Health care and insurance information is among the most valuable data to hackers. See how businesses can keep health information safe and secure.
The year of the data breach
2016 was a banner year for data breaches. Over the past year, 4,149 data breaches compromised more than 4.2 billion records worldwide, according to Risk Based Security (RBS) – and with recent global ransomware attacks like WannaCry and Petya, there’s no sign of slowing down. Wells Fargo, Brooks Brothers, Verizon and Anthem Blue Cross Blue Shield are among the major names that have been hit this year, according to IdentityForce, and it’s only expected to get worse through the remainder of 2017.
Health care and insurance information
Health care is one of the industries most vulnerable to ransomware attacks. This is hardly surprising, as health care records contain extremely valuable information, both personal and financial. While previous attacks targeted health insurers, 2017 has seen ransomware attacks expand to hospital networks and other parts of health care that tend to be more distributed and are therefore harder to secure consistently.
Even more damaging is the fact that hackers are able to target vulnerable institutions like hospitals because many of them fail to update their systems in a timely manner. Better safeguards and rapid-response procedures are not yet as common for sensitive health information held by health care systems, insurance providers or corporate HR as they are for financial data. Health care and benefits information, in the hands of the unscrupulous, can be used to file false insurance claims, or to order costly drugs and covered medical equipment for resale. These scams can take years to uncover, making health care data the gift that keeps on giving.
What’s a business to do?
All businesses, no matter their size, need to have policies and procedures in place that detail how benefits-related information is maintained and who has access to it. In-house IT systems must be kept updated to reduce the risk of an attack, and incident response teams should be formed to detect security incidents and act quickly to limit any damage. Furthermore, employees should be trained on basic security matters, from how to spot a phishing email and why not to reuse a single password across systems, to how to recognize and report a suspected data breach.
While businesses need to make sure that they practice sound security hygiene for their in-house systems (both physical and digital) and that their employees are security-aware, they also need to be vigilant about the external, cloud-based applications they use. By now, the productivity arguments for cloud-based systems have been pretty well established. They free up internal IT resources, enable employees to work from anywhere, lower capital expenditures and more. Because these service providers usually have security expertise and experience beyond what is typically present in businesses, especially smaller companies, cloud-based applications can also provide a more secure environment. This is especially critical if the cloud-based applications handle highly valuable benefits information.
Security checklist for benefits systems
Whether benefits and HR systems are managed and maintained in-house or by a cloud services provider, these items should be on a security checklist for all benefits applications.
Policies and procedures
Are background checks conducted on employees? Is regular security training required? There are a number of excellent online training programs available. Are clear rules in place for what employees can install and keep on their work computers, or websites they can and cannot visit?
Are regular employee password changes and complex password requirements enforced? Are passwords stored on company computers, or are they written down and kept on file? Do employees understand the dangers of reusing the same password? Do they rely on password management services?
There should also be controls in place for security, availability, confidentiality and privacy that are every bit as stringent as those applied to financial data. Whether in-house or cloud-based, any systems containing benefits-related data should be HIPAA compliant. Data should be encrypted both at rest and in transit using industry-standard protocols. Two-factor authentication should be required for access, and all uploaded data should be scanned for viruses and malware.
Systems should be continuously monitored, and data access and system changes tracked. Beyond monitoring, businesses should conduct regular security assessments such as vulnerability and penetration testing.
The simple truth is that there will never be such a thing as 100 percent information security. Hackers will always be coming up with new and worse ways to exploit systems and retrieve the sensitive data they’re after. But companies that arm themselves and their employees with the tools they need will significantly mitigate the risk of a breach and keep private health information safe.
David Reid has over 30 years of experience in the employee benefits and group insurance industry and was one of the earliest adopters of technology as an integral strategy for employers in the late 1990s.
Mr. Reid started his career as a group sales representative in 1986 with John Alden Life, and after a short period with Lincoln National Corporation, became a consultant and agent for Unison Benefits Management, a leading provider in the Minneapolis/St. Paul marketplace. It was here that Mr. Reid became Vice President in 2000 and a partner of Unison, Inc., cultivating over $5 million of annual revenue. Unison was eventually acquired by Arthur J. Gallagher of Gallagher Benefit Services Inc.
In 1999, Mr. Reid was among the first to venture into the world of online technology designed for employee benefits enrollment and communication, and in 2005 founded Apprize Technology Solutions (www.apprizetechnology.com) and served as President. Today, the company continues as a leader in providing online benefit enrollment solutions for brokers and employers by using industry leading enterprise software solutions.
In 2012, Mr. Reid co-founded EaseCentral (https://www.easecentral.com/) to create a small group solution that provides the robust eligibility management features previously limited to enterprise solutions used by large employers. After just three years, in 2015 EaseCentral was launched on the West Coast and is among the most widely adopted, fastest growing solutions for brokers and employers in the area, with over 22,000 employers and nearly 1 million employee users.
Throughout his career, Mr. Reid’s focus has been creating broker-centric solutions that are easy to use and practical to deploy. Having recently launched the industry’s first ‘real time’ EDI capability, EaseCentral is among the first enrollment solution programs that provide direct ‘real time’ carrier connectivity for groups as small as two employees.