How to Mitigate the Risks of Cloud Computing
The technology challenges facing insurance agents today might seem insurmountable: The very tools that could revolutionize the industry – like the cloud – could also compromise their security.
Agents are hard-pressed to find solutions, as regulatory oversight is stepping up just as clients are demanding more personalized service. But as employees are increasingly bringing the tools they rely on in their personal lives to work, turning a blind eye to the cloud’s won’t work. File-level, on-device encryption addresses many of these concerns, and it’s the key from which many other solutions flow.
Advantages of the Cloud
It’s no secret that the cloud is simplifying business everywhere. But few industries are as poised to take advantage of the cloud’s productivity advantages as property/casualty insurance. Take, for example, something as routine as contract signings. Consumers are no longer willing to deal with having to open, print, sign, scan and send documents – it’s a lot of work for so simple a task.
As consumers grow increasingly comfortable with enterprise-quality technologies like Dropbox, they’re bringing a new set of expectations to the table: Namely, that agents are as efficient and responsive as they’re able to be.
The cloud helps unlock the full potential of mobile devices, making information available whenever and wherever agents find themselves. The right tools are making it possible to be as efficient out in the field as you can be from the office. It’s also making agents better prepared, ready to address issues as they crop up and respond to inquiries in real time.
The Cloud’s Dark Lining
Shared networks sit at the heart of cloud computing, meaning that when someone backs up data in one place, like a desktop, it syncs to a host of other devices. But this proliferation of files leaves data unprotected on many devices. With more than 4.5 million smartphones lost or stolen in the United States in 2013 according to Consumer Reports, it’s not difficult to imagine a scenario in which a lost laptop, tablet, or phone undermines clients’ security. The convenience of the cloud demands stronger protections to prevent sensitive data from falling into the wrong hands.
Those protections are gradually increasing to address the progress of technology. Their oversight might be seen as crucial catch-up, given that it’s coming at a time when breaches are disproportionately capturing healthcare records. It’s no surprise that medical data has captivated the interest of bad actors when you consider that medical records can fetch more than 10 times as much as financial data on the black market. The fact that medical records are becoming electronic carries more opportunities for mistakes.
For a long time, privacy regulations under the Health Insurance Portability and Accessibility Act (HIPAA) didn’t exactly apply to property/casualty insurers. But all that is changing with recent updates to the law, including The Health Information Technology for Economic and Clinical Health (HITECH) Act, requiring that insurers handling protected health information comply – leaving many struggling to catch up, if they’re thinking about it at all.
Even for agents who only occasionally touch this sensitive data – such as when it’s necessary to obtain a full health history to settle claims – HIPAA compliance and its labyrinth of rules for securing data suddenly come into play. In recent years, the Office of Civil Rights has announced plans to increase its audits – as well as scrutinize business associates like insurance companies.
Mistakes are an important consideration in this context, because user errors are far more likely to cause breaches than hackers. Data from the Ponemon Institute suggests that more than 80 percent of breaches are due to employee mistakes including lost devices and accidental sharing.
What Agents Can Do
It’s true that risks associated with the cloud are broader than HIPAA compliance, but those rules help put threats in context. They also provide a roadmap for how a business should evaluate the strength of a particular solution.
Encryption should form the basis of any strategy to protect insured parties’ information. The right approach will be transparent, so that the extra layer of protection doesn’t require a convenience compromise.
File-level encryption makes it easier to associate every modification, copy, access, or share operation made to encrypted files with a particular user. Encryption can also protect data integrity, making it impossible to modify files without access to the file’s specific encryption keys.
HIPAA requires full audit trails for PHI, but it’s a good practice for any organization. It comes down to knowing what’s happening with your sensitive files. That includes times like when a device is lost or stolen, or when an employee is terminated. Certain cloud security solutions provide a device block feature, which administrators can use to remotely wipe the keys associated with certain devices and users so that the sensitive information cannot be accessed.
The one thing that insurance companies and agents can’t do is ignore the cloud. A recent McAfee-sponsored Frost & Sullivan study found that more than 80 percent of survey respondents admit to using non-approved software-as-a-service (SaaS) applications for work. It also found that people use non-approved services for one reason: They simply need to get their work done, and these tools help.