How the Right Healthcare Compliance and Security Policies Protect Payors During COVID-19
The global spread of COVID-19 not only compelled health payors to expand the scope of their member coverage and services; it changed the way you and your teams work. Lockdowns went national and a large share of the workforce started to telecommute. To keep people safe and productive, many payors drafted ad hoc guidelines so that nonessential staff could work from home.
Though the rapid transition to remote work preserved a sense of operational continuity in a chaotic time, it also created new challenges. Here are some of the threats on the horizon for payors, and some actions you can take to make your healthcare compliance and security policies more effective.
Security and Compliance Challenges from COVID-19
The Department of Health and Human Services' response to the public health emergency has done some immediate good. The Office for Civil Rights' enforcement discretion on penalties for telehealth delivered over remote communication platforms has kept patients, members, and healthcare professionals safe while maintaining essential services. Yet that enforcement discretion is temporary, and healthcare organizations still need to take precautions to protect the privacy of members.
The impromptu home offices that employees have created are by their nature prone to HIPAA violations. Unless an employee has a dedicated, private workspace, family members may view or overhear PHI, which is an impermissible disclosure under HIPAA.
Additionally, most home networks enforce neither device authentication nor strong encryption, and the personal devices on them sit outside your patch and endpoint management. Without the right work-from-home procedures and practices, the access those devices have to your systems can be compromised. In fact, the FBI reports that cybercrime has quadrupled over the course of the pandemic, putting telecommuting operations at risk.
Enhancing Your Healthcare Security Policies
Though this new work arrangement poses some challenges, there are actions payor organizations can take now to balance privacy, security, and the physical health of their people. Certain compliance and security policies matter more than ever now that the risk from cybercriminals is heightened. Here are some of the precautions we recommend our clients take to prevent HIPAA violations down the road:
Providing Clear Guidelines to Employees
Before the pandemic, only two-fifths of organizations worldwide offered remote working options. Shelter-in-place orders accelerated the transition without giving organizations time to prepare their workforce for the shift. For many employees, working from home is an entirely new set of circumstances, and they will not intuitively understand how to maintain compliance and security standards in a far less controlled environment.
As well as implementing daily check-ins and communication platforms, your organization needs to spell out security best practices for remote workers: explain the additional threats of a work-from-home arrangement and give them the knowledge to protect themselves, your members, and your business.
Embracing Zero Trust
If your organization has not adopted a zero trust security model, there is no more waiting. You cannot prevent cybercriminals from ever reaching an access point in your systems; you can, however, block their progress when they do compromise an individual user or application.
Requiring every user, application, and device to authenticate and be authorized at each access, rather than once at the network perimeter, stifles attempts to exploit work-from-home scenarios: a stolen password or a compromised home machine gets an attacker to one resource under one policy check, not the whole network. It also lets employees work remotely from ordinary devices without the organization shipping everyone dedicated, locked-down hardware.
Enabling Virtual Desktops
The last few months have seen swarms of employees connecting to sensitive systems from their personal devices. Outside the confines of a managed office network, every exchange of data has a larger attack surface.
Giving employees access to virtual desktops can keep PHI and PII off the endpoint and out of reach of outside parties, since nothing but screen paints, keyboard input, and mouse movements travel between the client and internal infrastructure. Two caveats apply: the VDI session itself must be encrypted (TLS) and configured to block clipboard, file-transfer, and printer redirection, or data can still leave the virtual desktop; and the virtual desktop client should enforce your security policy on the client machine or, minimally, scan it for potential threats before allowing access to the virtual desktop.
Our consultants avoid HIPAA violations by only accessing our clients’ networks through virtual desktop infrastructure (VDI).
Improving Multi-Factor Authentication
Over the years, traditional passwords have proven susceptible to attack. As more employees work outside the corporate network, it is vital for payors to take additional steps to enhance compliance and security. Multi-factor authentication routinely proves its ability to block automated attacks and unauthorized individuals from reaching sensitive data within your organization. Here are a few of the strategies that yield the greatest results:
- Common Access Cards – The Department of Defense (DoD) has used the Common Access Card (CAC) for years as a secure, standardized identity credential that authorizes personnel to enter government buildings and log on to computer networks. The card's chip holds certificates and private keys, so a PIN-protected card also authenticates VPN connections from remote locations. With the right partner, healthcare payors can implement similar PIV-style smart cards, which are very difficult to forge or clone.
- Tokens – A related approach is the hardware authentication token, unique to its user, which plugs into any compatible device to authenticate (a FIDO2 security key is the common modern form). Though ordering enough tokens for your workforce takes time and money, it creates a hurdle that is hard for cybercriminals to replicate, because the secret never leaves the token.
- SMS Passcodes – The reactive nature of remote work under COVID-19 has left many organizations without the time or budget for the hardware that other multi-factor strategies require. Easy-to-use, one-time SMS passcodes let payors scale up their security quickly to meet the new situation. Treat them as a stopgap rather than a destination: NIST SP 800-63B restricts SMS as an out-of-band authenticator because codes can be diverted by SIM swapping or phished in real time, so plan to migrate users to app-based or hardware authenticators.
- Biometrics – In healthcare environments where employees share multiple devices, biometric authentication (facial recognition, voice prints, fingerprint readers, etc.) paired with a cryptographic key has been instrumental in shutting down attacks. As employees go remote, payor organizations can invest in USB fingerprint scanners or iris and facial readers that control access no matter where employees are. Keep the biometric template on the device, where it unlocks a locally held key; it should never be sent to or stored on a central server, since, unlike a password, a compromised fingerprint cannot be rotated.
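The SMS passcode option above is only as strong as the server-side handling of the code. The following Python is an added example, not code from the original article: a one-time passcode service that issues a six-digit code from a CSPRNG, stores only a salted hash of it, and verifies submissions with a constant-time comparison, a five-minute expiry, single use, and a lockout after five wrong guesses. The code length, TTL, attempt limit, and the `OtpService`/`PendingCode` names are assumptions; delivery of the code to the SMS gateway is left out.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6          # assumption: six-digit codes, the usual SMS format
CODE_TTL_SECONDS = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5         # assumption: a code is locked after five wrong guesses


@dataclass
class PendingCode:
    """Server-side record of one issued code; the code itself is never stored."""
    digest: bytes
    salt: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


def _digest(code: str, salt: bytes) -> bytes:
    # Salted hash so a leaked pending-code table cannot be replayed as-is.
    return hashlib.sha256(salt + code.encode("utf-8")).digest()


class OtpService:
    """Issue and verify one-time passcodes as the second factor of a login."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested deterministically
        self._pending = {}    # user_id -> PendingCode

    def issue(self, user_id: str) -> str:
        # secrets.randbelow is a CSPRNG; zero-pad so "000123" is a valid code.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)
        # Re-issuing replaces any earlier code, so only one is ever live per user.
        self._pending[user_id] = PendingCode(
            digest=_digest(code, salt),
            salt=salt,
            expires_at=self._clock() + CODE_TTL_SECONDS,
        )
        return code  # hand to the SMS gateway; never write it to a log

    def verify(self, user_id: str, submitted: str) -> tuple[bool, str]:
        """Return (accepted, reason). Only a 'mismatch' leaves the code live."""
        record = self._pending.get(user_id)
        if record is None:
            return False, "no_code_issued"
        if record.used:
            return False, "already_used"
        if self._clock() > record.expires_at:
            del self._pending[user_id]
            return False, "expired"
        if record.attempts >= MAX_ATTEMPTS:
            del self._pending[user_id]
            return False, "too_many_attempts"
        record.attempts += 1
        # Constant-time comparison: a timing leak would let an attacker
        # recover the code one digit at a time.
        if not hmac.compare_digest(_digest(submitted, record.salt), record.digest):
            return False, "mismatch"
        record.used = True  # single use: the same code can never be replayed
        return True, "ok"


if __name__ == "__main__":
    svc = OtpService()
    code = svc.issue("alice")          # in production this goes to the SMS gateway
    print("first use:", svc.verify("alice", code))   # (True, 'ok')
    print("replay:", svc.verify("alice", code))      # (False, 'already_used')
```

The attempt limit is what makes a six-digit code acceptable at all: without it, an attacker who can submit guesses at scale needs on average only half a million tries. The record is deleted on expiry and lockout so that a stale code can never be revived, and the hashed storage means a database read alone does not yield a usable code.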