Using telehealth technology to see patients has clear benefits, but it also carries security implications that practices need to weigh. A recent report from IBM Security and the Ponemon Institute pointed to the rapid shift to remote work, and the rush to adopt new cloud technologies that came with it, as a major factor behind 2020 data breaches. In the same period the average cost of a data breach rose 10%, to $4.24 million per incident.
How Did Remote Work Contribute to the Average Cost of a Data Breach?
The IBM Security report found that roughly 60% of organizations had to adopt cloud technologies quickly to support remote work. In the rush to get remote staff working, the security implications were often overlooked: policies, procedures, and training for remote work lagged behind the technology, leaving these organizations more exposed to breaches.
Remote work also slowed incident response, and breaches in which remote work was a factor cost more than $1 million more on average than those in which it was not. Such breaches (20% of those studied) cost an organization $4.69 million per incident.
How to Improve Cybersecurity for a Remote Work Environment
Although the data is concerning, organizations that prepare themselves with policies, procedures, and employee training can navigate the complexities of a remote work environment. The IBM Security report also cited ways in which organizations can improve their cybersecurity.
- Encryption, AI, and Analytics: Organizations using encryption, AI-based security tooling, and security analytics saved between $1.25 million and $1.49 million per incident. Encryption and security analytics are also key components of HIPAA compliance. Encryption is an “addressable” implementation specification under the HIPAA Security Rule; in HHS’s words, “The encryption implementation specification is addressable, and must therefore be implemented if, after a risk assessment, the entity has determined that the specification is a reasonable and appropriate safeguard in its risk management of the confidentiality, integrity, and availability of e-PHI. If the entity decides that the addressable implementation specification is not reasonable and appropriate, it must document that determination and implement an equivalent alternative measure, presuming that the alternative is reasonable and appropriate. If the standard can otherwise be met, the covered entity may choose not to implement the implementation specification or any equivalent alternative measure and document the rationale for this decision.” HIPAA’s audit controls standard also requires covered entities to record and examine activity in systems that hold ePHI, and the information system activity review requirement means reviewing those logs regularly so that each user’s normal access pattern is known and deviations from it stand out (in practice, security analytics).
- Incident Response Plan: organizations with a tested incident response plan in place cut their cost per incident by 54.9%. HIPAA also requires covered entities to implement security incident procedures for responding to security incidents, including data breaches. Those procedures must address how to identify a security incident; what specific actions constitute one; how, and to whom, incidents are reported; how incidents are documented and what the documentation must contain; and the response to be taken for a given type of incident.
- Zero-Trust Security Strategy: organizations that had adopted a zero-trust security strategy spent an average of $1.76 million less per incident. The NSA recommends adopting zero trust, stating, “The Zero Trust security model assumes that a breach is inevitable or has likely already occurred, so it constantly limits access to only what is needed and looks for anomalous or malicious activity.”
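As an added example (not code from the article, the IBM report, or HHS), here is the kind of “regular access pattern” review that the audit controls and activity review requirements above point toward, run over a constructed ePHI access log in Python. The JSON-lines format, the field names (ts, user, patient, action), the six-day window and the 3× volume threshold are all assumptions; a real EHR audit trail or SIEM export will differ. The script builds a per-user baseline (hours of activity, median daily event count and median distinct patients per day) from the first five days and then flags three situations on the review day: access at hours the user has never worked, a sweep through far more charts than usual, and activity from an account with no history at all.

```python
"""Baseline-and-deviation review of a constructed ePHI access audit log.

Added example, not from the original article. Log format, field names,
window sizes and thresholds are assumptions, not any vendor's schema.
"""
import json
import statistics
from collections import defaultdict
from datetime import date, datetime, timedelta

REVIEW_DAY = date(2021, 6, 6)   # assumption: days before this form the baseline


def _event(ts, user, patient, action):
    return json.dumps({"ts": ts.isoformat(), "user": user,
                       "patient": patient, "action": action})


def constructed_log():
    """Constructed JSON-lines audit trail (not real data)."""
    lines = []
    start = datetime(2021, 6, 1)
    for day in range(6):                      # five baseline days + review day
        d = start + timedelta(days=day)
        for i in range(20):                   # nurse_a: day shift 09-16h, ten regular patients
            lines.append(_event(d.replace(hour=9 + i % 8, minute=(5 * i) % 60),
                                "nurse_a", f"P{1000 + i % 10}", "view"))
        for i in range(15):                   # nurse_b: night shift 22-05h, eight regular patients
            lines.append(_event(d.replace(hour=(22 + i % 8) % 24, minute=3 * i),
                                "nurse_b", f"P{2000 + i % 8}", "view"))
    review = start + timedelta(days=5)
    for m in (10, 15, 20):                    # nurse_a at 02:xx: outside her baseline hours
        lines.append(_event(review.replace(hour=2, minute=m), "nurse_a", "P1003", "view"))
    for i in range(50):                       # nurse_b sweeps 50 unfamiliar charts in one hour
        lines.append(_event(review.replace(hour=23, minute=i), "nurse_b", f"P{3000 + i}", "view"))
    for m in (30, 45):                        # account with no prior activity at all
        lines.append(_event(review.replace(hour=14, minute=m), "contractor_x", "P1001", "view"))
    return lines


def parse_events(lines):
    """Parse JSON lines into dicts with a datetime 'ts'."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return events


def build_baseline(events, review_day):
    """Per-user profile from events strictly before review_day."""
    per_user_day = defaultdict(lambda: defaultdict(list))
    for e in events:
        if e["ts"].date() < review_day:
            per_user_day[e["user"]][e["ts"].date()].append(e)
    baseline = {}
    for user, days in per_user_day.items():
        baseline[user] = {
            "hours": {e["ts"].hour for evs in days.values() for e in evs},
            "median_events": statistics.median(len(evs) for evs in days.values()),
            "median_patients": statistics.median(
                len({e["patient"] for e in evs}) for evs in days.values()),
        }
    return baseline


def review_day_findings(events, baseline, review_day, volume_factor=3.0):
    """Compare each user's review-day activity with their baseline profile."""
    by_user = defaultdict(list)
    for e in events:
        if e["ts"].date() == review_day:
            by_user[e["user"]].append(e)
    findings = []
    for user, evs in sorted(by_user.items()):
        prof = baseline.get(user)
        if prof is None:                      # no history: cannot baseline, review manually
            findings.append({"user": user, "rule": "no_baseline",
                             "detail": f"{len(evs)} events from an account with no prior activity"})
            continue
        off = sorted({e["ts"].hour for e in evs} - prof["hours"])
        if off:                               # hours this user has never been active at
            n = sum(1 for e in evs if e["ts"].hour in off)
            findings.append({"user": user, "rule": "off_hours",
                             "detail": f"{n} events at hours {off}; baseline hours {sorted(prof['hours'])}"})
        patients = {e["patient"] for e in evs}
        if (len(evs) > volume_factor * prof["median_events"]
                or len(patients) > volume_factor * prof["median_patients"]):
            findings.append({"user": user, "rule": "volume_spike",
                             "detail": f"{len(evs)} events over {len(patients)} patients; "
                                       f"medians {prof['median_events']} / {prof['median_patients']}"})
    return findings


def demo():
    """Run the whole pipeline on the constructed log; returns (baseline, findings)."""
    events = parse_events(constructed_log())
    baseline = build_baseline(events, REVIEW_DAY)
    return baseline, review_day_findings(events, baseline, REVIEW_DAY)


if __name__ == "__main__":
    for f in demo()[1]:
        print(f"{f['user']:12s} {f['rule']:13s} {f['detail']}")
```

Each finding is something a reviewer must look at, not proof of wrongdoing: the night nurse who opened fifty charts may have been covering an emergency, and the 02:00 access may have been a legitimate call-in. What the review buys is exactly what the activity review requirement asks for: a documented, repeatable look at who touched ePHI and whether it matched their normal role, with deviations surfaced quickly rather than discovered months later.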
Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!
Would TBHI Telehealth Training Help You?
Basic Telehealth Legal Issues: Rules, Regulations & Risk Management
Bring your telehealth practice into legal compliance. Get up to date on interjurisdictional practice, privacy, HIPAA, referrals, risk management, duty to warn, duty to report, termination and much more!