
58% of Healthcare Organizations Have Implemented Zero-Trust Initiatives

There has been a marked increase in the number of healthcare organizations that have implemented zero trust initiatives, according to the 2022 State of Zero Trust Security report from Okta. In 2022, 58% of surveyed organizations said they had implemented or had started implementing zero trust initiatives, up 21 percentage points from 37% the previous year. Further, 96% of all healthcare respondents said they either had implemented or were planning to implement zero trust within the next 12 to 18 months, up from 91% the previous year.

The traditional approach to security trusts devices and applications inside the network perimeter because they sit behind perimeter defenses; that approach does not work well in the cloud, where there is no perimeter to defend. The philosophy of zero trust is “never trust, always verify”. Zero trust assumes that every device and account could be malicious, regardless of whether it is inside or outside the network perimeter. With zero trust, all devices, accounts, applications, and connections are subject to robust authentication checks, the principle of least privilege is enforced, and there is comprehensive security monitoring.

“Zero Trust is a solid guiding principle, but getting there is a complex proposition, requiring multiple deeply integrated best-of-breed solutions working seamlessly together,” explained Okta in the report. “Every company has a different starting situation, different resources, and different priorities, leading to unique journeys to reach the same destination—true Zero Trust security.”

Zero Trust Adoption in Healthcare

The number of medical and IoT devices, applications, and cloud-based resources has grown significantly, which has expanded the attack surface and made it much harder for security teams to defend against cyberattacks using traditional security approaches. Zero trust offers a solution, and the majority of healthcare organizations that have not yet implemented zero trust initiatives say they have a plan in place to implement zero trust within the next 6 to 12 months.


98% of healthcare respondents said identity plays a meaningful role in their zero trust strategy, with 72% rating it important and 27% rating it critical. The most pressing projects were extending Single Sign-on (SSO) for employees and securing access to APIs. Currently, only 6% of healthcare respondents said they have context-based access policies in place, but 40% said they will be rolling these out within the next 12 to 18 months, and all healthcare respondents plan to extend SSO, MFA, or both to SaaS apps, internal apps, and servers in the coming 12 to 18 months.

The most critical factors for controlling and improving access to internal resources were device trust, geographic location, and trusted IP address, followed by time-of-day or working-hours-based access, and whether the resource being accessed is highly sensitive. Healthcare organizations are also transitioning away from password-based authentication. Password use fell from 94% of healthcare organizations in 2021 to 85% in 2022, while push authentication adoption increased from 16% in 2021 to more than 40% in 2022.
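As an added example (not from the Okta report or HIPAA Journal), the following Python sketch shows how a context-based access policy can combine the factors listed above into an allow, step-up (require MFA), or deny decision. The trusted network ranges, allowed countries, working hours, and sensitive resource names are constructed assumptions, not values from the report.

```python
from dataclasses import dataclass
from datetime import datetime, time
import ipaddress

# Constructed policy data (assumptions for illustration only).
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                    ipaddress.ip_network("203.0.113.0/24")]
ALLOWED_COUNTRIES = {"US"}
WORKING_HOURS = (time(7, 0), time(19, 0))
SENSITIVE_RESOURCES = {"ehr", "billing"}


@dataclass
class AccessContext:
    """Signals gathered at request time from the identity provider and device posture."""
    user: str
    resource: str
    device_trusted: bool   # managed, compliant device attested by MDM/EDR
    country: str           # geolocation of the request
    source_ip: str
    when: datetime
    mfa_passed: bool = False


def evaluate(ctx: AccessContext) -> tuple[str, list[str]]:
    """Return (decision, reasons): 'allow', 'step_up' (MFA required) or 'deny'."""
    # Hard stops: unmanaged device or disallowed geography are denied outright.
    if not ctx.device_trusted:
        return "deny", ["device not trusted"]
    if ctx.country not in ALLOWED_COUNTRIES:
        return "deny", [f"location {ctx.country} not allowed"]

    # Soft signals: each one raises the bar to step-up authentication.
    reasons = []
    ip = ipaddress.ip_address(ctx.source_ip)
    if not any(ip in net for net in TRUSTED_NETWORKS):
        reasons.append("untrusted network")
    start, end = WORKING_HOURS
    if not (start <= ctx.when.time() <= end):
        reasons.append("outside working hours")
    if ctx.resource in SENSITIVE_RESOURCES:
        reasons.append("sensitive resource")

    if reasons and not ctx.mfa_passed:
        return "step_up", reasons
    return "allow", reasons
```

The reasons list is what a security operations team would log alongside the decision, so that step-up and deny events can be reviewed and the policy tuned.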

“Adoption of a Zero Trust framework provides a methodology that makes it easier for organizations to continually assess their security posture and the relative maturity of their model, and pinpoint the right security solutions to accelerate their progress at every phase of their journeys,” explained Okta. However, healthcare organizations face challenges, the biggest of which is the current talent and skill shortage. “In light of the talent/skill shortage faced around the world, organizations need to find solutions that help them progress along their Zero Trust journeys without creating the need for additional budgets, headcount, or training resources,” suggested Okta. “They need to find solutions that integrate with their existing security ecosystems to extract the most value.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.