Global Workforce Analytics estimates that 25-30% of the workforce will be working from home multiple days a week by the end of 2021. The unknown longevity of the COVID-19 pandemic could push those estimates even higher. As a consequence, health plans subject to HIPAA are facing challenges in maintaining compliance with the increase in remote workers.
Regardless of where the work is performed, protected health information (PHI) must be secured in accordance with the HIPAA Security and Privacy Rules. Other HIPAA covered entities (such as health care providers) face the same challenges to the extent that they deliver remote services (such as telehealth) and have remote workers, and they should also make sure that their HIPAA obligations are being met by an evolving remote workforce. The best practices described in this post may apply to health care providers as well, alongside any other HIPAA requirements they are subject to.
Many challenges
These challenges are numerous and may include:
- Timely installation of important workstation patches and antivirus/anti-malware updates, as users may not regularly log into the required virtual private network (VPN)
- Potential for unsecured and/or unencrypted access points used to access confidential PHI
- Personal devices being used to access PHI without appropriate safeguards (e.g. encryption, passwords, remote wipe, antivirus/anti-malware, web content filtering) and other required security controls
- Family members using company issued devices with potential access to PHI without HIPAA training
- Insufficient backup of PHI due to storage on local drives instead of network or cloud locations
- Inappropriate disposal of hard copy and media containing PHI (e.g. not being shredded/degaussed)
To mitigate the risk of compromising protected health information with an increased virtual workforce, we recommend performing a thorough risk analysis that includes (in addition to typical human, natural, and environmental threats) the threats posed by personal devices, a remote workforce, unsecured electronic transmission, epidemic/pandemic protocols, and computer virus/malicious code. The risk analysis should be performed by a combination of IT, Benefits, and Physical Security personnel, and should document the likelihood and cost impact of these threats and list the mitigating controls in place for each. For any threats “scored” as high risk, additional mitigating controls should be implemented as soon as possible to reduce the chance of compromising PHI.
Remote access policy: Top of the list
Equally important to a risk/threat analysis is a comprehensive security policy on remote access and home workstation use to ensure the confidentiality, integrity, and availability of PHI. If your organization does not have such a policy, one needs to be developed and communicated quickly; this should be near the top of your to-do list.
To be taken seriously and to have relevance, this remote access policy must include sanctions that will be applied if not followed. The remote access policy should clearly communicate the following to remote workers:
- How and where to store PHI, including specifying that the employee is not to save or store sensitive or restricted data on the remote host used to access IT Resources
- How to back up PHI
- How to properly disconnect from systems/applications that contain PHI
- That a VPN session must be established during the off-site remote access of PHI and of all information technology resources, and that all network activity during a VPN session is subject to the employer’s policies
- How to establish a VPN
- That users of the VPN can only access machines and resources that they have permission and rights to use
- That the Information Security Department must be contacted when a VPN is not viable, when additional controls are required, or for “white list” requests
- That operating system patches and antivirus/anti-malware updates must be downloaded and installed promptly
- That strong passwords must be used, along with reminders never to divulge passwords to anyone, including family members
- That the responsibility for taking reasonable precautions to ensure their remote access connections are secured from interception, eavesdropping, or misuse is on the employee
- That all remote users are also responsible for following any guidelines issued by the HIPAA Privacy Compliance Office for remote access to PHI accessed within the course of the employee’s job
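The first challenge listed above (patches and antivirus updates that never arrive because a home workstation rarely connects to the VPN) is easy to miss unless someone is looking for it. The script below is an added example, not part of the original post: it reads a constructed endpoint-management export (hostname, last VPN check-in, last OS patch, last antivirus signature update) and reports every workstation that exceeds an assumed age threshold, so the Information Security Department can chase the owner before the device becomes a HIPAA finding. The field names, the thresholds and the three sample records are all assumptions for illustration.

```python
"""Report remote workstations whose patching or antivirus status has gone stale.

Added example, not code from the original post. Assumes an endpoint-management
export with one record per workstation; the field names, thresholds and sample
records below are constructed for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Endpoint:
    hostname: str
    last_vpn_checkin: date     # last time the device connected to the corporate VPN
    last_os_patch: date        # last successful operating system patch installation
    last_av_signature: date    # date of the newest antivirus signature set installed


# Maximum acceptable ages in days. Assumed values; set them from your own policy.
MAX_VPN_GAP_DAYS = 14
MAX_PATCH_AGE_DAYS = 30
MAX_AV_SIGNATURE_AGE_DAYS = 7


def findings_for(ep: Endpoint, as_of: date) -> list[str]:
    """Return the policy violations for one endpoint as of the given date."""
    problems = []
    vpn_gap = (as_of - ep.last_vpn_checkin).days
    patch_age = (as_of - ep.last_os_patch).days
    av_age = (as_of - ep.last_av_signature).days
    if vpn_gap > MAX_VPN_GAP_DAYS:
        # A long VPN gap also means the other two dates are only as fresh as the last check-in.
        problems.append(f"no VPN check-in for {vpn_gap} days")
    if patch_age > MAX_PATCH_AGE_DAYS:
        problems.append(f"OS patches {patch_age} days old")
    if av_age > MAX_AV_SIGNATURE_AGE_DAYS:
        problems.append(f"antivirus signatures {av_age} days old")
    return problems


def stale_endpoints(endpoints: list[Endpoint], as_of: date) -> dict[str, list[str]]:
    """Map hostname -> findings for every endpoint that has at least one finding."""
    report = {}
    for ep in endpoints:
        problems = findings_for(ep, as_of)
        if problems:
            report[ep.hostname] = problems
    return report


# Constructed sample export: three home workstations, evaluated as of 2020-05-01.
SAMPLE_ENDPOINTS = [
    Endpoint("WS-ALICE", date(2020, 4, 30), date(2020, 4, 28), date(2020, 4, 30)),
    Endpoint("WS-BOB",   date(2020, 4, 2),  date(2020, 3, 25), date(2020, 4, 2)),
    Endpoint("WS-CAROL", date(2020, 4, 29), date(2020, 3, 20), date(2020, 4, 29)),
]
AS_OF = date(2020, 5, 1)

if __name__ == "__main__":
    for host, problems in stale_endpoints(SAMPLE_ENDPOINTS, AS_OF).items():
        print(f"{host}: {'; '.join(problems)}")
```

Note that the dates in such an export are only as current as the device's last check-in: WS-BOB has not been seen in 29 days, so its patch and signature dates describe the state a month ago and the real situation is at best what the report shows. That is why a stale check-in is itself a finding and not merely a reason to wait for the next one.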
Do’s and don’ts
From our experience, these are our “top 10” do’s and don’ts to share with your employees to help them keep PHI and other confidential information secure while working remotely:
- Do not print documents unless specifically required as part of your job duties.
- Do not have your computer monitor positioned in a manner so that anyone, including family members, can view any sensitive information, intentionally or accidentally.
- Do not save data locally; local drives are usually not backed up, so the data cannot be restored if it is lost. Save sensitive information to your approved corporate data repository.
- Do not discard any materials that contain protected health information in your regular trash or recycling. Shred the waste paper using your home shredder if it is a cross-cut or micro-cut shredder but do not use a ribbon-cut shredder.
- Do make sure your home wireless network is secured with WPA2 (or WPA3) encryption and a strong passphrase; do not rely on WEP or the original WPA, which are both broken. Not using a Wi-Fi password opens your network up to anyone in the vicinity.
- Do log in to your corporate VPN regularly to make sure patches and antivirus/anti-malware are updated.
- Do use a locking cabinet or drawer to store sensitive paper information or storage media. This applies to paper reports, storage devices, CDs or DVDs.
- Do notify your manager of any changes in your situation: a household member who becomes sick, or if you are required to self-quarantine for any reason or other circumstances (e.g. school closings) that impact your ability to do your work.
- Do be vigilant about email phishing. The pandemic crisis, with its urgency, fear, and rapidly developing news, creates a perfect environment for social engineering of all sorts. Remember: legitimate sources of health information will generally NOT use unsolicited emails or text messages to make announcements. If you want the latest news about COVID-19, navigate to the news providers you already trust. Do not click on links in unexpected emails related to the current crisis that find their way into your inbox. Criminals are sending phishing emails claiming to be from the Centers for Disease Control and Prevention (CDC) and the World Health Organization (WHO), promising vital information about how to prevent and treat COVID-19. Many of these emails carry infected PDF or Word document attachments that appear to contain new or vital information; opening such an attachment can infect your computer with malware.
- Finally, do turn on the various optional security settings when using interactive video conferencing tools, such as Zoom or WebEx:
- Password protect your meetings: Require attendees to enter a passcode, and change it regularly rather than reusing the same one.
- Authenticate users: Only allow signed-in users to participate.
- Join before host: Do not allow participants to join a meeting before the host has arrived.
- Lock down your meeting: Once everyone you expect has joined, lock the meeting so that no one else can enter, even if the meeting ID or access details have leaked.
- Turn off participant screen sharing: In many situations disabling the ability for meeting attendees to share their screens is worthwhile.
- Use a randomly generated ID: Do not use the same meeting ID for all your meetings; anyone who has attended one of them could join the next.
- Use waiting rooms: The waiting room is a way to screen participants before they are allowed to enter a meeting.
- Avoid file sharing: Be careful with the file-sharing feature of meetings – in a few cases malware has been shared among participants using this feature.
- Remove nuisance attendees: If you find that someone is disrupting a meeting, remove them immediately.
- Check for updates: Keep your conferencing software up to date; providers are constantly making security improvements.
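The phishing guidance above describes three things a mail gateway or a help-desk triage script can actually check: a display name that claims to be the CDC or WHO while the sending domain belongs to neither, urgency language in the subject, and a document or code-capable attachment riding along with those signals. The following is an added example that is not part of the original post; it parses raw messages with Python's standard `email` library and returns the indicators it finds. The authority-to-domain allowlist, the keyword lists, the extension lists and the sample messages are all constructed assumptions, and the messages are built in code rather than captured from a real mailbox.

```python
"""Triage raw email for the COVID-themed phishing patterns described in the post.

Added example, not code from the original post. The allowlist of domains per
claimed authority, the keyword and extension lists, and the sample messages
are constructed assumptions for illustration.
"""
from __future__ import annotations

import email
import email.policy
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Display-name keyword -> domains allowed to use it (assumed allowlist).
CLAIMED_AUTHORITIES = {
    "cdc": {"cdc.gov"},
    "centers for disease control": {"cdc.gov"},
    "who": {"who.int"},
    "world health organization": {"who.int"},
}
URGENCY_TERMS = ("urgent", "immediately", "act now", "final notice")
# Attachments that can carry executable code directly are always flagged;
# plain documents are flagged only when another indicator is already present.
RISKY_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".docm", ".xlsm", ".zip", ".iso")
DOCUMENT_EXTENSIONS = (".pdf", ".doc", ".docx", ".xls", ".xlsx")


def triage(raw_message: str) -> list[str]:
    """Return the phishing indicators found in one RFC 5322 message (empty if none)."""
    msg = email.message_from_string(raw_message, policy=email.policy.default)
    display_name, address = parseaddr(str(msg.get("From", "")))
    domain = address.rpartition("@")[2].lower()
    subject = str(msg.get("Subject", "")).lower()
    indicators: list[str] = []

    # 1. Display name claims a health authority whose domain the sender does not use.
    name_lower = display_name.lower()
    for keyword, domains in CLAIMED_AUTHORITIES.items():
        if re.search(rf"\b{re.escape(keyword)}\b", name_lower) and domain not in domains:
            indicators.append(f"display name claims {keyword!r} but sender domain is {domain!r}")
            break

    # 2. Urgency language in the subject line.
    if any(term in subject for term in URGENCY_TERMS):
        indicators.append("urgency language in subject")

    # 3. Attachments, evaluated after the sender/subject checks so documents can be
    #    judged in context.
    for part in msg.iter_attachments():
        filename = (part.get_filename() or "").lower()
        if filename.endswith(RISKY_EXTENSIONS):
            indicators.append(f"code-capable attachment {filename!r}")
        elif filename.endswith(DOCUMENT_EXTENSIONS) and indicators:
            indicators.append(f"document attachment {filename!r} with suspicious sender or subject")
    return indicators


def _build(from_hdr: str, subject: str, body: str, attachment=None) -> str:
    """Construct a sample message (not a real capture) and return it as raw text."""
    m = EmailMessage()
    m["From"] = from_hdr
    m["To"] = "benefits-team@example-healthplan.test"
    m["Subject"] = subject
    m.set_content(body)
    if attachment:
        name, data = attachment
        m.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return m.as_string()


# Constructed samples: two lookalikes, one genuine internal message, one genuine CDC domain.
SAMPLE_MESSAGES = {
    "spoofed_cdc": _build("CDC Health Alert Network <alerts@cdc-covid19-update.com>",
                          "URGENT: new COVID-19 prevention guidance",
                          "See the attached document immediately.",
                          ("COVID-19_Guidance.docm", b"constructed payload, not a document")),
    "spoofed_who": _build("World Health Organization <info@who-health.org>",
                          "Coronavirus safety measures",
                          "Please review the attached PDF.",
                          ("safety_measures.pdf", b"%PDF-1.4 constructed")),
    "legit_internal": _build("Benefits Office <benefits@example-healthplan.test>",
                             "Weekly remote-work reminders",
                             "No attachments, just the usual reminders."),
    "legit_cdc": _build("CDC COCA <coca@cdc.gov>",
                        "COCA update",
                        "Informational only."),
}

if __name__ == "__main__":
    for label, raw in SAMPLE_MESSAGES.items():
        print(f"{label}: {triage(raw) or 'no indicators'}")
```

The allowlist deliberately keys on the claimed name rather than on the domain: a sender from `cdc.gov` that does not mention the CDC in its display name is not a lookalike, and a sender that does mention it but arrives from any other domain is. The document-attachment rule is ordered last on purpose, since a PDF from an internal colleague is normal and only becomes interesting alongside a spoofed name or urgency bait.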
If you haven’t yet weighed the risks associated with working from home, it’s never too late to review your policies and take “remote” control.