Zero trust
Never trust the network, always verify the request — the security model for a world where the perimeter already failed.
In one line
Zero trust abandons the castle-and-moat: being inside the hospital network grants nothing — every request is authenticated, authorised against policy, and encrypted, every time.
How it works
NIST SP 800-207 frames it as policy-driven access: strong identity for users and workloads, device posture checks, least privilege per request, micro-segmentation so a compromised workstation can't roam, continuous verification instead of one login that unlocks everything, and rich telemetry because you assume breach. It is an architecture journey, not a product purchase — identity first, then segmentation, then policy automation.
Where it shows up in digital health
Hospitals are flat-network heaven for ransomware — one phished laptop reaching every unsegmented device is the recurring incident. Zero trust is the counter-design: medical devices on tightly segmented zones, EHR access gated per request, vendor remote access brokered not VPN'd. Supabase's row-level security in this very platform is the same philosophy at the database layer: the table grants nothing; every row access is policy-checked.
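The database-layer version of that last point, as an added example rather than this platform's own schema: a Postgres table on Supabase where switching on row-level security denies everything by default, and each row is then checked against the caller's identity on every request. The table, its columns, and the use of Supabase's auth.uid() helper and "authenticated" role are assumptions for the illustration.

```sql
-- Constructed example: clinical notes locked down with row-level security.
-- Assumed: Supabase's auth.uid() (returns the JWT subject of the calling user)
-- and the "authenticated" role Supabase assigns to logged-in API requests.
create table patient_notes (
  id          bigint generated always as identity primary key,
  patient_id  uuid not null,
  author_id   uuid not null default auth.uid(),
  body        text not null,
  created_at  timestamptz not null default now()
);

-- Step 1: enable RLS. With no policies defined yet, every select, insert,
-- update and delete from the API roles is rejected: the table grants nothing.
alter table patient_notes enable row level security;
-- Also apply the policies to the table owner (roles with BYPASSRLS stay exempt).
alter table patient_notes force row level security;

-- Step 2: per-request policies. The predicate is evaluated for every row on
-- every statement, not once at login.

-- Clinicians may read only the notes they authored.
create policy "authors read own notes"
  on patient_notes
  for select
  to authenticated
  using (author_id = auth.uid());

-- An insert must carry the caller's own id as author, so a client cannot
-- write rows on behalf of another clinician.
create policy "authors insert as themselves"
  on patient_notes
  for insert
  to authenticated
  with check (author_id = auth.uid());

-- No update or delete policy exists, so those verbs remain denied through the
-- API: least privilege by omission rather than by remembering to revoke.
```

On plain Postgres (outside Supabase) the API role would additionally need table-level grants before any policy is consulted; RLS filters rows, it does not replace grants.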