October is Cybersecurity Awareness Month
Throughout the month we will take on cybersecurity subjects that continue to be challenging in healthcare today and ask our experts to weigh in.
Topic 2: Zero Trust
Experts say one of the best approaches to fighting cybercrime for healthcare organizations is Zero Trust, a security framework that relies on strong authentication and authorization for every device and every person before any access or data transfer takes place on a private network. According to an Okta report, 47% of healthcare organizations have a zero trust initiative in place, and 38% have plans to begin one in the next six to 12 months.
We asked what recommendations for those that have plans to adopting strategies? And what recommendations do they have for the 15% of the organizations not in the mix of having or adopting strategies?
David Bailey, EMBA, CISSP, Vice President, Consulting Services, Security, Clearwater
LinkedIn: David Bailey
Healthcare organizations planning to adopt a Zero Trust strategy should prioritize addressing legacy systems that may lack modern security features, ensuring they can support strong identity and access management. Given the complexity of healthcare environments, organizations must map out their IT ecosystems and enforce network segmentation while integrating strong authentication protocols. It’s also critical to assess third-party vendors and ensure they align with Zero Trust principles to minimize security risks. For those not yet adopting Zero Trust, starting small with key elements like multi-factor authentication and tightening third-party access controls can provide immediate security improvements while planning for future integration.
David Finn, Executive Vice President, Governance, Risk, Compliance, First Health Advisory
LinkedIn: David (Samuel) Finn
Zero-trust is a security framework that requires a comprehensive approach to security that ensures every access request is verified and monitored. Just as MFA only accomplishes the full goal if it covers all access, Zero-trust done around specific systems can become a chink in the armor.
Zero-trust is about identifying and verifying the identity of users and devices. So, you will have to have strong authentication (like MFA) and ensure that only authorized personnel can access sensitive data and systems. Unfortunately, this is not typically a strength for most providers – sometimes for very legitimate business reasons, such as understaffing or lack of training on specific systems.
One of the basic premises of ZT is least privilege access, where users get only the minimum level of access needed to perform their job. But this is also a weakness in healthcare. When a caregiver needs to get to a specific system or even a specific patient in a system, this premise can become a roadblock. It also relies on other aspects of security like continuous monitoring and analytics; network segmentation and even micro-segmentation; data encryption (at rest and in motion); endpoint security; training; and ongoing audits and assessments to ensure compliance with ZT principles. All these aspects require people, processes, and technology – and that likely means money. I applaud any organization undertaking ZT initiatives. It will be a heavy lift in healthcare, but every step is progress.
If you’re not yet moving toward a Zero-Trust framework, there are still some steps you can take to boost your cybersecurity risk posture:
- Strengthen the identity and access management processes/tools you do have including MFA and roles-based access controls.
- One of the easiest things to do is step up regular security training: Conduct regular training for all staff focusing on recognizing phishing attempts, best online practices and the importance or recognizing and reporting suspicious activity.
- Network segmentation can help limit the spread of malware and isolating critical systems and data from less secure areas is always a good idea.
- There’s also the regular list of things you know you should be doing: advanced threat detection; patch management and updates; encryption; third-party risk management; robust and secure backup and recovery solutions; and, perhaps most importantly, plan and update incident response plans and conduct drills to ensure staff is prepared to respond appropriately and effectively to cyber incidents.
Addressing these challenges requires a comprehensive approach that includes regular training, robust security policies, effective incident response plans, and running regular exercises, as well as simulated phishing exercises to reinforce that training and awareness of new issues.
We see a tremendous uptick in Multi-Factor Authentication (MFA) in the sector, but it tends to be on the remote-access systems that people think are at the most risk, such as EMRs, financial systems, or other clinical systems. Where we don’t often see it is on the email itself, which becomes the front door. You always must have the basics in place: email filtering and security; regular software updates and patching, and, of course, monitoring tools and analytics looking at email traffic and end-user behavior.
Chad Holmes, Security Evangelist, Cynerio
LinkedIn: Chad Holmes
The improving adoption rates of Zero Trust methodologies are a positive sign, but still have a very long way to go. These approaches are conceptually simple, but become incredibly complex in reality, particularly when patient care must take priority over protections which may be reasonable in other industries. For example, in-process surgical procedures often can not run the risk of delays due to 2FA or password resets. Further, there is increased awareness that Zero Trust efforts are not one-time engagements, but instead a fundamental shift in how networks and the assets on them are managed. This means budget, staffing and resource planning must be updated as the levels of effort are better understood.
