
CoreSource is Committed to Keeping Your Data Secure

When it comes to information security and the protection of protected health information (PHI), the bar continues to be raised. Benefit administrators, such as CoreSource, need to be prepared to respond to this ever-growing challenge.

Oh, how fondly we recall the days when HIPAA was our greatest compliance hurdle. Today, with cyber-attacks, malware and data theft being both top-of-mind and omnipresent, CoreSource is educating and engaging its workforce in keeping our customers’ data safe and secure. To do that takes more than deep pockets. It takes knowledge, resources, processes, controls and technology. Only with command of those items can you focus on prioritization, investment and execution objectives. CoreSource is committed to protecting our customers’ data and will continue to make the necessary strategic investments to establish and sustain an information security program to protect against today’s threats and position us for tomorrow.

Threats keep evolving. Attacks are becoming more sophisticated, nuanced and complex. Organizations can get lost trying to manage the security requirements needed to meet compliance standards from federal and state agencies. Establishing a thoughtful and strategic security roadmap that encompasses people, process and technology is essential and CoreSource is delivering on that mission today.

CoreSource’s security investments continue to keep us on par with the largest of our competitors while differentiating us from comparable or smaller benefit administrators that have been slow to respond or do not have the capabilities to confront these very real threats.

When comparing Benefit Administrators through the lens of data protection and security, it’s important to evaluate both their current capabilities and their long-term commitment.

Do they have?

  • A dedicated information security team led by a full-time Chief Information Security Officer.
  • A process to perform security risk assessments of their vendors and sub-contractors.
  • A data loss prevention (DLP) solution to protect confidential and critical information from being emailed out of the organization accidentally or maliciously.
  • A file integrity monitoring solution that detects and alerts on unauthorized changes to critical system and configuration files, backed by a recoverable file system that uses transaction logging and recovery techniques to preserve data consistency after a failure.
  • An intrusion detection system (IDS) designed to monitor internal network activity and identify any suspicious patterns that may indicate a network or system attack.
  • A formal information security education and awareness program that engages every employee in the protection of customer data and trains them in the security best practices for keeping that data secure.
  • A security information and event management (SIEM) system that provides a holistic view of their organization’s information security by –
      • Centralizing the storage and interpretation of logs and allowing near real-time analysis that enables defensive actions to be taken more quickly.
      • Collecting data into a central repository for trend analysis and providing automated, centralized reporting for compliance.
  • An annual penetration testing program for both internal and external-facing systems, as well as a recurring vulnerability scanning capability for internal systems of record.
  • A solution to detect and protect against malware and ransomware.
  • Published IT control policies and governance to ensure documented and consistent review of procedural best practices.

Are they advancing on?

  • The capability to provide and restrict privileged access to only those individuals within their organizations that need it and only at the time they require it.
  • The capability to provide visibility to, and control of, which devices connect to their network, and to identify and restrict those that do not meet security requirements.
  • The capability to ensure software updates are administered both timely and effectively to protect and remediate against known vulnerabilities.
  • Improvements in their password strength, adoption of two-factor authentication (2FA) and data encryption in anticipation of future compliance requirements.
  • The adoption of, and pursuit of alignment to, the NIST Cybersecurity Framework.

Can they provide?

  • Evidence-based third-party attestations, such as SOC 1 and SOC 2 reports, that independently verify the controls they claim to have in place. Note that a SOC report is not a HIPAA certification (HIPAA has no official certification program), so ask how the controls examined in the report map to the requirements of the HIPAA Security Rule.

To serve as an aid when matching various administrators to your client’s health plan needs, we’ve created a checklist to help assess whether their data security measures match up to those we follow.

Download our Commit To Keeping Health Data Secure Checklist

CoreSource will continue to take the long-view on information security and will never stop taking threats to our customers’ data seriously. We will continue to educate, learn, invest, execute and respond to the threats and vulnerabilities around us today. We will evolve and mature to keep pace with the ever-changing landscape of risk and in so doing, grow our customers’ confidence in our ability to keep their data secure and earn their trust.

Posted on February 15, 2017 in Compliance-Regulatory

Tagged as data security