
Navigate Zero-Trust Security in Healthcare

Understand zero-trust principles and examine leading vendor architectures.

  • Understand and clarify the benefits of zero-trust for your organization. Zero-trust is inherently a security methodology that places the security mindset first. Within healthcare there is a push to include more connected Internet of Medical Things (IoMT) devices, augmented reality, and robotics within care pathways.
  • Winning over a skeptical clinical audience in applying the principles of zero-trust: never trust, always verify, assume breach, and verify explicitly.
  • Difficulty identifying, tracking, and verifying all devices in their healthcare network.
  • Moving away from a perimeter-based security architecture to a zero-trust architecture while demonstrating that this change will support the provision of healthcare.

Our Advice

Critical Insight

Zero-trust must benefit the healthcare organization first, because the road to zero-trust is an iterative process that relies on the IT security team to be thoughtful in determining how moving to a zero-trust model will affect core processes and patient care. This means that deploying a zero-trust model is not a one-size-fits-all approach.

Impact and Result

Achieving zero-trust is an iterative process that involves a range of capabilities and requires all stakeholders to be committed to improving a healthcare organization’s security culture. Use Info-Tech’s approach to:

  • Understand what zero-trust is and how its principles can be applied to your organization.
  • Learn about how healthcare IT teams are approaching security initiatives and why they are choosing to prioritize zero-trust as a framework to secure their technology assets.

Navigate Zero-Trust Security in Healthcare Research & Tools

1. Navigate Zero-Trust Security in Healthcare – A guide to help improve a healthcare organization’s security culture.

Zero-trust is an ideal because it is a standard defined by theoretical simplicity.

Healthcare organizations seeking to apply zero-trust principles within their current security environment must be prepared to iteratively update their policy enforcement points.


Executive Summary

Your Challenge

Healthcare CIOs and CISOs who recognize the value of pursuing a zero-trust security strategy encounter several challenges, including:

  • Winning over a skeptical clinical audience in applying the principles of zero-trust: never trust, always verify, assume breach, and verify explicitly.
  • Difficulty identifying, tracking, and verifying all devices in their healthcare network.
  • Moving away from a perimeter-based security architecture to a zero-trust architecture while demonstrating that this change will support the provision of healthcare.

Common Obstacles

Zero-trust cannot be achieved without overcoming significant obstacles such as:

  • Identifying the most logical place to start. Because zero-trust is complex from an architectural perspective, there is no clear checklist or path to move forward.
  • According to McKinsey (2020), 69% of CIOs surveyed are using more than 10% of their new-project spend dollars to address technical debt.
  • Most healthcare security architectures are perimeter-based and complex to manage.

Info-Tech’s Approach

Achieving zero-trust is an iterative process that involves a range of capabilities and requires stakeholders to be committed to improving a healthcare organization’s security culture. Use Info-Tech’s approach to:

  • Understand what zero-trust is and how its principles can be applied to your organization.
  • Find out how healthcare organizations are performing and what security initiatives they are prioritizing to become zero-trust.
  • Examine the security architectural frameworks that Microsoft and Google have applied to their environments to adopt zero-trust.

Your challenge

This research is designed to help organizations who need to:

  • Understand and clarify the benefits of zero-trust for your organization. Zero-trust is inherently a security methodology that places the security mindset first. Within healthcare there is a push to include more connected Internet of Medical Things (IoMT) devices, augmented reality, and robotics within care pathways.
  • Verify that operations are maintaining security best practices. Prevention is only one element of successful security operations; IT security teams must also be able to detect threats and analyze the environment to support incident response.
  • Risk to healthcare organizations is real. IBM Security and the Ponemon Institute reported that healthcare data breaches and ransomware cost an average of US$9.23 million per incident (HealthITSecurity, 2021).
  • IT must convince clinical leaders to add more security controls that go against the grain of reducing friction in workflows while demonstrating these controls support the business. If implemented properly, zero-trust embeds security into existing processes.

34%

Data privacy has become a high priority for security professionals: 34% of survey respondents indicate that privacy is a core responsibility.
Source: Cisco via IAAP, 2021.

560

560 healthcare facilities in the United States reported ransomware incidents in 2020.
Source: Emsisoft, 2021.

Zero-trust presents an opportunity for health IT leaders to modernize

80% Lower Cost

Legacy solutions require constant maintenance from an infrastructure, service, and configuration perspective.

Organizations that have deployed cloud-based zero-trust systems have found that it is useful in reducing operational expenditures related to configuration and licensing.

This image contains a stacked bar graph comparing the cost of legacy solutions with that of a zero-trust solution. Both bars show the same cost for app integrations and for patching, upgrades, and outages; the legacy solution additionally includes costs for service ops and annual support, and for infrastructure.
Source: Okta

Be realistic about the barriers that make zero-trust difficult to implement:

Health IT security architectures were not built with zero-trust in mind. Most organizations rely on a perimeter-based security defense posture that defines trusted areas. Shifting to zero-trust requires specific configuration policies that collapse trusted perimeters so that no person, application, or piece of data is inherently trustworthy.

Know where to start: zero-trust is not only complex from an architectural perspective, but also there is no clear checklist to follow when revising your security posture to adopt zero-trust.

In a recent study, 80% of IT decision makers identified that legacy systems and technical debt represented a significant pain point (Enterprise CIO, 2018). There is a palpable need to modernize their legacy solutions, because legacy systems are more difficult to protect and expensive to maintain.

Organizational complexity: a traditional on-premises solution can cost up to 80% more than a unified, cloud-based identity directory.

Health IT security teams perform better than industry peers

This image contains a bar graph comparing security governance and management maturity between the healthcare industry and all other industries.

Identity and access management (IAM) and data are the two sub-policy metrics where healthcare IT performs slightly lower than industry peers.

This image contains a bar graph comparing security governance and management maturity between the healthcare industry and all other industries by core area. The sub-categories are: Risk Analysis; Compliance Management; Auditing; Vulnerability; Event and Incident Management; Policy and Process Governance.

This image contains a bar graph comparing security governance and management maturity between the healthcare industry and all other industries by sub-policy and process area. The sub-categories compared are: Network; Host Security for Services; End-User Devices; Applications; Data; IAM; and Physical. The Data and IAM sub-categories are circled by a red box.

Source: Info-Tech Security Governance Benchmark Report, 2022

Case Study: Identify and mitigate IoT and IoMT cyber risk within a hospital network

“Patients’ safety and records matter most. To protect them, we had to get a handle on every connected thing, despite an exploding number of IoT devices.” — Kashif Parvaiz, Chief Information Security Officer, University Health Network

Environment

Over 40,000 wired and wireless devices were used within University Health Network (UHN), located in Toronto, Ontario, which supports over 20,000 employees in four acute care hospitals and various outpatient sites.

49.6% of devices found in the audit were related to healthcare and labs.

The remaining devices fell into supporting administration and physical security:

  • 15.3% Physical security
  • 13.7% Office-related devices
  • 12% Building automation
  • 5.7% Multimedia and related devices

Challenge

Reduce the impact to patient care and ensure that patient records are secure.

Comply with industry regulations and successfully pass audits amid the widespread presence of legacy infrastructure and technical debt.

Develop and maintain an accurate catalog of assets to support ongoing security operations and maintenance.

Improve device visibility within the network by efficiently identifying devices and understanding where they were being used and where they were located within the network.

Results

Identified 40,000 wired and wireless devices within the network.

66% more devices were discovered than expected.

Gained real-time visibility across all network-connected things within four weeks of starting this initiative.

Device identification was an intentional goal to better understand the number of IoT and IoMT devices, which puts UHN on the pathway to pursue zero-trust segmentation.

Source: Forescout, 2021

Zero-trust helps healthcare IT security teams manage risk across multiple domains.

Zero-trust

Devices

  • Clinical tools
  • Tablets
  • IoMT

Applications

  • EMR/EHRs
  • Billing
  • Scheduling

Identities

  • Clinical teams
  • Administrative teams
  • Patients

Data

  • Patient records
  • Lab results
  • Patient details

Zero-trust benefits

Health IT security professionals will benefit from adopting zero-trust, but they must be clear about the overarching benefits that healthcare organizations will receive as a result of moving to a zero-trust model.

IT Benefits

  • Reduce IT effort: Zero-trust enables security by design, meaning reduced demands on IT for managing services for RDP and VPN and for responding to requests for more flexible access to resources.
  • Improve visibility and security: Zero-trust involves mapping, contextualizing, and monitoring resources, thus reducing the time to detect and respond to incidents.
  • Reduce security solution complexity: Rather than trying to fill gaps in traditional network security, security purchases become part of a strategic technical design that eliminates IT security’s technical debt.
  • Strengthen data protection: A fully implemented zero-trust solution makes it harder for attackers to access, encrypt, or steal digital assets such as medical health records.

Organization Benefits

  • Reduce technical debt: According to a 2016 IEEE Software report, a conservative estimate of the average cost of technical debt amounts to $361,000 per thousand lines of code. Zero-trust can accelerate the phasing out of legacy technology and kick-start network modernization.
  • Work from anywhere: Recent workplace demographic shifts have enabled employees to work from home; zero-trust environments support secure access and availability of workflows.
  • Improved user experience: Zero-trust reduces the security fatigue associated with an uncoordinated security technical strategy.
  • Continuous compliance: Adopting zero-trust means there are no trust zones, which in turn requires a system of constant verification of users and devices.

Understand the principles of zero-trust

Move away from an existing perimeter-based security framework to a “never trust, always verify” ideal.

1 Never Trust, Always Verify

The main goal of zero-trust is to secure corporate resources by eliminating persistent trust in everything:

  • Identities
  • Devices
  • Applications
  • Infrastructure
  • Network
  • Data

2 Assume Breach

This is a mindset that means your organization should operate on the assumption that your environment has already been breached. The environment should be architected to minimize the effects of a breach with controls to prevent lateral movement and reduce damage.

3 Verify Explicitly

Identities can be forged, and access can be duplicated; therefore, verification is needed. Verification is essential and can be compared to the process that a bank takes to confirm your identity before you can make decisions about your account. Multiple modes of verification, both dynamic and static, must be produced to give access to resources.

Static
  • Passwords
  • Biometrics
  • Security tokens

Dynamic
  • Risk-based access
  • User and entity behavior analytics

Info-Tech Insight

Zero-trust is a strategy that forgoes reliance on perimeter security and moves controls to where users access resources. It consolidates security solutions and saves operating expenditures, and it also enables business mobility by securing the digital environment at all layers.

Implementation approaches

Vendor perspectives have shaped the development of zero-trust.

  • John Kindervag defined the concept of zero-trust in 2010. Kindervag then became the CTO at Palo Alto Networks, where he further expanded zero-trust as a practical response to managing organizational risk. In this model, zero-trust relies on next-generation firewalls (NGFWs) as policy enforcement points.
  • NIST has further defined zero-trust principles and has created a framework that is not limited to a specific product such as a firewall or an identity and access management solution; rather, NIST advocates a strategic mindset that can be applied to a variety of organizations.
  • Microsoft and other zero-trust vendors have developed frameworks that are adaptations of the standards outlined by NIST.
  • Google’s BeyondCorp initiative took the principles of zero-trust and applied them through a strict strategy of company-managed devices connected through an access proxy. The proxy determines access to resources based on contextual data that includes the user, role, device certificates, device inventory, and location.

This is an image of a grid matrix with the following names shown: top left, NIST; top right, Microsoft; bottom left, Google BeyondCorp; bottom right, Palo Alto Networks.

Zero-trust ideal

  • Organizations seeking to adopt zero-trust as the strategy that drives their cybersecurity program must understand the basic architecture of what zero-trust means.
  • A zero-trust framework applied to a security architecture will prevent unauthorized access to resources through granular access policies.
  • Zero-trust relies on developing a policy for every scenario so only authorized and verified identities and devices can access resources. Perimeter security is not dead; rather, it is put on top of every resource as a policy decision or policy enforcement point. Zero-trust is achieved only when there are controls layered on top of each resource active within the IT environment.

Zero-trust is an ideal because it is a standard defined by its theoretical simplicity.

Healthcare organizations seeking to apply zero-trust principles within their current security environment must be prepared to iteratively update their policy enforcement points.

This image depicts the zero-trust ideal. It includes three points connected by two zones. The far-left point is labeled Endpoints. The left zone is labeled Untrusted Zone. The middle point is labeled Policy Decision/Enforcement Point (PDP/PEP). The right zone is labeled Implicit Trust Zone. The far-right point is labeled Resources (System, Data, or Application).

NIST: Zero-trust’s high-level architecture

Zero-trust is not one product but multiple capabilities working together simultaneously.

Consider the control areas and examples below for how they map to this high-level architecture.

  • Identities: Users require identities with defined roles, access privileges, and controls such as multi-factor authentication and single sign-on.
  • Devices: Devices also have identities, require endpoint protection and detection, and should also have access privileges defined.
  • Applications: Applications must be segmented by workflow and administrative access limited.
  • Infrastructure: Your infrastructure is set up with monitoring and alerts.
  • Network: Your internal network is not considered an implicit trust zone.
  • Data: Provide encryption in transit and at rest with whitelisted policies on how that data can be accessed and used.

This is an image of NIST’s zero-trust high-level architecture. The Policy Engine and Policy Administrator are fed by supporting components: Continuous Diagnostics and Mitigation (CDM) Solution; Industry Compliance; Threat Intelligence; Activity Logs; Data Access Policy; Public Key Infrastructure (PKI); Identity and Access Management Solution; and Security Information and Event Management (SIEM) Solution. The Policy Enforcement Point sits between User/Device and Enterprise Resources.

Adapted from 2nd Draft of NIST SP 800-207
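The request flow of the zero-trust ideal (endpoint, untrusted zone, PDP/PEP, implicit trust zone, resource) and the NIST control areas above, modelled as an added example that is not code from NIST, Info-Tech, or any vendor on this page. It takes the same contextual inputs the BeyondCorp description lists (user, role, device certificate, device inventory, location), but location is only logged, never trusted; the field names, the PHI rule and the risk threshold of 60 are assumptions made for the example.

```python
# Toy policy decision point (PDP) for the flow the page describes: endpoint ->
# untrusted zone -> PDP/PEP -> implicit trust zone -> resource. All class names,
# fields, thresholds and sample data are constructed for this example.
from dataclasses import dataclass, field

@dataclass
class Identity:
    user: str
    roles: set
    mfa_verified: bool          # explicit (multi-factor) verification done

@dataclass
class Device:
    device_id: str
    in_inventory: bool          # known to the asset inventory (CDM feed)
    cert_valid: bool            # device certificate issued by the PKI
    endpoint_protection: bool   # endpoint protection agent reporting healthy
    os_patched: bool

@dataclass
class Context:
    network: str                # "clinical", "corp", "internet": logged, never trusted
    risk_score: int             # 0-100 from UEBA/threat intelligence, higher is riskier

@dataclass
class Resource:
    name: str
    allowed_roles: set
    sensitivity: str            # "low" or "phi" (protected health information)

@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)

def evaluate(identity, device, ctx, resource, max_risk=60):
    """Never trust, always verify: start from deny and require every check to pass.
    The network the request arrives from is deliberately not consulted."""
    failures = []
    # Identity: role authorisation plus explicit verification.
    if not identity.roles & resource.allowed_roles:
        failures.append("role not authorised for resource")
    if not identity.mfa_verified:
        failures.append("MFA not verified")
    # Device: devices have identities too and must be inventoried and healthy.
    if not device.in_inventory:
        failures.append("device not in inventory")
    if not device.cert_valid:
        failures.append("device certificate invalid")
    if not device.endpoint_protection:
        failures.append("endpoint protection not reporting")
    # Data: PHI additionally requires a patched device and an acceptable risk score.
    if resource.sensitivity == "phi":
        if not device.os_patched:
            failures.append("unpatched device cannot access PHI")
        if ctx.risk_score > max_risk:
            failures.append(f"risk score {ctx.risk_score} exceeds {max_risk}")
    return Decision(not failures, failures or ["all explicit checks passed"])

def audit_line(identity, device, ctx, resource, decision):
    """One activity-log line per decision, the feed a SIEM would ingest."""
    verdict = "ALLOW" if decision.allow else "DENY"
    return (f"{verdict} user={identity.user} device={device.device_id} "
            f"net={ctx.network} resource={resource.name} "
            f"reasons={'; '.join(decision.reasons)}")

# Constructed sample data: an EHR holding PHI, a nurse, and two devices.
EHR = Resource("ehr", {"clinician"}, "phi")
NURSE = Identity("nurse01", {"clinician"}, mfa_verified=True)
MANAGED_TABLET = Device("tab-0001", True, True, True, True)
UNMANAGED_LAPTOP = Device("byod-0007", False, False, True, True)

if __name__ == "__main__":
    # Managed tablet on the clinical network is allowed; the unmanaged laptop is
    # denied even though it sits on the corporate LAN.
    for dev, net in ((MANAGED_TABLET, "clinical"), (UNMANAGED_LAPTOP, "corp")):
        ctx = Context(net, risk_score=10)
        print(audit_line(NURSE, dev, ctx, EHR, evaluate(NURSE, dev, ctx, EHR)))
```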

Microsoft: Zero-trust high-level architecture

This is an image of Microsoft's Zero-trust High Level Architecture. The main headings are: Unverified network: A user must request access to a Microsoft resource from any device type; Access conditions: A check is made to determine if a user or device meets all security conditions; Organization’s Resources

Source: Microsoft.com, 2022

Google BeyondCorp: Zero-trust high-level architecture

This is an image of Google Beyondcorp's Zero-Trust's high level architecture.

Source: USENIX, 2014

Palo Alto Networks: Zero-trust high-level architecture

This is an image of Palo Alto Networks’ zero-trust high-level architecture. Access proxy for external applications: Databases; Applications; Web; Internet Users; Remote Employees. Access proxy for internal applications: Databases; Applications; Web; System Administrators; Internal Employees; Common IT Services.

Source: PaloAlto Networks

Zero-trust implementation advice

Define your objectives before architecting your zero-trust environment.

Design from the inside-out rather than from the outside-in.

Plan to achieve a centrally managed platform rather than distinct, multiple tools.

Lifecycle of a zero-trust deployment

This is an image of the cycle of a Zero-trust deployment.  Build Cybersecurity Resilience; Risk Prioritization; Deployment and Review; Assessment.

Source: adapted from NIST SP 800-207

Technologies to support your organization’s zero-trust journey

Consider adding new solutions to your infrastructure stack.

  • Next-Generation Firewall (NGFW): Combines a traditional firewall with other network device filtering functions like application firewalls. NGFW uses in-line deep packet inspection and intrusion prevention systems to protect your network, decrypts traffic, and helps with micro-segmentation.
  • Zero-Trust Cloud Services: Help your organization give remote workers access to internal private applications while bypassing the bottlenecks and threats associated with virtual private networks (VPNs).
  • Data Loss Prevention (DLP): Solutions assist the management of data use and access through enabling a regular practice of detecting and preventing data breaches, exfiltration, or destruction of sensitive data like electronic medical records.
  • Continuous Monitoring Systems: Aid in ensuring that critical systems like clinical decision support and data from clinical records are always secure; from a surveillance perspective, it is the IT security team’s role to monitor and protect this data.
  • Understand Access Requirements: It is vital that healthcare organizations understand what employees require access from an application and information standpoint. When granting privileges, it is important to consider the employee’s role and to grant privileges to assist them with their job but not to blindly grant access to all applications or environments.
  • Consider Your Culture: A company’s culture supports the success of any security initiative. A workforce that is motivated to support the goals and objectives of a security shift is critical in the adoption of zero-trust; risks are multi-faceted and can come from both inside and outside the organization.

Related Info-Tech Research

Secure Your High-Risk Data

  • A multi-faceted approach to the challenges around comprehensive data security. This research incorporates foundational technical elements, compliance considerations, and supporting processes and policies.
  • An overview of technical and supporting process controls to evaluate and to enhance data security.

Simplify Identity and Access Management

  • Select and implement the right IAM vendor with the features your organization needs.
  • Produce vendor RFPs and shortlist vendors to help ensure that selected vendor solutions offer capabilities required by the organization.

Build Your Security Operations Program From the Ground Up

  • This blueprint will walk through the steps of developing a flexible and systematic security operations program relevant to your organization.
  • A centralized security operations process actively transforms security events and threat information into actionable intelligence, driving security prevention, detection, analysis, and response processes.

Bibliography

Avgeriou, Paris, Philippe Kruchten, Robert L. Nord, Ipek Ozkaya, and Carolyn Seaman. “Reducing Friction in Software Development.” IEEE Software, University of Groningen, 2016. Web.

“Cisco’s 2021 Benchmark Study Focuses on Privacy during Pandemic.” IAAP, 27 Jan. 2021. Accessed 26 Apr. 2022.

Dala, Vishal, Krish Krishnakanthan, Björn Münstermann, and Rob Patenge. “Tech Debt: Reclaiming Tech Equity.” McKinsey, 6 Oct. 2020. Accessed 28 Apr. 2022.

Designing A Zero Trust Network With Next-Generation Firewalls. PaloAlto Networks Technology Brief, n.d. Accessed 4 Apr. 2022.

Emsisoft Malware Lab. “The State of Ransomware in the US: Report and Statistics 2020.” Emsisoft, 18 Jan. 2021. Web.

Gentes-Hunt, Lisa. “Healthcare Data Breach Costs Surged During Pandemic.” HealthITSecurity, 29 July 2021. Accessed 26 Apr. 2022.

“Implementing a Zero Trust security model at Microsoft.” Microsoft Inside Track, 10 June 2022. Accessed 26 Apr. 2022.

Is Legacy Identity Infrastructure Holding Your Enterprise Back? Okta, n.d. Accessed 27 Apr. 2022.

Lambert, Natalie. “Why CIOs Say the Cloud Isn’t Replacing on-Premises Systems.” Enterprise CIO News, 23 Jan. 2018. Web.

“Managing Healthcare Cyber Risks with zero-trust Security.” Software Testing Blog by Cigniti Technologies, 27 Aug. 2021. Web.

McKeon, Jill. “Exploring zero-trust Security in Healthcare, How It Protects Health Data.” HealthITSecurity, 22 Oct. 2021. Accessed 26 Apr. 2022.

Office for Civil Rights (OCR). “Improving the Cybersecurity Posture of Healthcare in 2022.” HHS.Gov, 28 Feb. 2022. Accessed 26 Apr. 2022.

Pratt, Mary K. “Zero-trust model case study: One CISO’s experience.” TechTarget SearchSecurity, Feb. 2020. Accessed 26 Apr. 2022.

Rose, Scott, et al. Zero Trust Architecture. National Institute of Standards and Technology, 11 Aug. 2020. https://doi.org/10.6028/NIST.SP.800-207. Accessed 26 Apr. 2022.

Security Risk Assessment Tool. HealthIT.gov, n.d. Accessed 26 Apr. 2022.

Teerakanok, Songpon, et al. “Migrating to Zero Trust Architecture: Reviews and Challenges.” Security and Communication Networks, vol. 2021, May 2021, p. e9947347. https://doi.org/10.1155/2021/9947347. Accessed 27 Apr. 2022.

University Health Network: Leading Canadian Healthcare Provider Shrinks Cyber Risk Despite Explosion of IoT. Forescout, 2021. Accessed 27 Apr. 2022.

Ward, Rory, and Betsy Beyer. BeyondCorp: A New Approach to Enterprise Security. USENIX, vol. 39, no. 6. Dec. 2014. Accessed 27 Apr. 2022.

About Info-Tech

Info-Tech Research Group is the world’s fastest-growing information technology research and advisory company, proudly serving over 30,000 IT professionals.

We produce unbiased and highly relevant research to help CIOs and IT leaders make strategic, timely, and well-informed decisions. We partner closely with IT teams to provide everything they need, from actionable tools to analyst guidance, ensuring they deliver measurable results for their organizations.

What Is a Blueprint?

A blueprint is designed to be a roadmap, containing a methodology and the tools and templates you need to solve your IT problems.

Each blueprint can be accompanied by a Guided Implementation that provides you access to our world-class analysts to help you get through the project.


Author

Jennifer Jones
