Healthcare organizations can boost cybersecurity with a zero-trust approach

The IT environment of a healthcare organization can be quite dynamic. The number of users accessing the systems can be vast. Doctors, nurses, office staff, and third-party providers may need access on any given day, and some may rotate in and out of the office. Decisions about authentication and access can be complicated due to the sheer number of individuals needing access and the types of access required. 

IT departments feel the pressure that comes from needing to meet the highly secure access requirements of a rotating and occasionally remote workforce, along with the need to transform their operations to meet efficiency demands.  

The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) tracks breaches of protected health information. The numbers are alarming once you notice the sustained upward trend in breaches that take aim at healthcare organizations. 

The healthcare space is in the crosshairs of bad actors looking to access patient data. Some of the most significant challenges the healthcare industry faces surround the management of identity and controlling access to the system. 

With unprecedented ransomware attacks and identity-related data breaches over the past few years, healthcare IT leaders need to find a security strategy that allows them to serve patients better, boost security, and develop solid competitive advantages. 

For the past several years, zero trust has been a focal point of cybersecurity discussions in the healthcare industry. There are good reasons for this.  

  • The vast number of users seeking access to critical systems and personal information has made trust a troublesome commodity. 
  • Medical professionals may want each of their non-medical staff to have the same access to patient data as they do. 
  • Insurance companies may want to have access to patient data. Healthcare organizations need to make sure they get the right type of access. 
  • Patients may want to have access to their own data. 

It is for these reasons, and others often unique to the individual organization, that controlling access to patient data is a crucial part of an identity-defined cybersecurity architecture. IT departments need a solid understanding of the varying access needs of front desk office staff and medical professionals, as well as those of partners and anyone else who may need to reach patient information and systems. 

The potentially vast number of accounts broadens the attack surface: every account is a possible target for the phishing and spear-phishing attacks that remain a favorite tool of threat actors. 

Key considerations

When it comes to defending against credential abuse and phishing, multifactor authentication (MFA) has a proven track record, although not every factor is equal: one-time codes and push approvals can still be phished or pushed through by notification fatigue, whereas phishing-resistant methods such as FIDO2/WebAuthn security keys bind the login to the legitimate site. Before rolling out an MFA solution, decision-makers should perform a complete analysis of the healthcare organization’s IT infrastructure. 

Taking the time to do this lets decision-makers identify the access points that need added protection and the applications and systems that are most at risk. 

The amount of friction users are willing to tolerate should also be considered. Whether MFA combines passwords with biometrics, hardware tokens with passwords, or something else entirely, an implementation that is not user-friendly breeds frustration and pushback, and in a clinical setting frustrated staff tend to route around controls, for example by sharing logins on a busy workstation. The more friction users face, the more pushback there will be. 

Healthcare is highly regulated 

The healthcare industry is among the most highly regulated in the country. HIPAA does not name MFA explicitly, but MFA fits neatly into several HIPAA Security Rule requirements for protecting patient health information, such as the person or entity authentication standard. 

Legacy systems and moving forward 

MFA is a crucial step on the path to zero-trust security. One of the major concerns healthcare organizations face, along with many organizations in other industries, is that legacy systems can become a serious barrier to implementing new cybersecurity models, including zero-trust authentication: a clinical application that only understands a local username and password cannot participate in a per-request policy decision without a proxy or gateway in front of it. 

However, as more applications move to cloud services that natively support modern identity protocols, integrating zero trust becomes easier.  

A key component of zero trust is verifying every user and every device on every access, regardless of where the request originates; being on the hospital network earns no implicit trust. With this comes the implementation of the principle of least privilege: users are given only the privileges they need to perform their job duties, and if a user doesn’t need an access right, that right is not granted. The goal of least privilege is to minimize the potential attack surface, so that one compromised account exposes as little as possible. 
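The policy decision that the paragraph above describes, written out as an added example (this is illustrative code, not code from the article or from any particular product). Every request carries the caller's identity claims and device posture, the answer is deny by default, and each role is granted only the sections of a patient record its job requires. The roles, record sections, care-team assignments and device attributes are all constructed for the example.

```python
"""Zero-trust style policy decision point for patient-record access.

Added example: roles, record sections and posture attributes are assumed
for illustration and do not come from any real system.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Least-privilege matrix: each role may READ only the listed record sections.
# Anything not listed is denied, which is the deny-by-default half of the rule.
ROLE_READ_SECTIONS = {
    "physician":  {"demographics", "clinical_notes", "medications", "billing"},
    "nurse":      {"demographics", "clinical_notes", "medications"},
    "front_desk": {"demographics", "billing"},
    "insurer":    {"billing"},
    "patient":    {"demographics", "clinical_notes", "medications", "billing"},
}

# Write rights are narrower still: only the roles that must change a section.
ROLE_WRITE_SECTIONS = {
    "physician":  {"clinical_notes", "medications", "demographics"},
    "nurse":      {"clinical_notes", "demographics"},
    "front_desk": {"demographics", "billing"},
}

# Roles that act from organization-managed endpoints; patients use their own
# devices via the portal and are covered by MFA alone in this example.
WORKFORCE_AND_PARTNER_ROLES = {"physician", "nurse", "front_desk", "insurer"}


@dataclass(frozen=True)
class Principal:
    user_id: str
    role: str
    mfa_verified: bool
    device_managed: bool
    # Patient ids on this clinician's care team (assumed attribute).
    assigned_patients: frozenset = field(default_factory=frozenset)


@dataclass(frozen=True)
class Request:
    patient_id: str
    section: str   # e.g. "clinical_notes"
    action: str    # "read" or "write"


def authorize(p: Principal, r: Request) -> tuple[bool, str]:
    """Return (allowed, reason). Every check must pass; nothing is trusted by default."""
    # 1. Re-verify authentication strength on every request.
    if not p.mfa_verified:
        return False, "mfa_required"
    # 2. Device posture: workforce and partner access only from managed devices.
    if p.role in WORKFORCE_AND_PARTNER_ROLES and not p.device_managed:
        return False, "unmanaged_device"
    # 3. Only the two known actions exist.
    if r.action not in ("read", "write"):
        return False, "unknown_action"
    # 4. Role must be known and permitted for this section and action.
    table = ROLE_READ_SECTIONS if r.action == "read" else ROLE_WRITE_SECTIONS
    if r.section not in table.get(p.role, set()):
        return False, f"{r.action}_not_in_role"
    # 5. Scope to the individual patient: patients see only their own record,
    #    clinicians only patients on their care team. Front desk and insurer
    #    roles are scoped by section above rather than by patient.
    if p.role == "patient" and p.user_id != r.patient_id:
        return False, "not_own_record"
    if p.role in ("physician", "nurse") and r.patient_id not in p.assigned_patients:
        return False, "not_on_care_team"
    return True, "allowed"


def demo() -> list[tuple[str, bool, str]]:
    """Run a few constructed requests through the policy and collect the outcomes."""
    nurse = Principal("n001", "nurse", True, True, frozenset({"P1"}))
    clerk = Principal("f001", "front_desk", True, True)
    payer = Principal("ins01", "insurer", True, False)
    patient = Principal("P1", "patient", True, False)
    cases = [
        ("nurse reads own patient's notes", nurse, Request("P1", "clinical_notes", "read")),
        ("nurse reads another patient", nurse, Request("P2", "clinical_notes", "read")),
        ("front desk reads clinical notes", clerk, Request("P1", "clinical_notes", "read")),
        ("insurer from unmanaged device", payer, Request("P1", "billing", "read")),
        ("patient reads own notes", patient, Request("P1", "clinical_notes", "read")),
        ("patient edits own notes", patient, Request("P1", "clinical_notes", "write")),
    ]
    return [(label, *authorize(p, r)) for label, p, r in cases]


if __name__ == "__main__":
    for label, ok, reason in demo():
        print(f"{'ALLOW' if ok else 'DENY ':5} {label}: {reason}")
```

The order of the checks matters in practice: authentication strength and device posture are evaluated before any data-level rule, so a stolen password on an unmanaged laptop is refused before the policy ever looks at which record is being requested. Adding a new role means adding an explicit row to the tables; a role with no row gets nothing.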

With the expansion of cloud services, along with staff and partners needing to access systems, the implementation of a least privilege strategy, combined with a robust identity solution, can help mitigate some of the cyber-attacks targeted at healthcare organizations. 

At the top of the list of these cyber-attacks are ransomware and spear-phishing. Organizations should have an incident response and recovery plan ready to roll out in the event of an attack, and it should be tested in advance, because too much downtime in the healthcare space can significantly affect patient care.  

With a zero-trust approach to security, healthcare organizations can continue to offer a focus on quality patient care.  

To maintain a high level of protection while meeting compliance demands, healthcare organizations need to consider several pieces. Network security, endpoint security, and security awareness are all a part of the cybersecurity puzzle. 


In truth, the protection of healthcare spaces is unlikely to get less complex. Bad actors are going to continue to target the healthcare space. However, a zero-trust approach supported by robust identity-defined security solutions can significantly reduce the risks that healthcare organizations face. It can also help them see an improvement in their cybersecurity prognosis.