Understanding and Overcoming the Challenges Unique to Healthcare
These days, you can’t talk about cybersecurity without talking about zero trust. That’s why when we discussed what we wanted to spotlight for National Cybersecurity Awareness Month (NCSAM), zero trust seemed to be an obvious topic. But given all the noise around zero trust, there is still not much clarity on what it is and what it means, particularly for the healthcare industry. As such, I hope the below guide will be helpful for those looking to better understand zero trust, and crucially, how it can help protect the technology which forms the bedrock of clinical care. I will discuss:
- What zero trust looks like for healthcare delivery organizations
- The challenges to establishing a zero trust model
- How to overcome those challenges
- Practical steps to get started
What Zero Trust Looks Like for Healthcare
More than a buzzword, zero trust is a cybersecurity model, based on the premise that nothing―no devices (managed or unmanaged) or users (identities)―in the network can be trusted. In a recent CHIME session that I did with Chase Cunningham, VP, Principal Analyst for Security and Risk for Forrester, he defined the three core principles for zero trust as:
- Verify explicitly
- Use least privilege access
- Assume breach
These principles form the basis for applying zero trust in any network. Within healthcare specifically, it means that anytime anyone, from practitioners and staff to patients and guests, needs access to resources on the network, they first need to verify they are who they say they are (verify explicitly).
Once verified, the healthcare delivery organizations must check to ensure they are authorized to access that resource, typically by applying pre-defined policies that automatically consider the context of the request, such as the device the user is using, their role in the organization, the task, etc., and enforce appropriate controls, which can allow, block, step up authentication, etc., to ensure the user is only granted access to what they need (least privilege), and nothing more.
If that user needs something else, they can’t simply use their existing access to get it (assume breach). They have to go through the process (policy) to prove they should have it. This ensures users or devices that have been compromised can’t be leveraged to move freely throughout the network, which can drastically reduce, if not eliminate, a number of internal threat vectors, such as lateral movement, VPN infiltration, and account takeovers, among others.
Challenges to Establishing Zero Trust
The biggest challenge that healthcare delivery organizations face when trying to establish and maintain a zero trust stance for their clinical network is the fact that so much of their environment is made up of unmanaged devices. These are medical, IoMT and IoT devices that are used in the day to day operations of the hospital―they range from IV pumps, patient monitors and MRI machines to security cameras.
The problem with these unmanaged devices is that IT and security teams have little to no visibility into what they are and how they are being used. Active Directory and centralized identity access management (IAM) solutions can’t be used to enforce corporate policies, and endpoint enforcement solutions are generally not an option because agents cannot be installed on most of these devices. In addition, because these devices tend to be closed systems running legacy software and proprietary protocols, they are indecipherable to most general-purpose network access solutions, like your NAC. As a result, the devices remain invisible to the network. And it is hard – if not impossible – to protect what you don’t know about.
Requirements to Overcome Challenges
Since there is no established, centralized way to easily create a zero trust stance for clinical networks, it is going to take something different. The approach we have seen work for health systems is a network-based method where policies are enforced and controls are implemented at the network-level. This means the network is segmented to enforce the least privilege access for all the different devices found in the environment. When done right, this significantly impedes attackers – if one does get into the network, they will be limited (to that segment) in terms of the resources they can access – effectively blocking them from propagating throughout the environment.
This approach, however, can have its own set of challenges. The diversity of devices and multitude of workflows (communication patterns) that exist within clinical networks is unlike anything on any other type of network. Getting policy enforcement right takes medical expertise that is able to identify the detailed makeup of each of these devices while simultaneously understanding how they are meant to operate. The worst thing that can happen is the accidental blocking of communications that end up interrupting the delivery of patient care. That’s why the clinical workflows and interdependencies of each device need to be understood, specifically, so controls can be precisely applied to ensure risks are addressed, without impacting care.
Practical Steps to Get Started
It can be difficult to track all the moving parts needed to incorporate a zero trust strategy, but it is certainly doable if you can achieve the following:
- Get complete visibility into all connected medical, IoMT and IoT devices in your environment. By complete, I mean detailed, down to the make, model, serially-attached components, embedded software, protocols, etc. that are part of that device.
- Get buy in from all relevant stakeholders. It is going to take input from IT, security, biomed and clinical engineering teams. Make sure that everyone is aware and on board with the objectives.
- Find solutions that can automate as much as possible. As noted, there are a lot of moving pieces and parts, so finding solutions that understand at a granular level what these devices are and how they should be operating within the clinical network is key to being able to automate the ongoing discovery and enforcement you will need to sustain zero trust.
It can be a commitment, but when done right, zero trust can significantly reduce your attack surface and mitigate your risks, so you can protect the integrity and availability of your patient data and care. For more practical tips or to see how Medigate is helping health systems around the world establish and maintain a zero trust stance, please contact us.