Insurance companies handle vast amounts of personal data, and they can be held liable for any compromise of that data. While adequately protecting data must include a multi-pronged strategy that includes user education, information technology (IT) oversight, and constant vigilance, the strategy must also have a secure file-sharing system at its core.
Three Risks Presented by File Sharing Within the Insurance Industry
While insurance companies need a way to store their files securely, simply storing documents isn’t enough (although it is often challenging on its own). Insurers also need a way to share files safely—and the need for secure file sharing is only increasing as the healthcare industry trends toward being more remote.
Sharing Files Within Departments and Across Offices
Insurers have long needed a way to securely share files within their company. Departments have to share various personally identifiable information (PII), and the sharing sometimes must be done between different locations. Even within the company, secure sharing is necessary.
The need to securely share files isn’t limited to intra-office activities, however. Insurers must have the means to share files with other organizations in the healthcare industry and among employees who work remotely.
Sharing Files With Other Healthcare Agencies
PII is regularly shared between healthcare organizations, including insurance companies. Names, dates of birth (DOBs), social security numbers (SSNs), and health records must be shared between providers and insurers so patients’ accounts can be accurately billed and paid.
Moreover, PII is frequently shared with healthcare organizations of all sizes—and many smaller practices don’t have adequate file protection in place. A solo practitioner’s office likely can’t afford a robust digital security solution and will often have a mediocre system in place as a result.
If PII is compromised because of a smaller (or larger) organization’s system or error, the liability usually ultimately lies with that organization. Such liability doesn’t mean that an insurer won’t have significant associated expenses, though.
In any situation where any organization compromises PII, the default is often to sue all parties that might be responsible—and possibly to focus most efforts on the largest party. This strategy can quickly lead to substantial legal costs for insurers as they defend themselves against one or more lawsuits.
Sharing Files With Remote Employees
The rapid transition toward remote working due to the Covid-19 pandemic has affected virtually every industry, but the insurance industry was particularly impacted. Since so much information was already shared between locations and employees don’t have to be in-person to perform their jobs, many insurance companies transitioned toward a largely remote model. And today, a number of employees have chosen to remain working from home.
With more people working remotely, the quantity of files being shared across networks has increased substantially. So too has the risk of a data breach that exposes PII. The data-related risks that remote workers present are especially pronounced, for they frequently aren’t working within the safe structure of a company network. Employees may log in on unsecured networks (e.g., coffee shops’ networks), not have a properly secured network at home, fail to properly update their devices, not properly handle files, or commit any number of other infractions that potentially expose PII.
The Need of Insurance Companies to Securely Share Files
The necessity to securely share files across departments, organizations, and employees has two drivers: regulatory requirements and the threat of litigation. Should an insurance company fail to properly secure files during transfer, a breach could result in regulator fines and/or class-action lawsuits.
Regulatory Requirements for Insurers to Follow
In the United States, health insurers face the most severe regulatory risks. The Health Insurance Portability and Accountability Act (HIPAA) specifically addresses data breaches, including those that occur while sharing files. Almost any breach that compromises health records is a breach of HIPAA and will frequently result in fines. The fines can easily reach seven or eight figures.
This isn’t to say that HIPAA regulations are the only ones that insurers are subject to. Any incident of compromised information, such as credit card numbers and social security numbers, might violate a federal or state regulation.
Regulations outside of the United States are often similarly strict on health records and other PII.
Class-Action Lawsuits From PII Breaches
Should many patients’ PII be compromised in a data breach (and usually a breach involves many accounts), multiple affected individuals may band together and file a class-action lawsuit. The costs of such a lawsuit can be enormous if the case goes to court, and settlements are often also high. Even if a suit is eventually settled for relatively little or dismissed altogether, legal costs still add up.
The Cost of a PII Data Breach
The cost of a data breach is only compounded by the type of PII that insurance companies store. Health records and other insurance-related PII are far more valuable on the black market than other data, largely because advances in EMV technology have made credit card fraud more difficult to execute. In general, health records will go for 10 to 20 times more than credit card numbers and names.
The actual cost of a major data breach is around $4.2 million for insurers, spread across an average of 25,575 records. At that ratio, each compromised document can cost $164 on average to resolve.
