Before the coronavirus pandemic, working from home (WFH) was considered an unusual but popular employment perk. In the aftermath of the pandemic, working from home has become the norm for anyone whose job can be done from a computer. While the medical industry hasn’t experienced nearly as much disruption as other industries, the pandemic has still transitioned millions of professionals to at-home positions. This is especially true for administrators and operations professionals who are the most likely to be handling and transmitting electronic personal health information in bulk. Those who are temporarily quarantined may also have to work from home.
WFH Information Security Concerns
With HIPAA compliance to maintain, and patient quality of care to uphold, there are some serious considerations to make in this transition to a workflow that includes WFH roles. The biggest concern is information security. It’s one thing to defend your facility’s network with iron-clad firewalls, defensive network configuration, and live network monitoring. But what about when you are sending and receiving confidential files with remote at-home staff?
To build a solution, it’s necessary to first fully understand the challenge. Most remote teams are leveraging cloud solutions such as Office365 or G Suite. These solutions make document sharing a breeze and allow employees to access and edit files across devices seamlessly. Let’s first talk about network vs cloud security, and then examine the medical information security risks when establishing a WFH cloud structure. Each problem will be accompanied by guide points to help your medical business’ at-home staff work securely.
There are two key areas of WFH security risk:
- Data Handling Security
- Virtual Server Security
- Data Transit Security
- Home Network Security
- Home Device Security
- Housemate Device and Account Access
Medical data handling security relates directly to how your business builds remote access for at-home staff. To ensure that data is safe when it leaves your secured network, steps must be taken beyond providing a cloud platform for work documents and projects. To ensure security with at-home devices, precautions must be taken to prevent housemates and guests from accessing staff accounts or private resources.
Necessary Risks The Cloud Presents
In the transition to at-home staff, the biggest change is from a secured facility network to a distributed cloud network. You can secure your network with firewalls, virus scanning, network monitoring, and iron-clad permissions management. This makes it possible to minimize the risk of security breaches with stacked security measures on the local network.
When you transition to the cloud, medical business data is no longer under facility network protection. If you have established your own cloud server on a virtual private network (VPN) then the new network must be secured with similar measures and thoroughness as your facility’s local network. A transition to cloud connection to remote staff means securing both in-transit data and employee’s residential networks. The paradigm has shifted and the trade for remote accessibility is layers of new medical data security.
Data Transmission And Security Risks For WFH Employees
Consider the journey of a private medical document from your business to the home computer of a WFH team member. First, it leaves your secured servers through a private connection to your VPN where shared data is hosted and distributed. The data has been safely under your control and protection so far, but now it leaves the VPN to travel over public internet channels. It travels over wireless signal and/or miles of cable and arrives in the home router of your team member. Then it is (very likely in most homes) transmitted wirelessly through the home Wi-Fi network to the target laptop.
From the moment the data left the VPN, it was no longer under business-class security protection. The trouble is that some hackers are capable of reading data-in-transit. Data travels like a train in packets, and those packets can be scanned and read along the way. Some hackers can even insert malicious packets into the stream. So how do you secure this necessary data transfer for remote employees of your medical business?
1. Readable Data Packets
The first step is to make sure your data packets are secure. Think of your data traveling like cars on a train. The engine says “here is your data packet, wait for the end” and the caboose says “that was all of the packets”. In between are the millions of data bytes lined up to arrive. This train travels through the public internet channels – over cables and airways – until it reaches the WFH computer target. The trouble is that hackers can read your ‘train’ as it travels publicly accessible internet pathways if they know how to look.
Encryption is the answer. In fact, end-to-end encryption is necessary, not just encryption at the end-point. Data must be encrypted as it travels between the server, VPN, and each remote team member’s home devices.
2. False Packet Insertion
A rarer but related issue is packet insertion. Sometimes, very skilled pipeline hackers can insert a data packet into your train, like adding a disguised car while it’s moving. When the engine says “here’s the data, wait for the end”, the receiving device accepts all the packets until the caboose says “this is the end”, including the false packet. Packet insertion can slip in trackers, malware, and other malicious assets.
The solution to false packet insertion is packet numbering. The engine gives more information, and each packet carries a tracker that marks it as legitimate. The first packet informs the device to expect an exact number of packets, and only numbered packets. Anything that does not match the numbered packet sequence.
3. Default Router Configurations
Most people are not network administrators, so most people stop configuring their home router as soon as it works. This is perfectly fine for checking email and watching Netflix, but not when medical documents and company secrets are at stake. Most network hackers can access a router on default settings (with default ports and passwords) with their eyes closed.
