AHA: ‘Zero trust’ cybersecurity posture necessary to protect hospital data
In January, the National Security Agency (NSA) released protocols for the U.S. Department of War to achieve “zero trust” security across the agency, meaning any access to the network must come from something continually inside it. While such a setup would be technically demanding for healthcare, the American Hospital Association (AHA) said it may be time for facilities to start moving in that direction.
Zero trust security would mean radical changes for hospitals, where a countless number of devices have access to networks, including everything from EHRs to medical devices, to tablets and smartphones used for communication.
What the NSA wants the Department of War to adopt is a system where no one gains access to a network from the outside, meaning no logins or passwords. In fact, even systems connected to the network from the inside are not automatically trusted.
In other words, every user, device, and system must continually prove they are allowed access—and access is limited strictly to what’s necessary.
The ethos of zero trust means that it’s assumed even the network itself isn’t safe, hence the continuous verification. Something like a two-factor authentication app displaying a constant active code would be required to log on.
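The three ideas in the paragraphs above (no trust from network location, continuous re-verification, and access limited to what the role needs) can be made concrete with a small policy check. The following is an added example written for this page; it is not code from the AHA, the NSA guidance, or any hospital system, and every name, role, network range and time limit in it is a constructed assumption. It puts a perimeter-style decision, which trusts anything already "inside" the network, beside a zero-trust decision that evaluates identity freshness, device posture and least privilege on every request:

```python
"""Added example: per-request zero-trust check vs. a perimeter check.

Constructed illustration, not code from the AHA, the NSA or any hospital.
Roles, permissions, the 'internal' network range and the MFA age limit are
all assumed values chosen for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Hypothetical least-privilege table: each role may perform only the
# actions its job needs. Roles and action names are constructed.
ROLE_PERMISSIONS = {
    "nurse": {"ehr:read", "ehr:write_vitals"},
    "billing": {"ehr:read_billing"},
    "infusion_pump": {"ehr:write_vitals"},
}

MFA_MAX_AGE_SECONDS = 15 * 60            # assumed policy: re-prove identity every 15 minutes
INTERNAL_NETWORK = ip_network("10.0.0.0/8")  # constructed 'inside the hospital' range


@dataclass
class AccessRequest:
    user: str
    role: str
    action: str
    source_ip: str
    device_managed: bool       # enrolled in the organisation's device management
    device_patched: bool       # posture check passed (current patch level)
    seconds_since_mfa: int     # time since the last fresh second factor


def perimeter_decision(req: AccessRequest) -> bool:
    """Perimeter model: anything originating inside the network is trusted."""
    return ip_address(req.source_ip) in INTERNAL_NETWORK


def zero_trust_decision(req: AccessRequest):
    """Zero trust: network location grants nothing.

    Every request must pass role/least-privilege, identity-freshness and
    device-posture checks. Returns (allowed, reasons); the reasons list is
    what a defender would log and alert on.
    """
    reasons = []
    if req.role not in ROLE_PERMISSIONS:
        reasons.append("unknown role")
    elif req.action not in ROLE_PERMISSIONS[req.role]:
        reasons.append(f"action {req.action!r} not permitted for role {req.role!r}")
    if req.seconds_since_mfa > MFA_MAX_AGE_SECONDS:
        reasons.append("second factor stale; re-authentication required")
    if not req.device_managed:
        reasons.append("device not enrolled")
    if not req.device_patched:
        reasons.append("device posture check failed")
    return (not reasons, reasons)


# Constructed sample: a request from an 'inside' address on an unmanaged
# device with a stale second factor, asking for more than the role needs.
SUSPECT = AccessRequest(user="j.doe", role="billing", action="ehr:write_vitals",
                        source_ip="10.20.30.40", device_managed=False,
                        device_patched=True, seconds_since_mfa=3 * 3600)

# Constructed sample: a nurse on a managed, patched device with recent MFA,
# connecting from an address outside the 'internal' range.
LEGIT = AccessRequest(user="r.smith", role="nurse", action="ehr:write_vitals",
                      source_ip="203.0.113.7", device_managed=True,
                      device_patched=True, seconds_since_mfa=120)


def compare(req: AccessRequest) -> dict:
    """Show how the two models decide the same request."""
    allowed, reasons = zero_trust_decision(req)
    return {"perimeter": perimeter_decision(req), "zero_trust": allowed, "reasons": reasons}


if __name__ == "__main__":
    for name, req in (("suspect", SUSPECT), ("legit", LEGIT)):
        print(name, compare(req))
```

Run stand-alone, the perimeter check admits the suspect request purely because of its source address and rejects the legitimate nurse for being remote; the zero-trust check does the opposite, denying the first with three logged reasons and allowing the second because identity, device and scope all check out.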
The NSA is implementing this rollout in two phases: The first establishes a secure foundation for zero trust by outlining 36 key activities that strengthen an organization’s environment and enable 30 core security capabilities.
Phase two builds on that foundation by detailing 41 activities that integrate core Zero Trust solutions into the environment, enabling 34 more advanced security capabilities.
In other words, advanced security tools are rolled out across the whole system until everything that has access is controlled over time. In theory, this makes it much harder for anyone to invade the network—for a hacker to get inside, they’d have to be inside the whole time the new cybersecurity infrastructure is rolled out.
For healthcare, where EHR systems and patient portals involve constant logins, this can be tricky. But the AHA thinks it is the direction the industry should move in if it wants to stop data breaches.
Trust no one
In a statement released on Feb. 19, the AHA asked members to take note of the NSA’s protocols as a possible roadmap for the future. The logic: if these zero trust standards are good enough for the Department of War, they’re good enough for hospitals.
“Implementation of zero trust is resource intensive and may be cost prohibitive for some organizations,” Scott Gee, AHA deputy national advisor for cybersecurity and risk, said in the release. “However, with cybersecurity threats and attacks continuing to target the health care sector, adopting zero trust can help hospitals and health systems further reduce their cyber risk through a structured process.”
The professional association admitted that the NSA didn’t have healthcare in mind when it released its guidance. However, that doesn’t mean healthcare can’t take note of the basic philosophy.
“The NSA guidance is very detailed, and, while not tailored to health care, the process can be adapted to meet the needs of hospitals and health systems,” Gee added.
The AHA said its latest cybersecurity and risk resources and threat intelligence can be found by clicking here.
