When it comes to assessing security risk, the insurance industry has a leg up on certain other sectors of the U.S. economy.
Insurance companies are likely to be for-profit, tightly structured, top-down organizations in which it is relatively straightforward to impose consistent security controls. They are also long used to meeting government regulations and typically have a formal, staffed information security program. These historic conditions have advanced the insurance industry to more rigorous and mature security programs compared to retail, healthcare, and other industries.
On the other hand, insurance companies face a number of specific challenges when it comes to managing risks to the information they collect and use.
Laws and regulations
Insurance companies must deal with numerous federal and state laws and regulations governing the industry. Companies commonly operate in multiple states, and each state has its own regulatory bodies and set of regulations. Federal laws such as the Gramm-Leach-Bliley Act (GLBA) superimpose additional requirements on insurers. The regulations can and do change, requiring industry attentiveness.
Further, laws and regulations may apply to specific lines of business. For example, the Commonwealth of Massachusetts significantly changed its approach to regulating auto insurance as of 2008.
This dynamic regulatory environment demands that insurance companies expend ongoing resources in identifying new and changed regulations, interpreting their impact, and implementing modified or new controls. Therefore, the risk assessment process must be flexible to adjust to new regulations. Testing controls that comply with out-of-date regulations waste resources and may cause an organization to overlook newer requirements, leading to compliance as well as potential security issues.
New business initiatives
For an insurance company, gaining a competitive edge can depend on initiatives such as finding new, creative ways to use customers' data or implementing technical communications efficiencies for customers, agents, and employees. These initiatives may be driven by powerful business motivations, but establishing a new business process should not be rushed at the expense of assessing the risk involved.
This calls for a flexible risk assessment approach to incorporate a company's new business and/or technical processes. It also requires inclusive communications with the security and risk assessment teams to ensure they are on board with new initiatives.
Volume of data and users
Insurance companies during the course of doing business collect and handle vast amounts of data -- the personal data of thousands or millions of customers, plus their personally identifiable claims data. This data is an asset, as data mining reveals trends and new business opportunities. But this same data is also a vulnerability.
Such a wealth of information provides an attractive target for data theft. As valuable as data mining exercises can be, broad data access by numerous users is an additional exposure. While numerous users will need authorization and have a business need to access certain records, there are opportunities for unauthorized browsing, as well as copying and modification of records. Recognizing that people are the weakest link in the security chain, there is a significant risk of unauthorized disclosure of information in this environment.
Once this risk is assessed, taking steps such as limiting access to employee claims and auditing all records access, including read-only access, should be standard procedure. Companies should be diligent in monitoring access, investigating anomalies, and in imposing sanctions on violators, as well as routinely reviewing user access to ensure stringent compliance with the "least necessary" principle.
Insurance companies should assess and manage information security risk by accounting for the standard threats and vulnerabilities all industries face, and also by recognizing special challenges significant to their industry.
About the author:
Kate Borten is president and founder of The Marblehead Group, Inc. She led the first corporate-wide information security program at Massachusetts General Hospital, and she is the former Chief Information Security Officer at CareGroup, a major healthcare system based in Boston. Ms. Borten is a nationally-recognized expert on HIPAA and health information privacy and security, and a frequent speaker on the topic. She is a contributing author to Auerbach Publications' Information Security Management Handbook; author of HIPAA Security Made Simple (HCPro, Inc. 2003) and Guide to HIPAA Security Risk Analysis (HCPro, Inc. 2004); contributor to newsletters on HIPAA privacy and security; and three-year chair of HealthSec, the premier annual conference on information security in healthcare.