Insurance companies are facing two big challenges, and both have to do with content. The first challenge is making content available to an increasingly mobile workforce, despite the fact that it is distributed across multiple data silos and protected by rigorous security controls. The second challenge is content security—keeping personally identifiable information (PII) safe from malicious or careless insiders and dangerous outsiders, like hackers and criminal syndicates. Last month, we addressed the first challenge. In this blog post, we will focus on the second challenge.
Challenge #2: Data Breaches Are Common and Costly
The headlines tell the story–along with retailers and hospitals, insurance companies are under attack from hackers and criminal syndicates. Successful data breaches against insurance companies have yielded private data on hundreds of millions of consumers and led to regulatory penalties and costly lawsuits. In a few cases, hackers did not have to break into company networks at all; security lapses exposed unencrypted data to the public.
Here are some recent example of data breaches affecting insurance companies:
- When hackers breached Anthem’s network using a simple password hack, they were able to steal unencrypted personally identifiable information (PII) for 78.8 million current and previous customers and employees. The breach, which affected approximately one in four Americans, was the largest in healthcare history. Mitigation costs are projected to exceed $100 million—the amount covered by the company’s data security insurance through AIG. The company is still facing a fine that could reach $1.5 million for violating the data security rule of the Health Insurance Accountability and Portability Act (HIPAA). In addition, several class action lawsuits are pending. They could end up costing the company billions of dollars.
- Centene Corporation lost six unencrypted disk drives cumulatively storing customer records for approximately 950,000 members. Announcing the loss in January 2016, the company noted that the disk drives “contained the personal health information of certain individuals who received laboratory services from 2009-2015 including name, address, date of birth, Social Security number, member ID number and health information.” The company is offering free healthcare and credit monitoring to consumers affected by the breach. Regulatory investigations are pending.
- Excellus Blue Cross Blue Shield was probably breached sometime in 2013. Over the next two years, hackers stole PII of over 10 million consumers, including some Social Security numbers and credit card information. Information about the cost of the breach is still pending. The Ponemon Institute has estimated that the typical cost of a data breach in the healthcare industry is $363 per record. Were this estimate to apply to the Excellus breach, the total cost could approach $4 billion.
- Premera Blue Cross Blue Shield was hit by a data breach affecting 11 million customers, the company announced in March 2015. For the previous year, hackers may have had access to “claims data, including clinical information, along with banking account numbers, Social Security numbers, birth dates and other data.” The breach was the largest to date involving patient records.
- WellPoint failed to protect over 600,000 medical records from Internet access. For this violation of Health and Insurance Portability and Accountability Act (HIPAA) Security Rule, the U.S. Department of Health and Human Services (HHS) fined the company $1.7 million.
- Zurich Insurance lost an unencrypted backup tape with PII for 46,000 customers in 2010. The UK Information Commissioner’s Office (ICO) fined the company £2,000,000, then the Financial Services Authority hit the company with a separate fine of £2,275,000.
The risks here are obvious. Hackers are targeting insurers for valuable PII. On the black market, healthcare records now sell for 10-20 times as much as credit card records, in part because EMV technology is making credit card fraud more difficult to perpetrate.
But PII can be divulged even without hackers. Removable media like the unencrypted disk drives used by Centene Corporation create their own content security risks. In its annual report on data breaches, Verizon noted 9,701 incidents of laptops, backup tapes, or other media being lost or stolen in 2015. The problem is most widespread in government and healthcare. (For more about the data security risks of removable media, see our blog post: Keeping Enterprises Safe from Risky Removable Media.)
Clearly, insurance companies need to redouble their efforts at data security. Strengthening password protection, encrypting data, using secure cloud storage instead of removable media—these and other security best practices would greatly reduce the chances of a company succumbing to a data breach.
The Solution: Secure Content Collaboration
Fortunately, technology is available to address the challenges of content security.
To prevent costly data breaches, insurance companies should implement a secure content collaboration solution that spans ECM systems and provides uniform, secure content access for employees. A secure content collaboration platform protects PII and other content from data breaches by enforcing state-of-the-art security controls to protect that content wherever it is—in the cloud, in transit, on a desktop, laptop, tablet or mobile device.
kiteworks, Accellion’s enterprise-class, private cloud content collaboration solution enables secure collaboration among employees and authorized external parties. The kiteworks solution also enforces data sovereignty for global deployments, ensuring that data governance complies with local laws and regulations.
More than 15 million business users and 2,500 of the world’s leading enterprises—including insurance companies such as Pacific Life, Kaiser Permanente, Sequoia, and many more—trust kiteworks to securely connect people to enterprise information from any device. Accellion has been named a leader in the Enterprise File Sync and Sharing category by Forrester Research and won top awards for security and knowledge management.
To help insurance companies and other enterprises address the challenges of data security, kiteworks provides:
- External Content Collaboration with Private Cloud kiteworks improves collaboration by providing enterprise users, project teams, and virtual data rooms with powerful, secure file sharing. Users can easily share files with other authorized users. Threaded discussions in workspaces give mobile workers instant access to the context of content so they can understand how and why files have changed.
- Secure Access Across All Devices kiteworks enables employees to access content and collaborate securely from any mobile device—without a VPN. kiteworks protects PII and other confidential data by storing it in secure containers (protected storage areas and protected memory) on mobile devices, and includes automatic malware scanning to ensure that on-device data is always safe.
- Enterprise Data Security and Compliance Insurance companies can protect sensitive information and intellectual property with enterprise-grade security features, including encryption of data in transit and at rest, granular access controls, monitoring of content distribution, digital watermarking, secure editing on mobile devices, and integration with other enterprise IT solutions, such as single sign-on and Data Loss Protection (DLP).
- Leverage Private Cloud Whether on-premises or in a dedicated hosting facility, private cloud content collaboration helps ensure the security, confidentiality, integrity, and availability of enterprise content. kiteworks customers have full control over their content and the encryption keys used to encrypt it.
The risk of data breaches will continue. And enterprises of all sizes will continue feeling the pressure to secure their most sensitive content while increasing productivity and operational efficiency.
Secure content management—delivered through kiteworks—can help insurance companies address both these challenges and make data access both rigorously secure and convenient.
To learn more about the kiteworks solution, please contact us.