero-trust in 2010. Kindervag later became CTO at Palo Alto Networks, where he expanded zero-trust into a practical response to managing organizational risk; in that model, next-generation firewalls (NGFWs) serve as the policy enforcement points.
- NIST has further defined zero-trust principles (NIST SP 800-207, Zero Trust Architecture) and has created a framework that is not tied to a particular product class such as a firewall or an identity and access management platform; rather, NIST advocates a strategic mindset that can be applied to a variety of organizations.
- Microsoft and other zero-trust vendors have developed frameworks that are adaptations of the standards outlined by NIST.
- Google’s BeyondCorp initiative took the principles of zero-trust and applied them through a strict strategy of company-managed devices connected through an access proxy. The proxy determines access to resources based on contextual data that includes the user, role, device certificates, device inventory, and location.
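The BeyondCorp access-proxy decision just described, and the static-plus-dynamic verification under "Verify Explicitly" above, can be written as a single policy function: static signals (user, role, MFA state, the client certificate) are checked against records, dynamic signals (disk encryption, patch age, network, location) are re-evaluated on every request, and the result is a trust tier that each resource requires a minimum of. The Python below is an added illustration, not Google's BeyondCorp code or Info-Tech's material; the tier scheme, signal names, inventory entries, per-resource policy and the Canada-only country rule are assumptions made for this example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticSignals:
    """Slow-changing facts the proxy checks against records: who the user is,
    their role, whether MFA completed, and the client certificate presented."""
    user: str
    role: str
    mfa_verified: bool
    device_cert_fingerprint: str   # "" when the client presented no certificate


@dataclass(frozen=True)
class DynamicSignals:
    """Facts re-evaluated on every request: device health and request context."""
    disk_encrypted: bool
    os_patch_age_days: int
    network: str    # "hospital-lan", "home", or "unknown"
    country: str    # ISO 3166-1 alpha-2 from the proxy's geolocation lookup


# Constructed device inventory, keyed by the fingerprint of the device certificate.
DEVICE_INVENTORY = {
    "sha256:4f1a": {"owner": "dr.lee", "managed": True},
    "sha256:9c2b": {"owner": "p.chen", "managed": True},
    "sha256:77e0": {"owner": "vendor-x", "managed": False},  # enrolled but unmanaged
}

# Hypothetical per-resource policy: roles that may request it, minimum device tier.
RESOURCE_POLICY = {
    "ehr":        {"roles": {"clinician"},          "min_tier": 3},
    "scheduling": {"roles": {"clinician", "admin"}, "min_tier": 2},
    "billing":    {"roles": {"billing"},            "min_tier": 2},
}

ALLOWED_COUNTRIES = {"CA"}   # assumption: the organization operates only in Canada


def device_tier(static, dynamic):
    """Derive a trust tier 0-3 for the requesting device. Tier 0 means the
    device is unknown, unmanaged, or not bound to this user: no inherent trust."""
    rec = DEVICE_INVENTORY.get(static.device_cert_fingerprint)
    if rec is None or not rec["managed"] or rec["owner"] != static.user:
        return 0
    tier = 1
    if dynamic.disk_encrypted:
        tier = 2
        if dynamic.os_patch_age_days <= 30:
            tier = 3
    if dynamic.network == "unknown":
        tier = min(tier, 2)   # an unrecognized network caps trust below the top tier
    return tier


def decide(resource, static, dynamic):
    """Return (allowed, reason). Every path that does not explicitly pass denies."""
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        return False, f"unknown resource {resource}"
    if not static.mfa_verified:
        return False, "mfa not verified"
    if static.role not in policy["roles"]:
        return False, f"role {static.role} not permitted for {resource}"
    if dynamic.country not in ALLOWED_COUNTRIES:
        return False, f"request from {dynamic.country} not permitted"
    tier = device_tier(static, dynamic)
    if tier < policy["min_tier"]:
        return False, f"device tier {tier} below required {policy['min_tier']}"
    return True, f"granted at tier {tier}"


def audit_record(resource, static, dynamic):
    """One line per decision; allow and deny are both evidence for audits."""
    allowed, reason = decide(resource, static, dynamic)
    return (f"{'ALLOW' if allowed else 'DENY'} user={static.user} role={static.role} "
            f"resource={resource} device={static.device_cert_fingerprint or '-'} "
            f"net={dynamic.network} reason={reason}")


if __name__ == "__main__":
    lee = StaticSignals("dr.lee", "clinician", True, "sha256:4f1a")
    healthy = DynamicSignals(True, 7, "hospital-lan", "CA")
    stale = DynamicSignals(True, 90, "home", "CA")
    print(audit_record("ehr", lee, healthy))
    print(audit_record("ehr", lee, stale))
    print(audit_record("scheduling", lee, stale))
    print(audit_record("ehr", StaticSignals("dr.lee", "clinician", True, ""), healthy))
```

Note what the tiering buys the clinical audience: the same clinician on the same managed laptop keeps access to scheduling when a patch is overdue, and only the EHR (the highest-value resource) is withheld until the device is brought back to tier 3. A certificate that is valid but issued to a different user's device drops straight to tier 0, which is the "access can be duplicated" case the Verify Explicitly principle is guarding against.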