Skip to content

Data Security in the Age of Remote Work: How to Keep Your Business Safe

How should you set up your security policies for your employees working from home? What are the potential culprits of a remote workforce? And is BYOD putting your organization at unnecessary risk of a data breach? Some love it, and some hate it, but there’s no use turning a blind eye to the massive surge in the number of employees working from home.

Ever since covid turned the world upside down in 2020, working remotely became the norm… and a new threat to data security. Covid-19 sent employees packing (to their home offices). Across the globe, workers have been working from home, but not every company has managed to keep up with the security policy department.

Based on the 2022 Verizon Data Breach Investigations Report, 82% of all data breaches involve the human element. You probably know all too well by now how hard it is to keep those humans in check (security-wise), even if they’re all in the same building. But making sure everyone is being safe when they’re out of sight? Are you sure your work-from-home guidelines for employees are up to date?

With 8 in 10 people working either in a fully remote or hybrid environment (and the numbers are expected to rise, based on a 2022 AT&T study), figuring out and maintaining a work-from-home policy is not just important; it’s critical to any organization’s security.

 These are the top things to keep in mind if your organization employs remote workers: 

What are the security risks of working from home?

First of all, let’s be clear about one thing: It’s called “work from home”, but unless you are specifically restricting your employees from working outside of their residence, they could be all over the place: from a cafe downtown to a beach on the other side of the world.

That requires smarter planning, stronger policies, and better communication with employees on your part.

Remote work poses a wide variety of cybersecurity risks due to all the potential scenarios and versions of remote work. Some potential considerations:

  • Without an IT department in the office next door, your remote worker may struggle with their limited IT skills.
  • What type of networks are your employees connecting to? Are they using public wifi?
  • Are you providing hardware for remote workers, or are they using their own devices?
  • Is your infrastructure cloud-based to allow for a more functional work-from-home solution?
  • What are your employees’ work habits? Could they be endangering your data with their behavior? 

The question is: How can you protect my organization from external cyber-attacks and the negligence of employees without making it difficult for your employees?

Because if it’s difficult, hard to understand, and tedious, your employees won’t adhere to your security policies.

The most important work-from-home security policies

Which security you set up for your organization will depend on your specific circumstances. But you don’t need to reinvent the wheel.

There are numerous regulations already in existence that your organization may or may not need to comply with that already specify the most important remote work policies.

You can also use ISO 27001, a major guideline for the establishment of an effective information security management system, to set up the best possible data security policy for your organization. Learn more about ISO 27001

Some areas that will always need to be addressed are:

Securing networks

It can be as simple as making sure that your employees’ home wifi router isn’t still on the default password and insisting they never use public wifi when connecting to your organization’s systems unless they use your organization’s VPN (a virtual private network).

A VPN will encrypt data being sent and received, preventing data leaks. It’s like a disguise for your employees’ online identity and your sensitive data.

Multi-factor authentication

Enforce a strong password policy and require changing passwords periodically, but don’t stop there. Have your employees use two-factor authentication to log onto your organization’s systems as an extra layer of protection.

This can be anything from utilizing single-use passwords to using biometrics.

Two-factor authentication can dramatically reduce the success of phishing and malware attacks since they often rely on stealing information such as passwords to infiltrate a system.

Have you heard of Zero Trust? The Zero Trust Approach is an evolving data loss protection model based on the need to authenticate and authorize any access to the network because trust is not assumed even if it has already been granted. It’s a great tool that can help you set up your authentication requirements.


Encryption means that data from emails and documents is encoded, and only authorized parties can access and decipher it.

Sure, every device has an encryption option (but is it turned on?), but you can also implement data encryption software to protect your organization. Encryption is also used to protect sensitive data that is transferred between employee devices and company servers.

Using a VPN will encrypt data going to and from your remote worker through the internet.

Up-to-date software and security systems

Make sure all of your employees working from home have up-to-date firewalls, software, and security systems on all of their devices. You want all security patches to be activated as soon as they come out so that any vulnerabilities in the system are managed.

This can be harder to achieve in the BYOD (bring your own device) model. More on that is below.

Communication and support

Provide clear channels of communication. Educate your employees on how to report any suspicious online activity. Instruct them on how to spot a phishing attempt or security breach. Do your work-from-home employees know who to talk to in case a security issue comes up? Have someone within each team act as the go-to contact and provide guidelines for what types of issues should be reported.

Safe behavior

Talk to your employees about safe behavior – Are they working in an environment where people can easily see their screens? Do they know not to share sensitive information over messaging systems or on social media? Are they doing enough to prevent hardware theft?

