The U.S. Department of Defense (DoD) plans to release its formal zero trust security strategy sometime in mid-September. Zero trust means that no one is trusted automatically. With the sharp rise in data breaches, the government’s decision to push such a stringent position makes sense.
In fact, organizations worldwide are adopting zero trust, including healthcare covered entities and their business associates. For critical infrastructure, like healthcare, it is vital to safeguard personally identifiable information (PII) and protected health information (PHI). This is a specific area of concern with HIPAA compliance and email.
HIPAA, email and zero trust should always go together within healthcare
Paubox builds HIPAA compliance and strong email security into all its solutions to help healthcare deliver zero-trust email to its organizations.
What is zero trust security?
Zero trust rightly assumes that anyone who tries to access a network is a possible threat. It contrasts with traditional security programs that rely on perimeter defenses such as a firewall.
As a security framework, zero trust halts access until someone is proven trustworthy. Zero trust security validates users multiple times and, even after validation, does not give them full access. It follows a few core principles, including:
- Multi-factor authentication (MFA)
- Least privilege access
- Real-time monitoring of all activity
Threaded throughout is the focus on strong and aggressive access management. Enhanced access management gives organizations more control over what their employees see, read, and click. It does not matter if the behavior is intentional or accidental.
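To make the three principles above concrete, here is a small per-request policy check written for this article (added example, not Paubox code): every request is re-validated, MFA must be fresh, the role table grants only the narrowest scope, and every decision is logged. The role table, the 15-minute MFA window and the sessions are constructed values, not a real configuration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Hypothetical policy: MFA must have been completed within the last 15 minutes.
MFA_MAX_AGE_SECONDS = 900

# Least-privilege role table (constructed): each role gets only the
# (resource class, action) pairs it needs, nothing broader.
ROLE_PERMISSIONS = {
    "nurse": {("phi", "read")},
    "billing": {("pii", "read"), ("pii", "write")},
    "admin": {("phi", "read"), ("phi", "write"), ("pii", "read"), ("pii", "write")},
}

@dataclass
class Session:
    user: str
    role: str
    mfa_verified_at: Optional[float]  # epoch seconds; None = MFA never completed
    device_inventoried: bool          # device is known to the organisation

@dataclass
class AccessRequest:
    session: Optional[Session]  # None = unauthenticated caller
    resource_class: str         # "phi" or "pii"
    action: str                 # "read" or "write"
    now: float                  # time of the request, epoch seconds

@dataclass
class PolicyEngine:
    audit_log: List[str] = field(default_factory=list)

    def decide(self, req: AccessRequest) -> Tuple[bool, str]:
        """Evaluate one request and record the outcome (real-time monitoring)."""
        allowed, reason = self._evaluate(req)
        who = req.session.user if req.session else "anonymous"
        verdict = "ALLOW" if allowed else "DENY"
        self.audit_log.append(f"{req.now:.0f} {who} {req.action} {req.resource_class} -> {verdict} ({reason})")
        return allowed, reason

    def _evaluate(self, req: AccessRequest) -> Tuple[bool, str]:
        s = req.session
        if s is None:
            return False, "no authenticated session"
        if not s.device_inventoried:
            return False, "device not in inventory"
        if s.mfa_verified_at is None or req.now - s.mfa_verified_at > MFA_MAX_AGE_SECONDS:
            return False, "MFA missing or stale; re-verify"  # validated again, every request
        permitted: Set[Tuple[str, str]] = ROLE_PERMISSIONS.get(s.role, set())
        if (req.resource_class, req.action) not in permitted:
            return False, f"role {s.role} lacks {req.action} on {req.resource_class}"
        return True, "all checks passed"
```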
Thankfully, the principles of zero trust are spreading, and so is the switch to zero trust security. IBM recently released its 2022 Cost of a Data Breach Report, which states that the share of organizations deploying aspects of zero trust grew from 35% in 2021 to 41% in 2022. This includes the U.S. government, which finalized its Federal Zero Trust Strategy at the beginning of this year.
The Federal Zero Trust Strategy
On January 26, 2022, the U.S. White House released a memorandum that laid out its Federal Zero Trust Strategy. The government began exploring this idea early in 2021 in response to what some experts labeled as a ransomware epidemic.
The government based its strategy on the Cybersecurity and Infrastructure Security Agency’s (CISA) Zero Trust Maturity Model. In summary, the model directs organizations to:
- Institute enterprise-wide MFA
- Inventory all devices
- Encrypt networks
- Treat all applications as connected to the Internet
- Improve data monitoring
The January 2022 memorandum asserts that the government wants to prioritize defense, especially against “sophisticated phishing.” The Agari and PhishLabs Quarterly Threat Trends & Intelligence report emphasizes that attackers use phishing across a wide range of online platforms, including social media, webmail/online services, ecommerce, and cloud storage/hosting. The report demonstrates why it is important to keep phishing emails from causing chaos and organization-wide shutdowns.
All federal agencies must draw up plans to move to a zero trust architecture by the end of fiscal year 2024. The DoD has taken this challenge to heart.
The DoD’s response to zero trust
The DoD published its first zero trust architecture draft before the White House released its January 2022 memorandum. In fact, it created its joint Zero Trust Engineering Team with the National Security Agency (NSA) in 2020.
The upcoming strategy outlines dozens of what the DoD calls zero trust “capabilities” organized around seven “pillars”:
- Users
- Devices
- Networks and environments
- Applications and workloads
- Data
- Visibility and analytics
- Automation and orchestration
The DoD wants to implement most of these capabilities (90) to reach what it calls its targeted zero trust level. An additional 62 capabilities will then move the Pentagon into an even more advanced zero trust state.
Next week’s draft also lays out steps for them to take with their vendors. The DoD is already talking to commercial providers about how to implement zero trust in the cloud.
John Sherman, the CIO of the DoD, declared that the goal is not to reinvent the wheel. The department is using the Department of the Navy’s recent switch as an example of how to move forward. They aim for a complete deployment by 2027 across most of their enterprise systems.
Zero trust, healthcare, HIPAA compliance and email
Strong zero trust access controls are vital for all critical infrastructure, including healthcare. Solid cybersecurity, however, is still lacking in the healthcare industry. In fact, healthcare cyberattacks in the first five months of 2022 nearly doubled compared with the same period last year.
At the same time, the Okta State of Zero Trust Security 2022 report observed a 21% increase in healthcare organizations implementing zero trust initiatives, and most of those surveyed said they had plans to do so within the next 12 to 18 months.
Zero trust shifts healthcare away from what the U.S. Department of Health and Human Services calls its current “castle-and-moat [perimeter] approach.” The idea is to use barriers between people and technology for better control over who receives, sends, and views PHI.
Access barriers would also help healthcare providers demonstrate HIPAA compliance and avoid HIPAA violations. And doctors and hospitals would be able to focus better on patient care.
If threat actors obtain someone’s credentials, zero trust makes it unlikely that they can move deeper into a system. This matters especially for email, the most used and abused threat vector.
One simple way to incorporate the zero trust framework is by leveraging a HIPAA email solution like Paubox Email Suite. We take zero trust seriously when it comes to our HIPAA email security features.
Paubox Email Suite, our HITRUST CSF certified solution, encrypts all outgoing email and delivers it directly to the recipient’s inbox. And best of all, there are no extra passwords or portals to remember. Our Plus and Premium solutions also come equipped with solid inbound security tools such as Zero Trust Email.
This feature ensures inbound messages are genuine by adding an extra layer of access control to every email. No one can access sent emails without the correct permissions, and phishing emails won’t reach an inbox to catch employees off guard.
Zero trust and Paubox protect healthcare organizations and keep email accounts locked from unnecessary access. Given the benefits of zero trust, all organizations that work with PII/PHI should implement the approach. The only cybersecurity worthwhile includes protections for every endpoint and every attack surface.