[REQUEST] Would you require remote workers to have a UTM installed at their home?

gpg

Hey,

Just wondering what you all would require remote workers' home networks to consist of? Would you require a UTM to be installed in all remote workers' homes if they are dealing with HIPAA-protected info?

Thanks,
gpg
 
Not familiar with HIPAA but this seems a bit extreme for home workers and possibly questionable on the legal side as the UTM would monitor/log a lot of personal information unrelated to their work. Also, imagine they try visiting websites outside work hours on a personal device and the UTM blocks it. Who deals with that? So to even consider this it would have to be hooked up behind their existing router with only work-issued devices connecting through it.

I'd prefer just having a good software stack on the computer they use for home working. Something that allows you to centrally enforce policies, antivirus, web filtering etc.

Or use RDS/WVD and everything is driven from a server under your control.
 
Would you require a UTM to be installed in all remote workers' homes if they are dealing with HIPAA-protected info?

If the company is supplying the machine, they can do what they want, and have every right to.

If the company is expecting the remote worker to use their own machine, then no.

HIPAA is important, but it requires reasonable precautions against the accidental sharing of protected health information. The restrictions on with whom one can share protected health information, and when, are by intent clearly written into the law. Reasonable precautions are open to interpretation, but can generally be met by freelancers (and there are plenty in the business) who have never dealt with a UTM in their professional lives.
 
I used to think that at first. BUT...I don't want to support "all the other stuff at a home, which will have issues with a UTM at the edge". IoT stuff, oh..the kids' games. Streaming TV issues. More of the kids' games. Double NAT issues because reconfiguring the ISP-supplied gateway didn't happen. More kids' games stuff. Xbox, PlayStation. Endless new IoT stuff. Yeah, the list goes on and on and keeps repeating.

What we do is...use secure methods to connect remote workers.
Many use personal devices to connect. Can have Splashtop Business client on their home rig, they remote into their office computer. I don't care how badly infected their home rig is, it will not transfer through a remote desktop connection/splashtop client to host connection. RDP to terminal server/TSGateway....also safe/immune from transferring bugs.

Many of our clients are set up on 365 now....Teams/SharePoint for files, etc. Advanced Threat Protection scanning the files, and from personal computers...just done through a browser. Really little chance of infection there.

VPNs...well..VPN into HQ...actually CAN BE a point of infection, as with many VPN setups...a client connection brings that computer onto the central network. Some VPNs do that more securely than others..but....
 
Thank you all for the responses. I should have been more precise in my original post. We have many people working from home accessing an EMR application in the cloud via an installed program on each workstation. I am guessing the installed program uses the latest TLS.

My main concern is that most home users have a lousy ISP-supplied modem/wireless router and use that to connect to the internet. Well, if said wireless gets hacked and the hacker has access to the home user's system, then they can see what is going on with the EMR while the home worker is doing their job.

I would rather each home worker be on a wired connection, but I know that may not be possible. And like YeOldeStonecat said, I really don't want to support the home users' non-work-related internet connections. Maybe a cloud VPN using WireGuard for all home workers to connect to?

Thanks,
gpg
 
@gpg,

Were I you, I would consult with your (or their, if you're doing gig work) organization's HIPAA compliance officer. Any organization that routinely handles PHI (Protected Health Information) electronically has a policy and protocol they use. It's not up to an independent contractor to create one, just to know what it is and implement it if possible or if tasked to do so. Otherwise, what's lacking should be reported to the organization then they can decide how they wish to proceed.
 
I have had to use SecurID in the past for remote logins: https://www.rsa.com/en-us/products/rsa-securid-suite

Basically it's a keyfob token generator synchronised to the server that only works for your account. You log in as usual and then get the challenge screen asking for the code from the device, which changes every 30 seconds; get it wrong and you are logged out.

 
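The challenge step described in the post above, written out as server-side code so the moving parts are visible: a code derived from a shared secret and the current 30-second window, a verification that tolerates one step of clock drift between fob and server, and a single-attempt gate that ends the session on a wrong code. This is an added example, not anything from the thread or from RSA; it uses the open RFC 6238 TOTP construction (HMAC-SHA1, 30-second step) rather than RSA's proprietary SecurID algorithm, and the secrets and timestamps are constructed values.

```python
"""Server-side check of a time-based one-time code (RFC 6238 TOTP).

Assumptions (not from the thread): HMAC-SHA1, 30-second step, 6-digit
codes, one step of drift tolerated. Secrets below are test values only.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 30
DIGITS = 6

# RFC 6238 / RFC 4226 reference secret, used only to show the known test vector.
RFC_TEST_SECRET = b"12345678901234567890"


def totp_code(secret: bytes, unix_time: int,
              step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """Code for the time window containing unix_time (what the fob displays)."""
    counter = unix_time // step                      # which 30-second window we are in
    msg = struct.pack(">Q", counter)                 # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                          # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def verify_code(secret: bytes, submitted: str, unix_time: int,
                skew_steps: int = 1) -> bool:
    """True if `submitted` matches the current window or an adjacent one.

    A small skew window absorbs fob/server clock drift; the comparison is
    constant-time so a wrong digit does not leak timing information.
    """
    if len(submitted) != DIGITS or not submitted.isdigit():
        return False
    for delta in range(-skew_steps, skew_steps + 1):
        expected = totp_code(secret, unix_time + delta * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def challenge_step(secret: bytes, submitted: str, unix_time: int) -> str:
    """Models the screen in the post: password already accepted, one try at
    the token code, and a wrong code terminates the session outright."""
    return "authenticated" if verify_code(secret, submitted, unix_time) else "logged_out"


if __name__ == "__main__":
    user_secret = b"constructed-per-user-secret"   # constructed, not a real enrolment
    now = 1_700_000_000                           # constructed timestamp
    fob_display = totp_code(user_secret, now)
    print("fob shows:", fob_display)
    print("same window:", challenge_step(user_secret, fob_display, now + 5))
    print("three windows later:", challenge_step(user_secret, fob_display, now + 90))
```

The skew window is the knob to watch on the defensive side: every extra step accepted widens the time a captured code stays valid, so one step either way is the usual compromise between usability and exposure.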
Zero Trust methodology means no UTM anywhere, because your infrastructure is entirely isolated. Therefore VPN is dead, and endpoint protection is based on the endpoint itself. Access modes are limited such that home users can only achieve well documented minimal access from their own equipment. Additional access levels may require managed machines, and so forth. All of this is made relatively trivial via Azure and its Conditional Access policies.
 