
Nightmare on TPA Street

What do the Voice of America, the BBC, an Indiana tree service firm, a Michigan pediatrician and a midwestern TPA all have in common? They all had their websites defaced by a group of hackers with ties to the Iranian Revolutionary Guard. 

In the past, occurrences such as these were treated as “cyber graffiti.” Some hackers deface multiple sites to gain notoriety among their hacker peers. Others feel it is their “duty” to exploit security weaknesses. And of course, money is also a universal motivator.

According to experts, today’s defacements are more than just mischief; they act as a gateway to more serious security breaches. These breaches are usually caused by weak or compromised passwords.

In the Anthem data breach earlier this month, criminals were able to access 80 million Social Security numbers and other personal information because the company stored the data without encryption — reportedly because they were balancing security with ease of use. Encrypting the data would have made the data less valuable to the criminals. It would also have made it more difficult to use by legitimate Anthem employees.
 
To those of us in the TPA world, this should sound like a familiar scenario. 

The personal information stolen from Anthem is actually more valuable than credit card numbers. According to insurance underwriter Beazley, credit card numbers are worth $4 or $5 on the black market. The personal data stolen from Anthem can bring $40 to $50 per record.

Habeeb Habeeb, president of BPC, a CEFEX-certified firm in Champaign, Ill., describes their IT and data security initiatives from a customer service perspective: “Everything we do at BPC is designed around first class quality customer service. It is impossible to provide quality service without protecting your client’s data.”

Habeeb goes on to say, “Our data security initiatives are comprehensive and ongoing. Our employees are trained on the significance of data security and risk management. All hardware and software are monitored and maintained on a regular basis. We communicate with our clients regarding data security issues. We also purchased cyberliability insurance. Even though it is more expensive than our E&O insurance, we feel that coverage is a must-have for all top TPAs.”

The hacking of the TPA website is a wakeup call to all TPAs. You are not under the radar, nor are you too small to attract a hacker’s attention. We all have access to the ASPPA/CEFEX best practices for IT. At a minimum, we should all refamiliarize ourselves with them. Ignore them at your own peril.

Encrypting your data would be a great first step. However, most record keeping systems rely on passwords for security, so password strength and handling matter just as much. Second, who is working for you? Without a national background check, you can only know what has been presented to you. I find during my CEFEX audits that many small and mid-size firms haven’t done this. Others have implemented this process for future hires but not for existing staff. If this is the case, then you need hands-on, walk-around management to continue to know your employees.

It isn’t just the employee, it’s also their family situation (i.e., loss of a spouse’s job, children’s education expenses, parents’ health issues, etc.). It is important to truly understand that your employee may be your best worker, but it only takes one serious financial disaster for them to risk their livelihood and the trust they have earned. If you couple that with easy access to valuable data, then you have failed your clients.

If you outsource your IT functions, then you owe it to your clients to understand the vendor’s hiring process and what steps they take to monitor their employees.

As technology changes, you’ll want to implement changes. Just make sure you’re implementing proven technology with an eye on securing data.

Richard Carpenter, CPC, CEBS is the founder of the Technical Answer Group, Inc. (tagdata.com). He currently provides consulting services (USVIpensions.com) to TPAs across the country.
