Telework Security: Securing Home and Remote Workers
It goes by many names:
Telework.
Telecommute.
Work from home.
Remote work.
According to recently released data from the US Census, 5.2% of Americans – 8 million people – worked from home in 2017. Home workers include those in traditional employment relationships, as well as freelancers and contractors. For some, the home is their full-time office; others do work occasionally to respond to an email, complete a report, or take a call. Home workers include senior executives, computer programmers, case workers, medical billers, home care nurses, and many others. In need of a change of pace, home workers take their laptop to their favorite coffee shop for a few hours.
For many years, the loss or theft of unencrypted mobile devices was the largest category of HIPAA-related breach events reported to the HHS Office of Civil Rights. As encryption technologies have become more widespread, different issues have emerged. According to a survey by the mobile technology vendor iPass, more than 50% of CIOs worldwide believe that their mobile workers have been hacked or caused a mobile security issue in the last 12 months. For Wi-Fi related incidents, most have occurred at cafes, airports and hotels. CIOs believe that telework security risks have increased due to the rise of employee-owned devices, also known as “Bring your Own Device”, or BYOD. Issues also involve paper records, according to Shred-It’s 2018 State of the Industry Report, which states that 86% of senior leadership teams said data breaches are more likely to occur when employees are working out of the office.
Including Remote Security in your Risk Assessment
Based on these findings, Eagle Consulting Partners recommends including the issue of home and remote working in the HIPAA Security Risk Assessment. The risks will vary from organization to organization based on these and other variables:
- The type of employee working remotely
- Whether remote working is full-time or occasional
- The location of the worker – home, co-working space, airports, hotels or coffee shops
- The nature of the work and the sensitivity of the information involved
- Whether company-owned equipment or BYOD equipment is used
- The corporate information systems used by the worker
- For home working, individual factors: household composition, neighborhood crime rate, etc.
The Risk Assessment should drive the process of creating a formal, written policy. In practice, Eagle Consulting Partners has often written policies that permit an IT department or company owner to conduct individualized evaluations and to require or permit adjustments to the baseline security measures.
Based on risks identified in the Risk Assessment, and in establishing written policy, here is a list of safeguards to choose from:
- Physical Security of Home. Exterior doors and windows should be locked. For full-time home workers, a dedicated room for the home office is best. If there are other household members, such as children, a lockable door may be considered. For workers with highly sensitive information, such as senior leaders, home security systems should be considered.
- Home Router Security. A checklist for router security should be employed. This may include minimum technical specifications for the router and/or a list of required models, changing default admin password, enabling two-factor authentication whenever possible, enabling WPA/2 encryption, selecting a secure DNS, and ensuring that firmware updates are applied.
- Device Security. Security of laptops, smartphones, and even printers should be addressed. Mobile device management systems can be used to centrally manage and enforce secure configuration of both company-owned and employee-owned (BYOD) devices, including encryption. Security patches/updates should be applied. IT departments should evaluate risks of any solutions which require the employee to connect their device to the home office network for these updates to occur.
- Data in Motion. Security of data in motion is a top concern. Potential security measures include requiring VPNs to connect to the home network and/or prohibiting the use of public WiFi.
- Data Protection. Safeguards to protect data include the use of an organization-approved and managed file sharing service, such as Box or Citrix Sharefile, prohibiting the use of personal file sharing services, such as Google Drive or Dropbox, and attending to backup if the employee’s work involves files stored on the local device.
- Paper Documents. Policies should specify standards for secure transport and storage of paper documents. A home office shredder should be considered if sensitive paper documents are used or created.
- Household Members. Policies should prohibit household members from any inappropriate access to the organization’s assets – computers, smartphones, or paper records.
The Center for Internet Security has published Telework and Small Office Network Security Guide. This 28-page guide contains excellent material for organizations that want to include additional security measures.
There is no one-size-fits-all approach to security of remote workers. Organizations should carefully assess risks in deciding whether to permit remote work, and if so, should select appropriate safeguards based on the risks involved. Organizations that desire assistance with a Security Risk Assessment to evaluate telework security, and/or who desire assistance with crafting their written policies may contact Eagle Consulting Partners.