Healthcare Must Plan for Zero Trust Today to Manage Tomorrow’s Data Spread

The following is a guest article by Damian Chung, Business Information Security Officer, Netskope.

Targeted cyberattacks against the healthcare industry continue to rise. A 2021 report from HIPAA Journal showed that U.S. healthcare institutions had 616 data breaches of 500+ records in 2020—with a total of 28,756,445 total healthcare records being exposed. At the same time, hospitals and clinics racked up the highest average data breach costs among all sectors last year—$7.13 million (an increase of 10% from the previous year).

Unfortunately, a lot of healthcare customers right now don’t have additional budget dollars available to address the problem. High-margin services (like elective surgeries) are being canceled due to COVID-19, management of which remains the priority. Many healthcare organizations have been asked to make cutbacks. Even when accounting for federal funding received, COVID-19 has had a negative financial impact on more than 90% of surveyed health systems.

Health IT and security teams are being asked to spend budgets with an eye on greater efficiency. One of the ways they’re able to do this today is by embracing the cloud. Just a few years ago, many health organizations were still unsure about the cloud, because they felt they needed physical control of their data. But today, cloud services and applications are almost mandatory in healthcare environments, not least because cloud-based infrastructure is so much more cost-effective.

Zero Trust is the New Cloud

Zero Trust is a security concept that applies to your network, your data, the applications you use, and the way you interact with them, going beyond access control lists, passwords, and locked doors. I find that talking about a Zero Trust security model with healthcare CISOs today is a lot like talking about cloud services with them 10 years ago. I sometimes ask, “Do you think you can get to a Zero Trust model within healthcare?” And a lot of times the response I receive is, “No, I can’t even think about that. Zero Trust doesn’t belong in a hospital. We just can’t get to that level of granularity to be able to do it.” In other words, it scares them.

But considering how today’s health networks are rapidly evolving, the value of the Zero Trust model is already resonating with many healthcare CISOs. Another healthcare CISO I talked to recently said, “I’m going to aim for Zero Trust without actually calling it Zero Trust.” He’s building the foundation now so that in the next three-to-five years, he can make an easier shift.

This is a smart move for one key reason: health data is everywhere now. A large hospital may have more than 100,000 connected devices on their network—with about 10% being hard-to-secure bio-med devices. At one time, the data these devices collected was kept inside the hospital’s perimeter. But this is no longer the case. Medical device data is now often hosted in electronic medical records (EMRs)—which can be cloud-hosted. And this isn’t the only way that sensitive data is leaving the network.

So, without the centralized on-premises repository of yesteryear, how can hospitals ensure that their data is being kept safe?

Achieving Zero Trust

A Zero Trust model feels like a big mountain for many organizations. It’s possible some don’t understand the steps they can be taking today toward reaching that summit. First of all, Zero Trust doesn’t literally mean “no trust.” It means having more granular control over your access to your data and where your data is allowed to go when it leaves the network. Toward that end, you need to be able to do two things:

  • Understand where your data resides and how it should be classified

  • Identify devices and users that have access to different types of data classifications

Many healthcare organizations have dismissed Zero Trust because they think that if all their data is contained in the network, then they don’t need to worry about classifying it. But it’s not a simple, closed system anymore. Data is indeed now leaving the network. Not just because of medical devices storing it in cloud-based EMRs, but also because we have greater collaboration happening behind the use of cloud applications. A doctor may be collaborating with a research group at a local university or a hospital may be trying to send their latest COVID-19 numbers to a government agency for reporting. The trend toward greater collaboration means more data spread, as data is leaving the traditional bounds of the network.

The coming and going of users and devices is another factor to consider. Doctors are not always employees of the hospital. Very often they’re contractors who may come in to render specific services to the organization. They may have their own private practice or they may be coming in from another clinic. If this is the case they may be bringing their own devices and data to the hospital, and they may want to take data with them, out of the network.
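The two capabilities listed above, applied to the data flows and contractor devices just described, can be expressed as one policy check. This is an added illustration, not code from the article or from Netskope; every classification label, role, device type and destination name in it is an assumed example chosen to mirror the article's scenarios.

```python
"""Zero Trust policy check for healthcare data flows (added example, not the
article's or Netskope's code). Classifications, roles, device types and
destinations are all assumed labels chosen to mirror the article's scenarios."""
from dataclasses import dataclass

# Classifications ordered from least to most sensitive (assumed labels).
LEVELS = ("public", "internal", "deidentified", "phi")

# Where each classification may flow once it leaves the user's hands, and the
# minimum device trust needed to touch it. Assumed policy, not a hospital's.
POLICY = {
    "public": {"to": {"any"}, "device": "byod"},
    "internal": {"to": {"onprem", "cloud_emr"}, "device": "byod"},
    "deidentified": {"to": {"onprem", "cloud_emr", "research_partner",
                            "gov_reporting"}, "device": "managed"},
    "phi": {"to": {"onprem", "cloud_emr", "gov_reporting"}, "device": "managed"},
}
DEVICE_RANK = {"unknown": 0, "byod": 1, "managed": 2, "biomed": 2}
# Hard-to-secure bio-med devices only ever talk to the EMR or on-prem systems.
BIOMED_DESTINATIONS = {"onprem", "cloud_emr"}
# Highest classification each role is cleared for (assumed).
ROLE_CLEARANCE = {"clinician": "phi", "contractor_md": "phi",
                  "researcher": "deidentified", "guest": "public"}


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    device: str          # "managed", "byod", "biomed" or "unknown"
    classification: str  # one of LEVELS, or anything else if unlabelled
    destination: str     # "onprem", "cloud_emr", "research_partner", ...


def decide(req):
    """Evaluate one data access or transfer; returns (allowed, reason). Every
    request is checked the same way whether it starts inside or outside the
    hospital network, so an on-prem origin earns no implicit trust."""
    if req.classification not in POLICY:
        return False, "unclassified data is denied until it is classified"
    rule = POLICY[req.classification]
    cleared = ROLE_CLEARANCE.get(req.role, "public")
    if LEVELS.index(cleared) < LEVELS.index(req.classification):
        return False, f"role {req.role} is not cleared for {req.classification}"
    if DEVICE_RANK.get(req.device, 0) < DEVICE_RANK[rule["device"]]:
        return False, f"device {req.device} is below the trust required"
    if req.device == "biomed" and req.destination not in BIOMED_DESTINATIONS:
        return False, f"bio-med devices may not send data to {req.destination}"
    if "any" not in rule["to"] and req.destination not in rule["to"]:
        return False, f"{req.classification} data may not flow to {req.destination}"
    return True, "allowed"
```

The same check runs for a clinician writing to the cloud EMR, a contractor physician on a personal laptop, and a researcher exporting to a university partner; the decision depends on the data's classification, the device, the role and the destination rather than on which side of the perimeter the request started.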

With all these potential complications, how does an organization account for all its different data, devices, users, and access points? Its data is no longer in one place; it has spread everywhere. It would be more than reasonable to feel overwhelmed by the massive scope of a problem that is only going to get worse year over year. Three to five years from now, organizations will be far more efficient at managing and consuming ever-increasing volumes of data. Even so, 100% cloud environments are a long way off for most healthcare organizations, and if CISOs don’t start laying that foundation today to manage all forms of data, they’re going to be playing catch-up for a decade or longer.

Smart health security departments are keeping data growth in mind as they refresh technologies in the near term. This means starting to shift toward a mindset of having better visibility of data, devices, and users—not just within the traditional network, but outside the network as well.
