Controlling Cyber Risk for Teleworkers with HITRUST

Jason Kor, Senior Manager, Healthcare Risk Assurance Services, Coalfire

Organizations across the globe have sent workers home to avoid spreading the Coronavirus and, as a result, technology leaders are hard-pressed to create cyber-safe work-from-home environments. Organizations must quickly identify and treat new cybersecurity risks introduced by the newly formed remote workforce.

Here’s how the HITRUST CSF®, a certifiable framework with a comprehensive approach to regulatory compliance and risk management, provides guidance. The latest release of the HITRUST CSF includes a control (01.y Teleworking) that addresses these risks specifically. Here are the takeaways:

Provision the right equipment – Teleworking increases the likelihood that sensitive data is exposed through misplacement, shoulder surfing, theft, or a more malicious exploitation of insecure software. Issuing the right equipment can mitigate risk associated with these vulnerabilities. IT departments should mind their baseline security configurations for things like session timeouts, passwords, remote patching, and disk-encryption, and consider issuing extra hardware like privacy screens and cable locks.

Evaluate home network security – Teleworkers will likely connect to their home networks which add risks like rogue devices that may monitor otherwise private transmissions. A particularly high-impact threat would be rogue devices exploiting network vulnerabilities to compromise corporate assets and expose the organization’s network to malicious actors. At a minimum, employers should validate that their remote workers’ networks are encrypted using AES and WPA2.

Create a plan for revocation of access – Before an organization can authorize employees to work from home, it should have a plan for employees who quit or who need to be removed from network access. Employees who leave the organization during a work-from-home stint increase the likelihood that access is abused, or sensitive files and media are leaked. Secure organizations will ensure that access is revocable and that accounts can be remotely disabled. Flash drives and external hard drives should be prohibited, and paper files should be removed from use altogether.

Communicate with teleworkers – Teleworkers are more likely to act securely if the organization communicates what’s expected. Acceptable usage should be defined, and additional training courses can be made available to help teleworkers understand their responsibilities and restrictions.

Encrypt data in transit – Remote workforces are far more likely to leak data via unencrypted transmission than employees working on a secured corporate network. One of the best mitigating controls for unencrypted transmission is a virtual private network (VPN). With a VPN, employees accessing on-premise resources (such as email servers) are less likely to inadvertently expose transmissions over the open internet.

Understand physical security – Mature organizations will understand the physical security of their workforce teleworking sites. Management should consider risks such as theft of sensitive machines, shoulder surfing, and misplacement of paper files or sensitive media. Nearby family members or guests may overhear sensitive or restricted information while workers are on phone calls. Some organizations require employees to sign additional agreements before authorizing teleworking. Others will have employees fill out a questionnaire or audit the environment through webcams to gauge the level of physical security. Make sure that sensitive conversations are held in private and that only authorized personnel are accessing workstations.

Access authorization – Lastly, a secure organization should consider all these risks and controls and formally authorize rights to telework. Authorization creates organizational and individual accountability which ultimately reduces the likelihood that data or systems are compromised with employees working from home.

Over the last five years, advancements in technology and tight labor markets have enabled companies to recruit remote workers and even allow local workers to remain in their homes. Although the Coronavirus has required teleworking for many employees, this isn’t a trend we see going away after the current crisis is over. Mature risk management programs will not only understand teleworking risks but leverage the new paradigm in their business continuity plans.

Before making changes in your HITRUST program to address these risks, we recommend working with your External Assessor to understand the requirements. Remember, the HITRUST CSF is right-sized for the organizations that enroll in the program so there’s no one-size-fits-all compliance or risk management solution to teleworking.

Jason Kor


Jason Kor — Senior Manager, Healthcare Risk Assurance Services, Coalfire

Recent Posts

Post Topics



Accounting Agency AICPA Assessment assessments ASV audit AWS AWS Certified Cloud Practitioner AWS Certs AWS Summit bitcoin Black Hat Black Hat 2017 blockchain Blueborne Breach BSides BSidesLV Burp BYOD California Consumer Privacy Act careers CCPA Chertoff CISO cloud CMMC CoalfireOne Compliance Covid-19 credit cards C-Store Culture Cyber cyber attacks Cyber Engineering cyber incident Cyber Risk cyber threats cyberchrime cyberinsurance cybersecurity danger Dangers Data DDoS DevOps DevSecOps DFARS DFARS 7012 diacap diarmf Digital Forensics DoD DRG DSS e-banking Education encryption engineering ePHI Equifax Europe EU-US Privacy Shield federal FedRAMP financial services FISMA Foglight forensics Gartner Report GDPR Google Cloud NEXT '18 government GRC hack hacker hacking Halloween Health Healthcare heartbleed Higher Education HIMSS HIPAA HITECH HITRUST HITRUST CSF Horror Incident Response interview IoT ISO IT JAB JSON keylogging Kubernetes Vulnerability labs LAN law firms leadership legal legislation merchant mobile NESA News NH-ISAC NIST NIST 800-171 NIST SP 800-171 NotPetya NRF NYCCR O365 OCR of P2PE PA DSS PA-DSS password passwords Payments PCI PCI DSS penetration Penetration Testing pentesting Petya/NotPetya PHI Phishing Phising policy POODLE PowerShell Presidential Executive Order Privacy program Ransomware Retail Risk RSA RSA 2019 Safe Harbor Scanning Scans scary security security. SOC SOC 2 social social engineering Spectre Splunk Spooky Spraying Attack SSAE State Stories Story test Testing theft Virtualization Visa vulnerability Vulnerability management web Wifi women XSS