Benefits administrator blog from Delta Dental

Tag: Privacy

How to respect enrollee (data) privacy

2-minute read

According to a recent survey, 90% of people worry about their data privacy, yet most feel powerless to protect it. We don’t want you to feel this way when it comes to your enrollees’ data. While Delta Dental has cyber risk experts and safeguards in place to keep enrollee data secure when we’re handling it — including personally identifiable information (PII) and protected health information (PHI) — you can take some simple steps to keep enrollee data private when it’s in your hands too.

We asked some of our cyber risk specialists for their top tips to help you safeguard private enrollee data.

Keep (and share) only what’s needed
The more private enrollee data you have, the bigger the risk. If the data has already served its purpose and there isn’t an operational or legal need for it, it’s best to destroy it. The same principle applies when sharing sensitive information — send the minimum amount needed to get the job done.

Slow down, and check before you send
Before you transmit any private enrollee data, double check that you’re sending the correct information to the correct recipient. This may sound like common sense, but one of the most common types of privacy incidents is sending sensitive data to the wrong person — electronically or via snail mail. Be sure that you have the most current enrollee addresses, and always update any necessary partners who may also need them (like us!).

Build a strong virtual defense
Password protection is a key player, but it’s just one part of the privacy defense. Using a VPN for remote access, maintaining strong firewalls and conducting regular vulnerability scans are also crucial to data privacy. If you’re sending any sensitive data, be sure to do so safely, such as through a secure file transfer protocol (SFTP) rather than a plain email attachment. And don’t forget about that data when it’s not in transit — using encryption for data at rest adds an extra layer of defense. (Pro-tip: Never store private, sensitive data in your email.)

Empower yourself and your team
Data privacy can seem overwhelming without the right training. Cyber risks are always evolving; phishing scams, for example, have become so advanced that it’s difficult for most people to spot a fake. That’s why it’s so important for anyone who handles PII or PHI to receive regular training to identify threats and keep private enrollee data safe.

Want more tips like these? Subscribe to Word of Mouth, our newsletter for benefits administrators, human resources professionals and businesses.

Are you a broker, agent or consultant? Subscribe to Insider Update, our newsletter for benefits producers.

Pumpkin spice, autumn skies … and enrollee notices?

When the leaves start changing, it’s a sign that open enrollment is just around the corner. This is a great time to educate new enrollees — and remind current enrollees — about their rights.

Federal and state laws require groups to notify enrollees about enrollee rights and privacy practices.[1] Don’t worry — we’ve made it easy for you to share. All of the notices are available on our website, where enrollees can view and download each document. Additionally, during open enrollment we provide groups with an enrollee flyer summarizing all of the notices.

Please share the notices with current enrollees annually, and with all new enrollees within 30 days of eligibility.

Not sure how to share? Here are some tips:

  • Post the notices on your company Intranet
  • Email employees a link to the notices
  • Place copies of the notices in common areas, or in the HR area
  • Include copies of the notices in your next company mailing

If enrollees have any questions about the notices, they can call 866-530-9675.

Now relax, and enjoy the season! And for more ways to have fun this fall, encourage enrollees to subscribe to Grin!, our free oral health e-magazine.


[1] Self-funded groups are not required to share Delta Dental’s enrollee notices, and may opt to use their own notices; however, these notices cannot be in conflict with Delta Dental’s practices.

Certified Ethical Hacker: Oxymoron or Information Security genius?

We hope you’ve enjoyed reading our internal spotlight series on Delta Dental’s Information Security. (In case you missed any content, check out our article on employee training and compliance and our interview with Sitaram Inguva, Director of Information Security.)

Did you ever think you’d be thankful to read the term “hacker”? If not, we may have a new perspective for you. Meet Chad Greiner, Security Engineer III and Certified Ethical Hacker (CEH) in training, and see how he’s going the extra mile to protect your organization’s privacy.


Q: How long have you been with Delta Dental, and what other jobs have you held in your field?

A: I’ve been here for about six years. Before joining this team, I worked for a medical alert device company. I served as the main administrator for their entire IT operation.

Q: You’re training to become a CEH. Are there any other certifications you have or plan to earn?

A: Yes, I’m a Certified Information Systems Security Professional (CISSP). The CISSP seems sort of like a generalized job title, but it’s actually a comprehensive certification. To sit for the exam, you have to have about five years’ worth of work experience, be recommended by a fellow CISSP in good standing and re-certify every three years. The CEH is kind of an extension of the CISSP, except it focuses on strategies to help you think like a criminal — so you’re better armed to prevent a cyberattack.

