No Time Off for Insurance Compliance
- August 24, 2020
The urgency of the COVID-19 pandemic has required the insurance industry to rapidly deploy the majority of their workforces to a remote work environment. Creating dynamic workforces of these kinds — that combine a new level of digital operations and modified physical workspaces to meet employees’ needs for an unhindered and reliable work experience while simultaneously ensuring employee safety — is a radical change from the confined facilities insurance companies have operated in historically. The vast amount of regulations and regulatory oversight did not evolve as quickly as the pandemic. As such, the existing data protection, HIPAA requirements, data security and consumer data rights are just as comprehensive today as they were before the U.S. had its first case of COVID-19. Given the speed at which the industry has had to adjust its operating model to a Work From Home (WFH) environment, organizations must review their WFH situation through the lens of these regulatory requirements. A review will ensure that they are continuing to comply and, more importantly, to protect the critical confidential consumer information that the insurance industry maintains and processes daily.
Rigorous regulator scrutiny
The regulatory agencies that govern the insurance industry are not changing or relaxing the standards or compliance requirements that were in place pre-COVID-19. The regulations around data security and consumer privacy will likely be strengthened, or at the very least more closely scrutinized, as a result of the WFH model that many insurance companies and third-party administrators transitioned to. Organizations must evaluate the physical, administrative, and technical controls that are in place to see if they continue to meet the needs and requirements while in a remote environment.
Physical controls
The physical controls in place in a brick-and-mortar facility may not be the same as the physical controls needed when working remotely or out of one's home. Therefore, organizations must ensure their physical controls are evaluated for a remote workforce. Where the implementation of similar physical controls is not possible, organizations should determine if these gaps can be mitigated with newly developed administrative or technical controls.
A primary example is how insurance organizations use a variety of physical controls to safeguard the tremendous amounts of protected information. The use of locked suites, secure facilities, dedicated office space or conference rooms, as well as white noise/noise-canceling machines, are all examples of how insurance organizations control and prevent the unintended or unauthorized disclosure of protected information to unauthorized individuals. Within the secure and controlled workspaces, associates were able to quickly interact and communicate with clients, coworkers and leaders with minimal risk that those interactions could lead to unintended or unauthorized disclosure of protected information.
However, in the remote work environment, those physical controls are no longer in place, while the need for efficient and timely communication has only increased. With many associates working from their homes, gone are those dedicated offices, conference rooms, noise-canceling equipment, and locked spaces. To mitigate the absence of these physical controls, insurance organizations could leverage a combination of technology and administrative controls designed to work together with each other.
Group chat platforms (such as MS Teams, Skype, and others) are a great way to foster efficient communication, build teams and engage your remote workforce globally. However, it is critical to develop and implement physical, administrative, or technical controls (such as providing coaching and FAQ documentation) to ensure that digital tools are used appropriately and not in a way that could disclose protected information to unauthorized people. State data protection requirements are both broad and specific in that reasonable safeguards must be implemented “to protect the security, confidentiality, and integrity of consumer information.” These requirements have not changed in our new, remote world.
Administrative controls
Administrative controls, such as training programs, will need to be reviewed and potentially enhanced to ensure their effectiveness and appropriateness in identifying foreseeable internal and external risks with a predominantly remote workforce. For example, existing data security and privacy training programs geared toward traditional, brick-and-mortar buildings should be reviewed and updated to account for a remote workforce. They should remind associates that insurance and data protection regulations have not changed, and that their continued diligence and adherence are required. The privacy training module taken by associates before the first U.S. case of COVID-19 instructed them on how to use their physical controls in a brick-and-mortar building (e.g., how to use their company-issued badge to gain access to a secure suite). Now, associates need instruction on how to operate from their remote location while simultaneously protecting the confidential information they have access to (e.g., how to password-protect their home internet network so that it cannot be publicly accessed).
