
Zero Trust and The Dangers of Implicit Trust in Healthcare
Author: Olusola Ayodele, Senior Director, Cybersecurity @ 54gene
Over the past decade, cyber threats to the healthcare industry have increased. This is primarily due to the sensitivity of the data it handles, poor cybersecurity and data privacy practices, such as implicit trust, and the overall reliance on technology. All these make the healthcare industry a prime target for cybercriminals. In 2021, nearly 46 million US residents were affected by healthcare data breaches.
Cyberattacks are of critical concern for the healthcare sector, as the attacks can threaten the security of systems and information as well as the patients’ health and safety. The growing number of healthcare-related cyberattacks indicates that the healthcare sector lacks sufficient security controls and practices to defend against these threats. Implicit trust in healthcare is a practice that makes the healthcare sector particularly vulnerable to cyberattacks.
The article discusses the dangers of implicit trust in healthcare and the need for zero trust in the healthcare industry.
Understanding Implicit Trust in Healthcare
Traditionally, healthcare security operates on the assumption that everything inside an organization’s network should be trusted implicitly. This means once users, including threat actors, are on the network, they can move laterally in the network and access sensitive data due to a lack of explicit security controls.
Implicit trust is an assumption that internal users, whether authenticated or not, are inherently trustworthy. It has resulted in many costly data breaches, with attackers moving laterally across the network once they make it past the perimeter. In December 2021, unauthorized access or disclosure was the most common cause of healthcare data breaches in the United States.
Here is a list of a few implicit trust practices that pose a significant risk of data breaches and regulatory violations in healthcare.
- Assuming a user is legitimate does not make their device immune to cyberattacks. Their devices may be compromised, particularly if the user is outside the corporate network or using a personal device to connect to the corporate network (BYOD).
- An initially secure device can become compromised later if the trust is implicit and assumed following a single authentication.
- Malicious actors can beat traditional perimeter defenses, often using legitimate credentials.
- Nowadays, users can connect to the corporate network from hostile networks, such as infected home networks or public WiFi; this can pose a significant risk to the healthcare network.
The Need for Zero Trust in Healthcare
The Sophos State of Ransomware in Healthcare 2022 report revealed a 94% increase in ransomware attacks on healthcare, with 66% of organizations getting hit by ransomware in 2021. It becomes challenging for healthcare organizations to secure patient data while providing uninterrupted patient care. Not only do they have to secure sensitive information, but they also have to comply with multiple industry regulations, such as HIPAA.
Since healthcare organizations handle highly sensitive personal and financial information, including patient records, insurance information, and payment data, practicing implicit trust poses a significant risk of data breaches and other cyberattacks. To avoid these risks, healthcare organizations should consider implementing a zero-trust model, which emphasizes the importance of careful control and verification every time a user or device requires access to sensitive data and systems.
A zero trust approach to security is based on explicit trust, which means instead of trusting all users and devices on a network by default, access to network resources is granted based on strict identity verification and continuous risk assessment.
The zero trust approach assumes that all network traffic, whether internal or external, is only trustworthy once proven, minimizing the attack surface by limiting access to authenticated users only. It can provide the following benefits to healthcare organizations.
Improved security: By assuming all network traffic is untrusted and limiting access, zero trust can help prevent data breaches and protect sensitive data in healthcare.
Better visibility and control: Zero trust gives healthcare organizations full visibility and control over their networks and data, enabling them to identify and respond to security threats quickly.
Improved patient trust: Since a zero-trust approach to security helps protect patient data, it improves patient trust in the security of their personal information.
Regulatory compliance: As zero trust enables healthcare organizations to protect sensitive information, it helps them comply with regulations such as HIPAA, which requires secure handling of protected health information (PHI).
Implementing Zero Trust in Healthcare
While implementing zero trust architecture is associated with continuously authenticating users and devices using different practices, a comprehensive approach to building zero trust in any healthcare organization encompasses users, applications, and infrastructure.
- Users - Apply a zero trust approach to authenticating users: strong verification of user identities, least-access policies, MFA, and verification of the integrity of the user's device.
- Applications - The next step is to remove implicit trust from applications. This involves continuously authenticating and monitoring applications at runtime to validate their behavior.
- Infrastructure - Finally, everything in your infrastructure, including routers, switches, cloud services, IoT devices, and the supply chain, must be secured using zero trust network access (ZTNA).
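The difference between implicit and explicit trust is easiest to see as a per-request access decision. The following Python is an added example, not code from the article or from 54gene: it places a perimeter-style decision (allow anything already inside the network) beside a zero trust decision that verifies identity, MFA, session freshness, device posture and a least-access role policy on every request, regardless of network location. The roles, resources, device attributes, session-age limit and sample requests are all constructed for the illustration; they stand in for whatever a real identity provider, device-management platform and policy engine would supply. The scenarios cover the failure modes listed earlier in the article: a device that is compromised after a single authentication, an insider with legitimate credentials but no business need, and a personal device connecting from a home network.

```python
"""Per-request access decisions: implicit (perimeter) trust vs. zero trust.

Added illustration; all roles, resources, devices and requests are constructed.
"""
from dataclasses import dataclass

# Least-access policy: which roles may reach which resource (constructed).
ROLE_ACCESS = {
    "ehr_records": {"clinician"},
    "billing": {"billing_staff"},
    "admin_console": {"it_admin"},
}

# Re-verify a session after this many seconds (assumed policy value).
MAX_SESSION_AGE = 15 * 60


@dataclass
class Device:
    managed: bool          # enrolled in the organization's device management
    disk_encrypted: bool
    edr_healthy: bool      # endpoint agent running and reporting clean


@dataclass
class Request:
    user: str
    role: str
    resource: str
    device: Device
    on_corporate_network: bool
    authenticated: bool    # identity proven with a credential
    mfa_verified: bool
    auth_time: float       # epoch seconds of the last identity verification


def perimeter_decision(req):
    """Implicit trust: inside the network is trusted; outside needs a password."""
    if req.on_corporate_network:
        return True, "inside perimeter, implicitly trusted"
    return req.authenticated, "outside perimeter, password-only check"


def device_posture_ok(dev):
    """Device integrity check: managed, encrypted and clean according to EDR."""
    return dev.managed and dev.disk_encrypted and dev.edr_healthy


def zero_trust_decision(req, now):
    """Explicit trust: every request is verified; network location is ignored."""
    if not req.authenticated:
        return False, "identity not verified"
    if not req.mfa_verified:
        return False, "MFA required"
    if now - req.auth_time > MAX_SESSION_AGE:
        return False, "session stale, re-verification required"
    if not device_posture_ok(req.device):
        return False, "device posture check failed"
    if req.role not in ROLE_ACCESS.get(req.resource, set()):
        return False, "role '%s' not permitted on '%s'" % (req.role, req.resource)
    return True, "identity, MFA, device posture and least-access policy satisfied"


def compare(req, now):
    """Return both models' verdicts for one request."""
    return {"perimeter": perimeter_decision(req)[0],
            "zero_trust": zero_trust_decision(req, now)[0]}


# Constructed sample devices and requests.
NOW = 1_700_000_000.0
HEALTHY = Device(managed=True, disk_encrypted=True, edr_healthy=True)
COMPROMISED = Device(managed=True, disk_encrypted=True, edr_healthy=False)
BYOD = Device(managed=False, disk_encrypted=False, edr_healthy=False)

SCENARIOS = {
    # Clinician at home on a managed, healthy device with MFA: legitimate need.
    "clinician_home_healthy": Request("dr_ada", "clinician", "ehr_records",
                                      HEALTHY, False, True, True, NOW - 60),
    # Device infected after it authenticated, still sitting inside the network.
    "compromised_device_inside": Request("dr_ada", "clinician", "ehr_records",
                                         COMPROMISED, True, True, True, NOW - 60),
    # Valid credentials, inside the network, but no MFA and no business need.
    "insider_no_mfa_wrong_role": Request("billing_bob", "billing_staff", "ehr_records",
                                         HEALTHY, True, True, False, NOW - 60),
    # Authenticated long ago; trust must not persist from a single sign-in.
    "stale_session": Request("dr_ada", "clinician", "ehr_records",
                             HEALTHY, True, True, True, NOW - 3600),
    # Personal device from a home network with a password and MFA only.
    "byod_from_home": Request("dr_ada", "clinician", "ehr_records",
                              BYOD, False, True, True, NOW - 60),
}

if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        print("%-28s %s" % (name, compare(req, NOW)))
```

The point of the comparison is that the perimeter model allows four of the five constructed requests, including the compromised device and the insider without a business need, purely because they are already on the network, while the zero trust model allows only the one request that passes every check. In a real deployment the `Device` and `Request` attributes would come from the identity provider and device-management or EDR telemetry rather than being constructed in code, and the decision would be re-evaluated on each access rather than once at login.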
Challenges of Zero Trust
While a zero-trust approach is critical in theory, it may be difficult to implement in practice. Let’s discuss some challenges that may come up while implementing zero trust.
- Users and roles fluidity: The user base accessing company resources has become wide and varied, with increasing access points. Setting policies for each group of individuals may be time-consuming to define and maintain.
- Proliferation of devices: Due to BYOD practices, IoT equipment, and other communication protocols, it becomes difficult to track and secure them on an ongoing basis.
- The exponential growth of applications: While the growth in applications and services boosts productivity, it poses other challenges for security teams. Due to the huge growth and variety of applications running on devices, it becomes difficult to make clear policies.
- Distributed data & services: Edge-based systems pose a significant challenge to the zero trust model, as the healthcare organization may have to secure each of them as an individual network, defining controls and policies for each one separately.
Conclusion
The healthcare industry is significantly vulnerable to cyber threats for different reasons, implicit trust being one of them. To protect against sophisticated cyber threats, healthcare organizations should consider adopting a zero-trust model. By eliminating the assumption of implicit trust and adopting a zero-trust approach to security, healthcare organizations can significantly reduce the risk of data breaches, insider threats, and regulatory violations.