NSA Shares Cybersecurity Guidance, Assessments for COVID-19 Telework

New guidance from the National Security Agency (NSA) is designed to help organizations assess and compare collaboration tools used for remote work during the COVID-19 pandemic.

The National Security Agency recently shared cybersecurity guidance with high-level security tool assessments to help organizations select and safely use collaboration services to support the increase in remote work during the COVID-19 pandemic.

While the guide is aimed at government employees, combined with telework insights from the American Medical Association and American Hospital Association, healthcare providers will be able to lean on these free resources to shore up vulnerabilities within the increased threat landscape posed by the crisis.

Many providers have shifted to telehealth at this time, using personally owned devices for both remote care and other telework responsibilities. NSA explained that “collaboration services vary widely in the cybersecurity functionality and assurance that they offer.”

The guide is designed to help organizations and their workforce make more informed decisions when choosing more secure technology for these purposes, including better understanding their risk exposure and strengthening endpoints against malicious threat actors.

To start, organizations should weigh nine key considerations when choosing a collaboration service, such as whether it uses end-to-end encryption and whether that encryption is strong, well-known, and tested. Multi-factor authentication should also be in place to validate users’ identities.

IT leaders should also verify whether users can see and control who can connect to the collaboration sessions, as well as whether the platform’s privacy policy allows the vendor to share data with third parties or affiliates.

For example, Zoom came under fire earlier this year after the videoconferencing platform was found to be sharing user data with Facebook without users’ permission. Officials said that once the report was verified, the software development kit causing the data sharing was removed from the platform.

Further, organizations should determine whether users can securely delete their data from the service and its repositories as needed. IT teams should verify whether the platform’s source code is open source or publicly shared, and whether the service has been reviewed or certified by a nationally recognized security firm or government body.

Lastly, “is the service developed and/or hosted under the jurisdiction of a government with laws that could jeopardize USG official use?”

The guidance also provides insights on securely using these platforms, including ensuring that when users download a collaboration service, its source can be verified. IT teams should ensure encryption is enabled, and users should use the most secure means for meeting invitations.

All meeting hosts should ensure only intended attendees are participating in the meeting. As noted by the FBI, hackers have been hijacking videoconferencing apps, such as Zoom and Microsoft Teams, to disrupt meetings.

Organizations should encourage users to ensure any data shared is appropriate for the participants, while securing the physical environment from “unintentional access to voice, video, or data during collaboration sessions.”

The guidance also provides a chart breaking down each collaboration platform and whether it meets these standards.

“The selection of services for this initial assessment was driven by inquiries and usage from across NSA's national security customer base,” officials explained. “This is not a comprehensive list of services or possible criteria.

“NSA analysts gathered factual material from published company literature and product specifications, supplemented by other openly published analyses and basic hands-on technical observation. No formal testing was performed on products or services for this analysis,” they added.

Healthcare providers should also review recent advice from the Office for Civil Rights on COVID-19 cyber scams, as hackers continue to impersonate the World Health Organization and new phishing campaigns have been spotted that impersonate both Skype and Zoom.
