A Quick Case Study in Zero Trust Architecture
You work in a bustling hospital. Physicians, nurses, and administrative staff are constantly on the move, accessing patient records, medical devices, back-office, and administrative systems, all directed at patient care. Data is stored, transmitted, and applied everywhere. From patient onboarding until they are discharged. But your hospital is different. Practitioners and administrators work diligently to keep all this data secure. To do so, your hospital adopted Zero Trust Architecture (ZTA), a security model that operates on the principle of "Never Trust, Always Verify."
This is not some sharp rebuke; it’s organizational and cultural buy-in. From practitioners to office workers, to suppliers and key stakeholders. Your hospital is keen to provide the absolute best in care, but that care transcends the patient’s direct health concerns. It’s just as much about patient data. It’s concerns Protected Health Information (PHI), Personally Identifiable Information (PII), and all that is associated with both. Security. Compliance. Governance. Risk Mitigation.
Never Trust, Always Verify
In your hospital, every time a doctor or nurse accesses patient records, they go through Multi-Factor Authentication (MFA). This means after entering their password, they also need to verify their identity with a code sent to their phone or they access an Authenticator app. Even the devices they use, like tablets and computers, are verified to ensure they have the latest security updates. The same holds true for administrative staff. MFA is applied to the applications and systems they use to run the hospital and exchange data with patients and key stakeholders. Whether it is via a desktop, laptop, or mobile device.
Least Privilege Access
Your hospital’s Information Security team has implemented Least Privilege Access. Each staff member has access only to the information and systems necessary for them to perform their job. A nurse can access patient records but not the hospital's financial data. Additionally, when an IT admin needs to install software updates, she is granted elevated privileges only for the duration of the task, thanks to Just-In-Time (JIT) Access.
Micro-Segmentation
Your hospital’s security and network team use Micro-Segmentation to further advance its security. The network is divided into smaller segments, each with its own security controls. Patient records are in one segment, medical devices in another, and administrative systems in yet another. This way, even if an attacker gains access to one segment, they can't easily move to another.
Continuous Monitoring
Finally, your hospital employs Continuous Monitoring to keep an eye on all activities. Security Information and Event Management (SIEM) systems collect and analyze log data from various sources in real-time, detecting any unusual patterns or behaviors. Endpoint Detection and Response (EDR) tools continuously monitor devices for suspicious activities, ensuring any threats are quickly identified and addressed. Email is analyzed for threats, quickly identifying phishing, spam, or other non-essential email, and automatically quarantining against ransomware and business email compromise.
Tools, Technologies, and Processes
To implement these principles, the hospital uses a variety of tools and technologies. For Never Trust, Always Verify, security relies on state-of-the-art MFA solutions and Identity Management Systems. For Least Privilege Access, they use role-based access control tools including AWS IAM and JIT access solutions from CyberArk. For Micro-Segmentation, they employ Illumio Core and Akamai Guardicore Segmentation. Finally, for Continuous Monitoring, they use SIEM from Splunk and EDR/MDR solutions SentinelOne. Your hospital also understands that training, development, and process improvement are all necessary components for securing data.
Summary
By implementing Zero Trust Architecture, your hospital ensures that every access request is verified, access is limited to what's necessary, the network is segmented to contain potential breaches, and all activities are continuously monitored through governed and compliant processes. This comprehensive approach keeps the hospital's data and systems secure, allowing staff to focus on providing the best possible care to their patients.
Image = SANS
?