Digital transformation has been a hot topic in our industry for the last six to 12 months, and for good reason. Digital technologies have revolutionized how benefits packages are sold and administered. Yet despite everything that digital transformation offers, it is not without its concerns. Among them is the secure transmission of data.
By law, brokers are required to protect personally identifiable information (PII) and protected health information (PHI). Exposing either type of information can result in significant financial penalties. HIPAA civil penalties alone range from $100 to $50,000 per violation, depending on the level of culpability, and are subject to an annual cap for each provision violated.
As a broker with access to very sensitive information, it's in your best interests to make sure you constantly maintain the latest security best practices in the following three areas:
1. Email Communications
Despite its effectiveness as a communication tool, email is risky. That is why it should not be used to transmit PII or PHI at all. Even that rule does not guarantee security, because email lands directly in front of the people who hold the data: users. A single phished mailbox exposes everything it contains and everything its owner can reach.
Today's attackers have moved past the network perimeter of the past to a new perimeter: identity. Rather than spending hour after hour trying to break into networks, they go after credentials, because it is far easier. Stealing one user's identity opens the door to a vast amount of lucrative data.
What does this mean for you as a broker? Use email cautiously. Educate your customers about phishing attempts. Create email policies that ensure, as much as possible, that recipients of your emails can tell the difference between legitimate messages and phishing attempts: send from a consistent, known address, never ask for credentials or sensitive data by email, and authenticate your outbound mail with SPF, DKIM and DMARC so that forged messages using your domain are rejected. Finally, encourage clients never to reveal or send PII or PHI in an email message.
2. Open Enrollment
Open enrollment is another gold mine of information for cyber thieves. If you are handling open enrollment online, and you should be, your technology platform must be kept patched and protected with current security controls. Clients should be strongly urged never to share usernames and passwords, and to turn on multi-factor authentication wherever the platform offers it. Passwords should be changed immediately whenever a compromise is suspected; forcing users to change them on a fixed schedule is no longer recommended by NIST (SP 800-63B), because it tends to produce weaker, predictable passwords.
All the data you maintain for open enrollment purposes needs to be encrypted at rest and in transit. It should also be protected by access permissions that grant each person or role only the fields and records their job requires (least privilege), and denied by default to everyone else. Limiting permissions this way goes a long way toward protecting data.
3. Policy Development
Embracing the digital transformation is not limited to adopting new technology. Along with that technology comes policies designed to protect PII and PHI. Your brokerage needs to develop and maintain appropriate policies now and in the future. Those policies should be supported by regular privacy risk assessments.
A quality assessment looks at what data is being collected, why it is being collected, how it is stored, and who has access to it. As previously stated, limiting permissions establishes a line of defense that is difficult to get past, but only as long as the identities holding those permissions are themselves secured with strong authentication. Restrict data access as much as possible. The fewer people with the credentials to access sensitive information, the lower the risk of a breach.
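The permission model described under Open Enrollment and the "who has access to what" question asked by the assessment above can be expressed in a small amount of code. The following is an added example written for this article, not code from any enrollment platform: roles, field names and the single enrollment record are constructed for illustration, and a real system would back the same checks with its database and identity provider. It denies by default, returns only the fields a role is allowed to see, records every read of a sensitive field for audit, and reports data that is being collected but that no role is permitted to read (a prompt to stop collecting it).

```python
"""Deny-by-default, field-level access to enrollment records with an audit trail.

Added example for illustration. Roles, fields and the sample record are
constructed here; they are not taken from any real enrollment system.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

# Each role may read only the fields its job requires. A field that is not
# listed for a role is denied; a role that is not listed is denied entirely.
ROLE_FIELDS = {
    "broker": {"employee_id", "plan", "effective_date", "ssn", "dob"},
    "hr_admin": {"employee_id", "plan", "effective_date"},
    "billing": {"employee_id", "plan"},
}

# Fields treated as PII/PHI for assessment and audit purposes (assumed set).
SENSITIVE_FIELDS = {"ssn", "dob", "diagnosis"}

# Constructed sample data; no real person is described.
SAMPLE_RECORDS = {
    "E-1042": {
        "employee_id": "E-1042",
        "plan": "PPO-Gold",
        "effective_date": "2024-01-01",
        "ssn": "123-45-6789",
        "dob": "1980-05-17",
        "diagnosis": "asthma",
    },
}


@dataclass(frozen=True)
class AuditEntry:
    when: str
    user: str
    role: str
    record_id: str
    fields: tuple          # fields actually released
    sensitive: tuple       # subset of those fields that are PII/PHI


class EnrollmentStore:
    def __init__(self, records):
        self._records = dict(records)
        self.audit = []

    def read(self, user, role, record_id):
        """Return only the fields `role` may see; log the access."""
        allowed = ROLE_FIELDS.get(role)
        if allowed is None:
            # Unknown role: deny, do not fall back to a default set.
            raise PermissionError(f"role {role!r} has no access")
        record = self._records.get(record_id)
        if record is None:
            raise KeyError(record_id)
        view = {k: v for k, v in record.items() if k in allowed}
        self.audit.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(),
            user=user,
            role=role,
            record_id=record_id,
            fields=tuple(sorted(view)),
            sensitive=tuple(sorted(set(view) & SENSITIVE_FIELDS)),
        ))
        return view

    def who_can_read(self, field_name):
        """Assessment question: which roles can reach this field?"""
        return sorted(r for r, fs in ROLE_FIELDS.items() if field_name in fs)

    def collected_but_unreadable(self):
        """Fields stored in records that no role is permitted to read.

        Data nobody is allowed to use is pure liability; the assessment
        should ask why it is being collected at all.
        """
        stored = set().union(*(r.keys() for r in self._records.values()))
        return sorted(f for f in stored if not self.who_can_read(f))

    def sensitive_reads(self, user=None):
        """Audit entries in which at least one PII/PHI field was released."""
        return [e for e in self.audit
                if e.sensitive and (user is None or e.user == user)]


if __name__ == "__main__":
    store = EnrollmentStore(SAMPLE_RECORDS)
    print(store.read("alice", "billing", "E-1042"))
    print("roles that can read ssn:", store.who_can_read("ssn"))
    print("collected but unreadable:", store.collected_but_unreadable())
    store.read("carol", "broker", "E-1042")
    for entry in store.sensitive_reads():
        print("sensitive read:", entry.user, entry.role, entry.sensitive)
```

The two report functions are the ones an assessment would run on a schedule: who_can_read answers "who has access" for each sensitive field, and collected_but_unreadable flags data that is retained without anyone needing it. In production the audit entries would go to a tamper-evident log rather than an in-memory list.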
It's also a good idea to automate security procedures where possible. Your automation capabilities are largely determined by the software you use, so consult your service provider or developer. The point is that automation makes your business more secure by removing manual handling of sensitive data where possible: fewer spreadsheets emailed back and forth, fewer copies of PII sitting on laptops, and fewer chances for a person to be tricked into sending data to the wrong place.
As a broker with a commitment to the digital transformation, you have an obligation to protect sensitive data. You owe it to your clients to keep their data safe, especially when that data is being transmitted between parties.