Health systems adopt zero trust approach to secure networks, devices

"Zero trust flips the security model: Instead of 'trust but verify,' organizations 'always verify but never trust,'" one security expert explains.
By Nathan Eddy
03:52 PM

Healthcare providers are increasingly moving towards a "never trust, always verify" approach, also known as the "zero trust" security model, in order to protect networks and devices against an expanding threat landscape.

As one of the most targeted and breached industries, and the one holding on to the most sensitive type of data, zero trust networks can help hospitals strengthen cybersecurity inside and outside of the network.

"The key objective is achieving a state where you are making sure every transaction is being conducted by an entity with the authority to do it," said Dr. Saif Abed, founding partner and director of Cybersecurity Advisory Services.

"This process of making sure that both those within and outside your network are being held accountable is a very powerful way to get control of a network."

He explained that taking a zero trust approach ensures that you are validating the behavior of an endpoint and reducing the risk it presents to itself, other endpoints and ultimately patient safety.

"We have so many devices now within a network that it can be a real nightmare to manage and keep track of them all," Abed noted. "Misconfigurations, default settings and inherent vulnerabilities make it all too likely that these endpoints will be exploited as a means to attack a network."

Because these IoT medical devices are sharing information with so many other endpoints, they can be powerful vectors for damage, he cautioned.

"We have to remember that their objective, as it should be, is to deliver effective patient care," Abed noted. "Badly deployed security practices that hinder this will be bypassed and that behavior will become entrenched."

He said it is therefore critical that security professionals engage with the clinical frontline to understand their workflows before they implement a heavier-handed approach, no matter how secure it sounds on paper.

Sam Kassoumeh, COO and cofounder of SecurityScorecard, said the concept of zero trust is advantageous whenever a resource is connected to a public network, or whenever an expected user-base is large enough that a percentage of traffic will always be malicious – either through misuse or unauthorized access.

"Zero trust flips the security model: instead of 'trust but verify.' organizations 'always verify but never trust,'" he explained.

Kassoumeh pointed out that healthcare providers use more mobile applications every year, and the embedded applications in medical IoT often lack security.

"A zero trust model makes sure that healthcare organizations can monitor all attempts at exploiting the vulnerabilities inherent in these web applications and connections," he said. "If they can monitor the devices connecting to their networks, they can get visibility and alerts around security risks."

In essence, zero trust gives healthcare a way to treat these risky devices the same way it treats its traditionally secured devices, incorporating them into its continuous monitoring strategies.

"Network-connected medical devices usually have a specific job to do, unless a malicious actor inserts malware that changes how they act," Kassoumeh said  "For example, an insulin monitoring IoT device only takes in blood glucose information and reports it. To use it, the malicious actors need to alter it, remotely exfiltrate information or deploy additional malware, such as crypto miners."

With zero trust, healthcare organizations have the potential to monitor IoT medical devices, because any anomalous activity would be detected and reported/blocked before it could proliferate.

"Healthcare is often a reactive and compliance-driven industry and needs to move towards a proactive approach," Kassoumeh said. "So while healthcare IT workers know what to do, getting the buy in to switch their mentality may require additional preparation."

He explained stumbling blocks for moving toward zero trust revolve around balancing "functionality" with "security." If something is too secure, it won't function. If something is too functional, it won't be secure.

"Healthcare workers need to prepare for increased multi-factor authentication and decreased device sharing as part of this functionality and security balance," he said. "Both of these become problematic in time-sensitive situations such as emergency rooms where access may need to be immediate as part of saving a life."

That means creating the balance between security awareness, functionality and security needs to be addressed fully as part of a zero trust strategy.

Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, explained that, in industries with particularly sensitive volumes of data and broad surface attack areas, such as healthcare, what you want to be able to do in the eyes of the public and regulators is prove that you are taking a bold step towards greater security.

"When people say zero trust, they're basically saying they're going to do security at a very high level, and they can say they are looking at everything: your hypothesis is, everything is broken."

He noted that from a security perspective, healthcare historically has been a "slow-moving train" and only recently has security improved – due to massive data breaches.

Ponemon also pointed out that there's "quite a bit of pressure" on the healthcare industry to improve security in the face of threats like the hacking of IOT devices, and because the consequences of security failure are vast.

He said there's been a reorientation towards building better security protocols for hospitals, but currently it's more of a mix of strategies, and that overall, healthcare security has to become wider, deeper and more significant. That means a zero trust approach.

"In order to build the right security protocols, you need that zero trust system," he said. "You can't build to a low-probably threat level as you would have in the past."

Nathan Eddy is a healthcare and technology freelancer based in Berlin.
Email the writer: nathaneddy@gmail.com
Twitter: @dropdeaded209