Zero trust is difficult to implement, but it's especially challenging in the health sector, says Zach Martin, senior policy advisor for Venable. (Army)

Zero trust, the process of narrowing defense perimeters to more individualized resources, is an ideal model for the modern threat landscape. But in healthcare, key challenges with expansive inventory and the need for ready access may inhibit the shift to stronger access controls.

To Zach Martin, senior policy advisor for Venable, zero trust in healthcare can be achieved by foundational policies that maintain effective device and application security, along with addressing how the tech integrates with the existing identity and access management system.

“Zero trust is difficult, no matter the market,” said Martin, who authored the Health-ISAC’s recent white paper delving into the nuances of zero trust in healthcare. “It’s the architecture and other elements that are different than people are used to.”

Traditionally, the mindset was that firewalls were the pinnacle of security. But modern security requires a more nuanced approach. “It’s tough,” said Martin. ”You can get the most well-funded, well-resourced organization, and you'll still have challenges in implementing zero-trust architecture.”

Martin has been working with the Health-ISAC’s identity committee for several months as an advisor. Provider organizations have been asking more about zero trust and how it applies to the healthcare environment, its feasibility, and some of the specific healthcare challenges. The white paper aims to address those key areas.

“You’re not going to implement zero trust overnight,” said Martin. “It’s not the way this works. You have to take a phased approach” that begins with verifying the tech operating on the network, the policies to support identity and security, and the current authorizations and user privileges.

In short, providers must ask “a lot of foundational questions” before talking with vendors or consultants to begin the key implementation elements outlined in the Health-ISAC paper.

Only after the information is gathered around device inventory, applications, integration, and the role of multi-factor authentication can providers take the next step of discussing next steps with their identity and access management and clinical application vendors to examine the scope of options specific to their organization.

Addressing MFA and access control challenges

Stakeholders often note the difficulties in employing MFA in healthcare due to the complexity of the environment, the sheer number of access points, and concerns about further burdening providers who need efficient access to ensure patient care.

“It’s a complicated thing because you don't want to make caregivers jump through extra hoops in order to get access to bring care to patients,” said Martin.

But there are other ways to employ strong authentication outside of traditional plug-in tech, OTP, or biometrics, he explained. There are other environmental or other attributes that can perform similar authentication controls, such as geolocation of the IP address or device information.

And that’s where policy comes into play: Is the person caring for this patient actually in the hospital? Are they accessing the services from a Wi-Fi sensor located on the floor near the patient?

Through risk engines and other environmental attributes to determine user profiles and authenticate, leaders can block access when a user is trying to access a patient health record from an IP address based in another country or at a time of day the user is typically off-work. 

Without the right policies, these red flags can be overlooked.

“There are all sorts of other things that can be used outside of traditional MFA when it can't be deployed,” said Martin. However, MFA can be achieved in a way “that’s seamless to the end user” that doesn't require users to bring out a phone, hit a button on their device, or take off their gloves to do biometric authentication.

Provider organizations need to have the policies in place that backup or support whatever technology they plan to eventually deploy, such as MFA implementation or least privilege. Those elements begin on paper, and it’s a requirement for providers who want to begin the zero-trust journey long before implementing the technology.

Modern identity and access management systems can support authorization and least privilege. As Martin noted: “It's just a matter of implementing the tech and putting the elements in place.”

Healthcare has a number of different applications that are out there, so security leaders are tasked with ensuring the implemented tools “can integrate with a centralized management system” that can monitor and leverage fine-grained authorization, “so if there's something suspicious happening, it can be blocked out.”

Zero trust: not possible for every market

“Zero trust isn't necessarily going to work for every single market or every single organization, but it's something to consider,” said Martin.

But even if a provider organization isn’t able to complete the full journey into the security model, bolstering access to various applications and tools is paramount. And there are elements to zero trust, particularly around access management, which can go a long way even when alternative processes can’t be achieved.

For Martin, healthcare entities considering a zero-trust journey should first pilot the model in an office setting to determine whether it’s a feasible capability for a broad, more complex caregiver environment. A small pilot program can determine the possibilities, what works for the organization, and whether a broader program can be achieved.

At the end of the day, key challenges with procurement and IoT devices may hinder the process. But that doesn’t mean security leaders shouldn’t begin to chip away at these issues.

With IoT device security, it again boils down to policies. Providers need to strengthen and evaluate their inventory of devices on the network and ensure authentication is possible and that users are authorized.

For example, “the wireless telecom device caregivers wear around their necks shouldn't be able to escalate their privileges to where they're able to access patient information,” he explained. The majority of attacks stem from elevated privileges, strong user profiles and policies can reduce those risks.

Device procurement is another area with policy-based solutions. Martin stressed that entities should have a policy that requires all buying decisions for software and tools to meet established security requirements and ensure devices are procured from reputable vendors that can support a zero-trust architecture.

“It's a matter of not buying something because it looks cool and could work. It's also making sure that it meets the security requirements on the back end,” said Martin. That way leaders don’t inadvertently open “a backdoor that enables somebody to do something they shouldn't be doing.”

Organizations must talk to their current vendors and consultants to determine their current capabilities and then “figure out how to change” current policies and perhaps tech to improve the current state of authorization and access challenges.

“Fine-grained authorization” is possible in healthcare. But it starts with policy. In a key example, it begins with user access and ensuring that clinicians and other workforce members only have access to the information needed to perform their role. It’s an issue often overlooked in the healthcare environment.