4 Ways Benefits Administrations Can Stop Cyberattacks

Original Post from BenefitsPro.com

By: Tom Pohl

There are reports of data breaches in the news every week, impacting a range of organizations and industries. These cyberattacks are costing businesses, both large and small, a great deal to resolve — from financial expenses to IT and legal resources to reputation recovery efforts.

According to a new study by the Ponemon Institute, data breaches are costing the health care industry $6.2 billion annually. Nearly 90 percent of health care organizations were victims of a breach in the last two years, raising concern for patients, employees, and others involved in the health care system.

Today, the leading cause of health care data breaches is targeted criminal attacks that seek to place valuable personal information into the hands of malicious actors. The personal information given out to health care organizations can be some of the most valuable to cybercriminals. For example, when enrolling in benefits, the information submitted can include patient names, family history, Social Security numbers, and billing information.

It’s important to also note that not all breaches are malicious. Human error is often a cause of breaches, as CompTIA’s International Trends in Cybersecurity report found that 58 percent of security breaches are typically due to human error.

So what can benefits administration technology providers do to keep sensitive data secure from human error and malicious threats?

Conduct extensive user testing on your security systems

Implementing user testing through a third-party vendor allows benefits administration technology providers to discover gaps or holes in their security systems. This can be done via a user testing group, which is composed of individuals trained to discover the predominant methods that cybercriminals would abuse to compromise web-based applications.

The group is given a platform with authorized access and fake scenarios, all set up to act as if the system was running as usual. As these experts go into the system and know what areas to try and hack, the organization is able to develop plans to combat or repair these issues. User testing is similar to proofreading a paper; getting a second set of eyes on a program allows companies to see the full risks of its security system.

Educate employees on cyberthreats

As data breaches become a daily concern for IT departments, educating employees on the risks and dangers of cyberattacks becomes even more of a priority. Benefits administration technology providers need to prioritize educational resources and programs to teach employees how to spot potential cyberattacks, especially as they are handling their customers’ private information.

An effective and simple way to train employees to spot strange activity is an email phishing awareness campaign. This involves delivering emails to employees with mocked-up links or downloadable materials that, if real, would have the potential to open users’ accounts up to cyberattacks. Organizations should also consistently remind their employees to report any suspicious activity and to change their passwords regularly for a more secure system.

Automate processes to reduce the risk of human error

Recently, Google was in the news for a data breach suffered via its benefits provider. Yet the reason for this incident was human error: an email sender accidentally sent a document to the wrong contact. Fortunately for Google, the damage was limited, but human error is not always so forgiving.

With automation, benefits administration technology providers have the ability to decrease the chances of sensitive information getting into the wrong hands. This can be done by sending dummy files before sending the actual files to contacts. Another option is to implement triggers on email accounts when certain information is involved. For example, if a file is attached to the email, prompt the sender to confirm it is the correct file before sending. Implementing automation is a key factor in combatting human errors that could increase the risk of a cyberattack, especially when it comes to personal data.

Beware of the insider threat

While public perception is that these attacks result solely from the actions of malicious hackers outside of an organization, insider threats are a growing and serious concern. Vormetric’s 2015 Insider Threat Report reveals that over 90 percent of U.S. organizations believe they are vulnerable to insider threats such as stolen passwords or email spam. In fact, the National Association of Manufacturers released a statement in April 2016 stating the theft of trade secrets has cost businesses $250 billion per year.

Benefits administration technology providers may want to go a step further to ensure employees are operating in the correct space. Requiring background checks and limiting access to sensitive data will provide an extra level of security for patients’, employees’, and others’ personal information.

Keep Employee Data Safe

Original post from benefitspro.com

When a cyber breach occurs, lawsuits are usually not far behind. It’s a chain of events that has become de rigueur in the consumer realm when retailers experience a breach and it is bleeding over into the workplace, too.

Employees whose data is exposed are increasingly pointing the finger at failings in the technology employers use to secure their information and lapses in protocols that allow vulnerabilities to be exploited.

Who is responsible if your employees’ personal information is stolen on company time? Where do the company’s obligations begin and end under the duty of care laws? How might state and federal breach regulations impact an organization’s proactive and reactive data security efforts?

How a breach happens and how the company responds both play a major role in determining the potential legal ramifications. To mitigate the risks, it is critical for HR professionals to understand their responsibilities before a cyber criminal strikes.

Many employers aren’t even aware of either the enormous security risks their organizations face or the best strategies to protect the employee data they hold.

Ensuring that employers have access to the right tools and expertise to address data breach concerns is an important role for benefits managers and the brokers and agents who support them.

