What Our Pharmacy Group Has Learned as Our HIPAA-Governed Work Has Shifted Remote

The following is a guest article by Marshall Frost, VP of IT and Vendor Management, Longs Pharmacy Solutions.

The COVID-19 pandemic has swiftly reshaped workplaces across the world – our own certainly included. As a pharmacy group, our frontline employees are, of course, still very much going into work to fill prescriptions and serve customers. But for back-office personnel (finance, customer support, the IT team, etc), the workday looks a heck of a lot different. Ensuring that our employees can work from home both productively and securely has meant quickly overcoming a number of challenges that needed to be solved quickly.

For example, we’ve had to rapidly enable secure remote access to data and files that were never previously accessed remotely. At the same time, we’re a healthcare business that necessarily operates within the strict confines of HIPAA regulations. HIPAA mandates that all protected health information (PHI) – in our case, the personal health data of our individual customers – must be secured with effective data access and data encryption safeguards, and a pandemic certainly isn’t an excuse to start getting lax. Maintaining those safeguards when the bulk of the access points remain located at the office is one thing…and a more complex obstacle when devices then become prevalent beyond our walls.

Hopefully, the strategies we’ve put in place to solve some of these remote workforce challenges can be instructive for other healthcare businesses. I’ll touch on three best practices we’ve discovered that are vital to our employee work-from-home policies, both now and in the long-term as these changes are likely here to stay in some form or another:

1) Systematically track all employee-used devices able to access PHI or other sensitive data.

Within our pharmacy group, we’ve found it effective to limit the potential exposure of HIPAA-covered data and other crucial business information by allowing only company-owned hardware to access that data.

As part of our work-from-home policy, employees check out their work laptops for use in their home work environments, and use only these machines for work purposes. Unfortunately, remote work naturally increases the risks of devices becoming lost or stolen. Ensuring that we have only a limited fleet of inventoried access points to protect allows us to reduce risk and the attack surface represented by these devices, and can do the same for your organization.

2) Enable employees to securely recreate their familiar work environments at home.

To minimize the difficulties of transitioning to remote work, it’s important to carefully reproduce the same applications, file and system access, and team interactions that employees are used to working with. Providing employees with their own familiar work laptops is an example of this, but it’s also just the beginning. Establishing effective communication channels for teams can be as essential to preserving normal productivity as making sure that all needed tools and data are readily available.

At the same time, putting solutions in place to ensure the security of these remote employee environments is paramount. In our case, we use ConnectWise and a suite of service-based tools to manage our assets and to perform remote monitoring and management (RMM). We also utilize ESET for anti-virus and threat detection on all employee hardware, and Cisco Umbrella as a cloud-based threat mitigation tool to protect our remote workers from cyberattacks.

3) Encrypt PHI and sensitive data on remote devices – and secure all remote access.

When it comes to ensuring secure access to sensitive data both across networks and that stored on remote devices, seamless and effective protection is vital and likely your top priority. This is especially true for companies like ours that are covered by HIPAA, or any other business that must operate and safeguard data in accordance with similar stringent regulatory frameworks.

Taking advantage of an opportunity to utilize free licenses for the duration of the coronavirus outbreak, we utilize Beachhead Solutions’ SimplySecure for data encryption and access controls. This solves our need for securing and remotely wiping PHI or sensitive data from employee devices in the event that they become lost, stolen, or otherwise compromised. In our case this has been a significant growing pain in the move to remote work, with more requests for files to be made remotely accessible in recent weeks than we’ve ever had before. For our most sensitive data files, our system requires employees to access data via encrypted VPN tunnel, and disallows employees from putting those files on their own systems.

Looking toward the lasting impact of COVID-19, one legacy of the pandemic will certainly be a much greater acceptance of employees working remotely. For that reason, the remote work infrastructure that businesses build today shouldn’t be viewed as a simple stopgap, but as a foundation for the future.

Marshall Frost is VP of IT and Vendor Management at Longs Pharmacy Solutions, a national pharmacy network and family of brands offering specialty and retail pharmacy services and solutions.