By Ryan Baldwin, CTO of PlanSource
NOTE: This post originally appeared as a featured blog post on Employee Benefit News
As the Affordable Care Act moves forward, benefits enrollment and management will increasingly be done online. Enrollment systems don’t typically collect credit card information, but they do collect a lot of personally identifying data – names, addresses, phone numbers, birth dates, and Social Security numbers. This makes them an ideal target for identity theft. While there hasn’t been a major breach in the benefits world yet, the risk is very real.
Whether you’re a broker evaluating carriers and exchange partners or an employer looking at broker exchange offerings, you need to do a thorough security evaluation of any vendor you’re thinking of doing business with. Considering today’s highly evolved and aggressive cyber criminals, you should look for evidence of a major investment in secure processes, people and systems.
An annual SOC 2 audit should be the minimum requirement for anyone you’re considering doing business with.
First, let’s look at what SOC 2 is and is not. It’s expensive and intense, but it is not a security audit so much as it is an operational audit, making sure that IT, HR and operations have foundational controls and processes in place.
A SOC 2 audit evaluates criteria such as what kind of background checks the employer performs or whether they require visitors to sign in and out. It also examines the data center’s physical security as well as firewalls, intrusion detection systems, and the like.
It will also look at some of the basic processes performed by IT, such as backups and deployments, and how they are controlled. How does each firm make sure that an intruder can’t inject harmful or malicious source code into the system?
What SOC 2 does not do is get into actual scanning of systems, or evaluating software directly. Compliance with SOC 2 gives you a good indicator of how involved the business is with security issues, and moves you towards having the right processes to catch problems. But when you get down into the specifics of information security, you have to go much, much deeper than just SOC 2.
One thing to check for is an ongoing investment in people – specifically the compliance committee, which should include people from legal, IT, information security, software development, product management, and operations.
Their charter is to keep up to date on individual state regulations and federal regulations such as HIPAA, which covers personally identifying information. Those rules evolve over time, so compliance can be a bit of a moving target.
Security threats change over time as well. At my company, we have a dedicated information security specialist who stays on top of the newest threats and works with our software development and IT groups to make sure we install patches and take other mitigation measures for those risks as quickly as possible.
Then there are systems. Most companies invest in hardware, but they often neglect processes. Without getting too technical, there are three critical areas of investment in processes: vulnerability scanning, penetration testing and code analysis.
With any system that is exposed to the Web, there are a lot of moving parts: Web servers and other components, as well as the software and all of the systems that it runs on. These should all be assessed automatically with tools that continually scan to make sure that you are not running anything that has known problems or vulnerabilities that might be exploited.
There are hundreds of these vulnerabilities being discovered every month. When the scanning tools detect an issue, it should be followed by a risk assessment process and appropriate action depending on the risk level and the severity of consequences.
These are pretty sophisticated tools, often run by third parties that are specialists in this area and do it on a much larger scale than an individual organization ever would. A significant investment in vulnerability scanning is an absolute necessity to stay out in front of continually evolving methods of cyber-attack.
Any system that can be logged into can also be broken into. Penetration testing involves making sure that when people are logged into the system, they are basically kept in their authorized box where they can see only the information they need. They can’t break out of that box and gain access to somebody else’s data, or do harm to the system.
Penetration testing is another fairly involved process, also often contracted to a third party. You want that specialized expertise and outside opinion. You can trust self-certification to a certain extent but I think it’s better to rely on experts with much broader knowledge and experience of all the ways things can happen.
Penetration testing should be done at least annually, sometimes more frequently. A fair number of companies do this, but a fair number don’t. What an exchange does in this area is a good indicator of how serious they are about security.
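The "authorized box" described above, as an added example that is not code from the original post or from PlanSource: a scoped enrollment lookup beside the unscoped one a penetration test would flag. The records, roles and names are constructed for illustration.

```python
"""Added example, not code from the original post or from PlanSource: the
"authorized box" a penetration test probes for, shown as a scoped record
lookup beside the unscoped one. Records, roles and names are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: str      # logged-in user
    employer_id: str  # employer (tenant) the user belongs to
    role: str         # "employee" sees own record, "hr_admin" sees the employer's


# Constructed enrollment records keyed by id; real systems hold far more PII.
ENROLLMENTS = {
    "e-1001": {"employer_id": "acme",   "user_id": "alice", "ssn_last4": "1234"},
    "e-1002": {"employer_id": "acme",   "user_id": "bob",   "ssn_last4": "5678"},
    "e-2001": {"employer_id": "globex", "user_id": "carol", "ssn_last4": "9012"},
}


class AccessDenied(Exception):
    pass


def can_access(session, record):
    """Authorization rule: never cross the employer boundary; within it,
    employees see only their own record and HR admins see all of them."""
    if record["employer_id"] != session.employer_id:
        return False
    if session.role == "hr_admin":
        return True
    return record["user_id"] == session.user_id


def get_enrollment_unscoped(session, enrollment_id):
    """Weak version: trusts the id in the request, so any logged-in user
    who supplies another id reads someone else's record."""
    return ENROLLMENTS[enrollment_id]


def get_enrollment(session, enrollment_id):
    """Hardened version: the rule is applied on every lookup, and a missing
    id and a denied id are reported identically so ids cannot be probed."""
    record = ENROLLMENTS.get(enrollment_id)
    if record is None or not can_access(session, record):
        raise AccessDenied(f"{session.user_id} may not read {enrollment_id}")
    return record
```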
Static code analysis
Unlike penetration testing, which attacks the system as it’s running, static code analysis tools scan the source code of your software, analyze it to see if there are problems with the structure of the source code, the way you’re building queries and other elements in the system that could lead to security issues.
This is tougher to outsource to a third party, as it requires a much higher level of expertise and familiarity with the platform, language, and the way the system is constructed.
How often should you do this? We do two major releases a year, and static code analysis is always part of any major development milestone. We also run an analysis if we release off-schedule, smaller features that are needed at a certain time for a certain customer.
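As an added illustration of the "way you're building queries" check, not a tool the author describes: a minimal static check that parses constructed Python source and reports execute() calls whose SQL text is assembled at run time, while leaving the parameterized query alone. Real static analysis tools track data flow far more thoroughly than this crude syntactic rule.

```python
"""Added example (not from the original post): a toy static check for SQL
built by string assembly. The scanned source below is constructed."""
import ast

# Constructed source under review: three unsafe query builders and one
# parameterized query. The leading newline puts the first def on line 2.
SAMPLE_SOURCE = '''
def lookup_by_ssn(cur, ssn):
    cur.execute("SELECT * FROM employees WHERE ssn = '" + ssn + "'")

def lookup_by_name(cur, name):
    cur.execute(f"SELECT * FROM employees WHERE name = '{name}'")

def lookup_by_id(cur, emp_id):
    cur.execute("SELECT * FROM employees WHERE id = %s" % emp_id)

def lookup_safe(cur, emp_id):
    cur.execute("SELECT * FROM employees WHERE id = %s", (emp_id,))
'''


def is_dynamic_string(node):
    """True when the expression builds its text at run time: concatenation
    (+), %-formatting, an f-string, or a .format() call."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True
    return (isinstance(node, ast.Call)
            and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def find_dynamic_queries(source):
    """Return sorted line numbers of .execute(...) calls whose first
    argument (the SQL text) is assembled dynamically. A constant string
    with a separate parameter tuple is not reported."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "execute"
                and node.args
                and is_dynamic_string(node.args[0])):
            findings.append(node.lineno)
    return sorted(findings)
```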
It doesn’t matter if you have five employees or 100,000 – they look to their employers to protect their data. There are multiple levels of businesses between health care exchange providers and the individual employees that use our system to enroll, so those employees are not in a position to assess how secure these vendor systems are. It’s incumbent on the bigger players – carriers, brokers and employers – to understand the landscape and ask the questions of health care exchange vendors. Once you get past SOC 2 compliance and audits, which is the minimum bar that just about any vendor is going to clear, gauging their investment in these three areas can help you evaluate just how serious a company is about maintaining trust and confidence, and how effective their security efforts are likely to be.