Health Plans See Internal Mistakes and Carelessness as Bigger Threat to Data Security than Hackers

Featured Health Business Daily Story, June 20, 2008. Reprinted from HEALTH PLAN WEEK, the industry's leading source of business, financial and regulatory news of health plans, PPOs and POS plans.

Recent high-profile breaches of protected health information (PHI) involving WellPoint, Inc., CareFirst BlueCross BlueShield and HealthNow New York, Inc. have cast a spotlight on the privacy and security practices of health plans. These and other incidents have ranged from stolen laptop computers to the exposure of protected information on unsecured vendor servers. CareFirst said that between Feb. 4 and Feb. 20, it inadvertently exposed the personal information of about 75,000 dental members on a public Web site.

Health plan privacy and security officers interviewed by HPW say that while no information-protection system is totally foolproof, there are certain key steps plans can take to significantly reduce the risk of data being lost, stolen or inappropriately viewed. And they agree that in most cases, the problem is internal mistakes and carelessness rather than threats from hackers. "Typically the weak link is not some exotic hacker," Craig Shumard, CIGNA Corp.'s chief information security officer, tells HPW. "In many cases, it's an employee or third-party outsourcer who just didn't consider the security implications of what they were doing." Among the weak links cited by privacy and security officers:
These weak links can be addressed by the right blend of administrative practices and technology safeguards. "The most important step you can take is arming your employees with the technology and the knowledge they need to protect this information," says Mike Elinski, associate vice president for technology and e-business development at Michigan-based Health Alliance Plan. "Doing this puts you and your customers in the best possible position." Key among the administrative practices and technology safeguards are employee education to create a culture that places a high premium on protecting information, proven technology practices, and procedures for monitoring outside vendors and other third parties.

Education Is Key to Culture Building

Elinski admits that there is no silver bullet for protecting member information. "The biggest challenge is people," he says. "You can do things to secure your computers and data. But your employees must be totally tuned into the importance of protecting this information." HAP says it invests significant resources in educating its employees and creating a culture that reinforces a respect for privacy and security. In addition to ongoing education and communication efforts, HAP regularly posts privacy and security updates and reminder messages on its employee intranet.

CIGNA also invests heavily in employee education. "Because 30% to 40% of information protection challenges have no technology solution, our employees must be committed to the belief that security is everyone's responsibility," Shumard tells HPW. He says that about 40% of the company's information protection efforts are based on human behavior and making sure that people are following the company's policies and procedures. CIGNA uses several vehicles to educate its employees, including e-mail blasts, lunch-and-learn sessions, town meetings and security training classes.
Health plans use a variety of technology solutions and safeguards in attempts to ensure that sensitive information is protected at every exposure point. CIGNA, for example, employs internal scorecards and external benchmarks to measure the effectiveness of its policies and procedures in 19 security categories encompassing everything from workstation to network security. Shumard says that during the past year, the company deployed various types of encryption systems, penetration testing procedures, data-loss prevention tools, peer-to-peer monitoring, new login tools and code reviews.

HAP says it has never experienced a problem with data stored on laptop computers because the company discourages the use of laptops in certain circumstances. And when laptops are used, the hard drives are always encrypted. HAP routinely exchanges data with vendors through secure circuits and encrypted file transfers. "We may occasionally send files in secure e-mail attachments, but we're not fond of doing that," Elinski says. When e-mailing confidential information, HAP uses a filter system that flags any message containing PHI. That information is then reviewed by the company's compliance officer to ensure that the information is encrypted and that other privacy safeguards have been followed. E-mail attachments with PHI and other sensitive information also must be encrypted and password protected. A secure Virtual Private Network created by HAP's information technology department is available when employees regularly e-mail PHI or sensitive data.

Highmark Inc. also encrypts all laptop hard drives and mandates that confidential information be saved to a network rather than the hard drive. "We use a two-factor authentication process [for our laptops]," says Kimberly Gray, chief privacy officer. "So in addition to the normal login ID and password, the user must know a second set of unique numbers and passwords."
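The outbound-mail control HAP describes, as an added example rather than HAP's own system or any code from the article: the gateway flags a message whose body or attachment names match PHI indicator patterns, logs flagged messages whose attachments are all encrypted, and holds any flagged message carrying an unencrypted attachment for the compliance officer. The pattern set, the message structure and the sample traffic are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumed PHI indicator patterns (constructed; a real filter would use the plan's own identifier formats).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "member_id": re.compile(r"\bmember\s*(?:id|#)\s*[:#]?\s*[A-Z0-9]{6,}\b", re.I),
    "clinical": re.compile(r"\b(?:diagnos(?:is|ed)|ICD-?10|prescri(?:bed|ption))\b", re.I),
}

@dataclass
class Attachment:
    name: str
    encrypted: bool  # assumed to be determined upstream, e.g. a password-protected archive

@dataclass
class OutboundMessage:
    recipient: str
    body: str
    attachments: list = field(default_factory=list)

def phi_indicators(text):
    """Names of the PHI patterns that match the text, sorted; empty if none."""
    return sorted(name for name, rx in PHI_PATTERNS.items() if rx.search(text))

def route(msg):
    """Gateway decision for one outbound message.
    'deliver'          no PHI indicators found
    'flag'             PHI found and every attachment is encrypted: log, then deliver
    'hold_for_review'  PHI found with an unencrypted attachment: queue for the
                       compliance officer, as in the control described above
    """
    hits = set(phi_indicators(msg.body))
    for att in msg.attachments:
        hits.update(phi_indicators(att.name))  # a file name such as "diagnosis_list.pdf" counts too
    hits = sorted(hits)
    if not hits:
        return "deliver", hits
    if any(not att.encrypted for att in msg.attachments):
        return "hold_for_review", hits
    return "flag", hits

# Constructed sample traffic (not from the article).
SAMPLES = [
    OutboundMessage("vendor@partner.invalid", "Please review the claim for member ID AB123456; diagnosis pending.",
                    [Attachment("claims.xlsx", encrypted=False)]),
    OutboundMessage("vendor@partner.invalid", "Agenda for Thursday's vendor security review."),
    OutboundMessage("auditor@partner.invalid", "Encrypted report attached; password sent separately. SSN 123-45-6789 inside.",
                    [Attachment("report.zip", encrypted=True)]),
]
```

Running `route` over `SAMPLES` holds the first message, delivers the second and flags the third.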
Thomas Young, Aetna Inc.'s chief privacy and security officer, tells HPW that all confidential member information accessed on personal computers (desktops and laptops) must be encrypted. The company's servers can be accessed only with authenticated IDs and passwords. Aetna conducts annual audits to ensure that all company computers are encrypted.

Health plans also are paying more attention to the security procedures being used by their vendors. Beginning next year, Highmark will examine the security policies and procedures of all outside vendors, and will monitor their policies and procedures on an ongoing basis. "We're testing this system now for rollout," Gray says. "We also will be doing more due diligence up front when we select outside vendors to make sure their security procedures are reasonable and meet our expectations."

CIGNA audits its third-party business partners. "We conduct business with several thousand third parties, so we created an extensive process to vet and triage any organization that accesses, stores and/or processes sensitive information," Shumard says. CIGNA performs on-site security reviews of any vendor that handles what the company considers its most sensitive information. While HAP does not conduct routine vendor audits, it occasionally visits a vendor to examine its security procedures. Elinski also says that the company spends considerable time educating its vendors on the need to protect the data being handled.