In this interview, CGI Vice President, Management Consulting Paresh Patel explains how adoption of zero trust architecture at Federal agencies protects Healthcare data from cyberattacks.
Vulnerability of Healthcare Data
Healthcare is one of the most targeted industries for cyberattacks. In fact, selling medical records on the dark web is financially more valuable than the sale of credit card or social security numbers. This stolen information can be used to file fake claims or blackmail people.
When it comes to protecting this data, we need to understand who is granted access. For example, computers, phones, medical devices and Healthcare trackers all collect data. They also have become more sophisticated over the years and provide other entry points to gain access to private information.
People, including employees, contractors, business partners and third parties, also have access to data. While we like to believe that everyone who has access is treating the data properly, a recent study found that 18% of Healthcare workers would be willing to sell information to unauthorized parties if the price was right.
One of the first steps to reducing cyberattacks is looking at who has access to confidential information.
Zero Trust architecture for Federal Agencies
As Veterans, retirees and citizens are increasingly affected by cyberattacks, recommendations around Zero Trust architecture have been developed. Some of these Zero Trust components can already be found in use within Federal agencies. Recent executive orders have established the model to use as a stepping stone to achieve better security moving forward, and for those who have yet to move in this direction.
Zero Trust is not something you can go out and purchase and implement. It’s a strategy and different way of thinking about a process. Rather than building a wall to keep unauthorized users the bad guys out, the approach is to focus inward and outward in order to keep information safe.
Due to the growing use of technology by citizens and with more people working from home, the perimeter of what needs to be secure is larger. In the past, we believed that if attacks were kept outside a border that the data inside would be safe. A shift from this perimeter model to Zero Trust eliminates those boundaries altogether and instead provides protection from wherever data is being accessed.
Continuous monitoring, with constant validation and verification through strategies such as multifactor authentication is one tool that system users will have to adapt to as Zero Trust moves forward. While initially this extra step may feel like a burden, a change in mindset to understanding the necessity to better protect information will help it become part of normal procedures.
Having that single point of failure increases the likelihood of a cyberattack. By changing the design of policies and procedures we can minimize the burden of mitigating threats.
For instance, looking at the patterns of Healthcare workers could help indicate a threat from inside. If an employee is typically working within systems during the day but has a login at night, a warning should trigger. Investigation into the activity should confirm whether or not an imposter is accessing information.
Tools Government can Implement as it adapts to Zero Trust
There are some basic tools Government should implement as part of moving toward Zero Trust.
The first is reducing the risk of insider threat. A good set of policies and procedures will ensure that employees who have access to sensitive information are not a danger.
The second is securing the remote workforce. We’re seeing a permanent shift to some employees working from home all of the time or on a hybrid schedule. Remote work locations means putting measures in place that are flexible while also escalating security.
Third on the list is maximizing customer privacy. As keepers of data, Government and businesses have a duty to protect Healthcare customers.
Finally, protecting the hybrid cloud, which is a new foundation, is important. Security means protecting information that is on site and in the cloud. There is a need to work with cloud partners and vendors to establish the right measures.
Working with these outcomes is a roadmap to Zero Trust security. The greatest efficiency will come when we can use existing investments to get the maximum return on investment.
Advice for Industry
At the end of the day, Federal agencies and businesses working in Healthcare are the stewards of personal data for many individuals.
For industry partners supporting Government agencies in their move to Zero Trust, going back to fundamentals is key, with a focus on people, process and technology. This involves doing an inventory for each of these components while thinking about the people aspect whether it’s a contractor, employee or citizen accessing information. Going through this exercise will identify gaps, overlaps and redundancies.
Change management is found throughout this process as well. Stakeholders should be identified with a focus to ensuring they are on board, aware of the changes and that they are communicating to their teams along the way. Training is also important when rolling out a new security system for anyone who has a technology role.
Geopolitical activities have had a role in a significant uptick in cyberattacks with the Federal Healthcare domain becoming a new area for assault. Attackers have become bolder, but they can easily get hacking toolkits that make it easier for virtually anyone to launch an attack. Simplifying processes and looking for redundancies will put Federal agencies and commercial businesses on the right path for a Zero Trust mindset.
About Paresh Patel
Paresh Patel is the Vice President, Management Consulting – CIO Advisory Practice Lead with CGI. He is an experienced leader with a demonstrated history of working in the information technology and services industry. He is skilled in Artificial Intelligence, Robotics Process Automation, Internet of Things, Mobile Technologies, IT Strategy and Business Transformation.
Founded in 1976, CGI is among the largest IT and business consulting services firms in the world. We are insights-driven and outcomes-based to help accelerate returns on your investments. Across 21 industries in 400 locations worldwide, we provide comprehensive, scalable and sustainable IT and business consulting services that are informed globally and delivered locally.