That said, there are some amazing technologies designed specifically to speed Zero Trust adoption in healthcare environments, including Cynerio’s Healthcare Cybersecurity Platform. These offerings are designed to deploy quickly, map networks, identify connected devices, create segmentation policies, test those policies, and minimize the effort needed to review and deploy those technologies. Any hospital exploring Zero Trust options should actively reach out to Cynerio (and our competitors) to understand the cutting edge technologies and approaches available to them.
Neil Jones, CISSP©- Director of Cybersecurity Evangelism, Egnyte
LinkedIn: Neil K. Jones
Zero Trust programs are an effective way to improve cybersecurity protection, but they require proactive management on an ongoing basis.
For the 85% of organizations that are adopting Zero Trust strategies, my recommendations are as follows:
- For Zero Trust initiatives to make a real impact, you need to look beyond your employee base to all users who access your infrastructure, including business partners, third-party contractors, interns, etc. Without a comprehensive approach, a single user that isn’t included in the program could put your entire IT infrastructure into jeopardy.
- Data access should be based on users’ “business need to know.” For example, a Marketing employee should have access to their payroll information, but not to the payroll information for the company as a whole. More expansive access to payroll information should be reserved for groups such as Human Resources, Finance and your executive team. Although this might seem like a far-fetched example, the business reality is that user permission mismatches occur all of the time.
- A proverbial “Achille’s Heel” for many organizations that adopt Zero Trust frameworks is that they carefully manage users’ access to data while they’re working for or collaborating with the company, but they aren’t so careful about disabling users’ access when users leave the company or move on to different projects. Inactive accounts are very attractive to potential cyberattackers, so IT access should be terminated when users no longer require access, and data access permissioning should be updated when users move to different roles.
For the remaining 15% of organizations that don’t have a Zero Trust program in place, my recommendations are as follows:
- If budgetary constraints are preventing you from adopting such a program, there are fairly simple and inexpensive ways to manage Access Control, including routinely updating your Active Directory contacts, for example.
- Remind your executive team about the potential risks associated with permissive user policies, including the possibility of data breaches and remote attacks that could disable your organization for an extended timeframe.
- Consider a formal audit of users’ access to sensitive content, which is likely to reveal that your sensitive data is way more exposed than you might realize.
Finally, I prefer to look at this as a “trust but verify” approach, rather than a “zero trust” approach, because fundamental trust of your users is imperative to business productivity and organizational success.
Karthik Kanakaraj, Enterprise Architect, HSBlox
LinkedIn: Karthik Kanakaraj
Zero Trust works on the principle that no user, device, or application should be trusted by default, even if they are within the network perimeter. A key first step in applying this model is the implementation of micro-segmentation to ensure that interactions between entities are highly secured by isolating different parts of the network. Continuous network traffic monitoring and anomaly detection are important to proactively identify and prevent potential breaches, unauthorized access attempts, malware infections, and other suspicious activities. Controlling access to data and managing authentication, authorization, encryption, and least-privilege access controls are critical aspects of information security in the field of healthcare, closely aligned with SOC 2 Type II and HITRUST compliance certifications. Multi-Factor Authentication (MFA) is a pivotal tool in achieving Zero Trust Security. MFA requires users to submit two or more forms of authentication that fall under these four categories: Knowledge (PIN), Inherence (biometrics like fingerprint, voice, etc.), Device possession (USB key, token, etc.) and Location (via GPS tracking). The flexibility available to increase the number of factors required to authenticate identity makes MFA a core component of Zero Trust Architecture and is a must for any organization dealing with healthcare data.
Nick Kathmann, CISO, LogicGate
LinkedIn: Nicholas Kathmann
Zero Trust is one of the most misunderstood topics in cybersecurity – it has been used in a variety of different ways by a broad range of vendors, creating confusion in the market over what it actually means. At its core, it simply means authenticate, authorize, and continuously validate every request to every service. This is a great strategy and does work when you control all aspects of the technology stack, however in the medical field it’s not always that simple.
In the medical field, there is a tremendous level of vendor lock-in and technology selection as a result. There just aren’t that many EMRs out there, nor are there thousands of MRI/CAT/XRay machine vendors competing with each other. Each of these technology choices comes with its own specific implementation methodologies, prescribed architectures, and supported IAM mechanisms. This can dictate architecture decisions as important as Active Directory trust strategies, and can lead to a plethora of different subsystems within a healthcare organization that have differing levels of zero trust implementation, if any at all, and a mix of IAM support.
