Take extra measures to safeguard employee data from a cyber breach when administering health plans.
More and more employers are opting to self-insure to gain greater control over their employee benefits costs. Along with the benefits of a self-insured plan comes the additional risk and responsibility of adequately protecting employees' protected health information (PHI) – data that attackers actively target because it is far more valuable, and far harder to replace, than a payment card number.
“Self-insured plans are a key benefits strategy that many companies leverage today to control benefit costs,” said John Farley, vice president and practice leader for HUB International’s Cyber Risk Management Services. “But, it’s imperative that you understand your legal obligations if you experience a data breach that involves the protected health information of your employees.”
Under the HIPAA Breach Notification Rule, a breach of unsecured protected health information must be reported to the U.S. Department of Health and Human Services (HHS): without unreasonable delay and no later than 60 days after discovery when 500 or more individuals are affected, or in an annual log filed within 60 days of the end of the calendar year for smaller breaches. Affected individuals must be notified within the same 60-day window regardless of the breach size, and 47 states (at the time of writing) also have their own breach notification statutes, each with different triggers, deadlines and content requirements. Sorting through these overlapping obligations and meeting every deadline often means hiring privacy attorneys, credit monitoring firms and other consultants on short notice.
If your company is self-insured or is thinking about self-insuring, Farley recommends the following five best practices to help protect your employees’ sensitive information from hackers and to minimize potential damage to your company and its employees in the event of a data breach:
- Have a Business Associate Agreement. Many companies outsource the administrative aspects of their health plan to a third party – including plan design, claims administration and prescription drug management. That vendor will have access to employees' protected health information. If your business has contracted with an outside vendor for any aspect of your health plan management, HIPAA requires a business associate agreement (BAA) with them; make sure it clearly sets out the protocols and responsibilities in the event of a data breach, including breaches caused by any of the vendor's subcontractors (who must themselves be bound by a BAA with the vendor). Make sure the BAA requires the vendor to notify you of any suspected or confirmed breach promptly, within a fixed number of days, rather than the 60-day maximum HIPAA allows a business associate. Ultimately, the group health plan remains the HIPAA covered entity and is responsible for notifying affected individuals, HHS and, where required, the media; the BAA cannot transfer that legal obligation, but it can shift the costs and establish a timeframe and process for notifications to the correct parties.
- Test your technology. Your data is only as secure as the systems and networks that store and process it. To test the security of your company's network, including firewalls and intrusion detection systems, hire an outside firm to complete a penetration test. The firm will act like an attacker to identify weaknesses in your environment, which can run the gamut from application and operating system flaws and misconfigurations to risky end-user behavior, and should report each finding with its severity and a recommended fix. Use this information to implement additional security measures where necessary and to verify, through a retest, that the fixes actually closed the gaps. Maintain the security of your network by repeating the assessment at least annually and after any significant change to your systems. Hold your vendors to the same standards, and require them to provide proof that they are assessing their networks on an annual basis, such as a summary of a recent penetration test or an independent audit report.
- Train your employees. From emailing the wrong person to opening an attachment that contains malware, staff errors happen all the time. While you can't prevent every error, you can implement policies and train employees on best practices to minimize risk. For example, do your employees know how to identify a phishing attempt, and do you test that knowledge with simulated phishing campaigns? Do they work on their own mobile devices, and do you know whether those devices are encrypted, passcode-protected and kept up to date? Do your employees email sensitive documents to their home computers to work on at night, and have you given them a sanctioned, secure alternative? Knowing the practices of your employees and educating them on any risky behaviors can limit end-user security breaches.
- Review your offline processes. In addition to your online practices, you should also consider your process for securing and disposing of paper files. How are paper files stored, and who has access to them? How long will you keep this data and, when it is to be destroyed, will it be disposed of safely, for example by shredding or through a vendor that certifies destruction? A piece of paper can be as dangerous as an electronic medical record if not handled properly. Make sure your company has written policies and procedures in place and that they are actually followed.
- Get a cyber insurance policy. Cyber coverage is an essential need for companies with self-insured health plans. Look for policies that offer network security liability coverage for data breaches, destruction of data and viruses and privacy liability coverage for network security failures and breaches due to human error or a technology malfunction. Thoroughly review any policy with your insurance broker to make sure you are getting the coverage your company needs. Many policies include sub-limits that place restrictions on the payouts for certain aspects of a data breach. “You may have a one million dollar limit on your cyber policy, but only a certain percentage of that could be earmarked for crisis management costs, such as fees for privacy attorneys, IT forensics, credit monitoring, notification, and public relations costs. These costs can easily reach six figures in a matter of weeks,” Farley explained. “A crisis management sub-limit could leave you to cover the rest of the costs that exceed the sub-limit.” Paying attention to the details will help you avoid any surprises if your company finds itself dealing with a data breach.
With so much of our lives lived online, taking measures to protect the information we share has become a modern day necessity. This is especially true for companies in possession of sensitive employee health information. Taking the proper precautions will make you a less attractive target for attackers and give your company and employees a safety net in the unfortunate event of a breach.