Federal agency leaders agree that zero trust security is the “bread and butter” of their agencies’ cybersecurity operations for securing personal health information, where the stakes are high given the special sensitivity of that data.
At the GDIT Emerge Health 2022 conference on Nov. 3, Col. Joseph Hoffert, chief of the Risk Management Executive Division within the Defense Health Agency (DHA) and senior information security officer, explained that because healthcare data needs to be accessible and shareable – unlike other classified data – it requires a strong cyber defense to protect it.
“The goal at the end of the day isn’t to close with and destroy the enemy, it is to ensure a medically ready force and a ready medical force for the nation and to care for our veterans from cradle to grave and their families from cradle to grave,” Hoffert said. “Because we have that charge, we have to protect some of the most sensitive information out there.”
Hoffert said credit card information can sell on the dark web for about $10, but personal health information can sell for several thousand dollars because it’s “immutable.”
That’s where zero trust comes in. Hoffert said his agency is deploying zero trust security architectures to get a better understanding of who has access to what data.
He emphasized that “zero trust is not an application that you buy off the shelf,” but instead it is more of a construct.
Hoffert explained that DHA is in the process of sunsetting its large legacy systems by the end of 2025, and in doing so, has been able to invest more in zero trust.
“The number one thing is turning off the stuff that is cost prohibitive to actually implement some sort of zero trust construct around it,” Hoffert said. “We’re also more moving towards platform as a service and putting more eggs into those platform baskets, and then using zero trust construct around those platforms, so that we’re not building multiple different things.”
Woodie Robinson, the director of specialized device cybersecurity at the Department of Veterans Affairs (VA), said his agency is also leveraging zero trust to protect its infrastructure.
“We really have adopted and embraced zero trust architecture. We find that zero trust architecture is really the bread and butter of us in making sure that we protect these systems and devices within our ecosystem,” Robinson said.
He went on to explain that the VA has a zero trust strategic plan to ensure that proper security controls are in place, “but more importantly, we make sure we have the proper infrastructures in place and security solutions to be able to detect, respond, etc.”
As for the Centers for Medicare and Medicaid Services (CMS), zero trust supports “the secure execution of mission,” according to Conrad Bovell, director of the Division of Information Systems Security at CMS.
Bovell explained that it takes leadership, focus, and bravery to chart a path forward and stand up a strong zero trust architecture.
“I’ve worked with some folks who are very demanding and have pushed us, so that’s why my system is in a position where in terms of the analysis of the zero trust pillars and its DANDI – device, application, network, data, and identity, DANDI, that’s the acronym we use – all of those areas we are very mature in, quite a number of them,” Bovell said.