Poorly secured home networks. Highly accessible workstations. Use of personal laptops that don’t adhere to security standards. Each of these (and more) is a vulnerability for revenue cycle staff working at home during COVID-19. Unfortunately, with vulnerability comes opportunity for hackers to target this newly remote workforce and access protected health information (PHI). Consider the following strategies to mitigate risk:
1. Require a signed telecommuting agreement. Chris Apgar, CISSP, CCISO, president of Apgar & Associates, LLC, a privacy and security consulting company based in Tigard, Oregon, said remote revenue cycle staff must attest to the following:
- Anti-malware and firewalls updated at least weekly with continuous scans enabled
- Operating system patches applied within one week of release
- Secure cabled router or wireless router secured with WPA2
- Secure connection to the corporate network (e.g., through a Virtual Private Network [VPN])
- Strong device password
- Strong home router password
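One way to turn the attestation list above into a repeatable check is to evaluate each device's reported facts against the same six items, flagging anything that falls outside the stated windows. The following is an added example, not code from the article or from Apgar & Associates; the record fields, the 12-character password threshold and the sample devices are all constructed assumptions.

```python
"""Evaluate remote-work device posture against the attestation checklist.

Added example (not from the article). Field names, the sample records and
the 12-character password threshold are assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

MAX_UPDATE_AGE = timedelta(days=7)   # weekly anti-malware updates, patches within a week
ACCEPTED_WIFI = {"WPA2", "WPA3"}     # WPA2 is the checklist minimum; WPA3 exceeds it
MIN_PASSWORD_LEN = 12                # assumed definition of "strong device password"


@dataclass
class DevicePosture:
    user: str
    antimalware_updated: date          # last signature/engine update
    continuous_scan: bool              # real-time scanning enabled
    os_patched: date                   # last OS patch applied
    wifi_security: Optional[str]       # None means a cabled connection
    vpn_in_use: bool
    device_password_len: int
    router_password_is_default: bool


def evaluate(p: DevicePosture, today: date) -> List[str]:
    """Return the checklist items the device fails; an empty list means compliant."""
    findings = []
    if today - p.antimalware_updated > MAX_UPDATE_AGE or not p.continuous_scan:
        findings.append("anti-malware not updated weekly with continuous scans enabled")
    if today - p.os_patched > MAX_UPDATE_AGE:
        findings.append("operating system patches older than one week")
    if p.wifi_security is not None and p.wifi_security.upper() not in ACCEPTED_WIFI:
        findings.append(f"wireless router secured with {p.wifi_security}; WPA2 required")
    if not p.vpn_in_use:
        findings.append("no VPN connection to the corporate network")
    if p.device_password_len < MIN_PASSWORD_LEN:
        findings.append("device password shorter than policy minimum")
    if p.router_password_is_default:
        findings.append("home router still using its default administrator password")
    return findings


def run_sample() -> Dict[str, List[str]]:
    """Evaluate two constructed device records as of a fixed date."""
    today = date(2020, 6, 1)
    devices = [
        DevicePosture("alice", date(2020, 5, 28), True, date(2020, 5, 26),
                      "WPA2", True, 14, False),
        DevicePosture("bob", date(2020, 5, 20), True, date(2020, 5, 30),
                      "WEP", False, 8, True),
    ]
    return {d.user: evaluate(d, today) for d in devices}


if __name__ == "__main__":
    for user, findings in run_sample().items():
        print(user, "compliant" if not findings else findings)
```

Feeding this the output of an MDM or endpoint agent rather than self-reported answers is the obvious next step; the checklist logic stays the same, and the findings list gives the manager something concrete to raise in the video inspection Apgar recommends.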
Security patching, in particular, tends to go under the radar, said Ken Townsend, CISSP, vice president and chief information security officer at R1 RCM, an outsourced revenue cycle management vendor headquartered in Chicago, Illinois. Patching is likely an afterthought for remote staff using their home computer because most users are focused on providing customer service — not keeping up with the latest vulnerabilities, he said. For health systems, it’s also difficult to routinely identify software bugs and vulnerabilities, and it’s challenging to take critical systems offline for routine maintenance, he added.
In terms of physical security, Apgar said to consider the following:
- Screen locks that automatically log the user out and require the password to be re-entered after five minutes of inactivity
- Secure and secluded workspace
- Secure perimeter (e.g., locked doors, blinds on ground floor windows for rooms where computers are present or stored, and ground floor window security)
- Secure storage of portable media
- Use of a crosscut shredder, when necessary
It doesn’t hurt to video chat with staff to visually inspect their workspace and ensure it adheres to the agreement, Apgar said.
2. Use multi-factor authentication (MFA). Consider a three-step process, said Zubair Ansari, executive director of physician reimbursement at Luminis Health, headquartered in Annapolis, Maryland. For example, Ansari’s staff log into their work account. Then they wait for a passcode sent by text message to their cell phone. Finally, they type that code into their computer to open their work desktop via a secure VPN.
MFA is critical because it addresses an ongoing challenge: People use the same password for all devices and accounts, Townsend said. For example, it’s not unreasonable to think that a hacker could harvest credentials from a personal device or email account on an unencrypted or poorly encrypted home network and use those same credentials to access a corporate device on a secure VPN. MFA reduces the likelihood that unauthorized users can access the VPN or any cloud-based applications that store sensitive data, he said.
3. Mask payment data. Organizations have far less control over physical security now that revenue cycle staff are working from home, and it’s not hard to imagine why using credit card machines at home is less than ideal.
“Organizations should try and remove as much sensitive data out of the home environment as possible,” Townsend said.
Fortunately, technology exists that can mask payment information for call center associates, Townsend said. Here’s how it works: A patient calls to make a payment over the phone, and the staff member hits a button that turns the call over to an automated system. The patient states their credit card information or types it into the keypad. Then the patient hits a button to return to the staff member. The staff member never sees or hears the payment card number.
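The handoff to an automated system keeps the card number away from the agent during the call; a complementary control is to make sure a number that does reach free text (call notes, a support ticket, a chat log) is stored masked. The following is an added example, not the vendor technology Townsend describes: it finds candidate card numbers in a constructed call note, keeps only those that pass the Luhn check so that a 16-digit account number is left alone, and replaces all but the last four digits.

```python
"""Mask payment card numbers (PANs) in free-text call notes.

Added example, not the call-center masking product described in the article.
The sample note is constructed; 4111 1111 1111 1111 is a well-known test PAN.
"""
import re
from typing import Tuple

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded in a longer digit run.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to tell card numbers from other long digit strings."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pans(text: str) -> Tuple[str, int]:
    """Return the text with each Luhn-valid PAN reduced to its last four digits,
    plus the number of PANs masked."""
    count = 0

    def repl(m: "re.Match[str]") -> str:
        nonlocal count
        digits = re.sub(r"\D", "", m.group(0))
        if not luhn_ok(digits):
            return m.group(0)    # e.g. an account or reference number: keep as-is
        count += 1
        return "*" * (len(digits) - 4) + digits[-4:]

    return _CANDIDATE.sub(repl, text), count


# Constructed sample note; the account number fails Luhn and must survive intact.
SAMPLE_NOTE = (
    "Pt called re: balance on acct 1234567890123456, asked to pay with card "
    "4111 1111 1111 1111, callback 410-555-0123."
)

if __name__ == "__main__":
    masked, n = mask_pans(SAMPLE_NOTE)
    print(n, "PAN(s) masked:", masked)
```

The Luhn filter is what keeps the false-positive rate tolerable on revenue cycle text, which is full of long account and claim identifiers; the ten-digit callback number never matches because the pattern requires at least thirteen digits.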
Ansari’s staff — which includes coders, patient account representatives, auditors and revenue integrity specialists — aren’t permitted to take any payment information over the phone. Instead, they route all payment-related calls to an onsite customer service center, Ansari said.
4. Consider using a virtual desktop interface (VDI). With VDI, the operating system, all applications and data are kept on a central server instead of a local desktop, Townsend said. Users can only view data — not download it. “If there are remote users using personal devices to access corporate applications, organizations should strongly consider VDI,” he added.
5. Use cell phones with caution. Cell phones store all kinds of data, and many organizations don’t want to run the risk of someone viewing sensitive patient data on a staff member’s personal phone, Townsend said.
That said, there may be workarounds. For example, organizations may be able to use mobile device management (MDM) solutions that enable managers to audit regularly, identify non-compliant devices and set appropriate restrictions, he added.
However, even with MDM, policies are critical. Organizations must take the time to define specific use cases for personal cell phone use, Townsend said. For example, smaller medical facilities may allow personal phones while larger health systems may not because they can afford more mature voice technology.
Most importantly, organizations must perform a risk-benefit analysis to determine whether the risk is justified. For R1, a company that employs many offshore staff, it’s not, he added.
“Decision-makers should consider the risk of fraud and inadvertent and-or intentional data loss,” he said. “Organizations may not be capable of implementing the required safeguards on personal devices to minimize the risk.”
6. Focus on encryption. This includes encrypted responses to external requests (e.g., from outside agencies or the attorney general), encrypted text messages and encrypted electronic faxes, Ansari said.
7. Provide ongoing privacy and security education. This goes without saying, but it’s something that can be easily overlooked. Telling staff they need to ensure privacy and security is important, but they also need to know how to do it — for example, how to secure their home Wi-Fi router, how to patch their system and what constitutes a strong password, Townsend said.
Ansari’s staff are required to take annual privacy and security courses regardless of whether they work remotely. He also sends periodic emails that provide HIPAA compliance tips. One big one? Try not to print PHI or write it down on a piece of paper.
Communicate best practices, Apgar said. For example, log off your computer when you’re taking a break and at the end of the day, and don’t change the security settings.
In addition, continue testing staff through phishing and simulation exercises that are tailored to revenue cycle staff, he added. For example, test staff’s ability to resist clicking on nefarious links embedded within emails about patient accounts or payments.
8. Talk to staff. Ongoing education is paramount. However, managers still need to be in touch with their staff to identify any unique privacy and security challenges. For example, is it impossible to work in a secluded area? If so, can the organization provide a privacy screen? Do multiple family members use the same computer? Do employees have enough bandwidth on their personal laptops to view all of the information they need (and to avoid having to print information onsite and bring it home with them)? When necessary, can the organization supply a laptop?