Remote work is a mandate for many companies during the coronavirus (“COVID-19”) pandemic. With so many employees working from home, companies face increasing privacy and data security challenges as they conduct business remotely while attempting to protect sensitive data from unauthorized access and use.
Organizations must ensure that they are implementing the proper security and privacy measures necessary for secure remote work. Below is guidance on the most pressing data security and privacy issues:
Your employees must access sensitive information from your network to do their work. They are now doing so over their home networks and, in some cases, on their personal computers, neither of which is as secure as corporate networks and equipment. When employees use personal devices, it is much more difficult to prevent, identify, and mitigate a data breach. Ideally, employees working remotely should be using a secure company computer system, a digital workspace platform (e.g., Citrix), or a remote connection through a secure virtual private network (VPN). Using a VPN and keeping employees off public networks to the extent possible decreases the chances of security breaches and cyberattacks.
Added Security Measures
Multifactor authentication is a strong step toward preventing attackers from gaining access through employee credentials. Multifactor authentication requires a user to enter at least two credentials before being granted access to the network. Additionally, reminding employees not to save personal or confidential information to their personal devices or print it outside company premises, and asking them to review company policies, are good ways to get your team started on the right foot.
Vendors and Disruption
Your company shares sensitive information with many vendors and suppliers, which now face their own remote-work security challenges. You are entitled to ask how they are protecting that information while their employees work remotely. Review your vendor agreements to better understand their business-continuity plans and remote-work plans, and how they will respond to business interruptions. In some cases, vendor contracts may need to be amended.
The Health Insurance Portability and Accountability Act (HIPAA)
It continues to be important to understand and comply with HIPAA’s Privacy and Security Rules, which is more difficult with remote work. The U.S. Office for Civil Rights (OCR) has emphasized that the COVID-19 pandemic does not relieve HIPAA-covered entities and business associates of their obligations, with the exception of providers leveraging telehealth platforms (i.e., using video chat, cell phones, or computers to examine patients exhibiting COVID-19 symptoms). OCR announced that it will not impose penalties for noncompliance against providers using such platforms that may not comply with the Privacy Rule during the COVID-19 crisis.
Scams and Phishing E-Mails
According to the Food and Drug Administration and the Federal Trade Commission, there has been an increase in the number of reports related to fraudulent COVID-19 cures, fake charities requesting donations, and phishing e‑mails claiming to be from government entities with information relating to the pandemic.
To help ensure that you do not become a victim of a COVID-19 scam or cyberattack, remind your employees now:
- Don’t open unsolicited e‑mails from people you don’t know;
- Never click on links from sources you don’t know;
- Hover your mouse over links to see where they lead;
- Research charities or crowdfunding sites before donating;
- Be on high alert when you see “investment opportunities” in connection with curing COVID-19; and
- Be wary of e‑mails claiming to be from the Centers for Disease Control and Prevention or experts saying that they have information about COVID-19. To obtain the most up-to-date information, visit the Centers for Disease Control and Prevention website.
Handling of Paper Mail and Checks
With many businesses having moved to a remote workforce and buildings closed to meet “shelter-in-place” requirements, some of the last vestiges of paper mail must be addressed. Many companies are engaging outside services that can handle rerouted mail delivery, scan mail to key contacts at a company, and, if paper checks are part of that mail delivery, scan and deposit checks. If you are looking to third-party services, it is important to complete due diligence and confirm that they hold the certifications required to continue meeting industry security, banking, and HIPAA rules and regulations.
Our data security and privacy team is currently helping many companies work through the complicated data security and privacy issues involved with responding to COVID-19. Please let us know if you need help on data security best practices, vendor contracts, compliance with legal requirements, and industry-specific rules.