Dedicated DLP Systems

Dedicated DLP (data loss prevention) systems such as Safetica’s solutions use a centralized and automated system to monitor and report on everything happening in an organization’s cybersecurity landscape – on-site or off. You will feel more secure knowing that no matter where your employees are, your organization’s sensitive data will remain safe.

Dedicated DLP vs Integrated DLP: Which one makes sense for your organization?

How to explain and enforce security guidelines

For in-house employees, you can use things like posters and LED visuals to spread security messages around the office. You’re also more likely to see questionable behavior or notice the need to distribute that new security brochure you spent too long putting together.

For work-from-home employees, out of sight and literally off-site equals fewer possibilities to have any physical effect on the people you work with. You’ll need to think out of the box and remember that it’s much easier to forget about policies (even if it’s by accident) when you aren’t in the office.

Learn more about educating your employees about data security.


Simply put, in order to maintain awareness, you need to keep your policies easy to understand, easy to implement, and easy to remember. And for remote workers also easy to find in the first place.

Since practice makes perfect, everyone in the organization can benefit from a friendly reminder from time to time. Can you plan an email campaign to explain one security rule every two weeks simply? Have team leaders lead by example (that means higher management, too!), and make data security a topic in regular meetings.

To get the word out, get personal and KISS! Emails and passive messages are great as refreshers, but your employees to really hear you and not just scan the security checklist you send them; they need to hear it from the horse’s mouth.

All policies look great on paper (even the digital kind), but they make a much bigger impact during a live video presentation by the IT Director or even CEO – you are letting your work-from-home employees attend important meetings online, right? If it’s just George, the IT guy hounding them in yet another Slack message, he’ll barely be heard.

So keep it short and simple (KISS!), but make it count.  

Specifics of BYOD when working from home

If your remote employees use computers and other devices that your organization provides to them, you are able to make sure that all equipment and software comply with company standards and policies.

But what about BYOD? If employees use their own devices, your work-from-home guidelines for employees will need to:

  • Specify approved devices
  • Separate personal and company data
  • Plan for ongoing maintenance and updates of all devices
  • Set restrictions on what can and cannot be installed on the device
  • Consider potential legal issues/difficult data retrieval
  • Explain ownership expectations and procedures upon an employee’s termination

While BYOD has obvious advantages, such as reduced costs and potentially greater mobility, it also poses a greater security risk for your organization. 

  Let’s talk about data security

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Safetica
Safetica is to provide small and mid-sized companies with the same quality data protection that corporations have – affordably, and without any additional IT administration or disruptions in operation.

Data Loss in Healthcare

As one of the most sensitive pieces of personal information, patient health data needs to be protected from data incidents or breaches. When the majority of the data is spread among multiple applications and devices though, then keeping the data safe from threats can be quite challenging. 

There are a few best practices that companies from the healthcare sector can use to boost their data security (and patient trust) straight away, though – you’ll learn about those in this article. 

How technology has changed the healthcare sector

The healthcare industry has benefited from technology in many ways. Thanks to digitized medical records stored on the cloud, doctors don’t have to spend as much time creating, updating, and managing paper records. Wearable devices and digital health apps help doctors monitor patients with long-term illnesses. There are even AI-powered applications that can record patient-doctor conversations and turn them into complete notes, saving doctors plenty of time. 

All those applications also generate enormous amounts of data every day – and this is both a blessing and a curse for the healthcare sector. A blessing because the data coming from the applications can give healthcare professionalists much more information about a patient than an interview would. That way, they can make better decisions about how to treat them and provide better patient care overall.

The amount of data being generated every single day makes it increasingly difficult to keep track of which sensitive healthcare information is stored where and who can access it though. Add to these hectic work days, a well-known dislike for paperwork among medical staff, and (unfortunately far too often) a lack of cybersecurity training, and you can see why healthcare is among the industries that experience the most data incidents. Unfortunately, Healthcare attacks are also becoming more common. This is due both to the value medical records have to criminals and that many healthcare facilities still use outdated equipment – making obtaining the records much easier for criminals.

What is the average cost of data loss/breach in Healthcare?

Healthcare has the highest average cost of data breaches at $10.10M per incident.

What’s even more worrying is that the cost of healthcare data breaches is rapidly growing. According to an IBM Security breach report, the average cost of such incident in the healthcare sector has gone up 42% since 2020 – and keeps on growing. 

The cost is so high for several reasons. The first is related to the type, and amount of data healthcare providers collect and store in their systems. In every patient’s file, there usually is: 

  • Patient’s full name and address
  • Email addresses
  • ID number
  • Billing information
  • Social security numbers
  • Medical history, together with drug prescriptions, etc.

