Ask the Expert: InfoSec Requirements for Health Insurance Providers, Part 2
David Pearson, Co-Founder and CTO of Iceberg Networks, sat down with us to answer some more questions on the concerns he’s hearing from insurance providers surrounding security configuration management. The following is an edited transcript of the conversation.
Why should insurance providers be concerned about security configuration management right now?
There are two parts to that. One part is that they have a compliance requirement in order to deliver the service as managed by CMS, but it also feeds straight into the security problem. As a health insurance provider, they collect not just personal information but personal health information about their clients, so they have a very compelling information security problem of both security and privacy. When they offer protection for their clients’ information, they need to have assurances that those protections are actually in place. Organizations spend a tremendous amount of energy determining how to best configure their systems, and that goes down to very detailed settings on a system.
You as the insurance organization want to have some assurances that the way you have designed your system is in fact the way it’s implemented. The whole security configuration management process is to understand what the risks are, make sure you have your settings designed correctly, and then make sure you implement those settings and have some ability to report out that the settings are in place. If you’re not able to achieve the settings, you need some logical explanation as to why not, an assessment of the risk, and conscious acceptance of the risk of the settings not necessarily being correct.
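The process described in the answer above, design the settings, verify they are implemented, report, and document any deviation with an explicit risk acceptance, can be reduced to a baseline check that treats an undocumented deviation and a lapsed acceptance as failures. The following is an added example, not code from the interview, Iceberg Networks, or CMS; the setting names, baseline values, exception register, sample collected configuration and its `key = value` format are all constructed for the illustration.

```python
"""Configuration-baseline compliance check with a documented exception register.

Added example, not code from the interview or from Iceberg Networks. The setting
names, baseline values and the exception register are constructed for the
illustration and are not a CMS or any other published baseline.
"""
from datetime import date

# Constructed baseline: the settings the organization decided on (the "design").
BASELINE = {
    "ssh.PermitRootLogin": "no",
    "ssh.PasswordAuthentication": "no",
    "audit.log_retention_days": "365",
    "tls.min_version": "1.2",
    "db.encryption_at_rest": "enabled",
}

# Constructed exception register: deviations that were reviewed, with the
# documented reason, the risk owner who accepted it, and when acceptance lapses.
EXCEPTIONS = {
    "ssh.PasswordAuthentication": {
        "reason": "legacy batch host; key-based auth migration scheduled",
        "accepted_by": "CISO",
        "expires": date(2025, 6, 30),
    },
}

# Constructed sample of what a collector pulled from one host.
SAMPLE_ACTUAL = """
# collected 2025-03-01
ssh.PermitRootLogin = no
ssh.PasswordAuthentication = yes   # deviation with a documented exception
audit.log_retention_days = 90      # deviation, no exception on file
tls.min_version = 1.2
"""


def parse_key_value_config(text):
    """Parse 'key = value' lines (constructed format), ignoring blanks and comments."""
    actual = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        actual[key.strip()] = value.strip()
    return actual


def assess(baseline, actual, exceptions, today):
    """Classify every baseline setting as seen on the host.

    Returns setting -> (status, detail) with status one of:
      compliant             actual value matches the design
      accepted_deviation    mismatch covered by an unexpired, documented exception
      expired_exception     mismatch whose risk acceptance has lapsed
      unaccepted_deviation  mismatch with no documented exception at all
      missing               setting absent from the collected configuration
    """
    findings = {}
    for key, expected in baseline.items():
        if key not in actual:
            findings[key] = ("missing", f"expected {expected!r}, setting absent")
            continue
        got = actual[key]
        if got == expected:
            findings[key] = ("compliant", got)
            continue
        exc = exceptions.get(key)
        if exc is None:
            findings[key] = ("unaccepted_deviation", f"expected {expected!r}, got {got!r}")
        elif exc["expires"] < today:
            findings[key] = ("expired_exception",
                             f"accepted by {exc['accepted_by']}, lapsed {exc['expires'].isoformat()}")
        else:
            findings[key] = ("accepted_deviation",
                             f"{exc['reason']} (accepted by {exc['accepted_by']}, until {exc['expires'].isoformat()})")
    return findings


def report(findings):
    """Count statuses; the check passes only when every mismatch is consciously accepted."""
    counts = {}
    for status, _ in findings.values():
        counts[status] = counts.get(status, 0) + 1
    needs_action = ("unaccepted_deviation", "expired_exception", "missing")
    return {"counts": counts, "passed": not any(counts.get(s) for s in needs_action)}


def check_sample(today_iso="2025-03-01"):
    """Run the constructed sample through the check as of a given date."""
    today = date.fromisoformat(today_iso)
    findings = assess(BASELINE, parse_key_value_config(SAMPLE_ACTUAL), EXCEPTIONS, today)
    return findings, report(findings)


if __name__ == "__main__":
    findings, summary = check_sample()
    for key, (status, detail) in sorted(findings.items()):
        print(f"{status:22} {key}: {detail}")
    print(summary)
```

Re-running the same check with a later date flips the password-authentication finding from an accepted deviation to an expired exception, which is the point of recording an expiry: an acceptance is a decision taken at a moment, not a permanent waiver, and the report should say so without anyone having to remember.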