Focused Security Risk Assessments: Remote Work for Healthcare Organizations in the Age of COVID-19

By Ian Terry

As the reality of working from home sinks in, many remote workers and their employers are seeing the appeal fade quickly. We all know that remote work is not quite as simple as it sounds. Technical, operational, and communication challenges are quickly presenting themselves when workforce members overload remote access systems, can’t perform their duties, and don’t know the best channels for reporting their issues and incidents.

Are we prepared for the information security and cybersecurity challenges specific to this new paradigm: remote work in the age of COVID-19?

Normally, when answering that question in less dire circumstances, security and privacy professionals have time and resources to furnish a response. They would aim to ascertain the status of their existing environment, identify vulnerabilities and risks, and formulate remediation strategies with the big picture in mind.

Specifically, they would conduct a Security Risk Assessment (SRA).

An SRA is an exercise performed by organizations to help them:

• Understand their existing environment
• Identify vulnerabilities and risks
• Formulate remediation strategies

For those familiar with the risk assessment process, you already know that a good SRA is one that is performed holistically, collaboratively, and carefully – a potentially months-long process that aims to examine all facets of an organization’s security environment and its administrative, technical, and physical controls.

Without a doubt, SRAs are vital to the wellbeing of any organization, and if you’d like to learn more about them specifically, check out our webinars on the topic, or look at our SRA checklist.

Unfortunately, when facing emergent and rapid shifts in the way our businesses operate, a full-fledged SRA may not provide the best results or the fastest timeframe – especially when insights are needed quickly.

In the current Coronavirus situation, organizations need to understand their level of preparedness quickly and ensure solutions to gaps are implemented with haste. Even if an organization has already transitioned to a remote workforce, it is not too late to perform a Focused Security Risk Assessment.

Focused Security Risk Assessments

Much like a conventional SRA, a Focused Security Risk Assessment (FSRA) is a method of understanding the current state of your organization’s security environment, identifying risks and vulnerabilities, and using those findings to produce remediation strategies.

However, a key difference is that FSRA’s are targeted exercises performed on specific business processes – not across the whole organization. As a result of reducing and focusing the scope of the assessment, security and privacy professionals can get a deep understanding of the targeted business component in a short amount of time.

Much like a conventional SRA, an FSRA examines the environment in scope to assess for compliance with HIPAA requirements as well as requirements specific to other frameworks being used by the organization (like NIST CSF or HITRUST). The following control categories should be targeted:

• Administrative Safeguards
• Technical Safeguards
• Physical Safeguards

It’s easy to see how this methodology could be effectively applied to an organization’s remote access environment during this time of need. Businesses need insight on how to support and secure their teleworking processes in a matter of days or weeks – not months.

Importantly, the subsequent remediation strategies still need to be actionable and sustainable. Companies must implement policy, process, or technology improvements that ensure their teleworking environment is prepared for months of heavy use.

Targeting Your Teleworking Environment – Physical and Administrative Safeguards

So, what exactly should Covered Entities and Business Associates be looking at when performing an FSRA on their remote access environment?

To start, let’s consider the applicable administrative and physical controls. For remote working, these two categories go hand-in-hand as the individuals primarily responsible for ensuring adherence to physical controls are the remote workers themselves – they are probably operating out of their homes after all!

Administrative controls are the policies and processes that communicate requirements and standards to which those workforce members must adhere. Generally, these should include physical controls.

Acceptable Use Policies (AUP) and Teleworking Policies that apply to remote workers should be evaluated by security and privacy personnel. These documents stipulate requirements and workforce responsibilities that should be respected while working remotely. Essentially, these are rulebooks for remote workers that instruct them on what they may and may not do.

Security and privacy personnel should ask the following questions when reviewing their AUP and Teleworking Policies during their teleworking FSRA:

Are workforce members that are eligible to work from home required to sign Acceptable Use Agreements and/or Teleworking Policies?

This ensures that there is a documented acknowledgement of rules and responsibilities, which allows the organization to track who has been informed, who is eligible for remote work, and who is subject to sanctions should their remote working behavior be uncompliant.

Are alternative methods of reporting incidents, security breaches, or other issues communicated to remote workers?

In a remote working environment, employees can’t stroll to the office of their manager or privacy officer. They will need to be informed of alternative means of contacting the correct personnel if an incident should arise.

Are there requirements for employees’ working environments?

Just because they’re working from home, doesn’t mean employees are not subject to HIPAA Security & Privacy laws. Teleworking policies should require the use of unshared workspaces, shred-bins (if paper-PHI is handled), and locked cabinets/doors that lead to the working environment, remote access workstations, or covered information in a paper or electronically stored state.

Other considerations include requiring the use of privacy filters to ensure remote workers’ friends, family members, or passersby are not inadvertently exposed to covered or sensitive information. Of course, remote workers should also be prohibited from sharing any company-owned device with anyone.

