Benefits administrator blog from Delta Dental

Category: Privacy

How to respect enrollee (data) privacy

2-minute read

According to a recent survey, 90% of people worry about their data privacy, yet most feel powerless to protect it. We don’t want you to feel this way when it comes to your enrollees’ data. While Delta Dental has cyber risk experts and safeguards in place to keep enrollee data secure when we’re handling it — including personally identifiable information (PII) and protected health information (PHI) — you can take some simple steps to keep enrollee data private when it’s in your hands too.

We asked some of our cyber risk specialists for their top tips to help you safeguard private enrollee data.

Keep (and share) only what’s needed
The more private enrollee data you hold, the bigger the risk. If the data has already served its purpose and there is no operational or legal need to retain it, securely destroy it. The same principle applies when sharing sensitive information: send the minimum needed to get the job done.

Slow down, and check before you send
Before you transmit any private enrollee data, double-check that you are sending the correct information to the correct recipient. This may sound like common sense, but one of the most common types of privacy incident is sending sensitive data to the wrong person, whether electronically or by mail. Make sure you have the most current enrollee addresses, and keep any partners who also need them (like us!) up to date.

Build a strong virtual defense
Password protection is a key player, but it is just one part of the privacy defense. Using a VPN for remote access, maintaining strong firewalls and conducting regular vulnerability scans are also crucial to data privacy. Rather than attaching sensitive data to email, move it through a secure file transfer process such as SFTP. And don't forget about that data when it's not in transit: encrypting data at rest adds an extra layer of defense. (Pro tip: Never store private, sensitive data in your email.)

Empower yourself and your team
Data privacy can seem overwhelming without the right training. Cyber risks are always evolving; phishing scams, for example, have become so convincing that most people struggle to spot a fake. That is why anyone who handles PII or PHI should receive regular training to recognize threats and keep private enrollee data safe.

Want more tips like these? Subscribe to Word of Mouth, our newsletter for benefits administrators, human resources professionals and businesses.

Are you a broker, agent or consultant? Subscribe to Insider Update, our newsletter for benefits producers.

Fear and comfort: Why businesses should care about data security

As technology advances and we make more and more personal information vulnerable to cyber breaches, it’s difficult not to feel fear or anxiety about cyber security. According to the FBI’s Internet Crime Complaint Center, the FBI receives an average of 284,000 complaints each year of cybercrimes ranging from identity theft to phishing scams.

When businesses are on the line, the stakes are high. But that doesn't mean you can't find peace of mind when conducting business with other organizations. To find some comfort, make sure you are asking the right questions before you trust your information to a third party, including software vendors, hosting service providers and even insurers. As an insurer, Delta Dental handles both personally identifiable information (PII) and protected health information (PHI), so we take cybersecurity extremely seriously.

To point you in the right direction, we asked our security experts on staff to list some categories and questions to begin. Here are some of their suggestions.

Questions about baseline security considerations

  • What policies does your organization have in place to safeguard information?
  • How often does your organization review and update its security posture?
  • What measures has your organization taken to prevent security breaches and threats?

Delta Dental uses both our enterprise code of conduct and federal regulations to guide our information security practices, and we regularly update our policies.

Questions about physical and access safeguards

  • Does the organization use multi-factor authentication, combining two or more of the following factors?
    • Something you know (PIN, password or similar secret)
    • Something you are (a biometric verification)
    • Something you have (a smart card, badge or hardware token)

At Delta Dental we use a variety of physical and logical safeguards, including limiting both physical and system access to PII and PHI. We are proud to follow the principle of least privilege: staff receive only the level of access necessary to do their jobs.

Questions about technical safeguards

  • How does your organization secure data in transit?
  • Does your organization use encryption for data at rest?
  • Does your organization conduct regular vulnerability scans?
  • How does your organization evaluate third parties who may have access to PII or PHI?

For instance, we use secure file transfer (SFTP) for data in transit to and from Delta Dental, and we encrypt all sensitive information both in transit and at rest.

We also use a vendor evaluation matrix to determine what information our vendor partners have access to, and compare access to the level of risk they pose. We then categorize vendors as high-, medium- or low-impact vendors and assess them accordingly.

