2020 marked a monumental push in the healthcare IT community to help independent practices become more aware of the data and system security threats, and the corresponding safeguards, that come with working from home.
While much of what we saw in 2020 is certainly still valid, a year on, the remote or hybrid work setup for practices has surfaced additional complexities that this article aims to address. My goal is to offer several tips for anyone starting to set up remote capabilities for employees who don’t typically work from home, as well as for those with existing work-from-home staff. As a recap, here’s our 2020 Data Security Checklist:
- Require multi-factor authentication (MFA, or 2-factor authentication) on as many accounts as allow them, especially banking and email accounts.
- Make sure you have automatic updates enabled on your computers and mobile devices.
- Make sure you have anti-virus and anti-malware software on your computers and mobile devices. (Windows and macOS include these by default; just make sure they’re enabled and up to date.)
- Make sure that your data is backed up.
Now for 2021, when security professionals and IT leaders think about security, we tend to think about securing devices and deploying security tools. When hackers think about security, they think about people. Who is most vulnerable to phishing attacks? Who has the most privileged accounts? If one person opens the wrong email, even the most well-designed and implemented security measures may not be enough.
COVID-19 has exposed some security challenges when people who usually work in an office start working from home:
- When an employee working from home receives a suspicious email or text, they can’t turn to the person sitting next to them and ask, “Did you get this, too?” Instead, they’re stuck evaluating the email or text on their own and may be more inclined to respond in a way that is unsafe (instead of reporting it to your security team).
- Your office may have excellent security measures and practices in place, but what happens when your employees work from home? Do their Wi-Fi routers still have the default passwords? Have they opened up their home network (using port forwarding, for example) to attacks without knowing about it? Are they storing sensitive documents on the same computer that spouses or children use? Are they throwing documents with PHI on them in their trash without shredding them? Do they have Wi-Fi printers that are highly vulnerable to attack? Are they using their phones and other mobile devices to access data over an unencrypted Wi-Fi network?
- Multi-factor authentication (MFA) becomes even more important with employees working outside of a protected network.
- Security awareness training needs to be emphasized even more, now that employees are working from home and don’t have some of the environmental safeguards present in most offices.
A major emerging threat is MFA attacks, meaning hackers are getting more and more skilled at finding ways around MFA. This does not mean that practices shouldn’t implement MFA wherever they can. It just means that MFA shouldn’t be considered a panacea. Common sense and security awareness training continue to be key. As always, MFA that involves an authenticator app is more secure than email- or SMS-based MFA.
The recent SolarWinds compromise illustrates the need to keep software up to date, especially highly privileged security software.
Many organizations’ security budgets have shrunk due to COVID, even though the attack surface has grown dramatically (expanding from just one or a few secured offices to include dozens or hundreds of employees’ homes).