How do SASE and ZTA work together to enhance healthcare cybersecurity?

Remote healthcare, telemedicine visits, home monitoring, and field staff accessing cloud-based EHRs are no small projects or special cases. These practices and initiatives are now an integral model for many providers. As the HIPAA Times article Securing telehealth and remote healthcare with SASE states, “Remote healthcare has moved from a pandemic-driven necessity to a permanent part of modern medical delivery.” At the same time, the healthcare sector remains a prime target for cyber threats. For example, “From 2005 to 2019 … the total number of individuals affected by healthcare data breaches was 249.09 million” and “the healthcare sector stands out … on average, each breach cost $10.10 million in 2022.” 

Given this context, securing remote healthcare delivery means more than simply patching perimeter firewalls. It demands a reshaping of how access, identity, devices, and networks are managed and secured. 

What is SASE?

Yiyi Miao, Chief Product Officer at OPSWAT, offers a clear definition: “SASE is a transformative architecture that combines network and security functions into a unified, cloud-based platform. For remote healthcare delivery, SASE offers several advantages:

• Scalability and flexibility: SASE's cloud-native design allows healthcare organizations to scale their security infrastructure as needed, accommodating the dynamic nature of remote healthcare services.
• Enhanced Security: By integrating continuous trust assessment, identity verification, and device posture checks, SASE ensures that only authenticated users and compliant devices can access sensitive healthcare data.
• Simplified Management: SASE consolidates multiple security functions, such as SD-WAN, CASB, and Zero Trust Network Access (ZTNA), into a single platform, simplifying policy enforcement and reducing administrative overhead.

These features make SASE a compelling solution for securing remote healthcare delivery, ensuring both data protection and operational efficiency.”

SASE integrates networking technologies such as software-defined WAN (SD-WAN) with security services like firewalls, cloud access security brokers (CASB), and Zero Trust Network Access (ZTNA) into one comprehensive cloud-native solution. This allows healthcare organizations to effectively oversee connectivity and secure users, devices, and applications regardless of their location, a crucial capability for supporting remote healthcare workers and patients.

What is ZTA?

The National Institute of Standards and Technology (NIST) describes Zero Trust (ZT) as “an evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.” A Zero Trust Architecture (ZTA) applies these principles across an organization’s infrastructure and workflows.

Key principles of ZTA (based on NIST SP 800-207)

• No implicit trust: NIST states that Zero Trust “assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location… or based on asset ownership.”
• Always verify: “Authentication and authorization (both subject and device) are discrete functions performed before a session to an enterprise resource is established.” Every request to access a system must be validated, regardless of where the user is connecting from.
• Designed for modern environments: Zero Trust is “a response to enterprise network trends that include remote users, BYOD, and cloud-based assets that are not located within an enterprise-owned network boundary.”
• Resource-centric protection: Instead of protecting network segments, ZTA “focuses on protecting resources (assets, services, workflows, network accounts, etc.).”

How do SASE and ZTA work together?

According to the study Secure Access Service Edge: A Zero Trust Based Framework For Accessing Data Securely, SASE and ZTA are deeply intertwined. Their paper describes a system in which “SASE uses Zero Trust Architecture as its backbone, without trusting any device or user but authenticates and authorizes at each request.” 

Here’s how their model shows SASE and ZTA working together to enhance security, especially in remote-access and cloud scenarios:

