HIPAA @ Home: Part 2
In our previous post, we looked at a number of practical measures that companies can take to keep their employees and data safe while working remotely. This post examines several of those procedures in more detail to help you strengthen your remote working environment.
Use Defence in Depth for layered security
The security environment on the internet is sometimes compared to the wild west, but a better comparison is to the medieval period, when enclaves of security with castles, towers and walls were surrounded by lawless areas.
Instead of relying on a single wall to keep out intruders, medieval towns and castles had many layers of walls and defences, and the same principle is most effective for cybersecurity.
That way, if any given layer fails, is misconfigured, or is breached, the next layer still protects you. By following as many of the procedures below as possible, you can build a secure castle of your own on each device your workers use.
Use end-to-end encryption
This one is pretty straightforward. It’s likely that the apps and tools that you use are already configured for encrypted networking, but it’s a good idea to check to make sure.
They should all use standard cryptographic protocols such as HTTPS and TLS (Transport Layer Security, formerly known as SSL). In any web app, you can see whether the connection is encrypted with HTTPS by looking for the padlock symbol in the browser's address bar.
Tip: Use a browser plugin like HTTPS Everywhere to ensure that your connections are always protected.
If you are running any of your own websites or web apps for internal use (even your company’s marketing site), make sure that they are configured to only allow connections with HTTPS, and purchase certificates if you don’t already have them.
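The following script, added here as an example and not code from the original post, audits whether one of your own sites is actually configured to allow connections only over HTTPS. It treats a site as HTTPS-only when a plain-HTTP request is answered with a redirect to an https:// URL and the HTTPS response carries a Strict-Transport-Security (HSTS) header with a max-age of at least one year (the minimum the HSTS preload list accepts). The hostname and the sample responses are constructed; the weak configuration is shown beside the corrected one.

```python
"""Audit whether a site is configured to allow connections only over HTTPS.

Added example; this is not code from the original post. It treats a site
as HTTPS-only when (1) a plain-HTTP request is answered with a redirect to an
https:// URL and (2) the HTTPS response carries a Strict-Transport-Security
(HSTS) header with a max-age of at least one year, the minimum the HSTS
preload list accepts. The hostname and responses below are constructed.
"""
import re
import urllib.error
import urllib.request

ONE_YEAR = 31536000  # seconds; HSTS preload minimum max-age


def header(headers, name):
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def redirects_to_https(status, headers):
    """True if a plain-HTTP response is a redirect whose target is https://."""
    location = header(headers, "Location") or ""
    return status in (301, 302, 307, 308) and location.lower().startswith("https://")


def hsts_max_age(headers):
    """Return the HSTS max-age in seconds, or None if the header is absent/malformed."""
    value = header(headers, "Strict-Transport-Security")
    if not value:
        return None
    match = re.search(r"max-age\s*=\s*\"?(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else None


def evaluate(http_status, http_headers, https_headers):
    """Return a list of findings; an empty list means HTTPS-only is enforced."""
    findings = []
    if not redirects_to_https(http_status, http_headers):
        findings.append("plain HTTP is answered without a redirect to HTTPS")
    max_age = hsts_max_age(https_headers)
    if max_age is None:
        findings.append("no Strict-Transport-Security header on the HTTPS response")
    elif max_age < ONE_YEAR:
        findings.append(f"HSTS max-age {max_age} is shorter than one year")
    return findings


def fetch(url):
    """Fetch a URL without following redirects; returns (status, headers)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, hdrs, newurl):
            return None  # stop here: we want to inspect the redirect itself
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:  # unfollowed redirects surface here
        return err.code, dict(err.headers)


def audit(hostname):
    """Live audit of one host (needs network access)."""
    http_status, http_headers = fetch(f"http://{hostname}/")
    _, https_headers = fetch(f"https://{hostname}/")
    return evaluate(http_status, http_headers, https_headers)


# Constructed sample responses: a weak configuration and a corrected one.
WEAK_HTTP = (200, {"Content-Type": "text/html"})  # content served in the clear
WEAK_HTTPS = {"Content-Type": "text/html"}        # no HSTS header at all
GOOD_HTTP = (301, {"Location": "https://intranet.example/"})
GOOD_HTTPS = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains"}

if __name__ == "__main__":
    print("weak:", evaluate(*WEAK_HTTP, WEAK_HTTPS))
    print("good:", evaluate(*GOOD_HTTP, GOOD_HTTPS))
```

Run `audit("intranet.example")` against each site you operate; an empty findings list is the goal. The checker deliberately refuses to follow redirects so that a site which silently serves content on port 80 is reported rather than hidden behind a later hop.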
Email should also run over TLS. If you use a hosted email service like Gmail, you already have it. If you run your own email server, check that the server is configured correctly.
Remind all of your workers to enable security on their home WiFi. With all of your connections end-to-end encrypted, though, you do not need to rely on wireless network encryption: even if the WiFi is misconfigured, an attacker on that network won't be able to read your traffic.
Encrypt all the data at rest
If you lose a device without disk encryption enabled and a password set, then serious fines can result. But if you have encryption turned on, then the assumption is generally that the data is not accessible and so there is no data breach.
Another advantage is that an encrypted drive doesn't need to be physically destroyed when you no longer need it. That's useful, as SSDs cannot be securely erased the way HDDs could, and disk destruction requires special equipment.
Therefore, turn on full disk encryption on all your devices. Most new devices have it on by default: Macs have had encryption turned on by default since Mac OS X 10.10, iOS since version 8, Android since 7.0.
The latest Windows only sometimes has encryption turned on by default. And any device that was purchased before and then upgraded to one of those versions might not have encryption enabled yet. So check all devices to ensure it’s enabled.
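To make "check all devices" concrete, here is an added example (not code from the original post) that reads the encryption status reported by each platform's own tooling. The three parsers assume the output formats shown in the constructed samples: `fdesetup status` on macOS, `manage-bde -status` on Windows and `lsblk -J -o NAME,TYPE,MOUNTPOINT` on Linux; confirm those formats against your own machines before relying on the script, since the exact wording is an assumption.

```python
"""Check full-disk encryption status from the platform's own tooling.

Added example; not code from the original post. The three parsers assume
the command output formats shown in the constructed samples below:
`fdesetup status` on macOS, `manage-bde -status` on Windows and
`lsblk -J -o NAME,TYPE,MOUNTPOINT` on Linux (an assumption; verify
against your own machines before relying on it).
"""
import json
import platform
import subprocess


def filevault_on(fdesetup_output):
    """macOS: `fdesetup status` prints 'FileVault is On.' or 'FileVault is Off.'"""
    return "FileVault is On" in fdesetup_output


def bitlocker_protected(manage_bde_output):
    """Windows: every volume in `manage-bde -status` must report 'Protection On'."""
    statuses = []
    for line in manage_bde_output.splitlines():
        if line.strip().startswith("Protection Status:"):
            statuses.append(line.split(":", 1)[1].strip())
    return bool(statuses) and all(s == "Protection On" for s in statuses)


def unencrypted_mounts(lsblk_json):
    """Linux: mountpoints whose device is not layered over a dm-crypt ('crypt') device."""
    found = []

    def walk(dev, under_crypt):
        under_crypt = under_crypt or dev.get("type") == "crypt"
        mountpoint = dev.get("mountpoint")
        if mountpoint and mountpoint != "[SWAP]" and not under_crypt:
            found.append(mountpoint)
        for child in dev.get("children", []):
            walk(child, under_crypt)

    for dev in json.loads(lsblk_json)["blockdevices"]:
        walk(dev, False)
    return found


def check_this_host():
    """Run the platform command and return True if the host looks encrypted."""
    system = platform.system()
    if system == "Darwin":
        out = subprocess.run(["fdesetup", "status"], capture_output=True, text=True).stdout
        return filevault_on(out)
    if system == "Windows":
        out = subprocess.run(["manage-bde", "-status"], capture_output=True, text=True).stdout
        return bitlocker_protected(out)
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         capture_output=True, text=True).stdout
    # An unencrypted boot/EFI partition is normal; any other plaintext mount is a finding.
    return all(m.startswith("/boot") for m in unencrypted_mounts(out))


# Constructed samples of each tool's output.
SAMPLE_FDESETUP_ON = "FileVault is On.\n"
SAMPLE_FDESETUP_OFF = "FileVault is Off.\n"
SAMPLE_MANAGE_BDE = """Volume C: [OS]
    Conversion Status:    Fully Encrypted
    Protection Status:    Protection On
Volume D: [Data]
    Conversion Status:    Fully Decrypted
    Protection Status:    Protection Off
"""
SAMPLE_LSBLK = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
                {"name": "vg-swap", "type": "lvm", "mountpoint": "[SWAP]"}]}]}]}]})

if __name__ == "__main__":
    print("encrypted:", check_this_host())
```

The Windows sample shows why the parser insists on every volume: the operating-system volume is protected while the data volume is not, so the host as a whole must be reported as unencrypted. On Linux the check walks the device tree so that a filesystem on LVM inside a LUKS container counts as encrypted while a partition mounted directly does not.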
Consider installing an ad blocker in your browser
Ad blockers like uBlock Origin and 1Blocker don't just block ads; they also block web-based malware. On the downside, they reduce the legitimate ad revenue of the websites you visit. Most have an option to whitelist sites so that you can continue to support them.
Use a password manager
You might have expected us to recommend using good passwords, but good passwords are no longer good enough. There are now massive databases of stolen passwords, and brute-force cracking tools have sophisticated libraries of common words and patterns based on real-world data.
Instead, use a cloud password manager to generate and store passwords across all your devices. For those using Apple devices, Apple's Keychain is a good solution; for cross-platform use there are good options like LastPass and 1Password. Install their apps and browser extensions and you never have to worry about passwords again.
Password managers still need a master password, and there's a simple and secure way to handle it: come up with one extra-complex, secure password to use as your password manager's master password, write it down with pen and paper, and store it in an out-of-sight location like a drawer. There are many sources on the web about creating good passwords, for example "Create a strong password & a more secure account" from Google.
Tip: You can check if your password has been stolen using sites like Firefox Monitor.
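The two points above, generating a strong master password and checking whether a password already appears in a stolen-password database, can both be done locally. The script below is an added example, not code from the original post: it builds a random passphrase with the operating system's cryptographic random source and performs a breach lookup that never sends the password itself. The lookup assumes the Have I Been Pwned "range" API format (Firefox Monitor's breach data comes from Have I Been Pwned): the client sends only the first five hex characters of the password's SHA-1 hash and receives lines of "<remaining 35 hex chars>:<count>". The word list and the API response in the block are constructed samples.

```python
"""Generate a random passphrase and check a password against a breach corpus
without sending the password anywhere.

Added example; not code from the original post. The breach check assumes
the Have I Been Pwned "range" API format (Firefox Monitor's breach data
comes from Have I Been Pwned): the client sends only the first five hex
characters of the password's SHA-1 hash and receives lines of
"<remaining 35 hex chars>:<count>". The word list and API response below
are constructed samples.
"""
import hashlib
import math
import secrets
import urllib.request

# Constructed mini word list; a real list such as the EFF's long list has 7776 words.
SAMPLE_WORDS = ["castle", "moat", "lantern", "harvest", "granite", "meadow",
                "copper", "pilgrim", "anvil", "orchard", "beacon", "ledger"]


def generate_passphrase(wordlist, n_words=5, separator="-"):
    """Pick words with the CSPRNG in `secrets`, never the `random` module."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(wordlist_size, n_words):
    """Entropy of n uniformly chosen words: n * log2(list size)."""
    return n_words * math.log2(wordlist_size)


def sha1_prefix_suffix(password):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the service and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password, range_response):
    """Number of breach occurrences for `password` in a range response, or 0."""
    _, suffix = sha1_prefix_suffix(password)
    for line in range_response.splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup (needs network): only the 5-char prefix leaves the machine."""
    url = f"https://api.pwnedpasswords.com/range/{prefix}"
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8")


def is_breached(password):
    """Live check combining the prefix query with the local suffix match."""
    prefix, _ = sha1_prefix_suffix(password)
    return breach_count(password, fetch_range(prefix)) > 0


# Constructed range response for prefix 5BAA6 (the SHA-1 of "password" starts
# with 5BAA6); the other suffixes and all counts are made up for the example.
SAMPLE_RANGE_RESPONSE = """0018A45C4D1DEF81644B54AB7F969B88D65:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
011053FD0102E94D6AE2F8B83D76FAF94F6:1
"""

if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS)
    bits = passphrase_entropy_bits(len(SAMPLE_WORDS), 5)
    print(phrase, f"({bits:.1f} bits from this tiny constructed list)")
    print("'password' seen in breaches:", breach_count("password", SAMPLE_RANGE_RESPONSE))
```

Five words drawn from a 7776-word list give about 64.6 bits of entropy, which is why a written-down passphrase of that shape is a sound master password; the tiny list in the block gives far less and exists only so the code runs offline. The breach check matches on the 35-character suffix locally, so the service learns only that your hash starts with one of 1,048,576 possible prefixes.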
Activate passwords/passcodes on your devices
This should go without saying, but ensure that laptops, desktops and phones all have a password or code lock enabled. Use the same type of strong password as you use for your password manager (above), and use biometrics (below) so you don’t have to enter it all the time.
Turn on automatic screen lock
Since everyone eventually leaves their device unattended, every device should automatically lock after a short period of inactivity. Set devices to lock after 5 minutes or if they are closed or turned off manually.
Use device biometrics
Once you’ve activated screen lock, it can quickly become tedious to enter and re-enter your password. Fortunately, the last few generations of devices have come with biometrics like fingerprint lock and facial recognition.
These are generally well implemented: for example iPhones with face recognition will still prompt the user to enter their full password periodically, based on time passing, failed recognition attempts, and other risk factors. Once you’ve turned on biometrics, increase the complexity of your device password because you won’t need to enter it as often.