Another year, another friendly ‘public service announcement’ about the healthcare sector being at particularly high risk from an IT security standpoint. It’s a valid concern though. The threat is real and the stakes are higher than ever. Ransomware attacks and data breaches are increasing at an alarming rate. Further, as protected health information (PHI), medical devices, and even refrigerators that hold life-saving vaccines and treatments are all connected to a healthcare organization’s network, what happens when that network gets hacked? It can wreak havoc on an entire health system.
So, what (if anything) can healthcare IT experts do to help combat this enemy? Well, according to the industry analysts, there is one security trend to definitely keep your eye on in 2023.
The Case for a Zero-Trust Security Model
In early 2022, when the White House ordered Federal agencies to adopt zero-trust security by 2024, it not only signaled greater zero-trust adoption in government, but also set an example for other industries to follow. Industries like healthcare. The increase in remote work and use of mobile and cloud computing is requiring healthcare organizations to go beyond perimeter-based security and embrace a zero-trust approach.
Under the watchful eye of a Zero-Trust Security Model, no device or user is trusted by default - even if they are connected to a permissioned network such as a corporate LAN and even if they were previously verified. It’s a “never trust, always verify” architecture that acts not as a single technology or tactic, but as a set of cyber defenses that collectively look for threats outside and within a network perimeter.
The implementation journey centers around two fundamental cybersecurity concepts: the principles of “minimum necessary” (which limits users to only the information they need to do their jobs) and “least privilege access” (which grants users, applications and other systems only the data access or permissions necessary to complete their tasks).
It may seem like a tall task, but there is good news: Healthcare organizations can go a long way towards getting there by leveraging many of their existing technologies and current policies around identity management; network access control; and device, application and data security to ensure:
- Multifactor authentication, VPN software for remote access and anti-virus software have been implemented on all employee desktop and laptop computers.
- All data has been encrypted and data loss prevention software deployed – to prevent users from accidentally exposing sensitive information online and on cloud resources.
- Medical devices and applications that connect to healthcare IT systems online are protected by using an IoMT network security technology on-site.
- Network access control (NAC) technology has been implemented to ensure computers are registered and allowed to join the network. The technology also checks the device’s security posture, and if needed, it automatically pushes software patches and anti-virus updates to the device before allowing it on the network.
- A ‘microsegmentation’ tool has been deployed, which enables granular access control by building micro-perimeters throughout the network to help protect applications and sensitive data, and to ensure apps only connect to resources that they are authorized to access. (In the event of a ransomware attack, for example, those apps have a higher level of assurance that they will be protected from unauthorized access that impacts the confidentiality, availability and integrity of the system and the data.)
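The per-request decision that these controls add up to, shown as an added example that is not from the original post. The policy table, field names and app/resource names are constructed for illustration; network location and earlier verification are carried in the request but never consulted, which is the "never trust, always verify" rule in code.

```python
from dataclasses import dataclass

# Constructed microsegmentation policy: each app may reach only the listed resources.
SEGMENT_ALLOW = {
    "ehr-frontend": {"ehr-db"},
    "pharmacy-app": {"rx-db", "vaccine-fridge-monitor"},
}

@dataclass
class Request:
    user_mfa_passed: bool      # MFA result for this request
    device_registered: bool    # NAC: device is known to the organization
    patches_current: bool      # NAC posture check
    antivirus_current: bool    # NAC posture check
    app: str
    resource: str
    on_corporate_lan: bool = False      # deliberately never consulted
    previously_verified: bool = False   # deliberately never consulted

def decide(req: Request) -> tuple[str, str]:
    """Return (decision, reason); decision is allow, quarantine or deny."""
    if not req.user_mfa_passed:
        return "deny", "mfa not satisfied"
    if not req.device_registered:
        return "deny", "device not registered with NAC"
    if not (req.patches_current and req.antivirus_current):
        # NAC remediates before admission rather than admitting the device as-is.
        return "quarantine", "posture check failed; push patches/AV updates"
    if req.resource not in SEGMENT_ALLOW.get(req.app, set()):
        # Default deny: unknown apps and unlisted resources fall through here.
        return "deny", "resource outside app's micro-perimeter"
    return "allow", "all checks passed"

def demo() -> list[str]:
    base = dict(user_mfa_passed=True, device_registered=True,
                patches_current=True, antivirus_current=True,
                app="ehr-frontend", resource="ehr-db")
    cases = [
        Request(**base),                                  # everything in order
        Request(**{**base, "user_mfa_passed": False,      # on LAN, seen before,
                   "on_corporate_lan": True, "previously_verified": True}),
        Request(**{**base, "patches_current": False}),    # stale patches
        Request(**{**base, "resource": "rx-db"}),         # lateral movement attempt
        Request(**{**base, "app": "unknown-app"}),        # app with no policy entry
    ]
    return [decide(c)[0] for c in cases]

if __name__ == "__main__":
    print(demo())
```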
Healthcare organizations without proper cybersecurity safeguards are putting patient data and lives on the line. While implementing a new cybersecurity model is not a small task, and a Zero-Trust Security Model may not be the best solution for your business, it’s worth discussing with your trusted IT advisor - as the benefits outweigh any potential downsides.
If you have questions about whether a Zero-Trust Security Model is a realistic consideration for your organization, contact The Solutions Team at info@mysolutionsteam.com.