Set Up Remote Workspaces for HIPAA Compliance
While it’s impossible to avoid every security risk, strong technological and policy-related solutions can create a more compliant alternate workspace. A certain degree of control can be attained with reliable safeguards followed by every employee.
What does that involve? The Cybersecurity and Infrastructure Security Agency encourages organizations to consider the following suggestions:
- Establish VPNs and keep them, along with every device used in a remote work environment, updated with the latest software patches and security configurations.
- Confirm that IT security teams monitor and test VPN limits to prepare for an increase in the number of users. Team members should also prepare to implement any modifications for users with higher bandwidth needs.
- Make certain security teams are also ready to handle the increase in security-related tasks (log review, attack detection, and incident response and recovery) tied to the sudden ramping up of remote work.
- Implement multifactor authentication on all VPN connections (if MFA isn’t possible, ensure that remote staff are using strong passwords).
- Notify all staff that phishing attempts are likely to increase while working remotely.
Tom Kellermann, head of cybersecurity strategy for VMware Carbon Black, also highlights some top measures healthcare staff should take to better protect themselves at home:
- Address home network concerns. Ensure that you’re the only system administrator for your home network and all devices that connect to it. Next, change your router’s password to a sentence or phrase rather than a single word. Lastly, home routers typically have two networks; put your work laptop on one and all other devices on the other.
- Mitigate software-associated risks. Deploy the appropriate security software on all your devices; update your software, including applications, on Tuesday nights; and use Firefox as your browser.
- Be vigilant when videoconferencing. Set a password for every Zoom meeting. If sensitive material must be discussed in a meeting, ensure that the meeting name doesn’t suggest that it’s top-secret, which would make it a more attractive target for potential eavesdroppers. Finally, share sensitive files only through the approved file-sharing technologies, not as a part of the meeting itself.
Each solution is part of a greater defense. It’s important for organizations and staff to work together to adopt a combination of these measures to avoid a data breach.