Taking stock of healthcare security: A look at Redox’s zero trust maturity

March 20, 2024
Bill Easton Staff Security Engineer

A traditional cybersecurity model is like an uncooked chicken egg. It has a hardened shell that, when compromised, exposes a soft interior. Once you crack that shell, you are in; you are trusted with the contents inside. Traditional cybersecurity approaches have a firewall or two (maybe even from different vendors in an attempt to prevent one vendor’s vulnerabilities from compromising your whole system), and users are trusted by authenticating into the network. The problem with this model is that once threat actors are inside, they can do almost everything, if not everything, they want to do within your environment.

A zero trust model is designed to change that by assuming that nothing is trusted. The National Security Telecommunications Advisory Committee defines zero trust as “… a cybersecurity strategy premised on the idea that no user or asset is to be implicitly trusted. It assumes that a breach has already occurred or will occur, and therefore, a user should not be granted access to sensitive information by a single verification done at the enterprise perimeter. Instead, each user, device, application, and transaction must be continually verified.” 

Why zero trust is important in healthcare

2023 was the worst-ever year for breached healthcare records, increasing by 156% over 2022. This surge in cyberattacks has prompted the Department of Health and Human Services (HHS) to publish voluntary cybersecurity performance goals to help healthcare organizations plan and prioritize their cybersecurity implementations. HHS plans to follow these goals with financial incentives for hospitals’ cybersecurity implementations, along with enforceable standards. 

The rise of a hybrid workforce has also intensified healthcare’s interest in zero trust. Distributed networks and the dissemination of health data over multiple locations have also accelerated zero trust adoption. Today, Okta reports that 47% of healthcare organizations have a zero trust initiative in place, and 38% have plans to begin one in the next six to 12 months.

More research indicates that organizations have a long way to go before they have a complete zero trust solution and practice in place. According to Fortinet’s 2023 State of Zero Trust Security Report, only 28% of organizations (across multiple industries, non-exclusive to healthcare) say they have a complete zero trust solution in place. 

While all these factors add urgency to pursuing zero trust now, Redox began its zero trust journey in 2019. As we began to build the Identity and Access Management program, we had a few strategic company goals that lead us to a zero trust model. First, we are a cloud-first company with a distributed workforce. We did not have and did not want to build a traditional corporate network. If we cannot rely on a hardened perimeter, we must focus on protecting the user identity. Second, we needed to balance the flexibility and agility of our workforce with securing their access to our assets and the data we are entrusted by our customers and our customer’s customers. Third, we must maintain expected industry certifications such as HITRUST® level 3 r2 or SOC® 2 Type 2. Both of these certifications have access control requirements and we wanted to ensure that we continued to meet those requirements. Finally, we wanted to ensure that Redoxers were able to do what is needed with the least amount of friction. Our zero trust implementation allowed us to meet all of those goals.

After the recent impact of ransomware on one of the largest U.S. clearinghouses for medical claims, more of our customers and prospects are asking about various aspects of our security policies and practices, including zero trust. As a result, we’re writing this blog to share where Redox is today with zero trust, not only for our customers, but also for the healthcare community at large. 

A quick breakdown of the CISA model

CISA model
Source: CISA. “Zero Trust Maturity Model, Version 2.0.” April 2023.

We assess Redox’s zero trust progress based on the Cybersecurity and Infrastructure Security Agency’s Zero Trust Maturity Model (version 2.0). CISA’s model identifies five key areas that should be individually addressed in a zero trust environment: Identity, Devices, Networks, Applications & Workloads, and Data. These five areas, which make up the enforcement element of the framework, are built upon a set of controls and policies focused on Visibility and Analytics, Automation and Orchestration, and Governance. Each enforcement area advances through the model using four stages: Traditional, Initial, Advanced, and Optimal by making some adjustments that work towards the optimal state.

The zero trust program’s maturity advances as it becomes more automated, access policies become more dynamic, and governance becomes continuous validation of policy. Redox conducts our self-assessment based on these details. However, keep in mind that this model was written for U.S. government agencies, such as Health and Human Services. Accordingly, some areas in this model do not apply to Redox. In these cases, we give our best-effort evaluation based on the spirit of CISA’s model.

Zero Trust Maturity Model, Version 2.0
Source: CISA. “Zero Trust Maturity Model, Version 2.0.” April 2023.

