What you need to be thinking about when implementing a zero trust strategy for healthcare
Unless you have been living under a rock, which given the times we’ve been living in would be completely understandable, you’ve probably been inundated by all the hype around Zero Trust. We’re guilty of promoting it ourselves, describing its importance and its many benefits a number of times, in a number of ways (articles and webinars). And while I stand behind all those discussions and materials, I do want to take a step back and acknowledge that implementing Zero Trust, particularly within health systems, is neither straight-forward nor simple.
There is no “easy” button or single solution that will get you to a Zero Trust stance, rather it takes a myriad of people, processes, tools, and technologies working together across the health system to create and continuously evolve an effective Zero Trust strategy for a healthcare provider. So, I want to take a moment to clarify what Zero Trust is (and isn’t) for healthcare, define the concept of Clinical Zero Trust (CZT), describe why it’s important, and then point you to a practical implementation framework that will help you get you started.
Before we dive into Clinical Zero Trust for healthcare, let’s start by revisiting the concept of plain old Zero Trust. Zero Trust is a philosophy that assumes your environment has been breached, so you should “trust nothing, verify everything.” Makes sense and sounds good in theory, but what happens when you go to put that concept into action? Tons of vendors will tell you they have the Zero Trust solution you’ve been looking for, but there is no such thing as a “Zero Trust company or product”. Zero Trust is a strategy, not a technology, it’s an end goal, not a feature or capability.
To get to a Zero Trust stance takes a combination of things (people, processes, and technologies), working together towards the common goal of keeping everything in your business running as it should. It is based on the assumption that you can make access decisions according to the identity and rights of users and data (e.g., User ”A” can connect to these five devices and nothing else), to give them the least privileges possible to securely do their job. That way, if an attacker compromises a user or device, they are limited in what damage they can do, which contains the attack, shuts down many internal attack vectors, and greatly minimizes the potential impact of a breach.
There are a number of resources that can help you figure out how to architect your IT network to build a Zero Trust environment (I recommend starting with Forrester’s “Zero Trust Security Playbook for 2021”). These traditional Zero Trust strategies will work for your back office operations, where you have many of your financial and personal health information (PHI) records. However, these traditional strategies will not help you protect your clinical settings, where patient care is actually delivered.
This is where Clinical Zero Trust comes in. “CZT” shifts the focus from protecting access to devices and data to protecting physical workflows (care protocols), which are made up of all the people, processes, and medical devices involved in delivering care.
Unlike traditional office environments, most of the devices in clinical settings are not associated with any specific user or data, so traditional Zero Trust principles can’t be applied. Think about IV pumps, monitors, scopes, MRIs, etc.—they aren’t tied to a particular person, there is no user attached or logged into them from a digital perspective (even if there is a person physically attached to it). In addition, these devices are not static tools. They are constantly being moved, sometimes from patient to patient, other times with the patient, in the course of delivering care. So, the concept of Zero Trust needs to be recalibrated to handle the specific requirements of the clinical setting to protect the continuum of patient care versus any particular device.
Clinical Zero Trust ensures the patient comes first because it is a strategy designed around an end goal of protecting the delivery of care, not devices. Consider what it would mean if access to a ventilator was blocked or an IV pump was prevented from communicating with a patient monitor, simply because it was moved, powered up, or made a new connection. Clinical Zero Trust strategies help health systems implement effective security controls around care protocols to maintain their integrity and flow and without getting in the way of patient care.
The full extent of all the devices and processes involved in delivering care are considered, which can ultimately help health systems optimize efficiencies and improve outcomes. This is foundational to enabling the operational transformations and efficiencies that health systems are looking for as they move to more connected medicine. Smart hospitals and health systems are only possible if they can be secured. CZT can be a facilitator to that adoption, enabling care protocols to be delivered in a safe way that meets the needs of patients, staff and the business.
Because CZT is about protecting physical processes (care protocols), not the specific devices or data involved in that process, it means that everything involved in administering a procedure or delivering care needs to be accounted for. Biomed and clinical engineering teams already function this way when they build care protocols, which rely on a variety of staff, devices and systems, that can be executed daily to provide a prescriptive outcome; now, security needs start thinking in these same terms.
The process will take a lot of collaboration between business, biomed and security stakeholders, which can generate its own challenges and rewards, but in the end it will enable the implementation of a successful CZT strategy with all the benefits mentioned. The planning and roll out of that CZT strategy can be broken down into five phases:
Identify everything operating in the clinical setting
Map the use of entities to understand how they are involved in care and business protocols
Engineer the environment to protect the integrity and flow of each protocol
Monitor the environment to understand the impact of the policies you plan to enforce
Automate the implementation wherever possible to maximize the benefits of a CZT stance
For more information on these phases, check out Medigate’s white paper on Clinical Zero Trust, or you can also look out for the upcoming series of blog posts that will cover in detail what’s easy, what’s hard, and what’s required to complete each phase.
In the meantime, if you would like to start talking about creating a CZT strategy for your health system, please book a meeting here.