For MSPs supporting the myriad businesses under HIPAA’s purview, the pandemic forcibly accelerated work-from-home policies that were, for many, already on the roadmap. Any forward-looking organization had anticipated future expansion of remote work practices. But the pandemic meant implementing such practices whether they were ready at that point or not – and left MSPs scrambling to answer all questions around meeting data security and HIPAA compliance requirements.
Now that distributed workforces and remote work polices are in effect, they’re here to stay. Many MSPs have helped clients make the best of these forced changes, ensuring that non-customer facing departments can operate efficiently while being 100 percent remote, with no plans to return to the office after the pandemic.
Thanks to flexible MSP support, many businesses with distributed workforces are also now untethered from traditional geographic restrictions on where they pull talent from, much to their benefit. At the same time, there’s still nothing like the productivity of impromptu face-to-face meetings in an office setting. Coming out of COVID, the general consensus is that many businesses will operate with hybrid office/remote workforces that take advantage of the best of both worlds.
Best practices for implementing HIPAA-compliant work-from-home policies
For MSPs supporting clients in the healthcare industry, the most critical concern with this shift is (and, really, always has been) data security. As these MSPs well know, HIPAA regulations place strict requirements on data handling practices, in order to safeguard the protected health information (PHI) of individuals receiving medical care.
Maintaining the effective access controls and data encryption that HIPAA calls for is one thing when employee-used devices reside within a secured office environment, but quite another feat when those devices could be anywhere. At the same time, HIPAA regulators aren’t interested in data security degree-of-difficulty or whether a breach happens in the office or an employee’s home: protected data is exposed all the same, and both the business and its MSP will face the same dire consequences.
Here are three MSP best practices for implementing HIPAA-compliant work-from-home policies that will serve clients well long after COVID is in the rear-view mirror.
Leverage a HIPAA-compliant security stack to secure remote devices
Healthcare businesses with remote workforces face two significant requirements. One: employees need seamless access to PHI and company data to do their jobs productively. Two: any device containing or connecting to that data must deny access if lost, stolen, or otherwise compromised. Ticking both boxes is a necessity but not always easy. Whether a clients’ employees use company-issued hardware or their own BYOD devices, the right security execution can create a home away from home when it comes to extending office-grade protections across distributed workplaces.
Any MSP-delivered security technology stack for healthcare-industry clients should include tools designed to manage HIPAA-required data encryption and access controls. Such tools should be able to remotely wipe data in case devices become compromised, and revoke data access from any device at risk. Features that specifically support remote workers, such as two-factor authentication or geofencing-based security protections, are especially welcome. Endpoint security, anti-virus and malware protection, and threat mitigation are further essential components of an end-to-end security stack ready to protect a remote workforce.
Finally, MSPs I’ve talked to recommend allowing employee access to clients’ most sensitive data only through an encrypted VPN tunnel, and not allowing this data to reside on employee-used devices. You can’t be too careful with HIPAA compliance and PHI protections, and this is a practice that serves many businesses and MSPs well.
Reproduce familiar office work patterns
Migrating resources to the cloud and adopting cloud-based or SaaS-delivered tools is another effective way that MSPs can provide uniform and secure experiences for their clients’ employees across physical locations. If cloud transformation is a long-term goal for a client, putting the pedal down on those projects can pay dividends when it comes to enhancing and ensuring the safety of remote work environments.
If clients are struggling with the shift to remote work and looking for advice, MSPs should encourage them to eliminate functional differences between office and remote environments. Doing so allows workers to be more comfortable, productive, and secure. They can also help to ensure that employees can sit down in either environment and have the same applications, access, and communication channels at their disposal. Further, MSPs can help to facilitate employee preferences in this area as much as possible, and tell clients to do the same on their end: if employees need identical desk phones or office chairs at home to optimize their efficiency, so be it.
Implement a robust employee training regimen
Employee behavior remains the greatest threat to an organization’s security. While it’s crucial for MSPs to have all the right security tools in place, there are only so many dangerous URLs that can be can blocked, and only so many protective limitations that can be imposed. If a client’s employee clicks a link in an attacker’s email and downloads a malicious file that exploits a zero-day issue, the best security can’t help anymore. To avoid such scenarios, the client’s team needs to be a human firewall.
Achieving this means implementing effective employee training. There are services and tools out there, like HIPAA Secure Now, that can provide feature security awareness training modules which employees must complete throughout the year. After training employees to recognize phishing emails, many solutions will then regularly test employees with simulated phishing attacks. Those who fail a test go back for additional training. Programs like these certainly yield results, and make employees very aware of what they’re clicking.
Lastly, MSPs supporting healthcare businesses must stay on top of the latest security trends (such as the specific ransomware threats that are being reported), and have a solid disaster recovery plan at the ready in case the worst happens.
Photo: Tero Vesalainen / Shutterstock