Sometimes the most effective way to sell an idea is by discussing the benefits it offers. But when it comes to data security solutions, the best strategy is often showing what happens if it isn’t implemented.
Zero-trust falls into the latter category.
A prime example occurred at Dayton Children’s Hospital when a business associate was impacted by ransomware. Fortunately, the security team had taken the necessary steps to ensure “everything was locked down and segmented,” and as a result, was able to block the outbound traffic, said Christopher Kuhl, who serves as CISO and CTO. “If we weren’t segmented, we could have been in real trouble.”
That level of segmentation is just one component of zero-trust, a security approach that’s becoming increasingly popular — and, some might argue, necessary — in healthcare. During a recent webinar, Kuhl and co-panelists Christopher Frenz (CISO and AVP of IT Security at Mount Sinai South Nassau) and Jonathan Langer (Co-founder and CEO, Medigate) discussed the benefits of going down the zero-trust road and the hurdles that need to be cleared.
“Zero trust has become more relevant than ever, because if you look at the recent cyberattacks, one thing that determines how well a hospital withstands these attacks is how segmented the network is,” said Frenz. The organizations that sustain the most damage, he added, are those with “completely flat networks where one compromised computer rapidly turns into an entire network of compromised computers.”
That’s where zero-trust comes in. But, like any security strategy, it must be approached cautiously and deliberately.
“There’s sometimes a tendency to jump the gun; to move quickly and show progress, which is a good thing, but a really important step is just coming up with a strategy,” said Langer. “Where do I want to start? What grouping can I do in terms of micro-segmentation? What’s the common denominator?”
It’s a lot to process, which is why Frenz recommends a staged approach. The first step, he noted, is to identify all of the assets on the network. And although it may sound simple, “it’s actually quite a challenge to figure out where everything is, what devices you have, and what are the IP addresses. It’s a time-consuming process.”
Next comes determining how the assets on your network speak to each other. With PACS, for example, security teams need to know which medical devices communicate with it and which workstations in the environment communicate with the PACS server, so they can then map out the different traffic flows.
It’s a step that can’t be taken lightly, Frenz stated. “That’s actually going to be your biggest challenge with zero trust and where I advise you spend the most time.” If zero-trust is implemented too rapidly, devices aren’t able to communicate properly, which can disrupt clinical workflow. Rather, the best course is to “take your time,” he said, noting that the implementation at his previous organization, Interfaith Medical Center, was spread out over two years. “It was not a quick rollout. It was staged and timed to ensure we learned all the traffic flows before any rules were put in place,” Frenz added. “The last thing you want is to make people resistant to security.”
With that in mind, he advised starting with low-hanging fruit — for example, basic systems like Domain Name Service (DNS) and Dynamic Host Configuration Protocol (DHCP) where most network engineers understand the ports and protocols. This strategy allows the team to “learn the new tools while minimizing the risk of breakage.”
From there, organizations can move on to VDI desktops, which are basically clones of each other, said Frenz. “Once you figure out one set of policies that works for a desktop, you can then apply that to a large number of devices. It was a great way to wrap up protection.”
Finally, he recommended saving the most complex systems for last, and avoiding setting up major systems like PACS and EHR at the same time.
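The staged process Frenz describes (inventory the assets, learn the flows, propose rules, enforce simple systems first), worked through as an added example that is not from the webinar or any panelist: a small Python script that turns constructed flow records into group-level allow-list rules, flags flows that need review, and reports which observed traffic a policy would break before it is enforced. The asset names, addresses, ports and the majority threshold are assumptions.

```python
"""Learn group-level flows, propose an allow-list, check it before enforcing."""
from collections import defaultdict
# Step 1, asset inventory (constructed, hypothetical addresses): IP -> group.
# 10.0.9.9 is deliberately absent to model an inventory gap.
ASSETS = {
    "10.0.0.53": "dns-server", "10.0.1.10": "pacs-server",
    "10.0.2.21": "ct-scanner", "10.0.2.22": "mri",
    "10.0.3.5": "radiology-workstation", "10.0.3.6": "radiology-workstation",
}
# Step 2, observed flows (constructed): (src_ip, dst_ip, dst_port).
FLOWS = [
    ("10.0.2.21", "10.0.1.10", 104), ("10.0.2.22", "10.0.1.10", 104),  # DICOM to PACS
    ("10.0.3.5", "10.0.1.10", 443), ("10.0.3.6", "10.0.1.10", 443),    # viewer HTTPS
    ("10.0.3.6", "10.0.1.10", 104),   # only one of two workstations does DICOM Q/R
    ("10.0.3.5", "10.0.0.53", 53), ("10.0.3.6", "10.0.0.53", 53),
    ("10.0.2.21", "10.0.0.53", 53),
    ("10.0.9.9", "10.0.1.10", 443),   # uninventoried device talking to PACS
]
def rule_for(flow, assets):
    src, dst, port = flow
    return (assets.get(src, "unknown"), assets.get(dst, "unknown"), port)

def learn_policy(flows, assets):
    """Map host flows to (src_group, dst_group, port) rules. A rule is
    proposed only when both ends are inventoried and a strict majority
    of the source group's hosts used it; everything else goes to review."""
    size = defaultdict(int)
    for g in assets.values():
        size[g] += 1
    hosts = defaultdict(set)
    for flow in flows:
        hosts[rule_for(flow, assets)].add(flow[0])
    proposed, review = set(), set()
    for rule, srcs in hosts.items():
        if "unknown" not in rule[:2] and 2 * len(srcs) > size[rule[0]]:
            proposed.add(rule)
        else:
            review.add(rule)
    return proposed, review

def would_block(policy, flows, assets):
    """Monitor-mode check: observed flows the policy would deny (learn these first)."""
    return [f for f in flows if rule_for(f, assets) not in policy]

def rollout_order(policy):
    """Enforce on destinations with the fewest rules first (DNS before PACS)."""
    count = defaultdict(int)
    for _, dst, _ in policy:
        count[dst] += 1
    return sorted(count, key=lambda g: (count[g], g))
```

Running `would_block` against real flow data in monitor mode is the check that keeps a rule from disrupting a clinical workflow on enforcement day.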
Navigating the hurdles
The steps outlined above can provide a solid foundation for implementing a zero-trust approach. However, there are more considerations that CISOs and other leaders should keep in mind before, during, and after the process.
- Assume you’ll be breached. With healthcare systems so interconnected, and based on how the architecture is set up with external applications, “You have to assume that, at some point in time, you will be breached,” said Langer. “If you’re able to contain the spread to a limited scope and a limited area in the network, the overall damage is going to be lower and you’ll be faster to respond to an incident.” That factor, he noted, is what makes zero trust — or at least, segmentation — so critical in protecting mission-critical devices.
- Visibility matters. One of the biggest hurdles in achieving zero trust is a lack of visibility, according to Langer. “If you can’t identify the devices and the workflows, zero trust remains an obscure notion. You have to do the work and map the flows — put in time to get that visibility.” Whether that happens manually or through automation, it needs to be done in a way that inspires confidence, he added. “You need confidence in the fact that the visibility that you’re obtaining is indeed accurate and granular.”
- Staff education. As with many initiatives, it’s imperative that staff receive consistent education. And that, noted Kuhl, means ensuring they understand what micro-segmentation looks like, how to implement it, and how to effectively create policies. “With anything new coming into our environment, we start building out segmentation and getting those policies applied,” he added. At Dayton Children’s, his team has identified three main criteria that a device must meet to get segmented: does it impact patient care, can antivirus protection be run on it, and is it expensive? If all three are met, “we work on getting that segmented and getting policies implemented.”
- Selling to C-suites. This can be a challenging aspect of zero-trust, but it doesn’t have to be, said Langer. “The message should be about what the process looks like. Not in technical terms, but in process terms of what it is, where do we start, what are the steps, and most importantly, what is it going to achieve and what’s the value?” The value, he noted, is in risk reduction. “That’s the message I’d convey to the C-level.” Kuhl agreed, adding that CISOs need to be able to explain how a zero-trust approach can help the organization achieve the goal of protecting data — and as a result, improving care.
- Don’t let perfect be the enemy of good. The old adage most certainly applies when it comes to zero-trust, according to Frenz. “Everything you can do to begin to improve segmentation to a more granular level is going to result in a measurable improvement. Just because it’s difficult and it may not be achievable to do it to the extent you desire, it doesn’t mean you shouldn’t start down that road,” he said. “With each element of segmentation you add, you’re going to be better off than you were before.”
That, according to Kuhl, is perhaps the most important takeaway. Implementing zero-trust is a complex, time-consuming process that requires high-level buy-in and support. But without it, patients are at risk; and therefore, it has to be done. “It’s one of those things we need to do in healthcare.”
To view the archive of this webinar — Evaluating a Zero-Trust Approach to Healthcare Security (Sponsored by Medigate) — please click here.