Compliance or Opportunity? Understanding Cyber Security in Health and Human Services Sector

February 5, 2018 by

If you live outside of New York State and haven’t heard of the New York State Department of Financial Services 23 NYCRR Part 500 (DFS 500), you should pay very close attention.

Earlier this year, New York implemented the most comprehensive cyber security law in the nation, impacting the financial services and insurance industries. While for the average insurance agent, this may appear as an arduous process and a “box to check,” we implore agents to evaluate the process through a different lens. Not one of security for the sake of compliance, but security for the sake of security. As the journey of implementation of the regulation continues, we’d like to share some experiences and potential things to consider if you are insuring the health and human services industry.

The Regulation and Challenges Ahead

The introduction of the New York state regulation came in late 2016 with an effective date of March 1, 2017. There are several key dates along the way. However, final implementation of the full regulation will come on March 1, 2019, proving that these comprehensive cyber security programs are not built overnight.

Some key challenges that organizations will face regarding anticipated future regulations like DFS 500 will be getting the key people in place to manage the cybersecurity program. Most, if not all agencies, have the basic security measures in place. These basic measures might include firewalls, antivirus protection, minimum password standards and automatic updates of critical patches to all systems.

However, having dedicated IT staff and expertise in areas outlined in the regulation for conducting risk assessments, vulnerability and penetration testing, multifactor authentication and encryption of data will most likely require the engagement of third-party vendors to meet the requirements.

It is no secret that human error is the No. 1 cause of data breaches. While ongoing data security training and awareness are important, having data access privileges according to an employee’s corresponding job duties is a critical control in managing the “human error” exposure. If data security is not currently a top priority for your agency, it certainly should be in 2018.

For those insuring the health and human services industry, chances are your clients are covered entities as it pertains to HIPAA and the iterations it has gone through over the years (HITECH ACT, Omnibus Final Rule). For this reason, we recommend ensuring the appropriate HIPAA assessment is conducted in conjunction with any required cybersecurity risk assessment.

With a large majority of health and human service providers already having moved to an electronic health record, you as an agent are far more likely to possess ePHI (electronic protected health information) than any hard copy data (although physical controls of hardcopy PHI are also required). By conducting both cyber security and HIPAA assessments simultaneously, you’ll find that much of what is required in one assessment is also covered in the other.

For example, part of having a HIPAA-compliant program is implementing procedures as to who can access certain information. This again can be controlled through technical control discussed previously, limiting data access privileges according to an employee’s job duties. In October 2017, the Identity Theft Resource Center reported that there had already been 4.8 million medical records stolen. This is not an exposure that is going away, and it is reaching epidemic proportions.

While there are challenges in enhancing your cyber security program, there are plenty of benefits from undergoing a risk assessment of this magnitude.

First, becoming intimately familiar with your organization’s processes will allow you to implement efficiencies and safeguards to strengthen business processes. Perhaps the biggest benefit is obtaining a far better understanding of the cyber exposure and necessary controls. This allows agents to engage in conversations with their clients about the exposure in a thoughtful and intelligent way.

The added value that agents can show through their intellectual capital and the comfort that a client receives knowing the information they provide you is protected is priceless. This truly epitomizes the concept of selling cyber insurance from the inside out.

To learn more about New York’s Cybersecurity 23 NYCRR Part 500, visit: www.dfs.ny.gov/about/cybersecurity.htm