by Mike Semel - published at April 15, 2020

You built a strong IT security environment based on people working from your offices, including firewalls, endpoint protection, access controls, and automated processes that align with your cybersecurity policies.

What is your new environment like, with so many people working from home? Are they using personally owned computers? Are they using their phones to take pictures of documents, permanently copying your sensitive documents and Protected Health Information to their personal iCloud with their family pictures?

ACTION ITEM #1: In March, everyone was in a mad rush to get users set up at home, get everyone set up with teleconferencing, and deal with remote access issues. The goal was to get everyone working. Now it is time to take a hard look at your current cybersecurity risks.

The U.S. Department of Health and Human Services Office for Civil Rights (OCR) that enforces HIPAA has been busy changing and relaxing regulations related to the COVID-19 pandemic. That doesn’t mean the OCR doesn’t care about enforcing HIPAA’s requirements to secure patient data. Be ready for them to enforce the rules that protect patient information.

You have two problems that need to be addressed now. The first is going through your new computing environment to look at it through a cybersecurity lens. Next will be updating your risk analysis and risk management plan.


ACTION ITEM #2: All endpoints, including personally owned devices, should be scanned to identify their current state of security.

ACTION ITEM #3: Many more users are now working outside your office’s firewall that protects your physical network. Their home connection is through the free router that came from their Internet Service Provider, not through a business-class firewall. Check out the cloud-based firewall services that extend business-class firewall protection to your remote workforce.

ACTION ITEM #4: Evaluating your current state of cybersecurity doesn’t mean just looking at devices. You must also talk to your users and ask them about how they are working with documents and where they are saving data.

In our client assessments we always find data on local computers, even at organizations that have written policies requiring data to be stored on encrypted servers. This is because the users have not been properly trained and because the I.T. department hasn’t out-thought all the ways that users can store sensitive and protected data in unsecure places that are not backed up.

ACTION ITEM #5: When was the last time you checked someone’s Downloads folder, their Desktop folder, or the Recycle Bin on their local computer? If you remote in and find data in those locations, you will know that data isn’t secure and backed up. If they are using a personally owned computer, that data is now permanently outside of your secure computing environment unless you move it back and have them delete it from any backups.

You also need to train your users not to save data on their desktops so they can get to it quickly. Teach them how to create shortcuts instead of moving files. Teach them to empty their Downloads folder and their Recycle Bin.

ACTION ITEM #6: If users are using their phone cameras to take pictures of documents to send to themselves, find a secure and compliant app or cloud service that will get them what they want without your sensitive or regulated documents permanently ending up with their family pictures.

ACTION ITEM #7: This is a good time to think about using terminal servers or virtual desktops that you can control. If someone leaves, your data doesn’t leave with them.

ACTION ITEM #8: Are people recording online meetings where sensitive or regulated information is being discussed? See who has access to those recordings, which may contain business secrets or Protected Health Information.

ACTION ITEMS #9: Check with your senior leadership to determine what is expected of furloughed or laid off workforce members. Are they still able to access their email? What about server shares?

Work with department managers to identify all areas outside of what the I.T. department manages.  Can furloughed or laid off workforce members still get to sensitive and protected data in cloud services, like bank and credit card accounts; health plans; and health record systems?


Things may have settled down a bit, but we still don’t know exactly what the future will look like. I’m hearing that the world won’t be going back to ‘business as usual’ soon, if ever. Until there is a COVID-19 vaccine there will still be restrictions that may affect users working in tight spaces.

A friend in an I.T. company just told me that he has his staff working successfully from home, and “they won’t be coming back to the office.” Why spend money on expensive office space if people can work from home?

Others have said that some of the people who were laid off or furloughed won’t be coming back. Their organizations are using COVID-19 as a reason to re-think their staffing needs.

ACTION ITEM #10: Now is the time to look for long-term solutions for a permanent remote workforce.


Everyone knows about HIPAA’s basic requirements for an ‘accurate and thorough’ Security Risk Analysis and Risk Management Plan, defined in CFR 164.308. Now is the time to also look at CFR 164.316, that requires your risk analysis to be updated and documented to include changes to your computing environment.

(e) Maintenance. A covered entity or business associate must review and modify the security measures implemented under this subpart as needed to continue provision of reasonable and appropriate protection of electronic protected health information, and update documentation…”

ACTION ITEM #11: Create new diagrams and workflows that show how your users are now accessing data. Document new vulnerabilities and threats. What steps should be taken to address them?

ACTION ITEM #12: Update your policies and procedures to reflect your current situation. Don’t just assume that things will go back to the way they used to be.

Always remember that your documentation of what you do to secure data may be required for an audit, breach investigation, or lawsuit. If you can’t produce documentation showing your current situation, you will have a hard time proving that you did things correctly.

Even during a pandemic.

Stay safe and thanks for your service during these difficult times.