As the electronic backbone expands its power and reach to enable information interchange and transaction processing on a global scale, the risks and potential consequences of security breaches grow correspondingly acute. Members' personal and financial information presents an attractive target for identity thieves, who are increasingly skilled at penetrating data networks. Privacy of personal health information, today mandated by HIPAA and stringently regulated by state and federal agencies, requires the users and keepers of that information to go beyond the traditional IT security boundaries of applications, networks, and firewalls. Payers should integrate security measures and privacy policies into all business functions, from enrollment to claims processing to call centers and throughout the organization, whether those functions are performed in-house or offshore.
Attack-and-penetration engagements with payers tell a disturbing tale — diligent hackers can almost always gain access to members' personal health information. Typically, the human factor is the weak link. Employees use passwords that are easy to remember and hence easy to guess. They use the same passwords for multiple logins and change them infrequently if at all. Employees with ID badges will politely hold the door open for an unauthorized person, who can then connect to an on-premises network. To protect sensitive data, payers need to develop and enforce standardized security policies. Employees, customers, and suppliers must understand the risks of inadequate security and their responsibilities to prevent unauthorized access or use of member information.
A big challenge is to balance security of exclusion — keeping the bad guys out — with security of inclusion — giving controlled access to the right people. Too many security roadblocks will hinder the system's usefulness. Managing network access rights ensures that only people authorized to use a network can reach it. Categorizing data by sensitivity lets payers apply safeguards proportionate to the information being protected.
When payers integrate security into every business process, and make security and control a part of every business transaction, privacy and security become business enablers, standardizing processes and protecting assets.
How we can help you
PricewaterhouseCoopers can help you integrate security and privacy practices with IT risk management into a single, enterprise-wide framework. We're able to evaluate your information security and get at the root causes of vulnerabilities to remedy them, not just in a single application but throughout your enterprise. We have deep industry knowledge and global experience with the critical issues of privacy, security, and compliance to help you implement and maintain a secure, high-performance business infrastructure. A recent Forrester Wave™ report comparing security consulting firms said that we have "the best balance between strategy services and design and implementation services," and also rated us best in client and account management.