Safely working via remote access

June 05, 2020
by Sean Ruck, Contributing Editor
Businesses have increasingly tapped into technology to create remote working opportunities for employees. It’s been used to power companies that need the people, but don’t have the space, to entice the best and brightest who might not be willing to relocate or have long daily commutes, and to help stagger work schedules to have someone from a company available at all hours of the day. For healthcare, remote working solutions have largely been the story of teleradiology. Telehealth and online consultations and check-ins have been on the rise as well, but due to the situation caused by the COVID-19 pandemic, there’s a slew of other services and employees unexpectedly being delegated as offsite work-from-home staff.

Unlike teleradiology and telehealth, the off-siting of these other jobs didn’t have the benefit of small, controlled rollouts, extensive employee training, troubleshooting and all the other planning that goes into a successful process. Instead, hospitals and healthcare systems are improvising and working with systems and tools that might not be up to the task.

Demi Ben-Ari, CTO at Panorays, a company that automates third-party security life cycle management, offered advice for hospitals when it comes to work-from-home staff and access.

“To ensure the security of PII and the healthcare information of patients, security and compliance leaders should be creating mechanisms to access secure systems outside of the workplace,” he says.
To that end, Ben-Ari says there are two important considerations. “First, teams are likely doing shifts around the clock and will sometimes need to sync. There should be some kind of secure way for them to receive information and provide assistance remotely. Second, there should be a secure way to communicate.”

For communications, texting and video calls aren’t necessarily secure. Meanwhile, apps have some security professionals alarmed. The increasingly popular Zoom for video conferencing has garnered warnings from some experts due to concern about the security measures it has in place (or lacks). So healthcare professionals need to carefully consider which platforms they use to collaborate, not just for ease of use, but for security as well. Some platforms may be secure if they’re properly configured, but could be at risk if a user just looks to download and connect.

Ideally, employees should be able to focus on their core work and bring their particular skill sets to bear while the work of determining which platforms will meet requirements is carried out by the IT professionals. Those professionals should ensure secure access to internal networks and internal data stores, according to Ben-Ari. He says there should also be secure communications established for video, audio and chat functions, and that tracking and authenticating the hardening (securing) of devices like laptops and smartphones should also occur.

If hospitals or healthcare systems don’t currently have professionals in-house with the experience and knowledge required to secure the systems, he recommends a third-party service provider with a trusted reputation in the healthcare industry be tapped to lead the charge.

However, IT should not be the only ones involved, especially since the work might result in unbudgeted expenditures (like the hiring of a third-party service provider). The challenge needs a team. In addition to IT, high-level management should be in the loop to ensure they understand what is permitted for accessing internal systems and which secure channels are being used for transferring patient information. “It’s important that management plays a role because they will be held liable if there is a breach,” he says.

There’s another challenge that healthcare faces with employees working from home, but the industry isn’t the only one in that boat. With far more people logging on remotely than ever before, and with streaming services seeing increased use as people who might not have relied heavily on the internet for their jobs are now home and trying to stay entertained, the whole system is experiencing an unprecedented rate of use. Ben-Ari says that overload of the system will result in database transfer disruptions. Weak internet access will result in increased security issues, because people will then look for bypasses like VPNs, which will cause security problems since VPNs can’t be tracked. And because of connectivity problems, people may also switch from Zoom-like platforms to platforms with even less security control that could cause misconfiguration or abuse.

Ben-Ari recommends single sign-on, multi-factor authentication, passwords for meetings and the avoidance of permanent links for meetings.

He offered a final piece of advice: “It’s important to continuously track implementation. When you open a channel to an internal system, track the access, even on a daily or weekly basis. It’s important to go over the communication and possible breaches or attempts at breaches. Remote working as a consequence of COVID-19 should be considered like wartime, and it should be handled the same way.”