Know the risks, have a plan

Financial information is what comes to mind most frequently when businesses consider where breach risks exist, but that thinking is too narrow. It overlooks the incredible value inherent in employee data. Not only does financial information lurk within HR’s employment records in the form of salary histories and bank routing numbers used for automatic deposits, but standard consumer data is also present.

Full names, birth dates, addresses and Social Security numbers exist in every employee’s file. Health and benefit data may be present, too, such as carrier names, subscriber numbers, or details on beneficiaries and dependents. And where there’s smoke, there’s fire. The same servers and systems that host employee and customer data likely hold data pertaining to trade secrets, M&As, business plans, and more. All the more reason to get your company’s cyber strategy in gear.

Adding complexity to the situation is the fact that employers must be concerned with two types of data breaches — those that are the result of a purposeful act, such as a hacker or a malicious insider, and those that occur by accident. Lost laptops and cell phones are just one common example where an inadvertent exposure could easily happen.

Each flavor of breach represents a different risk profile and each requires its own mitigation measures. A two-pronged approach to breach prevention that marries technology and best practices enables employers to address any existing security gaps while also providing improved protection for employee data.

Deploying technology tools to safeguard sensitive information assets is one part of a comprehensive data security strategy that keeps employers in line with duty of care laws and other breach regulations.

Firms have a range of solutions to choose from and they should tailor their approach based on their network and infrastructure architecture, the information types that are vulnerable to exposure, the volume of data that must be protected, resource availability — from funding to staffing — and any regulatory guidelines or compliance mandates that must be considered.

Encryption is a perfect example of a technology that is relatively simple, but still enormously effective when it comes to securing employee data. Free and low-cost encryption platforms are available which can help to protect confidential information from unauthorized access even if a hardware item (thumb drive, laptop, etc.) falls into the wrong hands.

Other technology tools may also be appropriate depending on the employer’s needs, including firewalls, mobile device management software, and multi-factor authentication to protect access to more sensitive systems.

Security best practices are the second half of a successful data protection strategy. These protocols largely deal with the ways humans interact with the organization’s information, and they also cover what to do in the event of a breach. Employers will want to manage network and data access in a way that limits who is able to view and change employee information.

Methodologies for storing, processing, analyzing, archiving, and destroying employee data should be documented in detail and anyone responsible for those tasks must be trained on the organization’s security practices.

An incident response plan is another best practice employers should include under the data security umbrella. This doesn’t need to be an exhaustive plan, but it should outline the steps employees are to take if they suspect a breach has occurred — everything from blocking access to compromised servers to contacting the company’s privacy or information security employee or consultant. (Don’t have one? Here’s why you should.)

A strong plan can significantly limit the potential harm that is likely to fall upon any employee whose data was exposed. And as risks evolve, so should the incident response plan – it should be a living, breathing part of a comprehensive cyber strategy with routine reviews.

Retain the right expertise

Another concern often faced by employers, particularly those smaller organizations where internal resources are lean, is that they don’t have good insight into the evolving cyber threat environment and the latest data protection strategies.

Efforts to craft, deploy, and maintain an effective privacy and security program are made more difficult when industry expertise is lacking. Without a strong understanding of where security vulnerabilities exist, or which new threat vectors are likely to be of concern, employers could find themselves directing their limited resources in too many directions and without much effect.

Because many breach scenarios involve little or no technology — hard copies of completed enrollment forms accidentally left in a shared conference room, for example — simply turning responsibility for data privacy over to the IT function isn’t going to work. It’s important that employers are able to seek guidance from someone experienced in data protection in all its forms.

Continuously educate the front line

Employees themselves may pose potential security challenges, so continuous training is essential to protect a company’s own data and that of its customers. Companies should consider implementing educational sessions about new scams and privacy and security refreshers as part of their annual compliance training.

By partnering with employees to help protect their data, the organization can maximize its technology investment and ensure that everyone is committed to the company’s culture of security.

Social engineering schemes are increasingly popular among hackers, effectively turning the workforce into either an employer’s first line of defense or its greatest weakness.

The most recent spoof comes courtesy of a company’s top executive — or so the scammer wants you to think. An employee will receive a request from the CEO — either by way of a hacked email account or an email address that closely resembles the real thing — to cough up documents, usually W-2s. With a few clicks, a large amount of data about a company’s employees has been exposed.

Rather than quickly react, employees should be trained that if they see something, say something.

