Businessolver Blog

Best Practices for Stronger Cybersecurity for ERISA Plans

By Brooke Salazar, JD, Sr. Director of Compliance, on May 20, 2024

It's always a great time to review EBSA's suggested cybersecurity best practices for ERISA Plan sponsors, fiduciaries, and service providers, as well as Plan participants and beneficiaries, focusing on applicability to health Plan compliance.

Cybersecurity & HIPAA Compliance

Cybersecurity is the security of electronic systems. Plans subject to HIPAA face varying levels of compliance obligations. Bottom line: If you sponsor an ERISA health plan, you must also comply with HIPAA. If it is a self-insured health plan, or you offer a fully insured plan and receive more than summary health data for limited purposes, protection of PHI (including electronic PHI, "ePHI") is required. Strong cybersecurity is your best defense. For additional information, refer to our blog on Cybersecurity and the HIPAA Security Rule.

What does the EBSA Suggest?

EBSA's guidance consists of three documents, each targeted to a different audience:

  1. Cybersecurity Best Practices (ERISA Plans);
  2. Tips for Hiring a Service Provider (401(k) and Pension Plans); and
  3. Online Security Tips (Plan participants and beneficiaries).

EBSA's 12 Best Practices for Cybersecurity Programs:

  1. Create, document, and maintain a formal cybersecurity program. This includes a full risk assessment, risk management plan, and accompanying policies and procedures. Annual review of the program is suggested.
  2. Conduct a thorough risk assessment. This includes assessing every detail of your organization's information systems.
  3. Consider a third-party audit of your systems. This is key; EBSA outlines its expectations for an "effective audit program," including reports, files, test reports, and documentation of identified weaknesses.
  4. Clearly assign and define security roles and responsibilities. HIPAA Rules require Plans to appoint Privacy and Security Officials. EBSA's guidance follows suit. An effective cybersecurity program requires appointed leaders to implement and oversee the program. EBSA suggests criteria for an optimal appointee within the Best Practices document.
  5. Control access. EBSA outlines: companies must create strong processes and procedures to ensure people accessing data "are who they say they are."
  6. Cloud Access Cybersecurity. Cloud systems are often maintained by third-party service providers. If this is a Plan provider, then under HIPAA a Business Associate Agreement is likely warranted (which brings its own host of regulatory requirements). The message? Oversee your Plan providers.
  7. Cybersecurity Training. Conduct periodic cybersecurity awareness training and specialized HIPAA training for those with access to ePHI and PHI. For real-world training materials, check out our Cybersecurity: Real Life Scenarios.
  8. Secure Life Cycle Program. A secure SDLC process will include penetration testing, code review, regular vulnerability testing (also a HIPAA Security risk analysis practice), and assessment of program structure.
  9. Continuity Plans. EBSA suggests organizations implement a thorough "business resiliency program" to enhance "bouncebackability" in the event of a data breach or disaster. Such a program includes business continuity, disaster recovery, and incident response plans.
  10. Current Encryption Standards. To stay ahead of hackers and protect confidential information, consider implementing the most current form of data encryption programs.
  11. Controls: Implement strong technical solutions. Among several recommendations, a business's hardware, software, and firmware must be kept up to date, and routine data backups should be performed.
  12. Communication: Responsive Corrective Action. If a breach does occur, a company must respond in a timely, accurate, and thorough manner to the appropriate persons and authorities, whether that be HHS, insurers, or participants.

EBSA's guidance addresses elements of HIPAA's Security Rule. If you're an ERISA Plan sponsor, take note of your HIPAA compliance. Can you identify areas for improved cybersecurity? If so, learn more about our upcoming HIPAA solution to keep you on a secure compliance path: HIPAA10.