Securing Data in the Insurance Industry? Use the NIST Framework as a Guide
If you work in the insurance industry, you’re used to dealing with enormous amounts of highly sensitive information that must be kept secure. Similar to health care organizations, insurance companies must comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to ensure the confidentiality, integrity and availability of electronic medical information.
Unfortunately, protecting the sensitive data you handle is neither easy nor inexpensive. To assist in this process, the National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity. The goal of the NIST framework is to help organizations — including those in insurance — assess and manage cybersecurity risks in several key categories and functions through existing best practices.
Barriers to NIST Framework Implementation
Although the NIST cybersecurity framework is widely recognized as a standard for security best practices, Dark Reading reports that the high cost of implementation is preventing many organizations from fully adhering to its guidelines. The source notes that 64 percent of organizations are using part of the NIST framework but not all of its recommended controls.
For organizations that have already aligned their security programs to the NIST framework or the HIPAA Security Rule, the Office for Civil Rights also issued a “crosswalk” document that maps the two against each other and can be used to identify potential security gaps. By addressing these gaps, insurance companies can bolster their compliance with the Security Rule and improve their ability to secure personal health information and other sensitive business data.
NIST Guidelines for Data Security
The NIST framework outlines five categories of core functions for achieving effective cybersecurity:
- Identify;
- Protect;
- Detect;
- Respond; and
- Recover.
Data security, a subcategory of “protect” in the NIST framework, is an area of particular concern for organizations in the insurance industry when addressing security requirements for crucial data. According to the NIST framework, data security can best be achieved when:
- A baseline configuration of IT/operational technology systems is created.
- A system development life cycle is implemented to manage these systems.
- Configuration change control processes are in place.
- Data backups are managed.
- Policies and regulations on the physical operating environment for organizational assets are met.
- Information is destroyed according to policy and related requirements.
- Protection processes are continuously improved.
- Information sharing occurs among appropriate parties.
- Response plans — business continuity, disaster recovery and incident handling plans — are in place and managed.
- Response plans are exercised.
- Cybersecurity is included in human resources practices, including de-provisioning, personnel screening and others.
Of course, data security is just one small piece of the entire NIST framework. As insurance companies apply these guidelines, they should pay close attention to shifting threats and how they can improve their ability to meet industry best practices.
Is Outsourcing the Answer?
To address data security and other security categories, subcategories, implementation tiers and framework profiles, insurance companies may want to consider partnering with a third-party security provider.
A security partnership can help insurance organizations more easily navigate the NIST framework’s implementation tiers to close security gaps. By partnering with a reliable security provider, organizations can ensure cost efficiency, simplify management and provide the scalability and flexibility necessary to avoid gaps in coverage as threats to data security continue to evolve.