Securing Data in the Insurance Industry? Use the NIST Framework as a Guide

By: Katie Daggett


If you work in the insurance industry, you’re used to dealing with enormous amounts of highly sensitive information that must be kept secure. Similar to health care organizations, insurance companies must comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule to ensure the confidentiality, integrity and availability of electronic medical information.

Unfortunately, protecting the sensitive data you handle is neither easy nor inexpensive. To assist in this process, the National Institute of Standards and Technology (NIST) released the Framework for Improving Critical Infrastructure Cybersecurity. The goal of the NIST framework is to help organizations — including those in insurance — assess and manage cybersecurity risks in several key categories and functions through existing best practices.

Barriers to NIST Framework Implementation

Although the NIST cybersecurity framework is widely recognized as a standard for security best practices, Dark Reading reports that the high cost of implementation is preventing many organizations from fully adhering to its guidelines. The source notes that 64 percent of organizations are using part of the NIST framework but not all of its recommended controls.

For organizations that have already aligned their security programs to the NIST framework or the HIPAA Security Rule, the Office for Civil Rights also issued a “crosswalk” document that maps the two against each other and can be used to identify potential security gaps. By addressing these gaps, insurance companies can bolster their compliance with the Security Rule and improve their ability to secure personal health information and other sensitive business data.

NIST Guidelines for Data Security

The NIST framework organizes its guidance around five core functions for achieving effective cybersecurity:

  1. Identify;
  2. Protect;
  3. Detect;
  4. Respond; and
  5. Recover.

Data security, a subcategory of “protect” in the NIST framework, is an area of particular concern for organizations in the insurance industry when addressing security requirements for crucial data. According to the NIST framework, data security can best be achieved when:

  • A baseline configuration of IT/operational technology systems is created.
  • A system development life cycle is implemented to manage these systems.
  • Configuration change control processes are in place.
  • Data backups are managed.
  • Policies and regulations on the physical operating environment for organizational assets are met.
  • Information is destroyed according to policy and related requirements.
  • Protection processes are continuously improved.
  • Information sharing occurs among appropriate parties.
  • Response plans — business continuity, disaster recovery and incident handling plans — are in place and managed.
  • Response plans are exercised.
  • Cybersecurity is included in human resources practices, including de-provisioning, personnel screening and others.

Of course, data security is just one small piece of the entire NIST framework. As insurance companies apply these guidelines, they should pay close attention to shifting threats and how they can improve their ability to meet industry best practices.

Is Outsourcing the Answer?

To address data security and other security categories, subcategories, implementation tiers and framework profiles, insurance companies may want to consider partnering with a third-party security provider.

A security partnership can help insurance organizations more easily navigate the NIST framework’s implementation tiers to close security gaps. By partnering with a reliable security provider, organizations can ensure cost efficiency, simplify management and provide the scalability and flexibility necessary to avoid gaps in coverage as threats to data security continue to evolve.



About The Author

Katie Daggett

Freelance Writer

Katie Daggett is owner and chief content strategist of KD Copy & Content. She is an agency-caliber copywriter with more than 15 years' experience in marketing communications and specializes in creating exceptional B2B and B2C marketing content. Katie has worked with clients big and small in a variety of industries, writing everything from direct mail pieces to television ad campaigns. She has learned what it takes to write an effective headline or email subject line, how to engage readers emotionally so that they keep reading, and how to encourage them to take the next step with a strong call to action. Today, Katie specializes in writing SEO website copy and online marketing content directly for client companies. She is passionate about helping B2B and B2C marketers create content that generates more leads and converts those leads into sales.
