Jul 1, 2020
Increasing medical device cybersecurity with Zero Trust principles

Rob Suárez, VP, Chief Information Security Officer for BD

Cyberattacks have increased sharply since the COVID-19 pandemic began, and the healthcare industry remains a consistent target. At the same time, the industry has also experienced multiple technology shifts that will likely become part of our “new normal” after the pandemic subsides. For example, providers and patients will likely come to expect virtual medical appointments for certain routine and follow-up visits. Similarly, connected medical devices will continue to be used to monitor patients recuperating at home well beyond the COVID-19 pandemic. For healthcare cybersecurity leaders, sustaining these changes long term means we will need to create a new normal, too: one that represents an important paradigm shift.

For the last decade, the focus in medical device cybersecurity has been on securing the networks on which medical devices operate. Yet, the boundaries for practicing healthcare have shifted. An organization’s security perimeter is no longer confined to a physical building. Instead, the perimeter now includes all the locations where healthcare employees work and where patient devices are used, including homes, businesses and myriad locations beyond the hospital campus.

Embracing Zero Trust principles

To improve the resilience of healthcare during a pandemic or any other crisis, we need to adopt Zero Trust principles. In other words, never trust and always verify: no user, device or connection is trusted because of where it sits on the network, and every access request is authenticated and authorized on its own merits. Instead of trusting devices inside the network, this approach means trusting no user or device by default and operating as though the network has already been compromised. To use the analogy of protecting your home by locking the front door, adopting Zero Trust principles means guarding your valuables as though a thief has already broken into the house.

Making this approach part of our new normal means we must accept that strong passwords and virtual private networks (VPNs) are not enough: a VPN extends the network to a remote endpoint, but it tells us nothing about whether that endpoint is healthy or whether the person behind it is who they claim to be. Instead, we need to incorporate additional criteria to authenticate and authorize access, such as location, user behavior and device health (patch level and whether the device can attest to its expected software state), and to evaluate those criteria on each request rather than only once at login, to strengthen our approach and take cybersecurity to the next level.

Interfaith Medical Center, a 287-bed non-profit teaching hospital in Brooklyn, New York, with ambulatory care clinics that treat more than 250,000 patients every year, began to incorporate Zero Trust principles in 2015. Christopher Frenz, assistant vice president of information security for Interfaith, is a strong proponent. “Organizations need to fundamentally shift their approach to cybersecurity and focus more on proactive strategies that only allow for known good behaviors, rather than focusing on reactive strategies,” advises Frenz.

“A reactive approach to security protects you against yesterday’s threats,” Frenz said. “Taking a Zero Trust approach to security, in which any unapproved behavior is blocked by default, is becoming an increasingly critical approach to dealing with the growing number and sophistication of cyber threats. In a modern hospital, it is crucial to remember that cybersecurity can directly impact patient safety, and as such we must ensure that measures are in place to mitigate the spread of cyber threats through our networks. Zero Trust is a key control for minimizing the lateral movement of such threats.”
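The two ideas above, authorizing on more than a password and a VPN tunnel (location, user behavior, device health) and blocking any behavior that is not explicitly approved so that lateral movement has nowhere to go, come together in a single default-deny policy decision. The following is an added example written for this page; it is not code from BD, Interfaith Medical Center or any product. The device names, zones, services, users, the 30-day patch threshold and the sample requests are all made up for the illustration, and a real deployment would feed these checks from an identity provider, an endpoint or device-attestation service and network telemetry rather than from in-memory tables.

```python
"""Default-deny access policy combining identity, device health, location and an
allow-list of known-good network flows.  Illustrative example only; every name,
zone, service and threshold below is a constructed placeholder."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool
    device_id: str
    device_attested: bool   # firmware/OS measured and matches the expected state
    patch_age_days: int     # days since the device last received updates
    source_zone: str        # network zone the request came from, e.g. "ward-7", "home"
    destination: str        # service the request wants to reach
    port: int
    hour: int               # local hour of the request, 0-23


# Known-good flows as (source_zone, destination, port).  Anything not listed is
# denied, which is what stops a compromised device from reaching services it has
# no business talking to (lateral movement).  Constructed for the example.
ALLOWED_FLOWS = {
    ("ward-7", "infusion-gateway", 443),
    ("home", "telehealth-portal", 443),
    ("ward-7", "pacs", 104),
}

# Where and when each user normally works; a simple behavioral baseline.
USER_BASELINE = {
    "nurse.alice": {"zones": {"ward-7"}, "hours": range(6, 20)},
    "dr.bob": {"zones": {"ward-7", "home"}, "hours": range(0, 24)},
}

MAX_PATCH_AGE_DAYS = 30  # assumed device-health threshold


@dataclass
class Decision:
    allow: bool
    reasons: list = field(default_factory=list)  # why the request was denied


def evaluate(req: Request) -> Decision:
    """Every check must pass.  All failing checks are collected so that the log
    entry explains the denial instead of reporting only the first problem."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa not verified")
    if not req.device_attested:
        reasons.append("device attestation failed")
    if req.patch_age_days > MAX_PATCH_AGE_DAYS:
        reasons.append(f"device unpatched for {req.patch_age_days} days")
    if (req.source_zone, req.destination, req.port) not in ALLOWED_FLOWS:
        reasons.append(
            f"flow {req.source_zone}->{req.destination}:{req.port} not allow-listed"
        )
    baseline = USER_BASELINE.get(req.user)
    if baseline is None:
        reasons.append(f"unknown user {req.user}")
    else:
        if req.source_zone not in baseline["zones"]:
            reasons.append(f"{req.user} never works from {req.source_zone}")
        if req.hour not in baseline["hours"]:
            reasons.append(f"{req.user} outside usual hours ({req.hour}:00)")
    return Decision(allow=not reasons, reasons=reasons)


# Constructed sample requests (not real traffic).
SAMPLES = {
    # Nurse on the ward, healthy attested device, approved flow: allowed.
    "nurse_normal": Request("nurse.alice", True, "pump-0042", True, 5,
                            "ward-7", "infusion-gateway", 443, 9),
    # Same credentials and device, but reaching for PACS over SMB: lateral movement.
    "lateral_move": Request("nurse.alice", True, "pump-0042", True, 5,
                            "ward-7", "pacs", 445, 9),
    # Doctor at home on an approved flow, but the laptop is 90 days unpatched.
    "stale_home_device": Request("dr.bob", True, "laptop-17", True, 90,
                                 "home", "telehealth-portal", 443, 22),
    # Nurse's credentials used from home at 02:00: two behavioral deviations.
    "nurse_from_home_night": Request("nurse.alice", True, "laptop-03", True, 2,
                                     "home", "telehealth-portal", 443, 2),
}


def run_samples() -> dict:
    return {name: evaluate(req) for name, req in SAMPLES.items()}


if __name__ == "__main__":
    for name, d in run_samples().items():
        verdict = "ALLOW" if d.allow else "DENY "
        print(f"{name:24} {verdict} {'; '.join(d.reasons)}")
```

The design choice worth noting is that the VPN tunnel never appears as an input: being "on the network" buys nothing. Identity, device state and the specific flow are each checked on every request, and the only way to get an allow is for all of them to pass.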

Just as the healthcare industry has come together to adapt and scale beyond the hospital to manage the current demand for healthcare services, we will need to come together to define how medical technology will be protected when it moves from a hospital room to a pharmacy, grocery store or patient’s home. Across the industry, as we look toward creating a new normal beyond the COVID-19 pandemic, we cannot ignore the opportunity to bolster our approach to cybersecurity by more broadly embracing Zero Trust principles.
