Today, it may seem that insurance carriers and their independent agent partners have harnessed technology and are effectively connecting in real-time to automate and accelerate routine processes while lowering the cost of processing insurance.
However, as insurance carriers and agencies alike embrace information technology advances that accelerate the speed at which new business can be acquired and existing business can be renewed or processed, achieving and maintaining adequate levels of information security becomes more than an item on the “to do” list. It’s now a strategic priority.
Addressing the three core concepts of information security (confidentiality, integrity and availability, or CIA for short) can reduce your risk, even in a connected, real-time world.
Confidentiality ensures only authorized individuals have access to data. With data breach notification laws in many states, and the expanding applicability of federal laws including the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act, both of which include information security requirements, maintaining the confidentiality of data in insurance systems is a civic duty.
Integrity ensures information is accurate and cannot be modified or manipulated except by those authorized.
In the interest of being able to trust internal data, it is critical that every insurance organization choose network protocols that perform adequate error checking and exception reporting. Data integrity can be further strengthened by eliminating redundant data entry and the errors that manual processes introduce.
The adoption of real-time tools and automated workflows standard in any enterprise content management project can help achieve data integrity as well.
Availability gives authorized users access to data or systems when and where it is needed. While insurer efforts to eliminate manual processes and paper files are certainly warranted and beneficial, new automated processes and electronic files make availability an even more crucial concept to plan for going forward.
If a catastrophe leaves your main office location without electric, phone or Internet service, proper business continuity and disaster recovery protocols, including system redundancy and geographic separation between sites, ensure that backup systems keep working as usual.
Working in a real-time world, today’s reality is that day-to-day business demands require a complex web of connectivity between customers, agencies, carriers and managing general agents that can leave critical data susceptible to unauthorized access.
Achieving these goals requires more than the use of complex passwords and isolating networks with firewalls. Maintaining CIA takes vigilant maintenance of security measures at every layer, combined with implementing a “defense in depth” strategy that puts controls around user workstations, the network’s perimeter, the internal network, host systems, applications, system interfaces and databases.
Let’s examine “defense in depth” in action.
User workstations (including laptops and mobile devices) have quickly become one of the weakest links in information security. Trends show hackers are more often booby-trapping popular websites with malware that steals confidential data and passwords from visiting workstations, as opposed to launching direct attacks against well-protected servers.
User workstations are more susceptible because they are often operated in a privileged mode (one in which running code has direct access to all hardware and memory in the computer system), left unpatched against critical security exposures and malware, and running on new platforms including smart phones.
Therefore, it is important to take the following steps to protect your organization:
o Stay current on security patches for workstations.
o Utilize hard-drive encryption.
o Use “kill-pill” technology, which can send a signal to a stolen device and scramble the data on the hard drive.
o Maintain up-to-date anti-malware.
o Be mindful of Internet usage by users.
At the network perimeter of your organization, you need adequate screening of traffic going out of the network as well as coming in to ensure sensitive data is transmitted only to those who are authorized to access it.
Perimeter devices such as network firewalls, Web application firewalls, intrusion detection/prevention systems, data loss prevention systems and e-mail filtering systems help block unauthorized traffic and alert security teams to suspicious activity.
Internally, it is important to design a network with security zones in mind, and to deploy network devices (such as switches and routers) in a hardened manner using security benchmark guides such as those published by the Center for Internet Security (http://cisecurity.org).
Consider the following:
o Host systems: Hosts need to be hardened by changing default configurations in accordance with best-practice security benchmark guides, and protected with host intrusion detection systems, anti-malware, and data integrity tools that detect unauthorized modification of critical system files.
Security patches must also be maintained, not just for the operating system, but also for other software, such as Adobe products or open source tools.
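The data integrity tools mentioned for host systems work by recording a baseline of file hashes and later comparing the live system against it. The following is an added example, not code from the article or from any vendor product: it builds a SHA-256 baseline over a constructed directory tree (the file names and contents are made up for illustration), simulates an unauthorized change, and reports modified, added and removed files. Including the permission bits in the hash means a mode change alone is flagged as well.

```python
"""File integrity monitoring: baseline and later verify hashes of critical files.

Added example (not from the original article). It assumes a directory tree to
watch and uses SHA-256 over each file's bytes plus its permission bits.
"""
import hashlib
import json
import tempfile
from pathlib import Path


def file_digest(path: Path) -> str:
    """SHA-256 over the file's permission bits and contents, so that a chmod
    alone (for example making a config file world-writable) is flagged too."""
    h = hashlib.sha256()
    h.update(f"mode:{oct(path.stat().st_mode & 0o7777)}\n".encode())
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its digest."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = file_digest(p)
    return baseline


def check_integrity(root: Path, baseline: dict) -> dict:
    """Compare the current tree against a stored baseline and return sorted
    lists of modified, added and removed paths."""
    current = build_baseline(root)
    return {
        "modified": sorted(k for k in baseline if k in current and current[k] != baseline[k]),
        "added": sorted(k for k in current if k not in baseline),
        "removed": sorted(k for k in baseline if k not in current),
    }


def run_demo() -> dict:
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "etc" / "app.conf").write_text("db_host=policydb.internal\n")
        (root / "bin").mkdir()
        (root / "bin" / "rate").write_bytes(b"constructed-binary-contents")

        # In practice the baseline is signed and kept off the host so the
        # host itself cannot silently rewrite it; here it is just serialized.
        stored = json.dumps(build_baseline(root))

        # Simulated unauthorized changes: an edited file, a new file, a deleted file.
        with (root / "etc" / "hosts").open("a") as f:
            f.write("203.0.113.5 policydb.internal\n")
        (root / "bin" / "unexpected").write_bytes(b"new file")
        (root / "etc" / "app.conf").unlink()

        return check_integrity(root, json.loads(stored))


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

In a real deployment the baseline is regenerated only after an approved change window, and the check runs on a schedule with its report forwarded to the security team rather than left on the host.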
o Applications: Besides security features such as transmission encryption, role-based access and audit trails, it is important for applications to be developed and tested with security in mind.
Observations of recent hacking activities clearly indicate a move from hacking the network and hosts to hacking applications by exploiting security vulnerabilities in the code. Use of a secure development life cycle, including risk assessments during design, secure code reviews before release and ongoing web application penetration testing, is essential.
o System interfaces: Well thought-out workflows, appropriate use of encryption technologies and implementation of secure protocols are necessary to maintain secure interfaces.
o Databases: At the final layer of defense, appropriate use of encryption, data masking, limits on direct connectivity and transaction audit trails are all important.
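The application layer above calls for role-based access and audit trails, and the database layer for data masking and transaction audit trails; the following added example (not code from the article or from any product) shows the three working together in front of a record store. Roles, field names and the single policy record are constructed for illustration. Each role sees only the fields it is entitled to in the clear, sensitive identifiers are masked for everyone else, every read attempt (including denied ones) is logged, and each audit entry carries the hash of the previous entry so that later tampering with the trail is detectable.

```python
"""Role-based access, data masking and a hash-chained audit trail.

Added example (not from the original article). Roles, fields and records are
constructed; values are fictitious.
"""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

# Constructed sample record store.
POLICIES = {
    "POL-1001": {"insured": "Jane Doe", "ssn": "123-45-6789",
                 "card": "4111111111111111", "premium": 1240.00},
}

# Fields each role may see unmasked; sensitive fields outside this set are masked.
ROLE_CLEAR_FIELDS = {
    "claims_adjuster": {"insured", "premium"},
    "billing": {"insured", "premium", "card"},
    "auditor": {"insured", "premium", "ssn", "card"},
}
SENSITIVE = {"ssn", "card"}

AUDIT_LOG = []  # append-only list here; in practice a write-once store off the DB host


def mask(field: str, value: str) -> str:
    """Keep only the trailing four characters of a sensitive identifier."""
    if field == "ssn":
        return "***-**-" + value[-4:]
    if field == "card":
        return "*" * (len(value) - 4) + value[-4:]
    return value


def append_audit(entry: dict) -> dict:
    """Append an entry whose hash covers its body plus the previous entry's hash."""
    prev = AUDIT_LOG[-1]["hash"] if AUDIT_LOG else "0" * 64
    entry = dict(entry, prev=prev, ts=datetime.now(timezone.utc).isoformat())
    entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
    AUDIT_LOG.append(entry)
    return entry


def verify_audit() -> bool:
    """Recompute the chain; any edited, reordered or deleted entry breaks it."""
    prev = "0" * 64
    for e in AUDIT_LOG:
        body = {k: v for k, v in e.items() if k != "hash"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if body.get("prev") != prev or expected != e["hash"]:
            return False
        prev = e["hash"]
    return True


def read_policy(user: str, role: str, policy_id: str) -> Optional[dict]:
    """Return the record masked according to role, or None if access is denied.
    Every attempt is audited, denied ones included."""
    allowed = ROLE_CLEAR_FIELDS.get(role)
    rec = POLICIES.get(policy_id)
    base = {"user": user, "role": role, "policy": policy_id, "action": "read"}
    if allowed is None or rec is None:
        append_audit(dict(base, result="denied"))
        return None
    view = {f: (v if f not in SENSITIVE or f in allowed else mask(f, v))
            for f, v in rec.items()}
    append_audit(dict(base, result="ok",
                      masked=sorted(f for f in SENSITIVE if f not in allowed)))
    return view


if __name__ == "__main__":
    print(read_policy("alice", "claims_adjuster", "POL-1001"))
    print(read_policy("bob", "intern", "POL-1001"))
    print("audit trail intact:", verify_audit())
```

The masking happens in the access layer rather than in each screen, so a new report or export cannot accidentally expose a full identifier; limiting direct database connectivity to this layer is what makes that guarantee hold.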
The responsiveness and efficiency benefits of a real-time world depend on the exchange of electronic data and documents. To protect that data, a “defense in depth” strategy with multiple layers of security controls must be implemented.
While the prospect of doing this may feel a little overwhelming, it is an essential part of responsible stewardship of the data entrusted to you by your customers and it cannot be ignored.
All of the participants in this real-time world must embrace this reality, including carriers, managing general agencies, independent agents, and the vendors who serve them.
Fortunately, practices and technology like those above are available today. Now, it’s time to adopt and apply them.
Vance Huntley is the Chief Technology Officer for Bothell, Wash.-based Vertafore. He can be reached via email at email@example.com.