In the medical field, security measures can sometimes slow operations and hinder patient care, making it crucial to strike a balance between security and accessibility. Each new login portal takes time to navigate, and waiting for (and entering) a multifactor authentication (MFA) token can take several minutes. Over time, that can add up – and patients can’t always afford to wait.
While zero trust can be valuable for some healthcare professionals, such as patient concierges, it could be life-threatening if too many differing access methods are enforced on personnel responsible for life-saving care, like surgeons. The first hour after a patient suffers a traumatic incident is known as the “Golden Hour,” where timely care is critical and highly indicative of recovery.
So, how can hospitals and other care facilities achieve a healthy balance? Every solution involves tradeoffs and requires thorough assessments of potential risks to inform decisions. For example, using biometrics for MFA instead of MFA hardware tokens could speed up access without compromising security – assuming it takes into account most medical professionals will be wearing gloves!
Ultimately, the best security programs are those that enhance security without negatively impacting patient care or endangering lives. If IT teams and healthcare executives are still uncertain about adopting a zero trust approach, they should carefully assess their own technology stacks and perform a gap assessment before implementing potentially unsupported strategies.
Rob T. Lee, Chief of Research and Head of Faculty, SANS Institute
LinkedIn: Rob T. Lee
For healthcare organizations seeking to adopt zero trust models, many already know to make sure their users, devices, and applications are properly authenticated, or that regular patch management is essential. Any cybersecurity expert would tell you that. But what many organizations don’t realize is the importance of fostering a strong security culture in addition to having zero trust and other protective measures in place. Employees often view security as a barrier to creativity, but this perspective is misguided and can result in risky “workarounds.” Promote a strong security culture built on confidence in addition to robust security measures like zero trust, rather than just focusing on the latter.
For the healthcare organizations not considering Zero Trust, the risks are much higher. If transitioning to Zero Trust feels too daunting, start small with multi-factor authentication and endpoint security, which can still provide meaningful protection. Let HIPAA compliance also be a key motivator in these endeavors – as failing to enhance security measures can lead to cyberattacks and regulatory penalties.
Bridget O’Connor, COO, Fortalice Solutions
LinkedIn: Bridget S.
Adopting a Zero Trust security framework is vital for healthcare organizations. For those planning to implement it, start by assessing your security posture, identifying all devices and users, and establishing robust authentication methods like multifactor authentication (MFA). Network segmentation and continuous monitoring are also crucial.
For the 15% not pursuing Zero Trust, focus on basic security principles such as strong identity management and least-privilege access. Invest in employee training to build a security-aware culture and identify areas for improvement.
George Pappas, CEO, Intraprise Health
LinkedIn: George C. Pappas, CFCHE
Zero Trust is a powerful strategy with multiple layers of security, user friction, and potential costs. For those adopting this approach, start with the fundamentals – identify proofing, hard authentication, stricter credential management, and simplified network micro-segmentation. Keep in minds that the more you subdivide and challenge access, the higher your user friction and network management costs. Be transparent about the impact on users – implement changes gradually, communicate clearly, and explain the trade-offs your network team has made for the greater good. Listen and be open to adjustments based on user feedback.
To the organizations that have not started yet; start small. First, ensure that your network and system admin servers are locked down (one of the favorite ways hackers gain control – stoppable with some more elbow grease). Second, implement a dynamic, frequent phishing simulation across all major devices, and enforce stricter access controls for users who fail to identify phishing attempts. Third, adopt user authentication through one of the many available authenticator apps; it provides a stronger “front door” than traditional user/password and text code verification. Finally, take initial steps to segment your network into larger groupings that isolate protected health information (PHI) without significantly disrupting your current application and user workflows.
Cecil Pineda, Chief Information Security Officer and Senior Vice President, R1
LinkedIn: Cecil P.
It’s important to focus on a few key areas to ensure a strong and resilient security posture. One is enforcing multi-factor authentication (MFA) across all systems. Even for smaller applications that may not handle sensitive data, MFA is critical because cyber attackers can exploit weak or reused passwords to gain access to seemingly low-risk systems. Once inside, they can pivot to more critical parts of the network. Another is continuous awareness and training. Attackers often pose as trusted individuals, so employees must be cautious when receiving second-factor authentication requests, Regular education on these tactics, along with simulated phishing tests, can help reinforce this vigilance. Also, in addition to encouraging employees to use strong, unique passwords across systems, organizations should consider using password managers to minimize the risk of password reuse and storing credentials in insecure places like Excel files or notes on phones.