The tremendous flexibility and reduced physical oversight inherent in a remote work environment require diligence and a comprehensive approach when reviewing administrative controls. For example, quick implementation of virtual learning could be a very effective way to adapt and strengthen existing training offerings around data protection, cybersecurity and the numerous insurance-related regulations.
Another administrative control that the current COVID-19 pandemic has highlighted as critical relates to how insurance organizations review and assess their strategic vendors, such as a third-party administrator who may be providing a full range of insurance operation services. Before COVID-19, organizations should have implemented a robust and formal vendor governance program that would assess the capabilities of their vendors to comply with insurance and data protection regulations. Note that assessing compliance is more than just the identification of a high-quality data center or infrastructure. Secure data center providers will help to safeguard your data while it is in their systems. Still, organizations must account for the additional administrative controls governing how vendors and third-party service providers access and use protected data in a remote setting. For example, are the associates continually trained on security in a remote setting? Are existing policies and practices sufficient for an isolated environment?
Technical controls
Beyond physical and administrative controls, one area of risk heightened in a remote work setting is the technical controls an insurance organization has in place. Part of the assessment for an organization’s controls is not just safeguarding your data, but also reviewing your existing security policies to ensure they translate to a remote environment. This assessment may take the shape of reviewing an organization’s IT security policy to verify if any updates should be accounted for with a remote workforce. It may also be additional controls or changes put in place to strengthen the IT security posture. For example, in response to NTT DATA Services’ use of Zoom, a full risk assessment was conducted with clear mitigation steps identified. As part of our mitigation implementation, we put multiple policy directives and systematic enhancements in place. These measures strengthened data security, enhanced our password requirements, and updated our internal policy for use. We also published a Zoom Best Practices Guide for employees and pushed IT security upgrades for Zoom along with other identified systems and applications.
In the remote work setting, it is even more critical that organizations evaluate their posture and controls as they relate to technology. Organizations should assess their technical control environment to determine whether their existing controls are still appropriate while operating in a remote work environment. As part of these assessments, organizations should evaluate their network design, how data or information is being transmitted, and account for a global workforce with multiple geography-based challenges (e.g., how life insurance claims associates access and handle ePHI data from remote locations). Organizations may need to react quickly to address newly identified geographic challenges, such as a country’s infrastructure and its ability to support power and internet requirements or its ability to deploy staff rapidly. It is critically important that any changes to existing technical controls are reviewed for effectiveness and adherence to existing regulatory requirements.
Global workforces come with inherent geographical differences, and these can be further complicated from a technical control standpoint in a remote setting. It is a best practice to assess your new infrastructure footprint as well as look at what is required to support operations outside of the traditional brick-and-mortar building. An organization should examine its existing network monitoring applications to ensure they are appropriate for monitoring data traffic from countless remote locations rather than a finite number of select facilities.
Another area of technical control brought to the forefront by COVID-19 relates to the quick deployment to a global workforce of assets that were designed to operate within a facility. Allowing thousands of associates to freely access protected information from remote locations without adding or updating technical controls is a dangerous approach. It arguably runs afoul of the countless data protection and cybersecurity requirements currently in place. To mitigate these new risks, insurance organizations could elect to implement a variety of solutions to strengthen existing technical controls (e.g., USB disablement for all assets, deployment of biometric readers, or a variety of monitoring software).
Our mission remains unchanged: safeguard consumer data
The insurance industry’s obligation to protect data and consumers’ information remains unchanged even during a global pandemic. Our challenge is to thoroughly re-evaluate our operations in a predominantly global work environment, so that we continue to meet our existing obligations. As a compliance professional, I do not see the regulatory oversight being more permissive for unsecured data or unsecured data practices as a result of the pandemic. There are inherent vulnerabilities with thousands of people working from their homes with no substantive physical oversight. Insurance organizations should expect further change, whether from an operating model standpoint or regulatory oversight, and they must remain flexible with their dynamic workforce. A meaningful partnership between an insurance organization’s compliance department and its C-suite will help it adapt to these changing times, create its dynamic workforce, and still ensure that regulatory obligations continue to be met.