COVID-19 Compliance Considerations for Remote EmployeesPublished April 17, 2020 by Sherry Jones • 9 min read
If the coronavirus disease (COVID-19) pandemic has caused your enterprise to make a sudden, rapid switch from an on-premises-centered business model to a diverse, dispersed network of ad-hoc home offices, you may have let security and privacy measures slide a bit.
Or perhaps cybersecurity has lapsed of its own accord while you’ve focused on matters that seem more urgent, such as getting laptops and mobile phones for your personnel and setting up teleconferencing and other work-at-home technologies.
The bad news is, cybercriminals are standing by to slip into any holes you might leave open. If you’re breached, don’t expect regulators to look the other way: With the exception of the Health Information Portability and Accountability Act (HIPAA) in very specific circumstances (see below), state and federal officials expect every enterprise to follow the law—crisis or no crisis.
The good news is, there’s still time to find and fill the compliance gaps that your new remote-work environment might have created. By acting now, you can safeguard your sensitive information and that of your customers, clients, and business partners from unauthorized access and use, and maintain the certifications and attestations you’ve worked so hard to achieve.
And the best news of all may be that modern technologies can do much of the work of protecting your assets and maintaining compliance for you while working from home.
A Growing Global Trend
Before the COVID-19 spread transformed so many companies into telework organizations, remote work was already on the rise worldwide.
In the U.S. alone, the number of people working off-site increased by 159 percent between 2005 and 2017, according to a Global Workplace Analytics analysis of the U.S. Bureau of Labor Statistics. According to 2018 telecommuting statistics, 4.3 million Americans worked at home full-time, and 18 percent of full-time employees globally were remote workers.
Those numbers are increasing even now as states continue to order lockdowns of businesses deemed “non-essential” in an effort to slow the spread of the novel coronavirus.
The benefits to businesses of allowing employees to work from home can be significant: companies can save $11,000 per year per remote worker compared to on-site workers. AT&T reportedly saves at least $30 million with remote work, according to The Hill.
Proceeding at their own pace in the past, organizations could more easily fold compliance into the mix of concerns. Even implemented voluntarily, though, work-from-home initiatives bring challenges.
“Creating a responsive technology infrastructure to enable effective remote work is complex,” Gartner reports, recommending that enterprises “stress-test your technology infrastructure to determine its capability to support remote work.”
But when scrambling to provide laptops and other mobile devices, set up telecommunication networks, train workers in remote-work protocols and establish proper security and privacy controls—all in a matter of days—organizations may find that stress-testing is happening of its own volition, in real-time.
Even if your entity had all the proper controls in place before, the speed and scale of changes you’re making now may risk your compliance with important privacy and security regulations and industry standards. Plus, some key frameworks are undergoing changes, too. How do you manage it all?
Cybersecurity and COVID-19
When a crisis strikes, there’s one thing of which we can be certain: cybercriminals will exploit it. In recent weeks, malicious actors have stepped up their attempts to infiltrate organizations’ systems and networks in a number of ways, including:
- Sending coronavirus-related phishing emails and text messages with phony links;
- Placing scam phone calls purporting to offer information about the virus;
- Hacking home wi-fi networks;
- Hacking teleworking applications.
The international security and enforcement community including Europol, the Federal Bureau of Investigation and the U.S. Inspector General have issued public warnings about emerging and increased threats in the wake of the coronavirus pandemic. Microsoft, too, has issued notifications about threat actors’ targeting unpatched flaws in its Windows 10 operating system.
At the same time, the number of vulnerabilities has grown by leaps and bounds as workers move out of firewall-protected on-premises networks to at-home remote connections. The use of cloud services exploded overnight even while many organizations were struggling to secure the information they had already placed in the cloud.
Add compliance to the mix of concerns, and you may feel overwhelmed—especially if your organization must adhere to more than one regulatory or industry standard.
With the right tools, however, this may be the easiest area to manage. To help, we’ve compiled a list of regulations and frameworks most affected by the new paradigm, with the most up-to-date information entities need now.
HIPAA and COVID-19
The Health Information Portability and Accountability Act (HIPAA) is of special concern: Not only are workers “going remote,” but health care consumers are, as well.
Telehealth/telemedicine is on the rise amid government-ordered lockdowns, self-quarantines, and health care clinics’ own efforts to keep their customers and workers safe and healthy.
The rapid adoption of new technologies this shift requires may leave some HIPAA-governed “covered entities” at risk of non-compliance with the federal regulation.
