Abstract
Given the significance of the need to mitigate threats to company data, security testing assessment requires covered entities to implement industry-specific best practices in security for all related components including administrative procedures, physical safeguards, technical security services, and technical security mechanisms. These security components are imperative to preserve the confidentiality, integrity, and availability of health information.
Clear and Present Danger
The insurance business thrives on reliability and trust. It is critical for insurance organizations to ensure that their customer information is safe from any kind of theft, leak, or destruction. The integrity, confidentiality, and availability of Electronic Protected Health Information (EPHI) that an organization gathers, maintains, or transmits, must be protected from any untoward incidents at all costs. Insurance companies control confidential customer data such as medical records, social security numbers, financial information, and driving records. The privacy of this information can be breached not only by inappropriate access to stored information, but also through electronic transmission.
As technology becomes increasingly sophisticated and complex, so do cyber threats. This makes the risk of a data breach at any organization a very real catastrophe. Currently, no industry standard governs all aspects of security of electronic health information while it is stored or transmitted between entities. These entities may include healthcare clearing houses, employer-sponsored health plans, health insurers, and medical service providers that engage in certain transactions. This white paper analyzes the need for security and privacy of information in the insurance sector, and lists best practices to ensure secure information environments.
Data Protection at All Costs
The Health Insurance Portability and Accountability Act (HIPAA) has set watertight security standards to protect individual EPHI that is produced, received, used, or maintained by a covered entity. The Security Rule needs administrative, physical, and technical safeguards to ensure that only authorized individuals have access to EPHI, so that an insurer can plausibly defend the confidentiality, integrity, and security of protected electronic health information. The Privacy Rule, on the other hand, assures that individuals’ personal health information is properly protected. It establishes the standards for accessing Public Health Information (PHI). This ensures smooth flow of information towards providing and promoting high-quality healthcare. All administrative simplification rules apply to healthcare providers that transmit health information electronically
While the framework for ensuring data security is in place for the insurance industry, the real challenge is to manage the data privacy given the increasing complexity of applications and infrastructure. Data breaches in the insurance industry are often more difficult to detect than credit card information leaks. Threats may include employees, agents, software weaknesses, customers, and external, malicious individuals posing a danger to intellectual property, market valuation, and brand reputation.
Security and privacy assessments—along with active participation from application development, IT operations, and vendor procurement teams—help mitigate these issues.
Most insurance providers automate processes, management systems, and IT infrastructures to expand their business to diverse geographies. The emergence of security threats that increase the risk of sensitive data exposure and manipulation of information requires continued adoption of new technologies and platforms.
Security is an even bigger issue when applications, customers, and agents are geographically dispersed. With the volume of mergers and acquisitions in the insurance sector fast growing, third-party application integration becomes a concern.
The Case for Information Security and Privacy Standards
Before HIPPA, there was no standard for protecting health information in the insurance industry. With the evolution of new technologies, and changes in the healthcare industry from paper-based processes to electronic forms, the industry now relies heavily on electronic means to handle claims, other financial transactions, view health information, and conduct administrative and technical functions.
A majority of insurers, employees, agents, and customers now use desktop, smartphone, and Web applications for faster access to information. Administrative applications used by insurance providers include computerized physician order entry systems, electronic health information systems, and customer premium-charge systems. Insurance plans provide access to claims and care management, as well as self-service applications. While this facilitates mobility and efficiency for medical workforces, the adoption of these systems raises significant security risks.The Security Standard in HIPPA was developed for two primary purposes:
- To protect risk-prone electronic healthcare information
- To protect individuals’ health information while approving suitable access and use of that information; organizations pay heavy penalties if they do not adhere to regulatory requirements
Recent Information Breaches in the Insurance Industry
- In October 2012, the systems of a nationwide US insurance provider were hacked, compromising the personal information of 1.1 million customers
- According to the Associated Press, on October 16, 2013, “A laptop stolen from an auditor’s car contained the personal information of more than 3,400 members of the South Carolina Health Insurance Pool. It contained the names and Social Security numbers of 3,432 people who were part of the high-risk pool in 2011 and 2012.”
- The personal information (names, addresses, birthdates, and Social Security numbers) of Standard Insurance Company’s customers was publicly revealed to vendors on October 18, 2013
- On February 2014, Puerto Rican insurance company Triple-S Salud (TSS) suffered a data breach due to violation of HIPPA rule. The company’s management was fined $6.8 million by the Puerto Rico Health Insurance Administration.
