Before Covid-19 hit, keeping private, secure data safe likely meant that employees handling that data did so from within an office that has protections in place. Since that's no longer a choice for many businesses, it's time to put a plan in place to keep sensitive information secure. Here are a few tips to make that happen.
1. VPNs: Whether the data your employees are handling is personal health information (PHI) that needs to stay HIPAA-compliant or proprietary company information, a virtual private network (VPN) provides an extra layer of security. VPNs hide a user's IP address, encrypt data transfers in transit, and mask a user's location. Computerworld says "Most larger organizations already have a VPN service in place and should check they have sufficient seats to provide this protection across their employee base. Smaller enterprises may need to appoint a VPN provider. There are lots of VPN service providers, but not all of them can be trusted. (Especially avoid the free services.) ExpressVPN and NordVPN appear to be good choices, but it is in your best interest to do your own due diligence before selecting a provider for your company."
Anderson Technologies recommends a VPN gateway. "Virtual Private Network (VPN) gateways create secure access from the employee device to the VPN gateway and onward to your internal network. In this way, your enterprise-level cyber security measures are extended to the VPN, which acts as a secure tunnel for employees to work through. Some VPN gateways can even extend your business’s firewall rules to the employee computer no matter where they are working through the use of a portable device—a great advantage when traveling on business."
2. Provide protection for devices: If your workplace is providing employees with a laptop, phone, or other devices, make sure security protections are installed. That includes virus checkers, firewalls, and device encryption.
3. Communicate Privacy and Security Requirements: Total HIPAA recommends putting the following requirements in place for employees handling PHI remotely:
- Employees should not allow any friends, family, etc. to use devices that contain PHI.
- Have each employee sign a Confidentiality Agreement to assure the utmost privacy when handling PHI.
- Create a Bring Your Own Device (BYOD) Agreement with clear usage rules.
- Employees who store hard copy (paper) PHI in their home office need a lockable file cabinet or safe to store the information.
- Employees need a shredder at their location for the destruction of paper PHI once it is no longer needed. The company needs to specify when it is ok to dispose of any paper records.
- Employees must follow the organization’s Media Sanitization Policy for disposal of all PHI or devices storing PHI.
- Make sure employees disconnect from the company network when they are done working. Usually, IT configuring timeouts take care of this.
- Employees cannot copy any PHI to external media not approved by the company. This includes flash drives and hard drives. You may require all PHI to stay on the company network.
- Keep logs of remote access activity, and review them periodically. IT should disable any accounts inactive for more than 30 days.
- Mandate that any employees in violation of these procedures will be subject to the company’s Sanction Policy and/or civil and criminal penalties.
4. Develop a Contingency Plan: Covid-19 has taught us nothing if not that the unexpected happens, and can happen quickly. To ensure that secure data is handled properly no matter what, Computer World says "develop a plan so that management responsibilities are shared between teams and ensure you put contingency plans in place now in case key personnel get sick. Tech support, password and security management, essential codes and failsafe roles should all be assigned and duplicated."
5. Use Secure Cloud Services: Cloud-based apps like Office 365 can keep confidential information much safer than local storage. Just make sure that your security teams review and approve any third-party cloud storage services.
6. Review Common Sense Measures with Your Team: Some of these may feel obvious, but clear communication of any security protocols is important. Among home network security items, make sure to include guidance on: not using public WiFi to access work information; ensuring that home WiFi routers are sufficiently secured; avoiding links in emails from unknown sources; updating home network passwords from default settings; and disabling remote access to home WiFi networks.
Are you an employer or an employee trying to adjust to remote work? Let us know your ideas, challenges, and thoughts about that and other telework topics!
Does your workplace need customized support to create a remote work structure? Movability can help! Contact Kate Harrington to learn more.