As a result of the pandemic, many businesses have closed their offices and have employees working from home, which is an excellent compromise for keeping operations ongoing and while keeping employees safe.
However, the shift to working from home is a big jump for many companies and their employees, mainly if an existing remote work policy isn’t in place. Organizations need to tread carefully because, with certain exceptions for the public health emergency, coronavirus doesn’t change their security and compliance obligations.
This is especially critical for organizations that process electronic protected health information (ePHI) and for employees that deal with valuable or sensitive data. If the appropriate precautions aren’t taken, companies could breach regulations like HIPAA or PCI DSS and face the significant penalties that come with violations.
They may also have their sensitive data stolen by cybercriminals or leaked through negligence, which could lead to all kinds of problems, ranging from the theft of intellectual property to blackmail.
How Can Organizations Establish a Secure & Compliant Remote Work Policy
Even in these difficult times, a secure and compliant remote work policy needs to be designed carefully. It needs to meet company requirements and its employees, as well as any legal obligations and the needs of customers.
To address each of these needs, all of these stakeholders should be involved in the process. It’s critical to get legal advice and engage security experts to make sure that the policy and technical measures are adequate for your company’s unique circumstances.
A secure and compliant remote work policy should include:
- Who is covered, when, and in which situations.
- What are the organization’s responsibilities and obligations.
- What are the employee’s responsibilities and obligations.
- What hardware and software must be used, and in what configurations.
- What security and privacy measures should be in place.
- How reliability and availability will be ensured.
Companies may still have specific legal obligations for their remote workers, so a secure and compliant remote work policy needs to take these into account. For example, the company may still need to take measures to ensure that laws such as the Fair Labor Standards Act are followed and that employees are working in a safe environment.
Once your company has developed its remote work policy, it should have each of its employees sign it so that they are aware of the expectations and committed to following them.
What Security Measures Do Companies Need as Part of Their Remote Work Policies?
The particular measures will vary from situation to situation, depending on a company’s setup, the regulations it is subject to, the data assets it has, as well as how it transmits and stores valuable or sensitive information.
Some measures for remote work, found in the HITRUST and other security guidelines, include:
- All data should be encrypted when it is transmitted over public networks. FIPS-approved ciphers should be implemented in any of the security protocols used.
- Wireless access points should be encrypted with AES WPA2 as a minimum security standard.
- Emails and other digital messages should be protected from end-to-end and sensitive information should never be sent without encryption.
- Faxes should only be used for protected information if more secure alternatives are not possible.
- Employees should use VPNs to connect to corporate systems, and all traffic should flow through the VPN. Any access should be remotely logged and monitored. Unauthorized connections should be monitored and reviewed quarterly at a minimum, and appropriate actions should be taken after the review process.
- Effective authorization systems need to be in place for privileged connections and access to sensitive business information. Remote administration sessions should have heightened security measures in place.
- The authentication process for remote devices should include additional measures on top of passwords, such as the verification of IP or MAC addresses.
- Employee use of portable storage devices should be strictly controlled, and the information should be encrypted.
- Any data transfers outside of controlled areas require approval, and the details need to be recorded. Cryptographic measures need to be in place to protect the integrity and confidentiality of data when it is transferred.
- Sensitive or valuable data should not be available to unauthorized individuals or left unattended. This includes leaving the information out on desks, on printers, or viewable by others on computer monitors.
- External services (such as new SaaS vendors) should not be used to store or transmit information without prior approval.
- Controls and training should be in place if personal devices are allowed to be used in the workplace.
Solutions for Secure & Compliant Remote Work
In the wake of the rapid spread of coronavirus and the significant changes it has brought, many companies are scrambling to provide secure and compliant remote work solutions to their employees.
This poses a significant challenge because when new systems are implemented abruptly, it can easily lead to mistakes. If these errors involve data leaks or compliance violations, they can have substantial long-term consequences for businesses.
To minimize risk, the best option is to use well-established and specialized solutions like LuxSci’s many offerings. All of our products are designed to be secure and comply with various sets of regulations and optimize our users’ workflows.
These services include our secure and HIPAA-compliant email service, as well as tools like SecureText. The rise of coronavirus may have permanently changed work environments, but adopting LuxSci’s safe and carefully designed tools can help prevent further threats from harming your business in these difficult times.