Ransomware attacks have skyrocketed during the pandemic. The health care sector has been particularly hit hard as telemedicine and remote work introduced new attack vectors, and economic setbacks led to furloughed cybersecurity staff. Unfortunately, advanced cyberattacks like ransomware can have serious consequences for a hospital, ranging from canceled medical procedures, rerouting of patients, complications from delayed care and even death.
At Dayton Children’s Hospital, we believe the zero-trust framework is the right approach to defend connected assets, protect identities and safeguard resources against malicious activity such as ransomware. According to Gartner, interest in zero-trust grew more than 230% in 2020, and the market is expected to reach over $22 billion this year.
One of the biggest obstacles to zero-trust adoption is the misconception about what a zero-trust architecture means and viewing it as an “all or nothing” proposition. Many cybersecurity/IT professionals do not know where to start, which leaves many organizations extremely vulnerable. At Dayton Children’s, we have learned a lot from our zero-trust journey that other health care organizations (and other non-health care organizations) can benefit from—reduced risk, protection against network breaches and a more consistent and robust security process.
Understanding Zero-Trust Principles
Cybercriminals use malware to exploit vulnerabilities in IT infrastructure and medical devices to access patient information, steal identities or compromise the devices themselves, endangering patients. To prevent malicious activity, zero-trust is an inversion of the old “trust and verify” concept into “don’t trust, always verify.” Instead of allowing unfettered access, a zero-trust approach to security provides least-privilege access to resources only after validating a user’s and a device’s identity. With zero-trust principles, security teams need to not only verify a user’s identity to grant least-privilege access to the appropriate resources, but also continuously monitor this access. Strong identity and access management processes are essential to ensuring user identities and assets are not compromised in any way.
These same principles can also be extended to unmanaged devices including IoT, IoMT and OT. In a health care organization, medical IoT devices are critical to patient care, but so are video cameras and HVAC systems that play a role in health care operations. A zero-trust architecture prevents any new connected device from connecting to a network until it’s verified and granted access. Zero-trust operates under the assumption that no device can be trusted, and leverages least-privilege access, behavioral analytics and network microsegmentation to reduce the risk of permitting unauthorized access that can open the gate for ransomware.
Here are some key considerations for getting started with a zero-trust architecture:
- Leadership support: While people naturally think of the technical requirements first, the most important (and often overlooked) prerequisite to building zero-trust is support from the top. Projects this impactful and resource-consuming will not be successful without an adequate budget, planning and leadership support.
- Education on zero-trust: Ensure the team members involved (network, cybersecurity, etc.) are educated on zero-trust—what it is, how to implement it and how to manage it. This education requires further planning, budgeting and dedication from the leadership team.
- Technology requirements: Verify that your current technology supports a zero-trust architecture (ZTA). If your organization is running on older technology or doesn’t have the technology in-house to create and enforce policies, those purchases will need to occur before you can implement ZTA.
- Visibility into devices and flows: Comprehensive visibility is critical to zero-trust. This includes not only real-time classification of all devices connected to your network but also mapping of communication flows. By baselining what is normal, you can ensure devices are communicating with the right systems and more easily surface anomalous behavior.
- Identity and access management: Monitoring and protecting user and asset identities and credentials is essential to ensuring they have not been compromised in any way. Organizations must verify the user and device to grant access to the appropriate resources. This process can take various forms, especially if it’s happening outside of the traditional network perimeter. In hospitals, for example, medical staff can tap RFID badges to gain access to restricted areas or substances, then receive a notification and confirm their identity on a mobile device.
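The two considerations that lend themselves most directly to code are the device-verification rule (no device communicates until it is inventoried and verified) and flow baselining (learn what normal communication looks like, then surface anything outside it). The example below is added here and is not part of the original article or of any Dayton Children's tooling; the device ids, hostnames and flow records are constructed, and the whole thing is a simplified illustration of the logic rather than a product feature.

```python
from collections import defaultdict

# Constructed sample inventory (hypothetical device ids): id -> (device class, verified?)
# "verified" means the device passed onboarding/identity checks; anything not in the
# inventory, or not yet verified, is treated as untrusted.
INVENTORY = {
    "pump-01": ("infusion_pump", True),
    "pump-02": ("infusion_pump", True),
    "pump-03": ("infusion_pump", False),   # discovered on the network, not yet onboarded
    "cam-07": ("ip_camera", True),
    "hvac-03": ("hvac_controller", True),
}

# Constructed baseline flows observed during the learning period:
# (source device id, destination host, destination port, protocol)
BASELINE_FLOWS = [
    ("pump-01", "pump-server.internal", 443, "tcp"),
    ("pump-02", "pump-server.internal", 443, "tcp"),
    ("pump-01", "ntp.internal", 123, "udp"),
    ("cam-07", "nvr.internal", 554, "tcp"),
    ("hvac-03", "bms.internal", 47808, "udp"),   # BACnet/IP building management
]


def build_baseline(flows, inventory):
    """Learn the set of (destination, port, protocol) tuples used by each device class.

    Keying on device class rather than individual device lets one infusion pump's
    normal traffic stand in for its peers, so a newly onboarded unit of a known type
    starts with a usable baseline. Flows from unknown or unverified devices are never
    learned, otherwise an attacker's device could teach the baseline its own traffic.
    """
    baseline = defaultdict(set)
    for src, dst, port, proto in flows:
        entry = inventory.get(src)
        if entry is None or not entry[1]:
            continue
        baseline[entry[0]].add((dst, port, proto))
    return dict(baseline)


def evaluate_flow(flow, inventory, baseline):
    """Classify one flow as deny-unverified, allow, or anomaly."""
    src, dst, port, proto = flow
    entry = inventory.get(src)
    if entry is None or not entry[1]:
        # Zero-trust default: unknown or unverified devices get nothing.
        return "deny-unverified"
    device_class = entry[0]
    if (dst, port, proto) in baseline.get(device_class, set()):
        return "allow"
    # Known, verified device talking somewhere its class never talks: review it.
    return "anomaly"


def triage(flows, inventory, baseline):
    """Group flows by verdict so the security team can review anomalies and denials."""
    verdicts = {"allow": [], "anomaly": [], "deny-unverified": []}
    for flow in flows:
        verdicts[evaluate_flow(flow, inventory, baseline)].append(flow)
    return verdicts


# Constructed flows seen after the baseline was learned.
NEW_FLOWS = [
    ("pump-02", "ntp.internal", 123, "udp"),            # a peer pump already does this
    ("pump-02", "fileserver.internal", 445, "tcp"),     # SMB from a pump: worth a look
    ("pump-03", "pump-server.internal", 443, "tcp"),    # device not yet verified
    ("00:11:22:aa:bb:cc", "nvr.internal", 554, "tcp"),  # never inventoried
    ("cam-07", "nvr.internal", 554, "tcp"),
]

if __name__ == "__main__":
    base = build_baseline(BASELINE_FLOWS, INVENTORY)
    for verdict, flows in triage(NEW_FLOWS, INVENTORY, base).items():
        for src, dst, port, proto in flows:
            print(f"{verdict:16} {src} -> {dst}:{port}/{proto}")
```

Two design points carry over to a real deployment: the baseline is only learned from devices that have already passed verification, and an "anomaly" verdict is a signal for human review, not an automatic block, since a missing flow in the learning period (a quarterly software update, say) must not take a pump offline.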
It’s Not ‘All-or-Nothing’
Getting started with zero-trust can feel a bit overwhelming. But remember that it’s not an “all or nothing” proposition. Health care security organizations can begin with the most important assets first, then re-prioritize based on their progress and evolving risks.
At Dayton Children’s Hospital, our zero-trust initiatives began with asset discovery. To be able to protect the network, we needed a full inventory of everything connected to it. As a hospital, we handle a significant amount of confidential protected health information (PHI), and we need to know where it exists within our network so we can secure it. We used a purpose-built connected device security platform to automate and accelerate the asset discovery process, identify devices with risks, and baseline device behavior.
Once we understood what assets were on the network, including their behavioral patterns and where PHI lived, we moved quickly to assessing risk by defining criteria to prioritize which assets to protect with a zero-trust policy:
- If compromised, does this device or system impact patient safety?
- Can we run security software on this device?
- Does the device pose a high risk for an attack?
Devices and systems that fit the criteria above moved to the top of our list. By determining which devices and systems were most vulnerable and posed the greatest risk, we were able to implement zero-trust incrementally and forge a viable path to rolling out the policies across our infrastructure.
Winning the Fight against Ransomware with Zero-Trust
Since implementing a zero-trust architecture, we’ve been able to thwart attempted business email compromise attacks, detect and deny illegitimate ERP access attempts, and quarantine compromised devices to quickly mitigate threats and stop lateral movement. While ransomware isn’t going away—and hospitals will always be among the organizations most vulnerable to an attack—implementing zero-trust policies on our most critical devices and assets has enabled us to strengthen the security posture of Dayton Children’s Hospital’s infrastructure to better protect the organization and the patient population we serve.