
Aetna Launches Broker Encryption Requirement

This week, we break down Aetna’s new broker encryption requirement. Read on to learn all you need to know about this new rule. 

Can you name the five types of cyber-attacks you are most likely to face? 

  1. Socially engineered malware
  2. Password phishing attacks
  3. Unpatched software
  4. Social media threats
  5. Advanced persistent threats

According to CSO, these are the five cyber attack types you’re most likely to face. With so much of our sensitive data stored online, it’s no surprise that cybercrime is on the rise. Data breaches have long been a problem for businesses and individuals, but criminals are increasingly ramping up attacks.

What’s one of the best ways to limit the damage when an attack does hit your organization? Encryption. Encrypted data can only be read by someone who holds the key or the password that protects it. While encryption cannot prevent every cyber attack, it makes stolen data useless to anyone without that key. Many businesses are increasingly adopting security compliance requirements like encryption to protect their customers and themselves.

One such company is the health insurance carrier Aetna. The Aetna Global Security team identified the Broker space as a target for cybercrime. Large amounts of data are processed and managed there. Consequently, Aetna is requiring encryption on all Broker devices to mitigate risk exposure.

As of July 9, 2018, Aetna requires full-disk encryption on all Broker devices used to access and/or store Aetna member data, including laptops, personal computers (PCs), smartphones and tablets. – Aetna Broker FAQs

Full-Disk Encryption Requirement

Since early July 2018, Aetna has randomly verified that broker devices visiting the Aetna website are properly encrypted. At a future date, Aetna broker websites will no longer accept devices that are not fully encrypted. While Aetna is granting a grace period for accessing their site without encryption or a verification program, soon you will have to comply! Once this happens, you will not be able to offer Aetna coverage to your clients if you are not in compliance.

What’s Full-Disk Encryption?

Full-Disk Encryption is a technology that automatically converts all data stored on your computer into a form that cannot be read by anyone who does not have the password. Think of encrypted data like lines and lines of unreadable letters that don’t form words. For encryption to take place, encryption software must be installed on the device (e.g., PC, laptop, smartphone or tablet) to convert the data to a secure, unreadable format. To read the data, the user enters a user-defined password, which unlocks the key that converts the data back to a readable format. Encryption is valuable because if the device is stolen or improperly accessed, its data is not legible to the intruder without this password, making it useless to them.

Aetna allows you to use any encryption software your business chooses as long as it meets the following requirements:

  • Full-disk encryption  
  • Advanced Encryption Standard (AES) encryption  
  • Encryption key strength of 128 bits or higher
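Before a verification tool checks your devices for you, your own IT staff can read the same three points off the encryption software’s status output. The following is an added example, not code from this post, from Aetna or from AlertSec: it parses the status output of Windows BitLocker (`manage-bde -status`) and Linux LUKS (`cryptsetup luksDump`) and evaluates it against the full-disk, AES and 128-bit requirements. The sample outputs are constructed in the layout those tools print; macOS FileVault is not covered.

```python
import re

# Aetna's three stated requirements (from the post): full-disk encryption,
# AES, and a key strength of 128 bits or higher.
MIN_KEY_BITS = 128

def check_bitlocker(status_text):
    """Evaluate `manage-bde -status <volume>` output (run it against the OS volume)."""
    def field(name):
        m = re.search(rf"^\s*{name}:\s*(.+?)\s*$", status_text, re.M)
        return m.group(1) if m else ""
    method = field("Encryption Method")  # e.g. "XTS-AES 128", "AES 256", "None"
    aes = re.search(r"AES[- ]?(\d+)", method, re.I)
    # "Fully Encrypted" together with "Protection Off" means BitLocker is suspended
    # and the key is stored in the clear, so both conditions are required.
    encrypted = (field("Conversion Status").lower() == "fully encrypted"
                 and field("Protection Status").lower() == "protection on")
    return {"encrypted": encrypted, "aes": aes is not None,
            "key_bits": int(aes.group(1)) if aes else 0}

def check_luks(dump_text):
    """Evaluate `cryptsetup luksDump <device>` output (run it against the system device)."""
    cipher = re.search(r"^\s*cipher:\s*(\S+)", dump_text, re.M)  # data-segment line
    key = re.search(r"^\s*Cipher key:\s*(\d+)\s*bits", dump_text, re.M)
    name = cipher.group(1).lower() if cipher else ""
    bits = int(key.group(1)) if key else 0
    if "xts" in name:  # XTS holds two AES keys, so LUKS reports twice the AES key size
        bits //= 2
    return {"encrypted": cipher is not None, "aes": name.startswith("aes"), "key_bits": bits}

def meets_requirement(findings):
    """True when all three of Aetna's stated conditions hold."""
    return findings["encrypted"] and findings["aes"] and findings["key_bits"] >= MIN_KEY_BITS

# Constructed sample outputs in the layout each tool prints (not captured from a real device).
BITLOCKER_OK = """\
Volume C: [OSDisk]
    Conversion Status:    Fully Encrypted
    Encryption Method:    XTS-AES 128
    Protection Status:    Protection On
"""
BITLOCKER_SUSPENDED = BITLOCKER_OK.replace("Protection On", "Protection Off")
LUKS_OK = """\
Data segments:
  0: crypt
\tcipher: aes-xts-plain64
Keyslots:
  0: luks2
\tCipher:     aes-xts-plain64
\tCipher key: 512 bits
"""
```

Run `check_bitlocker` on the output of `manage-bde -status C:` (as Administrator) or `check_luks` on `cryptsetup luksDump` for the root device; a LUKS container on a single data partition passes the cipher checks but is not full-disk encryption, so point the tool at the system volume.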

AlertSec ACCESS Verification Download

How will Aetna know that your device has encryption software installed? Aetna requires that Brokers install a verification program called AlertSec ACCESS. After installation, the application verifies whether your device has encryption software in place and then reports the findings back to Aetna. When you visit an Aetna Broker site, a pop-up message may appear directing you to download AlertSec ACCESS. Currently, the message appears at random, but in the coming months all users will be required to install the program. The application does not monitor your device, does not have access to device data, and does not encrypt your device. There is no cost to you to download and install the AlertSec ACCESS application. However, the cost of encrypting your devices is solely your responsibility.

Aetna has provided a helpful AlertSec ACCESS FAQ sheet to help you better understand the product and how it affects your organization. In addition, the FAQs describe numerous encryption products that are acceptable.

Insurance carriers are taking HIPAA compliance seriously, and so should you. You can expect more carriers to force their agents and brokers to comply with HIPAA’s privacy and security standards in the coming months, and Total HIPAA will continue to alert you to these developments.  

If you have questions about where you are in the HIPAA Prime™ process or whether your current encryption standards will pass the AlertSec ACCESS audit, please feel free to reach out!
