How Healthcare Organizations Can Reduce Risk with Zero Trust

The following is a guest article by Peter Newton, Senior Director of Products and Solutions at Fortinet.

Personal medical and financial data is incredibly valuable, which is why healthcare organizations are high-value targets for cybercriminals. The most common way attackers infiltrate networks is by stealing user credentials, making identity and access management absolutely critical for the medical industry.

Zero-trust security strategies have emerged as a strong way to reduce the risk of a data breach. Traditionally, network security has assumed that once a user has logged in to the network, they are safe to access any and all resources inside. On the other hand, zero trust treats anything or anyone trying to connect to the network as a potential threat, grants access to only the resources needed for a user’s function, and continuously verifies a user’s identity and security posture.  

This means that even if a bad actor has gained access to the network, the security features in place would catch suspicious behavior in real time, stopping a breach in its tracks.

Risks Unique to the Healthcare Industry

The healthcare sector is especially vulnerable to attacks because of its reliance on electronically stored protected health information (PHI), including records, scans, and bills. The medical devices that have revolutionized patient care, like infusion pumps and monitors, can serve as entry points for attackers if they aren’t properly secured.

Additionally, remote appointments and virtual consultations have further complicated healthcare security.

On top of all this, the healthcare industry is highly regulated, and organizations need to know where PHI is stored and who has access to it in order to ensure they are in compliance. 

Set Yourself Up for Zero-Trust Success

Zero-trust strategies and solutions, including zero-trust network access (ZTNA), help reduce the risk of a breach and can even support compliance efforts. But like any new technology, ZTNA requires forethought and planning before deployment. Without this, zero-trust solutions can disrupt clinical operations and undermine their potential value to an organization.

Here are things to keep in mind when creating a zero-trust strategy and selecting solutions for your healthcare organization:

Promote a Shift in Mindset

IT leaders should talk openly and often about the strengths of zero trust to get as much buy-in as possible before rolling out changes. Hint: When communicating with the broader organization, it might be better to avoid using the term “zero trust.”  Although security professionals understand what it means, others can be confused or take offense at the suggestion that they are not trustworthy. We recommend using “treating the inside like the outside” or “continuous verification.” 

Get Ahead of Transition Hurdles

Adoption of any new technology generally meets resistance. Choosing a solution with a unified agent that addresses both VPN and ZTNA can ease the transition to ZTNA. (Even if you migrate to a ZTNA model, there may be times when users still need a VPN, so it’s worthwhile to use a single solution for both.)

Prioritize a Single Vendor with a Platform Approach

Zero-trust technologies often involve multiple functions working together. ZTNA is one part of a zero-trust strategy and needs to fit into a broader zero-trust architecture that includes identity, IoT device control, and micro-segmentation. Prioritize a solution that’s part of a platform approach where ZTNA and other zero-trust technologies work seamlessly together.

Look for Flexible Management Options

One of the benefits of leveraging a single vendor is that all zero-trust functionality can be managed through a unified console. However, many zero-trust offerings require organizations to use cloud-based management, which isn’t suitable for all healthcare organizations, as some PHI can’t touch the cloud due to compliance requirements. Look for a zero-trust offering that includes both cloud and on-premises management options so you can choose what works best for your needs.

Cover All Locations and Devices

Your zero-trust solutions need to have a consistent user experience no matter the location. Your strategy should cover hospitals, offices, and remote clinicians performing virtual care and back-office functions, as well as all related devices.

Take It Slow

Rolling out a zero-trust strategy can seem like a massive challenge, but that’s no reason to forgo it completely. Start with a plan and learn as you go. Remember that identity is the foundation of any zero-trust project. Understanding who is allowed to do what will help you limit the data and applications a user can access according to the needs of their job.

The Importance of Healthcare Cybersecurity

Healthcare cybersecurity is vital and is becoming more important every day because medical organizations are continuing to rely on hospital information systems like electronic health records (EHRs) and physician order-entry systems. As the threat landscape expands and attackers find clever new ways to infiltrate networks, zero-trust strategies will play an increasingly important role in any modern healthcare security strategy.

About Peter Newton

Peter Newton is a Senior Director of Products and Solutions at Fortinet, where he oversees the Zero-Trust Solutions, including ZTNA. He brings 20 years of experience with computer networking and security, working at both chip-level and system-level solutions for companies including AMD, Netgear, Silver Spring Networks, and Fortinet. Peter holds a Bachelor of Science in Electrical Engineering from Rice University and a Master’s in Business Administration from the University of Texas at Austin.

   
