Health care cybersecurity has never been more critical, with the industry facing a seemingly endless barrage of cyberattacks. Cybercriminals are exploiting even the smallest vulnerabilities to slip in unnoticed. With so much at stake, implementing a zero-trust security framework is crucial.
Establishing a Zero-Trust Architecture
Zero trust assumes the network has no traditional edge — it can be local, in the cloud, or a combination of both. Regardless of where resources are, users must undergo continuous validation to maintain access to applications or data. Authentication can be passive, taking place in the background, or active, requiring an action from the user.
There is no universal zero-trust security framework. Rather, the concept comprises guiding principles. NIST Special Publication (SP) 800-207, Zero Trust Architecture, outlines the seven tenets of zero trust. Professionals must:
- Treat all data sources and computing services as resources
- Secure all communication, regardless of network location
- Grant access to individual resources on a per-session basis
- Determine access with dynamic policies that account for user, device and context
- Monitor and measure the integrity and security posture of all assets
- Strictly enforce authentication and authorization before access is allowed
- Collect information about the state of assets, networks and communications and use it to improve security posture
Health care facilities must continuously verify all devices and ensure that users are who they claim to be. To mitigate the damage caused by breaches, a robust and strategic architecture design is necessary. If a breach occurs, automated data collection and threat response mechanisms should trigger to reduce dwell time.
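As an added illustration (not from the original article), the following Python policy-decision function applies several of these tenets to a single access request: per-session validation, a dynamic per-resource policy, device integrity and patch posture, and strict MFA enforcement, with every denial reason returned so it can be logged. The resource names, roles, 15-minute session window, 30-day patch age and sample devices are constructed assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Device:
    managed: bool           # enrolled in the facility's device management
    integrity_ok: bool      # latest attestation / EDR health check passed
    last_patched: datetime
@dataclass
class AccessRequest:
    user: str
    role: str
    mfa_verified: bool
    device: Device
    resource: str
    session_started: datetime

# Assumed dynamic policy: each resource states the minimum posture it requires.
POLICY = {
    "ehr.patient_records": {"roles": {"clinician", "nurse"}, "mfa": True, "max_patch_age_days": 30},
    "patient.portal": {"roles": {"patient"}, "mfa": True, "max_patch_age_days": None},
}
SESSION_TTL = timedelta(minutes=15)   # assumed re-validation interval per session

def evaluate(req: AccessRequest, now: datetime) -> tuple[bool, list[str]]:
    """Per-session decision; unknown resources are denied by default."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, ["unknown resource: default deny"]
    reasons = []
    if req.role not in rule["roles"]:
        reasons.append(f"role {req.role!r} not permitted for {req.resource}")
    if rule["mfa"] and not req.mfa_verified:
        reasons.append("MFA not verified for this session")
    if not (req.device.managed and req.device.integrity_ok):
        reasons.append("device unmanaged or failed integrity check")
    max_age = rule["max_patch_age_days"]
    if max_age is not None and now - req.device.last_patched > timedelta(days=max_age):
        reasons.append("device patch level older than policy allows")
    if now - req.session_started > SESSION_TTL:
        reasons.append("session expired; re-authentication required")
    return not reasons, reasons

def sample_decisions() -> dict[str, tuple[bool, list[str]]]:
    """Constructed sample requests: one allow and two denials."""
    now = datetime(2025, 9, 15, 9, 0, tzinfo=timezone.utc)
    good = Device(True, True, now - timedelta(days=5))
    stale = Device(True, True, now - timedelta(days=60))
    return {
        "nurse_ok": evaluate(AccessRequest("nurse1", "nurse", True, good, "ehr.patient_records", now - timedelta(minutes=2)), now),
        "stale_device": evaluate(AccessRequest("dr2", "clinician", True, stale, "ehr.patient_records", now), now),
        "no_mfa_expired": evaluate(AccessRequest("pt3", "patient", False, good, "patient.portal", now - timedelta(minutes=20)), now),
    }
```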
Why Should Hospitals Adopt Zero Trust?
According to the United Nations, 98% of developed countries have enacted cybersecurity legislation. Many apply to health care to curb the industry’s rising cybercrime rate. HIPAA’s Security Rule outlines administrative, technical and physical safeguards for protecting PHI, including information from medical IoT devices. These requirements do not mandate zero trust, but they complement many zero-trust principles and can serve as a strong foundation for implementing such a framework.
Since federal, state, and industry-specific regulations may vary, compliance can differ from one facility to the next. Decision-makers should use this as a justification to go beyond the minimum regulatory standards. Zero trust applies equally to all users, regardless of their seniority or tenure, making it a practical security framework.
Beyond compliance, professionals should consider how protected they are against today’s biggest cybersecurity threats. With healthcare cyberattacks increasing in severity and frequency, only the most stringent methodologies will be adequately effective.
Common Security Threats to Health Care
Cybercriminals target healthcare with a variety of techniques and are constantly developing novel attack methods because PHI is highly valuable. Ransomware, credential theft, and supply chain attacks are among the most pressing threats as of 2025, as they cause significant damage but can be challenging to detect in a timely manner.
Attacks don’t have to be sophisticated or drawn-out to pose a significant threat. If providers place their trust in the wrong vendor or fail to consider trustworthiness in the first place, they risk unauthorized access and data breaches.
In September 2025, cybersecurity researcher Jeremiah Fowler alerted news outlets that Archer Health, a home healthcare company, had kept an unencrypted, non-password-protected database publicly available on the internet. It contained 145,000 files, comprising patient identification numbers, social security numbers, and personally identifiable information (PII).
Without forensic analysis, it is impossible to know whether a bad actor accessed these documents before Fowler. However, as of September, no evidence has appeared to suggest the documents are on the dark web. Still, this blunder serves as a reminder of the potential consequences of unregulated access.
Healthcare cybersecurity professionals must account for every information storage system and digital asset, as they can only protect what they know exists. Even in the best-case scenario, identifying indicators of compromise and remediating threats is a time-consuming process. Statistics show IT teams take around 88 to 208 days to patch vulnerabilities, depending on their risk level.
Zero-Trust Strategies for Protecting Patient Data
Zero-trust security frameworks should be purpose-built for specific technology stacks, resulting in numerous potential strategies. However, there are multiple generalized approaches professionals can adapt. Here are some of the best risk mitigation strategies to protect PHI and PII.
The Crawl-to-Run Strategy
This strategy is ideal for smaller clinics or those with fewer resources. It begins at a crawl: the team starts with existing systems to cover critical assets and establish foundational components, typically the identity, credential, and access management system, security analytics, and endpoint protection tools. The IT team then gradually adds capabilities beyond that base. Discovery and enforcement mechanisms are key at every stage.
The All-Purpose Approach
In this general approach, security specialists build on the three core logical components described in NIST SP 800-207: the policy engine, the policy administrator, and the policy enforcement point. Together they carry out multiple logical functions automatically, accelerating response time. Although they sound simple, these components are not plug-ins. They comprise complex infrastructures with multiple hardware and software components.
The Cloud-Based Strategy
As cloud-hosted services become more prevalent in the healthcare industry, cybercriminals are increasingly targeting cloud environments. This poses a problem since healthcare cybersecurity professionals have less control here.
They should place policy enforcement points (PEPs) at the applications’ corresponding access points. Whether clients use portals or locally installed agents, they access the PEPs directly, allowing security specialists to manage their access to externally hosted resources. This framework may be complex in multicloud environments since providers often have unique implementation methods.
The Patient-Facing Scheme
Hospitals should already have a strong foundation for managing information access requests from registered users since HIPAA preserves patient privacy by protecting PHI.
However, their policy implementation capabilities may be limited since patients have a legal, enforceable right to access and retrieve records. Additionally, malicious actors may use stolen credentials to impersonate legitimate users. IT leaders should consider mandating biometrics and multifactor authentication to ensure users are who they claim to be, without risking noncompliance.
Industry Best Practices for Clinics to Follow
Following implementation best practices can help accelerate design and deployment. IT leaders should look to trusted authorities, like NIST. The NIST National Cybersecurity Center of Excellence released the final practice guide, Implementing a Zero Trust Architecture, in 2025.
NIST SP 1800-35 explains how facilities can implement a framework consistent with the best practices outlined in NIST SP 800-207. It contains in-depth technical information, models to emulate, and lessons learned from past attempts to help make integration more seamless and cost-effective.
Early on, observations are key. Professionals should use discovery tools to audit and validate what they deploy and provision. This way, they can ensure their known data correlates with the information their tools provide, enabling them to form robust zero-trust policies.
IT leaders should also look to their peers to determine which implementation best practices align best with their needs. In the case of Dayton Children’s Hospital — a $600 million pediatric care facility — a small team secured over 25,000 devices across two primary campuses and 20 ambulatory care sites, ranging from smart televisions to robotic surgery aids.
After conducting a gap analysis, the team classified all assets and upgraded its technology stack to simplify management. The hospital had limited time, money, and people to dedicate to health care cybersecurity, so gradually implementing a zero-trust architecture was essential for maintaining security without impacting patient care.
Proceeding With Architecture Implementation
A zero-trust security framework has emerged as a practical solution because it enables clinicians to perform their duties without risk of cyberattack-related interruption or downtime. It also frees up the IT team for more critical matters. Once they identify gaps, classify assets, and understand which logical components their architecture requires, they can protect against emerging threats.
Emily Newton is a seasoned freelance writer and Editor-in-Chief of Revolutionized Magazine, specializing in digital technologies disrupting industry. She has a passion for exploring how IoT is revolutionizing the industrial and tech sectors. You might have seen her work in publications like TripWire, IoT For All, and Embedded. When she's not writing, Emily enjoys playing chill video games and stargazing.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.