The challenges facing healthcare organisations following the heights of the COVID-19 pandemic are many, including continually increasing workloads for staff, not only in the medical professions but also in allied support roles for the teams of specialists dealing with IT and clinical informatics. These challenges clearly show that traditional healthcare models are in crucial need of overhaul to pave the way for new digital health innovations. This vital step will not only support clinicians in their efforts to improve every stage of patient care; it will also improve the lives of many other staff who are desperately struggling with their own workplace demands.
Cyber security and the clinical informatics approach
As a result of the clinical informatics approach, the use of new and different technologies in healthcare is growing rapidly, leading to a transformation in medical solutions across the world. Health technology innovations have long been used to support the diagnosis, monitoring and treatment of various medical conditions, but another, still emerging, purpose is to protect the sector from cyber threats and attacks.
For healthcare organisations in particular, a recurrent cyber security challenge is linked to network security. Healthcare organisations are commonly vulnerable to cyber-attacks due to their many legacy systems, as well as having a number of hard-to-manage or unruly medical devices. These systems and devices bring inherent weaknesses to network architecture due to their larger attack surface.
This is usually the fault of organisations using a traditional network design approach, focusing predominantly on perimeter security. This divides the network into different perimeters and ‘trust’ levels, in effect walls that are meant to prevent external attackers from entering the internal environment, which is split into ‘trusted’ and ‘distrustful’ zones. There is a flaw with this approach: it tends to leave perimeter zones vulnerable to attacks from inside the organisation.
The vulnerabilities of a traditional approach
A 2020 report from Protenus revealed the number of breached patient records from attacks inside of the network was over 3.8 million, up 26% in 2019 from the previous year. In more recent findings, the Protenus breach barometer report highlighted that over 50 million patient records were breached in 2022.
In essence, the traditional network perimeter-based design usually presents a ‘tough on the outside,’ ‘soft on the inside’ pattern. There are several access control mechanisms involved. Intrusion protection elements and firewall rules prevent external intruders from invading the inner network.
However, the inside’s more relaxed rules allow already connected ‘trusted’ devices to access critical services and areas. As a result, the traditional perimeter model is vulnerable to several forms of attack that can easily breach a network by infecting a ‘trusted’ device and accessing data without ever having to deal with the hard perimeter shell.
One example of this is the infamous WannaCry ransomware attack, which had a devastating impact on the NHS. This ransomware was able to spread across NHS devices due to an outdated operating system on legacy devices in the internal area of the network perimeter. Once again, the use of a traditional network design created a ‘hard on the outside, soft on the inside’ environment in which ransomware could flourish.
Fixing the challenges with ‘zero trust’
To fix these challenges, a new and growing approach to network security is needed in several different areas, including the healthcare setting, to ensure that the default position is always ‘zero trust’.
This is the model of the future for network design, particularly in developing effective cyber security systems. Zero trust-based approaches remove the inherent belief in security from the network and treat all devices and areas as hostile by nature and prone to attack. The National Cyber Security Centre (NCSC) provides a list of 10 principles related to zero trust, as follows:
- Know your architecture including users, devices, and services
- Create a single strong user identity
- Create a strong device identity
- Authenticate everywhere
- Know the health of your devices and services
- Focus your monitoring on devices and services
- Set policies according to value of the service or data
- Control access to your services and data
- Don’t trust the network, including the local network
- Choose services designed for zero trust.
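
To make the contrast between the two models concrete, the following added example (not code from the NCSC or from this article) evaluates the same two access requests under a perimeter rule and under a per-request zero trust rule. All names, the address range, the service names and the specific signals used (MFA for a strong user identity, patch age for device health) are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed values for illustration only.
INTERNAL_NET = ip_network("10.0.0.0/8")
# Minimum assurance per service, set according to the value of its data.
SERVICE_POLICY = {
    "patient-records": {"mfa": True, "max_patch_age_days": 30},
    "canteen-menu": {"mfa": False, "max_patch_age_days": 365},
}

@dataclass
class Request:
    source_ip: str
    user_authenticated: bool
    user_mfa: bool             # assumed signal for a strong user identity
    device_id_verified: bool   # assumed: device certificate was validated
    patch_age_days: int        # assumed device health signal
    service: str

def perimeter_decision(req):
    """Traditional model: anything on the internal network is trusted."""
    return ip_address(req.source_ip) in INTERNAL_NET

def zero_trust_decision(req):
    """Check identity, device and health on every request; ignore network location."""
    policy = SERVICE_POLICY.get(req.service)
    if policy is None:
        return False, ["unknown service"]
    reasons = []
    if not req.user_authenticated:
        reasons.append("user not authenticated")
    if policy["mfa"] and not req.user_mfa:
        reasons.append("MFA required")
    if not req.device_id_verified:
        reasons.append("device identity not verified")
    if req.patch_age_days > policy["max_patch_age_days"]:
        reasons.append("device health below policy")
    return not reasons, reasons

# Constructed request: an unpatched legacy device already inside the network.
LEGACY = Request("10.20.30.40", True, False, False, 900, "patient-records")
# Constructed request: a managed, patched laptop connecting from outside.
MANAGED = Request("203.0.113.7", True, True, True, 5, "patient-records")

if __name__ == "__main__":
    for name, req in (("legacy", LEGACY), ("managed", MANAGED)):
        print(name, perimeter_decision(req), zero_trust_decision(req))
```

The perimeter rule admits the legacy device purely because of where it sits, while the zero trust rule denies it and records why, which also gives monitoring something to act on.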