For criminals, one such medical record is worth even 50 times more than a credit card number as they can build an entirely fake persona from the information available in the healthcare records. Then they use the new persona to purchase medical equipment on the victim’s health insurance, take loans under the patient’s name, abuse the victim’s health plan or fill insurance claims. Plus, as health records (compared to, for example, credit cards) can’t be canceled, blocked, or changed after a data compromise is noticed, healthcare companies have a much harder time containing it and minimizing the damage.

As a result, it’s estimated that now 95% of identity theft comes from stolen healthcare records – which means any data incident might pose a serious risk to the patient’s safety.

Another thing that makes healthcare data incidents so costly is how much time they take to solve them. In their 2022 report, IBM security found that the average healthcare data breach lifecycle is 329 days. 

Considering how little time healthcare professionals have during the day and how easily files (including sensitive healthcare ones) can be copied or shared without anyone noticing, it can take a long time for a clinic or hospital to discover a data incident. 

Unfortunately, when they find out about it, it’s often far too late. Their patients’ data (from social security numbers and credit card numbers to health history) has already been leaked to the darknet, and the company has now to deal with reputational damage, financial losses – and also legal consequences. 

Healthcare data breaches and legal consequences

Healthcare data breaches are so costly also because of the number of laws and regulations the industry has to adhere to these days – and the penalties for violating those are pretty hefty as well. 

The largest HIPAA violation penalty up to date, $16 million, was paid by Anthem Inc. in 2018 after a 2014 cyber attack caused a healthcare data breach spanning 78.8 million records. In addition, Anthem also had to pay $115 million to settle the lawsuits filed on behalf of the incident victims and $48 million as penalty fines. 

The second largest breach with the highest penalty was imposed on health insurance company Premera Blue Cross in 2020. The company was fined for neglecting several HIPAA requirements and causing a data incident in which hackers obtained the protected health information of 10,466,692 individuals. The company then agreed to pay a financial penalty of $6,850,000 to resolve the case and adopted a corrective action plan to address all areas of non-compliance. 

Besides that, Premera Blue Cross settled a multi-state action for $10 million and a class action lawsuit filed on behalf of victims for $74 million.

Health, genetic and biometric data are also considered special categories of data under the General Data Protection Regulation (GDPR). That’s why healthcare companies are expected to follow stricter guidelines when collecting, processing, and storing health information – otherwise, fines can be pretty steep as well.

On 23rd February 2021, the health data of nearly 500,000 people was released on the internet following a massive data breach at the DEDALUS BIOLOGIE company. The exposed data included names, Social Security numbers, the name of the patient’s primary doctor, examination dates, as well as confidential health information related to HIV, cancers, genetic diseases, pregnancies, and drug therapy. The company was then fined 1.5 million euro by the French data protection authority (CNIL) for violating GDPR articles 28, 29, and 32 requirements and causing the breach to happen. However, the investigation is still ongoing, so the final amount the company will have to pay for the violations could be much higher.

It is also becoming more common for people to file lawsuits after a breach of their data. For example, Baker Hostetler law firm analyzed more than 1,200 data security incidents from 2021 that their company helped clients manage and found that 23% of those incidents involved healthcare breaches.

That means that in case of a serious data breach, healthcare facilities may find themselves not only facing data privacy law enforcement but also private lawsuits from individuals affected by the incident. Then, companies could end up having to pay lawsuit settlements, compensation and also reimburse the breach victims out-of-pocket costs connected to the incident – which will significantly increase the costs of the breach.

How to protect patient records from loss or breach?

While enhancing the data security at the health center facility will likely take some time and effort, it will help you in the long run as it will make it easier for you to avoid data incidents or compliance violations. This way, you can both assure your patients and business partners that their data is safe with you, as well as prevent very expensive financial repercussions from healthcare data breaches.

Where should you start, though? 

Here are some things you can do to tighten up your health systems:

  • Run a security risk assessment

Both GDPR and HIPAA require healthcare providers to run an annual security risk assessment to identify potential security vulnerabilities and data threats in their networks. While those usually take some time, they are incredibly important for healthcare companies as they can give them enough information about where the patient’s data might be compromised and how you should address the vulnerabilities. 

In this way, you’ll be able to fix any vulnerabilities or issues in your network that could lead to breach or loss incidents in the future, saving you time (and money).

  • Educate your staff on best cybersecurity practices

Without cybersecurity training, your employees might not be aware of your company’s security policies or cyber risks, leading them to take risky actions – such as sending a patient’s file through social media messenger. And yet nearly a third of healthcare employees (32%) said they had never received cybersecurity training from their workplace! Lack of awareness of the breach consequences might also cause the employees to skip security procedures just to get a task done faster. This can quickly lead to healthcare data breaches though – in fact, human error accounted for 33% of healthcare breaches in 2020 alone.

