Implementing zero trust is difficult in any environment, but healthcare organizations, especially those involved in patient care, tend to find it particularly challenging. This piece details six common stakeholder objections to implementing zero trust in the healthcare sector and provides some effective strategies for overcoming them.
Objections to Zero Trust in Healthcare
1. Zero Trust Will Impact System Availability
Healthcare organizations, especially those involved in patient care delivery, are often reluctant to implement zero trust technologies for a variety of reasons.
The main one is uptime. Many portions of healthcare organization networks have extremely critical availability requirements. Interruptions to system operations, for any period of time, can adversely affect patient care. Because zero trust uses a “deny all, permit by exception” philosophy, downtime is possible during the rollout. System and network changes are also more fragile in a zero trust environment because, ideally, all devices are configured in a “deny all” posture.
To overcome these objections:
- Get strong policies in place for new networks: Develop policies to architect new networks with policy enforcement points and document specific authentication and authorization requirements. You can’t implement zero trust without policy enforcement points, and most networks were not architected with zero trust policy enforcement in mind.
- Focus on blocking known bad communications in existing networks: First, determine communications that should never occur, particularly in protocols known for lateral movement and data theft. Then block those using network access control lists (ACLs).
- Take it slow: After blocking specific protocols and destinations used for lateral movement and/or data exfiltration, continue progressively limiting more communications (starting with east/west communications).
Organizations that ease their way into zero trust policy enforcement before adopting a “deny all” posture typically experience far fewer system interruptions during implementation. Bonus: Problems that do occur are significantly easier to troubleshoot.
2. Zero Trust Is Unnecessary
Some healthcare leadership stakeholders still (somehow) think threat actors aren’t interested in their networks. Threat actors consistently disprove this assertion, yet it persists. To the extent they understand they are a target, many leadership stakeholders misunderstand the security return on investment for implementing zero trust.
To overcome this objection:
- Cite real-world data: Use case studies from public and private reporting to demonstrate how other similarly sized/situated healthcare organizations have been impacted by cybersecurity incidents. Then discuss how the zero trust measures you’re proposing would have prevented those incidents by stopping threat actors from moving laterally in the network, exfiltrating data, etc.
- Make the case for early detection: Ensure stakeholders understand even an incomplete zero trust implementation provides opportunities for early detection of incidents.
- Help them see the big picture: Educate stakeholders that zero trust isn’t a specific technology that’s deployed (although we may deploy technologies to implement it). Rather, it is a design and operating philosophy that improves security.
3. Tight Budget Dollars Should Go to More Proven Initiatives
Many healthcare organizations operate on meager security budgets that inhibit the deployment of zero trust in their networks. Stakeholders will often argue other security- or technology-related expenditures should be prioritized over zero trust implementation.
To win the budget wars:
- Underscore zero trust’s relative importance: Educate stakeholders on the security benefits of zero trust relative to other recommended expenditures.
- Be sure to use existing technologies where possible: Identify solutions already in the environment that can be used to gradually reduce trust, even if it isn’t eliminated for a given system.
- Use free labor where possible: Consider using interns for the data, asset and application inventory used to create zero trust policy. This is especially easy for healthcare organizations affiliated with a university. Many interns (especially graduate students) are familiar with Linux and can implement security through basic AppArmor (easier) and SELinux (harder) profiles to increase the security of existing workloads.
4. Zero Trust Can’t Protect Legacy Infrastructure
Many healthcare organizations use old legacy software and operating systems. This is by necessity, but that doesn’t change the fact that many zero trust software packages aren’t compatible with legacy OS or software versions. Stakeholders think because the entire network can’t be “protected with zero trust,” the effort to increase security posture is not warranted.
To overcome this objection:
- Adopt a “can do” attitude: Ask, “What solutions are available?” instead of just accepting defeat when a given tool isn’t supported.
- Focus on segmentation: Examine network segmentation opportunities (see https://www.iansresearch.com/resources/all-blogs/post/security-blog/2023/03/30/zero-trust-network-segmentation-best-practices) for devices where endpoint zero trust agents aren’t supported.
- Learn to use SSH tunnels: An SSH tunnel adds encrypted transport to any legacy application without modifying it, and combined with appropriate network ACLs (so the application port is reachable only through the tunnel endpoint) it can also put MFA and certificate-based authentication in front of that application.
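The following is an added example, not code from the post or from IANS, of the tunnel approach: an sshd_config fragment for the host in front of a legacy plaintext application, the matching client command, and a vendor-neutral ACL intent. The host name legacy-app.internal, the user name tunnel, the application port 8080 and the CA key path are assumptions.

```shell
#!/bin/sh
# Added example (not from the IANS post). Assumed names: legacy app listens on
# TCP/8080 on legacy-app.internal; tunnel user "tunnel"; CA key path below.
set -eu

# sshd_config fragment: certificate-based auth via a trusted user CA plus a
# second factor (keyboard-interactive, e.g. a PAM-backed OTP module), no shell
# or TTY for the tunnel account, and forwarding permitted only to the app port.
sshd_fragment() {
  cat <<'EOF'
TrustedUserCAKeys /etc/ssh/user_ca.pub
AuthenticationMethods publickey,keyboard-interactive
PasswordAuthentication no
Match User tunnel
    PermitTTY no
    ForceCommand /bin/false
    AllowTcpForwarding local
    PermitOpen localhost:8080
    X11Forwarding no
    AllowAgentForwarding no
EOF
}

# Client-side tunnel command. Binding the local end to 127.0.0.1 keeps other
# hosts from riding the authenticated tunnel; -N opens no remote shell.
tunnel_cmd() {
  printf 'ssh -N -o ExitOnForwardFailure=yes -L 127.0.0.1:18080:localhost:8080 tunnel@%s\n' "$1"
}

# Constructed, vendor-neutral ACL intent: only SSH reaches the legacy host, so
# the plaintext 8080 port is unreachable except via the tunnel.
acl_rules() {
  cat <<'EOF'
permit tcp any host legacy-app.internal eq 22
deny   tcp any host legacy-app.internal eq 8080
deny   ip  any host legacy-app.internal
EOF
}
```

After the tunnel is up, the legacy client is pointed at http://127.0.0.1:18080 instead of the application host.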
5. Zero Trust Tools Store Sensitive Data
Security instrumentation may result in protected health information (PHI) being stored in security tooling (e.g., SIEM), which may be contrary to existing policies and/or security requirements.
To overcome this objection:
- Focus on compliance: If necessary to comply with policy, grant requirements, etc., deploy security tooling as part of the healthcare network itself. This reuses well-understood enclave models (e.g., PCI cardholder data environments).
- Reduce in-scope PHI: Examine existing processes and adapt them to limit the amount of PHI (or other regulated) data stored in security tooling (e.g., recompiling a binary to accept PHI data from an environment variable rather than the command line, since command-line arguments are captured in process-creation logs that end up in the SIEM).
- Establish data security agreements with third parties: Consider putting business associate agreements in place to cover instances where a third party may obtain sensitive data through incidental security tool collection.
6. SaaS-Based Zero Trust Tools Present Unacceptable Risk
Some healthcare networks have limited connectivity with the internet by design. Many zero trust tools deliver capabilities via SaaS. Even when networking isn’t an issue, data collected via SaaS applications is necessarily shared with third parties, increasing the risk of compromise. Additionally, every tool that might contain regulated healthcare data increases the organization’s compliance burden.
To overcome this last objection:
- Choose your vendors wisely: Use third-party risk management to choose SaaS vendors considered safest. Focus on picking vendors that minimize the amount of data collected.
- Look for on-premises alternatives: Understand your core requirements for zero trust and evaluate available on-prem solutions that meet those requirements.
- Watch the scope: Don’t let SaaS vendor capabilities create new requirements for you (e.g., if you’re first learning about a capability in a vendor’s marketing literature, you probably don’t need it).
How to Sell the Organization on Zero Trust
Every good salesperson is ready to deal with common objections to closing a deal, and cybersecurity staff seeking to "sell" the organization on zero trust deployment should be just as prepared. To improve your chances of overcoming stakeholder objections:
- Don’t boil the ocean: Educate stakeholders that no environment ever reaches literally zero trust. The goal is to reduce trust.
- Focus on reducing implicit trust going forward: The easiest first step to take on your journey to zero trust is to examine every change to the network and ask: Is this change increasing implicit trust, decreasing it or not impacting it at all? By simply favoring those changes that don’t increase implicit trust, the organization will be better positioned to implement a full zero trust deployment with every passing month.