Aetna Launches Broker Encryption Requirement
July 30, 2018
Can you name the five cyber attack types you are most likely to face?
- Socially engineered malware
- Password phishing attacks
- Unpatched software
- Social media threats
- Advanced persistent threats.
According to CSO, these are the five cyber attack types you’re most likely to face. With so much of our sensitive data stored online, it’s no surprise that cybercrime is on the rise. Data breaches have long been a problem for businesses and individuals, but criminals are increasingly ramping up attacks.
What’s one of the best ways to ensure an attack won’t hit your organization? Encryption. Encrypted data can only be decrypted with a key or password. While encryption cannot protect against all cyber attacks, the technology makes data theft a much more difficult task for hackers. Many businesses are increasingly turning towards security compliance requirements like encryption to protect their customers and businesses.
One such company is the health insurance carrier Aetna. The Aetna Global Security team identified the Broker space as an area where large volumes of Aetna member data is processed or managed, making it a target for cyber crime. Consequently, Aetna is requiring encryption on all Broker devices to mitigate risk exposure.
As of July 9, 2018, Aetna requires full-disk encryption on all Broker devices used to access and/or store Aetna member data, including laptops, personal computers (PCs), smartphones and tablets. – Aetna Broker FAQs
Full-Disk Encryption Requirement
Since early July 2018, Aetna has randomly verified that broker devices that visit the Aetna website are properly encrypted. At a future date, Broker devices that are not fully encrypted will not be able to access Aetna Broker websites. While Aetna is granting a grace period for accessing their site without encryption or a verification program, soon you will have to comply! Once this happens, you will not be able to offer Aetna coverage to your clients if you are not in compliance.
What’s Full-Disk Encryption?
Full-Disk Encryption is a technology that automatically converts all data stored on your computer into a form that cannot be read by anyone who does not have the password. Think of encrypted data like lines and lines of unreadable letters that don’t form words. For encryption to take place, encryption software must be installed on a device (e.g., PC, laptop, smartphone or tablet) to convert the data to a secure, unreadable format. To read the data, the user enters a user-defined password to convert the data back to a readable format. Encryption is valuable so that if the device is stolen or improperly accessed, its data would not be legible to the intruder without this password, making it useless to them.
Aetna allows you to use any encryption software your business chooses as long as it meets the following requirements:
- Full-disk encryption
- Advanced Encryption Standard (AES) encryption
- Encryption key strength of 128 bits or higher
AlertSec ACCESS Verification Download
How will Aetna know that your device has encryption software installed? Aetna requires that Brokers install a verification program called AlertSec ACCESS. After instillation, the application verifies whether your device has encryption software in place and then reports the findings back to Aetna. When you visit an Aetna Broker site, a pop-up message may appear directing you to download AlertSec ACCESS. Now, the message appears at random, but in coming months, all users will be required to install the program. It does not monitor your device, does not have access to device data, and does not encrypt your device. There is no cost to you to download and install the AlertSec ACCESS application. However, the cost of encrypting your devices is solely your responsibility.
Aetna has provided a helpful AlertSec ACCESS FAQ sheet to help you better understand the product and how it affects your organization. In addition, the FAQs describe numerous encryption products that are acceptable.
Insurance carriers are taking HIPAA compliance seriously, and so should you. You can expect more carriers to force their agents and brokers to comply with HIPAA’s privacy and security standards in the coming months, and Total HIPAA will continue to alert you to these developments.
If you have questions about where you are in the HIPAA Prime™ process or if your current encryption standards will pass the AlertSec ACCESS audit, please feel free to reach out!