Identity management

Along with taking appropriate security measures internally, employers may also consider offering identity-related benefits to their employees. These packages bring a powerful suite of tools to the table that provide workers with proactive education and reactive support. Informational resources teach individuals how to spot corrupt websites and suspicious e-mail links.

They give details on what to look for when conducting annual credit report reviews. And workers concerned their personal data may have been exposed — whether at work or through a health care provider, retailer or other avenue — have access to identity theft experts able to help them navigate the resolution process.

The fraud team can assist them in replacing important documents that may have been lost due to theft, fire or flood. They can even monitor known black market websites to see if an employee’s stolen data is being used fraudulently.

Together, these strategies give employers a way to keep employees’ information safe while providing workers with assurances that they’ll have the support they need if the worst should happen.

Employer FAQs: Responding to the Anthem Breach

Originally posted February 9, 2015 by The National Law Review - National Law Forum LLC.

The first massive data breach of 2015 hit one of the country’s largest insurance issuers, Anthem, Inc., including Anthem Blue Cross and Blue Shield and other related entities (Anthem). The incident reportedly affected over 80 million persons who are or were covered under a policy or program insured or serviced by Anthem. The personal note from Anthem's CEO, Joseph R. Swedish, and the Anthem Facts (or FAQs) seek to provide helpful information to the millions of individuals affected. These communications address what is known about the incident, describe the kinds of information compromised, warn affected persons about potential email attacks, and advise that there is more information coming.

But there is not much information at this point for employers that are plan sponsors of group health plans and other welfare plans serviced by Anthem either as an insurance issuer or a third party claims administrator (TPA). Below are some FAQs about the Anthem breach for affected employers.

Isn't this really Anthem's problem?

From a legal compliance standpoint, the answer largely depends on whether the plan is insured or self-funded. For example, as discussed below, in the case of a self-funded group health plan, the HIPAA breach notification rules place the obligation to notify affected persons on the covered entity (i.e., the plan, and practically the plan sponsor) and not on the business associate (i.e., the TPA). However, contract obligations in the business associate agreement (or administrative services only agreement) have to be considered. Finally, as a practical matter, because employees and other persons covered under the plan(s) will be concerned and have questions, employers will need to have a strategy for addressing those concerns.

Is the information involved subject to HIPAA, given that the Anthem FAQs say Anthem does not believe diagnosis or treatment information was compromised?

According to the Anthem FAQs:

the member data accessed included names, dates of birth, member ID/ social security numbers, addresses, phone numbers, email addresses and employment information...[but its] investigation to date indicates there was no diagnosis or treatment data exposed.

Many maintain the mistaken belief that, in the case of a group health plan, a covered person’s name and Social Security number, alone, are not “protected health information” (PHI) under the privacy regulations issued under the Health Insurance Portability and Accountability Act (HIPAA). The absence of diagnosis or treatment data does not make information any less PHI. This is because the regulatory definition includes not only information about a person’s physical or mental health condition, but also how care is paid for and provided. Thus, data elements that relate to the payment or provision of health care, such as address and email address, can constitute PHI even if they are not as sensitive as a covered person’s diagnosis information.

What about the state breach notification laws? Do they apply?

The Anthem breach involves personal information of individuals, such as names, member ID/Social Security numbers and other data, the kind of information protected by state breach notification laws, which currently exist in 47 states. Given the massive scale of the breach, it is likely that there are affected individuals residing in all 50 states and beyond.

Some of those state laws have exceptions when HIPAA or other federal regulations apply. Some do not. According to the Anthem FAQs, all product lines have been affected, not just health insurance (medical, dental and vision). This includes life, disability, workers’ compensation and other policies and products which typically are not subject to HIPAA. Thus, regardless of the Anthem policy or product at issue, the applicable state laws will need to be considered to determine whether they apply in this case.

Our plan is/was insured by Anthem; what should we be doing?

Under HIPAA, both the employer’s group health plan under ERISA and the health insurance issuer that provides the insurance for that ERISA plan are covered entities under HIPAA. Covered entities have the primary breach notification obligations. Under state breach notification laws, the primary notification obligation generally falls on the entity that owns or licenses the data, not necessarily the entity that held the data at the time of the incident. However, in the case of a breach experienced by an insurer, and not the employer sponsoring the plan, the insurer generally is considered to be responsible for responding to the breach. Even if not entirely clear in the applicable statutes or regulations, this makes practical sense because the carrier is in control of the investigation and the facts, and usually is in the best position to work with law enforcement. Carriers can typically disseminate notifications more efficiently across the affected policies, as well as to federal and state agencies, and the media.

