Why the healthcare cloud may require a zero trust architecture

One of the most pressing health information technology issues today is the challenge of securing organizations that operate in the cloud.

Healthcare provider organizations are increasingly turning to the cloud to store sensitive data and safeguard confidential assets, as it saves them money on infrastructure and IT operations.

In fact, research shows that the healthcare cloud computing market is expected to grow by $33.49 billion between 2021 and 2025, registering a compound annual growth rate of 23.18%.

For many healthcare professionals, the move to cloud computing seems inevitable. But it also brings security risks unique to the age of ransomware. Indeed, the move to the cloud does not shield organizations from risk.

More than a third of healthcare facilities were affected by a ransomware attack in 2020, and the healthcare industry remains a prime target for cybercriminals due to the wealth of sensitive information it stores.

Healthcare IT News spoke with PJ Kirner, CTO at Illumio, a cybersecurity company, to discuss securing a cloud environment in healthcare and how the zero-trust security model can be key.

Q. Healthcare provider organizations are increasingly turning to the cloud. It’s clear. What security challenges does the cloud pose for healthcare provider organizations?

A. While the growth of the cloud for healthcare has some benefits – for example, more information sharing, lower costs, and faster innovation – the proliferation of multi-cloud and hybrid cloud environments has also made securing the cloud more difficult for healthcare providers in multiple ways. And things are likely to remain complicated.

Unlike businesses that can migrate entirely to the cloud, healthcare facilities with physical addresses and physical equipment – such as hospital beds, medical devices – will remain permanently hybrid.

While the move to hybrid may seem like a transitional state for some organizations, most healthcare organizations will find that they must continually adapt to a permanent hybrid state – and all the evolving security risks that accompany it.

In a cloud environment, it is often difficult to see and detect security risks before they become problems. Hybrid multicloud environments contain blind spots between types of infrastructure that allow vulnerabilities to infiltrate, potentially exposing an organization to external threats.

Healthcare providers who share sensitive data with third-party organizations in the cloud, for example, can also be affected if their partner suffers a breach. Additionally, these heterogeneous environments also involve more stakeholders who can influence how a business operates in the cloud.

Since these stakeholders may be in different silos depending on their specialties and organizational needs (for example, the expertise needed for Azure is not the same as the expertise needed for AWS), this makes infrastructure even more difficult to protect.

If you’re a healthcare provider, you deal with sensitive information on a daily basis, such as personally identifiable information and health records, all of which are prime real estate for bad actors hoping to turn a profit.

These high-value assets often live in data centers or cloud environments, which an attacker can access once they have crossed the perimeter of an environment. For this reason, as more healthcare organizations migrate to the cloud, we will also see more and more attackers taking advantage of the loopholes and vulnerabilities inherent in this complex environment to access sensitive data.

Q. When it comes to securing healthcare facilities in the cloud, you say adopting a zero-trust architecture – an approach that assumes a breach and verifies every connection – is vital. Why?

A. We live in an age where cyber attacks are a given, not a hypothetical inconvenience. To embrace zero trust, security teams must first change their perception of cybersecurity; it’s not just about keeping attackers out, it’s also about knowing what to do once they are in your system. Once security teams adopt a “take responsibility for a breach” mindset, they can begin their zero trust journey in meaningful ways.

Zero trust policies enforce least privilege access controls, providing only the information and access that a user needs. This makes it considerably more difficult for an attacker to reach his target in any attempt to breach.

In practice, this means that ransomware cannot spread once it enters a system, because by default it does not have the access it needs to get far beyond the initial point of entry.

Visibility is another crucial element of a zero trust architecture. As I mentioned, it’s hard to see everything in a cloud environment and spot risks before they happen. Weak spots in an organization’s security posture often show up in gaps between types of infrastructure, such as between cloud and data center, or between one cloud service provider and another.

With enhanced visibility – for example, visibility that spans your hybrid, multi-cloud, and data center environments – however, organizations are able to identify niche risks at the edge of environments where different applications and workloads interact, which gives them a more holistic view of any activity.

This information is vital for cyber resilience and for the success of a zero trust strategy. Only with better information can we better manage and mitigate risk.

In a year when more than 40 million patient records have already been compromised by attacks, it is more imperative than ever for healthcare facilities to conduct accurate assessments of the integrity of their security posture.

We will see more and more healthcare organizations take advantage of the zero trust architecture as the new year approaches and reflect on how the cybersecurity landscape has changed in 2021.

Q. Zero trust strategies have gained traction over the past year, especially in tandem with the Biden administration’s federal seal of approval. From your perspective, what do you think it will take for more CISOs and CIOs in the healthcare sector to become zero trust?

A. While awareness and emphasis on zero trust strategies has grown over the past year, organizations still have a long way to go to implement their strategies. By 2020, only 19% of organizations had fully implemented a least privilege model, although nearly half of IT managers surveyed believed zero trust was essential to their organizational security model.

Unfortunately, a ransomware attack is often the red flag that ultimately prompts CISOs and CIOs to rethink their security model and adopt a zero trust architecture. We have seen an upsurge in cyber attacks on hospitals during the pandemic, threatening patient data.

By leveraging zero-trust solutions for breach containment, healthcare facilities can mitigate the impact of a breach, so that an attacker cannot access patient data even if they initially manage to breach the system.

Healthcare teams are starting to understand that proactive cybersecurity is key to avoiding outcomes that can be even worse than compromised data: If a hospital system is hit by a ransomware attack and needs to shut down, they are forced to refuse patients, neglecting health care needs.

Healthcare CISOs and CIOs are starting to realize that the traditional security measures they’ve put in place – just perimeter detection and protection – are not enough to make them resilient to a cyber attack.

Even if you haven’t been breached yet, you see attacks having a serious impact on other hospital systems and realize that it could happen to you, too.

Healthcare CISOs and CIOs who recognize the limitations of a legacy security model against today’s ransomware threats will understand the need to adopt a strategy that assumes a breach and can isolate attacks, which is the essence of the zero trust philosophy.

Twitter: @SiwickiHealthIT
Healthcare IT News is a publication of HIMSS Media.