Technology Risks
Cyberrisk: ‘Healthy Dose of Paranoia’ Needed
The workers’ comp system has been generally spared from data hackers. But with the multitude of people and companies transmitting and sharing files daily, it is incumbent upon companies to take protective actions, advises a managed care services provider.
Data breaches at some of the country’s largest health plans, as well as among retailers, have prompted Genex Services, LLC to offer suggestions to protect the industry. In addition to recommended steps to take, a new white paper also includes basic regulatory issues and terminology to help industry stakeholders better understand data concerns and the need to collaborate with partners and vendors.
“Our industry certainly could be, and perhaps already is, at risk,” notes the paper. “Lack of strong data security could expose an organization to millions of dollars in litigation, damage control and repair costs.”
The document, Enemy at the Gate: Data Security Risks in Workers’ Comp, outlines the potential risks and offers advice.
“A healthy dose of paranoia is a necessity for today,” the paper states. “It is clearly in the best interest of our industry, and of workers, to err on the side of caution.”
The Risks
“The ability to show strong data security controls is critical for employers and carriers,” the paper advises. “Companies want assurance that their data will be stored and backed up securely and in a physically safe location, that there are controls for who can access data, who can share information and the manner in which data is shared, e.g. secure email server.”
A number of “key domain risks” face the industry such as unauthorized access to personal health information. Such information “could be used for identity theft or even blackmail,” the paper says. “Unfortunately, there are many ways for such data to be accessed. Data is always in motion in comp claims as there are various vendors, case managers, bill review specialists, and independent medical examiners, all transmitting and sharing files and forms every day.”
Carefully vetting vendors and properly managing passwords are among the methods to ensure security controls are effective. Passwords, the paper advises, should be “easy to remember, but not overly simplistic and be changed more than twice a year to reduce potential risks.” Password parameters should be developed for “all applications and networks.”
Sending claim information over the Internet is risky. The emphasis on mobile workplaces “exacerbates risk from the Internet.”
The authors advise companies to remind employees to “remain vigilant” when adjusters, providers, and injured workers are sending emails that include addresses, dates of birth, and Social Security numbers through non-secure servers. “These senders need to be informed and educated of the dangers associated with nonsecure platforms,” the document states.
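One way to turn that reminder into an automated check, as an added example that is not from the Genex paper: the script below scans an outbound message for Social Security numbers and a labelled date of birth and holds it unless the mail gateway marked the hop as encrypted (the X-Transport-Encrypted header name and the sample messages are assumptions).

```python
"""Outbound-mail check for claim data leaving over a non-secure path.

Added example, not from the Genex paper: it flags a message that carries a
Social Security number or date of birth unless the delivery hop is marked
as encrypted. The gateway header name below is an assumption.
"""
import re
from email import message_from_string
from email.policy import default

# Structural SSN pattern: area 001-899 but not 666, group 01-99, serial 0001-9999.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)(\d{3})-(?!00)(\d{2})-(?!0000)(\d{4})\b")
# Date of birth as MM/DD/YYYY following a "DOB" or "date of birth" label.
DOB_RE = re.compile(r"\b(?:DOB|date of birth)\b[:\s]*(\d{1,2}/\d{1,2}/\d{4})", re.I)
# Assumed header the outbound gateway sets when the next hop negotiated TLS.
TLS_HEADER = "X-Transport-Encrypted"

def find_ssns(text: str) -> list[str]:
    """Return strings shaped like valid SSNs (rejects 000-, 666- and 9xx- areas)."""
    return ["-".join(m.groups()) for m in SSN_RE.finditer(text)]

def classify_message(raw: str) -> dict:
    """Return 'allow', 'allow-encrypted' or 'block' plus the findings behind it."""
    msg = message_from_string(raw, policy=default)
    part = msg.get_body(preferencelist=("plain",))
    text = (msg["Subject"] or "") + "\n" + (part.get_content() if part else "")
    ssns, dobs = find_ssns(text), DOB_RE.findall(text)
    encrypted = (msg.get(TLS_HEADER) or "").strip().lower() == "yes"
    if not ssns and not dobs:
        decision = "allow"            # nothing sensitive in subject or body
    elif encrypted:
        decision = "allow-encrypted"  # PHI present, but the hop is protected
    else:
        decision = "block"            # PHI over a non-secure server: hold, notify sender
    return {"decision": decision, "ssns": ssns, "dobs": dobs, "encrypted": encrypted}

# Constructed sample messages (fictional claimant data).
CLAIM_PLAINTEXT = (
    "From: adjuster@example.test\nTo: clinic@example.test\n"
    "Subject: Claim intake\nContent-Type: text/plain\n\n"
    "Claimant SSN 123-45-6789, DOB: 04/12/1978. Please schedule the IME.\n"
)
CLAIM_OVER_TLS = CLAIM_PLAINTEXT.replace("Subject:", f"{TLS_HEADER}: yes\nSubject:")
ROUTINE_NOTE = (
    "From: adjuster@example.test\nTo: clinic@example.test\n"
    "Subject: IME report\nContent-Type: text/plain\n\n"
    "File 000-12-3456 is an internal reference, not an SSN. Report due Friday.\n"
)
```

Running `classify_message` on the three constructed messages yields block, allow-encrypted and allow respectively; a real deployment would also check attachments and use the gateway's own TLS signal.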
Securing Data
Administrative, technical, and physical controls should be implemented. Administrative controls, for example, include conducting background checks and using confidentiality agreements, as well as security awareness training. Anti-virus, network segmentation and web and email filtering are among the technical controls that should be put into place.
Physical controls cover limiting access to buildings and to the data held inside them. Key-fob or card-entry building access systems are recommended. A “security triangle” should be created to ensure all controls are highly secured and monitored.
Steps to Take
Organizations can take a variety of measures to ensure the security of sensitive data. Continually reviewing and improving technical controls and providing clear guidance and instruction to employees transmitting data are among them. Antivirus programs should be installed on all systems and virus definitions should be updated frequently, such as every three hours.
The paper offers a variety of additional tips, including:
Encrypt data on the C drive, data in transit, and databases on servers to protect data in case a laptop is lost or stolen.
Implement a system to determine which department or individual can access data and limit the number of people with full access to everything.
Guard against email phishing to avoid scams. “Be aware of anything involving shipping or delivery of product, and warn employees to be especially wary of unsolicited emails purporting to be from government agencies and popular internet commerce sites, such as the IRS or PayPal, especially during tax season, and high volume online shopping periods,” the document recommends.
Instruct vendors to tell their own employees of the importance of security to ensure all links in the data security chain are strong.
Insufficient Standards
The paper is the latest to address concerns of potential data breaches in workers’ comp. Cyber security is among Sedgwick’s areas of focus this year.
In a recent blog post, Sedgwick’s senior vice president and information security officer Robert Jackson suggested the health care industry has set the bar on data security too low. “You may think you have taken the steps needed to protect your company’s data,” Jackson wrote. “How does your data security currently stack up?”
Jackson poses a series of questions on tools to protect data and points out that many “standards” are insufficient. For example, antivirus software is not the best protection against malware, he says. “Traditional antivirus software can only protect against things it has previously seen; new malware is specifically designed to constantly change itself to bypass traditional antivirus software.” He points to application whitelisting software as the best replacement for antivirus software on workstations and servers.
Nor, he says, is penetration testing the best way to verify that Internet-facing software cannot be hacked. Instead, tools such as binary code testers analyze logic and software vulnerabilities across all of the programming in an organization’s code, not just the code that is running when regular testing occurs.