How 'zero trust' networks can help hospitals strengthen cybersecurity
With continuously evolving cyberattacks and new threats emerging all the time, information security professionals are devising new ways of protecting their networks.
Add ‘zero trust networks’ to that list of options.
Zero-trust is an architectural approach to networking that operates on the principle of not believing any one part of a network is safer than any other.
So long traditional flat networks
Traditional network designs use the concept of zones. The zone furthest out, the Internet, is untrusted, and more trust gradually is given to network zones the closer in they are. Thus, a user on the internal network might be able to look at anything and everything once they are inside.
These sometimes are called flat networks, and many of the largest data breaches were on flat networks. Attackers could move from one end of the network to the other without losing access or being challenged.
Zero-trust is designed to eliminate the outside/inside paradigm and recognizes that every attack is an insider attack when attackers can harvest credentials and pose as insiders, said Jeff Pollard, a principal analyst who specializes in cybersecurity at Forrester Research.
“The primary reason zero-trust makes so much sense today is that our networks no longer have an outside,” Pollard explained. “The perimeter has disappeared and organizations of all sizes have multiple third-party connections, data-sharing agreements, hybrid cloud deployments and remote users. Relying on a model that assumes if you are inside the network you must be OK is a recipe for disaster.”
How much security do hospitals need?
Many healthcare organizations must allow multiple parties inside the environment to manage healthcare records or other systems, remotely support agreements on imaging equipment, wirelessly operate vending machines, and afford patients access to their information, Pollard said.
“Each of those alone eliminates a safe zone,” he said. “With that, using zero-trust is the perfect approach.”
To demonstrate the level of protection that is necessary in network security today, consider the following analogy, said Perry Price, CEO of Revation Systems, a cloud-based communication systems firm.
“Where bank vaults with big steel doors and a combination lock were sufficient to protect banks from robbers, today’s cash drawers aren’t, and they’re at risk for being broken into – meaning that the rules regarding who can access assets and when they can access them have drastically shifted,” Price said. “The same type of tightening is occurring in the world of network security today, with zero-trust networks becoming required for organizations to truly protect their data.”
Trust only what you know
Healthcare now has the multitudinous Internet of Things to contend with when it comes to networking.
“For starters, this means an explosion in the number of devices connected in every environment,” Forrester’s Pollard said. “Now every user, every product and every process in our organizations could have an IP address and network connectivity. For hospitals that struggled with too many alerts or too many devices, it’s only going to get more difficult.”
IoT apps and machines, in fact, are creating an expanded attack surface for cybercriminals – more devices, more connections and more data everywhere.
“That’s why zero-trust helps,” Pollard said. “Go from too many unknowns to trusting only what you know.”
And in today’s increasingly chaotic world of cyber-attacks, not trusting a network may be one’s safest bet.