The evolving COVID-19 pandemic has forced businesses large and small to make rapid and often dramatic changes to their day-to-day operations. Many former in-house workers are now doing their jobs remotely, from a tapestry of home computers, tablets, and smartphones. And while remote work is not exactly new, the quick pivot to a work-from-home economy has left many companies facing new cybersecurity vulnerabilities and compliance risks.
One major concern is how businesses meet their regulatory and contractual obligations during this time, particularly under the Health Insurance Portability and Accountability Act (HIPAA) and the Payment Card Industry Data Security Standard (PCI DSS). Though each has a different goal, both sets of requirements set out clear rules for how protected information must be stored, transmitted, and used.
While COVID-19 has forced many businesses to slow down, cybercriminals have been identifying and exploiting the weaknesses that a hasty move to remote work creates, and are ramping up their attacks (including phishing campaigns and identity theft). So how can you protect your business from cybercrime while maintaining compliance with both HIPAA and PCI DSS?
HIPAA and Data Security
The Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress and signed into law by President Clinton in 1996. Its Privacy and Security Rules aim to protect sensitive personal health information, both while in storage and during transmission, while still allowing ready access to the people authorized to view it. HIPAA’s requirements for handling protected health information remain in full effect during the pandemic, and it remains the responsibility of covered entities and their business associates to meet them. Failure to comply can result in costly penalties for your business.
PCI and Data Security
Payment Card Industry (PCI) standards work a little differently. PCI DSS is not a law but a contractual standard maintained by the PCI Security Standards Council and enforced by the card brands through your acquiring bank. It is designed to protect payment data (such as card numbers, transaction records, and personal payer information) rather than health records, and it applies to any business that stores, processes, or transmits cardholder data, whether cards are used online or in person. Every such business, from multinational corporations to startups, should have a plan in place to achieve and maintain PCI DSS compliance. Failure to meet the standard can result in noncompliance fees and penalties, which the page’s own figures put between $5,000 and $500,000, as well as higher transaction fees or loss of the ability to accept cards.
How Can You Maintain Compliance during COVID?
The idea of maintaining regulatory compliance while trying to meet the day-to-day challenges of managing a work-from-home staff may seem challenging, and it can be tempting to put it off until later. Unfortunately, any delay can be costly—both in fines and in losses to cybercriminals who can penetrate your systems and compromise your data.
The PCI Security Standards Council has published the following best practices for businesses seeking to maintain compliance and strengthen security while staff work remotely:
- Security awareness training, with a focus on phishing
- Added security controls for home workers’ devices (laptops, tablets, and phones), such as disk encryption, endpoint protection, and timely patching
- Multi-factor authentication for all remote connections, so that a stolen or phished password alone does not grant access
- Company-approved devices, outfitted with current, centrally managed security software
- Strong password policies, with no password reuse across systems
- Use of virtual private networks (VPNs) to encrypt traffic in transit, especially for workers on home or public Wi-Fi
The full PCI DSS requirements and supporting guidance are published by the PCI Security Standards Council.
The government recognizes that both healthcare workers and patients are going remote. To relieve some of the pressure on smaller providers, the U.S. Department of Health and Human Services’ Office for Civil Rights has announced that it will exercise enforcement discretion and not impose penalties for HIPAA noncompliance in connection with the good-faith provision of telehealth during the COVID-19 public health emergency, even where the video or chat product used does not itself meet HIPAA requirements. One caution: providers are expected to act in good faith during this period, which includes conducting telehealth sessions from private locations and avoiding public-facing platforms. So if your business handles sensitive health records or other health-related data, you must keep HIPAA requirements in mind and do your best to maintain those standards.
Beefing up Cybersecurity
With so many workers now doing their jobs from home, cybercriminals have more entry points to choose from, increasing your risk of data loss, ransomware, phishing, and interception of critical data while in transit.
Fortunately you do have options. Partnering with a cybersecurity consultant can help you identify and close potential entry points. An experienced consultant can also evaluate your network, perform penetration testing to discover any vulnerabilities you may have missed, and recommend and install state-of-the-art cybersecurity software to help keep your data secure. They can even help train your staff in best practices to promote both regulatory compliance and increased security.
At Waterdog Computer Works, we have the tools and technologies needed to help our clients identify their cybersecurity risks, update their security protocols, safeguard their networks, and maintain regulatory compliance. If your in-house workforce has shifted to a work-from-home model and you’re concerned about maintaining both security and regulatory compliance, give us a call. We’re eager to hear from you.
Located in Wayne, PA, Waterdog Computer Works is a complete IT solutions and cybersecurity provider serving businesses throughout the Philadelphia Main Line. Focused and responsive, Waterdog Computer Works offers a two-hour emergency response time guarantee, no-risk contracts, and a team of technicians with over 75 years of combined experience. Call us at 484.580.8568 to speak to a member of our team.