Zero-trust adoption is a journey in healthcare
said Jon McKeeby, Chief Information Officer at the National Institutes of Health Clinical Center, which currently has only 10 percent of its data in the cloud. “We want to meet zero-trust requirements while meeting needs around clinical care and patient care. It’s a struggle for all of us to meet these requirements at the same time. We need to do zero trust the right way to ensure systems meet these requirements.”
McKeeby added that zero trust should not simply be a “checkbox exercise”. It must fit the organization’s mission.
To achieve zero-trust adoption, Robert Wood, CISO at the Centers for Medicare and Medicaid Services, made it clear that CMS is looking to leverage as many centralized services, capabilities and infrastructures as possible. The agency focuses much of its investment on cloud technology, as most of its systems run in the cloud in some form.
Paul Suh, CISO at the National Institute of Allergy and Infectious Diseases, said his organization starts with the identity pillar of zero trust, using tools to determine who or what is accessing systems and data. While the organization has many security tools, Suh explained that the security team has not been prepared well enough to take full advantage of the tools’ capabilities.
Many devices were connected to the network at the start of the pandemic, and now the organization is working to determine the appropriate level of protection for those devices. In addition to data protection, NIAID — and more broadly, the National Institutes of Health — is focused on how data is shared with researchers, scientists, clinicians, and officials.
“Once we come up with a model of how we can share data while protecting it in the right way, zero trust will have the biggest impact,” Suh said.
Tips for implementing a zero-trust security framework
“I will not achieve that Level 4 maturity out of the gate,” said Gerald J. Caron, Chief Information Officer and Assistant Inspector General for Information Technology at the Office of Inspector General of the U.S. Department of Health and Human Services. “We need to do a better job of managing effectiveness over compliance. To be effective in cybersecurity, it is not enough to comply. We need to know what we are doing well, where we need to do more and where there are gaps.”
He emphasized the importance of returning to the five pillars of zero trust to understand the framework.
“These pillars have to work together,” he said, adding that telemetry is key to understanding what is going on within an enterprise network. “What do you know about this computer, and do you manage it? Devices have different levels of risk, and it’s important to put a risk score on them. This visibility allows you to deliver the right data to the right people at the right time.”
Zero trust means continuously checking device and identity factors in real time to see whether anything changes. Wood explained that telemetry and risk scores take organizations only part of the way toward zero-trust adoption. For applications, data and devices, security teams need to identify the action that shuts down, isolates or reduces user access when risk changes. That requires a suitable control plane, and an IT environment that can actually act on decisions from that control plane.
“Telemetry and risk score are important, but what can you really do once you have that risk score?” he asked. “Can you adjust policy enforcement based on a sliding scale of risk? If you can’t do that, you’re spending money on tools you can’t do anything with.”
Caron recommended that organizations include users early in the process and look at zero-trust implementation through the lens of users’ workflows.
“If you do something new under the guise of security without understanding the workflow, they will find ways around it to get the job done,” he said.
The role of zero trust in organizational priorities
Implementing zero trust can help healthcare organizations achieve other business and clinical priorities. Suh explained that zero trust helps NIAID bring together different layers of IT with mission-driven priorities, business needs and people.
“It’s a great opportunity to drive our IT teams and developers towards DevOps principles,” he said.
Achieving zero trust also depends on interdepartmental cooperation. Wood pointed out that zero trust is a horizontal, organization-wide program, not an isolated vertical approach.
“Different silos contribute to that horizontal plan, and everyone benefits as a result of consuming that plan,” he added.