To lower the number of incidents, make sure your employees know how they should work with sensitive data and what are the consequences of neglecting the procedures. Handing them an incident response plan with guidelines on how to respond when they notice a healthcare data breach would also be very helpful when it comes to preventing and dealing with data threats.

  • Limit access to health records

With hundreds of people and devices within a healthcare organization, it’s vital that you keep a close eye on who can open, edit and share patients’ health records to prevent data theft. The access permissions for the most sensitive healthcare files should be set up so that only healthcare specialists who need the specific medical records can access and edit them. 

The fewer people that have access to the health records, the less likely it is that the data might be compromised – or leaked outside.

  • Limit the use of personal devices

Healthcare professionals may find it convenient to use their personal devices for work, but these devices are usually not as secure as those they have at the clinic or hospital. Having clear policies that outline how employees can access your network/applications when using personal devices and how they should handle incidents are essential if you want to allow employees to bring and use their own devices for work. It is also a good idea to keep a close eye on what devices are added to your network and to restrict or block access to sensitive files for those you don’t recognize.

  • Keep a data audit log

Keeping data logs is an essential part of HIPAA compliance, as through those, you can quickly detect any policy violations and respond to those straight away. In addition, when an incident occurs, an audit trail will also help forensic specialists pinpoint the place where the incident started, determine the cause and suggest the best way to prevent similar issues from happening. 

Manually tracking and saving the audit log would be time-consuming and complicated though. Fortunately, here you can rely on applications such as Safetica that will create and update the audit logs for you. Then, when you’ll be dealing with a data incident, you will only have to check the data logs, and you will know where and how it started – rather than having to search the entire network.

  • Restrict what actions can be taken when working with sensitive data

In addition to monitoring which employees have access to sensitive files, it is recommended to restrict what can be done with those files to prevent unauthorized disclosures. For example, limiting or blocking sensitive file web uploads, screenshotting, copying to external drives, adding the files as mail attachments, or printing can go a long way in lowering the risk of incidents happening.  Data endpoints monitored and secured will also greatly reduce the chances of data thieves stealing confidential data as they will have far fewer options to copy or share the data without getting caught.

  • Encrypt data

Encryption is one of the most effective methods of protecting sensitive information. Even if someone unauthorized gains access to sensitive files such as patients’ medical records, the information inside the files would be unreadable to them and so they won’t be able to use the files in any way. For additional security, you can also add more encryption layers so that more than one encryption key is required to enter a system or combine the encryption with multi-factor authentication.

  • Destroy sensitive information properly

HIPAA also has stringent regulations regarding how you should destroy files and devices with patients’ data or other sensitive information to make sure no unauthorized person can use it. Failing to properly destroy the data you no longer need can cause the data to be exposed, and then you might be fined for non-compliance. 

In fact, some of the largest fines for HIPAA violations have been for failing to comply with the medical records destruction rules. For example, New England Dermatology and Laser Center had to pay $300,640 to settle an investigation into the improper destruction of medical records. 

It is recommended to hire HIPAA-compliant data destruction services for disposing of the sensitive data and the devices the data was on to ensure that they were destroyed properly and that the information can’t be recovered.

  • Backup data regularly and store it in a secure location

Whether your healthcare system crashed or your employee accidentally overwrote patient records, losing access to sensitive data can force you to spend more time restoring the files rather than taking care of your patients. Additionally, if you have to reschedule patients’ appointments or procedures because of a data incident, you risk losing their trust that their data is safe with you.

That’s why HIPAA’s final rule requires that electronically protected health information (ePHI) be backed up regularly and stored securely offsite. Ideally, you should have three backups of the data stored in different locations, as that way, you significantly reduce the chances of losing all of your data.

It’s also recommended that the backups be done daily or at least once weekly. If you don’t have time to do it yourself though, it will be a good idea to schedule automatic backups at set intervals – for example, every day at midnight. Additionally, you should make sure that only people who will need the copies for their work have access to the copies – and also that all copies are encrypted.

How can Safetica help you protect the data?

Meeting compliance and data security requirements while also giving patients the best care possible is definitely not an easy task – especially if most of the tasks related to securing the data are done manually. Safetica can take over the data security and compliance tasks to give your healthcare professionals more time to take care of your patients.  

After you set your own data privacy policies and requirements inside the platform, Safetica will monitor your entire healthcare data within and (most importantly these days) outside of the work environment, 24/7. 

What else can Safetica do for you:

  • Automatically discover, classify and secure sensitive files.
  • Analyze your environment to find out places where there’s a risk of data breach or non-compliance.
  • Ensure that all employees are following internal security policies and are meeting HIPAA/GDPR compliance requirements.
  • Respond to any suspicious activity in the manner you specified earlier (for example, it can show a warning to an employee when they are working with sensitive data).
  • Monitor all external or remote devices for potential data incidents or breaches and report all new devices added to the network. 
  • Automatically create data activity logs for audits. 

