Pretty much everyone knows the acronym FYI means "for your information." But what if something is "not for your information," especially when it comes to benefits vendors securely managing employees' data? What's the handy acronym for that?
Turns out there are several. OWASP, DLP, TLS, SOC2 — and more. These acronyms stand for various aspects of information protection, and if you don’t know them, you should ensure your healthcare benefits vendor does.
But more than that, you want whoever is managing and protecting your organization’s personal health information (known as PHI) to not only use these acronyms, but actively manage and stay current on the requirements behind them.
As data security breaches reach an all-time high, PHI is especially vulnerable because it can contain layers of patient data, from patient demographics to family email address(es). Nearly 95% of health care organizations experienced at least 1 data security breach in 2016 and 2017. And more than 950 major data breaches occurred from 2015 and 2017, affecting 41% of the U.S. population.
But data breaches aren’t always intentional
While the number of breaches seem extraordinarily high, thankfully, they don’t always involve theft. In fact, more than 1/3 of them are accidents. In 1 case earlier this year, nearly 6 million health records were discovered to have been exposed on an unsecure fax server in California (the result of a vendor error).
As a benefits administrator or broker, you should look to your benefits vendor to be transparent about its processes and policies and how it secures, manages and verifies member healthcare data.
To help you break it down, you can read our whitepaper that sizes up data security threats, suggests best-practice precautions and recommends security protocols you should look for when gauging the data security of your vendors. Throughout it, you’ll see many data security-related acronyms — ones we think every benefits pro should understand.
So test yourself, and your vendor. We’ve compiled a list of several data protection-related acronyms our security specialists use here at EyeMed, and what they mean, in plain language.
Breaking down the lingo of information security
First up: SDM--secure data management. It should be among your organization’s top operational priorities, along with ROI (return on investment) because PHI has a pretty high ROI on the black market — it’s worth 10 to 40 times more than credit card numbers.
What your vendor knows about the following 8 common data security acronyms (and how they implement them within their business practices) could help you make the right choice and help you sleep at night:
1. CSF (Common Security Framework): Sometimes called an IT Security Framework, this is the set of policies and procedures followed when implementing and managing an organization’s information security program.
2. TLS 1.2 (Transport Layer Security): This is the latest version of payment card industry (PCI) compliance standards. It provides security guidelines on how computers, phones and other digital devices can communicate without exposing information to outsiders. 
3. SSL (Secure Sockets Layer): While the TLS mentioned above is the latest of standard security technology creating an encrypted link between a web server and a browser, millions of websites use SSL to protect their online customer transactions.  The technology keeps data private as it passes between the server and a browser. Note—businesses should no longer be using SSL 3.0 or older.
4. OWASP (the Open Web Application Security Project): A global non-profit dedicated to improving software security through free, open-community collaboration. The widely accepted development standards of OWASP help ensure developers are well-trained in secure coding practices.
5. SSAE-18 (Statement of Standards for Attestation Engagements): An assessment that ensures an organization’s controls conform to the recommended standards of design and operating effectiveness. SSAE-18 is the latest iteration in a series of such frameworks and it’s critical the vendor’s team stays current on these controls.
6. SOC1 and SOC2 (Service Organizational Control): These are reports generated from audits of the SSAE mentioned above. SOC1 assesses the internal controls over financial reporting. SOC2 focuses on non-financial reporting in terms of security, availability, processing integrity, confidentiality and privacy. The vendor you’re working with should be able to provide a Type II attestation from a Certified Public Accounting firm confirming the appropriate SOC internal controls are in place and are designed and operating effectively.
7. AICPA-certified specialist: A certified public accountant (CPA) who has achieved specialized training through the American Institute of Certified Public Accountants. CPAs could, for example, earn a data analytics certificate or cybersecurity certificate. Ask whether your vendors undergo thorough reviews of standards and controls like the above-mentioned SSAE-18, SOC1 and SOC2 Type II by an AICPA-certified specialist.
8. Uptime Institute certification: This certification ensures a data center can run uninterrupted during equipment replacement or maintenance. All critical operating components, including power and cooling systems, are duplicated so any part of IT processing can be shut down and maintained without affecting operations.
Data protection: more FYI on PHI
Data protection isn’t just for your information, it’s for employers’ information, and therefore may be the most important service you never see.
The good news is, your benefits vendors can have the tools to prevent it, including your vision benefits company. They should be trained to see what you do not see — through a protected platform equipped to manage, secure and verify personal data for your employees and clients.
Ask your vision benefits company how it keeps your data secure. To learn how to perform a security checkup, download our free data protection and security whitepaper , as well as our infographic on “measuring up” your vendor against the highest standards.
If you enjoyed this article, you may also want to read:
1: SecurityMagazine.com: https://www.securitymagazine.com/articles/89315-five- steps-to-developing-a-healthcare-information-technology-security-plan; reviewed March 19, 2019
2: The HIPAA Journal: https://www.hipaajournal.com/security-breaches-in-healthcare-in-the-last-three-years/ ; reviewed March 19, 2019
3: “Breach Level Index Report: 2018 First Half Review,” Oct, 16, 2018, Gemalto. https://safenet.gemalto.com/resources/data-protection/breach-level-index-2018-h1/ ; reviewed March 19, 2019
4. Health IT Security: “Meditab Medical Records, Physician Notes Breached by Vendor Error,” by Jessica Davis, March 19, 2019, https://healthitsecurity.com/news/meditab-medical-records-physician-notes-breached-by-vendor-error; reviewed March 19, 9019
5: CyberPolicy: “Why Medical Records are 10 Times More Valuable than Credit Card Information,” https://cyberpolicy.com/cybersecurity-education/why-medical-records-are-10-times-more-valuable-than-credit-card-info; reviewed March 19, 2019
6: Logicalis Insights: “What is a Common Security Framework?” by Ron Temske, April 7, 2017, https://logicalisinsights.com/2017/04/07/what-is-a-common-security-framework-csf/; reviewed March 19, 2019
7: SSL.com: “What is SSL?” http://info.ssl.com/article.aspx?id=10241; reviewed March 19, 2019
8: Appointment Plus: “The Top 8 Things You Need to Know About TLS 1.2,” https://www.appointmentplus.com/blog/top-8-things-know-about-tls-1-2/
9: OWASP.org home page; https://www.owasp.org/index.php/Main_Page ;reviewed March 19, 2019
10. Radar Blog: “Lions and Tigers and SOC2 – Oh My! Tips for Navigating the SOC 2 Process,” by Andrew Migliore, Oct. 13, 2015, https://www.radarfirst.com/blog/lions-and-tigers-and-soc-2-oh-my-tips-for-navigating-the-soc-2-process ;reviewed March 19, 2019
13: AICPA website: https://www.aicpa.org/ and https://certificates.aicpastore.com/#explore-all; reviewed March 19, 2019
14: Cyxtera: “Demystifying Data Center Tier Ratings,” by Sabrina Donley, June 28, 2018, https://www.cyxtera.com/blog/demystifying-data-center-tier-ratings; reviewed March 19, 2019