The Health-ISAC released zero-trust guidelines for cybersecurity professionals in the healthcare sector. (Photo by Leon Neal/Getty Images)

Challenges with adopting a zero trust security model in healthcare boil down to two key issues: the rapid expansion of IoT devices and authentication complexities tied to “the roaming nature of some healthcare workers,” according to a new white paper from the Health-ISAC.

These hurdles must be addressed before making the shift to zero trust, as “implementing a zero trust architecture is not as simple as going to one vendor and picking a solution off the shelf.”

As previously reported, zero trust is ideal for healthcare but the majority of provider organizations have struggled to make the jump due to system complexities and other roadblocks.

But as the Department of Health and Human Services continues to make strides in interoperability, which relies heavily on APIs, zero-trust adoption should be a priority so that hospitals can better adapt to sprawling networks.

Identity is the “core of zero trust,” including multi-factor authentication, authorization governance, and “the proper provisioning of roles and attributes for access,” Health-ISAC noted. “Access rules need to be as granular as possible to enable least privilege and all subjects, assets, and workflows need to be explicitly authenticated and authorized.”

For example, zero trust ensures that employees only have access to elements needed to perform their required job functions. The model ensures the network is segmented based on least privilege access, providing minimal access based on trust policies tailored to the user.

The paper aims to help chief information security officers in healthcare better understand zero-trust security and the recommended approach to the model’s architecture, so they can build an identity-centric approach to cybersecurity.

Health-ISAC notes the guide is designed to educate CISOs on zero trust and its needed foundation, along with basic tenets, common challenges to zero-trust migrations and how to start the shift. The guide was written for entities of all sizes and maturity levels with hopes these CISOs will understand the importance of an identity-centric approach to cybersecurity.

Security leaders will find a definition of zero trust, the implications of the security model, and specific steps for implementing zero trust within the healthcare environment. The paper also adds zero trust components to the Health-ISAC Framework for Managing Identity released in 2020.

The framework has been updated with zero trust concepts and “incorporate additional controls to deliver core elements of a zero trust architecture,” including standards for securing communications, asset monitoring, perimeters for granting access, policy-based authorization, and adding devices to target systems and resources.
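The identity-centric principles quoted above (explicit authentication and authorization of every subject, asset and workflow, access rules granular enough to enforce least privilege, and policy-based authorization that also covers devices added to target systems) are easier to reason about as a policy decision point that is consulted on every request. The following is an added illustration and is not code from the Health-ISAC paper or framework; the roles, resource paths, the 8-hour session limit, the trusted network zones and the device-to-service segmentation rule are all constructed assumptions chosen to mirror the two challenges the paper names, IoT devices and roaming staff.

```python
"""Added example (not from the Health-ISAC paper): a minimal zero-trust policy
decision point. Every request is evaluated explicitly; nothing is trusted
because of where it comes from on the network."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    """Who is asking: a human identity or a device identity (e.g. an infusion pump)."""
    subject_id: str
    roles: frozenset
    is_device: bool = False
    mfa_verified: bool = False
    session_age_min: int = 0


@dataclass(frozen=True)
class Device:
    """What the request is sent from; posture is re-checked on every call."""
    kind: str          # "workstation", "tablet", "infusion_pump", ...
    managed: bool
    patched: bool


@dataclass(frozen=True)
class Request:
    subject: Subject
    device: Device
    resource: str      # path-like, e.g. "ehr/patient/1234/notes"
    action: str        # "read" or "write"
    network_zone: str  # "clinical_floor", "guest_wifi", ...


# Constructed, granular role scopes: resource prefix -> allowed actions.
ROLE_SCOPES = {
    "nurse":      {"ehr/patient/": {"read", "write"}, "pharmacy/orders/": {"read"}},
    "pharmacist": {"pharmacy/orders/": {"read", "write"}},
    "billing":    {"billing/claims/": {"read", "write"}},
}
# Constructed IoT segmentation: a device kind may only reach its own service.
DEVICE_SCOPES = {"infusion_pump": "telemetry/pumps/"}
# Constructed roaming rule: writes are only accepted from these zones.
TRUSTED_ZONES = {"clinical_floor", "admin_office"}
MAX_SESSION_MIN = 480  # assumed 8-hour maximum session age


def _in_scope(scopes: dict, resource: str, action: str) -> bool:
    return any(resource.startswith(p) and action in acts for p, acts in scopes.items())


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every branch is an explicit check; the default is deny."""
    s, d = req.subject, req.device
    if s.is_device:
        # Device identities are segmented to their own service; anything else is denied.
        prefix = DEVICE_SCOPES.get(d.kind)
        if prefix is None or not req.resource.startswith(prefix):
            return False, "device_segmentation"
        return True, "allowed"
    # Explicit authentication for human subjects on every request.
    if not s.mfa_verified:
        return False, "mfa_required"
    if s.session_age_min > MAX_SESSION_MIN:
        return False, "session_expired"
    # Device posture is part of the trust decision, not just the user's identity.
    if not (d.managed and d.patched):
        return False, "device_posture"
    # Roaming staff: reads from any zone, writes only from trusted zones.
    if req.action == "write" and req.network_zone not in TRUSTED_ZONES:
        return False, "untrusted_zone_write"
    # Least privilege: the union of the subject's role scopes must cover resource + action.
    scopes: dict = {}
    for role in s.roles:
        for prefix, actions in ROLE_SCOPES.get(role, {}).items():
            scopes.setdefault(prefix, set()).update(actions)
    if not _in_scope(scopes, req.resource, req.action):
        return False, "out_of_scope"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample requests.
    nurse = Subject("nurse01", frozenset({"nurse"}), mfa_verified=True, session_age_min=30)
    ws = Device("workstation", managed=True, patched=True)
    pump = Subject("pump-7", frozenset(), is_device=True)
    pump_dev = Device("infusion_pump", managed=True, patched=False)
    for r in (
        Request(nurse, ws, "ehr/patient/1234/notes", "read", "clinical_floor"),
        Request(nurse, ws, "ehr/patient/1234/notes", "write", "guest_wifi"),
        Request(nurse, ws, "billing/claims/55", "read", "clinical_floor"),
        Request(pump, pump_dev, "telemetry/pumps/7", "write", "clinical_floor"),
        Request(pump, pump_dev, "ehr/patient/1234/notes", "read", "clinical_floor"),
    ):
        print(r.subject.subject_id, r.action, r.resource, "->", decide(r))
```

The reason strings are what a detection team would want logged: a spike in `device_segmentation` denials from one device kind, or `untrusted_zone_write` denials for a single clinician account, is a signal in its own right, independent of whether any request was eventually allowed.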

Healthcare CISOs can leverage the guide to assess the specific challenges their organization may face in attempting to adopt the model. Health-ISAC is also requesting feedback from industry stakeholders.

“The criteria may seem daunting at first but will ultimately lead to better security for the organizations in the long term,” Health-ISAC concluded. “Gone are the days of letting someone in the front door, giving them a role with access privileges and then having them go about their merry way.”