Zane Smith

Telehealth and HIPAA

Photo by National Cancer Institute on Unsplash

With the national emergency of COVID-19, many health providers are turning to alternative methods of providing health care to their patients. These include phone calls, video conferencing, internet sites, store-and-forward imaging, and streaming media, to name just a few specific technologies. All of these technologies can broadly be considered Telehealth, since they all deliver clinical health care at a distance.

In the middle of this national emergency, many providers sought to provide excellent clinical healthcare while maintaining social distancing. New technologies emerged, and many new and innovative ideas came to life. Now many providers are wondering whether these new innovations are compliant under HIPAA and HITECH.

During the national crisis, you can set those concerns aside. The U.S. Department of Health and Human Services has stated that covered healthcare providers will not be subject to penalties for violations of the HIPAA Privacy, Security, or Breach Notification rules that occur in the good-faith provision of Telehealth during the crisis. Bad-faith actions would include using Telehealth services to conduct a criminal act, disclosing patient data beyond the Telehealth environment in violation of the Privacy Rule, violating state licensing laws or professional ethics standards, and using public-facing remote communication products such as TikTok, Facebook Live, Twitch, or similar products.

When working with a Telehealth product, you should keep in mind these guidelines:

  • Health care providers should conduct Telehealth in private settings. Providers should always use a private setting, and patients should not receive Telehealth services in public or semi-public locations (absent patient consent or exigent circumstances).
  • When choosing an internet-based Telehealth platform, be sure that the platform supports both individual user accounts and end-to-end encryption of the session. Most internet-based platforms offer these options, but validating that they are enabled and actually in use is a best practice for all Telehealth services.
  • You should have a Business Associate Agreement (BAA) signed with your Telehealth provider, especially those providing internet-based services.
  • Once Telehealth services are enabled, you are required to update your HIPAA Risk Assessment to include the Telehealth services within your overall practice risk assessment.

If you have further questions regarding HIPAA and Telehealth related services, Black Cat Security Partners is available to help answer them. We can also do many parts of the HIPAA Risk Assessment remotely. Please contact us to arrange for your free HIPAA Gap Assessment or to ask your cybersecurity questions.


6 thoughts to consider when employees work from home.

Child and Black Kitten touching a laptop
Photo by Charles Deluvio on Unsplash

Many businesses are finding a new challenge in maintaining a remote workforce, especially if they have thrived without one in the past. Remote workforce technologies have expanded, and remote home offices have become a necessity rather than a privilege. Unfortunately, most businesses’ policies and procedures have not kept pace with these trends. If your business needs to have employees work from home, here are a few thoughts you might consider:

  1. Keep an updated list of your remote employees: It’s important to know which employees are working remotely and to have a detailed list of them and of the information they have access to. This is crucially important in the event of a breach of an employee’s home computer or network, because it lets you understand the reach of the breach within your business. This information also comes in handy if one of those employees leaves the company, as you would already have a detailed list of the data they accessed.

  2. Identify business hardware that is deployed with your employees: An up-to-date inventory of all computer hardware, disks, media, and software deployed at your employees’ homes is critical. Employers should track serial numbers, product keys, and other identifying markings in their asset log to validate that all deployed hardware is accounted for. Keeping an accurate and up-to-date list may seem like a burden, but it is needed: what is crystal clear today may not be so 2-3 years down the road.

  3. Update Security Policies: If you are allowing employees to work remotely, then your business security policy should reflect that. Policies help employees know what is permitted and provide an enforcement mechanism to protect your business data. Additionally, if your business is required to maintain compliance with a security standard, updating your security policy to reflect the compliance requirements while working at home is a must.

  4. Require Encryption: Encryption should be required for any work material being accessed at home. Most internet sites already encrypt traffic going over the internet (you can verify this by looking for the https:// prefix in your browser’s URL bar). However, employees who store information on home computers need to take appropriate measures to keep the material safely stored. This may include:
    • Purchasing or configuring a Full Disk Encryption software package (examples would be BitLocker on Windows or FileVault on Mac) that encrypts the local hard disk, so that all data stored on it is inaccessible without the key.
    • Purchasing a USB disk that enforces encryption. We recommend a product called IronKey (URL: https://ironkey.com) for this purpose.
    • Not allowing downloads to the local workstation. Using online file viewing and editing software means the critical data never leaves your network and is thus protected online.
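Items 2 and 4 above describe two controls that are easy to state in a policy but hard to prove across dozens of home offices: an asset log keyed on serial numbers, and full-disk encryption that is actually on and finished encrypting. The script below is an added example, not part of the original post and not a Black Cat Security Partners tool: it gathers the identifiers an asset log needs from a Windows endpoint and checks every BitLocker volume, reporting the device as compliant only when protection is on and encryption has completed. It assumes Windows 10/11 Pro or Enterprise (the BitLocker PowerShell module is not present on Home editions), an elevated PowerShell session, and a report path that is an assumption you can change.

```powershell
# Added example (not from the original post): inventory identifiers plus a
# full-disk-encryption check for one Windows endpoint. Assumes Windows 10/11
# Pro/Enterprise, an elevated session, and the BitLocker PowerShell module.

$report = [ordered]@{
    Hostname     = $env:COMPUTERNAME
    Collected    = (Get-Date).ToString('s')
    # The identifiers the asset log in item 2 should carry.
    SerialNumber = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    Model        = (Get-CimInstance -ClassName Win32_ComputerSystem).Model
    OSVersion    = (Get-CimInstance -ClassName Win32_OperatingSystem).Version
}

# Check every volume BitLocker knows about, not just C:, since work data often
# ends up on a second disk or partition.
$report.Volumes = foreach ($v in Get-BitLockerVolume) {
    [pscustomobject]@{
        MountPoint       = $v.MountPoint
        VolumeType       = $v.VolumeType         # OperatingSystem or Data
        ProtectionStatus = $v.ProtectionStatus   # 'On' means the key protectors are enforced
        VolumeStatus     = $v.VolumeStatus       # 'FullyEncrypted' vs. still in progress
        EncryptionMethod = $v.EncryptionMethod
        KeyProtectors    = ($v.KeyProtector | ForEach-Object { $_.KeyProtectorType }) -join ','
    }
}

# A volume protects data only when protection is On AND encryption has finished:
# "BitLocker on" with EncryptionInProgress still leaves plaintext on disk, and
# a FullyEncrypted volume with protection Off (suspended) is readable by anyone.
$nonCompliant = $report.Volumes | Where-Object {
    $_.ProtectionStatus -ne 'On' -or $_.VolumeStatus -ne 'FullyEncrypted'
}
$report.Compliant = (@($nonCompliant).Count -eq 0)

# Report path is an assumption; point it at wherever your asset log is collected.
$outFile = Join-Path $env:USERPROFILE 'asset-report.json'
[pscustomobject]$report | ConvertTo-Json -Depth 4 | Out-File -FilePath $outFile -Encoding utf8
[pscustomobject]$report | Format-List
```

Run it once when a device is issued and again on a schedule; comparing the JSON against your asset log catches both unrecorded hardware and volumes where BitLocker was suspended (for example after a firmware update) and never resumed.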

  5. Detail Expectations for Transit: Every year laptops, hard drives, computers, and other electronic equipment are stolen from personal vehicles. We suggest that, when possible, employees load equipment right before leaving the office and travel straight home to unload it. This reduces the time the equipment spends unattended in a vehicle. While considering this policy, it is also a good time to verify whether your business insurance covers the theft or damage of business property in an employee’s vehicle.

  6. Create clear separation: Many homes today have multiple computers, and employees may be tempted to log in from whichever is most convenient. Unfortunately, this can create new security issues, including:
    • Other users creating vulnerabilities. Home computers are typically shared by the members of the household, and the types of sites accessed are much broader than what would be legitimately accessed on a work PC.
    • Weak security measures deployed on the home PC. Many home PCs do not meet the standards of corporate security measures. Problems may include a lack of security software, missing security patches, and potentially antiquated operating systems.
    • Unauthorized Access. Multiple users on a home computer may allow non-employees the ability to access business data stored on the local computer, or access shared systems using the employee’s saved credentials.

For these reasons, we highly suggest deploying company-managed computer assets at home if a work-from-home strategy is contemplated. Having a business device at home provides clear and deliberate separation between home and work, and it has the benefit of allowing that device to be returned when no longer in use.

Black Cat Security Partners is ready to help you build your telework security plan. Please let us know how we can help you create peace of mind in these challenging times!