You can learn more about how Safetica can protect the data in your healthcare facility by reading our dedicated whitepaper


Hospitals, clinics, and healthcare providers are responsible for safeguarding patient data and critical healthcare information, as the consequences of those falling into the wrong hands can be disastrous. The average cost of a data breach is also growing – so that makes preventing various types of breaches and incidents more critical than ever.

By educating the hospital staff members and healthcare personnel, restricting access to patient data, and encrypting the data though, the number of incidents and the damage they can cause can be visibly reduced though. 

Safetica can also make keeping patient data secure easier by monitoring healthcare data and protecting it from threats. Once you combine best security practices with Safetica, you can rest assured that every piece of data within your organization’s system is safe and secure.

About Version 2
Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

About Safetica
Safetica is to provide small and mid-sized companies with the same quality data protection that corporations have – affordably, and without any additional IT administration or disruptions in operation.

Differences between SaaS DLP and legacy on-prem Data Loss Prevention solutions

It can be too complex and heavyweight for small and midsized companies handle legacy DLP solutions. But SMBs with limited IT capacities also face the same risks of internal data leakage, and the resulting incident impacts can be devastating. Luckily there’s an alternative – cloud-native SaaS DLP.

If you run an SMB company or work for one, you usually have limited to no in-house hardware infrastructure, because there’s usually no reason to manage your own servers.

SMBs also have minimal IT capacities, and due to the broad scope of IT admin or manager responsibilities, there’s little room for increasing their security expertise.

That’s why it can be almost impossible to implement a legacy DLP solution, even though it could help prevent sensitive or confidential data from leaking outside of the company.

The main barriers usually are: 

  • Requirements for available hardware infrastructure (servers and databases)
  • Lengthy and costly implementation projects (quarters/years to implement)
  • Labor- and skill-intensive administration with dedicated specialists needed

Legacy DLP alternative: Next-gen SaaS DLP

The cloud is the way to go when you don’t have or don’t want to have your own servers. With cloud/SaaS you can use the solution as a service, so you don’t need to worry about keeping it up and running. The vendor’s SLA ensures DLP availability. The advantage of a cloud-native DLP solution is that it’s designed from scratch to run in the cloud efficiently and reliably. It’s also multi-tenant by design so that it can be provided and managed by MSPs (Managed Service Providers). The “cloud-native” and “multi-tenant” architecture also means that it can be deployed in minutes. There’s no need to install servers, databases, or a management console. The only installation required is the remote deployment of “clients” to endpoint devices.

Ease of use comes with next-gen solutions

Whether a DLP solution is centrally managed by a MSP or by an IT manager in a SMB organization, it needs to be easy to use and as simple to manage as possible. In other words, it should be straightforward and semi-automated, with pre-configured settings and out-of-box templates. We in Safetica think that next-gen DLP, which is primarily “risk-driven”, must employ smart analytics to evaluate both the risk of data operations and individual users. Because knowing your risk level can help you anticipate potential incidents that could be difficult to secure using only DLP policies.

Cloud-native but still endpoint DLP

Some vendors provide “Cloud DLP” solutions that mainly protect data stored in the cloud or SaaS applications. You may have also heard about CASBs (usually agentless Cloud Access Security Brokers), which protect data from being transferred to and from the cloud. These solutions require an internet connection to protect data.

For Safetica, next-gen cloud or SaaS DLP is a solution managed from a cloud console (via a web browser) that provides data security and risk assessment directly on endpoint devices.

Safetica’s SaaS DLP is agent-based, meaning the client must be hosted on the computer that classifies the sensitive or confidential data, enforces the DLP policies, and collects data for risk evaluation.

One of the main advantages of an endpoint DLP is that it always works, even when the device is offline.

With endpoint DLP managed from the cloud, you can still prevent data from being uploaded to an unsecured cloud and classify (and protect) data downloaded from cloud services.

When combined with CASB, the endpoint DLP provides complete protection against data leakage.

SaaS – DLP as a Service

When using DLP solution as a service you should have transparent and convenient subscription options – either monthly or annually.

The main benefit of a monthly subscription is that you can increase and decrease the number of protected users on a monthly basis.

Also, a monthly subscription may be more attractive in terms of cash-flow management. On the other hand, annual subscriptions are usually cheaper.

In Safetica we offer a pay-as-you-go model with a “per-user policy”. Customers pay based on the number of users they need to protect.

TCO of SaaS DLP vs. legacy on-prem DLP

When considering which solution to choose it’s important to calculate the total cost of ownership. If you simply compare the license/subscription price per user, an SaaS can appear more costly.