• Authentication and authorization at every step: Every user and device must authenticate and authorize every time before accessing a resource. The framework doesn’t rely on a fixed perimeter; instead, access is verified at distributed inspection points built into the SASE fabric. 
• Edge-based traffic routing (SD-WAN + ZTA): SASE uses SD-WAN to route traffic efficiently; when a user connects, their traffic is directed via the nearest Point of Presence (POP), reducing latency and avoiding backhauling to a central data center. These POPs serve as enforcement points. As the paper puts it, after the trust check, “direct the traffic with SD-WAN to the resource.” 
• Layered inspection via SWG and CASB: Secure Web Gateway (SWG) is used as a checkpoint to inspect traffic for malicious content. SWG records user behavior and enforces security policies on web-bound traffic. Cloud Access Security Broker (CASB) acts as a gatekeeper for cloud-hosted assets. Once traffic reaches the cloud or data center, CASB inspects that traffic, enforces least-privilege access, and protects sensitive data at rest. 
• Least privilege and device posture: The system applies least-privilege access, where each user gets just enough access to the resources they need, no more. The framework verifies devices rigorously, checking OS version, patch level, and other “posture” signals, before allowing access. 
• Continuous monitoring and feedback (“Collect Information”): ZTA includes a continuous information-collection mechanism: the system collects data about user behavior and device status, sending it to an “Authentication Manager.” This real-time telemetry helps the framework refine security policies dynamically. If suspicious behavior is detected, the system can update access policies or restrict that user or device. 
• Multiple layers of security: The authors argue that SASE, when built around ZTA, provides “defense-in-depth.” SD-WAN routes and optimizes traffic, SWG filters and inspects web traffic, CASB controls cloud data access, and ZTA continuously validates users and devices. This multi-layered architecture helps prevent both external attacks and insider threats because every layer enforces zero-trust.

Deployment model considerations

Their proposed architecture supports a device agent/gateway model (similar to Software-Defined Perimeter), in which each endpoint is treated as an untrusted client needing verification for each access. 

This model “redefines the traditional perimeter-based security” by applying trust checks for every resource request, rather than assuming trust once a user is inside the network. 

Why this matters for healthcare

• Remote clinicians and home access: In a healthcare context, this architecture allows clinicians working remotely (from home or clinics) to access sensitive systems (EHRs, patient databases) securely. Each request is verified, and access is limited appropriately.
• Cloud-based health services: As healthcare data are increasingly stored on the cloud, the CASB + ZTA combo ensures cloud resources are protected and only the required data is exposed based on role and risk.
• Regulatory compliance and auditability: The continuous monitoring and policy enforcement built into the model help with compliance (e.g., HIPAA) because all access is logged, checked, and controlled.
• Resilience against insider/lateral threats: Because no device or user is implicitly trusted, even if an attacker compromises one account, they can’t easily move laterally to other resources; ZTA and SASE will contain the damage.

See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)

Complementary solutions beyond SASE and ZTA

While SASE and ZTA together provide a robust framework for securing remote healthcare delivery, Yiyi Miao points out that “there are additional approaches for healthcare organizations to adopt at the source side to prevent leakage of any sensitive information or the transfer of it into the wrong hands. The implementation can be from the data access point side, a server-side data protection solution that combines data loss prevention, sensitive data access control, and secure data transfer can be alternatively used to allow practitioners in the field to access the data where and when they need it after authentication and authorization processes provided by the SASE or ZTA services.”

This indicates the need for data-centric protections, such as:

• Data Loss Prevention (DLP): Monitoring and controlling sensitive data movement across networks and devices.
• Secure data transfer solutions: Encrypting data in transit and ensuring only authorized parties receive sensitive information.
• Sensitive data access control: Managing permissions and access at the file or database level to ensure minimum necessary use.

These tools complement SASE and ZTA by protecting the data itself, beyond access controls and network security.

FAQS

Can SASE and ZTA be used by small clinics?

Absolutely. Small and mid-sized healthcare organizations benefit greatly because SASE provides enterprise-level security tools without needing on-premise hardware.

Do healthcare organizations need both SASE and ZTA?

Not always, but using both provides stronger protection. ZTA secures access at the user and device level, while SASE secures the entire network edge, ideal for remote care environments.

What threats can SASE and ZTA prevent?

SASE and ZTA help prevent a range of cybersecurity threats, including:

• Unauthorized access by enforcing strict identity and device verification
• Ransomware and malware spread through continuous monitoring and secure access controls
• Man-in-the-middle attacks by encrypting all traffic and verifying sessions
• Data exfiltration using granular access policies and data loss prevention tools
• Insider threats by applying least-privilege access and real-time trust assessments

Read also: Types of cyber threats