Zero Trust and NIST SP 800-207
The National Institute of Standards and Technology brought private and public partners together to discuss how to develop a framework to defend against attacks. On Aug. 11, 2020, NIST released “Special Publication (SP) 800-207: Zero Trust Architecture,” which discussed deployment models and recommended a roadmap for how to carry out a zero-trust architecture approach in an organization.
“NIST 800-207 is the base foundation if anyone wants to follow zero trust,” Raina says. “It’s not just for public or federal agencies, but also for private institutions.”
How the Zero-Trust Security Model Benefits Healthcare Organizations
Zero trust can help secure a healthcare ecosystem that includes multiple types of users such as doctors, nurses and lab technicians who require access to consoles and applications for various purposes, Raina says.
“In the healthcare environment, you have to deal with multiple personas and multiple levels of access to the same data,” Raina notes. “You have the supply chain of data that can sit either in your environment or in a third party, such as an electronic health record.”
Zero trust can help manage the scope of access to healthcare data in applications such as the EHR and billing systems, Raina says. Health systems can issue multifactor authentication challenges to physicians if the use of their credentials shows behavioral abnormalities inconsistent with their profiles or histories, he says.
The security framework also incorporates analytics and logging, which are important to healthcare when it comes to meeting HIPAA and HITRUST regulations, says Kistler. Healthcare organizations can monitor who is accessing data and whether they are writing to a file or accessing data as read-only, he says.
Zero trust can also enable faster access to lab results for health providers with more efficient, single authorization access if all the parties are using zero trust, Kistler says. Data transfer among labs, doctors and specialists can then happen in minutes rather than days or weeks with today’s application program interface integrations, he says.
More secure data transfer with zero trust also brings more efficient insurance authorizations and approval of coverage, Kistler says.
How Zero Trust Compares with Other Cybersecurity Strategies
Zero trust works with other cybersecurity strategies such as least privilege and cybersecurity mesh to provide a complete approach to authentication. Here is a comparison of zero trust and some other key security concepts.
Zero Trust vs. SASE
Secure Access Service Edge, or SASE (pronounced “sassy,” a term coined by Gartner), is the convergence of WAN and network security services into a single, cloud-delivered service model.
SASE allows applications to communicate between multiple systems and lets healthcare organizations access resources securely from the endpoint to the cloud, says Raina.
Zero trust differs from SASE because it focuses on granting access to authenticated users, while SASE also incorporates network and security services and grants access based on identity. Zero trust can be simpler to operate with narrower functionality, so more companies are choosing zero trust in the short term, according to CrowdStrike.
Zero Trust vs. Least Privilege
Zero trust enables healthcare organizations to enforce policies of least privilege, in which they grant the least amount of credentials necessary for the tasks required, Raina explains. For example, doctors would only have access to the health records necessary for a specific plan of care.
“Least privilege is, how do I give a user application access to what they need to do, but the minimum level of access for the minimum amount of time,” Raina says.
Zero trust expands on least privilege by adding conditional testing and repeated verifications, according to Kistler.
“Often, it adds just-in-time access right where you have to request access to a certain resource,” he says. “Then it’s granted, and then it’s taken away after two hours or 12 hours.”
Zero Trust vs. Perimeter Security
Raina describes perimeter security as an older concept referring to a legacy, on-premises network environment.
“Most organizations could not even tell you where the perimeter is,” Raina says. “There is no concept of the perimeter anymore in today’s modern environment.”
Zero trust expands beyond the old perimeter style with firewall layers to encompass a multilayer defense, according to Kistler. That includes strong authentication and conditional access rather than having a trusted side and an untrusted side where bad actors operate, per Palo Alto Networks.
“It broadens business enablement and allows us to provide more options to our IT staff and to our companies that want to connect securely,” Kistler says.
Zero Trust vs. Cybersecurity Mesh
Raina compares a cybersecurity mesh to having guards at a fixed checkpoint who can communicate with each other and who trust people to enter with the right credentials. Zero trust does not have requirements for fixed checkpoints and requires that security layers are assessed as necessary so that access can be granted in real time, he says.
“Cybersecurity mesh focuses on extending consistent security controls across widely distributed assets,” Kistler says. “And while that’s certainly a valuable thing to have, that really just meets one component of a full zero-trust architecture design.”
When it comes to zero trust in healthcare, turning to the cloud will be key, according to Raina.
“In the concept of zero trust and healthcare, really having a consolidated platform approach that’s cloud-native and understands the adversary goes a long way in executing zero trust more effectively, both from a security perspective and also from a cost and operations perspective,” Raina says.