New Zero Trust Security Model for Healthcare Launched
The Alliance for Smart Healthcare Excellence has launched the Healthcare Zero Trust Maturation Model (HC-ZTMM™). The framework provides the first healthcare-specific, clinically-informed model for assessing Zero Trust security maturity. It is being offered for free to qualified healthcare provider organizations to help them strengthen their security posture.
- For the 14th consecutive year, the healthcare industry has incurred the highest average costs for data breaches, reaching an average of $9.77 million per incident in the U.S.
- The Zero Trust model operates on the principle of "never trust, always verify," which means no user or device is automatically trusted, even if it is inside the network perimeter. Key components include continuous verification, micro-segmentation, and enforcing least-privilege access to patient data and clinical systems.
- Initial findings from the HC-ZTMM show that most healthcare organizations are at a low maturity level, described as "Structured but Static," with foundational controls that are not continuously enforced or automated. A significant gap identified was the lack of dynamic trust assessment, which is typically only evaluated at login rather than continuously.
- The model was developed by the Alliance for Smart Healthcare Excellence, a non-profit led by former HIMSS CEO H. Stephen Lieber, in collaboration with Zscaler and a board of security executives from various health systems.
- The urgency for such a framework is highlighted by the fact that 92% of healthcare organizations reported experiencing at least one cyberattack in a recent survey, a figure that has been steadily increasing. In the first half of 2024 alone, there were 387 reported data breaches involving 500 or more records.
- This model is specifically designed to address unique healthcare vulnerabilities, such as securing sensitive electronic health records (EHR), legacy systems, and the expanding network of connected Internet of Medical Things (IoMT) devices.
- The framework evaluates an organization's Zero Trust posture across four key domains: governance, infrastructure, operational resilience, and experience assurance.
- Organizations that use the free HC-ZTMM receive a confidential maturity summary that highlights strengths and gaps, which is designed to help leadership with roadmap planning and prioritizing investments over the next 12-24 months.
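The "Structured but Static" gap described above (trust evaluated only at login) is easiest to see side by side with a continuous check. The following is an added illustration, not code from the HC-ZTMM or from the Alliance; the role-to-segment table, the 900-second re-verification interval and the device posture fields are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed example data: least-privilege mapping of roles to network segments
# (a simple stand-in for micro-segmentation policy).
SEGMENT_ACCESS = {
    "ehr": {"clinician", "pharmacist"},
    "imaging": {"clinician", "radiologist"},
    "billing": {"billing"},
}
REVERIFY_AFTER_SEC = 900  # assumed maximum age of an identity verification


@dataclass
class DeviceState:
    managed: bool
    patched: bool

    def compliant(self) -> bool:
        return self.managed and self.patched


@dataclass
class Session:
    role: str
    last_verified: int         # seconds since epoch, constructed value
    device_ok_at_login: bool   # posture snapshot taken once, at authentication


def login_only_policy(session: Session, device: DeviceState, segment: str, now: int) -> bool:
    """'Structured but Static': trust is decided at login and never re-evaluated.
    The live device state and the age of the verification are ignored."""
    return session.device_ok_at_login and session.role in SEGMENT_ACCESS.get(segment, set())


def continuous_policy(session: Session, device: DeviceState, segment: str, now: int) -> bool:
    """Dynamic trust assessment: every request re-checks verification age,
    current device posture and least-privilege segment membership."""
    if now - session.last_verified > REVERIFY_AFTER_SEC:
        return False                  # identity assurance has gone stale
    if not device.compliant():
        return False                  # posture changed after login
    return session.role in SEGMENT_ACCESS.get(segment, set())


if __name__ == "__main__":
    sess = Session(role="clinician", last_verified=1_000, device_ok_at_login=True)
    drifted = DeviceState(managed=True, patched=False)   # lost compliance mid-session
    print("login-only :", login_only_policy(sess, drifted, "ehr", now=1_100))   # True
    print("continuous :", continuous_policy(sess, drifted, "ehr", now=1_100))   # False
```

The same request is allowed by the login-only evaluator and denied by the continuous one because the device drifted out of compliance after authentication; the continuous evaluator also denies once the verification is older than the interval.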