Q: I think that makes sense. Sort of like an information security version of Criminal Minds. With that said, do you think the CEH is a controversial certification?

A: We don’t view it as controversial within the security industry. My perspective is that any type of attack is a crime, so in any criminal field, you need to understand the people you’re trying to catch or obstruct to be effective at your job.

Q: That makes sense. How would you respond to criticism that the title “ethical hacker” is an oxymoron?

A: In my mind, intent is what makes an action ethical or unethical. I’m not necessarily learning how to break things; instead, I’m learning how things can be broken to prevent breaches in security from occurring.

Q: What do you think is the most important aspect of your CEH training?

A: Learning about what tools are out there has been extremely important. Early on in my career, there weren’t as many “hacking” opportunities readily available to experienced cybercriminals, let alone the average person. The way technology is evolving has made it easier to access private information — so it’s that much more important to learn every defense against cyberattacks that we can.

Q: Why do you think being a CEH is particularly valuable to an analyst within an organization like Delta Dental?

A: Knowing what to protect against — knowing what avenues people can take in an attack — is critical. It’s really the first and most important step in securing private information. Our clients can have confidence in knowing that, with a CEH, we’re able to get into a criminal’s mindset and get a step ahead of them.

Q: Absolutely. Okay, this is the most important question of all. If you could choose any superhero to compare your work to, who would you choose and why?

A: I can honestly say I’ve never thought about this […] I’d have to say Captain America, since he has the shield and I really see myself as shielding our organization and our clients from people and scenarios that could jeopardize everyone’s privacy.


Thanks for reading our series on Information Security! Stay tuned for more client news and insights from Delta Dental.


One phish, two phish

Protected Health Information (PHI) is more valuable than credit cards on the internet. Meet the team protecting your PHI.

Last year, cybersecurity experts determined that PHI is especially attractive in criminal circles because it can be more useful in identity theft.

Have you ever wondered what Delta Dental is doing to protect you and your employees from a data leak or cyberattack? If you have, Sitaram Inguva — our director of Information Security — has some answers for you.


Q: How long have you been with Delta Dental?

A: I have been at Delta Dental for three years now, but the majority of my experience is in financial security. I have held positions at American Express, IBM and Cubic.

Q: Now that you’ve been in the health care sector, would you say that the stakes are higher with PHI than with average consumer information?

A: All matters of information security are serious, but PHI is quite attractive on the internet, and data breaches can be very expensive. A recent study[1] shows that a single compromised health record can cost a company more than $200 in reparation (per enrollee). For these reasons, we use world-class cybersecurity technology to prevent such compromises from happening.

Q: What causes a data breach?

A: A data breach can take many forms, the most obvious form being external hacking attempts by cyber criminals. However, they also happen due to technology gaps, human error and a lack of awareness. At Delta Dental, we of course use best-in-class technologies to protect information, but our most valuable line of defense is employee training and awareness. Apart from data encryption, current software upgrades and patches, our greatest priority is ensuring that our people are trained and up-to-date on best practices in information security.

Q: Are there any specific challenges you face in your job?

A: One challenge we face is striking a balance between convenience and security. As technology continues to evolve, and people rely more on mobile devices, we have to develop controls and safeguards alongside it. We want to offer our clients an excellent customer experience while also ensuring their private information is secure.

Q: Do you or your team have any information security super powers?

A: Our security team is made up of very talented and highly trained professionals, many of whom have industry-leading certifications including Certified Ethical Hacker (CEH), Certified Information Systems Security Professional (CISSP), Certified Information Security Manager (CISM) and Certified Information Systems Auditor (CISA). These certifications are backed by years of information security work experience in health care, banking and government agencies.

Q: Is there anything else you want to share with our clients?

A: I have a few quick tips, plus an interesting resource to pass along.

  1. Make employee training a priority in protecting your own company’s records and any private information.
  2. Beware of phishing scams, hoaxes and urban legends. If it sounds too good to be true, it probably is. Always check a company’s known web address if you receive a suspicious email.
  3. Be aware of vulnerabilities like mobile devices — especially if children have access to them. Check out this project on staying safe online for some useful tips to pass on to your employees.

Thanks for reading, and stay tuned for more information on our IT security efforts!


[1] 2015 Cost of a Data Breach: United States, Ponemon Institute, May 2015

© 2020 Word of Mouth
