Spring is here and Security Awareness is on the rise. Many companies take this time of year to review their current Data Security, Risk Management, and Regulatory Compliance status and look for ways to improve. This is a necessary step of proper Security Management. Things change, and we must routinely take time to review where we are, as well as where we need to go, in order to stay up to date. Although this post is directed toward Health Insurance Agencies, ALL businesses will benefit by taking this information to heart and doing their Security Due Diligence.
Recently a major Health Insurance Provider sent out a “Security Due Diligence Questionnaire” to all of its partners and vendors. If you work in the health insurance industry and received this notification, this request may have come to you as quite a shock. There are two different versions of this document, a long form and a short form. Many of you likely received the short form version, and although it’s only 3 pages long… it has some very daunting questions that require very specific attention to detail. Our security and compliance specialists here at ITNS Consulting have taken the opportunity to review this questionnaire in detail and here’s some important information you need to know:
- There are State and Federal Laws as well as many other regulatory compliance standards that govern the collection, use, notification, and disposal of Personally Identifiable Information (PII) and/or Protected Health Information (PHI).
- Examples of required compliance standards include the Gramm-Leach-Bliley Act, the Health Insurance Portability and Accountability Act (HIPAA), the Payment Card Industry Data Security Standard (PCI DSS), NIST, CIS, the ISO/IEC 27000 series (ISO27K), etc.
- The term “Compliance” essentially means adherence to the law. Private and public stakeholders expect that every company will conduct business in a way that complies with applicable standards as a civil responsibility.
- Every business, regardless of size… collects, manages, manipulates, and stores Personally Identifiable Information (PII) from its customers, partners, and vendors. That means that every business, regardless of size, has the inherent responsibility (even under law) to guard the data that it collects, manages and stores from others.
Now that we’ve defined the common ground as it pertains to the law, data security, and regulatory compliance, here are the most basic requirements that create a standardized security baseline applicable to all businesses:
Data Management, Access, and Accountability
| Questionnaire item | Our guidance |
|---|---|
| Has your company implemented procedures and security controls designed to comply with protection of PII/PHI as required by privacy and security standards? | Nearly all privacy and security standards require that businesses implement standardized Security Policies, Processes, and Procedures designed to protect PII/PHI. A comprehensive list of standard data security policies can be found here: Policy Management. |
| Is PII/PHI data access monitored, logged, and tracked? Please explain. | Yes, PII/PHI data access should be monitored, logged, and tracked. However, in order to perform this task effectively and efficiently, specialized Security Information and Event Management (SIEM) software is required, along with personnel trained to respond to the alerts that the SIEM system generates. |
| Please explain the physical safeguards around workstations where PII/PHI is stored, accessed, transmitted or processed. | It’s important to maintain physical security of your network environment at all times, as physical access provides a pathway to the “keys to the kingdom”. This includes preventing “shoulder surfing” and other social engineering tactics used to gather confidential information. Data Loss Prevention (DLP) measures should also be implemented to ensure confidential information does not intentionally or accidentally leave the environment without someone being held accountable. |
| Does your company have written internal policies or guidelines for the safe handling and protection of data? | Every business should have a Data Classification Policy that details how data is classified and stored. In addition, there should be a Data Access Policy detailing “who” should have access to the data, the security measures applied to protect the data, and the method by which access to the data is tracked and audited. Finally, there should be a Data Retention and Secure Data Destruction Policy that details how long confidential data is retained and, once it is no longer needed, how that data will be securely destroyed. |
| Does your company have a Cyber Insurance Policy? | Cyber Insurance picks up where your General Business Liability and Errors and Omissions insurance leave off. Cyber Insurance has become very important, as neither of the other two policies is designed to protect your business in the event of a Data Breach involving loss of, or unauthorized access to, PII/PHI data. We recommend that all businesses carry Cyber Insurance in addition to their other insurance. However, the business must also be able to prove its security due diligence, or any potential cyber insurance claim may be rejected. |
| Has your company experienced any reportable breaches of sensitive/confidential information in the last two years? | Unless the breach was blatantly obvious, how would you ever really know for sure? When was the last time you had a Vulnerability Assessment performed on your environment? You may want to get one done before answering this question (or for your own sanity), as your business may have already experienced a security breach and you’re just not aware of it. Worse yet, someone could be rooting around in your systems right now. Be sure to read this article if you want to know what’s worse than getting hacked. |
| Do your written contracts with relevant third parties require them to adequately protect the privacy and security of all confidential information they may gain access to during the partnership? | Most businesses employ a variety of services from 3rd party vendors. Examples include Managed IT and Desktop Support Services, Managed Copy/Print Services, Document Shredding Services, Managed Phone Services, and even Temporary Staffing. It’s extremely important that these service providers not only maintain the security and privacy of your data, but also follow well-documented, standardized security processes, procedures, and protocols in their own business environments. Written contracts between your business and these providers should clearly reflect this. |
| Are Incident Response Procedures documented? | Incident Response is designed to provide step-by-step guidance for what to do, and who to contact, when an incident happens. These plans cover incident topics from the most minute issues, such as “What to do if a user receives a Phishing Email”, up to and including how a full-scale Active Data Breach is handled. |
| Do you perform background checks for personnel who are entrusted with sensitive information or granted access to sensitive systems? | Performing background checks on all personnel should be a standard step in your hiring process. Engaging a 3rd party vendor should also include a background check. |
| Describe your procedures for protecting physical records that contain sensitive PII/PHI data (i.e., Locking Cabinets, Key Card Access, Clean Desk Policy, etc.). | Documents should never be left lying around on desks or easily accessible in other areas of the office. Desks should be cleared of all documents when left unattended, even for only a few minutes. Documents in other areas should always be locked in cabinets and/or file drawers. Clean Desk Policies cover this exact topic. |
| Are complex passwords required (i.e., at least 8 characters including alpha, numeric and symbols)? | This is an extremely old standard that needs to be updated. An 8-character password can be cracked in a matter of minutes to a few hours. We recommend using at least a 16-character password that follows all modern password complexity requirements. However, you should never rely on passwords alone. Instead, you should employ Multi-Factor Authentication (MFA/2FA) in addition to passwords whenever possible. Also, use a secure password manager to help keep track of your passwords. |
| Do you outsource the configuration or maintenance of your network, or other information technology services? | Most businesses employ 3rd party IT vendors for this purpose. It’s imperative that you have a signed Confidentiality and Non-Disclosure Agreement with these entities. These providers should also be able to prove that they have similar agreements with their own personnel. In addition, here are 10 Cybersecurity Questions You Should Be Asking Your IT Vendor. |
| Please explain your company’s use of firewalls to restrict traffic into and out of your network. | Properly configured hardware and software firewalls are necessary components of every business network. Firewalls and other network devices should only be configured by qualified personnel. Firewall rules must also be clearly documented. This includes the applications, devices and/or IP addresses allowed, the ports used, the protocol used, and the exact purpose of each firewall rule. |
| Do you use Google Cloud, Amazon Web Services, Microsoft Office 365, or a similar outsourced virtual-machine-based data center? | Regardless of the hype promoting Cloud Services, the “Cloud” will never be as private or secure as an On-Premises solution. Businesses that have opted to move their data to the Cloud must take additional precautions by subscribing to add-on services in order to even begin to properly secure their data. Data containing PII/PHI should NEVER reside in a Cloud storage solution unless that data is properly encrypted. |
| Please explain any encryption used to protect data or systems. | Encryption is the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot. All data that includes PII/PHI is considered confidential and must be properly encrypted while in transit, at rest, and in use. |
| Please explain your protections for malware and antivirus. | Antivirus and Antimalware software solutions are just one of many layers required to achieve proper data security. Every compliance and security standard requires that computers have up-to-date Antivirus and Antimalware software installed, and that the software remain fully operational at all times. In addition, the software should be managed and monitored so that security and privacy incidents are actioned by qualified personnel. Antivirus and Antimalware software is not perfect by any means and should only be viewed as a first line of defense. |
| Please explain any vulnerability scanning tools used to scan systems and networks for vulnerabilities and how often scanning is performed. | “Without independent auditing and testing, it’s impossible to know where your company’s vulnerabilities are.” Even as businesses get smarter about protecting their data and their customers’ privacy, cyber criminals continue to find new ways to gain access. Even with sophisticated security systems, businesses are still vulnerable to attack. Every organization needs frequent Vulnerability Assessments in order to identify its security issues and correct them. Assessments should always be performed by a qualified security professional who is not responsible for configuring, managing, monitoring, or maintaining the business’s network environment. |
| Please explain the remediation plan if vulnerabilities are found. | After performing a Vulnerability Assessment, it’s important to consult with the security professional who performed the audit in order to properly prioritize correction of the issues identified by the assessment. Once the issues have been corrected, a follow-up assessment should be performed on these items to ensure they were properly remediated. |
| Please explain how patches for operating systems and other network peripherals (Routers, Switches, Wireless Access Points, etc.) are managed and how frequently these systems are updated. | Updating and patching operating systems and network peripherals is extremely important. New security vulnerabilities are identified quite often, and these vulnerabilities put your business at risk if left unpatched. It’s recommended that patches for operating systems and network peripherals be checked and installed at least monthly, or more often if a critical vulnerability has been identified that needs to be addressed immediately. |
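The firewall question above says every rule must be documented with the application or devices/IP addresses allowed, the ports, the protocol, and the exact purpose. The following script is an added example, not ITNS Consulting's code and not part of the questionnaire: it audits a rule inventory against that documentation requirement and also flags the two scoping problems an assessor looks for first (an "any/any" rule and a rule open to any source address). The rule fields, the `owner` column and the sample rules are constructed assumptions; a real inventory would be exported from the firewall or maintained as a CSV beside its configuration.

```python
"""Firewall rule documentation audit (added example; constructed rule format and samples)."""
from ipaddress import ip_network

# Assumed documentation fields every rule must carry, mirroring the guidance above
# (application/devices/IP addresses, ports, protocol, purpose) plus an accountable owner.
REQUIRED = ("name", "source", "destination", "protocol", "ports", "purpose", "owner")

# Constructed sample inventory, as it might look after exporting a rule base to dicts.
SAMPLE_RULES = [
    {"name": "allow-https-out", "source": "10.10.0.0/16", "destination": "0.0.0.0/0",
     "protocol": "tcp", "ports": "443", "purpose": "Workstation web access", "owner": "IT"},
    {"name": "allow-any", "source": "0.0.0.0/0", "destination": "10.10.5.20/32",
     "protocol": "any", "ports": "any", "purpose": "", "owner": ""},
    {"name": "rdp-vendor", "source": "203.0.113.0/24", "destination": "10.10.5.0/24",
     "protocol": "tcp", "ports": "3389", "purpose": "Vendor remote support"},
]


def check_rule(rule):
    """Return the list of findings for one rule; an empty list means it is documented and scoped."""
    findings = []
    # 1. Documentation completeness: every required field must be present and non-blank.
    for field in REQUIRED:
        if not str(rule.get(field, "")).strip():
            findings.append(f"missing field '{field}'")
    # 2. "any/any" rules: protocol and ports both unrestricted.
    if (str(rule.get("protocol", "")).lower() == "any"
            and str(rule.get("ports", "")).lower() == "any"):
        findings.append("protocol and ports both unrestricted")
    # 3. Address scoping: source/destination must be valid CIDRs, and a source of
    #    0.0.0.0/0 admits traffic from anywhere and deserves explicit justification.
    for side in ("source", "destination"):
        value = str(rule.get(side, ""))
        try:
            net = ip_network(value, strict=False)
        except ValueError:
            if value:
                findings.append(f"{side} '{value}' is not a valid CIDR")
            continue
        if side == "source" and net.prefixlen == 0:
            findings.append("source is 0.0.0.0/0 (allows any address)")
    return findings


def audit(rules):
    """Map rule name -> findings, for rules that have at least one finding."""
    report = {}
    for rule in rules:
        findings = check_rule(rule)
        if findings:
            report[rule.get("name", "<unnamed>")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_RULES).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run as-is it reports `allow-any` (two blank documentation fields, any/any, open source) and `rdp-vendor` (no owner) and stays silent on the fully documented outbound HTTPS rule. Feeding it the real rule base turns "firewall rules must be clearly documented" into a repeatable check rather than a one-time review.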
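The question on whether PII/PHI access is "monitored, logged, and tracked" is answered above with a SIEM plus trained responders. To make concrete what the SIEM is actually doing, here is an added example (not the post's code, not any vendor's product) that reads PHI access audit lines and raises three kinds of alert a reviewer would expect: an action a role is not permitted to perform, access outside business hours, and one user touching an unusual number of distinct records. The log line format, the role-to-action matrix, the business-hours window, the bulk threshold and the sample lines are all constructed assumptions.

```python
"""PHI access log monitor (added example; constructed log format, roles, thresholds and data)."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Assumed audit line format: ISO timestamp, then key=value pairs.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) src=(?P<src>\S+)$"
)
# Assumed role-to-action matrix: which actions each role may perform on PHI records.
ALLOWED = {"clinician": {"view", "update"}, "billing": {"view"}, "analyst": {"export"}}
BUSINESS_HOURS = range(7, 19)   # 07:00-18:59 UTC (assumed)
BULK_THRESHOLD = 3              # distinct records per user before flagging (assumed)

# Constructed sample log: one role violation, one after-hours access, one bulk reader.
SAMPLE_LOG = """\
2024-03-04T09:13:45Z user=asmith role=clinician action=view record=PT-10293 src=10.10.3.7
2024-03-04T09:14:02Z user=asmith role=clinician action=update record=PT-10293 src=10.10.3.7
2024-03-04T10:02:11Z user=jdoe role=billing action=export record=PT-20011 src=10.10.4.21
2024-03-04T02:45:09Z user=tlee role=clinician action=view record=PT-30944 src=10.10.3.40
2024-03-04T11:00:00Z user=bkim role=billing action=view record=PT-40001 src=10.10.4.5
2024-03-04T11:00:03Z user=bkim role=billing action=view record=PT-40002 src=10.10.4.5
2024-03-04T11:00:06Z user=bkim role=billing action=view record=PT-40003 src=10.10.4.5
2024-03-04T11:00:09Z user=bkim role=billing action=view record=PT-40004 src=10.10.4.5
"""


def parse_line(line):
    """Parse one audit line into a dict, or return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev


def analyze(text):
    """Return a list of (alert_kind, detail) tuples for the given log text."""
    alerts = []
    records_by_user = defaultdict(set)
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            if line.strip():
                # Unparseable lines are themselves worth a look: tampering or a format change.
                alerts.append(("UNPARSED", line.strip()))
            continue
        if ev["action"] not in ALLOWED.get(ev["role"], set()):
            alerts.append(("ROLE_VIOLATION",
                           f"{ev['user']} ({ev['role']}) did {ev['action']} on {ev['record']}"))
        if ev["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("AFTER_HOURS",
                           f"{ev['user']} accessed {ev['record']} at {ev['ts'].isoformat()}"))
        records_by_user[ev["user"]].add(ev["record"])
    # Volume check runs once the whole window has been read.
    for user, recs in records_by_user.items():
        if len(recs) > BULK_THRESHOLD:
            alerts.append(("BULK_ACCESS", f"{user} touched {len(recs)} distinct records"))
    return alerts


if __name__ == "__main__":
    for kind, detail in analyze(SAMPLE_LOG):
        print(f"{kind:15} {detail}")
```

Each alert is something a trained person must triage, which is the point the guidance makes: the tooling produces the signal, but without someone responsible for acting on a role violation or an after-hours read, the logging requirement is only half met.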
All of this may seem like a lot, but in reality it’s only the beginning of what’s necessary to create a solid business security program. Our hope in sharing this content is that we’ve shed some light on what these questions mean and what’s necessary to fulfill those basic requirements. But don’t worry or get frustrated, we’re here to help.
We realize the deep concepts involved with implementing proper Data Security and achieving Regulatory Compliance can seem overwhelming to most people. That’s the exact reason why we made Security and Compliance Management the very core of our business. We can make it easy, so you can get back to doing what you do best… running your business.
Every business shares the responsibility to protect and secure the data that’s been entrusted to it. So, let’s work together and do what’s necessary to protect our consumers’ privacy. After all, we’re all consumers in one way or another.