Health care and insurance information is among the most valuable data to hackers. See how businesses can keep health information safe and secure.
The year of the data breach
2016 was a banner year for data breaches. Over the past year, 4,149 data breaches compromised more than 4.2 billion records worldwide, according to Risk Based Security (RBS) – and with recent global ransomware attacks like WannaCry and Petya, there's no sign of slowing down. Wells Fargo, Brooks Brothers, Verizon and Anthem Blue Cross Blue Shield are among the major names that have been hit this year, according to IdentityForce, and it's only expected to get worse through the remainder of 2017.
Health care and insurance information
Health care is one of the industries most vulnerable to ransomware attacks. This is hardly surprising, as health care records contain extremely valuable information, both personal and financial. While previous attacks targeted health insurers, 2017 has seen ransomware attacks expand to hospital networks and other parts of health care that tend to be more distributed and are therefore harder to secure.
Even more damaging is the fact that hackers are able to target vulnerable institutions like hospitals because many of them fail to update their systems in a timely manner. Better safeguards and rapid-response procedures are not yet as common for sensitive health information maintained by health care systems, insurance providers or corporate HR. Health care and benefits information, in the hands of the unscrupulous, can be used to file false insurance claims, or to order costly drugs and covered medical equipment for resale. These scams can take years to uncover, making health care data the gift that keeps on giving.
What's a business to do?
All businesses, no matter their size, need to have policies and procedures in place that detail how benefits-related information is maintained and who has access to it. In-house IT systems must be kept up to date to reduce the risk of an attack, and incident response teams should be formed to detect security incidents and act quickly to limit any damage. Furthermore, employees should be trained on basic security matters – from how to spot a phishing email and why not to reuse a single password across systems, to how to recognize and report a suspected data breach.
While businesses need to make sure that they practice sound security hygiene for their in-house systems (both physical and digital) and that their employees are security-aware, they also need to be vigilant about the external, cloud-based applications they use. By now, the productivity arguments for cloud-based systems have been pretty well established: they free up internal IT resources, enable employees to work from anywhere, lower capital expenditures and more. Because these service providers typically have security expertise and experience beyond what is present in most businesses, especially smaller companies, cloud-based applications can also provide a more secure environment. This is especially critical if the cloud-based applications handle highly valuable benefits information.
Security checklist for benefits systems
Whether benefits and HR systems are managed and maintained in-house or by a cloud services provider, these items should be on a security checklist for all benefits applications.
Policies and procedures
Are background checks conducted on employees? Is regular security training required? There are a number of excellent online training programs available. Are clear rules in place for what employees can install and keep on their work computers, and for which websites they can and cannot visit?
Are regular employee password changes and complex password requirements enforced? Are passwords stored on company computers, or are they written down and kept on file? Do employees understand the dangers of reusing the same password? Do they rely on password management services?
There should also be controls in place for security, availability, confidentiality and privacy that are every bit as stringent as those applied to financial data. Whether in-house or cloud-based, any systems containing benefits-related data should be HIPAA compliant. Data should be encrypted both at rest and in transit using industry-standard protocols. Two-factor authentication should be required for access, and all uploaded data should be scanned for viruses and malware.
Systems should be continuously monitored, and data access and system changes tracked. Beyond monitoring, businesses should conduct regular security assessments such as vulnerability and penetration testing.
The simple truth is that there will never be such a thing as 100 percent information security. Hackers will always be coming up with new and worse ways to exploit systems and retrieve the sensitive data they're after. But companies that arm themselves and their employees with the tools they need will significantly mitigate the risk of a breach and keep private health information safe.