Teleworking Policy Guidance for Healthcare Organizations

The goal of this policy is to govern the controls and safeguards implemented for workforce members that are approved for teleworking activities.

What should the policy statement say?

In the policy statement, state the goals and objectives and set the tone for teleworking security. The policy statement should say something like this:

Workforce members that participate in teleworking arrangements should be expected to satisfy all job responsibilities, meet performance expectations, and follow all policies/procedures that govern their employment. Authorized teleworking workforce members should be required to complete a teleworking agreement.

How should processes and procedures be defined?

Teleworking processes and procedures should define or address the following:

  • Work permitted;
  • The hours of work;
  • The classification of information held and the internal systems and services that the teleworker is authorized to access;
  • Suitable equipment and storage furniture for the teleworking activities expressly for business use by authorized workforce members, where the use of privately owned equipment that is not under the control of the organization is not allowed;
  • Suitable telecommuting equipment, including methods for securing remote access;
  • Rules and guidance on family access to the equipment and information;
  • Hardware and software support and maintenance;
  • Procedures for back-up and business continuity;
  • A means for teleworkers to communicate with information security personnel in case of security incidents or problems; and
  • Audit and security monitoring.

Additional insurance will be obtained to address the risks of teleworking as may be necessary.

What are teleworkers' security requirements and responsibilities?

Teleworking workforce members should be obligated to protect the confidentiality and security of all information deemed sensitive or considered protected health information. This information should not be disclosed to, or viewable by, family members or visitors. All related information security policies/procedures should be adhered to by the teleworking workforce member. Other security arrangements for teleworking activities may be required as necessary.

All teleworking activities should occur through encrypted remote access communications that require identification/authentication of remote access sessions. If the teleworking workforce member utilizes a home wireless network, the wireless access points should be securely configured utilizing strong encryption (e.g. WPA2 with a strong pre-shared key).

Suitable equipment should be provided to be utilized by teleworkers for business purposes. Use of issued equipment should comply with policies/standards at all times. Only company provided equipment should be maintained/supported and workforce members should protect the equipment from damage or theft.

Equipment such as laptops and mobile devices should have anti-virus/anti-malware software and firewalls installed, and application/OS patches should be applied as necessary. Ownership rights should be maintained over all organization assets used by the workforce member for business purposes. Upon request or at termination of employment, workforce members should have their access terminated and should be expected to return all issued equipment within forty-eight (48) hours.

The right should be reserved to inspect/audit virtual offices to ensure information is properly secured and controlled within the home/remote office location. Teleworking sites should be evaluated for physical security, such as the building itself or the local environment, to address any threats or issues that are identified. These threats/issues may include, but are not limited to, unauthorized access to information or resources by persons using the accommodation, such as family and/or friends.

Workforce members and their manager should agree upon regular work schedules. Any changes to the work schedule should be pre-approved by the manager. Workforce members should be responsible for maintaining performance requirements.

If a service outage occurs that is projected to last for a period of time that will affect the workforce member’s job requirements, the workforce member should notify their manager. Alternative work locations should be determined.

Teleworking workforce members should be expected to minimize any distractions or disturbances from their work areas. Face-to-face meetings with customers at a workforce member’s home should be prohibited. The organization should not be responsible for liabilities arising out of face-to-face meetings not pre-approved in writing by management.

What are the restrictions or prohibitions for teleworkers?

Workforce members should not utilize personal addresses on business documentation or business cards. Workforce members should establish a secure work environment with appropriate lighting, appropriate noise levels, and sufficient, convenient electrical outlets.

Workforce members should not provide primary care during working hours to a child or adult who otherwise may be required to have regular supervision of care. A caregiver should be present and responsible for care.

Workforce members should be trained on the risks and their responsibilities over teleworking activities. Additional insurance may be required to address teleworking risks as necessary.

Teleworking Documentation Checklist

  • Teleworking Workforce Member Agreement
  • Virtual Site Visit Audits
  • For teleworking arrangements, ensure the arrangements address all necessary protections in accordance with the organization’s policy.
  • Insurance Policy referencing increased risk of teleworking activities

For more information and details on how we can help, contact us today!
