
5 ways data classification can prevent an insurance data breach

Insurance firms collect and process large amounts of policyholder data, including personally identifiable information (PII) and protected health information (PHI), as well as sensitive employee and company information that must be protected. Confidential data is the core of the business, and companies that collect and analyze it more effectively have a competitive advantage. With the cost of file sharing and synchronization technology decreasing, actuaries are able to analyze and share data in real time. However, this also increases the number of unnecessary copies of sensitive business and consumer data.

Unchecked, the proliferation of sensitive data makes it easier for cyber criminals to gain access and increases the likelihood that sensitive information will be mishandled. Safeguarding such information against cyber-attacks as well as mishandling has been technologically challenging and expensive. But there are critical steps you can take to thwart a data breach incident. Spirion CEO Todd Feinman offers examples of how insurance firms can leverage data classification to reduce the risk of data theft and costly compliance violations.

Legacy insurance paper workflows pose a risk

Legacy insurance paper workflows consist of a wealth of inbound and outbound documents coming to and from multiple sources. For example, employees scan inbound paper documents, then email, fax or submit them through online forms. Paperwork that is translated into scanned images contains vast amounts of sensitive data. Furthermore, JPEGs of scanned documents or ID cards are an example of unstructured data at its finest. Legacy systems that don't identify faxed and scanned documents as sensitive data that needs to be secured just as tightly as prototypical PII (Social Security numbers, birthdates, etc.) are putting their customers at risk. Legacy insurance billing systems are another related threat vector through which PII and sensitive information make it into current systems and data repositories, which then need to be remediated and monitored closely.

Sniff out PDFs that could hold sensitive data

A major privacy concern resides within electronic documents, such as PDFs and other sharable files. These unstructured documents can contain just as much sensitive information as structured databases. There is an underlying format to PDF documents that can pose a major security threat: PDFs have layers of data. For example, a user could have the words "Social Security" typed next to digits in a PDF document, but under the hood of the PDF, the letter "e" in the word "security" could be on the 50th layer, while the "t" and "y" letters could be resting on the first layer. These multiple layers make it difficult to do simple optical character recognition (OCR). Data classification tools with the ability to piece together layers and analyze them as a whole are essential to ensuring sensitive data isn't glossed over and lost in the shuffle of common PDF document email exchanges.
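The layered-PDF problem described above, as an added example that is not code from the article or from Spirion: glyphs emitted out of content-stream order are reassembled by page position before an SSN pattern check, so a classifier that scans the raw stream order misses the number while the reassembled text exposes it. The Glyph type, the fixed glyph advance and the two sample lines are constructed stand-ins for what a PDF text extractor would yield.

```python
import re
from dataclasses import dataclass
ADVANCE = 5.0   # assumed fixed glyph advance in points (constructed sample)
LINE_TOL = 2.0  # baselines closer than this are treated as one line
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

@dataclass(frozen=True)
class Glyph:
    """One positioned character, as a PDF text extractor yields it."""
    text: str
    x: float  # left edge on the page
    y: float  # baseline on the page (PDF y grows upward)

def make_scrambled_page(lines: dict) -> list:
    """Constructed input: glyphs for {baseline_y: text}, space glyphs omitted (spacing is
    positional, as in real PDFs), emitted interleaved to mimic a stream drawing out of order."""
    glyphs = [Glyph(ch, i * ADVANCE, y)
              for y, text in lines.items()
              for i, ch in enumerate(text) if ch != " "]
    return [glyphs[k] for k in sorted(range(len(glyphs)), key=lambda k: (k % 3, k))]

def stream_order_text(glyphs: list) -> str:
    """Naive extraction: concatenate glyphs in content-stream order."""
    return "".join(g.text for g in glyphs)

def reassemble(glyphs: list) -> str:
    """Rebuild reading order: bucket glyphs by baseline, sort each line by x,
    and insert a space where the horizontal gap exceeds one glyph advance."""
    rows = {}
    for g in glyphs:
        rows.setdefault(round(g.y / LINE_TOL), []).append(g)
    out = []
    for key in sorted(rows, reverse=True):  # top of the page first
        row = sorted(rows[key], key=lambda g: g.x)
        buf = [row[0].text]
        for prev, cur in zip(row, row[1:]):
            if cur.x - prev.x > ADVANCE * 1.5:
                buf.append(" ")
            buf.append(cur.text)
        out.append("".join(buf))
    return "\n".join(out)

def find_ssns(text: str) -> list:
    """SSN-formatted strings in text; run on reassembled text, not the raw stream."""
    return SSN_RE.findall(text)

# Constructed two-line page; the second line carries a fake SSN.
SAMPLE_GLYPHS = make_scrambled_page({700.0: "Name: Jane Doe",
                                     680.0: "Social Security 123-45-6789"})
```

Real extractors (pdfminer, PyMuPDF) give per-character coordinates in the same shape, so the same bucketing applies; the rounding-based line bucket is deliberately simple and would need a tolerance merge for baselines that straddle a bucket boundary.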

Age-old myth that faxes are safer than email

In the insurance industry there are two main steps in the customer journey. The first step is the enrollment and onboarding period. The second step is the claims process. The exchange of PII happens in both instances, and both have a common incoming source of PII: fax machines. During the claims process in particular, customers send insurance firms PII without giving it a second thought; after all, it's just a faxed form they filled out with a pen. It's true that sending faxes using the Public Switched Telephone Network (PSTN) is inherently secure. Hacking into the PSTN would require direct manual access to the telephone line, and even if a file was intercepted it would appear as noise, making it impossible to decipher. But unfortunately for the insurance firm, "security" isn't all about how safe documents are during the sending process. Firms must ensure data is securely sent, received, and stored. Insurance firms are receiving PII in an uncontrolled, unorthodox way by today's standards: through faxed documents that are then scanned into a system.

Click to submit, but make sure it's secure

There are particular insurance policies that require and record more PII than others. For example, a key man insurance policy takes down your Social Security number, blood test results, physical results, and more. These providers are collecting a wealth of sensitive data, both financial and health related, in arguably the biggest PII collection process of any industry. But this extensive PII collection process starts at one place: the online submit form. These insurance providers have information on every person that has applied for these extensive policies, whether they made it through the complete process or not. Imagine if a hacker hit a historical database of applicant information and held it for ransom. It's up to insurance providers to make sure they know where this user-submitted sensitive data is being held, and data discovery and classification tools can help accomplish that. On the consumer side, applicants should make sure they read the fine print before they submit via an online form and understand where and for how long their sensitive data is being held, to protect themselves.

Regulations leave no room for error

High-profile data breaches continue to expose the data of millions of consumers, revealing the gaps in current data protection practices and technologies. Regulators have responded with increased enforcement and the introduction of new requirements. The National Association of Insurance Commissioners (NAIC) also responded by publishing "Principles for Effective Cybersecurity: Insurance Regulators Guidance". The NAIC document provides best practices for insurance regulators and companies, focusing on the protection of the sector's sensitive data from cyberattacks. Guidance offered by the NAIC includes ensuring that the confidential documents and PII that entities hold are protected from cybersecurity risks.

Adapted from: https://www.csoonline.com/article/3186852/5-ways-data-classification-can-prevent-an-insurance-data-breach.html#slide5