However, with a legacy on-premise DLP solution, you need to consider the cost of buying, operating, and maintaining servers and databases (including possible hosting or datacenter costs). You usually also hold full responsibility for keeping the server with the management console available.

Administration of complex DLP solutions also require more experienced specialists with a significantly larger time capacity. In our experience, the difference could be 1+ man-day per week in the case of legacy on-prem DLP vs. a couple of hours per week with next-gen SaaS DLP.

And what do our customers think of the future of business? Vladimír Püschner, IT PMO & Innovation Director at Direct Parcel Distribution CZ considers SaaS and cloud applications as the way to go.

If you’d like to learn more about Next-Gen SaaS DLP, read about Safetica NXT, book a quick call with our solution expert, or try our free web trial.

What is HIPAA? The Scope, Purpose and How to Comply

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 is the federal law that created national standards for protecting sensitive patient health information from being disclosed without the patient’s knowledge or consent. Read more about this US regulation and find out how to comply.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) was primarily about solving insurance coverage for individuals that are between jobs. Without this law, employees would have faced the risk of losing their insurance coverage for the period between jobs.

Another goal was to ensure that all data is properly secured and no unauthorized individuals can access healthcare data.

HIPAA applies in the United States and is regulated by the Department of Health and Human Services’ Office for Civil Rights (OCR).

Purpose of HIPAA

The HIPAA was created in order to modernize the flow of healthcare information and to make sure that Personally Identifiable Information gathered in healthcare and insurance companies are protected against fraud and theft, and cannot be disclosed without consent.

Patients’ healthcare information is treated more sensitively and can be quickly accessed by various healthcare providers. HIPAA regulations require that records are better secured and protected against leakage.

What is Protected Health Information?

Any company or individual that works with Protected Health Information (PHI) needs to be compliant with HIPAA. PHI is created when any health data is combined with personally identifiable information, such as the following:

  • Names 
  • Geographical identifiers 
  • Phone and fax numbers 
  • Email addresses 
  • Medical record numbers 
  • Account numbers 
  • Vehicle information 
  • Website URLs 
  • Fingerprints, retinal and voice prints 
  • Social security numbers 
  • Health insurance beneficiary numbers 
  • Certificate and license numbers 
  • Device information, IP addresses 
  • Full face photographs 

      When PHI is stored electronically, it’s called ePHI. 

      The Scope of HIPAA

      There are several entities that regularly work with Protected Health Information and therefore must follow The Health Insurance Portability and Accountability Act: 

      • Healthcare providers 
      • Health plans 
      • Healthcare clearinghouses 
      • Business associates 

        HIPAA Rules

        HIPAA consists of the following rules: 

        • Privacy Rule 
        • Security Rule 
        • Breach Notification Rule 
        • Omnibus Rule 
        • Enforcement Rule 

        HIPAA Privacy Rule 

        The Privacy Rule defines how, when and under what circumstances PHI can be used and disclosed. Without a patient’s prior consent, the use of information about the patient is limited. Patients and their representatives are allowed to obtain a copy of their health records and request corrections in case of errors.

        HIPAA Security Rule 

        The Security Rule sets standards to protect ePHI. The Security Rule must be followed by anyone who works with ePHI. Security Officers and Privacy Officers must perform risk assessments and audits to identify any threats to PHI integrity.

        Breach Notification Rule 

        The Department of Health and Human Services must be notified in case of a data breach, as must the affected individuals. If more than five hundred patients in a particular jurisdiction are affected, a press release must be issued in a news outlet covering the area.

        Omnibus Rule 

        The Omnibus Rule is a part of the HITECH Act (Health Information Technology for Economic and Clinical Health Act) that came into force in 2009 and was created to encourage the use of electronic health records by healthcare providers.

        The Omnibus Rule prohibits the use of PHI for marketing or fundraising purposes without authorization.

        Enforcement Rule 

        The Enforcement Rule is about determining the appropriate fine when a breach occurs. A fine can be lower in case of negligence, however if the violation happens due to willful neglect it can be much higher. 

          The Rights of Individuals

          Within the HIPAA Privacy Rule, individuals have the legal right to see and receive copies of medical information.  

          Individuals have the right to: 

          • Access PHI 
          • Amend PHI 
          • Request restriction on who uses PHI and how it is disclosed
          • Request confidential communications 
          • Request accounting of disclosures 
          • File a complaint 

          Even though patients have the right to access their records, some types of information are excluded from the Right to Access. The following information is excluded:

          Excluded information is the following: 

          • Quality assessment or improvement records 
          • Safety activity records
          • Business and management records 
          • Psychotherapy notes 
          • Information compiled for use in civil, criminal, or administrative action or proceedings 

            HIPAA Violations

            A HIPAA violation occurs when a HIPAA entity or a business associate fails to comply with any of the HIPAA Rules. Penalties for HIPAA violations are issued by the Department of Health and Human Services’ Office for Civil Rights (OCR) and state attorneys general. HIPAA uses four categories of penalties:

            • Tier 1: Lack of Knowledge 

            The entity was not aware of the violation; therefore, it could not have been avoided. The penalty per such violation is $120—$30,113.

