Data security has become an important part of digitization as it touches all aspects of our life. Insurance & its related ecosystem are not immune to this, as we directly or indirectly capture, process & transmit Personally Identifiable Information (PII) data.
Security does not only mean how you handle data as an organization (capture, process & transmit), but also how your organization's own security processes work. This is the foundation upon which you then implement data security measures as per national / international guidelines.
Physical infrastructure security –
The office building – the location of your office, e.g. is it in a secure facility with restricted access and screening of every individual who enters the premises? Appropriate fire safety mechanisms should also be in place at the premises level.
Your office premises – segregation of unrestricted / restricted areas via access cards, maintaining a visitor log, with CCTV in prominent locations.
Asset management – digital assets in particular have to be maintained in the asset register with details of the personnel to whom each asset is currently allocated. Retiring a digital asset is an important step, e.g. formatting a hard disk does not wipe the data, which can still be retrieved.
Server room – the most highly restricted area in the office, with clear demarcation of which personnel have access to it.
Laptop / Desktop – secure hardened assets on which all USB drives are disabled & no one can install or uninstall any software. Internet access is restricted by strict firewall policies on these assets.
Printers – restricted rights, with printing of sensitive documents limited to authorized personnel and a built-in audit option.
Mobile phones – if your organization handles sensitive user data, designate restricted areas where smartphones are not allowed.
Backup – a comprehensive backup process for all data – access cards, CCTV, and all digital assets like laptops / servers. Is your backup in the cloud, and do you have a disaster recovery site?
People management security –
Recruitment – what checks are in place when recruiting personnel / consultants? Reference checks of prospective employees, viz. previous employment history, credit score check & fitness certificates, e.g. a passport means that police verification has happened.
Work from home – what security measures are in place to allow employees to log in to the corporate network from a remote location?
The aforementioned are important aspects of the foundations of data security, although this is just the beginning. If you own / operate a digital platform involving any end user data, then the data security measures implemented on your platform are equally paramount.
Case study – Employee Health & Flex Benefits
This case study reflects our learnings from our Employee Ensurer platform for Employee Health & Flex benefits, live in production across international & domestic entities for over 15 years. The platform cumulatively supports 5,000 plus corporates, 15 million lives, and transacts approximately USD 1,000 million premium annually.
The insurance ecosystem comprises primarily insurance companies, TPAs (third party administrators), and insurance intermediaries like insurance brokers / agents. Any corporate entity that avails of these services forms an important part of this ecosystem. With flex benefits (insurance & non-insurance), associated third party providers (like wellness, medical health checkup, gym / yoga organizations) also become a part of this ecosystem.
Capturing data – in the case of employee benefits, the corporate is the originator of the data (employees / dependents). As an insurance company / TPA / intermediary, this data should never be received over open email with Excel sheets attached. Yet it is absurd how often this happens, and it is the number one reason for data leakages – despite data security policies being in place, this practice is a big red flag.
Alternatives as below can be implemented –
Real time secure API integration with HR / payroll systems
SFTP options
If none of the above is immediately possible, then at a minimum Excel attachments should be password-encrypted while the above options are being implemented.
Processing data – once data is securely received, access to it should be restricted in line with the foundational security measures mentioned in the earlier section. No amount of security built into your system / platform will be useful if the organizational security policy is not up to the mark, e.g. data is received by your system over a real time secure API, but if the laptop of the personnel working on it is insecure then it defeats the entire purpose.
Also, access to this processed data needs to be restricted to key operational team members, and corporate HR should have only limited access, e.g. HR would know of a claim made by an employee / dependent but cannot know the disease / ailment details.
Transmitting data – raw data or processed data needs to be shared with various stakeholders. Here again, data should never be sent or received over open email with Excel sheets attached. Secure API integration with these stakeholders is mandatory. For Employee Health and Flex benefits, the data is shared between the insurance company, TPA & intermediaries. In the case of Flex (non-insurance), third party service providers also need a secure API to send or receive data.
Any system/ platform cannot operate in silos. Data exchange does not only mean transmitting and receiving data, but also making sure that data shared with your service providers is safe, protected and meets data security standards.
Data storage – data in transit as well as data at rest needs to be encrypted. Data in transit means that from the moment an employee submits their data until it reaches your database, it must be encrypted. Data at rest means that personnel with access to the data residing in the database should not be able to view PII data, even if the database is queried directly.
This article highlights key elements towards achieving data security, but it is also important for the organization to appoint a security consultant to ultimately help you attain the necessary certifications.
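The data-at-rest rule above, together with the HR restriction from the Processing section, as an added illustration (this is not the Employee Ensurer platform's own code): the application encrypts the diagnosis field with AES-256-GCM before the row is written, so anyone querying the table directly sees only ciphertext, while the claim amount stays readable and only an operations role can unseal the ailment. The key, role names and column layout are assumptions made for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed demo key (32 bytes = AES-256); a real deployment fetches it from a KMS/HSM.
var demoKey = []byte("0123456789abcdef0123456789abcdef")
var gcm = func() cipher.AEAD { // built once so a bad key fails at startup, not per claim
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		panic(err)
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return g
}()
// Claim is the stored row: DiagnosisEnc is nonce||AES-GCM ciphertext, so a direct SELECT shows only bytes.
type Claim struct {
	EmployeeID   string
	Amount       int
	DiagnosisEnc []byte
}
// StoreClaim seals the diagnosis in the application before the row reaches the database.
func StoreClaim(employee string, amount int, diagnosis string) (Claim, error) {
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per stored value
	if _, err := rand.Read(nonce); err != nil {
		return Claim{}, err
	}
	enc := gcm.Seal(nonce, nonce, []byte(diagnosis), nil)
	return Claim{EmployeeID: employee, Amount: amount, DiagnosisEnc: enc}, nil
}
// DiagnosisFor is the only read path for the ailment: HR reads EmployeeID and Amount off
// the row, but only the operations role may unseal it; GCM's tag check rejects tampering.
func DiagnosisFor(c Claim, role string) (string, error) {
	if role != "operations" {
		return "", errors.New("role " + role + " may not view diagnosis")
	}
	ns := gcm.NonceSize()
	if len(c.DiagnosisEnc) < ns {
		return "", errors.New("ciphertext too short")
	}
	pt, err := gcm.Open(nil, c.DiagnosisEnc[:ns], c.DiagnosisEnc[ns:], nil)
	return string(pt), err
}
```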
In conclusion, although data security in the system/ platform is the need of the hour, physically securing the touch points, as well as during data exchange and wherever data resides temporarily or permanently, is of prime importance for all entities in the ecosystem.
Author: Ratnakar Shetty, Co-Founder and MD, Exegesis Infotech
Disclaimer: The opinions expressed within this article are the personal opinions of the author. The facts and opinions appearing in the article do not reflect the views of IIA and IIA does not assume any responsibility or liability for the same.