HIPAA @ Home: Part 3
This article is the last in a three-part series on cybersecurity best practices for remote work.
In the previous post, we looked at a number of measures that you can take to boost the security of your remote working environment, including Defense in Depth, end-to-end encryption, encrypting data at rest, ad blockers, password managers, password activation, automatic screen lock, and device biometrics. This post will examine the remaining measures outlined at the beginning of this series.
Turn on 2FA/MFA on critical admin accounts
There are three “factors” that you can use to authenticate yourself:
- Something you know: a password or passcode (the usual)
- Something you have: a key to a door, an RFID card, a Yubikey, your phone
- Something you are: your fingerprint, your face, your retina
Two Factor Authentication (2FA) and Multi-Factor Authentication (MFA) dramatically increase security beyond a password alone by requiring both a password and one of the other factors to be presented. For example, if an attacker gains access to an admin password (relatively easy) but does not have the second factor, they will not be able to log in.
MedStack uses the most popular current form of 2FA called a time-based one-time password (TOTP), most commonly used with the apps Google Authenticator and Authy. Effectively your phone generates a code which changes every 30 seconds, and you enter the code along with your password. This proves that you physically have your phone in your possession when you log in.
Does everyone need to use 2FA for everything? In an ideal world we all would, but as of today it can be a pain to set up and use, so we recommend that you focus on enabling it for your critical administrative accounts.
Own your workers’ computers
Even though your workers are at home, they should be using computers that you provide to them. There are many ways to attack a user and a computer, and a lot of them involve channels that might not be obvious like games, illegal downloads, and personal email phishing attacks.
If you own the computer then you can restrict the use of the machine in reasonable ways and manage it centrally using Mobile Device Management (MDM).
Mobile phone ownership is not as clear-cut. Some organizations (such as hospitals) also purchase phones for their employees, especially if those employees will access PHI on the mobile device. That is a logical step, as it allows the organization to exercise total control over the device through MDM (see below).
On the other hand, mobile phones are intrinsically more secure by default, especially iOS devices, and usually aren’t used to access the most critical administrative systems. And if you have ever met anyone who has to carry two phones, you know that it can be a hassle.
See also: Why are iOS devices so secure? on Quora
Use Mobile Device Management
MDM software applies to phones, tablets, and computers. It allows you to track your devices and ensure that they have the latest operating system version installed, that a password is set, and that automatic screen lock is enabled after 5 minutes.
Most MDM solutions also allow you to remotely wipe computers, for example if they are lost or stolen. There are many more controls available, and how far you go to restrict what users can and can’t do depends on the sensitivity of the data on the device and how well your user understands cybersecurity.
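The checks described in this section are what an MDM compliance report boils down to. The following added example (not code from any MDM product) evaluates a constructed device inventory against the post's baseline: current OS version, passcode set, screen lock within 5 minutes, plus the disk encryption at rest covered in the previous part. The `LATEST_OS` table is a hypothetical stand-in for the version data a real MDM would supply.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Baseline from the post: automatic screen lock after no more than 5 minutes.
MAX_SCREEN_LOCK_SECONDS = 300

# Hypothetical "latest" versions; in practice these come from the MDM vendor's feed.
LATEST_OS = {"iOS": "17.4", "macOS": "14.4", "Windows": "10.0.19045"}


@dataclass
class Device:
    name: str
    platform: str
    os_version: str
    passcode_set: bool
    screen_lock_seconds: int   # 0 means automatic screen lock is disabled
    disk_encrypted: bool


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '10.0.19045' into (10, 0, 19045) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def evaluate_device(device: Device) -> List[str]:
    """Return a list of findings; an empty list means the device meets the baseline."""
    findings: List[str] = []
    latest = LATEST_OS.get(device.platform)
    if latest is None:
        findings.append(f"unknown platform {device.platform}")
    elif parse_version(device.os_version) < parse_version(latest):
        findings.append(f"OS out of date ({device.os_version} < {latest})")
    if not device.passcode_set:
        findings.append("no passcode set")
    if device.screen_lock_seconds <= 0 or device.screen_lock_seconds > MAX_SCREEN_LOCK_SECONDS:
        findings.append(f"screen lock not within {MAX_SCREEN_LOCK_SECONDS}s "
                        f"(is {device.screen_lock_seconds})")
    if not device.disk_encrypted:
        findings.append("disk not encrypted")
    return findings


def noncompliant_devices(devices: List[Device]) -> Dict[str, List[str]]:
    """Map each failing device name to its findings, for the report or for remediation."""
    report: Dict[str, List[str]] = {}
    for device in devices:
        findings = evaluate_device(device)
        if findings:
            report[device.name] = findings
    return report


# Constructed sample inventory for the demo.
SAMPLE_FLEET = [
    Device("laptop-01", "macOS", "14.4", True, 120, True),
    Device("laptop-02", "macOS", "13.6", False, 0, False),
    Device("phone-07", "iOS", "17.4", True, 600, True),
]

if __name__ == "__main__":
    for name, findings in noncompliant_devices(SAMPLE_FLEET).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Note that the version comparison is done on integer tuples: comparing "9.1" and "10.0" as strings would wrongly rank 9.1 as newer, which is a common source of false "compliant" results in home-grown checks.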
Install malware protection/antivirus
Likely you already have malware protection and antivirus installed and enabled on your computers. For Windows, it is an absolute requirement. For Mac, a tool like Malwarebytes is useful against browser malware. For mobile devices, we recommend malware protection for Android, but it is not needed or available at present for iOS.
Use a malware protection tool with central management so that you can purchase it for your whole team and verify that it is installed and active on every machine.
Store all work and data on the cloud, avoid backup problems
You probably have a good backup setup for your office workstations, but ensuring that remote devices get backed up is a challenge. In addition, if your users do backups at home, then you need to purchase backup drives and the security of the backup device also needs to be managed (such as encryption and access control).
For that reason, it’s fortunate that many workers are now doing all of their work on web apps and saving files into cloud storage systems like OneDrive, Dropbox, and Google Drive. Software developers use secure version management systems like GitLab and GitHub. As long as your people are using those cloud systems, then there’s no need to perform local backups.
Don’t use USB drives
USB/thumb drives are easily lost or stolen, and are rarely necessary with secure file sharing tools like Google Drive and Box, so we recommend that they not be used at all.
Don’t use paper, except for one case
Most modern businesses can avoid the use of paper, and that eliminates a whole category of work that would otherwise need to be done to store paper records securely.
The one exception is your master password for your devices and password manager, and the account recovery codes for 2FA/MFA. Store them on paper in a safe place like a drawer or file folder, so that a cyber attacker can’t access them. Ideally every employee will have a printer to print out the recovery codes.
Don’t put sensitive data like PHI on your devices
Sensitive customer data like PHI (Personal/Protected Health Information) needs to be handled very carefully. One simple way to manage it is not to download it onto workstations and devices at all. Keep the data on servers where it can be protected by the full strength of your information security program.
(If your employees are accessing PHI on their devices regularly as part of their work, then a significant number of additional protections will be needed which are outside of the scope of this article.)