Since the COVID-19 pandemic, the way we work has fundamentally changed. Gone are the days where a local workforce showed up each day to work onsite at corporate offices. Today, you’re more likely to find a hybrid (home / office) setup or, in some cases, a fully remote workforce. These changes mean we need to take a close look at our information security policies and procedures.
Most healthcare providers have relied on the network perimeter to secure network infrastructure, where network endpoints are connected to a managed network, protected by appropriate security controls at relevant entry points (firewalls, managed Wi-Fi, and physical security). In the new hybrid world, the network perimeter is more likely to be an employee’s individual device. How can we ensure precious healthcare data is adequately secured in these circumstances?
Here are five steps you should take right now:
- Know your devices. We can’t secure what we don’t know about, so inventory what devices are in use, and where. Are users exclusively using company-supplied devices, or do we permit the use of personal machines? There are different security concerns with each. Consider the use of a mobile device management (MDM) solution to provide centralized control of all devices so that administrators can manage software updates and patches, security controls such as disk encryption, USB restrictions, and password requirements.
An MDM solution also lets you remotely lock and wipe a device should it become lost or if the user exits the organization. If user-owned devices are permitted, consider additional controls such as data loss prevention or the use of a remote desktop/workspace tool to prevent sensitive data from reaching a user’s personal machine.
- Upgrade your anti-virus / anti-malware approach. Traditional products do not offer adequate protection against today’s more advanced threats. Evaluate the use of a next-generation anti-virus endpoint detection and response (EDR) solution that monitors all endpoint activity and will alert administrators to any suspicious activity / indications of compromise so you can act quickly.
- Reinforce your front door. Ensure all logins are secured using multi-factor authentication and enforce single sign-on (SSO) where possible. This allows an administrator to block all access easily should an account become compromised. Audit all user accounts regularly for signs of suspicious activity, and to ensure that dormant accounts are disabled.
- Consider digitizing your workflows. Every step of healthcare involves the exchange and review of physical documents: patient intake and consent, insurance verification, appointment management, payment processing, and so on. Ensuring document security is easy in a controlled area with managed devices (computers, printers, fax machines) and access to secure document disposal. With a remote workforce, how can you verify that staff are managing this information correctly? Consider partnering with a vendor who can digitize this whole workflow for you. Not only will this greatly reduce the security risk associated with improper handling of sensitive information, you can also drive improved patient engagement and success by offering digital self-service options.
Keep the humans in the loop
I’ve talked mainly about technical controls, but let’s not forget what is arguably the biggest risk factor of all: the human element. Even the best technical controls in the world cannot prevent an individual from making a simple mistake with big consequences. It starts at the top: security must be part of your company culture and that message should come from the C-suite. Your employee awareness program should lay out what is, and what is not, allowed. Make sure everyone understands how serious the consequences can be if we get things wrong. Ensure you have well documented, easy-to-follow procedures for handling sensitive data, and an open communication channel so your employees can ask questions if they are not sure on the correct way to do something.
Educate employees on social engineering, phishing, and ransomware attacks so they know what to look for and what to do if they think they are being targeted. Make sure they are aware of the risks associated with public, unsecured Wi-Fi networks. Consider mandating the use of a VPN connection when accessing sensitive information remotely.
Your employee awareness function should not be an annual, ‘tick the box’ exercise to ensure compliance. Instead, develop an ongoing, continuous process to ensure you are doing all you can to be secure.
Once you have all the above in place, consider certifying your information security program against an established framework such as HITRUST CSF or performing a SOC 2 Type 2 attestation audit. This makes it clear —both internally and with your partners and customers— that you have adequate policies, procedures and controls in place, and that they are operating effectively.
Nick Lees is the director of information security and compliance at Luma Health. Nick has more than twenty years of experience in Security, Compliance, and Infrastructure Engineering working for organizations across the globe such as Luma Health, Red Canary, Thomson Reuters, and IBM. Connect with Nick on LinkedIn.