Administrative and physical safeguards are the responsibility of the organization, as well as the workforce themselves. For remote working situations, the lines blur further as responsibility is decentralized throughout a network of remote workers. A proactive organization should review their Acceptable Use Policies and Agreements, Telecommuting, and/or Remote Access policies to ensure all their bases are covered.

Targeting Your Teleworking Environment – Technical Safeguards

In order for remote workers to perform their job duties, they rely on remote access technologies. VPNs, virtualization, and cloud applications are some of the most common remote access solutions used by organizations to support remote work. Oftentimes, they are equipped with company equipment to use such as laptops or company-owned cellphones and tablets.

All of these technologies are within the technical scope for an FSRA targeted at an organization’s teleworking environment, which would examine the technical controls in place to keep data secure. Some of the key components of your technical environment that should be examined during an FSRA include:

Encryption for data-in-transit: This one seems obvious at first. Most likely, your VPN solution is encrypted data in transit between remote workers and information assets. If your remote users are accessing applications in the cloud, they should be connecting to HTTPS enabled sites which encrypt their traffic. However, remote workers should also be required to ensure their home WIFI routers are configured for WPA2 encryption. If remote users are using their WIFI to connect, and the router is configured for WEP, it would be easy for a malicious actor to intercept traffic – possibly compromising covered or sensitive information.

Screen lock-out timers and other endpoint controls: For instances where teleworkers use company laptops, phones, or tablets, security assessors should evaluate the lock-out timers they have deployed to those devices. An unattended workstation or phone could still be a trajectory for a data breach incident in a home office environment. Additionally, antivirus, password protection, and other controls should be in place for all devices used in a teleworking capacity.

Availability of remote access services: This is an issue many organizations are facing acutely since the onset of Coronavirus and the national migration to teleworking. Companies are finding they didn’t prepare to support this level of volume with their remote access solutions, and as a result, teleworkers are unable to perform their duties. Availability is one of the three elements of the CIA triad – Confidentiality, Integrity and Availability, concepts with which any security or privacy professional are intimately familiar. Assessing your remote access solution’s ability to handle the increased volume should be a priority of your FSRA.

Some teleworkers may be working out of public spaces or using public WIFI, which limits their options for controlling their working environment. Rather than risking connections to unsecure and unfamiliar WIFI networks, equip these employees with personal WIFI hotspots that you configure to meet your security standards. Privacy-filters are also valuable for these users to ensure the public isn’t exposed to covered information on their screen.

Technical challenges are widespread during this shift to remote work. However, that doesn’t minimize the importance of security. Performing an FSRA on your teleworking environment’s technical components allows you to determine your technical preparedness without overburdening technical, security, and privacy staff. In fact, it’s likely that the outcomes will quickly make their lives easier as a direct result of remediation efforts.

Targeting Your Teleworking Environment – Education and Awareness

While some might argue that education and awareness fall under the category of administrative safeguards, I think this topic deserves a special shout-out for this article.

In a teleworking environment, much of the security responsibility is shifted away from an organization and onto its teleworking workforce. Security and privacy officers can’t monitor the actions and behavior of the remote workers firsthand or remind them of the importance of protecting covered information. As a result, it is imperative that organizations evaluate their security education and awareness programs to ensure they are effective in a teleworking paradigm.

During your teleworking FSRA, consider the following when evaluating your education & awareness program:

Is there a digital medium for communicating information security and cybersecurity awareness?

Already, the Cybersecurity and Infrastructure Security Agency (CISA) at Homeland Security is warning individuals to remain vigilant for scams and phishing related to COVID-19. The FBI released warnings specific to COVID-19 teleworkers. Remote workers in the healthcare industry are guaranteed targets for similar attacks. A reliable and repeatable method for alerting remote workforce members to these threats is vital to ensuring your organization is protected

Are remote worker personnel trained on the risks and their responsibilities when teleworking?

Employees may be quick to sign off on telecommuting policies without reading or understanding the totality of their security expectations. Education specific to teleworking should be provided to remote workers to ensure they are familiar with your companies’ policies and processes and be aware of best security practices

Because of the importance of education and awareness in a secure teleworking environment, your FSRA activities should examine policy, process, and training materials. If you find that your company doesn’t have resources specific to teleworking, there are numerous resources with which to create educational materials. Using e-mail, or other collaboration tools to disseminate these materials is a simple task. For example, regularly sending the latest HHS, CISA, or OCR alert to everyone’s inbox is a great start and something you can do right now.

Conclusion

Obviously, the security implications of remote working are numerous. Considering the scope and timeline for migration to teleworking currently faced by organizations, security incidents are inevitable – if not imminent. Already, cyberattacks are being directed at health industry institutions, including the HHS itself. Before long, members of our rapidly burgeoning remote workforce will be targeted by the same cybercriminals.

Healthcare covered entities and business associates should take action to ensure their teleworking environments and workforce are adequately protected. An FSRA applied to your remote working environment will quickly unearth gaps and risks, allowing you to remediate in a timely manner and be confident in your teleworking program for the coming months.

Ian Terry, SSCP, HCISPP, is an information security consultant at Intraprise Health.