How hospitals need to shift their thinking about trust
It's a scary world out there. The explosion of internet-connected devices has been matched only by the volume and sophistication of the attacks they are susceptible to. For a hospital IT manager, the stakes here are exceptionally high.
Protected Health Information remains one of the most highly sought-after targets for digital theft, and hospitals are the main repository of that information. Compliance requirements like HIPAA or HITECH, meant to combat these kinds of attacks, have become stricter and pose another set of constraints and challenges for IT administrators.
"Traditional security approaches follow a model where it was enough to keep everything secured inside behind a defined perimeter," says Amanda Rogerson, senior product marketing manager at Duo Security, now part of Cisco.
Now, however, administrators need to "assume that every part of your network is potentially hostile, as if it were directly on the internet, and treat access requests accordingly," she said.
This new posture of "never trust, always verify" is called, aptly, Zero Trust.
It anticipates the existence of cloud programs that may be housed out of network, or the trend of hospital staff using their own mobile devices for work purposes. Rogerson says that because the number of threat surfaces has increased, it is important to "establish trust for every access request, regardless of where the request is coming from."
Zero Trust is not a replacement for an existing security apparatus so much as an augmentation of the systems a hospital already has in place. This shift in thinking brings in measures like Multi-Factor Authentication (MFA) and other policies that treat any attempt to access the network as a possible malicious intrusion.
Nor does this approach mean a slew of new barriers in a workflow where seconds can count. Rogerson says that many of the authentication processes can run in the background of a trusted device, automating the bulk of the work. "Additional user action is only required when they don't meet the trust requirements established by the access controls in place," she said.
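To make the "background trust, step up only when needed" idea concrete, here is an added example of a per-request access policy (my own illustration, not Duo's or Cisco's code). It assumes hypothetical posture signals (device enrolled in management, disk encryption, patch level, age of the last strong authentication) and an assumed 12-hour re-authentication window; the request's network location is recorded but deliberately never used to grant trust.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional, Tuple

class Decision(Enum):
    ALLOW = "allow"      # trust established in the background, no user action
    STEP_UP = "step_up"  # prompt the user for an additional factor (MFA)
    DENY = "deny"        # device cannot meet the trust requirements at all

@dataclass
class AccessRequest:
    user: str
    app: str                        # target application (constructed name)
    managed: bool                   # device enrolled in hospital device management
    disk_encrypted: bool
    os_patched: bool                # OS at or above the required patch level
    mfa_age_minutes: Optional[int]  # minutes since last strong auth; None = never
    on_hospital_lan: bool           # logged only; location grants no trust

MFA_MAX_AGE_MINUTES = 12 * 60       # assumed policy: one strong login per shift

def evaluate(req: AccessRequest) -> Tuple[Decision, List[str]]:
    """Apply 'never trust, always verify': every request is judged on device
    posture and authentication state, never on where it comes from."""
    reasons: List[str] = []
    # Hard requirements: a device failing these cannot safely hold PHI, so no
    # amount of user interaction should let the request through.
    if not req.managed:
        reasons.append("device not enrolled in management")
    if not req.disk_encrypted:
        reasons.append("disk encryption not verified")
    if reasons:
        return Decision.DENY, reasons
    # Soft requirements: satisfiable by an explicit user action (an MFA prompt),
    # which is the only time the clinician is interrupted.
    if req.mfa_age_minutes is None or req.mfa_age_minutes > MFA_MAX_AGE_MINUTES:
        reasons.append("no recent strong authentication")
    if not req.os_patched:
        reasons.append("OS below required patch level")
    if reasons:
        return Decision.STEP_UP, reasons
    # Note that req.on_hospital_lan was never consulted on the way here.
    return Decision.ALLOW, ["device posture and session age within policy"]
```

A request from an unmanaged laptop on the hospital LAN is denied, while a managed, encrypted, recently authenticated device is allowed silently whether it sits on the ward or on a home connection.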
This new approach to security may seem draconian in name or overwhelming in the scope of what it intends to secure, but it needs to be neither. Heightened attention to device validation can go hand in glove with a seamless user experience. At the same time, these policies give organizations better visibility "across users, devices, containers, networks, and applications," said Rogerson.
"Healthcare organizations, unfortunately, have some of the most complex infrastructures to protect, and these systems can literally put lives on the line if they are unavailable or compromised. Implementing zero-trust security should be the next security practice that all organizations adopt - it is the prescription for a more secure future," she said.
Amanda Rogerson will offer more detail during her HIMSS20 session, "Zero-Trust Approach for the HealthCare Workforce." It's scheduled for Tuesday, March 10, from noon-1 p.m. in room W204A.