Zero Trust in a Medical Setting

19 January 2023

With the proliferation of devices that can potentially access an IT network within a medical setting, and the sensitive nature of patient records, it makes sense for medical infrastructure to be protected with the most robust security available. Hospitals and aged care providers have been among the most targeted organisations during the COVID era, with hackers attempting to leverage huge ransoms for captured medical data.

User identity is at the heart of zero-trust strategy. The over-arching goal is to confirm each user’s identity before they are permitted to access an area of a healthcare organisation’s network. Each time a sign-on is attempted, a zero-trust environment automatically references a vetted identity store to verify that entity’s identity and determine whether it has current privileges to access a specific resource. This applies whether the resource is an application, service, device, or data.

This level of security is recommended for any organisation with a large threat surface. A busy healthcare setting that involves hundreds of connected devices with access to data such as medical records is a prime candidate for zero-trust implementation.

The strategy recognises that the attack surface of an identity is smaller than that of an entire network. Modern organisations are not established as a single, flat network. With a combination of private cloud and public cloud with on-premises data centres, network scopes become increasingly complex and can become difficult to regulate and control. In a traditional network, identity can cross those scopes, whether they are cloud based or on-premises.

Network segmentation, which is widely employed in traditional settings, sets up fences to create perimeter defence. But within the identity segmentation built into zero-trust, a virtual security guard is placed on the perimeter. The guard is grumpy and untrusting and requests to validate your ID no matter how often you have previously entered the perimeter.

You are forced to request clearance every time you wish to enter, because your clearance level may have changed since your last visit. A terminated employee will not be able to enter a secure location just because a security guard knows their face and saw them yesterday. Grumpy and pedantic security guards may not win many popularity contests, but they keep their perimeter safe and secure from intruders and other threats.  
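The difference between the guard who remembers your face and the guard who checks your ID every time can be shown in a few lines. The following is an added illustration, not code from this article or from any product: the in-memory identity store, the user IDs and the resource names are all constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Identity:
    user_id: str
    active: bool = True
    entitlements: set = field(default_factory=set)

def login(store, user_id):
    """Perimeter-style sign-on: snapshot privileges once, trust them afterwards."""
    ident = store.get(user_id)
    if ident is None or not ident.active:
        return None
    return {"user_id": user_id, "entitlements": set(ident.entitlements)}

def cached_session_allows(session, resource):
    """Decision taken from the snapshot made at login; never rechecked."""
    return session is not None and resource in session["entitlements"]

def zero_trust_allows(store, user_id, resource):
    """Decision taken from the identity store's current state on every request."""
    ident = store.get(user_id)
    if ident is None:
        return False, "unknown identity"
    if not ident.active:
        return False, "identity disabled"
    if resource not in ident.entitlements:
        return False, "no current privilege for resource"
    return True, "allowed"

def demo():
    # Constructed sample data; the dict stands in for a vetted identity store.
    store = {
        "nurse.a": Identity("nurse.a", True, {"patient-records", "ward-devices"}),
        "contractor.b": Identity("contractor.b", True, {"ward-devices"}),
    }
    session_a = login(store, "nurse.a")   # yesterday's sign-on
    store["nurse.a"].active = False       # employment terminated today
    return {
        "cached_terminated": cached_session_allows(session_a, "patient-records"),
        "zt_terminated": zero_trust_allows(store, "nurse.a", "patient-records"),
        "zt_wrong_resource": zero_trust_allows(store, "contractor.b", "patient-records"),
        "zt_valid": zero_trust_allows(store, "contractor.b", "ward-devices"),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The cached session still grants the terminated user access to patient records, while the per-request check denies it and returns a reason that can be logged.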

The implementation of zero-trust is best undertaken following extensive planning. It will normally require the benefit of an outsider’s perspective. Don’t be afraid to call on external expertise to ensure that your zero-trust network runs smoothly, disruption is minimised, and the result achieves its intended outcome.

If you are interested in learning more about zero-trust, or the many cyber security related challenges faced by organisations with a large threat surface like those within the medical sector, contact Intalock today.      
