Gerry Blass, President & CEO, ComplyAssistant
Paul Garrin, CIO, Urban Health Plan
6 essential steps to protecting your organization while enabling a remote workforce
Though telecommuting was already on the rise at a rate of 2-3% per year, the COVID-19 pandemic required healthcare organizations to re-evaluate work-from-home policies and quickly enable a remote workforce. But, in the midst of a pandemic, when you have to act as quickly as possible, how do you also make sure your networks and operations are still protected?
Regardless of the timeframe or the circumstances, there are a few essential considerations that IT leaders should remember when setting up a functional telecommuting environment in order to protect their networks from cyberattacks.
- Never allow any employee to use their own equipment to get on your network.
Rather, issue every staffer, including full-time employees and contractors, a company device (e.g., phone, laptop, workstation).
- Have security protocols for offsite email.
During the pandemic, having webmail available was a necessity for enabling a remote workforce. But webmail comes with its own set of risks, opening your network up to attackers. Take steps to ensure your offsite email systems are just as secure as your onsite systems. Make sure webmail is encrypted, and the device connects first to a VPN and firewall. Have constant monitoring in place by your security officer and help desk.
- Do not let any third-party vendor access your network.
Create controls and processes that ensure the vendor either has to come onsite, or they receive and use equipment issued by your organization.
- Keep a close eye on credentialing and terminations of third-party vendor employees.
If staffers of third-party vendors are credentialed to access your network, it is even more important now for the business associate (BA) to follow your organization’s security controls. If an employee leaves the BA, the BA must terminate the employee’s access and communicate that termination to you immediately. During a crisis, third-party access is an even higher risk area – when employees are furloughed, laid off or otherwise lose their jobs, who is making sure access for those employees has been terminated? In this situation, gaps in process arise, giving way to higher risk of an unauthorized party having access to your network.
- Maintain the same or compensating controls for remote work as you do for in-office work.
Have security protocols in place and make sure each company-issued device is as locked down as possible. Lock down devices so employees cannot install any software on their own. Train staff not to access non-secure networks (e.g., at a coffee shop), as this exposes them to the risk of cyberattacks.
- Train and empower employees.
The need for and importance of staff education hasn’t changed due to COVID-19. What has changed is that many employees who have not worked remotely need new information and instructions on how to protect the network. Going back to item #1 above, make sure no employee uses a personal device to access the network. Every staffer should have a company-issued device from which to work, and they must be trained to use only secured home networks. In addition, continue your standard training around phishing attempts. We recommend automatic additional training for any employee who opens a phishing email. Finally, empower your staff to speak up when they see something suspicious. Give them the tools to easily report something that may look like a malicious attempt to access the system. We also recommend that staff automatically pick up the phone and verbally report anything related to financial matters. Staff should be trained to recognize that any financial transactions should not be handled via email – this is an immediate red flag they should report.
In these times, IT is the lifeblood of any healthcare organization. And, with this rapid shift to move to a more remote workforce, many providers that would not have allowed telecommuting needed to change their corporate mindset. It took a global pandemic for some providers to change. Consequently, over the course of a few short months, we’ve all experienced a momentous shift in how we work. That does not mean, however, that we can be lax in how we protect our networks and our data. It’s even more important now to employ stringent rules and controls, and to give your staff what they need to play a part in the overall security of the organization.