About half of American workers have been forced to work from home by Covid-19, and it appears the shift may become the new norm. In April, nearly one in five CFOs surveyed by the Brookings Institution planned to keep at least 20 percent of their workforce working remotely.
And while there are some advantages to remote work, it also opens up security vulnerabilities. With this in mind, medical practices should put policies in place for handling IT for work-at-home staff. "Anything an employee does that creates a problem on their home computer could also affect clinic apps," says Curtis Woods with Integrated Solutions. "So practices need to start with oversight of the home computers. We've seen people not be cautious at home, and their computers had to be wiped and reloaded, which means lost work and downtime.
"There was an instance where a newly remote worker got ransomware on his home computer and it transferred to the clinic. The clinic network had to be restored from backup, which caused two days of downtime for the practice."
"A remote user, who forgets that his home computer is now also a work computer, might visit a website that was locked at the practice. This could expose their device to something harmful to the clinic, like a keylogger app that grabs passwords and keywords."
In June, malware attacks by a Russian-based group of hackers were found to specifically target remote workers. The malware waited on popular websites and even a news site, searching for a sign that the computer was hooked to a corporate or government network, such as the home computer using a virtual private network (VPN) that creates an encrypted channel from a computer to a network.
The hackers only used the VPN to identify who the user worked for. The attack came when the remote worker visited a public or commercial website on that computer. Then the malware used that vulnerability to infect their computer and, when that device reconnected to the corporate network, the malicious code was deployed in hopes of accessing the company's system.
"Everyone needs to follow a security policy that concentrates on how remote employees access data," says Drew Braden with Keep IT Simple. Policies should state that before accessing the clinic network, every computer used at home needs to be checked by IT professionals. They can verify that the operating system, apps such as Word and Excel, and malware and antivirus software are up to date and set to automatically update.
"Someone needs to check that computer and see what it has to make sure it is secure," Braden says. "You don't want to allow bad things to get through because you had no active monitoring on that workstation."
And management should perform a review of each remote user's access to clinic data. "Decide which files get accessed by which employees," says Chris Hosmer, also with Keep IT Simple. "While it might have made sense in the office, with firewall protection, for a larger group to have access to the accounting folder, it will lessen security risk to tighten that access for remote staff. Document who can access remotely, what they can download, and the systems they've been granted access to."
Also add procedures that IT techs, whether employees or outside contractors, must follow, such as calling a manager first to confirm someone has been granted work-at-home access to the system before opening the system and ensuring the remote-user's passwords are sufficient. "We need to know their wireless access is not set to 'public' or their router is not set to a default password, like 'admin'," Hosmer says. The practice should also schedule a regular review, at least annually, of remote computers.
A more sensitive situation to cover in policies is protocol in the case of a remote worker who quits, is fired, or falls ill for an extended length of time. "Obviously, IT can remove their access to your systems fairly easily through the firewall and lock that down," Braden says. But to ensure the employee has no files on their machine, IT will need remote access to their computer. It could avoid potential problems to have work-at-home users sign an agreement to allow the clinic access to the computer remotely and prohibit the user from storing or printing patient or clinic data.
So far, neither Woods, Braden or Hosmer have seen any major data leaks or crashes occur from work-at-home situations among their clients. "Based on the number of people working from home, though, it's something to take seriously because, it's a very bad outcome," Woods says. "Too many people think that these problems will never happen to them, until it happens to them."