Take extra measures to safeguard employee data from a cyber breach when administering health plans.
More and more employers are opting to self-insure to gain greater control over their employee benefits costs. Along with the benefits of a self-insured plan comes the additional risk and responsibility of adequately protecting the health information of their employees, which is exactly the kind of data attackers look for: it is hard to change, easy to monetize, and subject to strict breach-notification duties once exposed.
“Self-insured plans are a key benefits strategy that many companies leverage today to control benefit costs,” said John Farley, vice president and practice leader for HUB International’s Cyber Risk Management Services. “But, it’s imperative that you understand your legal obligations if you experience a data breach that involves the protected health information of your employees.”
Under the HIPAA Breach Notification Rule, a breach of unsecured protected health information must be reported to the affected individuals without unreasonable delay and no later than 60 days after it is discovered. Breaches affecting 500 or more individuals must also be reported to the U.S. Department of Health and Human Services (HHS) within that same 60-day window, and breaches involving more than 500 residents of a single state additionally require notice to prominent media outlets serving that state; smaller breaches are logged and reported to HHS annually. On top of the federal rule, 47 states have their own statutes governing notification of affected individuals, and those statutes differ in their triggers, timelines and required content. Sorting through these overlapping requirements and meeting them on time can necessitate hiring privacy attorneys, credit monitoring firms and other consultants.
If your company is self-insured or is thinking about self-insuring, Farley recommends the following five best practices to help protect your employees’ sensitive information from hackers and to minimize potential damage to your company and its employees in the event of a data breach:
- Have a Business Associate Agreement. Many companies outsource the administrative aspects of their health plan to a third party, including plan design, claims administration and prescription drug management. Such a vendor will have access to employees’ protected health information and is a business associate under HIPAA. If your business has contracted with an outside vendor for any aspect of your health plan management, make sure you have a HIPAA business associate agreement (BAA) with them that clearly outlines the protocols and responsibilities in the event of a data breach, and that obligates the vendor to flow the same terms down to any subcontractor that touches the data. HIPAA only requires a business associate to report a breach to you within 60 days of discovering it, which can consume most of your own notification window, so make sure the BAA sets a much shorter, specific deadline (days, not weeks) for the vendor to notify you of any security incident or breach. Ultimately, the group health plan is the covered entity, so you remain responsible for notifying affected individuals and HHS even when the breach occurred at the vendor; the BAA cannot shift that legal obligation, but it can transfer the costs and establish a timeframe and process for notifications to the correct parties.
- Test your technology. Your data is only as secure as the systems and networks that store and transmit it. To test the security of your company’s network, including firewalls, intrusion detection systems and any benefits portals or applications that handle health information, hire an outside firm to complete a penetration test. The firm will act like an attacker to identify weaknesses in your environment, which can run the gamut from application and operating system flaws to risky end-user behavior. Use the findings to implement additional security measures where necessary, fix the highest-risk issues first, and have the firm retest to confirm they are closed. Keep in mind that the HIPAA Security Rule separately requires a documented risk analysis of the threats to electronic protected health information; a penetration test is useful evidence for that analysis but not a substitute for it. Maintain the security of your network by holding reviews on an annual basis to make sure you’re up to date with the latest security measures. Hold your vendors to the same standards, and require them to disclose proof, such as an independent audit report or a summary of their most recent penetration test, that they are assessing their networks on an annual basis.
- Train your employees. From emailing the wrong person to opening an email that contains malware, staff errors happen all the time. While you can’t prevent all errors from happening, you can implement policies and train employees on best practices to minimize risk. For example, do your employees know how to identify a phishing attempt, and do they know whom to report it to? Do they work on their own mobile devices, and do you know how secure those devices are? Do your employees email sensitive documents to their home computers to work on at night? Knowing the practices of your employees and educating them on any risky behaviors, backed by controls such as encryption for documents that leave the office, can limit potential end-user security breaches.
- Review your offline processes. In addition to your online practices, you should also consider your process for securing and disposing of paper files. How do you store paper files and who has access to them? How long will you keep this data and, when it is to be destroyed, will it be disposed of safely, for instance by shredding or by a destruction vendor that documents what it destroyed? A piece of paper can be as dangerous as an electronic medical record if not handled properly, and a lost file of enrollment forms triggers the same notification duties. Make sure your company has secure policies and procedures in place.
- Get a cyber insurance policy. Cyber coverage is an essential need for companies with self-insured health plans. Look for policies that offer network security liability coverage (for data breaches, destruction of data and malware) and privacy liability coverage (for network security failures and for breaches due to human error or a technology malfunction). Thoroughly review any policy with your insurance broker to make sure you are getting the coverage your company needs. Many policies include sub-limits that cap the payouts for certain aspects of a data breach. “You may have a one million dollar limit on your cyber policy, but only a certain percentage of that could be earmarked for crisis management costs, such as fees for privacy attorneys, IT forensics, credit monitoring, notification, and public relations costs. These costs can easily reach six figures in a matter of weeks,” Farley explained. “A crisis management sub-limit could leave you to cover the rest of the costs that exceed the sub-limit.” Paying attention to the details will help you avoid any surprises if your company finds itself dealing with a data breach.
With so much of our lives lived online, taking measures to protect the information we share has become a modern-day necessity. This is especially true for companies in possession of sensitive employee health information. Taking the proper precautions will make you a less attractive target for attackers and give your company and employees a safety net in the unfortunate event of a breach.