The concept of Zero Trust is catching up with organizations rapidly, and the healthcare industry is not averse to this concept. Hospitals are prone to security breaches, given the nature of confidential data they are privy to.
From a “trust but verify” approach to a “never trust, always verify” approach, there has been a paradigm shift in how medical agencies, hospitals and other healthcare institutions are adopting the zero trust model for managing an ever-increasing threat landscape. Through the implementation of this model, hospitals can aim to strengthen cybersecurity in and out of their network perimeters.
Hospitals are a playground for unethical hackers
Ever since the year 2016, there have been more than 172 ransomware attacks on healthcare agencies, which have cost them more than $157 million in damages itself.
For an unethical hacker, medical records can fetch up to $20,000, when sold in the identity market. Such is the power of unethical hacking in the world of cyberthreats. The medical and health care industry is not equipped to handle the overload of hackable personal data. Medical records contain personal information, like patient names, ages, SSN, and tax identification numbers, which can’t be changed in the blink of an eye.
These pieces of information might seem very basic; however, this could not be further away from the truth. As soon as the information is exposed, the turnaround time to arrive at a resolution gives hackers sufficient time to defraud patients. Simply put, the chase is on; the game of cat and mouse, between hackers and medical agencies, is an uphill battle, which does not seem to have any resolution in plain sight.
The rise of the epidemic Covid’19 has been a game-changer, as it has exposed the severity of the situation. Threat actors are constantly spinning the needle, and pairing with foreign governments, to sell the hacked records to achieve their own selfish financial motives.
As the healthcare industry continues to battle the challenges of limited staffing and dwindling financial resources, the pertinent question is, “Just how feasible would a zero trust model be in such an industry, which is riddled with undisputed disparities?”
Zero Trust – from “trust but verify” to a “never trust, always verify” approach
With zero trust, there is simply no concept of a trusted corporate device or even a network, as a matter of fact. Additionally, there is no idea of an untrusted public network or personal devices either.
The collection of data and its access depends on multiple endpoints, derived from multiple sources. A patient’s data is accumulated through a series of routes, which include hospital and lab records, insurance portals, fitness devices, health portals, amongst many others. Each of these sources is accessed by medical personnel through their phones, laptops, hospital terminals, etc.
Given the multitude of end access points, there are a lot of potential weak chain points, which become the source of a breach in the making. This could result from the access given to internal and external employees, such as third-party vendors and business partners. Add a level of external, unsecure access to this list, and the situation is a recipe for a perfect breach.
As per a US study, close to 58% of these data breaches have occurred from third parties, who had access to these information sources. Forrester concluded in one of their studies, that 41% of healthcare organisations don’t have a valid endpoint security setup, despite the large population of remote workers accessing their network.
Zero Trust – a feasible solution or not?
As this model gets implemented, access to the private networks is on a need-to-have basis, rather than a one-size-fits-all basis. As the model is designed to protect resources, instead of networking segments, it is beneficial for cloud-based assets and remote users alike.
Healthcare institutions make use of medical IoT devices every year, and such devices tend to lack the required security, which makes them an easy target for hackers. Through the zero trust model, healthcare organizations can monitor and track the devices connecting to their internal, private networks. Through regular monitoring, they can identify security risks and address them in the nascent stages, before these incidents become massive breaches.
In an ideal world, such external devices are given the same treatment as any regular, internal devices are given, which can help in implementing a continuous monitoring system. Network driven medical devices have regulated jobs to perform. For example, an IoT device for insulin monitoring only monitors blood glucose information, and further reports it as it is. Hackers can alter and remotely exfiltrate these devices, through the use of crypto miners, which can leak information.
As zero trust continues to get implemented, healthcare organizations can monitor IoT medical devices. All forms of anomalous activities are detected and further reported and blocked, to prevent misuse of stored data. Subsequently, endpoint security and secure access within devices should be ramped up; profile-driven secure access to corporate applications must be made inherent.
Some steps which can reinforce these security measures are as follows:
- Implement a robust security policy through the IT teams
- Hire a CISO as part of the IT team
- Train employees and reiterate the importance of a secure data system in the workplace
- Initiate and reinforce compliance contracts internally and externally with third-party vendors/business partners.
- Given that almost 90% of mobile healthcare apps have been hacked so far, security systems should be geared towards providing security measures on mobiles and other remote devices also.
- Monitor each and every device connecting to the central network, to ensure maximum checks and block unidentified devices/connections.
Implementing it with SDPs
Software-defined perimeters or SDP, as they are commonly known, is yet another step towards making data secure and implementing the policies of zero trust. An SDP restricts the access to a particular network and without the proper validations and proof of requirements, access will not be given to a network. Such is the power of zero trust.
The “trust but verify model” is long dead; the future of data security lies in the “never trust, always verify model”, aka, zero trust. Even though the healthcare industry is just warming up to the idea of internal/external verification procedures, there is still a long way to go.