For those not yet planning to adopt such strategies, it’s critical to start small but immediately – the threat landscape in healthcare is too vast to ignore. They can begin by implementing MFA on all systems, especially legacy applications that may not have robust encryption for passwords. Many cyberattacks succeed because employees aren’t aware of the dangers, so implementing security awareness programs and emphasizing the importance of reporting suspicious activity is key. Also, many older systems are not designed with modern security in mind, so prioritizing security upgrades to protect them from being weak entry points for attackers is important.
Rodman Ramezanian, Global Cloud Threat Lead, Skyhigh Security
LinkedIn: Rodman R.
To those planning on adapting these strategies I would say, as with anything, there are associated blind spots to consider. To mitigate the vast number of growing risks, complement any Zero Trust initiative with continuous monitoring and analytics, multi-factor authentication (MFA), and, of course, identity and access management (IAM). By integrating these technologies and strategies, healthcare organizations can trust that their zero trust security is robust and that the threat of breaches is minimized.
To the 15% of organizations that have not and do not have plans to adopt Zero Trust, I would say if you are not investing in a solution that protects your data – regardless of how, where, or on what it’s accessed from – frankly they’re wasting their money and time. The fundamental tenet of Zero Trust is “never trust, always verify” so that your sensitive data and applications are securely protected. To not have this safeguard in place puts your patients’ sensitive data and organizational security at constant risk.
Heather Randall, PhD, Chief Compliance Officer, TrustCommerce, a Sphere Company
LinkedIn: Heather Randall, PhD
Implementing ZTNA can be extremely complex but offers significant advantages to organizations looking to improve their security posture. For those companies that are in process or about to begin their implementation, it is important to involve all of the stakeholders in the process and clearly define the scope and objectives of the project. Alignment and buy-in is critical for success. For those that are not implementing ZTNA, I would recommend undertaking a thorough risk analysis to demonstrate why such a project may not currently be justified, and detailing how the organization is currently monitoring and mitigating risks that may otherwise be addressed by ZTNA architecture. Even if it’s not feasible in the moment for reasons of cost or complexity, continue to re-evaluate periodically as your organization’s risk landscape evolves.
Lance Reid, CEO, Telcion Communications Group
LinkedIn: Lance Reid
While Zero Trust is a critical security framework for healthcare organizations, the numbers around actual adoption tend to be inflated. Many organizations are interested, but once they realize the costs, Zero Trust becomes a lower priority. For those who do have plans to adopt, start by setting clear goals and mapping out access for users and applications. The most significant hurdle is often an outdated network infrastructure, which requires upgrading before Zero Trust can even be implemented. Proper planning, including working with a trusted vendor partner, will ensure a smoother transition to this robust security model.
David Slazyk, Chief Information Officer, Nextech
LinkedIn: David Slazyk
Zero Trust initiatives are critical, especially in healthcare, an industry that handles large amounts of sensitive patient data. Risk mitigation is one of our best defenses against cybercrime, which is why leadership must be ready to implement the Zero Trust framework into the long-term cybersecurity strategy. My recommendation to organizations who have not yet adopted Zero Trust is to demonstrate the value of risk mitigation by showing leadership how this framework continuously assesses risk. Key decision makers and stakeholders must commit, beyond finances, to implement and exercise the Zero Trust framework and be proactive in their approach to complex, evolving cyberattacks. Healthcare organizations can no longer stay stagnant. With board and executive support for Zero Trust strategies, health leaders take vital steps toward a safer, more secure future for patient data.
Nandy Vaisman, VP of Operations & CISO, Vim
LinkedIn: Nandy Vaisman
First and foremost, start small but think big in order to best focus on your “crown jewels” first. Rome wasn’t built in a day, and neither is Zero Trust.
The next component would be to know your kingdom in order to best map out your digital realm, which includes every device, user, and data flow. This comprehensive understanding will support a smooth, gradual implementation, especially if you use pilot projects. These initial steps will naturally lead to strengthening identity management, a key foundation of Zero Trust.
Finally, staying vigilant and ensuring the entire organization is on the same page, from the interns to the CEO, is crucial. The understanding of cybersecurity goals combined with robust monitoring and verification will create an environment of safety and little confusion, so should there be an issue, work is already being done to right the wrong.
Zero Trust is becoming a standard for robust cybersecurity, so as threats evolve, focusing on protecting critical assets and assuming potential compromise is increasingly important.
For direct recommendations I wanted to keep it short and sweet. Assess your current security to understand your vulnerabilities and risks so you’re able to adapt and make changes where needed. Stay informed, make sure you are continuously learning earn about Zero Trust benefits in healthcare or your specific industry. Begin small by trying aligned practices like enhanced access controls. Consider long-term impact by thinking about regulatory trends and data protection.