4. Cybersecurity And Privacy Flashcards
Discuss EB plans’ vulnerability to cyberattacks and other data breaches
EB plans are susceptible to forms of data malfeasance due to the broad range of personal, identifiable info involved in plan admin, and its potential market value. Healthcare systems & insurers appear to be at significant risk bc EHRs are valuable to criminals and the security measures protecting EHRs are often improperly implemented. Breaches are quite common. Significant costs are incurred when attacks succeed.
What challenges do plan sponsors & fiduciaries confront in dealing with cyberattacks & other breaches?
- Limited resources
- Insufficient technical expertise
- Lack of clear standards.
BP management folks rarely have cybersecurity expertise but are charged with protection of significant, sensitive individual data. Consulting experts can be prudent, but small firms might not have the resources/capacity to develop a customized, robust risk mgmt strategy, and may need to consider using cloud-based resources to offload security burdens to a cloud provider.
Alternatively, cyber insurance or other tools may be useful in designing a cost-effective program.
The data elements that BPs typically maintain that are subject to regulatory oversight are classified as (2 options)
- PII = personally identifiable information
- PHI = HIPAA-defined Protected Health Information
Define PII
Personally Identifiable Information is information that can be used to distinguish or trace an individual’s identity, such as their name, SSN, biometric records, etc., either alone or when combined with other personal or identifying info that’s linked/linkable to a specific individual - such as date and place of birth, mother’s maiden name, etc.
Define PHI
Protected Health Information is a term derived from the HIPAA Privacy Rule standards that address the use and disclosure of individuals’ health information. It is defined as information that is a subset of health information, including demographic information collected from an individual, and:
- Is created or received by a healthcare provider, health plan, employer, or healthcare clearinghouse, and
- Relates to the past/present/future physical/mental health or condition of an individual; the provision of healthcare to an individual; or the past/present/future payment for the provision of healthcare to an individual; and i) that identifies the individual OR ii) wrt which there is a reasonable basis to believe the info can be used to ID the individual
What arrangements linked to EB plan admin are likely to increase privacy risks?
Plan sponsors assume greater privacy risks when providing sensitive personal data of participants to service providers for plan admin. This additional risk is unavoidable, since admin’ing an EBP typically involves the assistance of service providers such as TPAs, outside payroll, benefits consultants, investment funds, investment advisors, and others. Service providers acting on behalf of EBPs collect & process large amounts of personal, medical, and financial info wrt participants & beneficiaries. Among the info are SSNs, email accounts, retirement assets & income figures. The collection and processing function is done thru automated systems that rely on the internet and thus call for close monitoring of the way service providers manage the info.
Describe the non-HIPAA compliance issues associated with the info accumulated by medical plans and their service providers
More than just HIPAA compliance is at stake with protecting the massive amount of info accumulated by med plans! A plan fiduciary cannot assume that service providers will handle all compliance obligations. Failure to identify & address privacy & security concerns with service providers may create exposure for ERISA fiduciaries.
Section 404(a) of ERISA requires a fiduciary to discharge their duties wrt a plan “solely in the interest of the participants and beneficiaries” and with “the care, skill, prudence, and diligence under the circumstances then prevailing that a prudent man acting in a like capacity and familiar with such matters would use in the conduct of an enterprise of a like character and with like aims.” Hiring a service provider to provide services to an ERISA-covered EBP is itself a fiduciary act, bc it requires discretionary control or authority over plan admin. Similarly, removing/retaining a service provider is a fiduciary act.
Describe an example of the cyber threat “Ransomware”
Cyber criminals encrypt and seize an entire hard drive and will only release it for a high ransom
Describe an example of the cyber threat “phishing”
Fraudulent emails are sent with the objective of enticing the user to interact and inadvertently provide an avenue for a criminal to infiltrate a computer network
Describe an example of the cyber threat “wire transfer email fraud”
Criminals pretend to be senior executives asking EEs to transfer funds
Describe an example of the cyber threat “Malware via external devices”
Intrusive and harmful software is stored on an external drive that is inserted into and executed on a network computer
Give 5 examples of data breaches that have occurred with retirement plans
- Failure to install security system updates
- Email hoax / phishing attack
- Downloads of plan info to a home computer
- SSNs mailed to wrong address
- Using the same password for multiple clients
Give 5 examples of data breaches that have occurred with medical plans (HIPAA-covered entities)
- Unencrypted info on laptops
- Failure to implement physical safeguards at workstations
- Return of photocopiers without erasing data contained on hard drives
- Lost documents with PHI
- Disposal of Rx in trash containers accessible to the public
What is meant by the cautionary statement, “You can outsource the work, but you cannot outsource the responsibility”?
The message is to be prudent in selecting service providers capable of protecting sensitive participant/beneficiary info, and to obligate providers by written contract to protect the info. It’s essential to get verification that the provider implements appropriate privacy/security systems, and that all groups with access to the plan’s sensitive personal info are obligated to protect that info. These relationships should be subject to substantially similar risk mgmt, security, privacy, and other policies that would be expected if the fiduciary were conducting the activities directly.
Following a data breach, regulators often review & evaluate the role of the service provider, the due diligence that was performed before the provider’s selection, and the contract provisions wrt privacy and data security obligations and responsibilities. Plan fiduciaries that fail to address these issues rigorously can be vulnerable on many fronts.
What are key governing laws, enforcement actions, and industry standards requiring service provider management of regulated personal info? (5)
- HIPAA and its business associate reqs
- Federal Trade Commission (FTC) data security enforcement actions against company failures to oversee service providers with access to personal info
- State info sec laws requiring oversight of data-related service providers
- The Gramm-Leach-Bliley Act controlling the ways financial institutions deal with private information of individuals
- Payment Card Industry Data Security Standards