In NIST SP 800-207, the National Institute of Standards and Technology (NIST) defines zero trust (ZT) as “a new model for cybersecurity” in which a zero trust architecture (ZTA) is “an enterprise cybersecurity architecture that is based on zero trust principles and designed to prevent data breaches and limit internal lateral movement.” One fundamental tenet is that the enterprise must assume no implicit trust, continually analyze and evaluate the risks, and then enact protections to mitigate them.
While organizations in every industry are making security fortification a core focus right now, the healthcare sector in particular must remain especially vigilant. It’s easy to see why:
These factors make healthcare organizations high-value targets for a large and growing number of threat actors who seek to capture this sensitive information and hold it hostage as part of a ransomware attack.
Simply put, you can never be too careful, and you must always be mindful of risks. There’s no such thing as too much caution when it comes to authenticating users and ensuring that data never slips into unauthorized hands. This, of course, is the principle behind zero trust.
Zero trust has been a buzzword in the security space for a while now, but in healthcare, it’s much more than just buzz. There’s a tangible multi-step process that goes into establishing a zero-trust model with healthcare data. According to Forrester, this process includes:
Explicitly verifying the identity of every single user who accesses sensitive data, including PHI.
Using a “least privilege” approach to data accessibility where each user is granted only the access needed based on policy, work role, etc.
Adopting an “assume breach” philosophy, whereby IT is always wary of potential data breaches and ready to remediate them.
Establishing a zero-trust policy is challenging, though. That’s always been the case, but it’s especially true now, as so many employees (and patients!) are operating remotely. This means their devices are remote as well, and they’re often unmanaged. It’s a challenge for healthcare organizations to bring all those devices and all those endpoints together into one secure ecosystem that IT can oversee effectively.
The first step to establishing a zero-trust model is to get complete visibility into your connected devices. This includes not only the desktops, laptops, and smartphones that your employees are using, but also a wide range of connected medical, IoMT, and IoT devices in use throughout clinical departments. Beyond simple visibility, zero trust also requires getting buy-in from stakeholders and ensuring that your entire team is on board with your organization’s security plans.
A great way to get started is with Cisco security solutions. With Cisco’s Secure Access by Duo in your toolbox, you can ensure that only the right users and secure devices are able to access your applications and data, reducing your healthcare organization’s exposure to phishing, compromised credentials, ransomware, and other cybersecurity threats.
The conventional methods of securing healthcare organizations are no longer adequate. Employees and patients alike are increasingly remote and their devices unmanaged, and the number and sophistication of cyberthreats continue to grow. That’s why our team at Zones – alongside our fantastic security partners like Cisco – is working to help you adapt and continuously monitor your security strategies so you can mitigate threats now and in the future.
To start crafting a zero-trust strategy for the health of your organization, read our eBook. We know what it takes to lead you forward and keep you on top of things in this ever-changing security world.