HIPAA @ Home: How to Keep Your Remote Workers Cybersecure Out of the Office



This article in the first in a three-part series on cybersecurity best practices for remote work.

As an unprecedented number of people work from home due to the COVID-19 pandemic, it’s natural to be concerned about cybersecurity, privacy, and compliance for home offices and remote working.

Here at MedStack we have been a remote working company since our inception, and we have built our compliance program around home offices and a distributed team.

Our team’s remote security, privacy, and continuity have been analyzed through our third-party PIA/TRA reports and validated in our AICPA SOC 2 report.

It might surprise you to learn that there is very limited guidance on remote working available from regulators and standards. As a result, we have worked hard over the past five years to develop intelligent and feasible work-at-home security, and we have continuously reviewed them both internally and with many third-party assessors, experts in frameworks including ISO, HIPAA, NIST, SOC 2, as well as practical cybersecurity.

This guide gives you a number of practical measures that you can take to keep your employees and data safe at home.

Hazards and Benefits of Remote Workers

In a central office, it’s easy to create, maintain and observe a secure area around your workstations. By comparison, the physical environment of a remote worker is difficult to manage. 

Our approach is to focus on protecting the devices themselves, access to the device, the operating system, and the software that users are running on it. Thus the device becomes its own castle with multiple layers of defence. The benefit from this approach is that a worker can safely access their full suite of tools from anywhere, whether that’s at home now, or on the road or in a coffee shop in the future.

We have validated this approach with multiple independent third party assessors and customer audits over the years and found it to be very secure in practice.

When you have a workforce that can and does work from almost anywhere there is internet, you improve your organization’s resiliency to adverse environmental conditions, which is code for floods, storms, power outages, and pandemics.

Natural disasters and events tend to strike on a local or regional basis, and the ability for different team members to be distributed means that any crisis is much less likely to affect your whole company.

Of course, all of these remote-working related controls are only as good as the rest of your information security and privacy program. You need a complete program with training, documentation, continuity planning and more. If you don’t already have a program, ISO 27001 is the framework that we build on, because it is clear, well documented, and used worldwide.

It’s a good starting point including if you require HIPAA compliance or compliance with Canadian regulations like PHIPA. At MedStack, we provide all of our customers with a complete copy of our policies and with support in ensuring their own privacy and security.

Below are some recommended procedures that individuals as well as companies can take. The more of these you can follow, the more confident you can be in the integrity of your remote working environment:

  • Use Defense in Depth for layered security
  • Use end-to-end encryption
  • Encrypt all data at rest
  • Consider installing an ad blocker in your browser
  • Use a password manager
  • Activate passwords/passcodes on your devices
  • Turn on automatic screen lock
  • Use device biometrics
  • Turn on 2FA/MFA on critical admin accounts
  • Own your workers’ computers
  • Use Mobile Device Management (MDM)
  • Install malware protection/antivirus
  • Store all work and data on the cloud
  • Don’t use USB drives
  • Don’t use paper, except for your master password and recovery codes
  • Don’t put sensitive data like Personal/Protected Health Information (PHI) on your devices

In part two of this series, we begin to examine these procedures in more detail. Click here to read on.