The government is sympathetic. Recognizing the difficulties in balancing health and safety with privacy in this state of emergency, the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) announced that it will not penalize providers for using telehealth platforms that do not comply with HIPAA during the COVID-19 pandemic, for diagnosis and treatment of the virus and of non-virus health conditions.
“OCR will exercise its enforcement discretion and will not impose penalties for noncompliance with the regulatory requirements under the HIPAA Rules against covered health care providers in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency. This notification is effective immediately.” — OCR statement, March 18, 2020
The suspension comes with a caveat: OCR expects medical professionals to act in “good faith” to protect patients’ data, including conducting telehealth sessions from a private location.
And it applies only to telemedicine: All other health care provider services must comply with HIPAA; those that don’t will be penalized.
This means that, even while you’re scrambling to provide COVID-19 care and treat your non-COVID patients safely, you must keep HIPAA regulations in mind and make sure you’re adhering to them. (This guide to all things HIPAA can help.)
At the same time, it’s important to keep in mind that teleconferencing applications have experienced “bombing” (similar to “photo-bombing”) in which unauthorized parties hack into video conferences to disrupt meetings. These hacks raise concerns about patient privacy—which is why bringing your telehealth environment into HIPAA compliance as quickly as possible is a must.
PCI-DSS and COVID-19
The Payment Card Industry Data Security Standard (PCI DSS), required for organizations and their vendors that process credit-card and debit-card payments, will be enforced as stringently as ever during the pandemic.
In fact, the PCI Security Standards Council (PCI SSC) has issued guidance for use during the COVID-19 pandemic that emphasize the importance of maintaining security practices to protect cardholder data.
The guidance, taken from an existing PCI SSC information supplement, lists card security best practices to follow at all times, including:
- Security awareness training;
- Added security controls for remote or home working;
- Multi-factor authentication for all remote connections;
- Company-approved or company-issued devices for remote work;
- Limits on applications to those necessary for work;
- Stringent password requirements;
- Virtual private network (VPN) use.
One factor that very well may change for some organizations: whether they may complete a self-assessment questionnaire (SAQ) to demonstrate compliance with PCI DSS, or must undergo a lengthy and expensive on-site audit.
Only merchant level one entities must meet the most stringent of PCI DSS requirements and undergo the full compliance audit, although many merchant levels two and three choose to comply with the level one requirements. Since compliance levels are determined by the number of payment card transactions processed per year, an increase in remote sales could shift a business upward to a level one merchant.
Level 1 merchants and service providers process more than six million payment card transactions per year, with the number depending on the card or cards they accept. Reciprocity’s complete guide to PCI compliance explains the framework and its requirements in detail. And our ZenGRC software-as-a-service can update you in real time regarding your enterprise’s compliance with PCI DSS.
CCPA and COVID-19
In response to requests from 35 advertising groups that enforcement of the California Consumer Privacy Act (CCPA) be delayed because of the COVID-19 pandemic, the California Attorney General said, “No.”
Pointing out that the law took effect Jan. 1, 2020—and that businesses should have been compliant at that point—the attorney general declared that enforcement of the law would proceed on schedule, beginning July 1, 2020.
“We encourage businesses to be particularly mindful of data security in this time of emergency,” an aide to California Attorney General Xavier Becerra reportedly told the International Association of Privacy Professionals.
Often referred to as “GDPR Lite,” the CCPA imposes data-privacy-protection requirements on for-profit enterprises that do business in California or with Californians. Penalties for non-compliance are steep, and the law also gives individuals the right to sue for violations or financial harm suffered because of a breach.
The European Union’s General Data Protection Regulation (GDPR) sets stringent requirements for the protection of European residents’ personal data. Enforcement is stringent, as well, and can involve harsh penalties including crippling fines.
But this landmark regulation is especially valuable right now as a tool for measuring the security of your systems and networks and the effectiveness of your policies and procedures at guarding information privacy.
Start by familiarizing yourself with the GDPR in depth by consulting our user-friendly and comprehensive GDPR compliance guide.
Questions to ask include:
- Are remote workers using new or different ways to gain access to data than before? If so, it may be more difficult to stay apprised of breaches—not only when they are occurring, but how. Evaluating your networks’ compliance with the GDPR as well as identity access management protocols can help ensure that remote work won’t create confusion around information access.
- What controls do you have to ensure that personal data gets pseudonymized or encrypted as the law requires before it’s transferred or stored?
