Ensuring cybersecurity and privacy in the era of remote and hybrid work

The SMPH Remote Work Team is publishing several blog posts to provide information and context to the SMPH community about the UW–Madison Remote Work Policy and SMPH Remote Work Guide. This article is focused on cybersecurity and privacy. See the previous articles about remote work setups and workplace flexibility.   

Remote work of any kind comes with risk and liabilities for the university, supervisors, and employees. The UW–Madison Remote Work Policy creates procedures and practices to mitigate these concerns.  

The best way to mitigate these risks and achieve peace of mind for an employee and their supervisor is to complete a remote work agreement for any remote work taking place on a regular and repeated basis. Having an approved remote work agreement is required to work remotely (fully or hybrid) starting September 1, 2021. This ensures that risks have been properly assessed. Submit a remote work agreement request using the process described in Step 4 of the SMPH Remote Work Guide. 

An employee who works remotely (in a fully remote or hybrid setup) is expected to meet the same expectations as employees performing similar duties onsite. In terms of cybersecurity and privacy, this means complying with UW–Madison’s Division of Information Technology (DoIT) guidelines for securing a remote workstation and using safeguards to maintain the privacy, confidentiality, security, and integrity of all data, including written and spoken communications.

One of the best ways to maintain privacy, confidentiality, security, and integrity is to use SMPH-owned and managed hardware, as opposed to a personal machine. This protects both the university and employee in terms of overall risk as well as compliance/adherence to UW–Madison and UW System IT policy. This is especially important for anyone who might handle more sensitive or restricted data on a regular basis, which is quite common in SMPH. Remote employees should use only SMPH-owned IT devices that have been reviewed by departmental IT support staff. If SMPH-owned IT devices are not available, users must exclusively use remote access tools approved by their department. 

When requesting a remote work agreement, employees indicate the kinds of information and data they work with. Depending on the nature of the work, their request may be routed to various campus offices for additional approvals. This is particularly true for remote work taking place internationally.  

However, once a remote work agreement is approved — regardless of whether it required additional approvals — it’s important to keep in mind best practices for cybersecurity and privacy. In addition, if an employee takes on new responsibilities that may require additional approvals to perform remotely, they should begin a conversation with their supervisor.

The following are good general tips for employees working with Protected Health Information and other sensitive information remotely: 

  • Log out of your device or lock the screen whenever it is not in use. 
  • Maintain a designated work area at home that is separate from your personal household activities and where the door can be closed. 
  • Face your computer monitor away from any doors or windows or use a privacy filter on the monitor. 
  • If it is necessary to verbalize PHI, use the least risky identifiers possible (e.g., medical record number instead of name).

Where to go for more information on these topics:  

Questions? Contact smphworkmode@med.wisc.edu.