As more healthcare providers push to go cloud native or close data centers down in favor of hosting some applications in the cloud, you need a solution to securely connect to those applications. Traditionally, applications have been hidden behind a firewall that, unless you have a VPN or a VDI client, you cannot access them. Once logged into a VDI machine you would be able to stream these pixels to your machine without the fear of a MiTM attack.
This used to work fine, but in the modern age with vulnerabilities becoming more sophisticated—such as Log4J—we are seeing an increase in attacks even against these VDI servers. We saw a lot of articles similar to "Night Sky ransomware uses Log4j bug to hack VMware Horizon servers" during the early stages of Log4J. Attackers will also go after an internet-facing load balancer such as this Citrix ADC critical vulnerability in July 2023, "New critical Citrix ADC and Gateway flaw exploited as zero-day." This means that someone could compromise the VDI server and then they are now in your Electronic Health Records (EHR) system, potentially gathering PHI or on your network to sniff for credentials all to start a ransomware attack. Some cyber insurance vendors are even now stating they want all VDI non-internet facing.
Now that EHRs are moving to the cloud or customers are choosing to move their EHR architecture to the cloud, you still have these same risks unless you fundamentally change the way you connect. You still need to be able to provide access to your clinicians, but the problem remains of going over the open internet to get into the data center then into a direct connection up to the cloud or exposing them directly from the cloud.
If I am a malicious actor—either in your hospital’s network by plugging into an empty ethernet jack or sitting at a coffee shop while a doctor checks his schedule for the day—I am able to see traffic flowing to and from an endpoint. ISPs are not by default encrypting your traffic, so anything over the internet is fair game.
Eliminating the risks
We can eliminate those risks by using our product Zscaler Private Access (ZPA). ZPA allows users to securely connect from anywhere to an application hosted either in the cloud or on prem using Zscaler App Connectors. All traffic funnels through our Zero Trust Exchange cloud via TLS. The App Connectors then talk back to the cloud in an outbound-only communication also on TLS. This eliminates the external attack surface as you no longer need to expose those apps to the internet for end user connectivity. You also will not see the traffic of where that app is connected from as it would be a request to our cloud vs the app directly. One of the other benefits is this can be browser-based or with our Zscaler Client Connector depending on the use case.
What does this look like on paper though? Below is a diagram of what this network flow could look like.
A user will log into Zscaler Client Connector—a lightweight agent—or, if enabled, they could do clientless access via ZPA. The connector would make a TLS tunnel to the ZTE Cloud and the App Connector would then respond back with outbound only TLS. The application being asked for in this case is your EHR system, which may be served by Citrix, and the user would then be able to use the application as normal. This means that your VDI infrastructure is no longer exposed directly to the internet. We can also eliminate the need for VDI vendors completely by allowing you to go directly to your application without the middleware.
If you have IoMT devices or printers as an example, we can also connect those devices to the EHR vendor of choice as well using our Branch Connector appliance. This appliance acts much in the same way as Zscaler Client Connector would on a desktop, but is meant for IoMT devices that can not install Zscaler Client Connector.
The important thing to note is that this isn’t a traditional VPN, which are inherently vulnerable as seen in these two examples; "Critical Patch Out for Critical Pulse Secure VPN 0-Day Under Attack" or "Fortinet fixes critical RCE flaw in Fortigate SSL-VPN devices, patch now". A traditional VPN would allow me to get on your network and make lateral moves on the VPN network. This is instead a microtunnel to just the application and the application alone. This means you can set policies to prevent certain users from accessing the system, enforce posture, and be aware of context.
But what if...
Now I know you may be saying to yourself, “but what if?” What if a user falls for a phishing attack and gets their machine compromised completely including access to the VDI system. This is always possible, but with Zscaler we can put the Zscaler Client Connector on a VDI machine as well whether persistent or non-persistent (just not multi session at this point in time). The benefit to this is now you can enforce DLP, URL filtering, cloud app controls, NGFW, and malware protection. You can isolate browsers or use sandboxing to prevent/inspect/quarantine people from downloading malicious files and prevent people from uploading sensitive PHI. We do these things with SSL inspection which we do at scale in over 150 POP’s across the world. We do not host PHI in our data center; we just inspect the traffic to ensure no violations occur. You as the customer can also choose what you inspect and what you don’t inspect to ensure HIPAA and other compliance requirements.
Zscaler not only works with your traditional SaaS applications such as O365 but as you can see we can hide your VDI infrastructure behind the Zero Trust Exchange or connect directly to your EHR system removing the need for VDI.
Moving applications to the cloud can be a straightforward process when using the Zscaler Zero Trust Exchange to broker secure access to your users. We also have the ability to monitor these public cloud applications using Zscaler Digital Experience (ZDX) to ensure a consistent experience across your entire user base.
We look forward to exploring how Zscaler can help you do more with less, as we have for hundreds of other customers in the healthcare sector. You can also find more information on Zscaler for healthcare here.