Several notable data breaches illustrate just how much a breach can cost, sometimes reaching far above that average figure:
- Anthem: Anthem’s network was compromised by a basic password attack that allowed hackers to steal 8 million records containing PII. The breach was the largest in the healthcare industry to date, affecting around 1 out of every 4 Americans. Mitigation costs are ongoing and are expected to far exceed the company’s $100 million insurance limit. A $1.5 million fine was issued for violating HIPAA, and there are still multiple class-action lawsuits pending.
- Excellus BCBS: Excellus Blue Cross Blue Shield was compromised from 2013 through 2015, during which time hackers were able to obtain 10 million customers’ documents. The compromised PII included credit cards, social security numbers, and other information. This breach is expected to cost somewhere around $4 billion and see an average expense of $363 per record.
- Premera BCBS: For a year, hackers had access to claims data, including social security numbers, birth dates, banking account numbers, and other PII that Premera BCBS stored. The breach ultimately affected 11 million customers.
- Zurich Insurance: UK insurer Zurich Insurance lost 46,000 customers’ PII when unencrypted backup data was compromised. The company was fined £2 million by the Information Commissioner’s Office (ICO) and another £2.275 million by the Financial Services Authority.
- WellPoint: WellPoint didn’t actually suffer a successful attack, but it still had to pay a $1.7 million fine to the Department of Health and Human Services (HHS) for violating HIPAA practices.
With such high costs, no insurance company can sustain a data breach without feeling the consequences. Even a relatively small or benign incident can affect balance sheets by millions, and large incidents have the potential to bankrupt companies altogether. Even the largest and most established could succumb to these risks, for a multi-billion-dollar expense will have a major and lasting impact.
Moreover, these aren’t risks that companies can fully protect themselves from. Hackers are constantly targeting the PII that insurance companies store, and a single successful attack is enough to compromise thousands of customers’ information. Insurers must defend against every attack, but hackers need to breach security protocols just one time.
Consumer-Grade File Sharing Doesn’t Meet Insurers’ Needs
When looking for a suitable file-sharing platform, insurance companies have to look beyond consumer-grade platforms. Although the affordability and features of these programs might make them look promising on the surface, deeper investigation usually reveals that these solutions don’t adequately meet the needs of insurers.
First, no file-sharing platform should be chosen based solely or primarily on price. While overhead and software expenses are always a consideration, the cost of a solution must be compared to the potential costs of a breach that occurs because the platform’s security protocols fail.
Other businesses that handle less sensitive information may get by with cheaper solutions, but insurance companies should invest in higher-grade systems. Saving a few dollars doesn’t make sense when the consequence can be a potentially company-bankrupting breach.
Second, a robust file-sharing platform should guard against both external and internal risks. Although most of the above-mentioned breaches result from bad design and/or external activities, internal threats are also present—especially when a company has so many employees that can access sensitive documents. Any solution employed must protect against both threats equally.
Third, insurers need file-sharing solutions that meet all national and state regulations. These are primarily HIPAA regulations in the U.S., and the WellPoint fine illustrates how costly not meeting these regulations can be even if there is no actual incident.
Fourth, providing security alone isn’t enough. A file-sharing platform ought to also make sending and using documents easy. This includes having a user-friendly interface and efficient means of sending and receiving documents. A platform should also be able to keep up with the growth in file sizes, which is consistently about 15 to 20% (~3.13 MB) per year.
SmartFile Provides Professional File Sharing for Insurance Companies
SmartFile is a high-quality and professional file-sharing platform that’s designed with insurance companies in mind. In addition to providing an intuitive user interface and efficient sharing, the platform also meets all of the other fundamental needs that insurers have:
- Internal Protection: Protect sensitive documents from internal leaks with active monitoring and specific user permissions.
- External Protection: Guard documents from online attacks and other external threats with multiple automated protections. Keep files safe without making employee use cumbersome (cumbersome protections tend to go unused).
- Granular Permissions: Well-designed protection requires dictating exactly what different users can and can’t do with files. Granular permissions make it easy to control access and use across many documents and employees.
- File Versioning: Keep track of changes that are made to files over time and in real-time. Seeing what’s been altered previously and who’s made the changes helps employees work more efficiently, provide better customer service, and reconcile discrepancies more quickly.
- Branded Portals: Client portals don’t show SmartFile as the provider; instead, they’re branded with the insurer’s name, logo, and color scheme for consistent branding.
If you’re looking for a stress-free file-sharing solution that will work well for your insurance company, contact us at SmartFile. A representative will be happy to explain features in fuller detail and explain exactly how the solution can be tailored to suit your business well.