Questions about incident reporting protocol

  • What is your process for reporting a cyber security incident?
  • What is your timeline for reporting a cyber security incident?

These questions are crucial for building trust with an organization. At Delta Dental, we have four ways for employees to report any information breaches and three mandatory training programs to educate and encourage our employees on best practices in information security.


Life hack: 3 ways to make cyber security a priority

Did you know January 28 is Data Privacy Day? If so, you’re an information security rock star! If not, no worries — we’ve got you covered with some quick tips to bring you up to cyber speed.


We’re no stranger to exploring information security — from awareness and compliance to prevention, we’re constantly adapting to an evolving cyber landscape. Here are some ways your business can make data protection a priority, too:

  1. Know the impact

As evidenced in the wake of recent data breaches, people aren’t happy when their personal data is exposed in cyber attacks. But did you know that 76% of consumers say they’d abandon a company that experiences multiple breaches?

  2. Make compliance cultural

Studies have shown that having a dedicated incident response team in place before a breach occurs can significantly lower the financial impact on an organization. But take it one step further: share your organization's prioritization of data privacy with all of your employees, because the more they care, the more likely they are to take care.

  3. Do the math

If you’re not sure how your organization stacks up against cyber threats, try plugging some information into this Cost of a Data Breach calculator, provided by IBM and Ponemon Institute.

The calculator takes your organization's location, industry and security measures into account to deliver an estimated impact to your bottom line in the event of a breach. Take special note of how some factors, like participation in threat sharing and employee training, can actually lower your estimated costs.

Join the #DataPrivacyDay conversation on LinkedIn and Twitter, and subscribe to our newsletter for more industry news from Delta Dental.

One phish, two phish

Protected health information (PHI) is more valuable than credit card data on criminal markets. Meet the team protecting your PHI.

Last year, cybersecurity experts determined that PHI is especially attractive in criminal circles because it is more useful for identity theft than payment card data, which can be cancelled and reissued.

Have you ever wondered what Delta Dental is doing to protect you and your employees from a data leak or cyberattack? If you have, Sitaram Inguva — our director of Information Security — has some answers for you.


Q: How long have you been with Delta Dental?

A: I have been at Delta Dental for three years now, but the majority of my experience is in financial security. I have held positions at American Express, IBM and Cubic.

Q: Now that you’ve been in the health care sector, would you say that the stakes are higher with PHI than with average consumer information?

A: All matters of information security are serious, but PHI is quite attractive on the internet, and data breaches can be very expensive. A recent study¹ shows that a single compromised health record can cost a company more than $200 in reparation (per enrollee). For these reasons, we use world-class cybersecurity technology to prevent such compromises from happening.

Q: What causes a data breach?

A: A data breach can take many forms, the most obvious form being external hacking attempts by cyber criminals. However, they also happen due to technology gaps, human error and a lack of awareness. At Delta Dental, we of course use best-in-class technologies to protect information, but our most valuable line of defense is employee training and awareness. Apart from data encryption, current software upgrades and patches, our greatest priority is ensuring that our people are trained and up-to-date on best practices in information security.

Q: Are there any specific challenges you face in your job?

A: One challenge we face is striking a balance between convenience and security. As technology continues to evolve, and people rely more on mobile devices, we have to develop controls and safeguards alongside it. We want to offer our clients an excellent customer experience while also ensuring their private information is secure.

Q: Do you or your team have any information security super powers?

A: Our security team comprises very talented and highly trained professionals, many of whom hold industry-leading certifications including Certified Ethical Hacker (CEH), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA). These certifications are backed by years of information security work experience in health care, banking and government agencies.

Q: Is there anything else you want to share with our clients?

A: I have a few quick tips, plus an interesting resource to pass along.

  1. Make employee training a priority in protecting your own company’s records and any private information.
  2. Beware of phishing scams, hoaxes and urban legends. If it sounds too good to be true, it probably is. Always check a company’s known web address if you receive a suspicious email.
  3. Be aware of vulnerabilities like mobile devices — especially if children have access to them. Check out this project on staying safe online for some useful tips to pass on to your employees.

Thanks for reading, and stay tuned for more information on our IT security efforts!

¹ 2015 Cost of a Data Breach Study: United States, Ponemon Institute, May 2015

© 2020 Word of Mouth
