The National Security Agency (NSA) is a national-level intelligence agency of the United States Department of Defense, under the authority of the Director of National Intelligence. Recently, the NSA issued cybersecurity guidance for teleworkers to help improve security for remote work. The cybersecurity guidance is relevant to healthcare workers who provide telehealth services from their home computers and smartphones.
Is your organization secure? Download the free cybersecurity eBook to get tips on how to protect your patient information.
What Does the NSA Cybersecurity Guidance Recommend?
The guidance evaluates a number of telework services, including Slack, WhatsApp, and Zoom. NSA cybersecurity guidance recommends that institutions consider the following factors before choosing a service:
- Does the service implement end-to-end (E2E) encryption? With E2E encryption, content is encrypted all the way from sender to recipient without being readable by servers or other services along the way. Some apps also support encryption while data is “at rest,” both on endpoints (i.e., a user’s mobile device and workstation) and while residing on remote storage, such as a cloud-based server.
- Does the service use strong, well-known, testable encryption standards? The NSA cybersecurity guidance recommends that services use strong encryption standards, preferably NIST-approved algorithms. Many telework services protect data-in-transit between clients and servers using a published protocol standard, such as Transport Layer Security (TLS).
- Does the service use multi-factor authentication (MFA) to validate user identities? Use of multi-factor authentication can prevent weak or stolen passwords from being used to access user accounts and impersonate them. MFA requires that a second form of ID, such as a token or code, be provided before a user can access an account.
- Can users see and control who connects to collaboration sessions? The service should allow organizers to limit access to sessions to only those who are invited.
- Does the service privacy policy allow the vendor to share data with third parties? Services should protect sensitive data such as contact details and content. Conversations, metadata, and device information should not be shared with third parties.
- Can users securely delete data from the service? Users should use a service that affords them the opportunity to delete content such as shared files and chat sessions. The service should allow users to permanently remove accounts that are no longer used.
- Has the service’s source code been publicly shared? Open source code development can provide accountability that code is written to secure programming best practices, and is not likely to introduce weaknesses that can compromise user data.