Security in a Remote Access World, Revisited

It’s time to circle back to the topic of remote access. Earlier I provided you a checklist to send to your remote working employees to assess workspace and workstation security. With new portable devices and web apps that support working from home, including transmitting large amounts of data with minimal resources, I feel it’s important to share additional information that can help you protect your organization and your data.

Keep in mind, there’s nothing in HIPAA that prohibits remote access.

On the other hand, organizations are still required to implement appropriate safeguards to protect the privacy and security of protected health information (PHI).

In the past, I’d see articles saying that limiting the transport of documentation offsite also limited what could be easily copied. That hasn’t been true for some time. Technology that permits easy transporting or transmitting of data offsite didn’t just pop up now, during the COVID era. We have a greater attack surface – more opportunities for misrouted data and breaches. Everyone needs to implement safeguards to protect the healthcare-related data that’s generated.

So, what does HIPAA say?

It really doesn’t matter if the PHI is stored on a workstation, in a cloud app or on portable media. Covered entities and business associates need to make sure they pay attention to the security safeguards implemented to protect PHI wherever it is. This is not just a technology issue. It still goes back to the fact that people are the weakest link when it comes to security. You can have the best technology in the world, but if an employee or an organization’s vendor doesn’t adhere to good security hygiene, you end up with breaches and potential network damage. All it takes is one person clicking on a malicious link.

Poor security practices at home could lead to inappropriate access by family members and friends, device and portable media theft, etc. No, you can’t eliminate all of the risks, but if employees pay attention and stick to the security controls you’ve developed, the risk is significantly limited.

Implement as many technical safeguards as you can that don’t rely on people.

Those safeguards include personal firewalls, spam filters, anti-malware, and blocking access to webmail on company-owned devices used remotely.

6 Safeguard Actions to Consider

  1. Set up a company-controlled virtual private network (VPN) that is the only path into your organization’s network and applications
  2. Implement two-factor authentication, such as texting a code to the employee’s phone that must be used in conjunction with the employee’s password
  3. Automate anti-malware updates and scans
  4. Force encryption on devices, and enforce it when new devices connect to your company network
  5. Block the use of mass storage devices such as USB drives
  6. Automate patching on company-owned workstations, and force patching through reboots if employees don’t reboot their workstations to apply new patches

Remember the administrative, too!

Implement strong administrative safeguards for remote access as well: policies that employees are required to read, training (especially around phishing), and, if you permit BYOD, a mobile device use agreement that employees must sign.

Whether your security access solution is technical, administrative, or physical, make sure you’re auditing. That means monitoring firewalls, using intrusion detection systems, and monitoring access to your EHR and other web-based apps that store PHI.
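The auditing step above is where the six safeguards become checkable: if the VPN is the only path in and two-factor authentication is required, then an EHR session that arrives from outside the VPN address range, or without a second factor, is a policy violation worth a ticket. The script below is an added illustration, not code from the original article or from any EHR vendor. It assumes a hypothetical comma-separated access log with the fields `timestamp,user,source_ip,mfa,action`; the VPN address range, the business-hours window and the log lines themselves are constructed for the example.

```python
"""
Audit a (hypothetical) EHR access log for remote-access policy violations:
sessions from outside the VPN range, sessions without two-factor
authentication, and bulk record exports outside business hours.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: the company VPN assigns client addresses from this private
# range, so an EHR session from any other address bypassed the VPN.
VPN_RANGES = [ipaddress.ip_network("10.8.0.0/16")]

# Constructed sample log (timestamp,user,source_ip,mfa,action); not real data.
SAMPLE_LOG = """\
2021-03-02T08:15:10,jdoe,10.8.4.21,yes,view_chart
2021-03-02T08:16:02,asmith,10.8.9.5,yes,view_chart
2021-03-02T09:02:44,jdoe,203.0.113.7,no,export_records
2021-03-02T09:05:13,bwong,10.8.2.77,no,view_chart
2021-03-02T23:41:00,asmith,10.8.9.5,yes,export_records
"""


@dataclass
class Finding:
    line_no: int
    user: str
    reason: str


def parse_line(line):
    """Split one log line into typed fields."""
    ts, user, ip, mfa, action = line.strip().split(",")
    return ts, user, ipaddress.ip_address(ip), mfa == "yes", action


def audit(log_text, vpn_ranges=VPN_RANGES, business_hours=(7, 19)):
    """Return a list of Findings, one per violated control, in log order."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        ts, user, ip, mfa, action = parse_line(line)

        # Safeguard 1: the VPN must be the only path into the application.
        if not any(ip in net for net in vpn_ranges):
            findings.append(Finding(n, user, f"access from {ip} outside VPN range"))

        # Safeguard 2: every session must carry a second factor.
        if not mfa:
            findings.append(Finding(n, user, "session without two-factor authentication"))

        # Auditing: a bulk export at 23:41 deserves a look even from a valid session.
        hour = int(ts[11:13])
        start, end = business_hours
        if action == "export_records" and not (start <= hour < end):
            findings.append(Finding(n, user, f"bulk export at {ts[11:16]} outside business hours"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.user}: {f.reason}")
```

Run against a real log, the thresholds would come from your own policy documents and the VPN range from your network team; the point is that each technical safeguard on the list has a corresponding record you can check, so the audit is a recurring job rather than a one-time configuration.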

COVID-19’s effect on remote work expansion has changed everything. It’s critical that healthcare organizations develop safeguards to protect remote access to data, plus the assets, like workstations, that your employees rely on to be able to work remotely. Your attention to what happens outside your organization has become incredibly important.

Chris Apgar, CISSP, CCISO, is CEO and president of Apgar & Associates, LLC. He is a nationally recognized expert and educational instructor on information security, privacy, HIPAA, the HITECH Act, state privacy law, and electronic health information exchange. Contact him at 503-384-2538 for help with your information security program.