The Department of Labor’s Employee Benefits Security Administration (EBSA) has spoken “officially” for the first time regarding best practices for ERISA Plan fiduciaries regarding cybersecurity. Let’s set the stage for why this is important news, then review the EBSA’s suggested “best practices” for ERISA Plan sponsors, fiduciaries, and service providers, as well as Plan participants and beneficiaries, focusing on applicability to health Plan compliance.
What (and Who) is a Fiduciary?
Simply put, a fiduciary is person with discretionary decision-making power. We’ve posted a previous blog about differences between “named” and “functional” fiduciaries, accessible here: Functional Fiduciary. For ERISA Plans, a fiduciary role is where the rubber meets the road. Fiduciaries must make decisions in the best interests of participants. For Plans, this may look like claim determinations and choice of Plan service providers. Most notably for this article, ensuring Plan data is valid, accessible to authorized entities, and safe from unauthorized ones.
Does this Affect HIPAA Compliance?
Yes! Yes, and YES. Cybersecurity is the security of electronic systems; Plans subject to HIPAA must comply with varying levels of compliance. Bottom line: If you sponsor an ERISA health Plan, you must also comply with HIPAA. If it is a self-insured health Plan, or you offer a fully insured Plan and receive more than summary health data for limited purposes, protection of PHI, (including electronic PHI “ePHI”) is required. Strong cybersecurity is your best defense.
What does the EBSA Suggest?
The EBSA’s news release contained three documents, each targeted to a different audience:
- Cybersecurity Best Practices (ERISA Plans);
- Tips for Hiring a Service Provider (401(k) and Pensions Plans); and
- Online Security Tips (Plan participants and beneficiaries).
EBSA’s 12 “Best Practices” for Cybersecurity Programs:
- Create, document, and maintain a formal cybersecurity program. This includes a full risk assessment, risk management plan, and accompanying policies and procedures. Annual review of the program is suggested.
- Conduct a thorough risk assessment. This includes assessing every detail of your organization’s information systems.
- Consider a third-party audit of your systems. This is key; the EBSA outlines their expectations for an “effective audit program” including reports, files, test reports, and documentation of identified weaknesses.
- Clearly assign and define security roles and responsibilities. HIPAA Rules require Plans to appoint Privacy and Security Officials. EBSA’s guidance follows suit. An effective cybersecurity program requires appointed leaders to implement and oversee the program. EBSA suggests criteria for an optimal appointee within the Best Practices Document.
- Control access. EBSA outlines: companies must create strong processes and procedures to ensure people accessing data “are who they say they are.”
- Cloud Access Cybersecurity. Cloud systems are often maintained by third-party service providers. If this is a Plan provider, then under HIPPA, a Business Associate Agreement is likely warranted (that brings it’s own host of regulatory requirements). The message? Oversee your Plan providers.
- Cybersecurity Training. As ESBA states, employees may be the weakest link in a security program; therefore, training your workforce is necessary – and also a HIPAA Plan requirement.
- Secure Life Cycle Program. A secure SDLC process will include penetration testing, code review, regular vulnerability testing (also a HIPAA Security risk analysis practice) and assessment of program structure.
- Continuity Plans. EBSA suggests organizations implement a thorough “business resiliency program” to enhance “bouncebackability” in the event of a data breach or disaster. Such a program includes business continuity, disaster recovery, and incident response plans.
- Current Encryption Standards. To stay ahead of hackers and protect confidential information, consider implementing the most current form of data encryption programs.
- Controls: Implement strong technical solutions. Among several recommendations, a business’ hardware, software, and firmware must be kept up-to-date, and routine data backups should be performed.
- Communication: Responsive Corrective Action. If a breach does occur, a company must respond timely, accurately, and thoroughly to appropriate persons and authorities, whether that be HHS, insurers, or participants.
EBSA’s guidance addresses elements of HIPAA’s Security Rule. If you’re an ERISA Plan sponsor, take note of your HIPAA compliance. Can you identify areas for improved cybersecurity? If so, learn more about our upcoming HIPAA solution to keep you on a secure compliance path: HIPAA10