Because employees hand over sensitive, complete and up-to-date personal information during open enrollment, the firms collecting that information are a more attractive target for cyberattacks at that time than at any other.
“Insurance open enrollment presents huge opportunities for the bad guys to gain lucrative and exceptionally fresh records,” writes Tim Critchley for BenefitsPro. “Vast amounts of data are exchanged through call and contact centers, online forms and questionnaires. We know with a great deal of certainty that these periods are likely to see an increase in attacks. We must be vigilant during these episodes to safeguard and secure the data in a manner in which our customers expect.”
Here are three tips for safeguarding both your own firm and your clients’ employees.
- Educate Yourself and Your Clients
Hacking, phishing and ransomware techniques keep getting more sophisticated. Knowing what current attacks look like is the first line of defense against them.
“The solution to reducing data breaches is to educate patients and staff to be more aware of sophisticated phishing and spear-phishing schemes being used to access sensitive data,” writes Lucas Mearian for Computerworld. “Phishing is an attempt by cybercriminals to masquerade as a trustworthy entity in an electronic communication to gain sensitive consumer data. Phishing attacks typically come in the form of emails, social network messages or other forms of electronic communication.”
- Use Best Practices
Guarding against cyberattacks may seem complicated, but it doesn’t have to be, writes Erin Moriarty-Siler for BenefitsPro.
“‘Mom and apple pie stuff’ like patching systems, educating users, and using offline backups of data are easy ways for the health care industry to take strides in the right direction,” she writes. “As we raise the bar in health care, the criminal element will look somewhere else. They’ll never go away, but by raising the bar just a little bit, it’s like the bad guy rattling your door knob, noticing it’s locked, and moving on.”
- Avoid Storing Sensitive Data
Another way to prevent the theft of sensitive employee information is not to store it at all. The PCI Security Standards Council has long advised that if you don’t need the data, don’t ask for it or keep it. Critchley recommends taking that advice a step further.
“Even if you need it, don’t store it,” he writes. “Using encryption, tokenization and virtual technologies properly, you store a bunch of gobbledygook that has no value for the attacker.”
He cites the example of a customer keying his or her own sensitive data into the phone keypad, with the call center system routing that input directly to a payment gateway or secure server so the representative never sees it.
“Business is conducted effectively, yet there is little to no possible spillover of the data to unsecured or unmonitored areas of the business,” he writes.
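The tokenization approach Critchley describes, as an added example that is not code from the article or from any vendor it quotes: the benefits system keeps only a random token and the last four digits, while the mapping back to the real value lives in a separate vault (here a stand-in class for a payment gateway or tokenization service). The `TokenVault` class, the record layout, the HMAC key and the sample SSNs are all assumptions constructed for illustration.

```python
"""Tokenizing sensitive enrollment fields so the business system never stores them.

Added example, not code from the article or from any vendor it quotes. TokenVault
stands in for a payment gateway or tokenization service; the key, record layout
and sample values below are constructed for illustration.
"""
import hashlib
import hmac
import re
import secrets

SSN_PATTERN = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")


class TokenVault:
    """Stand-in for the tokenization service that holds the only mapping from
    token to real value. In production this runs in a separately secured system
    (or at the payment gateway); here it is in memory so the example runs offline."""

    def __init__(self, fingerprint_key):
        self._key = fingerprint_key
        self._value_by_token = {}
        self._token_by_fingerprint = {}

    def _fingerprint(self, value):
        # Keyed hash, not a plain hash: an unkeyed SHA-256 of a 9-digit SSN is
        # brute-forceable in seconds because there are only 1e9 candidates.
        return hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, value):
        """Return a random token for value, reusing the token if the same value
        was seen before so the business system can still match records."""
        fp = self._fingerprint(value)
        token = self._token_by_fingerprint.get(fp)
        if token is None:
            # 192 random bits; nothing about the token is derived from the value.
            token = "tok_" + secrets.token_urlsafe(24)
            self._value_by_token[token] = value
            self._token_by_fingerprint[fp] = token
        return token

    def detokenize(self, token):
        """Only the vault can turn a token back into the original value."""
        return self._value_by_token[token]


def normalize_ssn(raw):
    """Accept the digits as keyed into the phone or web form; reject anything else."""
    if not SSN_PATTERN.match(raw):
        raise ValueError("not a 9-digit SSN")
    return raw.replace("-", "")


def enroll(vault, employee_id, ssn_entered):
    """Build the record the benefits system keeps. The raw SSN goes straight to
    the vault and only the token and the last four digits come back."""
    ssn = normalize_ssn(ssn_entered)
    return {
        "employee_id": employee_id,
        "ssn_token": vault.tokenize(ssn),
        "ssn_last4": ssn[-4:],
    }


def record_exposes_ssn(record, ssn):
    """Does anything in the stored record reveal more than the last four digits?"""
    digits = normalize_ssn(ssn)
    for value in record.values():
        if digits in str(value) or digits[:5] in str(value):
            return True
    return False


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    # Constructed sample input: area number 000 is never assigned by the SSA.
    rec = enroll(vault, "E1001", "000-12-3456")
    print(rec)
    print("record exposes SSN:", record_exposes_ssn(rec, "000-12-3456"))
    print("vault can recover:", vault.detokenize(rec["ssn_token"]))
```

If the benefits database leaks, the attacker gets tokens and last-four digits, which are worthless without the vault; the vault in turn holds no employee names or plan data, so neither store alone is a complete record. The keyed fingerprint is what lets the same SSN map to the same token across forms without storing the SSN anywhere outside the vault.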