On May 12, 2021, US President Joe Biden issued an executive order that required every Federal Government agency to develop a plan for adopting Zero Trust Architecture as a major part of increased efforts to improve the Nation's cybersecurity. This underlines the importance of Zero Trust and its role in the ongoing battle against cyber threats. But what exactly is Zero Trust, why is it important, and what does it all mean for healthcare providers?
What is Zero Trust
Zero Trust is a cybersecurity concept introduced by Forrester more than ten years ago. In its essence, it's a "never trust, always verify" paradigm, where no device or person is considered secure, and every interaction needs to be verified.
Applying the Zero Trust model in healthcare delivery organizations requires identifying each connected device, user, or resource. It also means authenticating them to the corporate network and granting them the minimal access they require to function, based on a trust policy defined specifically for them.
When it comes to unmanaged devices, such as connected medical devices or Internet of Things (IoT) devices, Zero Trust typically translates to contextual micro-segmentation. It relies on strong identification of each device (not just its current IP address) and on fine-tuned policies that allow traffic only to and from the device's verified ecosystem, the peers and services it is known to need, while all other interactions are denied by default.
Why Zero Trust
The Zero Trust model started to gain traction when it became clear that the "castle and moat" model was no longer effective. The modern corporate network is so distributed, heterogeneous, and complex that it can no longer be protected by enforcing policies on the perimeter alone. There are good reasons for that, namely:
- The network is heavily accessed by 3rd parties (vendors) who manage their own devices and who are themselves targets of attacks that specifically go after vendor IT networks. They can expose the organization to cyber risk through their remote support connections or through their software update process (e.g., as happened in the SolarWinds incident).
- Remote devices connecting through SASE and VPN services also sit on home networks. Home networks are naturally less protected than corporate ones, and threats present there ride along over the otherwise secure tunnel into the corporate network.
- BYOD devices that hop between the internal networks and the internet are exposed to personal, less protected, email accounts and malicious applications.
- There’s an increasing number of corporate assets (workloads) that are being migrated to the cloud or replaced by Software as a Service (SaaS).
- The number of cybersecurity breaches keeps rising sharply. Getting compromised is no longer a matter of if, but when. Attack methods vary from phishing emails that open backdoors on user endpoints, to vulnerable internet-facing services being exploited, to worms simply arriving through 3rd party VPN connections.
- In addition to software vulnerabilities, insider threats are another concern. Users that were granted access to critical resources and information can willingly or unwillingly expose them to attackers.
Challenges of Implementing Zero Trust for Healthcare Providers
Implementing Zero Trust is challenging in any corporate environment, but even more so for hospitals. Their networks tend to have a much higher number of unmanaged devices - connected medical devices and IoT devices - that drive clinical workflows. These devices are mission critical for a hospital, yet most of them run unpatched or outdated software. Some of these connected devices are exposed to TCP/IP stack vulnerabilities such as Ripple20 or URGENT/11, vulnerabilities that can be triggered by basic network interaction with the device, without any credentials. Others are exposed through Remote Desktop Protocol (RDP) vulnerabilities (e.g., BlueKeep, DejaBlue). These exploits take advantage of the fact that RDP is widely used inside healthcare organizations and is regularly enabled on many connected devices.
We must work together to define a proper standard for all medical device intercommunication and maintain a unified, security-hardened embedded operating system. This would help move the medical device industry forward and potentially make it a leader in IoT cybersecurity.
A recent Ipsos study co-sponsored by CyberMDX and Philips found that the majority of US hospitals were unprotected against well-known vulnerabilities. Specifically, 52% of respondents admitted their hospitals were not protected against the BlueKeep vulnerability, and that number rose to 64% for WannaCry and 75% for NotPetya.
In addition, a typical hospital will have a few hundred vendors that run some type of software on its network, datacenter, or medical devices, thus greatly expanding its cyber-attack surface.
Larger hospitals also have multiple sites - combinations of hospitals and smaller clinics - and this introduces additional complexity.
There are a number of challenges for implementing Zero Trust in all enterprises, including hospitals. Firstly, the lack of connected device data and network insight is a problem, because you need to see what you need to protect. Without knowing what connected devices you are fielding, what components they are built from, what software they are running, and what their normal network communications and workflows look like, and with whom, the effort is a lost cause.
Another prominent obstacle impeding the adoption of Zero Trust is the fear of breaking things. Because of the diversity of connected devices, it’s hard to both be on top of each device group and to define what should be allowed according to its baseline. In healthcare, device mobility introduces another layer of challenges. For example, an infusion pump could start the day with a patient at hospital A and end the day with that patient at hospital B, after that patient was transferred via ambulance. Policies need to be robust enough to handle these mobility scenarios.
A third significant obstacle is the lack of scalable enforcement technology. There are plenty of suitable technologies available today (NAC systems, internal segmentation firewalls, distributed firewalls, and so on), yet deploying these solutions and selecting the right enforcement points is not straightforward. Many "good enough" compromises could and should be taken here for the sake of scalability.
We already covered visibility and technology, yet people and processes are just as important. Any Zero Trust effort requires the collaboration of the security team, the clinical engineering team, and the network team. The goal here is to reach a single source of truth that all stakeholders can adopt and rely on during the process.
Lastly, a Zero Trust implementation requires running a process of mapping, fine-tuning, testing enforcement, and monitoring. This translates into having to invest resources that are not always available. Automation and a gradual approach to implementation are two ways to tackle resource limitations.
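To make the micro-segmentation idea and the mapping / fine-tuning / testing / monitoring process concrete, here is an added illustration written for this page. It is not CyberMDX's product code or any vendor's engine, and every device name, role, site, address and flow in it is constructed sample data. It shows the three design points the text raises: rules are keyed on device identity and role rather than IP address or site, so an infusion pump transferred from hospital A to hospital B keeps working without a policy change; anything not in the learned baseline (including traffic from an unidentified host, such as an RDP probe against a pump) is a violation; and a "monitor" mode logs violations without blocking so enforcement can be tested before it is switched on.

```python
"""
Added example (not from the original post): a toy micro-segmentation policy
engine for unmanaged clinical devices. Device identities, roles, sites, IPs
and flows are all constructed sample data.

Process it walks through:
  1. mapping      - learn a per-role baseline from an inventory plus observed flows
  2. fine-tuning  - rules are (src_role, dst_role, port, proto); no IPs or sites,
                    so a device that moves between hospitals keeps its policy
  3. testing      - "monitor" mode: violations are recorded but still allowed
  4. enforcement  - "enforce" mode: anything outside the baseline is denied
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str   # strong identity (serial, cert subject), never the IP
    role: str        # device group the policy is written for
    site: str        # where the device currently is
    ip: str          # current address; changes when the device moves


@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


class Inventory:
    """Maps current addresses back to device identity (in practice fed by
    NAC / passive profiling). Unknown addresses resolve to None."""

    def __init__(self, devices):
        self._by_ip = {d.ip: d for d in devices}

    def lookup(self, ip):
        return self._by_ip.get(ip)

    def move(self, device_id, new_site, new_ip):
        """Re-home a device (e.g., ambulance transfer). Identity and role persist."""
        old = next(d for d in self._by_ip.values() if d.device_id == device_id)
        del self._by_ip[old.ip]
        moved = Device(old.device_id, old.role, new_site, new_ip)
        self._by_ip[new_ip] = moved
        return moved


def learn_baseline(inventory, observed_flows):
    """Mapping step: the set of (src_role, dst_role, port, proto) seen while
    baselining. Flows with an unidentified endpoint are never learned."""
    baseline = set()
    for f in observed_flows:
        src, dst = inventory.lookup(f.src_ip), inventory.lookup(f.dst_ip)
        if src is None or dst is None:
            continue
        baseline.add((src.role, dst.role, f.dst_port, f.proto))
    return baseline


class PolicyEngine:
    def __init__(self, inventory, baseline, mode="monitor"):
        assert mode in ("monitor", "enforce")
        self.inventory, self.baseline, self.mode = inventory, baseline, mode
        self.violations = []  # (flow, src_id, dst_id) tuples for the SOC / clinical engineering

    def decide(self, flow):
        """Return 'allow' or 'deny'. Default deny: only flows between identified
        devices whose role pair/port/proto is in the baseline are allowed outright."""
        src, dst = self.inventory.lookup(flow.src_ip), self.inventory.lookup(flow.dst_ip)
        if src and dst and (src.role, dst.role, flow.dst_port, flow.proto) in self.baseline:
            return "allow"
        self.violations.append((flow, src.device_id if src else "unknown",
                                dst.device_id if dst else "unknown"))
        return "allow" if self.mode == "monitor" else "deny"


def run_demo():
    """Constructed scenario: one pump, a pump server at each hospital, a PACS."""
    inv = Inventory([
        Device("PUMP-0001", "infusion_pump", "hospital_a", "10.1.20.11"),
        Device("PUMPSRV-A", "pump_server", "hospital_a", "10.1.10.5"),
        Device("PUMPSRV-B", "pump_server", "hospital_b", "10.2.10.5"),
        Device("PACS-A", "pacs", "hospital_a", "10.1.10.9"),
    ])
    # Baseline traffic captured during mapping: the pump talks only to its server.
    baseline = learn_baseline(inv, [Flow("10.1.20.11", "10.1.10.5", 443, "tcp")])

    monitor = PolicyEngine(inv, baseline, mode="monitor")
    rdp_probe = Flow("10.1.30.77", "10.1.20.11", 3389, "tcp")  # unidentified host -> pump
    results = {
        "baseline": baseline,
        "monitor_rdp": monitor.decide(rdp_probe),          # logged, not blocked
        "monitor_violations": len(monitor.violations),
    }

    # Patient transferred by ambulance: same pump, new site, new address.
    inv.move("PUMP-0001", "hospital_b", "10.2.20.31")
    enforce = PolicyEngine(inv, baseline, mode="enforce")
    results["enforce_pump_to_local_server"] = enforce.decide(Flow("10.2.20.31", "10.2.10.5", 443, "tcp"))
    results["enforce_rdp"] = enforce.decide(Flow("10.2.30.77", "10.2.20.31", 3389, "tcp"))
    results["enforce_pump_to_pacs"] = enforce.decide(Flow("10.2.20.31", "10.1.10.9", 104, "tcp"))
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Because the learned rule is role-to-role, the pump at hospital B is allowed to reach hospital B's pump server with no policy change, while the RDP probe and the pump's attempt to reach PACS are denied once the engine is switched to enforce. A real deployment would push the baseline to the enforcement points named in the text (NAC, internal segmentation or distributed firewalls) and would typically add site or VLAN context to the rule where the workflow really is site-bound; the inventory lookup is the piece that has to be strong, since an attacker who can spoof a known address inherits that device's policy.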
Stay tuned for our follow-up on this blog, where we'll move from the "what" to the "how" of actioning a Zero Trust strategy.