Ongoing safety precautions due to the COVID-19 pandemic have forced millions of people to embrace a new reality, regardless of their profession: working from home.
Medical employees face unique challenges when doing so. Their remote technology must not only meet HIPAA security and privacy requirements but also accommodate the needs of diverse patient populations seeking acute and ongoing care.
Healthcare IT teams are pivoting quickly to adopt new teleworking technologies that facilitate direct patient treatment and support back-end office functions. These teams bear significant responsibility for protecting patient information, regardless of the locations where clinicians and staff are working.
Changes made and best practices adopted today will ensure continuity during a crisis, but they’ll also likely influence the future of telemedicine as public health guidelines and patient expectations place a greater value on remote work.
Let’s take a look at some advice for technologists.
1. Set Clear Rules for Remote Use of Healthcare Tools
Remember, healthcare providers are not IT experts. While they understand and support the need to protect the confidentiality of patient information, they don’t necessarily know how to achieve that goal. They’re also incredibly busy as they care for patients and manage their own families during a public health crisis.
The burden on IT teams, then, is to provide clear and concise guidance for practitioners to use the systems and tools at their disposal in a secure manner.
When developing this guidance, think in terms of clear, step-by-step processes that simply tell providers what to do. Don’t offer vague advice or too many options. Tell them what tools are approved for work use and how they may (and may not) use those tools in different circumstances.
2. Know How HIPAA Requirements Affect Remote Work
Many remote workers, including those in healthcare, are turning to new teleworking technologies that help facilitate videoconferences, share data and manage projects. Clinicians, however, should be particularly conscious of whether a tool may be intentionally or unintentionally used to handle protected health information (PHI).
Tools that will handle PHI must work under the constraints of HIPAA’s privacy and security rules. Healthcare organizations don’t have the luxury of simply downloading and using free tools that they hear about from their neighbors, so it’s critical to ensure that a service provider supports HIPAA compliance and is willing to enter into a business associate agreement with your organization.
Zoom is a great example. While many telecommuters are using free or enterprise versions of the videoconferencing platform, those versions do not support HIPAA compliance. Healthcare providers seeking to use the tool for PHI must instead license the specialized Zoom for Healthcare solution that provides a compliant platform and interfaces directly with electronic health record systems.
3. Supply Provisioned Devices for Simplicity and Safety
While it is possible to support BYOD approaches that allow interaction with patient records from personal devices, this path is fraught with peril. It’s difficult for healthcare IT teams to verify that employee-owned devices meet organizational security configuration requirements — especially when staffers aren’t on the premises for a consultation.
Sending preconfigured devices home with practitioners increases the likelihood that those devices will comply with security policies. They’ll also be far easier to support, as IT teams can manage them with the same mobile device management platforms that they use back in the office.
Remote work may require some tweaks to those security policies, but that’s a far less burdensome task than attempting to secure personally owned devices.
4. Use VPNs to Secure Online Activity
Remote providers will require access to EHR systems and other technology managed by the practice and cloud providers — and they’ll gain this access over their unsecured home internet connections.
IT staff must work with practitioners to implement controls that protect their devices from other threats that may be present on a home network or on the internet between the home and the office. Managing device configuration will handle many of these issues, but that leaves internet communications open to eavesdropping.
Virtual private networks allow providers to offer a secure, encrypted tunnel between the office network and a practitioner’s device. This approach is bolstered when providers are given dedicated devices for work use only. A VPN connection to the office provides content filtering, firewall protection and other endpoint protection technologies to home users, just as it would for users within a hospital or clinic.
5. Configure Strong Encryption Algorithms to Protect Data
VPNs and other security technologies often depend on encryption to protect the confidentiality of information stored and transmitted by providers. Many of these solutions are configurable, allowing IT administrators to select the encryption algorithm and key length used to protect information.
IT staffers should verify the security settings of their VPNs, web servers and other encryption-enabled technologies to ensure that they only support strong encryption algorithms with appropriate key lengths.
The National Institute of Standards and Technology offers a set of cryptographic standards and guidelines. These standards officially apply only to federal government agencies, but they also provide an excellent starting point for healthcare providers.
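One way to carry out the settings check described above is sketched here as an added example, not part of the original article: a small Python audit of a web server's TLS directives. The nginx snippet is constructed sample input, and the allowed-protocol and weak-algorithm lists are illustrative assumptions to be replaced with values from your own standard and the NIST guidance; it covers protocol versions and cipher algorithms, not key lengths.

```python
import re

# Illustrative policy (assumed for this example, not taken from the article);
# set the real values from your organization's standard and NIST guidance.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
WEAK_TOKENS = ("RC4", "DES", "NULL", "EXP", "MD5", "ADH")

# Constructed sample of an nginx TLS configuration.
SAMPLE_NGINX_CONF = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DES-CBC3-SHA:RC4-SHA;
}
"""

def directive_values(conf, name, sep):
    """Collect the values of every occurrence of an nginx directive."""
    values = []
    for match in re.finditer(rf"^\s*{name}\s+([^;]+);", conf, re.MULTILINE):
        raw = match.group(1).strip().strip("'\"")
        values += [v for v in re.split(sep, raw) if v]
    return values

def audit_tls_config(conf):
    """Return (setting, value, reason) findings that fail the policy."""
    findings = []
    protocols = directive_values(conf, "ssl_protocols", r"\s+")
    if not protocols:
        findings.append(("ssl_protocols", "", "not set, version default applies"))
    for proto in protocols:
        if proto not in ALLOWED_PROTOCOLS:
            findings.append(("ssl_protocols", proto, "protocol not allowed"))
    for cipher in directive_values(conf, "ssl_ciphers", ":"):
        if cipher.startswith("!"):  # "!X" excludes X, so it is not a finding
            continue
        weak = [t for t in WEAK_TOKENS if t in cipher.upper()]
        if weak:
            findings.append(("ssl_ciphers", cipher, "weak: " + ",".join(weak)))
    return findings

if __name__ == "__main__":
    for setting, value, reason in audit_tls_config(SAMPLE_NGINX_CONF):
        print(f"{setting}: {value or '(missing)'} -> {reason}")
```

The same audit function can be pointed at each server's real configuration file as part of a periodic review, with findings tracked until the directive is corrected.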