COVID-19 and Remote Work: Securing Your Practice When Everyone Goes Home

Everything changed this week. Practices are closing for non-emergency care. Staff is working from home. Teledentistry and telehealth are suddenly essential. And the security controls that work inside your office may not work when everyone is remote.

We're all adapting in real time. Here's what you need to think about from a security perspective.

Immediate Priorities

Secure Remote Access

If staff need to access practice systems from home, how they connect matters:

  • VPN (Best): A VPN creates an encrypted tunnel between the home computer and your practice network. All traffic is encrypted and controlled.
  • Remote Desktop/ScreenConnect (Acceptable): Remote desktop tools let staff access their work computer from home. Ensure 2FA is enabled and access is limited to authorized users.
  • Direct RDP to Server (Dangerous): Never expose Remote Desktop Protocol directly to the internet. It's one of the most exploited attack vectors. Always use a VPN or remote access tool as an intermediary.

Two-Factor Authentication

If 2FA isn't enabled on your remote access tools, email, and cloud services, enable it today. Remote access without 2FA is an open door for attackers. This is non-negotiable.

Personal Device Security

Staff using personal computers to access practice data introduces risk:

  • Ensure personal devices have current antivirus and updated operating systems
  • Enable full disk encryption (BitLocker or FileVault)
  • Where possible, don't allow patient data to be downloaded to personal devices
  • Set up a separate user account for work activities

Telehealth and Teledentistry

HHS has temporarily relaxed HIPAA enforcement for telehealth during the pandemic, allowing providers to use consumer communication tools (FaceTime, Skype, Zoom) in good faith. But "relaxed enforcement" doesn't mean "no standards." Best practices:

  • Use HIPAA-compliant telehealth platforms when possible (Doxy.me, VSee, Zoom for Healthcare)
  • Avoid public-facing social media platforms for patient consultations
  • Document the telehealth technology you're using and your rationale
  • Conduct telehealth sessions in private spaces, not in public areas
  • Don't record sessions unless you have a secure, HIPAA-compliant storage location

COVID-19 Themed Phishing

Attackers are already exploiting the pandemic. We're seeing:

  • Emails claiming to be from the WHO or CDC with malicious attachments
  • Fake COVID-19 tracking maps that install malware
  • Phishing emails about stimulus payments, insurance changes, or relief programs
  • Impersonation of vendors claiming COVID-related policy changes

Remind your staff: verify all COVID-related emails independently. Don't click links in unsolicited emails. Go directly to cdc.gov, who.int, or your insurance carrier's website for information.

When You Come Back

When the pandemic passes and you return to normal operations:

  • Disable remote access accounts that are no longer needed
  • Change passwords that were used on personal devices
  • Review access logs for any unusual activity during the remote period
  • Update your disaster recovery plan to include pandemic scenarios
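
As an added example (not part of the original post or any vendor's tooling), here is one way to run the access-log review from the list above in Python. The log layout, account names, working hours, and failure threshold are all assumptions, and the sample entries are constructed.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of remote-access log entries: time, user, source IP, result.
# The comma-separated layout is an assumption; adapt the parsing to whatever
# your VPN or remote desktop tool actually exports.
SAMPLE_LOG = """\
2020-04-02T09:14:00,frontdesk1,203.0.113.10,success
2020-04-02T09:20:00,hygienist2,198.51.100.7,success
2020-04-03T02:41:00,frontdesk1,192.0.2.55,failure
2020-04-03T02:41:30,frontdesk1,192.0.2.55,failure
2020-04-03T02:42:00,frontdesk1,192.0.2.55,failure
2020-04-03T02:43:00,frontdesk1,192.0.2.55,success
2020-04-06T10:05:00,temp_billing,198.51.100.23,success
"""

AUTHORIZED = {"frontdesk1", "hygienist2"}  # accounts that should still have remote access (assumed)
WORK_HOURS = range(7, 20)                  # 07:00-19:59, an assumed office policy
FAIL_THRESHOLD = 3                         # failures before a success that count as suspicious (assumed)

def review(log_text, authorized=AUTHORIZED):
    """Return (timestamp, user, reason) for each successful login worth a second look."""
    findings = []
    failures = defaultdict(int)    # (user, ip) -> failures since the last success
    known_ips = defaultdict(set)   # user -> source addresses already seen on a success
    for line in log_text.strip().splitlines():
        ts, user, ip, result = (field.strip() for field in line.split(","))
        when = datetime.fromisoformat(ts)
        if result == "failure":
            failures[(user, ip)] += 1
            continue
        if user not in authorized:
            findings.append((ts, user, "login by account not on the authorized list"))
        if when.hour not in WORK_HOURS:
            findings.append((ts, user, "login outside working hours"))
        if failures[(user, ip)] >= FAIL_THRESHOLD:
            findings.append((ts, user, "success after repeated failures"))
        if known_ips[user] and ip not in known_ips[user]:
            findings.append((ts, user, "login from a new source address"))
        failures[(user, ip)] = 0
        known_ips[user].add(ip)
    return findings

if __name__ == "__main__":
    for ts, user, reason in review(SAMPLE_LOG):
        print(f"{ts}  {user:<14} {reason}")
```

A finding is a prompt to ask the staff member, not proof of compromise: home internet addresses change and people do work odd hours. An account that shows up here but isn't on your authorized list is also a candidate for the "disable remote access accounts" item above.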

This is unprecedented. Nobody planned for this. But the security fundamentals still apply: protect access, encrypt data, verify identities, and maintain backups. Stay safe, stay healthy, and stay secure.