Remote healthcare workers face cybersecurity threats as email becomes the primary vehicle for coordinating patient care and sharing sensitive medical information. With phishing attacks rising during the pandemic and healthcare data valued higher than credit card information on the dark web, healthcare organizations must move beyond awareness to implementation.
Security practices
Encryption
The Canadian Centre for Cyber Security states that organizations should "use encryption to protect the confidentiality of sensitive information." As Mike Chapple, associate teaching professor of IT, analytics and operations at the University of Notre Dame, notes, "IT staffers should verify the security settings of their VPNs, web servers and other encryption-enabled technologies to ensure that they only support strong encryption algorithms with appropriate key lengths."
Healthcare staff must ensure that their email systems employ end-to-end encryption and that any attachments containing patient data are additionally encrypted. Organizations should provide clear guidelines on when and how to use encryption, making it as easy as possible for remote workers to comply.
Strong password practices
Healthcare staff should use password managers to generate and store complex passwords, avoiding the temptation to reuse passwords across multiple platforms.
Virtual private networks
Using a VPN is essential for secure remote access to healthcare systems. As the Canadian Centre for Cyber Security explains, "Using a VPN ensures that your organization's communications stay private through an untrusted network." Chapple reinforces this point: "Virtual private networks allow providers to offer a secure, encrypted tunnel between the office network and a practitioner's device." Healthcare organizations should require employees to use VPNs when connecting to work servers, especially when accessing patient information from home or public locations.
Jason Sabin, author of "The future of security in a remote-work environment," stresses the importance of VPN implementation in remote work environments, noting that one of the most significant security challenges is "working in an online environment that has not been adapted to enterprise-level security." Home networks are typically the same ones used for entertainment and personal devices, where WiFi is rarely secured and firewalls are uncommon. To address these vulnerabilities, he recommends that companies scale VPN access to all secured devices and create a zero-trust zone that requests credentials for every login.
Adopting zero trust security
Simon Biddiscombe, writing for Forbes Technology Council, advocates for a comprehensive approach to security in the new remote work environment. He emphasizes that healthcare organizations should "adopt a zero-trust mobile security model," explaining that "a zero trust model ensures that every device, app, user, network and cloud service must be verified before gaining access to critical healthcare resources." This approach recognizes that in today's distributed work environment, the traditional network perimeter no longer exists, and every access point must be treated as potentially vulnerable.
Recognizing and responding to threats
Before clicking links or downloading attachments, staff should verify the sender's email address carefully, looking for subtle misspellings or unusual domain names that indicate spoofing attempts. HealthTech Magazine recommends not clicking on web links directly, but instead verifying that they're legitimate by copying and pasting the links into a browser first.
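The sender check described above can also be automated at the mail gateway or in a reporting tool. The following is an added example, not code from the original article: the trusted domains, the sample messages and the two-edit threshold are assumptions chosen for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: hypothetical domains this organization legitimately mails with.
TRUSTED_DOMAINS = ("examplehospital.org", "examplelab.com")
# Digit-for-letter swaps often used to imitate a trusted name.
CONFUSABLES = str.maketrans("0135", "oles")


def edit_distance(a, b):
    """Levenshtein distance, computed row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_sender(raw_message):
    """Classify the From header: trusted, lookalike, embedded, unknown or invalid."""
    _, addr = parseaddr(message_from_string(raw_message).get("From", ""))
    _, at, domain = addr.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not domain:
        return "invalid", "no parseable sender address"
    if domain in TRUSTED_DOMAINS:
        return "trusted", domain
    normalized = domain.translate(CONFUSABLES).replace("rn", "m")
    for good in TRUSTED_DOMAINS:
        # Trusted name placed in front of an unrelated registered domain.
        if domain.startswith(good + "."):
            return "embedded", f"{good} is only a subdomain label of {domain}"
        # Misspelling: confusable characters or at most two edits away.
        if normalized == good or edit_distance(domain, good) <= 2:
            return "lookalike", f"{domain} imitates {good}"
    return "unknown", f"{domain} is not on the trusted list"


# Constructed sample messages (not real traffic).
SAMPLES = {
    "genuine": "From: Records <records@examplehospital.org>\nSubject: Chart\n\nbody",
    "digit": "From: Records <records@examp1ehospital.org>\nSubject: Chart\n\nbody",
    "rn": "From: Lab <results@exarnplelab.com>\nSubject: Results\n\nbody",
    "prefix": "From: IT <it@examplehospital.org.login.example>\nSubject: Reset\n\nbody",
    "other": "From: Vendor <sales@unrelated.example>\nSubject: Hi\n\nbody",
}
```

A "lookalike" or "embedded" verdict is a reason to quarantine and report the message; an "unknown" verdict only means the domain is not on the list and still needs the manual verification described here.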
Urgent requests for information, particularly those involving patient data or financial transactions, should always be verified through alternative communication channels. A quick phone call to confirm an unusual request can prevent security breaches.
When suspicious emails are identified, remote workers should report them immediately to their IT security team rather than simply deleting them. This allows security professionals to assess whether others may have received similar attacks and take proactive measures to protect the organization.
Secure remote work environments
Device security
Work computers and mobile devices should have updated antivirus software, automatic security updates enabled, and full-disk encryption activated. The Canadian Centre for Cyber Security warns that "devices that have reached end-of-life (EOL) pose a security risk to your organization," as vendors stop providing security updates. Healthcare organizations should replace outdated equipment promptly to maintain security standards.
Chapple emphasized the benefits of organizational control over devices, stating, "Sending preconfigured devices home with practitioners increases the likelihood that those devices will comply with security policies." This approach allows IT teams to manage devices with the same mobile device management platforms used in the office.
Physical security
Devices should never be left unattended in public spaces, and screens should be positioned to prevent unauthorized viewing of patient information. The Canadian Centre for Cyber Security recommends additional measures including turning off Bluetooth or Wi-Fi when not in use and using password-activated screensavers that lock devices after a period of inactivity.
Furthermore, HealthTech Magazine advises against using automatic out-of-office replies, as hackers look for these messages and take advantage by impersonating high-level executives on vacation in emails to staff.
Managing personal vs. corporate devices
If employees use personal devices for work, the Canadian Centre for Cyber Security highlights specific risks to consider:
- Lack of security updates: Personal devices may not be updated or patched regularly, leaving vulnerabilities unaddressed
- Weak password practices: Personal devices may not be protected with a PIN or password, and even if they are, easily guessed PINs or passwords may be used
- Loss of control over information: Personal devices may hold sensitive business information that your organization can't manage appropriately
Sabin addresses this challenge directly, noting that it is commonplace for companies to issue laptops or tablets for work use, but often that technology is insufficient when employees work remotely. Many people access email on their phones, review documents on tablets, or use personal desktops to get work done, even when it violates company policy. This increases the risk of password theft, ransomware, or malware placement. To combat these risks, he recommends that companies implement accessible security measures such as VPN and two- or multi-factor authentication, institute enterprise-wide mobile device management policies, and emphasize secure password protection and management.
Organizations should establish clear policies for personal device use and ensure employees understand their responsibilities for maintaining security standards.
Protecting sensitive information
The Canadian Centre for Cyber Security reminds organizations that "your organization is responsible for protecting the sensitive information that it collects and uses. Keep in mind that sensitive information is a high-value target for threat actors." For healthcare organizations handling protected health information, this responsibility carries additional legal and ethical weight.
Chapple adds context about HIPAA compliance, noting, "Tools that will handle PHI must work under the constraints of HIPAA's privacy and security rules." Healthcare organizations must ensure any technology used for email or communication supports HIPAA compliance requirements.
Key practices for information protection include:
- Regular backups: Information should be backed up regularly and backups should be stored securely
- Principle of least privilege: Ensure that employees only have access to the information they need to do their jobs, which can prevent unauthorized access to data and data breaches
- HTTPS-only access: Only allow users to access HTTPS-supported websites on corporate devices to ensure encrypted connections
Biddiscombe emphasizes continuous monitoring, recommending that organizations "keep an eye on every endpoint that can access critical healthcare data." He adds that healthcare organizations must "have visibility across every endpoint, application, user, network and cloud that workers use to access data."
Creating a culture of security
Healthcare organizations must adopt what cybersecurity professionals call a "defense-in-depth strategy." As Hugh Percy, Cybersecurity Operations Manager at Moffitt Cancer Center, told HealthTech Magazine: "We believe strongly in defense in depth." This approach involves deploying multiple layers of email security solutions to protect against threats.
However, the Canadian Centre for Cyber Security cautions that "security tools can reduce the risks to your organization, but keep in mind that no tool is perfect. You should never rely on a tool alone."
The human element
Research identifies human error as a threat to information security that companies face. For example, an employee who connects to public WiFi without using a VPN, someone's child who uses their parent's computer and visits unauthenticated sites, or an employee who receives a phishing email after a long day and clicks the link without thinking twice: all are gateways to a data breach. The most proactive step organizations can take, according to Sabin, is to purposefully engage the entire workforce on where risks are highest, what their common traits are, and the resources available to protect themselves.
Chapple emphasizes the need for clarity in guidance: "The burden on IT teams, then, is to provide clear and concise guidance for practitioners to use the systems and tools at their disposal in a secure manner." Healthcare providers are not IT experts; therefore, organizations must make security practices as straightforward and accessible as possible.
As Michael Osterman, president of Osterman Research, explained to HealthTech Magazine: "No system is perfect. Something will eventually get through to the user, and that's why you need good training as the last line of defense."
The role of noncompliance and awareness
According to "A systematic analysis of failures in protecting personal health data: A scoping review," noncompliance with information security policies represents one important factor contributing to the violation of privacy and disclosure of personal data. Research shows that employees' noncompliance with information security policy results in failure costs for organizations.
The scoping review emphasizes that the information system literature underscores the importance of security awareness as a countermeasure to mitigate IT misuse and promote employees' compliance behavior. The absence of adequate security awareness exposes the organization to the risk of data breaches. Without proper training, healthcare workers may unknowingly create vulnerabilities that cybercriminals can exploit.
Ongoing training and communication
Healthcare organizations must provide regular, ongoing training for remote staff that goes beyond annual compliance modules. The Canadian Centre for Cyber Security recommends that organizations "set your employees up for success and clearly communicate the measures that they need to take to contribute to your organization's cyber security." Security training should include practical examples of actual phishing attempts targeting healthcare organizations, hands-on practice identifying threats, and clear, accessible policies for handling protected health information via email.
Bill Chelmowski, MRHC Cybersecurity Manager, emphasized to HealthTech Magazine, "Education is key. One user clicking on the wrong email can circumvent the best technical controls that are available."
Remote workers should feel empowered to ask questions and report potential security concerns without fear of repercussions. When staff members are properly trained, they become active participants in security. As Michael Gaskin, CIO of Camarena Health, shared with HealthTech Magazine, "Because of the education we've done, users have taken it upon themselves to call or email me asking, 'How about this email?' It's reassuring they are taking it seriously."
A Fudo Security survey cited by Sabin found that 42% of respondents said that COVID-19 had changed their cyber security priorities, and one in four said their companies had already been victims of cyber attacks. This data demonstrates that healthcare organizations are not alone in facing these challenges, and that proactive security measures are becoming industry standard across all sectors.
FAQs
How can remote healthcare workers verify whether an email encryption tool is HIPAA compliant?
They should confirm that the tool supports required HIPAA safeguards such as access controls, encrypted transmission, and audit logs.
What are the risks of relying solely on antivirus software for remote healthcare security?
Antivirus alone cannot prevent phishing, social engineering, or compromised home networks.
How can organizations reduce the security risks of employees using smart home devices on the same network as work devices?
Segregating the network with guest Wi-Fi or separate SSIDs helps isolate potential threats.
How can remote workers safely access patient records when traveling or working outside the home?
They should only connect through secure VPNs and avoid public or unsecured Wi-Fi.
How can healthcare teams monitor for breaches when employees work from multiple locations?
Centralized logging and endpoint monitoring provide visibility across all devices.
