What is Zero Trust in Healthcare?
By Gil Vidals, , HIPAA Blog, Security
“Trust no one.”

From the classic sci-fi series X-Files to a myriad of crime fiction novels, the phrase “Trust no one” adds a sinister chill to suspense and mystery dramas. For if even your closest ally can turn out to be your enemy, you need eyes everywhere – even in the back of your head.

In a caring profession like healthcare, we’d like to believe we’ll always be safe. And while a certain level of trust is necessary for business and personal relationships, when it comes to data security, the philosophy of Zero Trust actually helps protect us in two ways: against our own propensity for error, and the attacks that may come in a dangerous world.

So what is Zero Trust Security?

The phrase, first coined by a Forrester Research analyst named John Kindervag back around 2010, was a breakthrough in the consideration of risk surrounding network and data security.

Kindervag’s idea of “never trust, always verify” was based on the idea that the classic “castle-and-moat mentality” of network perimeter security was no longer sufficient to protect an organization since it failed to address the risks that might come from “inside the castle.”

For instance, imagine if an enemy spy secretly manages to infiltrate your camp and take up residence in your “castle.” Since they’re already on the inside, the perimeter defenses (firewalls, etc.) do nothing to prevent any harm that they might instigate.

This is exactly how hackers operate. With a cleverly crafted phishing attack, they can fool your “trusting” employees into clicking a link and divulging their credentials, essentially opening the door (letting down the drawbridge) to the network for the hacker.

Once inside your corporate firewalls, they may lay seemingly dormant for long periods of time, siphoning off trade secrets or depositing their malicious payload of malware into your system with no resistance. In this way, they get a “two for one” payoff: stealing proprietary information and eventually locking up your system to hold your data for ransom.

How then does Zero Trust work?

Cyber Solution specialist Chris Williams boils a Zero Trust approach down to this:

“You don’t trust anything: The network doesn’t trust the machine unless the machine has been identified and authenticated. The application doesn’t trust the user unless the user has been identified and authenticated. The database doesn’t trust the transaction unless the transaction has been properly authorized and approved.”

Would this work though, if, in our above example, the hacker already had your credentials through phishing? It would if a secondary layer of authentication was in play, such as two-factor authentication. Only the individual who received the secondary one-time passcode would enter the system.

To drive the point home, think about the multiple levels of security you go through at an airport: You won’t get through TSA checks without first downloading your boarding pass and then showing your passport or license. There’s simply no trusting your word on the matter.

Next, you (and your luggage) get screened for any potentially harmful objects – no trust here, either.

Finally, you only get access to your particular flight through your designated terminal departure gate (similar to a segmented network) – but even then you won’t get on the plane without first being verified (“authenticated”) and checked in to your assigned seat.

It took a major attack like 9/11 to raise security to this level. And while it may not protect us 100%, these security improvements have made us safer when we fly.

That said, wrapping your arms around the multiplicity of applications, users, and devices in a healthcare organization can be challenging. Numerous applications may be on-premise or in the cloud, and accessed by users from various geographic locations as workforces also become more distributed.

As noted by the HHS Cybersecurity Program,

Given the interconnected nature of the future with IoMT devices, augmented reality, robotics, and more, it is clear that the current perimeter-based security model that most healthcare organizations use will no longer be effective. To stay ahead of these trends, healthcare organizations must continue to invest in the basics while making a fundamental shift from the castle-and-moat approach to a Zero Trust model.

What are some key steps toward a Zero Trust approach in healthcare?

Clearly, the more technical and collaborative an organization is, the more difficult it can be to implement Zero Trust. Designing Zero Trust into the system during a digital transformation to the cloud, as opposed to attempting a “retrofit” of existing systems, is ideal. Getting buy-in from every level of the enterprise – from CIO and CISO on down – will also be key.

A strong policy of least access (for whoever will access sensitive networks and data) will be a hallmark of Zero Trust. This is especially critical with HIPAA compliance in view, but the approach should even be more granular than this.

“It’s, “No. 1, let’s understand who the user is,” says Bill Mann, senior vice president at Centrify Corp. “Let’s really make sure this is [for example] Bill and let’s make sure we understand what endpoint Bill is coming from – is it a known secure endpoint and what is the security status of that endpoint? And now let’s have a conditional policy, a policy [specifying] someone can have access to something.”

So what are some important technologies and methodologies that will aid this “inside to out” approach to Zero Trust security? They will typically include:

  • micro/network segmentation for granular policy application
  • endpoint hardware type and function (device health)
  • firmware versions
  • OS versions and patch management
  • multi-factor authentication and identity access management (IAM)
  • orchestration
  • analytics
  • incident detections: suspicious activity and attack recognition
  • encryption
  • secure email
  • password management
  • file system permissions, and more.

In terms of implementation, the following practical steps offered by Jonathan Langer present a helpful starting place:

1. Get complete visibility into all connected medical, IoMT, and IoT devices in your environment. By complete, I mean detailed, down to the make, model, serially attached components, embedded software, protocols, etc. that are part of that device.

2. Get buy-in from all relevant stakeholders. It is going to take input from IT, security, Biomed, and clinical engineering teams. Make sure that everyone is aware and onboard with the objectives.

3. Find solutions that can automate as much as possible. As noted, there are a lot of moving pieces and parts, so finding solutions that understand at a granular level what these devices are and how they should be operating within the clinical network is key to being able to automate the ongoing discovery and enforcement you will need to sustain Zero Trust.

The New Normal for Healthcare

It may be that many of the above technologies and approaches are already present in healthcare organizations now operating with cloud-based environments and services. If so, a continual assessment of people and user groups, identity, and authentication of devices should be happening – all with an end-view toward the core needs of patients and caregivers.

This is the “new normal,” the future of healthcare.

It will come as a relief to our clients to know that HIPAA Vault’s Zero Trust approach to security is present in all of our HIPAA-compliant solutions. From our secure hosting to compliant WordPress and email, we design-in features like access controls and two-factor authentication.

End-to-end encryption, intrusion detection, and 24/7 scanning and blocking also add to our multi-layered approach designed to “trust no one” but only approved and authenticated users.

HIPAA Vault is a leading provider of HIPAA compliant solutions, enabling healthcare providers, business organizations, and government agencies to secure their protected health information from data breaches, threats, and security vulnerabilities. Contact us at 760–290–3460 or www.hipaavault.com.