Zero trust in healthcare IT networks secures all access across applications and environments, from any user, device, and location.
What is zero trust? Some might assume it means starting with trust and then verifying trustworthiness. Zero trust is defined by the (US) National Institute of Standards and Technology (NIST) as “Never Trust, Always Verify”. The difference is critical: you always start with no trust. For Healthcare IT networks, this means securing all access across applications and environments, from any user, device, and location.
Network security has evolved
Let’s start with the traditional way of securing a network by segmenting it into two parts – inside and outside of the enterprise network. Inside the network you have implicit trust, so any authorized user and device can have access to the network and specific resources, via LAN and/or WLAN. The same approach is used for guests, such as contractors or customers – typically for Internet access only. A physical boundary between the enterprise network and the outside world is established using a firewall or Intrusion Detection System (IDS). With this approach, users and devices are generally trusted on the inside and untrusted on the outside.
It didn’t take long for cyberhackers to figure out how to access these “secure” networks from the outside. The primary means of gaining a foothold in systems and networks is a phishing email that an unwitting employee opens, which installs some form of malware. These programs can steal credentials for access to various applications and systems, exfiltrate employee and patient information, and/or lock up an entire hospital network. Attackers also target network-connected (wired or wireless) medical devices, which has a direct impact on patient safety and even life.
In a 2020 HIMSS survey [1], 70% of respondents indicated that their hospital organizations had experienced significant security incidents in the preceding twelve months, while 61% of these respondents indicated that they did not have effective mechanisms in place to detect patient safety issues related to these incidents. This is alarming considering that 80% of respondents also indicated they still have legacy systems in place, which are not well equipped to handle cyber-attacks.
Ransomware leads the way in healthcare IT network threats
The growing cybersecurity threat in healthcare is ransomware. Bad actors install malicious software designed to block access to computer systems and applications until a sum of money is paid, usually in cryptocurrency. This activity has a financial and public image impact on hospitals and healthcare providers.
A new report by The Ponemon Institute [2] indicates that 43% of respondents had experienced at least one ransomware attack, with 33% experiencing two or more. These ransomware attacks caused delays in procedures and tests that resulted in poor outcomes (70% of respondents). Additionally, 61% said the attacks led to an increase in patients transferred or diverted to other facilities, while 36% said they were responsible for increased complications from medical procedures.
The most extreme consequence ransomware can have on hospitals and health care centers is the death of patients. Out of those surveyed, 22% said it increased the mortality rates in their respective hospitals.
Healthcare providers need to use more effective means to protect their networks and their patients from these types of attacks. A zero trust network starts with trusting no user or device, from any location – either inside or outside of your network. Every user and device must be authenticated and verified, regardless of whether they are local or remote.
So, how do we do this?
The new way of securing your healthcare IT network
You start with a network architecture that supports both macro- and micro-segmentation. Macro-segmentation involves logically partitioning a network’s physical elements: set up a virtual network for each physical network element or group of elements, for example grouping security cameras, electronic door locks and access systems into one logical/virtual group. Then you put medical devices/IoT into another group. Next, you put EMR into a third group, the finance department into a fourth, and so on. This prevents a breach of one logical segment from providing an entry point into any other logical segment.
Now that we have the physical elements/departments of the hospital virtually segmented and secured, we need to make sure that each macro-segment is also secured from within. This is where micro-segmentation comes into play. Micro-segmentation involves identifying the users and devices that access each micro-segment and defining which network resources and applications they can access and from which locations.
This is done by setting up profiles for individuals, or groups of individuals, with the same access rights. Those rights include a set of policies (or rules) that define user and device access rights within the hospital and directly relate to the principle of least privilege. This is role-based access where you only get access to the specific resources you are authorized to use. Access can include location and time-based restrictions to add more granularity to each policy.
Roles and policies should be software defined to enable a secure and dynamic environment which can enforce risk-based and adaptive policies, for all users, devices and systems.
The same needs to be done for LAN/WLAN connected devices, medical or otherwise. When a device is first connected to the hospital network, it needs to be authenticated, classified and provisioned before it can securely access the network. This entire process needs to be automated, as manually handling the large number of IoT devices connecting to a hospital network is very time intensive, error prone and not practical.
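As an added example (not code from this blog or from ALE), here is a minimal policy engine that applies the profile, role, location and time rules described above with a default-deny stance, and that quarantines a device that has not completed the authenticate/classify/provision step. The segment names, roles, resources and locations are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import time

# Macro-segments: logical groups of physical elements (constructed sample).
SEGMENTS = {
    "building-systems": {"camera-01", "door-lock-ward3"},
    "medical-iot": {"infusion-pump-12", "patient-monitor-4"},
    "emr": {"emr-app", "emr-db"},
    "finance": {"billing-app"},
}

@dataclass(frozen=True)
class Policy:
    """One least-privilege rule: a role may reach the named resources only
    from the listed locations and only inside the time window."""
    role: str
    resources: frozenset
    locations: frozenset
    start: time = time(0, 0)
    end: time = time(23, 59)

@dataclass
class Request:
    user_role: str
    device_state: str   # "provisioned" only after authentication + classification
    location: str
    resource: str
    at: time

# Role profiles (constructed): nothing not listed here is reachable.
POLICIES = [
    Policy("nurse", frozenset({"patient-monitor-4", "emr-app"}), frozenset({"ward-3"})),
    Policy("biomed-tech", frozenset({"infusion-pump-12", "patient-monitor-4"}),
           frozenset({"ward-3", "biomed-lab"}), time(7, 0), time(19, 0)),
    Policy("finance-clerk", frozenset({"billing-app"}), frozenset({"admin-office"}),
           time(8, 0), time(18, 0)),
]

def segment_of(resource):
    """Return the macro-segment a resource belongs to, or None if unknown."""
    return next((s for s, members in SEGMENTS.items() if resource in members), None)

def evaluate(req: Request) -> str:
    """Default deny: a request is untrusted until a policy explicitly allows it.
    Returns 'allow', 'deny', or 'quarantine' (device not yet provisioned)."""
    if req.device_state != "provisioned":
        return "quarantine"          # hand the device to the firewall/NAC for assessment
    if segment_of(req.resource) is None:
        return "deny"                # a resource outside every segment is never reachable
    for p in POLICIES:
        if (p.role == req.user_role and req.resource in p.resources
                and req.location in p.locations and p.start <= req.at <= p.end):
            return "allow"
    return "deny"
```

Every decision path returns a value, so the engine's output can be logged and fed to the monitoring described later in the post.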
What about the network backbone?
Let’s not forget about the network backbone. There’s typically implicit trust in the backbone since uplinks are not typically authenticated or encrypted. This leaves the network vulnerable to man-in-the-middle, sniffing and other attacks. The solution is software-defined micro-segmentation in the backbone, which must be dynamic and service-oriented; a statically defined scheme would be impractical.
A final step is firewall/IDS integration. This step involves sharing user/device policies between the network/policy management system and each firewall/IDS. This is so any potential breach, from inside or outside of the network, can be detected by the firewall. Then a coordinated effort with the management system can quarantine a user and/or device for further assessment.
Once this is set up you need to constantly monitor the network as well as users and medical/non-medical devices to ensure that the behavior is as expected.
Evolving from a traditional/legacy network to a zero trust network is not always simple, but it can be done in a phased approach. The risks of not evolving to a zero trust network are great and as you’ve seen, can directly impact the quality of patient care and at the extreme, human life.
I would like to acknowledge Patricio Martello for his technical expertise on zero trust networks and Heitor Faroni who offered some practical insights in a joint webinar he and I delivered for HIMSS, and which I used as the basis for this blog.