According to this author, the conceptual idea of “zero-trust” is a bad choice of words:
User frustration will be brought to the forefront, and this security model will be seen as a blocker to productivity and ‘getting the job done’. What will not help is the users being told that this is part of a ‘zero trust’ security model. From the user’s perspective, this phrase has a negative connotation — it tells the user that they are not trustworthy, and it goes against building trust in the workplace.
It’s important to point out here that if we want widespread adoption of a new security model, getting buy-in from the people who will be living it is paramount. With the right buy-in, the same users can become proponents and even champions of the new systems, and that helps everyone. Antagonistic phrasing paired with a troublesome implementation can make the same users the biggest barriers to its adoption.
To my mind, the “zero-trust” security architecture assumes that security is “broken by default” and one needs to be aware of this before confidential information is put up. Healthcare demands security and privacy for the individual, and end users are lax around it. It is not because the users intentionally harm the patients, far from it. It has to do with the bad UI practices in healthcare. To whom do you ascribe the overall responsibility for the system? Who takes the blame in case of a breach? Why have the insecure systems (like Microsoft Windows) in the first place?