It’s always a great time to review EBSA’s suggested cybersecurity best practices for ERISA Plan sponsors, fiduciaries, and service providers, as well as Plan participants and beneficiaries, focusing on applicability to health Plan compliance.
Cybersecurity & HIPAA Compliance
Cybersecurity is the protection of electronic systems and the data they hold. Plans subject to HIPAA face different levels of obligation depending on how they are structured. Bottom line: if you sponsor an ERISA health plan, you must also comply with HIPAA. If the plan is self-insured, or it is fully insured but you receive more than summary health information for limited purposes, you are required to protect PHI, including electronic PHI (“ePHI”). Strong cybersecurity is your best defense. For additional information, refer to our blog on Cybersecurity and the HIPAA Security Rule.
What does the EBSA Suggest?
EBSA’s guidance consists of three documents, each targeted to a different audience:
- Cybersecurity Best Practices (ERISA Plans);
- Tips for Hiring a Service Provider (401(k) and Pension Plans); and
- Online Security Tips (Plan participants and beneficiaries).
EBSA’s 12 Best Practices for Cybersecurity Programs:
- Create, document, and maintain a formal cybersecurity program. This includes a full risk assessment, risk management plan, and accompanying policies and procedures. Annual review of the program is suggested.
- Conduct a thorough risk assessment. This means identifying the Plan’s information systems, the data they hold (including PHI and participant account data), and the threats and vulnerabilities that put that data at risk.
- Consider a third-party audit of your systems. This is key; EBSA outlines its expectations for an “effective audit program,” including audit reports, audit files, penetration test reports, and documentation of identified weaknesses and their remediation.
- Clearly assign and define security roles and responsibilities. HIPAA Rules require Plans to appoint Privacy and Security Officials. EBSA’s guidance follows suit. An effective cybersecurity program requires appointed leaders to implement and oversee the program. EBSA suggests criteria for an optimal appointee within the Best Practices Document.
- Control access. EBSA outlines: companies must create strong processes and procedures to ensure people accessing data “are who they say they are.” In practice this means verifying identity with more than a password (multi-factor authentication) and limiting each user’s access to what their role requires.
- Cloud Access Cybersecurity. Cloud systems are often maintained by third-party service providers. If such a provider handles PHI on the Plan’s behalf, then under HIPAA a Business Associate Agreement is likely warranted (which brings its own host of regulatory requirements). The message? Oversee your Plan providers.
- Cybersecurity Training. Conduct periodic cybersecurity awareness training and specialized HIPAA training for those with access to PHI and ePHI. For real-world training materials, check out our Cybersecurity: Real Life Scenarios.
- Secure System Development Life Cycle (SDLC) Program. A secure SDLC process includes penetration testing, code review, regular vulnerability testing (also a HIPAA Security Rule risk analysis practice), and assessment of how the program is structured.
- Continuity Plans. EBSA suggests organizations implement a thorough “business resiliency program” to enhance “bouncebackability” in the event of a data breach or disaster. Such a program includes business continuity, disaster recovery, and incident response plans.
- Current Encryption Standards. Encrypt sensitive data both stored and in transit, using current, vetted encryption standards rather than outdated algorithms, to protect confidential information if systems or devices are compromised.
- Controls: Implement strong technical solutions. Among several recommendations, a business’s hardware, software, and firmware must be kept up to date, and routine data backups should be performed.
- Communication: Responsive Corrective Action. If a breach does occur, a company must respond promptly, accurately, and thoroughly to the appropriate persons and authorities, whether that be HHS, insurers, or participants.
EBSA’s guidance addresses elements of HIPAA’s Security Rule. If you’re an ERISA Plan sponsor, take note of your HIPAA compliance. Can you identify areas for improved cybersecurity? If so, learn more about our upcoming HIPAA solution to keep you on a secure compliance path: HIPAA10.