Claims Handling Security Risks – Document Management

Posted on: November 4, 2015

Each year computers, operating systems, and the associated software that is running on them become more and more sophisticated. However, the unfortunate reality is that individuals and groups with malicious intent are equally sophisticated and in some respects data handled in a traditional manner is less secure now than it was even two years ago.

This challenge is not restricted to smaller companies with less IT knowledge and fewer security resources. For example, UPS (United Parcel Service) reported a data breach leading to the potential theft of customer debit and credit card information. JP Morgan Chase, the largest US bank, recently acknowledged a massive data breach that affected 76 million households and 7 million small businesses – customer names, phone numbers, and email addresses among other personal details were all exposed. Probably the most highly publicized data breach was Sony’s recent incident that resulted in five unreleased movies leaked, 47 thousand social security numbers stolen, and all the personal data of approximately 15 thousand current or former employees.

As a result, any company or individual in the insurance industry, particularly those on the property and casualty side handling sensitive health care information need to be highly aware and cautious of potential security exposures. Below we will discuss some of the most common areas of concern.

Fax machines are actually a much larger risk than many people realize and the reality is that they are still heavily used particularly in casualty claims management such as accident benefits. There are several issues with fax machines including something as simple as the machine’s location. A fax machine sitting in a common area such as a hallway or copy room is a potential exposure because of how easily accessible the information is. Even if there is no intent to access sensitive data, simple mix-ups such as fax piggy-backing (one page mixed in with another fax) or the mixing up of large piles of faxes can lead to unintended theft and potential distribution of the information to the wrong parties. There can also be “with intent” risks where a guest, maintenance person, or any other person that happens to be in the office can walk past the machine and conveniently grab sensitive information in an inconspicuous manner. Traditional fax machines will also automatically continue to try sending numerous times and a fax sent near the end of the work day may not end up at the recipient’s destination until after hours and could be accessible to curious cleaning staff in the evening. Finally, the fax machine is actually a risk in itself because, since 2002, most fax machines have been equipped with a hard drive that stores an image of every document ever scanned, copied, or faxed, and thousands of these machines end up in garbage dumps or electronics recycling yards with the hard drive still intact and unwiped. As a result, it is important to pay attention to the location of your fax machine, be diligent with preventing accidental mixing of faxes, and always destroy the hard drive of the machine prior to recycling.

Email is also a communication method that has elements of risk and the usage of email needs to be closely evaluated. It is unclear if email communication is compliant with PIPEDA or PHIPA and if it is what mechanisms need to be undertaken – such as permanently storing the email – as proof of compliance. In addition to the lost productivity email generates due to spam, personal email, and potential viruses most confidentiality breaches come from within a company and email is one of the major vehicles for this transfer of data. The breaches can be accidental, but also can be intentional and uncontrolled email makes these types of breaches unnervingly all too common. Email is also, generally, a free form method of communication and damage to a company’s reputation can result from unprofessionally written emails or even employees that do not respond to their emails in a timely fashion when addressing client issues and inquiries. The other major challenge with email is the pure technical security threat that it presents; an email travels through many routers and servers on the web on its way to the recipient and is inherently vulnerable to both physical and virtual eavesdropping. Current industry standards do not place an emphasis on security and information is transferred in plain text and leaves a digital paper trail on the many servers it passes through that can easily be inspected months or years later by a curious third party. Email has its place and isn’t going to go away any time soon but for professional communication on sensitive topics, such as accident benefit claim files, email is certainly not an ideal tool.

Even your own computer and network presents potential security risks such as file shadow copies, temporary files, and data remanence which leaves a residual representation of all data on the hard drive even after data has been erased or written over. The list of potential security threats is nearly endless and it’s time to acknowledge the futility of focusing solely on defending impregnable data fortresses and equipping remote computers with antivirus and group policy rules. While this is still important, alone it is no longer enough. Next week we will look at practical solutions that can proactively address these security concerns while improving efficiency at the same time.