Work From Home Presents Privacy and Security Considerations for Research and Higher Education Institutions
Research Institutions & Higher Education Data Privacy & Cybersecurity Article Series | 04/14/20 | Meghan C. O'Connor, Stephen J. Gardner
Increased precautions to slow the spread of COVID-19 have forced research and higher education institutions into unprecedented reliance on technology and remote connectivity (e.g., work-from-home arrangements, online learning, electronic document and data sharing, and telehealth services). Since universities and other research centers were among the first in the country to adopt these practices and rapidly transition from an "on-campus" work environment to an almost completely remote workforce, their early priorities were necessarily focused on simply ensuring systems worked and remained reliable.
Privacy and Cybersecurity Considerations as Remote Work Continues
Now that a few weeks have gone by, staff have settled into somewhat of a routine, systems have proven reliable, and the COVID-19 pandemic has not yet been contained, it is time to plan proactively for enhancements to the privacy and cybersecurity policies and procedures that accompany remote work and remote learning.
Several key areas warrant consideration as privacy and cybersecurity plans are further developed:
- Test Increased Remote Connectivity
- Train Workforce on Remote Access
- Test and Understand Bandwidth Limits
- Reevaluate Role-based Access
- Test Redundancies and Prepare Backup Plans
- Plan for Increased Security Exposure Due To Remote Workforce (discussed in an upcoming article)
- Continue Communication and Remember to Maintain Your Culture
Test Increased Remote Connectivity
Continue testing remote connectivity capabilities as well as bandwidth and server capacity. Institutions should also confirm they have the IT infrastructure and concurrent licenses and subscriptions to support increased users, especially users who may be in multiple states or countries. For many institutions, the question of which students or employees may remain on campus is somewhat left to the discretion of the institution. But, as situations evolve, even the current on-campus presence could change. For example, some schools may be leveraging dormitory space to house healthcare workers, or homeless/disadvantaged populations -- this could create a sudden need for more on-campus bandwidth. As another example, some foreign students who remained on campus may be able to leave and return to their home countries, and institutions should consider whether their infrastructure and software licenses can support international distance learning. This can be particularly complicated for research and higher education IT teams that manage vendors to support multiple campuses and varying needs across the institution.
Train Workforce On Remote Access
As institutions have moved to work-from-home arrangements, many workforce members who are not accustomed to working from home will suddenly have remote connectivity, potentially without training on the relative lack of security of personal accounts and home technology. Consider pushing out training materials to the workforce which outline secure and appropriate remote work policies regarding:
- Approved technology and software for communication of sensitive institution, student, applicant, employee, patient, and research subject information via internal electronic communication platforms
- Sensitive information not being visible to non-authorized users via video conference and screen-sharing
- Use of public Wi-Fi networks
- Use of personal devices and accounts to download or transmit company information
- Ability to store, download, or copy data from institution systems to personal devices
- Use of encrypted email
- Print-from-home options, and the storage and proper disposal of paper files
- Logging out of computers at the end of the day or during breaks to prevent non-employee access
- Handling sensitive information out of earshot of those present in the home, as well as virtual assistants and other visual or voice-enabled IoT devices
- Practice of good security hygiene (discussed in an upcoming article)
- Secure storage of cellphones, tablets, and laptop computers used to access work systems when not in use
Develop a list of FAQs your IT help desk is receiving, and make those available to workforce members to avoid overwhelming IT with repeat questions. Offer your virtual private network (VPN), virtual desktop infrastructure (VDI), or other remote access to institution systems, and enable multi-factor authentication.
Test and Understand Bandwidth Limits
Bandwidth and server capacity should continue to be monitored. Broadband providers may be lifting data caps, but bandwidth limits should be considered in remote operations planning. Remote workforces are competing with other online users, including K-12 and higher education moving to online learning, increased telehealth usage, and streaming services. This increased dependence on and use of technology with remote connectivity will slow performance and test bandwidth limits.
If bandwidth becomes an issue, consider workforce communications and monitoring to control video streaming and other data-intensive activities. For example, ensure that workforce members know that personal online activities should be done on their own devices. Guidance to help workforce members minimize non-essential home internet use during working hours may also be effective (e.g., limit children's video streaming to standard definition, or turn off internet-connected devices like video game systems that can automatically update during the day without notice).
Reevaluate Role-based Access
With an increased remote workforce comes increased exfiltration of data that historically was accessible only via more secure and monitored processes. While remote access is necessary for research and higher education institutions to function amid the COVID-19 pandemic, it is important to consider what level of access is appropriate.
Now is an opportune time to reassess access needs. Adjust and monitor role-based access to match job duties. Consider whether you can restrict access to high-risk systems with sensitive data or mission critical designations to workforce members with appropriate training and need-to-know status. You can adjust access rights as the situation continues to unfold.
Test Redundancies and Prepare Backup Plans
Be prepared for failures and overload on system resources. Not everything will work. Test your backups, identify redundancies, and implement your emergency mode operations plans to support business continuity.
Many organizations have sent non-essential workforce members home but keep IT personnel and skeleton operations teams on site to support essential operations. Research and education institutions should prepare backup plans (a Plan C) in the event that new or changed shelter-in-place orders or workforce sickness/exposure limit the ability to maintain an on-site IT presence. Identify mission critical systems and team members, and set redundancies and backups where possible.
Continue Communication and Remember to Maintain Your Culture
Remember your workforce may be scared, responding to a lack of normal human interaction, and adjusting to a new work-from-home lifestyle. Try to find ways to foster moments of normalcy between coworkers. Also, use technology where possible to enforce and enable institution culture (e.g., chat, video, and conference systems to enable secure communication). Look for end-to-end encryption on any software that will be used to communicate confidential information. Other platforms may be used to encourage coworkers to continue social connections.
Finally, while many institutions are typically great at external communications (e.g., with alumni) and student communications, keep in mind that periodic check-ins, tips, updates, and reminders to staff and vendors who access sensitive information (e.g., student data subject to FERPA, patient or health data, sensitive financial data, and general personal information) are essential. Even if systems seem to be in place and working as expected today, remote workers can be constantly changing the way they work. For example, if a remote worker's bandwidth or remote security access is causing issues, that person may resort to alternative, less secure means to continue performing their job functions. Frequent reminders and FAQs can help stem unfortunate consequences of such actions.
For more resources, check out the SANS Institute tips to secure your organization in a work-from-home environment and National Institute of Standards and Technology telework cybersecurity guidance.
More Articles Upcoming in This Series
As the COVID-19 situation continues to unfold, Quarles & Brady will continue to monitor data privacy and cybersecurity considerations and opportunities for higher education institutions and provide additional guidance in future articles.
For questions on best practices to enhance existing privacy and cybersecurity remote work policies and procedures, contact your Quarles & Brady attorney, or: