July 31, 2020 - Healthcare has been, and will likely always be, a prime target for cyberattacks, given its valuable data and the need for constant data access to ensure continuity of care. While awareness of these issues has improved drastically, a zero trust model in healthcare will be crucial moving forward, given the sector's staffing gaps, limited resources, and other challenges.
Recent reports have spotlighted the industry's security challenges and its failure to keep pace with the ever-evolving threat landscape. IBM found that healthcare leads all industries in average data breach cost, at $7.13 million, a ranking it has held for 10 consecutive years.
Meanwhile, Ordr research shows that many IoT and medical devices allow the use of social media platforms, and some have been the subject of Food and Drug Administration recalls. Many providers and COVID-19 vaccine developers are operating on platforms with serious, unpatched security vulnerabilities, while the sector as a whole continues to struggle with adequate patch management and inventory.
But hackers aren't waiting for providers to catch up: as healthcare continues to struggle with often basic security challenges, threat actors are simply moving at a much faster pace.
The COVID-19 pandemic, in particular, has highlighted the severity of the situation. Threat actors are actively targeting those developing treatments and vaccines, often working with foreign governments for espionage purposes.
DHS CISA, the FBI, and security researchers are continuously working to keep the industry informed, urging quick remediation. But speed and healthcare cybersecurity don't often align.
Given these disparities, it's imperative that the sector address these challenges now. Ideally, a zero trust infrastructure could remediate issues with credential theft, authentication, authorization, and even the heavy reliance on Virtual Private Networks (VPNs).
But with limited staffing and resources, it's important to ask: just how feasible would a zero trust model be in the healthcare sector?
NIST describes zero trust as an evolving set of cybersecurity paradigms that narrow defenses from a wide network perimeter to individual resources. The model focuses on protecting resources, not network segments.
Zero trust was designed in response to enterprise trends such as remote users and cloud-based assets that are not located within the enterprise network perimeter.
A zero trust architecture (ZTA) uses zero trust principles to plan enterprise infrastructure and workflows, according to NIST. Zero trust assumes that no implicit trust is granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet).
Authentication and authorization (of both user and device) are discrete functions performed before a session to an enterprise resource is established, NIST adds. Zero trust focuses on protecting resources, not network segments, because network location is no longer seen as the prime component of a resource's security posture.
The first US federal Chief Information Security Officer, Greg Touhill, an adjunct professor at Carnegie Mellon University's Heinz College, explained that the model first came about in 2004 with a lead researcher at the Jericho Forum, a group of multinational user companies dedicated to the development of open standards.
The overall enterprise network was initially designed around a perimeter-based model, protected by antivirus software and firewalls. But those researchers concluded that the traditional perimeter had been rapidly overtaken by events: mobile computing, laptops, and now iPhones and tablets.
Administrators were merely attempting to get all of these devices to work, connect, and authenticate: security was not always top of mind.
OPAQ Chief Technical Officer Tom Cross explained that in the early years, security was primarily a security guard sitting at a front desk, stopping people from getting into the building. As more items were connected to the network, security efforts evolved in an attempt to keep pace with the decentralized network.
The model continued to evolve through 2010, when the term zero trust truly landed, Touhill explained. Under that strategy, user profiles are designed to authenticate and only provide access to what the user is authorized to see.
"Mobility was poking too many holes in the perimeter," Touhill noted. "Jericho came in and said we need a new model that doesn't presume everything is trusted, a model that authenticates first and then only connects to what you've allowed it to see."
"At its core, the idea is to go in and assume everything is not rosy," he continued. "Don't trust from the inside and don't trust from the outside. Authenticate before granting access, and take an identity-centric approach to granting access to information."
Many organizations have moved to the cloud or are leveraging SaaS applications. Often, employees are not in the office, although the apps they're accessing exist on the enterprise network, Cross explained. As a result, traffic is routed through the office network even when the user is physically located elsewhere. These issues can lead to a host of authentication problems and increase the risk of exploitation.
Chris Williams, Cyber Solution Architect at Capgemini North America, explained that the core concept of zero trust is to treat the enterprise network like it's the internet, assuming that there are compromised machines or users on the enterprise network, as well as malicious actors, all of the time.
Enterprises must assume those actors are constantly working to gain access to the rest of the enterprise for further exploitation.
"So, you don't trust anything: the network doesn't trust the machine unless the machine has been identified and authenticated. The application doesn't trust the user unless the user has been identified and authenticated. The database doesn't trust the transaction unless the transaction has been properly authorized and approved," Williams said.
"There is an audit trail for everything, so you can perform analysis for incident detection and response," he added.
However, Saif Abed, cyber evangelist and Clinical Cyber Defense Systems CEO, explained that this model can only be implemented effectively when the organization understands who its users are, what its assets are, and how users interact with each device during normal business operations and in exceptional circumstances.
The first step will be the most time-consuming: mapping the environment, explained Abed. Enterprises must risk-assess different assets, from medical devices to network infrastructure, while categorizing user groups and critically understanding their behaviors and interactions.
Healthcare organizations can't move further along in the zero trust process until this mapping is adequately accomplished, he added. Only then can leadership consider making bigger investments in technology that could support a zero trust model: people and processes must first be understood.
Touhill added that healthcare has a trove of devices, including surgical robots, IoT, and computers, which are often unpatched or unmanaged. An inventory and asset management of these devices is crucial to beginning a zero trust process.
But many providers are drastically wrong about how many devices exist on their networks. In one example, Touhill explained that a sample hospital said it had about 7,000 devices connected to the network. With an automated solution, they found 90,000 connected devices.
"It's literally impossible to do asset management manually," Touhill stressed.
Williams explained that networks must be configured to control access on a connection-by-connection basis, which requires deployed authentication services that can identify users and devices individually.
"In particular, modern healthcare networks have seen explosions in the use of IT technology on clinical networks where care is delivered," Williams said. "Healthcare organizations should have some segregation of clinical capabilities from IT and Internet-connected capabilities, so that Internet-based issues cannot interfere with patient care and safety."
"Situations where devices and users are trusted simply because they are connected need to be identified, isolated, and locked down to the greatest extent possible," he added. "Above all else, you should assess your environment to lay out a prioritized roadmap for implementation, so the most significant vulnerabilities can be addressed and the environment hardened against a possible attack in a prioritized manner."
In healthcare, the zero trust process should center on device health and identity and access management, explained Chase Cunningham, vice president and senior analyst at Forrester. That way, if an attacker gains access through the network using stolen credentials, the attack can't proliferate across the network.
Attackers in healthcare, whether they are exfiltrating data or launching a ransomware attack, increasingly focus on scale, explained Abed. The more they can move across a network and compromise it, the more options they have in terms of the impact of their attacks.
Doing this often requires spoofing behaviors and identities to take advantage of existing trust paradigms, he added. By implementing a zero trust strategy, you effectively shrink the scale of opportunity for attackers to exploit existing interactions between users and devices, because identities and transactions are constantly being monitored and challenged.
Zero trust also makes the IT environment more robust against the smaller breaches and failures that tend to be the start of headline-grabbing compromises, Williams explained. Major cyberattacks are actually a slow process, beginning with a single server or endpoint exploit that gives an attacker control.
The hacker can then exploit that foothold to proliferate across the network and escalate privileges until gaining control and accomplishing the objective. But if an organization has implemented a zero trust model, Williams said, proliferation becomes increasingly difficult, as the hacker will need to obtain proper privileges and connectivity at every step of the way.
In addition, with zero trust, every step the attacker takes will be logged for later investigation, leaving them vulnerable to detection by cyber defense monitoring systems, he said.
It's clear that all industries should be working to move to a zero trust model to combat serious risks and cybercriminal activity. But given healthcare's current struggles to keep pace, there will be a long journey ahead in attempting to make the shift.
And some organizations will find the process easier than others.
For example, Williams explained that many organizations with almost entirely cloud-based environments and minimal on-premise networks or datacenters already have many zero trust principles implemented in their IT environment, as cloud services are typically delivered over the internet and hardened using those principles.
Highly distributed environments with limited central infrastructure, where it is easy to isolate sites and capabilities from one another, are ideal for zero trust as well, he added.
Zero trust tends to be most difficult in high-tech, highly collaborative environments, like product design, where large numbers of people need access to each other's applications and systems, Williams said.
In those situations, zero trust requires a high level of discipline and mature underlying infrastructure and processes, he added. Once in place, zero trust can provide excellent protection against targeted professional cyberattackers by thwarting their ability to target sensitive data or to unleash ransomware.
Zero trust is not a tool; it's a process to go through to reach a secured destination. Cross explained that an organization can never hope to eliminate every risk and create an ideal state. But the idea is to make progress toward the most secure environment possible.
For healthcare, it will begin with understanding your people, identity, and authentication, as well as a full understanding of groups within the enterprise, to build a strong foundation. At the end of the day, zero trust is the way to respond and where networking is going in the future, Cross added.
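The per-connection model Williams and Cunningham describe above (the network does not trust the machine, the application does not trust the user, device health and identity are checked on every request, and every decision is logged) can be made concrete with a small policy decision point. The following is an added example written for this page, not code from the article, from NIST, or from any vendor; the users, devices, resources and request stream are constructed sample data, and the policy checks are one reasonable ordering rather than a standard. Note that the second request in the sample uses a valid, authenticated credential from a device that is not in the managed inventory, which is the stolen-credential case the text says zero trust is meant to contain.

```python
"""Added example (not from the article): a minimal zero trust policy decision
point (PDP). Each request to a resource is evaluated on its own, using the
caller's verified identity, the posture of the device the request comes
from, and the resource's policy. Network location is never consulted, and
every decision is appended to an audit log. All inventory below is
constructed sample data."""

from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool   # enrolled in the asset inventory / endpoint management
    patched: bool   # current on security updates (device health)
    segment: str    # "clinical" or "it"


@dataclass(frozen=True)
class Resource:
    name: str
    required_role: str
    allowed_segments: frozenset
    require_patched: bool


# Constructed sample inventory (hypothetical names).
USERS: Dict[str, Dict] = {
    "nurse01": {"role": "clinician", "mfa": True},
    "admin01": {"role": "sysadmin", "mfa": True},
    "vendor01": {"role": "vendor", "mfa": False},
}
DEVICES: Dict[str, Device] = {
    "ws-icu-07": Device("ws-icu-07", managed=True, patched=True, segment="clinical"),
    "lap-it-12": Device("lap-it-12", managed=True, patched=False, segment="it"),
    "unknown-mac-3f": Device("unknown-mac-3f", managed=False, patched=False, segment="it"),
}
RESOURCES: Dict[str, Resource] = {
    "ehr-api": Resource("ehr-api", "clinician", frozenset({"clinical"}), True),
    "infusion-pump-ctl": Resource("infusion-pump-ctl", "clinician", frozenset({"clinical"}), True),
    "jump-host": Resource("jump-host", "sysadmin", frozenset({"it"}), True),
}


@dataclass
class Request:
    user: str
    authenticated: bool   # did the identity provider verify this session?
    device_id: str
    resource: str


@dataclass
class Decision:
    allowed: bool
    reason: str
    record: Dict = field(default_factory=dict)


AUDIT_LOG: List[Dict] = []


def evaluate(req: Request) -> Decision:
    """Decide one connection. Identity first, then device posture, then the
    resource's own policy; the first failing check wins and is logged."""
    user = USERS.get(req.user)
    device = DEVICES.get(req.device_id)
    resource = RESOURCES.get(req.resource)

    if user is None or not req.authenticated:
        decision = Decision(False, "identity not verified")
    elif not user["mfa"]:
        decision = Decision(False, "mfa not satisfied")
    elif device is None or not device.managed:
        decision = Decision(False, "device not in managed inventory")
    elif resource is None:
        decision = Decision(False, "unknown resource")
    elif user["role"] != resource.required_role:
        decision = Decision(False, f"role {user['role']} not permitted")
    elif device.segment not in resource.allowed_segments:
        decision = Decision(False, f"segment {device.segment} not permitted")
    elif resource.require_patched and not device.patched:
        decision = Decision(False, "device fails health check (unpatched)")
    else:
        decision = Decision(True, "all checks passed")

    # Every decision, allow or deny, goes to the audit trail.
    decision.record = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": req.user, "device": req.device_id, "resource": req.resource,
        "allowed": decision.allowed, "reason": decision.reason,
    }
    AUDIT_LOG.append(decision.record)
    return decision


# Constructed request stream: one legitimate session, then four that a
# perimeter model would have waved through because they are "inside".
SAMPLE_REQUESTS = [
    Request("nurse01", True, "ws-icu-07", "ehr-api"),
    Request("nurse01", True, "unknown-mac-3f", "ehr-api"),       # stolen creds, rogue device
    Request("admin01", True, "lap-it-12", "jump-host"),          # right role, unpatched laptop
    Request("vendor01", False, "ws-icu-07", "infusion-pump-ctl"),  # never authenticated
    Request("admin01", True, "ws-icu-07", "jump-host"),          # wrong segment for resource
]


def run_sample() -> List[Decision]:
    return [evaluate(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for d in run_sample():
        r = d.record
        print(f"{r['user']:>8} {r['device']:>15} -> {r['resource']:<18} "
              f"{'ALLOW' if d.allowed else 'DENY':5} {d.reason}")
```

The ordering of checks is a design choice: identity and device posture are evaluated before the resource policy so that a request from an unmanaged device is rejected with the same reason regardless of which resource it targets, which keeps the audit log easy to query for rogue devices.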
The future of networking and security looks like apps in the cloud, which means strong authentication must begin now.
The feasibility of zero trust will boil down to leadership, Touhill explained. Board members and C-level leadership must commit to solving the problem. While costly, the shift to a zero trust model will save organizations resources and money over time.
Reports show that the healthcare sector has spent more than $160 million on ransomware recovery in the last four years.
"In healthcare, it's not going to happen overnight," Touhill stressed. But given the spate of targeted cyberattacks on healthcare and COVID-19 data, the process needs to start as soon as possible. There are tools that can support the process, including a software-defined perimeter and single packet authorization, which complements a software-defined perimeter by requiring a cryptographically authenticated packet before a service will even accept a connection, "kind of like a hall pass."
Access control policy enforcement will be crucial as well. But healthcare is currently just doing blocking and tackling. With threat actors like Cozy Bear, which are known for doing more than espionage, the need for zero trust is paramount.
"The same threat actors who bricked the Ukrainian power grid are able to use the same tactics and procedures to brick medical devices," said Touhill. More and more people are wearing Wi-Fi-enabled devices, and this same zero trust concept can be employed to protect that technology and all devices not originally created to be connected to the internet.
"We're getting to a place where technology is more adaptable and more affordable," said Cunningham. To move toward this model, it requires a commitment from leadership saying, "here's how we're going to approach this thing."
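The "hall pass" Touhill refers to above, single packet authorization (SPA), is easiest to understand as a protocol exchange. The following is an added example written for this page, not code from the article or from any software-defined perimeter product: a toy gateway keeps its service ports closed to everyone, a client sends one HMAC-authenticated datagram naming itself and the port it wants, and the gateway opens that port for that client only after it has verified the MAC, checked the timestamp against a freshness window, and confirmed the nonce has not been seen before. The packet layout, field names, shared-key table and replay window are this example's own assumptions, and the exchange is simulated in memory rather than over sockets.

```python
"""Added example (not from the article or any SDP product): a toy single
packet authorization (SPA) exchange. Default posture is "closed": nothing
can connect until a valid SPA packet for that client and port has been
accepted. Keys, packet format and window size are constructed for this
example; no network I/O is performed."""

import hashlib
import hmac
import json
import os
from typing import Dict, List, Optional, Set, Tuple

# Constructed shared-key table; in practice keys are provisioned per device.
SHARED_KEYS: Dict[str, bytes] = {
    "ws-icu-07": hashlib.sha256(b"example-key-ws-icu-07").digest(),
}
WINDOW_SECONDS = 30   # how old a packet may be before it is rejected


def build_spa_packet(client_id: str, key: bytes, port: int, now: float,
                     nonce: Optional[bytes] = None) -> bytes:
    """Client side: serialise {client, nonce, port, ts} canonically and
    append an HMAC-SHA256 over exactly those bytes."""
    body = {
        "client": client_id,
        "port": port,
        "ts": int(now),
        "nonce": (nonce if nonce is not None else os.urandom(16)).hex(),
    }
    payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    mac = hmac.new(key, payload, hashlib.sha256).hexdigest().encode()
    return payload + b"|" + mac


class SpaGateway:
    """Gateway side: verify, then open the requested port for that client."""

    def __init__(self, keys: Dict[str, bytes], window: int = WINDOW_SECONDS):
        self.keys = keys
        self.window = window
        self.seen_nonces: Set[str] = set()
        self.open_ports: Set[Tuple[str, int]] = set()
        self.log: List[Tuple[bool, str]] = []

    def _result(self, ok: bool, reason: str) -> Tuple[bool, str]:
        self.log.append((ok, reason))   # every attempt is recorded
        return ok, reason

    def is_open(self, client_id: str, port: int) -> bool:
        return (client_id, port) in self.open_ports

    def receive(self, packet: bytes, now: float) -> Tuple[bool, str]:
        try:
            payload, mac_hex = packet.rsplit(b"|", 1)
            body = json.loads(payload)
            client, port = body["client"], int(body["port"])
            ts, nonce = int(body["ts"]), body["nonce"]
        except (ValueError, KeyError, TypeError):
            return self._result(False, "malformed packet")

        key = self.keys.get(client)
        if key is None:
            return self._result(False, "unknown client")

        # Authenticate before anything else, in constant time.
        expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac_hex.decode(errors="replace")):
            return self._result(False, "bad mac")
        # Freshness window limits how long a captured packet stays useful.
        if abs(now - ts) > self.window:
            return self._result(False, "stale packet")
        # Nonce set rejects an exact replay inside the window.
        if nonce in self.seen_nonces:
            return self._result(False, "replayed packet")

        self.seen_nonces.add(nonce)
        self.open_ports.add((client, port))
        return self._result(True, f"port {port} opened for {client}")


def run_demo() -> Dict[str, object]:
    """Constructed exchange: a valid packet, then a replay, a tampered
    copy, a stale packet and an unknown client."""
    gw = SpaGateway(SHARED_KEYS)
    now = 1_700_000_000.0
    key = SHARED_KEYS["ws-icu-07"]
    good = build_spa_packet("ws-icu-07", key, 22, now, nonce=bytes(16))  # fixed nonce for reproducibility
    out: Dict[str, object] = {}
    out["closed_before_spa"] = gw.is_open("ws-icu-07", 22)
    out["valid"] = gw.receive(good, now + 2)
    out["open_after_spa"] = gw.is_open("ws-icu-07", 22)
    out["replay"] = gw.receive(good, now + 5)
    out["tampered"] = gw.receive(good.replace(b'"port":22', b'"port":3389'), now + 2)
    out["stale"] = gw.receive(build_spa_packet("ws-icu-07", key, 22, now - 120), now)
    out["unknown"] = gw.receive(build_spa_packet("rogue", b"guessed-key", 22, now), now)
    return out


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name:>18}: {result}")
```

The freshness window and the nonce set work together: the window bounds how many nonces the gateway must remember, and the nonce set closes the replay gap that the window alone leaves open. A real deployment would also bind the packet to the source address and expire the opened port after a short time, neither of which this toy does.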
Read the original:
How Zero Trust in Healthcare Can Keep Pace with the Threat Landscape - HealthITSecurity.com