How Zero Trust Can Help Address Healthcare’s IoT Dilemma

Originally published by CXO REvolutionaries.

Written by Tamer Baker, Field CTO - Healthcare, Government, & Education, Zscaler.

Healthcare organizations need rigorous security – but don’t always get it

In healthcare, medical devices required for patient care, like dialysis machines, intravenous pumps, pacemakers, and vital signs monitors, are typically part of the hospital IT network. As such, they are usually linked to the local network and to cloud computing services that help manage them.

Smart devices offer numerous benefits to the healthcare industry, from improving patient outcomes through early warning and constant monitoring to countering labor shortages. But, when connected to networks, they also drastically expand hospitals' attack surfaces.

One difficult challenge with OT and medical devices in healthcare is that they could remain on a network for decades, far longer than traditional IT devices. For example, real-time locating systems (RTLS) use tags on assets like infusion pumps and crutches for tracking. These devices typically have no security built-in yet are too valuable to replace solely to address security gaps.

Moreover, most U.S. hospitals are non-profit or government-run, and the high-value data they hold (stolen health records can go for up to ten times what stolen credit card numbers fetch on the dark web) makes them juicy targets for cybercriminals.

Curing the digital threat epidemic

According to the Journal of the American Medical Association, ransomware in healthcare networks doubled yearly from 2016 to 2021. This means in 2021, there were more than thirty times as many ransomware attacks as in 2016. Hospitals unable to pay ransoms often have to cancel procedures, shift patients to other sites, and work from backup systems until the problem is resolved.

Ponemon Institute researchers report more than half – 56% – of surveyed healthcare executives believed cyberattacks against their organizations negatively affected patient care.

The U.S. government has taken note of the problem, passing spending legislation that includes provisions to hold device manufacturers to a higher security standard. The law requires manufacturers of networkable medical devices to have a formal plan for monitoring security vulnerabilities, identifying root causes, and providing fixes. It mandates cybersecurity best practices, including coordinated vulnerability disclosures. It also increases regulatory oversight by closing a device certification loophole.

Elsewhere, MITRE recently revised its 54-page Medical Device Cybersecurity Regional Incident Preparedness and Response Playbook to help health organizations meet the new demands for increased cybersecurity preparedness and improved response framework.

At a fundamental level, measures like these are a mere stopgap. At best, they make individual devices slightly more secure when the goal should be securing the entire hospital ecosystem.

How zero trust can help

Pundits have made calls to overlay a zero trust framework onto smart medical devices for some time. The need for an industry-endorsed framework will grow due to rising attacks in this vertical. Zero trust network architecture could be that framework.

For example, zero trust solutions can:

• Monitor how medical devices communicate externally to ensure they are only communicating with their vendor-required sites and blocking any outside influence, both inbound and outbound
• Identify if these devices communicate with Command & Control (C2) IPs/URLs, blocking communication and notifying the security team of the attempts
• Consolidate organizational assets behind a proxy, which must verify the identity behind every resource request. This ensures that the verification process is applied to every connection from every device, regardless of origin.
• Apply intelligent access policies. These policies must be dynamic and consider all relevant data sources before granting access. Zero trust network access (ZTNA) can also allow for conditional access based on the context of a request, such as device location and endpoint security posture.
• Incorporate artificial intelligence and machine learning (AI/ML) can help to inform, augment, and bolster access policies to reduce the odds of a breach.
• Enforce the principle of least privilege so transactions involve only the necessary services, systems, or data (i.e., not broadly authenticating to an entire network or subnetwork).

Making the leap from theory to practice

Manufacturers could undoubtedly benefit by rolling zero trust support into their devices. One step could be to include universal support for the security certificates that validate and authenticate device network transactions.

It’s also worth considering ways artificial intelligence/machine learning (AI/ML) could augment and monitor access policies in a healthcare organization. AI/ML tech can evaluate many network transactions to create a baseline, then take action against anomalies (actions that deviate too far from the baseline). The more transactions AI/ML analyzes, the more accurate it becomes. This aspect makes it a strong fit for supporting security policy management solutions that oversee infrastructure governing medical devices.

There are already compelling examples of AI/ML in healthcare. For instance, AI/ML is already available to help hospitals restrict access to patient or device data and enforce network segmentation – thus ensuring medical devices only operate in designated subdomains.

Over time, as AI/ML become even more sophisticated, it will deliver even greater value to the medical world – and its continuing evolution may drive the broader security capabilities of ZT.

Zero trust can reduce several risks OT and medical devices introduce into today's environment. Medical facilities often have to grant third-party access to these devices for support services. In granting access to these devices, outsiders are often given permissions that exceed the minimum required to perform their work. A robust zero trust framework would ensure third-party actors operate under the principle of least privilege while limiting their access to the specific device being serviced.