The Home of the Security Bloggers Network
Home » Security Boulevard (Original) » Zero-Trust for Health Care in the Age of Ransomware
Ransomware attacks have skyrocketed during the pandemic. The health care sector has been particularly hit hard as telemedicine and remote work introduced new attack vectors, and economic setbacks led to furloughed cybersecurity staff. Unfortunately, advanced cyberattacks like ransomware can have serious consequences for a hospital, ranging from canceled medical procedures, rerouting of patients, complications from delayed care and even death. 
At Dayton Children’s Hospital, we believe the zero-trust framework is the right approach to defend connected assets, protect identities and safeguard resources against malicious activity such as ransomware. According to Gartner, interest in zero-trust grew more than 230% in 2020, and the market is expected to reach over $22 billion this year.
One of the biggest obstacles to zero-trust adoption is the misconception about what a zero-trust architecture means and viewing it as an “all or nothing” proposition. Many cybersecurity/IT professionals do not know where to start, which leaves many organizations extremely vulnerable. At Dayton Children’s, we have learned a lot from our zero-trust journey that other health care organizations (and other non-health care organizations) can benefit from—reduced risk, protection against network breaches and a more consistent and robust security process.
Cybercriminals use malware to exploit vulnerabilities in IT infrastructure and medical devices to access patient information, steal identities or compromise the devices themselves, endangering patients. To prevent malicious activity, zero-trust is an inversion of the old “trust and verify” concept into “don’t trust, always verify.” Instead of allowing unfettered access, a zero-trust approach to security provides least-privilege access to resources only after validating a user’s and a device’s identity. With zero-trust principles, security teams need to not only verify a user’s identity to grant least-privilege access to the appropriate resources, but also continuously monitor this access. Strong identity and access management processes are essential to ensuring user identities and assets are not compromised in any way.
These same principles can also be extended to unmanaged devices including IoT, IoMT and OT. In a health care organization, medical IoT devices are critical to patient care, but so are video cameras and HVAC systems that play a role in health care operations. A zero-trust architecture prevents any new connected device from connecting to a network until it’s verified and granted access. Zero-trust operates under the assumption that no device can be trusted, and leverages least-privilege access, behavioral analytics and network microsegmentation to reduce the risk of permitting unauthorized access that can open the gate for ransomware. 
Here are some key considerations for getting started with a zero-trust architecture:  
Getting started with zero-trust can feel a bit overwhelming. But remember that it’s not an “all or nothing” proposition. Health care security organizations can begin with the most important assets first, then re-prioritize based on their progress and evolving risks.
At Dayton Children’s Hospital, our zero-trust initiatives began with asset discovery. To be able to protect the network, we needed a full inventory of everything connected to it. As a hospital, we deal with a significant amount of confidential PHI data, and we need to know where it exists within our network so we can secure it. We used a purpose-built connected device security platform to automate and accelerate the asset discovery process, identify devices with risks, and baseline device behavior.
Once we understood what assets were on the network, including their behavioral patterns and where protected health information (PHI) lived, we moved quickly to assessing risk by defining criteria to prioritize which assets to protect with a zero-trust policy:
  If compromised, does this device or system impact patient safety?
  Can we run security software on this device?
  Does the device pose a high risk for an attack?
Devices and systems that fit the criteria above moved to the top of our list. By determining which devices and systems were most vulnerable and posed the greatest risk, we were able to implement zero-trust incrementally and forge a viable path to rolling out the policies across our infrastructure.
Since implementing a zero-trust architecture, we’ve been able to thwart attempted business email compromise attacks, detect and deny illegitimate ERP access attempts and quarantine compromised devices to quickly mitigate threats and stop lateral movement of malicious attacks. While ransomware isn’t going away—and hospitals will always be among the organizations that are most vulnerable to an attack—implementing zero-trust policies on our most critical devices and assets has enabled us to strengthen the security posture of Dayton Children’s Hospital’s infrastructure to better protect the organization and the patient population we serve.
Christopher Kuhl is a Chief Information Security Officer (CISO) and Chief Technology Officer (CTO) at Dayton Children’s based in Dayton, Ohio where he has recruited and established an enterprise cybersecurity team for the past three years. With his dual CISO and CTO roles, he has written cybersecurity awareness courses, partnered in enterprise management risk functions, participated in vendor oversight committees and presented to board of directors on enterprise risks. Previously, Christopher was a cybersecurity architect at Premier Health Partners where he architected and implemented various security technologies. Chris is a big proponent of the Zero Trust architecture and has designed and implemented a Zero Trust architecture at Dayton Children’s Hospital and Premier Health Partners.
christopher-kuhl has 1 posts and counting.See all posts by christopher-kuhl

More Webinars
Security Boulevard Logo White