GISEC: For zero trust in healthcare, assume you’re always under attack

If you’re an IT professional, especially if you’re working in healthcare, you need to keep the zero trust approach to security top of mind, according to experts meeting at GISEC 2021 in Dubai this week. That’s because, despite the advantages that digital services bring, enterprises are seeing their attack surfaces grow and need to rethink the basic fundamentals of perimeter security to protect users, data and critical applications.

Organizations, particularly those such as hospitals and other healthcare organizations that hold sensitive personal data, should establish a zero trust stance, where people, devices, and applications have to prove their identity before being allowed to access resources, said health professionals and security experts at GISEC.

Digital transformation is having a profound impact on the way in which companies deploy new applications, as well their exposure to threats. Enterprises in virtually all sectors are pursuing digital transformation projects with the aim of enhancing the value of their products and services to customers, operating with greater efficiency and agility, and fostering innovation.  But even though companies have started to adopt devops workflows, security practices have not kept up.

Healthcare is one of the sectors most vulnerable to cyberattacks, due to the rapid deployment of new services based on emerging technology such as AI and IoT, as well as the sensitivity of data involved, noted security experts at GISEC.

IDG

“When I started … we protected the firewall, that was all,” said Saqib Chaudhry, head of digital innovation and development at Cleveland Clinic Abu Dhabi, who started his career in cybersecurity 20 years ago. “Now with digitalization, IoT and cloud, things have become more difficult — we can’t define the perimeter, it’s all around on the internet, cloud, our mobile phones.”

What is zero trust?

The zero trust concept has been around for a while but has become popular recently. “The idea is to verify first, and then trust,” said Chaudhry this week during GISEC. “You need to verify your devices and network, it’s not only about name and password, there are more variables like the network connection or the location.”

His most important advice: “Always assume that you are under attack; that forces you to take control of the situation and protect yourself.”

The zero trust concept is vital for security in healthcare since medical records are available via an increasing number of channels and devices, and in the wrong hands, health information can cause serious damage. Healthcare records contain the most valuable information available, including government identification numbers, home addresses and patient health histories, making them more valuable to hackers than other types of data.

Healthcare has been the favourite target of hackers, especially in the last two years, said Ramakrishnan Natarajan, vice president of IT at Emirates Hospitals Group. “Why? Patient data can be used in many ways, especially to get money.”

Employee devices are the main threat

Just about all employees these days have access to company services through devices, including mobile phones, a main reason why the security perimeter that CSOs need to protect is bigger than years ago.

“The maximum vulnerability always comes from our own employees, even if it’s not malicious. We need to train our employees, especially in healthcare so they are qualified enough in terms of cybersecurity”, explained Veneeth Purushotaman, group CIO at Aster DM Healthcare. “Are they really well-trained? That’s my question.”

During COVID, IT staffs at healthcare organizations accelerated deployment of innovative services as well as data-sharing, due to the complex, constantly shifting pandemic situation. IT departments stepped in to reinforce the trust model.

“We need to give patients trust on their data, and they only way to do this is identifying the ownership of data — a client wants to be sure data is protected,” said Osama Elhassan, Specialist, Health Informatic and Smart Health Department at Dubai Health Authority. “What we also need is to train doctors, nurses, etc., and for that we need to bring on board cybersecurity experts.”

 In healthcare, just about everyone involved in patient care has to input as well as access data, industry insiders said.

“Our sector is not simple, is a very complex ecosystem, we need to be focused on network segments,” said Natarajan, of the Emirates Hospitals Group. “When security is decentralized, zero trust provides the roadmap.”

There is, however, no single, specific product or application that will ensure zero trust, experts cautioned. It is, rather, an approach to security that must be kept top of mind by security professionals as well as end users, and adopted throughout an organization’s IT infrastructure.  

“From a zero trust perspective, we have to understand is not a solution, and it’s not a device, it’s a concept, that’s why you need your employees on board,” clarified Cleveland Clinic Abu Dhabi’s Chaudhry.