Health-ISAC has published a white paper to help guide healthcare CISOs planning to adopt zero trust security architectures.
The standard security approach is to set up perimeter defenses to keep unauthorized persons out. Although this strategy has served companies well in the past, it isn't useful online, where there is no perimeter to protect. Additionally, the threat landscape is shifting quickly, and malicious attackers are succeeding at breaching perimeter defenses far more often. Once past the perimeter defenses, threat actors can move laterally inside networks undetected and freely carry out various malicious activities.
A zero trust security approach still offers protection when a malicious actor gains access to internal systems. It makes lateral movement harder and can significantly reduce the damage that can be caused. The principle of zero trust is to never trust and always verify. All traffic between devices and networks is untrusted and requires validation, authorization, and continuous checking.
Health-ISAC explains that zero trust cannot be implemented with a single cybersecurity solution. It is not a matter of going to one supplier and selecting a product. A number of components must be combined to build a holistic zero trust architecture. Those components include a cloud security gateway, identity and access management, data security, workload and application security, network security, and device protection.
Following President Biden's 2021 Executive Order, government agencies are adopting zero trust approaches; however, zero trust is hard to implement, and it can be notably difficult for healthcare companies. Two of the major problems in healthcare result from the prevalent use of IoT-enabled devices.
Defibrillators, oxygen pumps, nebulizers, patient monitors, and other IoT-enabled devices transmit patient information to workstations for monitoring. Every device must have a unique identity. An accurate, up-to-date inventory of the devices should be maintained. The devices need to be configured to connect via encrypted channels.
Secondly, healthcare employees are frequently on the move, use devices in several locations, and quite often use portable devices to complete documentation. Implementing the fine-grained authorization and multifactor authentication required for zero trust may be a big task and may demand additional components and configuration changes.
To help healthcare companies overcome the difficulties of zero trust security, Health-ISAC recently released a white paper (https://h-isac.org/identity-and-zero-trust-a-health-isac-guide-for-cisos/) that guides healthcare CISOs on the implementation of zero trust architectures.
The guidance explains what zero trust security means and details how zero trust requires an identity-centric approach to cybersecurity that involves granular authorization, multi-factor authentication, and the principle of least privilege, with all assets, subjects, and processes requiring specific authentication and authorization.
The new guidance is based on the information in “An H-ISAC Framework for CISOs to Manage Identity”, shared by Health-ISAC in 2020. It applies zero trust concepts to safeguarding all communications, keeping track of the security and integrity of assets, granting access per session, developing policy-based authorization according to contextual data, and including devices in the target program and resources. The guidance specifies the steps healthcare CISOs must take to begin using zero trust infrastructures.
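
The requirements described above (every device has a unique identity and an inventory entry, connections are encrypted, and access is granted per session under least privilege with multi-factor authentication) can be expressed as one policy decision function. This is an added example, not code from the Health-ISAC white paper; the device IDs, roles, resource names, and the rule that device-to-service traffic authenticates by device identity instead of MFA are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed device inventory: unique device ID -> device type (sample data).
INVENTORY = {
    "monitor-0412": "patient_monitor",
    "tablet-0093": "clinician_tablet",
}

# Constructed least-privilege policy: (subject role, device type) -> permitted resources.
POLICY = {
    ("nurse", "clinician_tablet"): {"ehr:notes:write", "vitals:read"},
    ("device", "patient_monitor"): {"vitals:write"},
}


@dataclass(frozen=True)
class Request:
    """Contextual data presented for one session (field names are hypothetical)."""
    subject_role: str
    device_id: str
    resource: str
    mfa_verified: bool
    channel_encrypted: bool


def authorize(req, inventory=INVENTORY, policy=POLICY):
    """Return (allowed, reason) for a single session; deny unless every check passes."""
    device_type = inventory.get(req.device_id)
    if device_type is None:
        return False, "device not in inventory"
    if not req.channel_encrypted:
        return False, "channel not encrypted"
    # Assumption: human subjects need MFA; device traffic relies on device identity.
    if req.subject_role != "device" and not req.mfa_verified:
        return False, "MFA required"
    granted = policy.get((req.subject_role, device_type), set())
    if req.resource not in granted:
        return False, "resource outside least-privilege grant"
    return True, "allowed for this session only"


if __name__ == "__main__":
    for r in (
        Request("nurse", "tablet-0093", "vitals:read", True, True),
        Request("nurse", "tablet-0093", "vitals:read", False, True),
        Request("device", "monitor-0412", "vitals:write", False, False),
        Request("nurse", "unlisted-pump", "vitals:read", True, True),
    ):
        print(r.device_id, r.resource, authorize(r))
```

Because the decision is made per request, a device removed from the inventory or a session that loses its encrypted channel is denied on the next call without any change to the policy table.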