HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Health-ISAC Publishes Guidance for CISOs on Implementing Zero Trust Security Architectures

Health-ISAC has published a white paper for healthcare CISOs looking to implement zero trust security architectures to help them overcome some of the challenges commonly faced by healthcare organizations.

The traditional security approach is akin to a castle and moat, where perimeter defenses are established to keep unauthorized individuals out. While this security approach has served organizations well in the past, it is not effective in the cloud where there is no perimeter to defend. Further, the threat landscape is rapidly changing, and malicious actors are successfully breaching perimeter defenses with increasing frequency. Once the perimeter defenses are breached, threat actors can move laterally within networks undetected and are free to perform a wide range of malicious activities.

A zero trust security approach continues to provide protection should a malicious actor gain access to internal networks. It makes lateral movement much more difficult and can greatly reduce the harm that can be caused. Zero trust means never trust, always verify. All traffic between devices and systems is untrusted and requires authentication, authorization, and continuous monitoring.

With zero trust there is no single cybersecurity solution to implement. “Implementing a zero trust architecture is not as simple as going to one vendor and picking a solution off the shelf. There are several components that need to be integrated together to create a holistic zero trust architecture,” explains Health-ISAC in the guidance. Those components include identity and access management, a cloud security gateway, data security, network security, workload and application security, and device security.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Following President Biden’s 2021 Executive Order, federal agencies have been implementing zero trust strategies, but zero trust is not easy to implement and it can be particularly challenging for healthcare organizations.  Two of the biggest challenges in healthcare come from the widespread use of IoT-enabled devices.

IoT-enabled devices include defibrillators, nebulizers, oxygen pumps, and patient monitors, which transfer data from patients to workstations for monitoring. These devices all need to be given a unique identity, an accurate and up-to-date inventory of the devices must be maintained, and the devices must be configured to communicate through encrypted channels.

Secondly, in healthcare, employees are often on the move and access devices in multiple locations, and often carry portable devices to perform documentation. Implementing the fine-grained authorization and multifactor authentication that are necessary for zero trust can be a huge challenge and may require additional components and configuration changes.

To help healthcare organizations overcome the zero trust security challenges, Health-ISAC recently published a white paper that serves as a guide for healthcare CISOs on how to implement zero trust architectures.

The guidance explains what zero trust security means and explains how zero trust involves an identity-centric approach to cybersecurity involving granular authorization and prioritizes multi-factor authentication, the principle of least privilege, with all subjects, assets, and workflows requiring specific authentication and authorization.

The new guidance document builds on the advice published by Health-ISAC in 2020 – An H-ISAC Framework for CISOs to Manage Identity – and applies zero trust principles for securing all communications, monitoring the integrity and security of assets, granting access on a per session basis, creating policy-based authorization based on contextual information, and adding devices to the target system and resources. The guidance details the steps that healthcare CISOs need to take to start implementing zero trust infrastructures.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.