How Zero Trust Strengthens Healthcare Data Security

February 1, 2022

Healthcare organizations already need to meet strict compliance requirements under the Health Insurance Portability and Accountability Act (HIPAA). However, as more health systems adopt medical Internet of Things (IoT) devices and wireless operations, HIPAA’s Security Rule no longer sets the minimum baselines for protecting data. A zero trust approach strengthens a healthcare organization’s security posture and puts more robust controls in place to protect these new enabling technologies. 

What Does Zero Trust in Healthcare Look Like?

In a world where providing the best patient care also includes caring for data, healthcare organizations need to move away from the “trust but verify” security model. Today, they need to assume that every user, network, system, device, and piece of data has already been breached. A zero-trust security model requires continuous user and device authorization and authentication before allowing them to connect to the organization’s network. 

Generally speaking, healthcare organizations need to ensure that they protect all ePHI by applying zero trust security to:

  • Devices
  • Networks
  • Data
  • Workloads
  • Users

This becomes increasingly difficult as health information no longer resides in traditional systems but across multiple types of connected devices and locations. 

Safeguarding Your Healthcare Organization’s Data with a Zero Trust Approach

The proliferation of devices makes this process challenging as many lack the authorization and authentication capabilities necessary for zero trust. For example, the new types of devices that might be connecting to a healthcare organization’s networks can include:

  • Home caretakers
  • Wearables
  • Health apps
  • Diabetic devices
  • Smart wheelchairs
  • Smart belts
  • Patient monitoring systems

While medical IoT enables better patient health outcomes, these devices also lack standardized security controls built into the traditional electronic medical record (EMR) systems. 

Additionally, healthcare organizations now share ePHI with different professionals outside their networks as well, including:

  • Home caretakers
  • Diagnostic labs
  • Specialists

As more users and devices need access to the data, the security risks increase. For example, in May 2021, the Federal Bureau of Investigation (FBI) released a warning that the Conti ransomware was targeting healthcare and first responder networks, noting that 16 attacks had impacted more than 400 organizations worldwide.  

Staying HIPAA Compliant with Zero Trust

HIPAA compliance is usually top of mind for healthcare organizations as violations can lead to fines or even jail time. 

With zero trust, providers and hospitals can put more robust controls in place that also enable them to meet the Security Rule and Privacy Rule requirements more effectively. 

Security Rule and Zero Trust

The general requirements under the security rule include establishing and maintaining reasonable and appropriate safeguards that:

  • Ensure ePHI confidentiality, integrity, and availability
  • Identify and protect against reasonably anticipated threats
  • Protect against reasonably anticipated, impermissible uses or disclosures
  • Ensure workforce education and compliance

Two primary technical safeguards that zero trust enables are access control and transmission security. While access controls are challenging, transmission security is even more difficult. With new devices and users sharing ePHI, the risks of malware and ransomware increase exponentially. 

Privacy Rule and Zero Trust

While the Security Rule offers a clearly defined set of goals, the Privacy Rule is a bit more distributed. Fundamentally, the Privacy Rule works by limiting who across an organization can access, edit, and view ePHI. 

The Privacy Rule focuses on permitted uses and disclosures, but it fails to offer the same types of defined safeguards as the Security Rule. However, it’s important to remember that under the Privacy Rule, covered entities are permitted to use and disclose ePHI for limited purposes including:

  • Giving patients access
  • Enabling treatment, payment, and health care operations, 
  • Supporting permitted uses and disclosures
  • Ensuring public interest and benefit
  • Providing limited data sets for research, public health, or health care operations

However, as part of a robust zero trust strategy, providers, hospitals, and business associates also need to ensure that they mitigate the risks associated with double-extortion ransomware attacks that can lead to disclosures outside the permitted types. 

The Other Benefits of Zero Trust in Healthcare

With ePHI at the core of HIPAA compliance and mitigating risk, using a data-centric or content-centric zero trust strategy provides value for all healthcare organizations. 

Data-Centric Security

Zero trust is data-centric, meaning that it focuses on healthcare organizations transmitting data across locations and devices. Recognizing that traditional perimeters no longer exist, zero trust enhances security by shifting to user and device security. 

However, a truly data-centric zero trust strategy needs to assume that files are also compromised. Malware and ransomware use file elements to hide malicious code. When users access a malicious site or download a compromised document, they execute the malicious code. Data-centric zero trust strategies secure file transfers by only allowing safe file elements to transfer across systems and networks.

Increased Visibility

With zero trust, healthcare organizations gain greater visibility through network segmentation, giving them better control over the users and devices connecting to their networks. With less access to each segment, they can gain greater visibility into which networks have risky access and users may be compromised. 

Additionally, all devices need to maintain secure configurations as part of the continuous authentication and authorization process. Healthcare organizations using medical IoT devices and mobile devices need to take a data-centric approach that assumes all files have already been compromised since these devices may not be manageable with traditional endpoint security technologies. 

Although the first step should always be to validate device security prior to granting network access, this may not work for mobile or IoT devices. A zero trust data security model gives healthcare organizations a way to ensure that only safe files transfer between these devices and their systems. The additional file security layer that a zero trust data security model offers enhances security for some of the most difficult to manage devices

Workload-First

Zero trust models set security policies at the workload level, often using next-generation firewalls (NGFW) that place protections closer to the applications. Normally, organizations use NGFW to microsegment their applications, mitigating the risks associated with lateral movement across networks. While these policy enforcements focus on network traffic, they fail to consider the files themselves. 

Applications share data and files so that people can collaborate. In healthcare, a lab might upload data to a web portal then share that data with a provider. However, that web portal and the file can be compromised by malware. With a zero trust data security model, healthcare organizations ensure that only clean files transfer between the applications, minimizing privacy, security, and compliance risks. 

Identity-Aware

Being identity-aware means limiting user and device access according to the principle of least privilege. Most organizations augment their microsegmentation strategies with software-defined wide-area networking (SD-WAN) and secure access service edge (SASE). These enable healthcare organizations to control who and what access files, but they lack the ability to support file security. 

Using a file security solution supplements zero trust by focusing on an area of security that identity and access management alone fail to protect. By supplementing the identity-aware architecture with zero trust data security solutions, healthcare organizations limit the risk that authorized and authenticated users and devices will transfer malware to systems and networks with compromised files. 

Automation

Automation is fundamental to ensuring appropriate user and device access. From setting access controls to validating secure device configurations, zero trust relies on leveraging automation to protect data. 

Ensuring appropriate file security as part of zero trust should also incorporate the appropriate technologies. Device security relies on preventing compromised files from undermining the other security controls that healthcare organizations have in place. By incorporating zero trust data security automation into the overarching strategy, organizations augment their other technologies, adding another layer of protection and reducing security gaps

How Votiro Can Help Your Healthcare Organization Take the First Step

Votiro Cloud’s content disarm and reconstruction technology gives healthcare organizations a way to establish additional layers of defense that enable their zero trust strategies. Our technology searches for the safe file content elements that are known-safe and belong, rather than taking a signature-based approach that scans for known suspicious elements. With our SaaS-delivered solution, healthcare organizations can ensure safe file transfers without requiring users to download and install an agent. 

Our API-centric solution can be integrated easily into existing services, applications, and processes. We scan for the safe elements in a file as it is transferred, helping protect against malware that could be delivered through content delivered to even mobile or IoT devices. With Votiro, healthcare organizations can reduce ransomware and malware attacks that target their ePHI, helping mitigate data breaches, privacy, and compliance risks. 


To learn more about implementing Votiro and securing your files, please schedule a demo today.