- How are you respecting and protecting the privacy of your employees while ensuring they do their jobs as required from offsite locations? The GDPR protects workers as well as customers.
The EU Agency for Cybersecurity recently published guidelines for continued protection of personal data in remote-work situations. For workers, the agency recommends the following:
- Secure wifi connections.
- Update anti-virus system.
- Update security software.
- Back up important files periodically.
- Use a secure connection to your work environment.
- Ensure that encryption tools are installed.
- Inform staff on how to react in case of problems: who to call, hours of service, and emergency procedures.
- Give suitable priority to the support of remote access solutions. Employers should provide at least authentication and secure session capabilities (encryption).
- Provide virtual solutions such as electronic signatures and virtual approval workflows to ensure continuous functionality.
- Make sure that support staff are available at all times.
- Define a clear procedure to follow in case of a security incident.
- Consider restricting access to sensitive systems where it makes sense.
This list is by no means comprehensive, however. The GDPR is a long and complex regulation, and maintaining compliance can be a challenge even during the best of times.
A good compliance software solution can continuously monitor your systems, networks, policies, and procedures throughout your transition to remote work and beyond; alert you in real time to compliance gaps and tell you how to fill them; and stay on top of any changes in the law or your situation—so you don’t have to.
The National Institute of Standards and Technology (NIST) issued its response to the coronavirus pandemic with a bulletin created to “help organizations mitigate security risks associated with the enterprise technologies used for teleworking.”
To reduce risk caused by remote access, NIST recommends tightening security and strictly limiting access to networks and data. Its guidance, derived from NIST SP 800-46, includes the following:
- Assume that external environments contain hostile threats, and implement controls accordingly. NIST lists three types of threats, with mitigations:
- Risk 1: Malicious actors will take control of digital devices and try to access their data, or use them to gain access to your network. Mitigations: Limit devices’ storage of sensitive data; encrypt devices or their data; use multi-factor authentication for access to your network.
- Risk 2: Eavesdropping, interception, or unauthorized changes in communications. Mitigation: Encrypt these communications and verify devices in their communications to one another using authentication.
- Risk 3: Malware. Mitigation: Use anti-malware solutions; secure your network with access controls; and segment devices on their own separate network.
- Incorporate telework, remote access, and BYOD into your security policy requirements. Your policy should stipulate which forms of access your enterprise allows, which devices can be used for remote access, the type of access granted to each remote worker, and procedures for administering and patching remote-access servers. NIST recommends making “risk-based decisions” on the levels of remote access you will grant to various types of devices, perhaps using a tiered approach that allows “the most controlled devices [e.g. organization-owned laptops] to have the most access and the least controlled devices [e.g. BYOD mobile devices] to have minimal access.”
- Check your remote-access servers to ensure that they will enforce your telework security policies. Malicious actors can use your remote-access servers for a number of criminal activities. NIST recommends that you configure them as a single point of entry to your organization’s network, that they can enforce your telework security policy, that you keep them fully patched and up to date, and that only authorized administrators from trusted hosts can manage them.
- Secure the organization-owned computers that your remote workers are using against common threats, and maintain their security on a regular basis. You should not only apply your normal security baseline controls to remote-work devices, but enhanced controls, as well, such as encryption of any sensitive data they might contain. Your device administrators and users may need your guidance on how to secure these devices.
Clearly, NIST sees this time of pandemic, remote work, and increased security threats as a time to be more vigilant than ever. Maintaining compliance, difficult though it may seem, is critical.
The Challenge: Keeping Up
Everything is changing all the time, and nothing is certain, it seems. As you try to cope with the exigencies of pandemic response, work-at-home accommodations, budgets, and new technologies, regulatory compliance issues may be the farthest from your mind. For regulators, however, it’s more important than ever.
Cybercriminals are counting on lapse security as they step up their efforts to access systems, networks, and data and install malware. While your attention is distracted is when they are most likely to strike.
Staying on top of security, privacy, and compliance may seem like just another stress to contend with—but it doesn’t have to be this way.
ZenGRC can monitor your security, privacy, and compliance posture around-the-clock and alert you the instant you fall short in any area. Its color-coded dashboards let you see in real-time where you stand, and user-friendly checklists tell you what you must do to achieve a state of compliance nirvana.
Regulations should be the last thing keeping you awake at night. Worry-free compliance is the ZenGRC way. Contact us now for your free consultation, and see how easy GRC can be.