To date, Anthem appears to be taking the lead on the investigation and notifying affected persons. For example, its FAQs inform members that they can expect to “receive notice via mail which will advise them of the protections being offered to them as well as any next steps”. Because this incident affects both HIPAA-covered and non-HIPAA plans, it is likely the notices will address the applicable HIPAA and state law requirements.

Still, there are some action items for affected employers to consider:

  • Stay informed. Closely follow the developments reported by Anthem, including coordinating with your benefits broker who might have additional information.

  • Consult with counsel. Experienced counsel can help employers properly identify their obligations and coordinate with Anthem as needed.

  • Communicate with employees. Be prepared to respond to employee questions – consider providing a short summary of the incident to employees along with links to the Anthem materials and FAQs.

  • Evaluate vendors. Use this incident as a reason to examine more closely the data privacy and security practices of all third party vendors that handle the personal information of your employees and customers, including insurance companies. Of course, a data breach is generally not a reason, by itself, to switch vendors. With breaches of all sizes affecting many companies, there is no telling whether the grass will be greener. But making inquiries and pressing vendors to do more, including by contract, is a prudent course of action, and even required in some states.

  • Revisit your own data security compliance measures. Employers should take this as an opportunity to assess or reassess their own data security compliance measures. As many have noted, it is not just large companies that are vulnerable to these kinds of attacks.

Our plan is/was self-insured and Anthem was our TPA; what should we be doing?

In this case, whether the plan is a health plan covered by HIPAA or another employee welfare benefit, as TPA, Anthem maintains the personal information of covered persons on behalf of the employer. In that case, Anthem’s legal obligations under HIPAA and state law, as applicable, generally require only that it notify the employer concerning the circumstances of the breach – how it happened, the kind of information breached, who was affected, etc. Then it is up to the employer/covered entity to carry out an appropriate investigation, provide notice to affected persons and otherwise comply with the applicable federal and state laws. However, administrative services agreements and, in the case of health plans, business associate agreements may delegate some of these responsibilities to the TPA, as well as indemnification obligations. So, in addition to some of the steps listed above, employers have a number of things to consider and steps to take:

  • Determine if plans have been affected. Employers might soon be receiving communications from Anthem concerning whether their plans have been affected. They also may want to reach out to Anthem and inquire.
  • Act quickly. HIPAA and state breach notification laws generally require that notices be provided without unreasonable delay, as well as place outside limits on when such notices can be provided – e.g., 60 days following discovery under HIPAA, and 30 days in Florida.
  • Examine the administrative services agreement and/or business associate agreement. For plans that have been affected, employers need to review the related agreements, as they could place certain obligations on either the employer or Anthem. The agreements also could be silent, in which case the plan/employer likely has the obligations to notify participants, agencies and media.
  • If Anthem is responsible for responding, employers should consider taking certain steps to ensure Anthem’s reaction is compliant – e.g., has it protected data from further attacks, completed the investigation, identified all affected persons, crafted content-compliant notifications (HIPAA and some state laws have specific content requirements), and notified the applicable federal and state agencies.
  • If the employer retained the responsibility to respond, it should be taking steps immediately to determine what happened and coordinate with Anthem concerning the response. This includes some of the steps listed above. For instance, in the case of group health plans under HIPAA, employers will need to confirm with Anthem whether Anthem or the employer/group health plan will be notifying the Department of Health and Human Services. Also, employers that have developed a data breach response plan (a good idea for all employers) should review that plan and follow it.

However, as a practical matter and regardless of what is in the services agreement, Anthem may decide to take the lead on the response, and not give employers much choice in shaping the communications made to persons covered under the plans.

  • Communicate with covered persons. If it turns out that the employer will be notifying plan participants, in addition to the notification letters referred to above, employers also need to be prepared to address participant questions about the incident. Designating certain individuals or outside vendors to handle these questions and creating a script of anticipated questions and answers would facilitate a consistent and controlled response.

  • Evaluate insurance protections. Some employers may have purchased “cyber” or “breach response” insurance which could cover some of the costs related to responding to the breach or defending litigation that may follow. Employers should review their policy(ies) with their brokers to understand the potential coverage and what steps, if any, they need to take to confirm coverage.

  • Document steps taken. Employers should document the steps they take to investigate and respond to the incident, particularly if it affects one of their group health plans covered by HIPAA.

Some employees have complained about our data security practices; how should we respond?

Take them seriously! Data security has been recognized at the federal, state and local levels as an important public policy concern, most recently by President Obama at the recent State of the Union Address. Disciplining or taking adverse action against an employee who has raised these concerns could expose the employer to retaliation claims or violations of employee whistleblower protections.