How Our Pharmacy Group Has Readied Secure HIPAA-Compliant WFH Policies


If anticipating a hybrid or remote workforce in the post-pandemic era, here are three best practices to ensure security

By Marshall Frost, VP of Corporate Systems, Avita Pharmacy

At our business and certainly across countless others, the COVID-19 pandemic forcibly accelerated work-from-home policies that were already very much on the roadmap. Any forward-looking organization had anticipated future expansion of remote work practices in some capacity. The pandemic demanded implementing such practices – and compressing the timelines incredibly thin to solve all questions around meeting data security and HIPAA compliance requirements – sooner than later.

Now that distributed workforces and work-from-home polices are in effect, they’re here to stay. Within our pharmaceutical company, multiple non-customer facing departments such as accounting, marketing, and IT are now 100% remote. There are no plans to return to offices, for these roles, in the future. Recent national expansions have also enabled us to benefit from the fact that our distributed workforce removes traditional restrictions typically placed on where we can pull talent. At the same time, there’s still nothing like the productivity of impromptu face-to-face meetings in an office setting. Coming out of COVID, we expect many businesses to operate with hybrid office/remote workforces that take advantage of the best of both worlds.

For businesses in the healthcare industry, one of the most crucial concerns with this shift is data security.

HIPAA regulations place strict requirements on data handling practices, in order to safeguard the protected health information (PHI) of individuals receiving medical care. Maintaining the effective access controls and data encryption that HIPAA calls for is one thing when devices reside within a secured office environment, but it is quite another feat when those devices could be anywhere. At the same time, HIPAA regulators aren’t interested in your data security’s degree of difficulty or whether a breach happens in the office or an employee’s home. Protected data is exposed all the same, and regardless your business will face the same dire consequences.

Here are three best practices for implementing HIPAA-compliant WFH policies that will serve you well long after COVID is safely in our rear-view mirror:

1) Leverage a comprehensive security technology stack, designed to secure devices no matter their location.

Healthcare businesses with remote workforces face two crucial needs. Employees need seamless access to PHI and company data to do their jobs productively. At the same time, any device containing or connecting to that data must deny access if lost, stolen, or otherwise compromised. Whether your employees use company-issued hardware or their own BYOD devices, the right security tool strategy can create a home away from home it comes to extending office-grade protections across distributed workplaces.

For example, we use BeachheadSecure to manage HIPAA-required data encryption and access controls. This cloud-based tool can remotely wipe or quarantine data, automatically revoke data access from any device deemed to be at risk, and specifically support remote workers with two-factor authentication and geofencing-based security processes. Endpoint security, anti-virus and malware protection, and threat mitigation are further essential components of an end-to-end security stack ready to protect a remote workforce from HIPAA violation. It’s also wise to enforce remote security using cloud-based solutions: we use threat mitigation from Cisco Umbrella, and CrowdStrike for endpoint protection. We also have implemented Microsoft Endpoint Manager to allow data access from only enrolled devices, whether they be company-issued or BYOD.

Finally, I recommend allowing access to your most sensitive data only through an encrypted VPN tunnel, and not allowing this data to reside on employee-used devices. You can’t be too careful with your HIPAA compliance and PHI protections, and this is a practice that has served us well.

2) Reproduce familiar office work patterns for remote workers, leveraging the cloud where possible.

Eliminating functional differences between office and remote work allows employees to be more comfortable, productive, and secure. Ensure that your workforce can sit down in either environment and have the same applications, access, and communication channels at their disposal. Facilitate employee preferences in this area as much as possible: if employees need identical desk phones or office chairs at home to optimize their efficiency, so be it.

Migrating resources to the cloud and adopting cloud-based or SaaS-provided solutions is another effective way to provide uniform and secure employee experiences across physical locations. In our case, a greater pivot to the cloud was one of those projects accelerated by the pandemic. If cloud transformation represents a long-term goal for your business, putting the pedal down on those projects can pay dividends when it comes to enhancing and ensuring the safety of remote work environments.

3) Implement a robust employee training regimen to protect employees from themselves.

Say it with me: employees’ own behavior is the greatest threat to an organization’s security. While it’s crucial to have all the right security tools in place, there are only so many dangerous URLs you can block, only so many protective limitations you can impose. If an employee clicks a link in an attacker’s email and downloads a malicious file that exploits a zero-day issue, the best security can’t help anymore. To avoid such scenarios, your team needs to be a human firewall.

Achieving this means committing to an effective employee training solution. Our company uses KnowBe4 for its security awareness training modules that our employees must complete throughout the year. After training employees to recognize phishing emails, we then regularly test our employees with simulated phishing attacks. Those who fail the test go back for additional training. I recommend adopting a similar continuous training program to any business with IT exposure, especially any in the healthcare field. Our program has certainly yielded results, and made our employees very aware of what they’re clicking.

Lastly, healthcare businesses must stay on top of the latest security trends, such as specific ransomware threats as they get reported, and have a solid disaster recovery plan at the ready in case the worst happens. For most businesses in our field and others governed by HIPAA requirements, the work-from-home policies and security measures driven by the pandemic are here to stay, and it makes sense to prepare for this new normal now.

About the Author

Marshall Frost is the VP of Corporate Systems at Avita Pharmacy. Prior to his current role, Frost was the VP of IT and Vendor Management at Longs Pharmacy Solutions. He holds a Doctorate of Pharmacy (PharmD) from the University of Georgia College of Pharmacy.



Source link