Q&A: Mount Sinai’s Chris Frenz on Best Practices for Zero-Trust Implementation
Health Tech Magazine
When did you first get interested in zero trust as an architecture and as a general framework?
FRENZ: Actually, back in 2015, the hospital I worked for at the time became very concerned about the possibility of a ransomware or other widespread malware attack hitting the organization. One of the things we decided to do was simulate what it would look like if a malware attack were to hit the hospital.
We took what’s called the EICAR test string — if anybody is unfamiliar with that, it’s a harmless string of characters that years ago all the anti-virus makers got together and agreed to treat as a virus. It provides a safe but effective way to test malware defenses — and I wrote a script that would take the EICAR test string and attempt to copy it to every PC within the hospital.
Now, this was an exercise that was executed without anyone else in IT being aware. We launched a script and simulated the malware spreading through the organization. By doing the exercise, we learned quite a bit about which controls were effective, which controls didn’t work and, in some cases, how people responded to the attack, both in terms of the users and in terms of incident response.
One of the controls that stood out as...