To solve this issue, home professionals need to be guided to set up their own home routers and network security. Routers are designed to be secured, but most professionals will need a little instruction to set a new password, adjust their access ports, and align the router with their home firewall settings.
3. Unsecured Home Wi-Fi Networks
Then there are Wi-Fi networks, which also must be defended. Home Wi-Fi networks are especially porous, and many families don’t even have a password. Even rudimentary Wi-Fi security can remove your staff members from the easy target list. Hackers to attack home Wi-Fi typically are doorknob rattlers by nature. By guiding your staff through basic Wi-Fi security or upping your game by helping them through advanced Wi-Fi security, you significantly lower the chance that your staff’s home Wi-Fi will be invaded.
Family Access to Work-Devices at Home
After you have covered the pure data-technology concerns, then there is the matter of at-home devices. Computers in the workplace are uniquely safe from prying eyes, except for the occasional not-so-action-movie corporate espionage. Company workspaces are only accessed by authorized, company account-holding staff most of the time. Whether accounts are left logged in or company data is saved on local computers is only a minimal security risk in the workplace.
Home devices, however, provide access to the entire household. Often, a professional’s computer, phone, and maybe tablet are all used by family members. Parents share tech with their children for homework and entertainment. Partners use each other’s devices, and roommates sometimes borrow with or without asking.
5. Leaving a Home Device Logged-In
The first issue is leaving accounts logged in. Even a trustworthy family member can accidentally cause trouble when a borrowed laptop is still logged into work applications or private files are open. Leaving work on shared devices is extremely dangerous in terms of data breaches and network security. From mischief to innocent exposure, the answer is simple.
Idle log-outs and device sleep log-outs. Set up all your cloud work application to log users out when they have been inactive or when the device is closed or goes to sleep. This way, open-account issues can only occur within a few minutes of the team member leaving their chair.
6. Device Access with an Active Password Manager
The next troublesome security issue with personal devices is password managers. How easy it for a knowledgeable family member or roommate to log into your medical document platform or work application? If the password fills itself in through a browser or device password manager, then mischievous or curious housemates with device access can log in whenever they like.
Prevent your team members from using password managers – at least for work-related accounts. You may choose to provide an internal password manager after a non-managed login stage.
7. Family-Known Passwords
Another issue is commonly used passwords. Partners often know their spouse’s favorite password and children learn their parents’ passwords. Using the same password for everything means that work logins are the same as Netflix logins – a security breach most people don’t even realize they have created.
Ensure that WFH staff members create a new, unique password (not just a variation of the old one) through guided password creation and training to know why switching back to the favorite password later is a non-secure choice.
8. Non-Employee Malware Risk Behaviors
Lastly for device access is the risk of acquiring malware that then infects the VPN through your team member’s connection. While most medical professionals know better than to surf risky websites or turn off existing protections – children or roommates may not. Others using devices may play games, watch videos, or click links that riddle devices with malware that could then access private work data or put your network at risk.
The answer here is better automated protection for work devices. Provide your team with the right software and defensive configurations so virus protection can’t be turned off and viruses are quickly detected and snuffed.
At-Home Workflow Independence
Lastly, there are two final concerns that are common mistakes that at-home professionals make in earnest. When you send professionals home to build their own workflows, they build a workflow. But sometimes they don’t make the most secure decisions when improvising at home. Bringing in non-secure software tools and storing private information on their local device storage are the two mistakes you can plan for and help your team to avoid with information.
9. Unauthorized Apps and Programs
Your medical business has likely put together a stack of apps and software tools that at-home staff can use to safely manage their workload. But there are always ways to streamline and your team likely is putting together their own solutions. The trouble occurs when outside apps become a security risk. Consumer apps that are not secure can make it easier to hack a device, or staff may store or transfer information through exposed channels.
The answer to this concern is to involve your team in building a secure stack. Invite them to bring workflow thoughts and needs to the team and together build a secure stack as your at-home workflow develops.
10. Using Local Device Storage
The final WFH security risk is local device storage. It’s such an easy mistake to make when working with files. The need to save data and work quickly. It’s strange to think of your own device storage as being insecure, but it’s also easy for family members to open on-device directories if they have access to the device.
Providing a comprehensive document manager is the best way to prevent this, along with training to know why local storage is risky. A document manager makes it easy and reliable for the WFH team, they never have to download, and you control the security protections on the document platform.
Securing your WFH employees is vital, especially for a medical business dealing with HIPAA-protected records and files. For more insights on how to prepare your team for remote work or secure your current remote staff members, contact us today!