- The 2014 Cost of Data Breach Study: Global Analysis, sponsored by IBM, says the average cost to a company from data breaches was $3.5 million, 15% more than in 2013.
- According to US federal agencies in July 2014, hackers broke into the healthcare.gov insurance enrollment website and uploaded malicious software to the portal.
Getting it Right: Best Practices for Data Security and Privacy
Most insurance providers regularly carry out hundreds of transactions daily to receive premiums and update customer information. Budget constraints have meant they have not been able to use the latest technologies for day-to-day operations. Poor infrastructure and unsecured environments are open invitations to hackers. Here are some best practices for the industry towards ensuring a more secure, safe environment:
- Updated Security Requirements: Review projects and specify security requirements based on functionality requirements. Regulatory compliance and best-practice security guidance documents should be analyzed to derive additional requirements for customers.
- Regular Privacy and Security Training: User awareness training—with administrative control—can help ensure that users of the system are aware of security controls and requirements.
- Develop a Secure Architecture: Create a list of recommended software frameworks, services, and other software components in a security architecture document. Also create a list of guiding security principles as a checklist against detailed designs.
- Stringent Threat Assessment: Build a threat model based on documents and information received from the business team for each type of environment. This model helps the development team understand the criticality of various threats and their business impact.
- Diligent Design Review: Identify and analyze entry points (attack surface/defense perimeter) in software designs against known security risks to prevent loss from data breaches.
- Attentive Code Review: Create secure coding standards for the development team to help them understand what security mechanisms are implemented in the coding phase. This can vastly reduce the effort of the development team.
- Rigorous Security Testing: Penetration testing for the application and network is important for the external and the internal security of the organization. Organizations need to follow the best practices of industry-specific security testing standards (OWASP, SANs, OSTMM).
- Scope for Vulnerability Management: Create security testing metrics in which a baseline is established for the mitigation of vulnerabilities. This process prioritizes the high- and medium-impact issues.
Security Regulations for Insurance Providers to Consider
Insurance companies in the US are required to follow regulations including the Gramm-Leach-Bliley Act (GLBA) of 1999, the Patient Protection and Affordable Care Act (PPACA), the HIPPA and the Payment Card Industry Data Security Standard (PCI-DSS). These signify the extent to which organizations must protect personal and financial information of the customer from internal and external threats.
Under the GLBA, for instance, companies need to implement a comprehensive information security program that includes administrative, technical, and physical safeguards based on the size and complexity of the institution, and the nature and scope of its business. Organizations may face fines of up to $100,000 per incident. Officers and directors must pay fines of $10,000 per person if found to be in violation of compliance standards.
The HIPAA provides federal protection for an individual’s health information held by covered entities and their business associates. The Privacy Rule gives patients’ rights with respect to the health information they provide. It authorizes organizations to disclose health information needed for patient care and other important purposes. It applies to all forms of patients’ protected health information, whether electronic, written, or verbal. The Security Rule specifies a sequence of administrative, physical, and technical safeguards for enclosed entities and their business associates.
To meet the challenges of data privacy and regulatory requirements, organizations need to follow best practices in security testing to help them protect customer information and their overall information environment.
Coforge’ Governance and Adherence Solutions
Our security solutions are based on the Open Web Application Security Project (OWASP), Open Source Security Testing Methodology Manual (OSSTMM), SysAdmin, Audit, Network, and Security (SANS), and Web Application Security Consortium (WASC) testing methodologies for security testing. Our Vulnerability Assessment Service is designed to identify security flaws in an organization’s external and internal environment.
Comprehensive Security Cover Will Ensure Growth
In today’s business environment, it is imperative to have an effective and enhanced security testing solution with open source and automated tools for Web-based applications, mobile applications, and thick client applications. Coforge’ formal security management processes create and administer policies to address the full range of security issues and ensure prevention, detection, containment, and correction of security. Our methodologies follow industry best practices for security testing and keep in mind security regulations of the insurance industry. With our leading risk-based testing expertise in areas ranging from vulnerability assessment, risk assessment, penetration testing and more, insurance businesses will be able to ensure a comprehensive security and privacy solution for themselves.
About the Author
Robin Tiwari is a certified ethical hacker and experienced IT professional having rich and insightful 9.5 years of experience in Penetration Testing and Vulnerability Assessment. He has wide experience in various domains such as Airlines, Logistics and Transportation, Banking, Financial Services, and Insurance (BFSI). He has extensive knowledge of BFSI and Web and mobile application security testing assessment.