Where Redox is on our zero trust journey

Before we dive into the details of where Redox stands with zero trust, I’d like to provide some context with general information about Redox, our identity tech stack, and our defined user lifecycles. We use a cloud-based Identity Provider (IdP) with built-in no-code/low-code tools to automate a user’s lifecycle, including just-in-time access provisioning. We push client certificates to all managed user devices using our Mobile Device Management (MDM) solution, which is used by our IdP to make risk-based authorization decisions to access resources. Every resource is placed in a risk level authentication profile and may require device trust attestation from our MDM, defined geolocation data, and connection to our Virtual Private Network (or any combination of these) based on the criticality of the resource. We have established automation processes for joiners, movers, and leavers that automatically grant, or revoke, access based on the user’s business role with Redox as defined by their attributes from our Human Resources Information System.

With all this in mind, here is where we are on CISA’s zero trust maturity model.

Identity – Optimal

Within the model, identity becomes the keystone to protecting company resources and assets rather than the hardened perimeter of the company’s network. Attributes of the user’s identity and the user’s device during the authentication process become critical decision points when authorizing access to any resource, significantly reducing the reliance on the network perimeter for defense. In fact, Google advocates an approach of moving all corporate applications and workflows from the intranet to be directly on the Internet. Redox has embraced this philosophy fully, and we do not have a corporate network.

We leverage our IdP to provide phishing-resistant Multi-Factor Authentication and even passwordless authentication for managed devices. We have a limited session time before reauthentication is required. As mentioned before, we utilize user attributes (such as department and squad) to enforce Role Based Access Control (RBAC) combined with real time attributes (such as geolocation, device compliance, and device trust attestation from our MDM as well as a connection to our Virtual Private Network, if required) to make risk-based policies decisions about whether access to a particular resource should be granted. Further, we provide just-in-time privilege elevation for authorized users if they require access outside of their normal entitlements for a short period of time. Access to these elevated privileges is removed by automation after they expire.

We have clear and defined automated processes throughout a user’s lifecycle from joiner to mover to leaver created in a no-code/low-code platform connected to our IdP, which is integrated with our human resources information system (HRIS) so HR data can trigger these lifecycle phases.

Devices – Advanced

In addition to tracking all virtual and physical assets, we enforce compliance using our MDM within the corporate space along with Amazon Machine Images (AMI) / OS Images though our infrastructure as code processes in the production space. We also use an XDR and MSSP to continuously monitor and react to threats everywhere. In the future, we plan to achieve optimal state by automating our supply chain risk.

Networks – Optimal

We do not have a corporate network so this does not directly apply in all aspects. Critical workloads are isolated to virtual private clouds and connecting to those environments requires the use of our VPN by users. We have just-in-time and just enough access controls using our RBAC framework and tooling. We encrypt traffic in transit, have a key management process for storage, and automate rotation. We don’t have microsegmentation because it is not applicable to our environment.

Application and Workloads – Optimal

Our application is publicly available through a Redox host dashboard or via available APIs. For authentication and authorization, our customers can choose between a local account and (if they prefer MFA) or Single Sign On through their IdP of choice. To support customers, Redox employees use our IdP for accessing the dashboard as needed. We authenticate and authorize APIs using a combination of OAuth and JWT for continuously authorized access. We also deploy protections against advanced attacks in all workflows, testing these protections through both penetration testing (internal and external) and our public-facing bug bounty program managed by HackerOne.

Data – Advanced

We automate data categorization and labeling by using required templates in our continuous integration and continuous delivery pipeline. Data is stored in highly redundant data stores with annually tested failover. We encrypt data in use (i.e., in both transit and at rest). In addition, we have dynamic access controls to our data.

We are making strides towards optimal state with a recently deployed Data Loss Prevention solution, which is currently in an audit mode to notify the information security team of possible exfiltration. Our next step is to automatically block certain activities that might lead to exfiltration of data to prevent security breaches.

Overall maturity

While we have a pretty mature adoption of zero trust, we classify Redox as falling between the advanced and optimal stages. As we move forward, we’ll be concentrating on advances within the devices and data areas so we can achieve the optimal state across the board.

Few things are as important to us as gaining our customers’ trust through privacy, security, transparency, and compliance. Zero trust plays a critical role in that effort, and we’re excited to advance our program. Stay tuned for more updates on our progress.

Want more details on the Redox security posture? Visit our security page.