New Whitepaper Examines Workers’ Comp Data Breach Risk

Because workers’ comp data includes Social Security numbers, demographic information and personal health information, a data breach could expose employers and carriers to “millions of dollars in litigation, damage control and repair costs,” write the authors of a new GENEX whitepaper.

With healthcare data breaches at an all-time high, workers’ comp stakeholders should be concerned with data security. In addition, the Health Information Technology for Economic and Clinical Health Act, known as the HITECH Act, signed into law in 2009, was created to promote the adoption and meaningful use of health information technology.

The act addresses the privacy and security issues associated with the electronic transmission of health information; enforcement of the act began in September 2013.

Claim information is exposed to the Internet daily as a result of mobile workplaces and the use of smartphones, tablets and laptops.

According to the whitepaper, employers and carriers need to show that there are strong data security controls in place.

There are three primary data security controls:

  1. Administrative – includes background checks and confidentiality agreements, privacy and security awareness training and change/incident/patch management policies and procedures.
  2. Technical – primarily IT functions such as anti-virus, intrusion detection and prevention services, network segmentation and web and email filtering.
  3. Physical – including access to buildings and strict data center access controls, key fob or card entry building access systems, CCTV, BCP/DR plans for critical services and N+1 redundancy for critical environmental items, such as power and HVAC.

Top Domain Risks in Workers’ Comp

Unauthorized access to personal health information is the primary concern, write the authors, which could be used for identity theft or blackmail. Data is moving constantly in workers’ comp claims through multiple vendors, case managers, bill review specialists and independent medical examiners.

The transfer of data to vendors is one of the most common security risks for any industry, according to the whitepaper. Vetting vendors is one way to ensure their security controls are in line with employers’ or carriers’ standards and regulatory controls.

Password management is also critical, the authors noted, recommending that passwords be changed more than twice a year to reduce potential risks. Employers and carriers should establish password parameters for all applications and networks, including how often passwords are changed and how long and complex they should be.

Some steps companies should follow to ensure security include:

  1. Install antivirus programs and keep them up to date.
  2. Encrypt data on the C drive, data in transit and databases on servers.
  3. Train employees on data privacy awareness on a regular basis.
  4. Warn employees on email phishing scams.
  5. Make sure vendors are vigilant with data privacy security.