July 11, 2025

“Zero Trust” and healthcare: a cybersecurity blueprint

In healthcare, trust is foundational, but in cybersecurity, trust can be destructive. How a “zero trust” approach can resolve this paradox, protecting healthcare businesses and patients alike.


In 2024, ransomware hit healthcare hard: cyberattacks put more than 25.6 million patient records at risk, while the average ransom demand neared $6 million. With healthcare still a uniquely vulnerable and lucrative target, the attacks are sure to continue.

That vulnerability flows from the complexity of modern healthcare. Hospitals and providers deliver care through a vast array of systems and devices, each of them a portal to highly sensitive personal health information (PHI). At the same time, access needs are broad and varied, with vendors, doctors, remote clinicians and administrators all requiring access to that data in order to care for patients. Legacy security models based on implicit trust, flat networks and reactive defenses can no longer meet the moment. To stay ahead of the evolving cyber threat, healthcare organizations need to move toward proactive, risk-based frameworks. In short, they need zero trust.

The case for zero trust

Zero trust is a cybersecurity philosophy that treats every user, device, application and connection as untrusted until it’s authenticated, authorized and validated—and the validation must be continuous. In other words, zero trust assumes that no person, application, system, device, endpoint, etc., within or beyond the organization’s network perimeter, should be automatically trusted.

Zero trust is a principle, not a product, and in healthcare it pays off at every operational pain point along the patient-care delivery chain. These include security gaps created by legacy infrastructure, the risks introduced by medical devices, and the regulatory complexity of handling sensitive patient information. The use cases below show how zero trust can be applied across the whole sweep of the healthcare continuum.

Ransomware resilience

Ransomware remains one of the most pressing cybersecurity risks in healthcare. A single infection of malicious code can shut down emergency rooms, delay diagnoses, and force clinicians to fall back on manual processes.

This vulnerability stems from a mix of technical debt and operational complexity, including:

  • Legacy systems that are outdated and/or can’t be patched.

  • Flat, permissive networks that allow a bad actor to move laterally from the intrusion point to other areas of the network.

  • Fragmented identity governance and excessive administrative privileges.

  • Limited visibility into devices and network endpoints, and delayed threat detection.

  • Weak or incomplete backup and recovery processes.

Zero trust won’t eliminate ransomware, but when properly implemented it can significantly slow an attacker’s progression and accelerate recovery, reducing operational and clinical impact. Here’s how:

Access and containment

Identity- and device-aware access controls restrict access based on role, context and device posture, reducing initial exposure. Network segmentation and micro-segmentation ensure that breaches remain isolated, preventing spread to critical systems. Meanwhile, continuous telemetry and behavioral analytics flag anomalies early, enabling rapid, automated containment of compromised accounts or endpoints.

Data security and recovery

Zero trust enforces strict, role-based access to sensitive data, including personally identifiable information (PII), PHI, and other clinical records. Immutable backups and air-gapped storage protect recovery points from compromise. Granular restoration strategies enable staged, priority-based recovery to minimize care disruption. Regular recovery testing and robust business-continuity planning ensure these capabilities translate into real-world resilience when an incident does occur.

Operational continuity

Understanding service dependencies—such as which apps support surgical scheduling, medication dispensing or ICU monitoring—is essential for orchestrating functional recovery. Just-in-time access provisioning can re-enable critical roles after an incident without introducing unnecessary privileges. Integrated incident-response playbooks connect zero trust policies with disaster recovery and business continuity (DR/BCP) processes, helping healthcare organizations close the loop between prevention and recovery.


Securing medical devices

Connected medical devices are indispensable to modern care delivery. They also make enticing targets and entry points for threat actors. Many are unmanaged, unpatchable, and lack even basic security controls. Most healthcare organizations don’t maintain a complete, up-to-date inventory of these devices, much less real-time data on their health or risk posture. Worse, because even basic forensics or containment actions can disrupt patient care, incident response becomes especially complex.

Traditional endpoint security models aren’t built for these challenges. But zero trust can be adapted to manage medical devices without compromising clinical workflows. Key components include:

  • Device discovery and classification. Visibility is the starting point. Network monitoring tools can identify connected devices, categorize them by type, vendor and function, and assess baseline behavior—all without disrupting clinical use.

  • Network-based segmentation. Using software-defined networking (SDN) or other OT/IoT-specific segmentation solutions, healthcare organizations can logically isolate Internet of Medical Things (IoMT) devices into tightly controlled network segments.

  • Real-time behavioral monitoring. In a zero-trust model, validation is continuous. Anomalous behavior, such as a diagnostic machine suddenly reaching out to an unknown external IP address, should trigger alerts or automated isolation.

  • Risk-based policy enforcement. Devices with known vulnerabilities or outdated firmware can be confined to restricted zones with tightly limited communication paths.
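The following is an added illustration, not code from the original post or from any vendor product: a small Python evaluator that applies the baseline, behavioral-monitoring and risk-based enforcement steps above to constructed flow records. The device types, networks, inventory flags and sample flows are all hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed baselines (hypothetical): the internal networks and ports each
# device class is expected to talk to, e.g. a CT scanner sending DICOM to PACS.
BASELINE = {
    "ct-scanner": {"nets": ["10.20.0.0/16"], "ports": {104, 443}},
    "infusion-pump": {"nets": ["10.30.1.0/24"], "ports": {443}},
}
# Constructed inventory: device type plus a firmware flag from the vulnerability scan.
INVENTORY = {
    "10.10.5.21": {"type": "ct-scanner", "outdated_firmware": False},
    "10.10.7.8": {"type": "infusion-pump", "outdated_firmware": True},
}
HOSPITAL_NET = ipaddress.ip_network("10.0.0.0/8")

def classify_flow(src, dst, dport):
    # Classify one flow relative to the source device's behavioral baseline.
    dev = INVENTORY.get(src)
    if dev is None:
        return "unknown-device"
    base = BASELINE[dev["type"]]
    dst_ip = ipaddress.ip_address(dst)
    if dst_ip not in HOSPITAL_NET:
        return "external"                 # diagnostic machine reaching the internet
    in_baseline = any(dst_ip in ipaddress.ip_network(n) for n in base["nets"])
    return "expected" if in_baseline and dport in base["ports"] else "unexpected-internal"

def decide(src, verdicts):
    # Map the set of verdicts seen for a device to a risk-based enforcement action.
    if "unknown-device" in verdicts:
        return "inventory"                # discover and classify before trusting it
    if "external" in verdicts:
        return "isolate"                  # move to quarantine segment; alert SOC and biomed
    if "unexpected-internal" in verdicts:
        return "alert"
    if INVENTORY[src]["outdated_firmware"]:
        return "restrict"                 # known-vulnerable: keep in a restricted zone
    return "allow"

def evaluate(flows):
    """flows: iterable of (src, dst, dport). Returns {src: action}."""
    seen = defaultdict(set)
    for src, dst, dport in flows:
        seen[src].add(classify_flow(src, dst, dport))
    return {src: decide(src, v) for src, v in seen.items()}

# Constructed sample flow records, not real telemetry.
SAMPLE_FLOWS = [
    ("10.10.5.21", "10.20.3.4", 104),      # scanner -> PACS: expected
    ("10.10.5.21", "203.0.113.50", 443),   # scanner -> unknown external IP
    ("10.10.7.8", "10.30.1.9", 443),       # pump -> vendor gateway: expected
]
```

Running `evaluate(SAMPLE_FLOWS)` isolates the scanner for its external connection and keeps the pump, whose traffic is normal but whose firmware is outdated, in a restricted zone.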

Of course, security controls must always align with clinical realities. To avoid service disruptions, security teams need to collaborate with other parts of the organization to define acceptable communication patterns by device type, establish “safe isolation” protocols that protect availability, and align zero trust policies with existing clinical risk assessments and device procurement standards.

AI and zero trust

While AI introduces new risks—such as the ability to generate convincing phishing content—it can also strengthen security when layered into a mature zero trust architecture. Deployed properly, AI can enhance both proactive defense and an organization’s ability to respond under pressure.

By their nature, AI and machine learning are adept at processing huge volumes of complex healthcare data across endpoints, networks, identities and applications. By using this data to establish behavioral baselines for users, devices and systems, AI can then detect subtle anomalies, such as a nurse accessing unusual patient records, or a diagnostic system exfiltrating data. It can also apply dynamic risk scoring at access points, factoring in context data such as time, location, device health, and historical patterns, to validate or deny access requests in real time.
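As an added example (not from the original post, and not any particular product's scoring model), here is a minimal dynamic risk scorer of the kind described above: it weighs device health, location, time against a learned baseline, bulk record access and caseload membership, then returns allow, step-up MFA or deny. The user, weights and baseline values are hypothetical.

```python
from dataclasses import dataclass

@dataclass
class AccessRequest:
    user: str
    resource: str              # e.g. "phi-record"
    patient_on_caseload: bool  # is the patient assigned to this clinician?
    device_managed: bool
    device_patched: bool
    on_hospital_network: bool
    hour: int                  # local hour of the request, 0-23
    records_last_hour: int
    mfa_satisfied: bool

# Constructed per-user behavioral baseline (hypothetical): usual shift hours
# and usual records opened per hour, as an analytics engine would learn them.
BASELINE = {"nurse.a": {"shift": (7, 19), "typical_rate": 12}}
DEFAULT = {"shift": (0, 24), "typical_rate": 5}    # unknown user: no history yet

def risk_score(req):
    """Weighted context factors summed into a 0..100 score (higher = riskier)."""
    base = BASELINE.get(req.user, DEFAULT)
    lo, hi = base["shift"]
    factors = [
        (not req.device_managed, 30),                            # device posture
        (not req.device_patched, 15),
        (not req.on_hospital_network, 15),                       # location
        (not lo <= req.hour < hi, 15),                           # time vs. baseline
        (req.records_last_hour > 3 * base["typical_rate"], 25),  # bulk access
        (req.resource == "phi-record" and not req.patient_on_caseload, 30),
    ]
    return min(sum(w for hit, w in factors if hit), 100)

def decide(req):
    """Translate the score into allow / step-up MFA / deny at the access point."""
    score = risk_score(req)
    if score >= 60:
        return "deny"
    if score >= 25 and not req.mfa_satisfied:
        return "step-up-mfa"
    return "allow"

# Constructed sample requests, not real audit data.
ROUTINE = AccessRequest("nurse.a", "phi-record", True, True, True, True, 10, 8, False)
REMOTE = AccessRequest("nurse.a", "phi-record", True, True, False, False, 10, 8, False)
REMOTE_MFA = AccessRequest("nurse.a", "phi-record", True, True, False, False, 10, 8, True)
OFF_HOURS_BULK = AccessRequest("nurse.a", "phi-record", False, False, True, False, 2, 60, True)
```

The routine on-shift request scores 0 and is allowed; the same nurse on an unpatched device off the hospital network is asked for MFA; an off-hours bulk read of records outside her caseload from an unmanaged device is denied even with MFA already satisfied.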

To realize AI’s full potential in a zero-trust framework, its deployment must be deliberate, transparent and aligned with clinical imperatives, not just with security goals. In fact, zero trust should apply to AI itself: automated outputs should never be trusted implicitly. They must be subject to governance, auditability and—most important—oversight by human beings.

Practicing zero trust

Zero trust isn’t a product or a checkbox; it’s a cultural shift. It demands coordination across cybersecurity, IT, clinical operations and executive leadership. While zero trust is broad in scope, implementation can only happen incrementally. Here are some practical steps to get organizations started on this journey:

  • Conduct a zero-trust readiness assessment, aligned with NIST or CISA guidance. Use the findings to create a phased, holistic zero trust strategy for the whole organization.

  • Inventory identities, assets, applications and data flows, starting with high-risk areas.

  • Implement risk-based multifactor authentication (MFA) for high-impact user groups, such as remote users and/or privileged roles.

  • Roll out network segmentation for at least one critical service area, such as picture archiving and communication systems (PACS) or pharmacy.

  • Deploy passive visibility tools to monitor medical devices without disrupting care.

  • Establish access baselines for key applications and enforce them using telemetry.

  • Run tabletop exercises simulating ransomware attacks, clinical downtime and zero trust responses.

Ultimately, zero trust offers a practical, risk-aligned path to stronger cybersecurity. By emphasizing identity, segmentation, continuous verification and resilience, healthcare organizations can reduce risk, protect operations and—paradoxically—build trust where it matters most: with patients.

Sashi Padarthy

AVP & Consulting Partner, Digital Health

Sudhakar Kamalanathan

Cybersecurity Strategy Leader

Stephen Martin Rajan

North America Markets Leader, Cybersecurity

Ferenc Spala

Zero Trust Practice Lead, CMT Cybersecurity
