As the rollout of the South Carolina Insurance Data Security Act (“SCIDSA”) begins to unfold, insurance companies are tweaking their existing information security programs, or building new programs from scratch, to meet the new security requirements. Information security programs are designed to be comprehensive, using the concept of “defense in depth” by implementing three layers of safeguards to protect key data.
Data in Transit
For businesses, data exists in a few states known as the “three states of digital data”, one of which is “Data in Transit.” As information moves from business to business, business to client, employee to employee and so on, securing that data becomes more complex. Looked at from a business model perspective, hundreds to thousands of these transfers occur on a daily basis to meet business needs. Added to this is the burden of having detailed procedures in place to handle the data as it flows through the other two states, covering access, collection, storage, processing, use, and disposal. Policies and procedures are one of the daunting tasks required by SCIDSA, as the documents must be in line with the business model and enforced.
Questions to Answer
But wait, there is more! Complexity emerges when we dig deeper into the policy. What kind of hardware, software or technical systems will you employ to safely collect, transmit, access and store this data? How will you update, monitor, or audit this software and equipment? Will you hire an outside firm to handle any of these issues? Will you use multi-factor authentication for all users, and what type of data encryption will you select for the various types of electronic data that are handled?
Additionally, companies need to consider the physical safeguards for buildings, equipment and electronic information systems. How do you protect the information from natural and workplace hazards? How about protection from unauthorized intrusion? Is there a business continuity plan or a disaster recovery plan in place? What backup schedule is in place to ensure recovery is possible in a timely manner?
Finally, consider incident response and planning. Who will you assign to identify foreseeable internal or external threats? These resources should be able to evaluate the risk by taking into account the likelihood and potential damage of each threat in a Security Risk Assessment. As the threat landscape evolves, current policies, procedures, and technologies need to be reassessed to ensure the security program remains adequate.
Hopefully these ideas will help motivate businesses to use their time wisely and develop a comprehensive information security program before SCIDSA is fully enforced. I also hope that you will join me at the South Carolina Insurance Association's seminar on July 26, 2018 in Columbia, SC to help answer these questions and more. Please check out my prior blog on July 6, 2018, https://www.tandemcybersolutions.com/blog/scia-educational-seminar-on-sc-insurance-data-security-act for the complete details and links.
I will be sure to take good notes and pass along some of the valuable tips and resources in my next blog.
Co-Founder + Forensic Expert
The University of Texas MD Anderson Cancer Center recently found itself in the news as the latest organization in trouble due to HIPAA violations. The U.S. Department of Health and Human Services (HHS) takes the privacy of patients very seriously, causing some serious issues for the medical center. By reading on, you will learn more about what HIPAA is and everything that you need to know about this HIPAA breach. You will also learn what we can take away from this story.
WHAT IS HIPAA?
HIPAA (Health Insurance Portability and Accountability Act) was passed by Congress in 1996 to help with the following key areas:
There are some important things to know about the Texas MD Anderson Cancer Center HIPAA breach. Between 2012 and 2013, an unencrypted laptop was stolen and another 2 unencrypted thumb drives were lost. As a result of their negligence in the matter, the Cancer Center was fined over $4 million. It was determined that they failed to implement preventative measures, which impacted 33,000 patients.
Because the missing devices were unencrypted, HHS assumed that the PHI (Patient Health Information) was compromised, since MD Anderson is unable to prove otherwise. Unlike in criminal proceedings, there is no presumption of innocence until proven guilty. Here, the lack of information is all HHS needs.
Medical centers need to encrypt data to prevent lost, stolen, or decommissioned devices from putting patient information at risk. This is especially important with Bring Your Own Device (BYOD) policies and when USB devices such as thumb drives are used. Encryption is a word that most people don’t understand and therefore ignore, but it simply means locking the data away so that only those with the key can access it. Encryption standards like AES offer fast and affordable methods that are practically impossible to break without the key.
It is crucial to block all unauthorized USB devices to prevent the loss of sensitive data, as well as to protect against malware and malicious users who want to steal this information. USB devices are particularly hazardous because they allow people to easily steal information from the inside, as can be seen in the Center for Health Care Services case in 2017. Infected USB devices can quickly spread malware through a medical center, which has happened at 2 power generation facilities. If a malware infection does occur at a medical center, the patient data is assumed to be compromised unless the organization can prove that the malware never touched the PHI.
If you have been following our blog, you have seen the impact of the South Carolina Insurance Data Security Act on SC-based insurance companies. These businesses now have clearer guidelines detailing due care in protecting customer information and can face heavy repercussions for ignoring those guidelines. Although this may seem a nuisance to the insurance industry, overall it is a big step in securing consumer Personally Identifiable Information (PII). As such, it comes as no surprise that insurance associations have begun the journey of educating members before the act is fully enforced.
For more information on the SC Insurance Data Security Act, you can view our other blogs on this topic: https://www.tandemcybersolutions.com/blog/category/insurance-data-security-act.
July 26, 2018, 9:00 a.m. – 11:00 a.m.
1201 Main Street
3rd Floor Conference Room
Columbia, SC 29201
On July 26, 2018, the South Carolina Insurance Association (SCIA) will hold an educational seminar in Columbia, SC, for its members concerning the requirements of the South Carolina Insurance Data Security Act. The two-hour seminar will open with remarks from Russ Dubisky, Executive Director of the SC Insurance Association. Following the opening remarks, the seminar will address how the SC law will impact the rest of the nation, and speakers will then walk members through a practical guide to compliance. To close out the seminar, guests will have the opportunity to pose questions to representatives of the SC Department of Insurance concerning the Data Security Act.
This will be a great opportunity for members of the SC Insurance Association not only to get answers to their questions but also to develop a comprehensive information security plan for their respective companies.