HEALTHCARE AT HOME:
THE ROWAN TECHNOLOGY REPORT

Serving the home health, home care and hospice industry since 1999.


by Darcey Trescone, RN, BSN

Remote working can create cybersecurity problems for employers and employees. To accommodate the need for social distancing related to COVID, many of us have moved from a secure office environment to working where home-level security used to be "good enough." The change to remote work has been sudden and, without appropriate security protocols in place, poses many risks.

"There are always new scams to be aware of, and with our current environment, many of us are just trying to keep our businesses alive," Tahnee Puckett, Director of Security for Digital Monitoring Products, told us. "Security may not have been our top priority with remote workers, and this is what these cyber crooks are anticipating. Experts predict that 2020 will be a record high for cyber-attacks globally."

Awareness and preparedness are both vital, according to the EU Agency for Cybersecurity's Executive Director, Juhan Lepassaar, in a news article titled "Top Tips for Cybersecurity When Working Remotely." Lepassaar recommends staying up to date on the latest threats and checking the following basics for every remote worker:

  • Secure Wi-Fi connection. Most home Wi-Fi systems these days are correctly secured, but some older installations might not be. With an insecure connection, others can snoop your traffic.
  • A fully updated anti-virus system is in place.
  • Up-to-date security software. Security tools such as privacy tools, add-ons for browsers, etc. need to be up to date. Patch levels should be regularly checked.
  • All important files should be backed up regularly. In a worst-case scenario, staff could fall foul of ransomware, for instance. If that happens, all is lost without a backup.
  • Lock your screen if you work in a shared space.
  • Make sure remote workers are using a secure connection to your work environment.
  • Check to make sure they have encryption tools installed.

In addition, Lepassaar recommends employers should:

  • Provide initial and regular feedback to staff on how to react in case of problems: whom to call, hours of service, emergency procedures, and how they evolve.
  • Give suitable priority to the support of remote access solutions. Employers should provide at least dual-factor authentication and secure session capabilities (essentially encryption).
  • Provide virtual solutions. At the EU Agency for Cybersecurity, for example, they use electronic signatures and virtual approval workflows to ensure continuous functionality.
  • Ensure adequate support in case of problems. (And there will be problems.)
  • Define a clear procedure to follow in case of a security incident.
  • Consider restricting access to sensitive systems where it makes sense.

 

What Is Your Plan?

There are always new scams to be aware of, and having a solid security plan in today's environment is key to protecting your organization. Performing a security risk assessment across your organization can help quickly identify potential holes in your security infrastructure that need to be addressed. Puckett added, "If you do not have this talent in-house, these resources are available for hire. When hiring a security company, it is essential to screen for their experience with risk assessments, ask for references, and read company reviews to ensure they will be a good fit for what you need."

Merely handing out laptops to accommodate a work-from-home strategy is risky. "A good security policy helps to mitigate risks through protocols and education," Puckett continued, adding, "Ensure your current remote-work policy includes the following:"

  1. Prohibit laptop and credential sharing. Employees should ideally have dedicated devices used for work. There need to be regulations and guidance around personal use of company property.

  2. Set up two-factor authentication on the devices. Enforce the use of strong passwords that are regularly updated.

  3. VPNs (Virtual Private Networks) allow employees to work in your secure environment behind your firewalls. This is highly recommended because it maintains end-to-end encryption and helps to prevent attacks. Ensure firewalls are checked regularly for vulnerabilities. Install anti-virus software on all devices.

  4. Schedule automatic updates on all devices and systems, especially anti-virus software.

  5. Secure home routers and disallow use of free public Wi-Fi. Unauthorized connections, even Bluetooth, should be discouraged. Locking devices when not in use should be documented within your policies and its importance explained to employees.

  6. Be aware of remote desktop tools. Have strict policies around what is acceptable and what is not.

  7. Educate all staff about social media use, including what is appropriate to share about the company, work environment, or other employees. Information put out on social media sites by employees can make a company a target for cyber crooks.

  8. Ensure the company has a current data breach plan and policy on how it would respond to a security incident. This policy needs to be written and the plan must be tested.

Back Up Security Tools with Education

Communication and education with employees about phishing and malware campaigns is essential. Phishing scams are the most prevalent, and the hardest to physically block with security tools. They are as simple as a spoofed email, document, or link that an employee clicks. These scams are built to deceive, and when a user clicks on the document or link, malware gets installed on the machine. Phishing attacks rely on gullibility and carelessness and can only be stopped with enhanced awareness, not with firewalls or anti-virus software.

"COVID-19," "Back to School," "New vaccine," and "Work-from-home" are all popular topics for phishing attempts today. Cyber crooks are hoping the user will click before they think, counting on emotion or curiosity defeating what they have been trained to do. Puckett continued, "Executives and even regulatory bodies are targets. Cyber crooks will spoof their identities and send fake emails to employees that appear to be from the boss but are not."

She added, "Communication and collaboration channels must be secured, and vigilant IT support is a must. To ensure regulatory compliance with remote-work security policies, organizations must:"

  1. Implement specific procedures that detect or prevent security violations.
  2. Undertake a risk analysis to determine potential vulnerabilities.
  3. Ensure that adequate security steps have been taken to reduce risk.
  4. Create a sanction policy to deal with employees who fail to comply with related policies and procedures.
  5. Ensure that information system activity records are reviewed regularly.

 

More Resources:

There are many helpful websites that provide information about cybersecurity threats, including what they are, how to mitigate risk, and what to do if your organization is attacked. Here is a short list to get you started:

Cybersecurity and Infrastructure Security Agency

https://us-cert.cisa.gov/Ransomware

National Institute of Standards and Technology (NIST)

https://www.nist.gov/blogs/cybersecurity-insights/telework-security-basics
https://www.nist.gov/blogs/cybersecurity-insights/preventing-eavesdropping-and-protecting-privacy-virtual-meetings
https://csrc.nist.gov/CSRC/media/Publications/Shared/documents/itl-bulletin/itlbul2020-03.pdf
https://www.nist.gov/itl/applied-cybersecurity/nice/resources/online-learning-content

 

 

Darcey Trescone

Darcey Trescone is a Healthcare IS and Business Development Consultant in the Post-Acute Healthcare Market with a strong background working with both providers and vendors specific to Home Care and Hospice. She has worked as a home health nurse and held senior operational, product management and business development positions with various post-acute software firms, where her responsibilities included new and existing market penetration, customer retention and oversight of teams across the U.S., Canada and Australia. She can be reached at darcey@tresconeconsulting.com.

©2020 by Rowan Consulting Associates, Inc., Colorado Springs, CO. All rights reserved. This article originally appeared in Home Care Technology: The Rowan Report. homecaretechreport.com One copy may be printed for personal use; further reproduction by permission only. editor@homecaretechreport.com