Five Phases to Clinical Zero Trust: A Deeper Dive into Phase One and Two

Beth Ellis
/ February 15th, 2021

Part 2 of a 4 Part Blog Series

As noted last month in the first blog of this series, “Defining Clinical Zero Trust,” the process of establishing and implementing a successful Clinical Zero Trust (CZT) strategy will take a lot of collaboration between your business, biomed, and security stakeholders. Ultimately, the planning and rollout of that CZT strategy can be broken down into five phases:

As with almost everything, each phase is made up of some things that can be done very easily and others that are going to be a little more challenging to accomplish. We thought we would jump in and describe what is easy and hard about each of these phases, so you know what you are really in for and can appropriately plan and set expectations.

Phase 1: Identify

The goal of this phase is to identify everything operating in the clinical setting, so you understand the landscape you are dealing with and trying to protect.

What’s Going to be Easy

The easier part of this phase is to get visibility into your digital assets. There are any number of discovery tools that can detect anything that connects to the network and identify its IP and MAC addresses. What’s harder is to get the details on each device that identify what that device really is. This takes uncovering the device’s:

  • Modality – type, make, and model

  • Version – OS type and version

  • Software – embedded software and protocols used

  • Unique Identifiers – serial number, hostname, MAC address

  • Location – SSID, access point (AP), AP location

  • Utilization – average usage, daily usage, etc.

This is where Medigate can help with its device visibility and data. We can make it easy for you to get a comprehensive real-time inventory of all the connected devices in your environment, so you can start to understand the makeup of your environment and ultimately your risk posture.

Once you have visibility into the details of your devices, you can start mapping them to risky activity and known vulnerabilities to understand any threats they pose to your environment. The key is to apply healthcare-specific threat intel, like H-ISAC and manufacturer-specific advisories, to accurately measure and score the risks posed by each medical, IoMT, and IoT device. The risk scoring absolutely must include criticality information, based in part on the FDA’s guide on the impact to patient care, and ultimately human life, if a machine is damaged or somehow compromised. This leads us to the elements of identification that are significantly more difficult to do...

What’s Going to be More Difficult

Identifying digital assets is the first part; understanding what those devices do is the next, arguably more important, and definitely more difficult, part of the process. As discussed in “Defining Clinical Zero Trust,” the potential ‘life and death’ consequences associated with disrupting anything within the clinical setting mean that Zero Trust can’t be narrowly focused on protecting data or devices.

Instead, within healthcare, Zero Trust must be applied more broadly to protect the integrity of the physical workflow, which may include any number of devices or data. This means the digital assets you’ve discovered need to be tied to the physical workflows they are involved in (the care protocols). It’s all about context - it’s taking a device and connecting it to all the people, processes and other systems that rely on that device to function.

You have to answer: What’s the consequence if this device gets disconnected, breaks, or is lost? Why is it here? What are the dependencies of the device? How critical is the device to the completion of a procedure or the ongoing delivery of care? Answering these questions will help you understand the criticality of the device to the broader, physical workflow, as well as the potential risk it poses to ongoing operations and patient care.


We recommend that you engage all your business, biomedical, and security stakeholders early in this process, so you can effectively link your digital assets to the physical workflows they are involved in. Only by fusing cyber and physical together will you be able to properly manage and secure your clinical settings. If you do the work up-front to understand what’s in your environment and why it’s there, it will help you later on (Phases 3-5) ensure you aren’t creating any additional or unnecessary risks when you implement your security measures.

Phase 2: Map

The goal of this phase is to dig deeper into everything you’ve identified to really understand how each asset is involved in your delivery of care or business protocols.

What’s Going to be Easy

Mapping the cyber flows to understand what a device is connecting to, how, and when, is fairly easy. There are any number of tools that can piece together a digital footprint and provide this visibility. The harder part is identifying the criticality of these cyber flows. Are they normal, necessary, and safe?

The answers to these questions can vary widely based on the level of expertise and understanding your tools have of how clinical networks work. Some solutions report on what they have observed, using machine learning and anecdotal evidence (e.g., this connection has been seen regularly over the past 3 months), to draw conclusions about whether a flow is normal or not. Others have augmented their analysis with information directly from clinical manufacturers and healthcare research teams to provide a more detailed understanding of how these devices are supposed to, and actually do, work.

Full disclosure: Medigate, with our healthcare-focused platform, is in the latter camp. We provide healthcare delivery organizations insights into their digital workflows that take into consideration the context of clinical protocols and manufacturer-intended behaviors. As a result, we can help health systems start to understand the criticality and risks associated with those flows as they relate to their ability to operate and deliver patient care. We can help bridge the gap between the cyber and physical flows, which, as we’ve already noted, is necessary to properly manage and protect clinical networks. But there is still work to be done to effectively map the cyber and physical flows to your own clinical setting.

What’s Going to be More Difficult

Understanding the cyber flows is important, but the extremely tricky part is aligning them with the physical flows. Platforms like Medigate can jump-start the process, but often it requires walking the physical hospital floor and interviewing your practitioners and biomed engineers to understand exactly what is going on.

The goal is to document the physical workflows/care protocols, so the cyber flows around WHAT a device is doing can be directly tied to WHY that device is doing it. Mapping out all the potential steps involved in a procedure or care protocol can lead you to uncover additional devices and dependencies that may have been missed initially in the Identify phase. For instance, you may have identified the patient monitors talking to the central monitoring system, but missed the DNS or manufacturer’s server that it also communicates with. Therefore, you might find that you are looping between “Identify” and “Map” a number of times before you get it right.

The mapping phase also adds the physical boundaries to the flows, so you know where a device should be able to go. For instance, can the patient monitor be moved down the hall? Probably. Can the patient monitor go into the parking garage? Probably not. These physical boundaries help you bound the digital flows to specific access points/switches in the area.

Ultimately, the mapping phase will help you define the smallest “surface area” that can be protected by the rules/policies/actions you Engineer later on (Phase 3). You are basically looking to pinpoint where a workflow can be interrupted without impacting the quality of care or the outcome, because that’s where a control point can ultimately be inserted. The mapping basically lays the foundation for not only where policy can be applied, but also which policy can be applied to which workflows.


The main recommendation we have for this phase is patience. Don’t be disappointed if it takes longer than you would like. Ultimately, you should be prepared to continuously loop between all the devices you’ve identified and the mappings you have made between the digital and physical flows. In this case, it is about both quantity and quality – you want to do your best to identify everything, correctly. A couple of tips:

  • You can use packet sniffers to validate that you have captured the digital flows correctly.

  • Go down and actually walk the floor with the devices and talk to people who work there to understand and then document the physical workflows. You’ll be amazed at how much you can learn, and how much you may have missed!
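As an added illustration (not Medigate’s code and not part of the original post) of how the Identify-phase attributes feed the Map-phase checks described above: a small Python model that baselines observed flows the “anecdotal” way, separately marks which flows the manufacturer actually documented, flags a device seen outside its mapped physical boundary, and orders the findings by patient-care criticality. The devices, access points, peers and flow records are constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class Device:                   # Identify-phase attributes from the post, reduced to what Map needs
    modality: str               # type / make / model
    os_version: str
    allowed_aps: frozenset      # physical boundary: APs the device may appear on
    intended_peers: frozenset   # manufacturer-documented destinations (constructed here)
    criticality: int            # 1 (low) .. 5 (directly involved in patient care)

# Constructed inventory and observed flows; all names are illustrative, not real hosts.
DEVICES = {
    "monitor-icu-01": Device("patient monitor", "embedded-linux 4.9", frozenset({"ap-icu-1", "ap-icu-2"}),
                             frozenset({"central-station", "dns-internal"}), 5),
    "infusion-7": Device("infusion pump", "rtos 2.1", frozenset({"ap-ward-4"}), frozenset({"pump-server"}), 4),
}
FLOWS = [  # (device, destination, protocol, access point it was seen on)
    ("monitor-icu-01", "central-station", "hl7", "ap-icu-1"),
    ("monitor-icu-01", "central-station", "hl7", "ap-icu-2"),
    ("monitor-icu-01", "dns-internal", "dns", "ap-icu-1"),
    ("monitor-icu-01", "vendor-cloud", "https", "ap-icu-1"),
    ("monitor-icu-01", "vendor-cloud", "https", "ap-icu-2"),
    ("infusion-7", "pump-server", "proprietary", "ap-ward-4"),
    ("infusion-7", "pump-server", "proprietary", "ap-garage-1"),
    ("infusion-7", "file-share", "smb", "ap-ward-4"),
]

def baseline(flows, min_seen=2):
    """Anecdotal baseline: a (device, dst, proto) triple seen min_seen+ times counts as 'normal'."""
    counts = Counter((dev, dst, proto) for dev, dst, proto, _ in flows)
    return {key for key, n in counts.items() if n >= min_seen}

def classify(devices, flows, normal):
    """Label each distinct flow: intended (manufacturer says so), observed-normal (merely frequent), or unexpected."""
    return {(dev, dst, proto): ("intended" if dst in devices[dev].intended_peers
                                else "observed-normal" if (dev, dst, proto) in normal else "unexpected")
            for dev, dst, proto, _ in flows}

def boundary_violations(devices, flows):
    """Physical boundary check: device seen on an AP outside the area mapped for it."""
    return sorted({(dev, ap) for dev, _, _, ap in flows if ap not in devices[dev].allowed_aps})

def findings(devices, flows):
    """Everything a reviewer should look at, most patient-critical device first."""
    labels = classify(devices, flows, baseline(flows))
    out = [(dev, f"{lab} flow to {dst} ({proto})") for (dev, dst, proto), lab in labels.items() if lab != "intended"]
    out += [(dev, f"seen on {ap}, outside physical boundary") for dev, ap in boundary_violations(devices, flows)]
    return sorted(out, key=lambda f: (-devices[f[0]].criticality, f[0], f[1]))
```

The vendor-cloud flow shows the gap the post describes: frequency alone makes it “normal,” but only manufacturer or clinical context can say whether it is necessary and safe.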

Watch out for upcoming blogs on Phase 3, 4 and 5. For more general information, you can check out Medigate’s white paper on Clinical Zero Trust.

