With many people around the world still under orders to stay at home to slow the spread of coronavirus disease 2019 (COVID-19), remote work has become the new normal for many individuals who can do their jobs from home. Between mid-March and early April, the portion of American workers who said their employer gives them flex time or remote work options rose from 39 percent to 57 percent, according to Gallup.
Overall, 62 percent of employed Americans surveyed by Gallup in a March 30-April 2 poll reported working from home at some point during the crisis. However, having everyone work remotely presents some serious challenges, particularly for organizations that must maintain high levels of cybersecurity and comply with the Health Insurance Portability and Accountability Act (HIPAA).
Taking steps to ensure protected health information (PHI) stays secure is more important than ever, especially since cybercrime related to the pandemic is on the rise. In a joint alert issued on April 8, the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) stated that they observed “a growing use of COVID-19-related themes by malicious cyber actors.” Additionally, the alert notes that the increase in remote work has resulted in new points of vulnerability that hackers can potentially exploit.
Fortunately, your organization can proactively work to address vulnerabilities and reduce the risk of a data breach. Here are some steps you can take to ensure remote workers remain HIPAA compliant during this crisis and beyond.
1. Implement device encryption for all equipment used for remote work.
In a HIPAA security guidance document, the U.S. Department of Health and Human Services (HHS) lists the loss or theft of laptops or other portable devices used to store PHI as one area of risk related to off-site work. Device encryption addresses this concern and drastically reduces your organization’s chances of a data breach.
2. Use a Mobile Device Management (MDM) solution.
In addition to device encryption, it’s a good idea to leverage an MDM platform, which will allow your security personnel to locate devices, lock them and remotely wipe them if necessary.
3. Stay on top of updates and patching.
All devices and platforms used for remote work should be monitored, updated, upgraded and patched regularly to address potential vulnerabilities.
4. Encrypt all emails.
Every business, regardless of industry and compliance needs, should have a high-quality email encryption solution in place to avoid the exposure of sensitive data.
5. Ensure all devices used for remote work have advanced anti-virus software installed.
In addition to encryption and patching, this is essential for equipment used to work from home, according to the American Health Information Management Association (AHIMA).
6. Instruct all remote workers to access your organization’s network and resources using a virtual private network (VPN).
A secure VPN solution can give people working from home access to your organization’s LAN while keeping your data breach risk low and ensuring compliance.
7. Conduct employee security awareness training.
Everyone working remotely should be well-versed in best cybersecurity practices, such as setting strong passwords, not sharing their passwords with others, not allowing their friends and family to access devices used to store PHI, locking all devices that store PHI when not in active use, and so on.
8. Protect your network with a comprehensive cybersecurity strategy.
In addition to all the previously mentioned solutions and steps, it’s vital to maintain a strong IT security strategy, including various advanced solutions to address risks and protect sensitive data. Those can include network and endpoint Managed Detection and Response (MDR), vulnerability scans and Security Operations Center services, just to name a few.
If you’d like to learn more about ensuring HIPAA compliance for remote workers, our technology advisors can offer expert guidance. We provide Compliance as a Service, so our team members have in-depth knowledge of HIPAA security and privacy requirements. Please give us a call at 877-599-3999 or email firstname.lastname@example.org for details.