            • Tier 2: Reasonable Cause 

            The entity should have been aware of the violation, however, could not have avoided it. The penalty per such violation is $1,205—$60,226. 

            • Tier 3: Willful Neglect 

            The entity willfully neglected HIPAA Rules, but tried to correct the violation. The penalty per such violation is $12,045—$60,226.

            • Tier 4: Willful Neglect and not corrected 

            The entity willfully neglected HIPAA Rules and didn’t make any attempt to correct the violation. The penalty per such violation is $60,226—$1,806,757. 

            The Most Common HIPAA Risks


            Keeping unsecured records 

            Employees leave sensitive documents at their desks or don’t use passwords to access digital data. Make sure that the workspace is secured, and passwords are used at your company.


            Unencrypted data 

            Encryption of your data is not mandatory by HIPAA, but it is highly recommended. Even if data is leaked, when it is encrypted it can’t be accessed without authorization.


            Hacking or phishing campaigns 

            Keep your anti-virus software up to date, regularly change passwords and use a DLP solution to protect your data against leakage.


            Loss or Theft of Devices 

            Valuable devices can be lost in the blink of an eye. Encrypt your data, so even if a device is lost, no one unauthorized can access it.


            Sharing PHI 

            Always keep in mind that people like to talk. Very often employees don’t even realize that they have been sharing sensitive information with each other. Educate them about sensitive data handling, and make sure that only authorized individuals can access the data. 


            Lack of employee training 

            Employees might not even realize that they have been working with PHI and the violation can be harmful to both the company and patients. Educate them regularly and make sure they understand what PHI and HIPAA are, as well as the consequences of violation.


            Unauthorized Access 

            Employees who are not authorized to process sensitive information can still access it and go through the documents. Set the proper security policies and make sure your employees are aware of them.

            Insider Threats in the Healthcare

            As you can see above, violations often stem from mistakes made by employees, whether they lose a device, click on a phishing campaign, or just talk with their colleagues about patients. HIPAA violations can happen easily. Insider threats can be either unintentional or malicious. However, 56% of insider threat incidents are caused by negligent employees.

            And according to Ponemon Institute, the average total cost of a data breach for healthcare companies jumped 29% to $9.23 million. Health and pharmaceuticals are among the industries with the highest annual insider threat costs, at over $10M per year (Ponemon Institute, 2022). 

            Read more about insider threats here.

            How to Secure Data For HIPAA Compliance?

              1. Encrypt your data 
              2. Adopt security policies and define authorized employees to access your PHI 
              3. Use a DLP solution to protect your data against insider threats and to enforce security policies. 
              4. Educate your employees on a regular basis 
              5. Secure your workplace, adopt policies on how to work with sensitive documents 

              How Safetica Secures Your Data For HIPAA Compliance?

              1. Safetica encrypts your data and keeps it protected in case of device loss or theft. 
              2. Safetica is a DLP solution that protects your data against insider threats. Define which operations can be risky and block them or make Safetica notify you and your employees about potential risks.
              3. With Safetica it is easy to adopt security policies and define authorized employees that can work with PHI. You can set your security policies and monitor whether your company’s sensitive data is being misused, and only allow authorized individuals to access it.
              4. Educate your employees on a regular basis. Safetica notifies your employees in the event of risky operations, so they are more aware of data security.
              5. Secure your workplace, and adopt policies on how to work with sensitive documents. Safetica performs security audits and provides you with regular reports that allow you to adjust your security policies.

              Customer Stories:
              How Safetica Helps in Healthcare

              Gyncentrum Clinic protects their clients’ sensitive data with Safetica. Read more here.

              Our staff, both administrative and medical, has access to our patients’ sensitive data on a daily basis. These are personal and medical information, examination results and psychological evaluations. Thanks to Safetica, I can, as the person responsible for data protection in the clinic, decide who has access, how data is processed and whether it can be shared with third parties or not. Employees’ activities are reported, and patients’ data protected.

              Says Paweł Czerwiński, Owner of Gyncentrum.

              Top 3 HIPAA Violations

              #1 Tricare 

              Number of records leaked: 5 million 

              Tricare is a healthcare program for active-duty troops, their family members, and military retirees. In September 2011, the company experienced a data breach. Backup tapes of electronic health records were stolen from the car of the person who was responsible for transporting these records.

