As things ease up and people slowly return to the office, what steps do you need to take to make sure data and devices are secure? It’s not quite a reversal of what covered entities (CEs) and business associates (BAs) went through when everyone who was non-essential was required to move to remote work, but there are some similarities.
Back to HIPAA as Usual
After the national emergency ends, so does OCR’s enforcement discretion.
Reassess telehealth vendors. That means if you made an in-the-moment decision to move forward with a non-HIPAA-compliant video conferencing vendor for telehealth, you need to reassess. Either discontinue telehealth and telework or find a vendor who will sign a business associate agreement. If you continue to use a non-HIPAA-compliant vendor and there’s a breach, it’s all on you.
Stop sharing (BAs). When enforcement tightens up again, BAs won’t be permitted to disclose PHI to public health and health oversight agencies. Only CEs will be permitted to disclose PHI to these agencies.
Teach employees how to create strong wireless passwords. One of the steps CEs and BAs may not have thought to take when remote work and remote health suddenly became the norm was to require that employees strengthen their home wireless network passwords. Take that step now if you want to continue with some remote work and telehealth, or if providers conduct telehealth from home.
CEs and BAs may require some training on the how-to of creating a strong wireless password. Plus, not all employees will know how to check their wireless network passwords. Remember, wireless carriers often set the password, and employees don’t reset it when setting up their home router. That means these passwords may be easy to crack. If employees know that carriers set their network passwords, they’ll want to reach out to their carriers for instructions on how to change the home router password to meet your password strength requirements.
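One concrete thing to hand employees along with the "how to change your router password" instructions is a checker they can run before they commit to a new passphrase. The script below is an added example, not something from the original article or any particular vendor; the 16-character policy minimum and the short list of weak patterns are assumptions a CE or BA would replace with its own policy, while the 8-to-63 printable-ASCII range is the WPA2 pre-shared-key constraint that routers actually enforce.

```powershell
# Added example (not from the article): check a candidate home Wi-Fi passphrase
# against WPA2 constraints and an assumed organizational policy.
function Test-WifiPassphrase {
    param(
        [Parameter(Mandatory)][string]$Passphrase,
        [int]$MinimumLength = 16   # assumed policy minimum; adjust to your own
    )
    $problems = @()

    # WPA2-PSK passphrases are 8 to 63 printable ASCII characters; anything
    # else will be rejected by the router, so flag it before the user tries it.
    if ($Passphrase.Length -lt 8 -or $Passphrase.Length -gt 63) {
        $problems += 'WPA2 passphrases must be 8 to 63 characters long'
    }
    if ($Passphrase -notmatch '^[\x20-\x7E]+$') {
        $problems += 'Use printable ASCII characters only; many routers reject anything else'
    }
    if ($Passphrase.Length -lt $MinimumLength) {
        $problems += "Shorter than the $MinimumLength-character policy minimum"
    }

    # Constructed list of weak shapes: common defaults, a single word followed by
    # a few digits (the typical carrier/ISP default style), or one repeated character.
    $weakPatterns = @('^password', '^admin', '^12345678', '^[a-zA-Z]+\d{1,4}$', '^(.)\1+$')
    foreach ($pattern in $weakPatterns) {
        if ($Passphrase -match $pattern) {
            $problems += "Matches a weak pattern ($pattern)"
            break
        }
    }

    # Character-class diversity; -cmatch is case-sensitive so [a-z] and [A-Z] differ.
    $classCount = (@('[a-z]', '[A-Z]', '\d', '[^a-zA-Z\d]') |
        Where-Object { $Passphrase -cmatch $_ } | Measure-Object).Count
    if ($classCount -lt 3 -and $Passphrase.Length -lt 20) {
        $problems += 'Use at least three character classes, or go to 20+ characters (e.g. four random words)'
    }

    [pscustomobject]@{
        Acceptable = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Constructed sample inputs: a carrier-default-style password and a long passphrase.
Test-WifiPassphrase -Passphrase 'Wireless1234'
Test-WifiPassphrase -Passphrase 'copper-lantern-river-42!'
```

The second call passes and the first fails on length, the word-plus-digits pattern, and class diversity, which is the conversation you want the employee to have with their carrier before, not after, a telehealth session runs over that network.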
Clean, Patch and Update Remote Work Devices
Check device security settings and hard drives. As employees return from remote work and bring company laptops and tablets back to the office or clinical setting, check these mobile devices to ensure all security settings are where they should be. Also, a lack of timely patches on the devices may leave you open to cybercrime. For example, employees may have turned off device encryption or not updated anti-malware frequently enough, and if employees’ devices are not locked down, there may be non-approved applications installed.
With employees working from home, a number have pulled double duty – working remotely, making sure the children are taken care of, and keeping them up on their classwork. That means there’s a good likelihood that company-owned mobile devices were used for something other than work. Again, check hard drives. Children are quick to tap and install; ensure they didn’t install an application not approved for use on the device.
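For a fleet of returning Windows laptops, the checks above (encryption on, anti-malware current, patches applied, nothing installed that isn’t approved) can be scripted so the help desk runs the same audit on every device rather than eyeballing each one. The script below is an added example, not code from the article; it assumes BitLocker and Microsoft Defender are the organization’s encryption and anti-malware tools, that the approved-application list is maintained by exact display name, and that 7 days for signatures and 30 days for patches are the organization’s own thresholds. Run it from an elevated PowerShell session.

```powershell
# Added example (not from the article): audit a returning company-owned Windows
# device for the settings the article says to check. Requires an elevated session
# and the BitLocker and Defender PowerShell modules that ship with Windows 10/11.
function Get-ReturnDeviceAudit {
    param(
        [string[]]$ApprovedApps,           # allowlist by DisplayName (assumed to come from your inventory)
        [int]$MaxSignatureAgeDays = 7,     # assumed policy threshold
        [int]$MaxPatchAgeDays     = 30     # assumed policy threshold
    )
    $findings = @()

    # 1. Encryption: every fixed volume should report BitLocker protection On.
    foreach ($vol in Get-BitLockerVolume) {
        if ($vol.ProtectionStatus -ne 'On') {
            $findings += "BitLocker protection is $($vol.ProtectionStatus) on $($vol.MountPoint)"
        }
    }

    # 2. Anti-malware: real-time protection enabled and signatures recent.
    $mp = Get-MpComputerStatus
    if (-not $mp.RealTimeProtectionEnabled) { $findings += 'Defender real-time protection is off' }
    $sigAge = (Get-Date) - $mp.AntivirusSignatureLastUpdated
    if ($sigAge.TotalDays -gt $MaxSignatureAgeDays) {
        $findings += "Antivirus signatures are $([int]$sigAge.TotalDays) days old"
    }

    # 3. Patching: when was the most recent hotfix installed?
    $lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $lastFix -or $lastFix.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays)) {
        $findings += "No patches installed in the last $MaxPatchAgeDays days"
    }

    # 4. Installed software: anything not on the allowlist, including per-user
    #    installs under HKCU, which is where a child tapping "Install" usually lands.
    $uninstallKeys = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $installed = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object DisplayName | Select-Object -ExpandProperty DisplayName -Unique
    foreach ($app in $installed) {
        if ($ApprovedApps -notcontains $app) { $findings += "Unapproved application: $app" }
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Compliant    = ($findings.Count -eq 0)
        Findings     = $findings
    }
}

# Constructed allowlist for illustration; a real one comes from your software inventory.
$approved = @('Microsoft Edge', 'Microsoft 365 Apps for enterprise', 'Zoom')
Get-ReturnDeviceAudit -ApprovedApps $approved | Format-List
```

Anything that lands in Findings is a ticket: re-enable encryption, force a signature and patch cycle, and remove the unapproved software before the device touches PHI again. Keeping the output per device also gives you the documentation trail OCR will expect if a breach is later traced to one of these laptops.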
Clear off sensitive personal data. The above are also good reasons to remind remote-work employees to delete any sensitive personal data stored on those devices. Now that mobile devices are returning to use at the office, and in clinical settings, there’s a chance that personal data may be exposed during routine scanning, patching, and repairing the company-owned mobile devices.
Put PHI in Lockdown. Some CEs and BAs locked down company devices used remotely in such a way that the user couldn’t print, make screenshots, or plug in USB drives. A number likely have not. If employees were able to print at home, remind employees not to print PHI there, and if they have, to properly shred the paper. It’s a good time to lock those devices down so you make sure no one can print PHI at home or plug in a personal USB drive that may not be encrypted and may have malware present on the drive.
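For organizations that didn’t lock devices down before sending them home, the settings below are one way to close the print and USB paths on a Windows device. This is an added example, not the article’s or any vendor’s code: it assumes the organization is willing to disable local printing and all removable storage outright, and it handles screenshots only as far as blocking the built-in Snipping Tool, since a general screenshot block needs a DLP or MDM agent rather than a registry value. Run it elevated, and run it with -WhatIf first.

```powershell
# Added example (not from the article): apply and then verify a minimal PHI
# lockdown on a company-owned Windows device. Requires an elevated session.
function Set-PhiLockdown {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    # 1. Deny all access to removable storage. This is the registry value behind
    #    the Group Policy "All Removable Storage classes: Deny all access".
    $rsd = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    if ($PSCmdlet.ShouldProcess($rsd, 'Set Deny_All = 1')) {
        New-Item -Path $rsd -Force | Out-Null
        Set-ItemProperty -Path $rsd -Name 'Deny_All' -Value 1 -Type DWord
    }

    # 2. Belt and braces: keep the USB mass-storage driver from loading at all
    #    (Start = 4 is "disabled" for a driver service).
    $usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
    if ($PSCmdlet.ShouldProcess($usbstor, 'Set Start = 4')) {
        Set-ItemProperty -Path $usbstor -Name 'Start' -Value 4 -Type DWord
    }

    # 3. No printing from this device: stop and disable the Print Spooler.
    if ($PSCmdlet.ShouldProcess('Spooler', 'Stop and disable service')) {
        Stop-Service -Name Spooler -Force -ErrorAction SilentlyContinue
        Set-Service -Name Spooler -StartupType Disabled
    }

    # 4. Block the built-in Snipping Tool (policy "Do not allow Snipping Tool to run").
    #    Print Screen and third-party capture tools still need a DLP/MDM control.
    $tablet = 'HKLM:\SOFTWARE\Policies\Microsoft\TabletPC'
    if ($PSCmdlet.ShouldProcess($tablet, 'Set DisableSnippingTool = 1')) {
        New-Item -Path $tablet -Force | Out-Null
        Set-ItemProperty -Path $tablet -Name 'DisableSnippingTool' -Value 1 -Type DWord
    }
}

# Verification is what you actually audit when the device comes back: did the
# lockdown stick, or did a local admin undo it?
function Test-PhiLockdown {
    [pscustomobject]@{
        RemovableStorageDenied = ((Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices' -ErrorAction SilentlyContinue).Deny_All -eq 1)
        UsbStorDisabled        = ((Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR').Start -eq 4)
        SpoolerDisabled        = ((Get-Service -Name Spooler).StartType -eq 'Disabled')
        SnippingToolBlocked    = ((Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\TabletPC' -ErrorAction SilentlyContinue).DisableSnippingTool -eq 1)
    }
}

Set-PhiLockdown -WhatIf    # dry run: shows each change without applying it
# Set-PhiLockdown          # apply for real
Test-PhiLockdown
```

In a managed environment you would push the same values through Group Policy or your MDM so they re-apply on every check-in; the point of Test-PhiLockdown is that a device with any False in its output should not be handed back to a clinician until that is fixed.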
Hold Remote Work Training – Phishing, Telework
Run a Mock Phishing Exercise. If you haven’t run a mock phishing exercise recently or at all, now is the time. During the COVID-19 outbreak, cybercriminals have been actively spreading malware, setting up phishing campaigns, and so forth. Mock phishing exercises do a couple of things: (1) they educate employees, or at least the ones who clicked a bad link, and (2) they help you assess risk – how many employees clicked on bad links. All it takes is one to jeopardize your organization, your network, and your PHI.
Review and vet your telework policy and telework agreement. Many CEs and BAs scrambled when remote work became the norm. A telework policy may not have even existed, much less an agreement, because no one thought it would be needed. Take some time now to figure out what worked and what didn’t, what’s enforceable, and what’s not. After thinking that through, adopt or update your telework policy and your telework agreement. And after that, be sure to (1) educate your workforce on the updated telework program and (2) make sure you can enforce it.
It Happened Once – It Can Happen Again
Review your business continuity plan (BCP). If you didn’t have a solid BCP before the pandemic, you were likely scrambling when all non-essential workers were required to work from home. Now that you’re slowly getting back to normal, dust off that plan. Check whether it worked or whether you need to make changes because of what went wrong. After any major disaster or disruption, like a pandemic, you need to take a moment to examine your plans and update them to reflect the fact that it may reappear in the future. Start now to put the lessons learned to work and place your organization back on solid ground.
When all is said and done, great job! Everyone did what was necessary to continue the important work of healthcare, plan, or no plan. You know what else it’s a good time to do? Thank all of those who kept the ball rolling, taking care of patients, and supporting patient care. Again, great job!