After several high-profile data breaches over the past few years, the U.S. government has taken a more aggressive position against cyberattacks, and this includes adopting a zero trust approach to cyber threats. In short, zero trust means trusting no one automatically: every user and device is treated as a potential threat until verified.
What is zero trust security?
Zero trust security assumes that anyone who tries to access a network is a possible threat. It contrasts with traditional security frameworks that rely largely on perimeter defenses such as a firewall. In reality, perimeter defenses rarely cover every endpoint or attack surface, which is why, in conjunction with other needed defense mechanisms, zero trust helps inhibit attacks originating both inside and outside a network.
As an IT security framework, zero trust requires strict identity verification for every person and every device accessing private resources. The core principles are:
- Verify more than once, using multifactor authentication (MFA)
- Grant users the lowest level of access necessary (privileged access management)
- Create data zones to isolate and secure workloads (microsegmentation)
- Monitor activity in real time
- Control device access
In practice, zero trust makes people and devices validate their identity multiple times, and even after confirmation they typically still do not receive full, unmonitored access.
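As an added example (not code from the original post), the following Python policy engine applies the principles listed above to each individual request: access is denied unless MFA has been verified, the device is managed and compliant, the subject holds the role the resource requires (least privilege), and the requesting segment is permitted to reach the resource's segment (microsegmentation); every decision is written to an audit log for monitoring. All user names, device identifiers, roles, segments and the segment policy table are constructed for the illustration.

```python
"""Per-request zero trust policy evaluation (added illustration).

Every request is judged on identity, device posture, least privilege and
segment membership, and every decision is logged. All names and the policy
table below are constructed sample data, not a real deployment.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Subject:
    user: str
    mfa_verified: bool      # did this session complete multifactor authentication?
    roles: frozenset        # roles granted to the user


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool           # present in the organization's device inventory
    compliant: bool         # passes posture checks (patched, disk encrypted, ...)


@dataclass(frozen=True)
class Resource:
    name: str
    segment: str            # microsegmentation zone the workload lives in
    required_role: str      # minimum role needed to touch it (least privilege)


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed policy: which resource segments each source segment may reach.
SEGMENT_POLICY: Dict[str, frozenset] = {
    "clinical-workstations": frozenset({"ehr"}),
    "guest-wifi": frozenset(),   # guests reach nothing internal
}


class PolicyEngine:
    """Evaluates one request at a time; nothing is trusted by default."""

    def __init__(self) -> None:
        self.audit_log: List[str] = []   # feed for real-time monitoring

    def evaluate(self, subject: Subject, device: Device,
                 source_segment: str, resource: Resource) -> Decision:
        # Each check yields its own denial reason so the log explains itself.
        if not subject.mfa_verified:
            decision = Decision(False, "mfa-required")
        elif not (device.managed and device.compliant):
            decision = Decision(False, "device-not-trusted")
        elif resource.required_role not in subject.roles:
            decision = Decision(False, "insufficient-role")
        elif resource.segment not in SEGMENT_POLICY.get(source_segment, frozenset()):
            decision = Decision(False, "segment-not-permitted")
        else:
            decision = Decision(True, "all-checks-passed")
        self.audit_log.append(
            f"user={subject.user} device={device.device_id} from={source_segment} "
            f"resource={resource.name} allowed={decision.allowed} reason={decision.reason}"
        )
        return decision


def run_demo() -> List[str]:
    """Evaluate a set of constructed requests and return the decision reasons."""
    engine = PolicyEngine()
    records = Resource("patient-records", "ehr", "clinician")
    nurse = Subject("nurse01", True, frozenset({"clinician"}))
    nurse_no_mfa = Subject("nurse01", False, frozenset({"clinician"}))  # valid password only
    clerk = Subject("clerk07", True, frozenset({"billing"}))
    laptop = Device("lt-0042", True, True)
    byod = Device("unknown-phone", False, False)
    requests = [
        (nurse, laptop, "clinical-workstations", records),         # legitimate access
        (nurse_no_mfa, laptop, "clinical-workstations", records),  # credentials alone are not enough
        (nurse, byod, "clinical-workstations", records),           # unknown device
        (clerk, laptop, "clinical-workstations", records),         # wrong role
        (nurse, laptop, "guest-wifi", records),                    # wrong segment
    ]
    reasons = [engine.evaluate(*req).reason for req in requests]
    for line in engine.audit_log:
        print(line)
    return reasons


if __name__ == "__main__":
    run_demo()
```

The second request is the interesting one for the credential-theft scenario: a correct username and password with no completed MFA is refused outright, and the refusal is recorded, so a defender sees the attempt rather than a silent success.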
The Federal Zero Trust Strategy
Then in May, the U.S. government released an executive order, Improving the Nation’s Cybersecurity, outlining its zero trust approach. And in September, the Office of Management and Budget released a draft, opening its strategy up to public comment.
The government based the draft on the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model. In summary, the model directs organizations to:
- Institute enterprise-wide MFA
- Inventory all devices
- Encrypt networks
- Treat all applications as internet-connected
- Improve data monitoring
According to CISA director Jen Easterly, zero trust is necessary to strengthen cyber defenses. Finally, the January memorandum officially disseminated the federal strategy, stating:
This strategy sets a new baseline for access controls across the Government that prioritizes defense against sophisticated phishing, and directs agencies to consolidate identity systems so that protections and monitoring can be consistently applied.
It requires all federal agencies to adopt its zero trust goals by the start of fiscal year 2024.
Zero trust in healthcare
Given the benefits of zero trust, all organizations that handle PII or play a critical social role should implement the approach. This is especially true of the healthcare industry, which currently lags behind in implementing cyber defense strategies.
A zero trust strategy strengthens a healthcare organization’s security by limiting access to PHI, and it helps healthcare providers demonstrate HIPAA compliance and avoid HIPAA violations. This matters all the more as the healthcare industry expands its digital perimeters and access points and, in doing so, increases its vulnerability.
The more access points, the harder it can be to manage and protect a network and PHI.
This is where zero trust comes in, shifting healthcare away from what the U.S. Department of Health and Human Services calls its current “castle-and-moat approach.”
A zero trust framework would give healthcare organizations better control over who receives, sends, and views PHI. If a threat actor gets hold of credentials, it is unlikely that they can move deeper into a system: the zero trust barriers prevent further access, letting healthcare providers focus on patient care.
Zero trust with Paubox Email Suite Plus
One simple way to incorporate the zero trust framework into your healthcare organization is by leveraging a HIPAA compliant email solution that contains a zero trust feature, like Paubox Email Suite Plus.
Malicious messages are quarantined for further review, and we require another layer of verification before delivering an email. In other words, we ask for additional evidence from a sender’s mail server before an email passes inbound security checks.
Zero Trust Email, along with other features of Paubox Email Suite Plus, creates strong inbound security to prevent threats like phishing from entering an inbox. Moreover, we encrypt all outbound email directly from an existing email platform (e.g., Microsoft 365 or Google Workspace), requiring no change in email behavior.
In other words, Paubox Email Suite Plus allows healthcare organizations to send and receive HIPAA compliant email securely, something especially needed given the rise of cyberattacks.