Zero Trust Architecture in Healthcare Institutions

About:

In this executive summary, we discuss the adoption of Zero Trust Architecture by XYZ, a healthcare organization that already has a security program in place. The intent of this summary is to provide a brief overview of what Zero Trust is, the benefits it offers an organization, and the considerations prior to adoption.

Definition:

The National Institute of Standards and Technology (NIST) [1] describes Zero Trust Architecture (ZTA) as a security model and a cybersecurity and system-management strategy grounded in the understanding that threats exist both inside and outside the traditional network boundary. To eliminate implicit trust in any one element, component, node, or service, and instead enforce continuous verification of the operational picture using real-time information from multiple sources, a zero-trust security model follows the principle of 'never trust, always verify': every access request is evaluated on its own merits, and a request's origin inside the network perimeter grants it nothing. A ZTA model protects users, devices, network infrastructure, application workloads, and data, supported by the visibility and analytics, and automation and orchestration, capabilities that each organization defines for itself.

Potential Impact:

Securing patient information is critical to every healthcare organization. According to the American Hospital Association, cybersecurity in a healthcare organization encompasses patient data safety, enterprise risk, and strategic priority [2]. A Zero Trust Architecture approach would reduce the risk of unauthorized access to patient data. Where traditional approaches rely on perimeter defenses and trust users once they are inside the network, Zero Trust treats all users, devices, and applications as untrusted until verified. According to UpGuard and BitSight, the healthcare industry had the highest data breach costs, with an average cost of USD 10.10 million in 2022, 9.4% more than in 2021. Bringing Zero Trust principles to healthcare, and thereby taking a more proactive stance, is a first step toward reducing the likelihood and cost of data breaches [3]. One of the first practical steps toward ZTA in any organization is enforcing Multi-Factor Authentication (MFA), which denies access to anyone who holds only a stolen or guessed password. Similarly, micro-segmenting the network not only contains a future breach to the segment where it starts but also makes post-incident recovery easier and faster. Alongside its HIPAA compliance obligations, XYZ can institute a zero-trust architecture that requires strict, rigorous, and continuous identity verification to minimize trust zones and the associated risk of breaches; in doing so it can reduce its exposure, strengthen its information security, and prevent or limit successful security breaches [4].
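To make the per-request verification concrete, the following is an added Python example written for this summary; it is not code from NIST, from the cited papers, or from XYZ. It implements the decision logic a zero-trust policy engine applies to each request: an MFA check with a freshness limit, a device-posture check for patient data, and a least-privilege role map that denies anything not explicitly granted. The resource names, roles, the 8-hour MFA validity window, and the sample requests are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Constructed resource catalogue (assumed names); "phi" marks resources holding patient data.
RESOURCE_TIER: Dict[str, str] = {
    "ehr.patient_record": "phi",
    "ehr.scheduling": "internal",
    "intranet.cafeteria_menu": "public",
}

# Least-privilege map: role -> resource -> actions explicitly granted (assumed roles).
# Anything absent is denied; there is no "allow by default" path.
ROLE_PERMISSIONS: Dict[str, Dict[str, Set[str]]] = {
    "nurse": {"ehr.patient_record": {"read"}, "ehr.scheduling": {"read", "write"}},
    "physician": {"ehr.patient_record": {"read", "write"}, "ehr.scheduling": {"read"}},
    "billing": {"ehr.scheduling": {"read"}},
}

# How long a completed MFA challenge stays valid before the user must re-verify (assumed value).
MFA_MAX_AGE = timedelta(hours=8)


@dataclass
class Subject:
    user: str
    role: str
    mfa_verified_at: Optional[datetime]  # None means MFA was never completed


@dataclass
class Device:
    device_id: str
    managed: bool    # enrolled in the organisation's device management
    compliant: bool  # passed posture checks (patched, encrypted, endpoint agent running)


@dataclass
class Request:
    subject: Subject
    device: Device
    resource: str
    action: str
    now: datetime


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)


def decide(req: Request) -> Decision:
    """Evaluate one access request from scratch; nothing is inherited from
    earlier requests and the client's network location is never consulted."""
    tier = RESOURCE_TIER.get(req.resource)
    if tier is None:
        return Decision(False, ["unknown resource: default deny"])
    if tier == "public":
        return Decision(True, ["public resource"])

    reasons: List[str] = []

    # 1. Identity: MFA must have been completed, and recently enough.
    if req.subject.mfa_verified_at is None:
        reasons.append("MFA not completed")
    elif req.now - req.subject.mfa_verified_at > MFA_MAX_AGE:
        reasons.append("MFA older than %s; re-verification required" % MFA_MAX_AGE)

    # 2. Device posture: patient data only from managed, compliant devices.
    if tier == "phi" and not (req.device.managed and req.device.compliant):
        reasons.append("device is not managed and compliant; PHI access refused")

    # 3. Least privilege: the role must explicitly grant this action on this resource.
    granted = ROLE_PERMISSIONS.get(req.subject.role, {}).get(req.resource, set())
    if req.action not in granted:
        reasons.append("role %r has no %r permission on %r"
                       % (req.subject.role, req.action, req.resource))

    return Decision(not reasons, reasons or ["all checks passed"])


def demo() -> List[Decision]:
    """Constructed requests exercising each check; expected outcomes are in the comments."""
    now = datetime(2023, 11, 1, 9, 0, tzinfo=timezone.utc)
    laptop = Device("ws-0142", managed=True, compliant=True)
    byod = Device("phone-byod", managed=False, compliant=False)
    nurse = Subject("jdoe", "nurse", now - timedelta(minutes=5))
    stale_nurse = Subject("jdoe", "nurse", now - timedelta(hours=9))
    visitor = Subject("guest", "visitor", None)
    cases = [
        Request(nurse, laptop, "ehr.patient_record", "read", now),       # allow
        Request(nurse, laptop, "ehr.patient_record", "write", now),      # deny: not granted to nurses
        Request(nurse, byod, "ehr.patient_record", "read", now),         # deny: unmanaged device
        Request(stale_nurse, laptop, "ehr.scheduling", "read", now),     # deny: MFA too old
        Request(visitor, byod, "intranet.cafeteria_menu", "read", now),  # allow: public resource
    ]
    return [decide(c) for c in cases]


if __name__ == "__main__":
    for d in demo():
        print("ALLOW" if d.allow else "DENY ", "; ".join(d.reasons))
```

Running the block prints one line per sample request. The point to notice is that the nurse on an unmanaged phone is refused the same record she can read from a managed workstation, and that a user whose MFA is nine hours old is refused even a low-sensitivity resource until re-verification: the decision depends on the request's current context, never on a previously established session or on being "inside" the network.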


Recommendations:

Healthcare organizations face unique challenges in transitioning to a zero-trust network architecture due to the limitations of the legacy systems and medical devices on their networks. In a paper by Tyler and Viana, the authors provide a framework tailored specifically to the healthcare industry [5]. They point out that before instituting ZTA, an organization, whether small or large, must consider that it may struggle to finance many firewalls at once, to implement a common architecture compatible with the different operating systems in use, and to complete the rollout quickly, since it cannot risk interrupting patient care for long. A second point is that IT support at XYZ must have the resources for continuous monitoring: the ongoing collection and analysis of network flows, logs, and device telemetry to confirm that the network is behaving in accordance with the zero-trust policy. Packet-level tools such as Wireshark are useful for investigating individual flows between devices, but they are a spot check, not a substitute for continuous monitoring itself. Lastly, before finalizing the zero-trust model and again while operating it, current access control policies and permissions must be reviewed and updated, and the team should identify where it can enforce the principle of least privilege (PoLP), granting only the minimum access and permissions necessary to perform a task, in order to limit the damage an insider threat or a compromised account can do. To summarise, although there are several critical factors to consider before implementing ZTA, this proactive and security-centric approach is essential for protecting digital assets at XYZ Healthcare.
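The continuous-monitoring recommendation above can be made concrete with a check that compares observed network flows against a micro-segmentation allow-list. The Python below is an added example written for this summary; it is not from any of the cited papers or from XYZ. The segment address ranges, the allow-listed segment pairs and ports (including 2575, assumed here as the HL7 port between medical devices and the EHR), and the NetFlow-like log lines are all constructed for illustration. Because it consumes flow records exported by switches or firewalls rather than anything running on the endpoint, it also covers medical devices that cannot host an agent.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Set, Tuple

# Constructed segment map (assumed ranges, not XYZ's real addressing).
SEGMENTS = {
    "clinical_workstations": ipaddress.ip_network("10.10.0.0/24"),
    "medical_devices": ipaddress.ip_network("10.20.0.0/24"),
    "ehr_servers": ipaddress.ip_network("10.30.0.0/24"),
    "guest_wifi": ipaddress.ip_network("10.40.0.0/24"),
}

# Allow-list of (source segment, destination segment) -> permitted destination ports.
# Any flow that does not match an entry is a policy violation (default deny),
# including traffic between two hosts in the same segment.
ALLOWED_FLOWS: Dict[Tuple[str, str], Set[int]] = {
    ("clinical_workstations", "ehr_servers"): {443},
    ("medical_devices", "ehr_servers"): {2575},  # HL7 over MLLP, assumed port
    ("ehr_servers", "medical_devices"): {2575},
}

# Constructed flow records in a NetFlow-like text form: timestamp src dst dport proto
SAMPLE_FLOWS = """\
2023-11-01T09:00:01Z 10.10.0.15 10.30.0.5 443 tcp
2023-11-01T09:00:02Z 10.20.0.8 10.30.0.5 2575 tcp
2023-11-01T09:00:03Z 10.40.0.77 10.30.0.5 443 tcp
2023-11-01T09:00:04Z 10.10.0.15 10.20.0.8 22 tcp
2023-11-01T09:00:05Z 10.20.0.8 10.20.0.9 445 tcp
2023-11-01T09:00:06Z 10.10.0.15 192.0.2.10 443 tcp
"""


def segment_of(ip: str) -> str:
    """Map an address to its segment name, or 'unknown' if it is outside every segment."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def parse_flow(line: str) -> Dict[str, object]:
    """Parse one whitespace-separated flow record."""
    ts, src, dst, dport, proto = line.split()
    return {"ts": ts, "src": src, "dst": dst, "dport": int(dport), "proto": proto}


def check_flow(flow: Dict[str, object]) -> Tuple[bool, str]:
    """Return (permitted, reason) for one flow against the allow-list."""
    src_seg, dst_seg = segment_of(flow["src"]), segment_of(flow["dst"])
    permitted_ports = ALLOWED_FLOWS.get((src_seg, dst_seg), set())
    label = "%s -> %s:%s/%s" % (src_seg, dst_seg, flow["dport"], flow["proto"])
    if flow["dport"] in permitted_ports:
        return True, label + " permitted"
    return False, label + " not in allow-list"


def audit(flow_text: str) -> List[Dict[str, object]]:
    """Return every violating flow with its reason, ready for an alert or a block rule."""
    violations = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        permitted, reason = check_flow(flow)
        if not permitted:
            violations.append(dict(flow, reason=reason))
    return violations


def boundary_summary(violations: List[Dict[str, object]]) -> Counter:
    """Count violations per segment pair, which shows which boundary is crossed most."""
    return Counter((segment_of(v["src"]), segment_of(v["dst"])) for v in violations)


if __name__ == "__main__":
    found = audit(SAMPLE_FLOWS)
    for v in found:
        print(v["ts"], v["src"], "->", v["dst"], v["reason"])
    print(boundary_summary(found))
```

On the sample data, the two allow-listed flows pass and four are flagged: guest Wi-Fi reaching the EHR servers, SSH from a workstation to a medical device, SMB between two medical devices in the same segment, and a workstation talking to an address outside every defined segment. Each flagged line is exactly the kind of traffic a perimeter-only design would have permitted once the source was "inside", and the per-boundary counts point at which segmentation rule to tighten first.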


References:

1. Rose, S., Borchert, O., Mitchell, S., & Connelly, S. (2020). Zero trust architecture (NIST Special Publication 800-207). National Institute of Standards and Technology. https://doi.org/10.6028/NIST.SP.800-207

2. Vukotich, G. (2023). Healthcare and cybersecurity: Taking a zero trust approach. Health Services Insights, 16, 11786329231187826. https://doi.org/10.1177/11786329231187826

3. Gellert, G. A., Kelly, S. P., Wright, E. W., & Keil, L. C. (2023). Zero trust and the future of cybersecurity in healthcare delivery organizations. Journal of Hospital Administration, 12(1), 1. https://doi.org/10.5430/jha.v12n1p1

4. Ali, B., Gregory, M. A., & Li, S. (2021). Uplifting healthcare cyber resilience with a multi-access edge computing zero-trust security model. In 2021 31st International Telecommunication Networks and Applications Conference (ITNAC) (pp. 192–197). https://doi.org/10.1109/ITNAC53136.2021.9652141

5. Tyler, D., & Viana, T. (2021). Trust no one? A framework for assisting healthcare organisations in transitioning to a zero-trust network architecture. Applied Sciences, 11(16), 7499. https://doi.org/10.3390/app11167499


**  Please note that this executive summary was submitted as a part of the course requirement for Introduction to Information Security Management at Carnegie Mellon University (Fall 2023). 
