The concept of zero trust has gained considerable interest and traction among cybersecurity professionals, and for good reason. As attack surfaces expand and attackers grow more inventive, the number and variety of cyber risks increases every day, so business and technical leaders cannot afford to take anything for granted.
The zero trust model rests on the assumption that an organization should trust nothing by default, whether it sits inside or outside the corporate network, and should instead verify the integrity, authenticity and appropriateness of anything attempting to reach an enterprise’s network or other IT resources.
Zero trust is now considered a strategic cybersecurity framework for just about any organization. But as healthcare organizations embrace the Internet of Things to connect medical devices and lab equipment in order to tap into a mother lode of potentially invaluable data, zero trust may be considered an imperative. With the number of healthcare IoT devices surging past the 100-million mark, the potential for serious harm when devices such as defibrillators and infusion pumps are compromised by malware grows every day. Of course, these risks are not limited to threats to patients’ health: There also are enormous compliance, legal, and governance challenges stemming from data breaches, theft of personally identifiable information, and service outages caused by cyberattacks on “thin” endpoints like blood gas analyzers and X-ray machines.
However, this is new territory for healthcare organizations, which have historically focused more on physical safety and security than on cybersecurity. “Most healthcare industry R&D goes into care for patients, not securing devices,” said Jamison Utter, director of business development at Palo Alto Networks. “Medical devices are an exciting area for healthcare IoT because of the huge amounts of potentially impactful data they capture, store, and share, but these devices have been designed to work in a clinical environment that has been purpose-built to shut out hostile factors. And today’s computer networks can be very hostile.”
Jonathan Langer, CEO of medical device cybersecurity supplier Medigate, stressed that hospital executives must understand how to assess the risk/reward trade-off of healthcare IoT and plan accordingly. “The major challenge is that when hospitals connect medical devices to each other, to computers, and to networks, you are exposing them to new and different kinds of vulnerabilities,” he said. “These devices, for the most part, run on firmware, which is not updated as frequently on medical devices as it is on computers. As firmware versions become outdated, devices become more vulnerable, and hospitals need to understand that they have to become much more diligent in blocking potential threats.”
Adopting a zero-trust mindset can head off many potential healthcare IoT problems, in large part because it assumes that potentially devastating threats already exist and builds the defensive framework around those risks. By taking extra steps to verify users’ identities, validate devices, limit physical and digital access, and analyze user behavior with automation and artificial intelligence, healthcare organizations can better secure their data, their digital assets, and their patients’ health while still reaping the long-term business benefits of healthcare IoT.
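To make the “verify identities, validate devices, limit access” sequence above concrete, and to show how the outdated-firmware concern Langer raises fits into it, here is an added example: a deny-by-default access decision for a medical device network segment. This is illustrative code written for this article, not code from the article’s author, Palo Alto Networks or Medigate. The inventory, firmware minimums, allowed flows and requests are constructed sample data, and the names (`Device`, `AccessRequest`, `decide()`, the hostnames) are assumptions for illustration.

```python
"""Deny-by-default access decision for a networked medical device.

Added example, not code from the article or from any vendor it quotes.
Inventory, policy and requests are constructed sample data; all names are assumptions.
"""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """'4.2.10' -> (4, 2, 10) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Device:
    device_id: str
    device_type: str
    cert_fingerprint: str  # SHA-256 of the client certificate recorded at enrollment
    firmware: str          # firmware version reported by the inventory system


@dataclass(frozen=True)
class AccessRequest:
    device_id: str
    presented_fingerprint: str  # fingerprint of the certificate shown on this connection
    dest: str
    port: int


# Policy per device type (constructed): minimum acceptable firmware and the only flows allowed.
MIN_FIRMWARE: Dict[str, str] = {"infusion_pump": "4.2.0"}
ALLOWED_FLOWS: Dict[str, List[Tuple[str, int]]] = {
    "infusion_pump": [("drug-library.hospital.example", 443)],
}

# Constructed inventory: one pump on current firmware, one that was never updated.
INVENTORY: Dict[str, Device] = {
    "pump-01": Device("pump-01", "infusion_pump", "a" * 64, "4.2.1"),
    "pump-02": Device("pump-02", "infusion_pump", "b" * 64, "3.9.7"),
}


def decide(req: AccessRequest,
           inventory: Dict[str, Device] = INVENTORY,
           min_firmware: Dict[str, str] = MIN_FIRMWARE,
           allowed_flows: Dict[str, List[Tuple[str, int]]] = ALLOWED_FLOWS) -> Tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; anything unknown is denied."""
    device = inventory.get(req.device_id)
    if device is None:
        return False, "deny: device not in inventory"
    # Identity: the presented certificate must match the one enrolled for this device.
    if not hmac.compare_digest(device.cert_fingerprint, req.presented_fingerprint):
        return False, "deny: certificate fingerprint mismatch"
    # Posture: a device type with no stated firmware floor has no policy, so deny it too.
    floor = min_firmware.get(device.device_type)
    if floor is None:
        return False, f"deny: no firmware policy for {device.device_type}"
    if parse_version(device.firmware) < parse_version(floor):
        return False, f"deny: firmware {device.firmware} below minimum {floor}"
    # Least privilege: only the flows explicitly listed for this device type are permitted.
    if (req.dest, req.port) not in allowed_flows.get(device.device_type, []):
        return False, f"deny: flow {req.dest}:{req.port} not in allowlist"
    return True, "allow"


if __name__ == "__main__":
    for r in (
        AccessRequest("pump-01", "a" * 64, "drug-library.hospital.example", 443),
        AccessRequest("pump-02", "b" * 64, "drug-library.hospital.example", 443),
        AccessRequest("pump-01", "a" * 64, "updates.example.net", 80),
        AccessRequest("pump-01", "c" * 64, "drug-library.hospital.example", 443),
        AccessRequest("ct-scanner-07", "d" * 64, "pacs.hospital.example", 104),
    ):
        print(r.device_id, f"{r.dest}:{r.port}", decide(r))
```

The order of the checks matters less than the shape: there is no network location from which a device is trusted, a stale firmware version is a reason to deny even when identity checks out, and the allowlist is per device type rather than a blanket segment rule. In a real deployment the inventory and firmware data would come from a device-discovery platform and the decision would be enforced at a firewall or network access control point.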
So, what should business executives and board members keep in mind when evaluating the risk-versus-reward equation for healthcare IoT under a zero-trust model?
“First, don’t lose track of the fact that healthcare IoT holds fantastic potential, and that from a cybersecurity standpoint, there is hope,” said Utter. “This is not the wild, wild west, where we have more unknowns than knowns when it comes to medical device cybersecurity.” He added that, while a gap in awareness, understanding, and appreciation of the problem remains between hospital IT leaders and clinicians, it is closing because everyone now realizes that this is something that must be addressed.
“The business, clinical, and technical leaders have to continue to talk to each other more and more often,” said Utter. “Everyone has to get on the same page on the ultimate goal, which of course is patient safety, without abandoning the exciting business opportunity represented by healthcare IoT. And to do that safely and securely, zero-trust is the way to go.”
Mike Perkowski, co-founder of New Reality Media, is an award-winning journalist who founded, led, or helped develop some of the most successful and influential high-tech media properties over the past several decades.