              Types of data exposed:  

              • Social security numbers 
              • Names 
              • Addresses 
              • Phone numbers 
              • Personal health data 
              • Clinical notes 
              • Lab tests 
              • Prescription information 

                #2 Community Health Systems Data Breach 

                Number of records leaked: 4.5 million 

                In 2014, malware software was deployed and sensitive patient data was stolen. Patients who received treatment from the company in the previous 5 years were impacted.

                Types of data exposed: 

                • Names 
                • Birth dates 
                • Social security numbers 
                • Phone numbers 
                • Addresses 

                  #3 UCLA Health Data Breach 

                  Number of records leaked: 4.5 million 

                  In October 2014, UCLA experienced a cyberattack in which sensitive patient information was stolen.

                  Types of data exposed: 

                  • Names 
                  • Birth dates 
                  • Social security numbers 
                  • Medicaid 
                  • Health plan identification numbers 
                  • Medical data 

                    About Version 2
                    Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

                    About Safetica
                    Safetica is to provide small and mid-sized companies with the same quality data protection that corporations have – affordably, and without any additional IT administration or disruptions in operation.

                    Safetica is using OKRs to support rapid growth

                    Objectives and Key Results (OKRs) is a trending methodology for collaborative goal-setting invented by Andy Grove (Intel) and made famous by Google, which still uses it today. Companies implement OKRs primarily to execute their strategy, communicate what their top priorities are, and align teams and individuals on what is most important. Read how we use OKRs to grow our business at Safetica. 

                    Why OKRs at Safetica?

                    When Richard Brulik joined Safetica as the new CEO in 2020, he first used the term OKRs during one of our management meetings: “We should use OKRs to execute, communicate and measure the success of our strategy.” Execution, communication and measurement of our success became the focus of our work with OKRs. The other benefits we were looking for were alignment, growth, increased transparency, and better cross-functional collaboration. 

                    What Do OKRs Bring Us?

                    After 3 quarters of running OKRs, we did an evaluation of realized OKRs benefits (the solid color) and benefits employees would like to see in the future (the lighter color). Alignment, Transparency, and Track Progress to Goals were desired and mostly realized benefits in our org. The focus was also rated highly but there was a gap indicating that some people would like to get an even better focus. And the biggest gap was for sure in Cross-team Cooperation. 

                    OKRs help us grow, shine a spotlight, and align everyone with the top priorities of our business. 

                      How Do We Use OKRs?

                        We set OKRs based on a strategy that aligns with our vision and mission. From the strategy, we define a set of company-wide OKRs that are typically set for 1 year. These company OKRs represent our top priorities for the year and define how we will measure our success. At the next level, we invite key contributors and set Shared or Team OKRs that align with the company-wide OKRs. OKRs on the second level are typically set for a quarter. OKRs are here to help our company fulfill its mission while staying aligned with the vision and our core values as demonstrated in the picture below. 

                        We have weekly check-ins where we discuss the current results, roadblocks, and what we can do to improve the results. At the end of each quarter, we close the OKRs, do a review & retrospective, share the results, and set new OKRs for the upcoming quarter. These routines are the heartbeat of our OKR system and allow us to learn rapidly.

                        And What Are the 2022 Safetica OKRs?

                        To better illustrate how we work with OKRs, here are examples of our company-wide OKRs for 2022. Check out our main goals for this year!

                        • Double the efficiency of the entire Safetica ONE customer journey: The goal is to bring the best customer experience possible at all stages of the customer journey, and make our customers successful.
                        • Rapid growth by mastering the best practices of SaaS: We want to make excellent data protection easy with our new SaaS solution Safetica NXT.
                        • Safetica is the top Czech-based company in which to grow: The aim is to let our employees grow; this objective focuses on employee satisfaction and growth index.

                        And what have we learned by implementing and using OKRs? I have shared our experiences and tips for a successful implementation in this article. OKRs themselves are simple but accomplishing them is not easy. It is about changing the mindset, not being afraid to fail, and most importantly, to learn and improve. 

                        About Version 2
                        Version 2 is one of the most dynamic IT companies in Asia. The company develops and distributes IT products for Internet and IP-based networks, including communication systems, Internet software, security, network, and media products. Through an extensive network of channels, point of sales, resellers, and partnership companies, Version 2 offers quality products and services which are highly acclaimed in the market. Its customers cover a wide spectrum which include Global 1000 enterprises, regional listed companies, public utilities, Government, a vast number of successful SMEs, and consumers in various Asian cities.

                        About Safetica
                        Safetica is to provide small and mid-sized companies with the same quality data protection that corporations have – affordably, and without any additional IT administration or disruptions in operation.



                        Click one of our contacts below to chat on WhatsApp