Many insurance companies are offering coverage for data breaches, and indeed a growing number of organizations are purchasing this type of insurance as hacker attacks become more common.
Data breach or cyber insurance policies are becoming a more vital component of organizations’ preparedness plans, according to a 2014 report by the Ponemon Institute. In 2013 only 10% of the companies surveyed by Ponemon said they purchased a policy. In 2014, the percentage more than doubled to 26%.
As the firm noted in its 2014 Cost of Data Breach: Global Analysis, “an interesting finding is the important role cyber insurance can play in not only managing the risk of a data breach but in improving the security posture of the company. While it has been suggested that having insurance encourages companies to slack off on security, our research suggests the opposite. Those companies with good security practices are more likely to purchase insurance.”
But let’s not forget that insurance carriers themselves can be—and often are—the victims of cyber security attacks.
One very recent and glaring example is Anthem, one of the largest health insurers in the United States. The company in early February revealed that it had been hacked, resulting in the exposure of personal information about millions of its employees and members.
The attack was reported to be one of the biggest data breaches ever at a major insurance company. While the number of records lost isn’t clear, the company said all of its product lines were affected. The breach impacted Blue Cross and Blue Shield plans that are not owned by Anthem, according to an FAQ on the company’s Web site.
The Blue Cross and Blue Shield Association's BlueCard is a national program that allows members of one Blue Cross and Blue Shield Plan to obtain healthcare services while traveling or living in another Blue Cross and Blue Shield Plan's service area, Anthem says. The program connects participating healthcare providers with the independent Blue Cross and Blue Shield Plans across the country and in more than 200 countries and territories worldwide through a single electronic network for claims processing and reimbursement.
So it’s easy to see how the breach has the potential to be in the high tens of millions of records, and how many people might be affected by the incident in one way or another.
In an email message to members, the company’s president and CEO Joseph Swedish said the data includes individuals’ names, birthdays, social security numbers, street addresses, email addresses and employment information such as income data. Based on what the company knows, there’s no evidence that credit card or medical information, such as claims, test results or diagnostic codes, was targeted or compromised, the note says.
Anthem has retained a cyber security firm to evaluate its systems and identify solutions based on the “evolving landscape”.
Insurers in general are potential cyber attack targets because of the huge volumes of personal information they store and transmit. Like banks and other financial services companies, insurers rely on customers providing them with information about personal income. They also routinely gather data such as credit card numbers, social security numbers, addresses, etc.
And among criminals, healthcare insurers such as Anthem might be particularly attractive targets. As security site CSOOnline.com points out in a recent article, “with more health providers and insurers incorporating IT into clinical care, hackers are viewing the healthcare industry as their next target.”
Health insurance companies use electronic health records (EHRs) and manage and store other personal data such as credit card details, the article notes.
Aside from the obvious reasons why they need to protect against security breaches, health insurers also need to be concerned with regulations that address security issues, namely the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act.
To comply with these regulations, health insurers and others in the industry have had to be extremely vigilant about protecting patient information. The laws include provisions for safeguarding protected health information (PHI) such as names, addresses, medical conditions and treatments, and the fines for non-compliance can be substantial.
Furthermore, companies can suffer long-term damage to their reputations if they are found to be in non-compliance and experience a data breach.
All of this adds up to opportunities for channel partners to help clients in the insurance industry to better protect themselves against hackers, malware, denial-of-service, advanced persistent threats and other attacks.