Heart-Healthy Insurance Information Security Policy Review
In an effort to ensure Heart-Healthy Insurance’s Information Security Policy is up to date, complies with current regulatory requirements, takes advantage of industry standards, utilizes recognized frameworks, is relevant, and meets the requirements of all relevant regulations and standards, a review of the current Information Security Policy has been performed. The following recommendations on how users are provided access to the information systems used by Heart-Healthy Insurance and the password requirements for each system will ensure that the company’s policy is in compliance with all relevant federal regulations and industry standards. As an insurance company, Heart-Healthy Insurance works with and stores personal health information, financial information, and credit card information of clients and business partners. Data of this type is required to be protected by the United States Federal Government under several privacy acts. Heart-Healthy Insurance must also be Payment Card Industry Data Security Standard (PCI-DSS) compliant due to the fact the company takes credit cards to pay for premiums and deductibles. Below is information on each privacy act and security standard that Heart-Healthy Insurance must be in compliance with.
The Payment Card Industry Data Security Standard (PCI-DSS)
The Payment Card Industry Data Security Standard (PCI-DSS) was developed “to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally” (PCI Security Council, 2010 p. 5). PCI-DSS provides the following requirements for passwords and user access:
-Each user must be assigned a unique ID for system access.
-A user’s identity must be verified before passwords are reset.
-Passwords for new users and reset passwords for existing users must be set to a unique value for each user and reset after first use.
-Group or shared passwords are strictly forbidden and must not be distributed by system administrators, even if requested.
-Users must change passwords at least once every 90 days (PCI Security Council, 2010).

Gramm-Leach-Bliley Act (GLBA)
The Gramm-Leach-Bliley Act (GLBA) repealed part of the Glass-Steagall Act of 1933, which prevented financial institutions from acting as any combination of a commercial bank, investment bank, or insurance company (Gramm–Leach–Bliley Act, 2014). The GLBA also put into place safeguards governing the disclosure, and protection of consumers’ personal information (Gramm–Leach–Bliley Act, 2014). The following are requirements for passwords and user accounts:
-Each user must have a unique user id.
-Passwords must be changed on a regular basis.
-Passwords must be at least 6 characters using a combination of letters, numbers, and symbols.
-Passwords cannot be shared.
-Immediately deactivate the passwords and user accounts for terminated employees (Federal Trade Commission, 2006). Health Insurance Portability and Accountability Act (HIPPAA) and Health Information Technology for Economic and Clinical Health (HITECH) The Health Insurance Portability and Accountability Act of 1996 (HIPPAA) established national standards for electronic health care transactions and also addresses the security and privacy of health data (Health Insurance Portability and Accountability Act., 2014). HIPPAA security and privacy requirements were later strengthened by the Health Information Technology for Economic and Clinical Health (HITECH) Act, in 2009 (Dowdell, N.D.). HIPPA and HITECH require the following password and user account procedures to be in place when accessing a system containing personal health information:
-Passwords must be 8-10 characters and include at least 1 letter, 1 number, and 1 special character value (Trendmicro, 2012).
-Passwords must be renewed every 90 days (Trendmicro, 2012).
-System Administrators should specify a period of inactivity (in minutes) in which inactive users must re-authenticate to continue accessing the system (Trendmicro, 2012).
-Passwords should not be based on or contain usernames (Wyman, N.D.).
-Written down passwords should be stored in a secure location and not near the computer (Wyman, N.D.).

Summary The current Information Security Policy in place at Heart-Healthy Insurance regarding User Accounts and Passwords meets some, but not all of the requirements outlined in HIPPA, HITECH, GLBA, and PCI-DSS. In order to be compliant in all required areas it is recommended that the following additional requirements be added:
User Accounts: Each user must be assigned a unique ID for system access. Users will be required to re-authenticate after 30 minutes of inactivity. All user accounts must be deactivated immediately upon termination of employment.
Passwords: Passwords must include at least 1 letter, 1 number, and 1 special character. Passwords cannot be based on, or contain the user name. Passwords must be reset every 90 days. Passwords for new user accounts and reset passwords for existing user accounts must be a unique value and reset upon first use. A user’s identity must be verified before passwords are reset. Securing the personal information of Heart-Healthy Insurance’s clients and business partners is not only required by federal law requirement under the HIPPA, HITECH, GLBA acts, but it is also in the best interest of our clients and business partners. It is important for Heart-Healthy Insurance to participate and implement standards and best practices as defined in industry security standards such as PCI-DSS. As innovations in information technology continue to advance and the electronic storage, retrieval, and transmission of personal health information become more common, we must maintain the faith and confidence of our clientele and business associates that their personal data will be secured. By adopting the proposed changes to the Heart-Healthy Insurance Information Security Policy listed below, we can insure that Heart-Healthy Insurance is taking every precaution with personal health data and is in compliance with both Federal Law and industry standards and best practices.
Updated Heart-Healthy Insurance Information Security Policy
Updated New User Account Policy:
“Each user must be assigned a unique ID for system access. New users are assigned access based on the content of an access request. The submitter must sign the request and indicate which systems the new user will need access to and what level of access will be needed. A manager’s approval is required to grant administrator level access. Users will be required to re-authenticate after 30 minutes of inactivity while logged into any of Heart-Healthy Insurance’s Information Systems. All user accounts will be deactivated immediately upon termination of employment.”

Updated Password Requirements Policy:
“Passwords must be at least eight characters long and contain a combination of upper and lowercase letters, at least 1 number, and at least 1 special character. Passwords cannot be based on or contain the user’s username. Shared passwords are not permitted on any system. Passwords for new user accounts and reset passwords for existing user accounts must be a unique value and reset upon first use. Passwords must be reset every 90 days. When resetting a password, users cannot reuse any of the previous six passwords that were used. Users entering an incorrect password more than three times will be locked out for at least 15 minutes before the password can be reset. A user’s identity must be verified before passwords are reset.”

References

Dowdell, S. (N.D.) . The HITECH Act & HIPAA. ehow.com. Retrieved April 12, 2014 from http://www.ehow.com/facts_7384264_hitech-act-hipaa.html

Federal Trade Comission. (2006, April) . Financial Institutions and Customer
Information: Complying with the Safeguards Rule. Retrieved April 13, 2014 from http://www.business.ftc.gov/documents/bus54-financial-institutions-and-customer-information-complying-safeguards-rule

Gramm–Leach–Bliley Act. (2014, April) . wikipedia.com. Retrieved April 12, 2014, from http://en.wikipedia.org/w/index.php?title=Gramm%E2%80%93Leach%E2%80%93Bliley_Act&oldid=602731130

Health Insurance Portability and Accountability Act. (2014, April) . wikipedia.com.
Retrieved April 12, 2014, from http://en.wikipedia.org/w/index.php?title=Health_Insurance_Portability_and_Accountability_Act&oldid=603796422

PCI Security Standards Council. (2010, October) . Requirements and Security Assessment
Procedures v. 2.0 [PDF Document] . Retrieved April 12, 2014 from https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

Trend Micro, Inc.. (2012) . Addressing the Data Protection Requirements of the HITECH
Act [PDF Document] . Retrieved April 13, 2014 from http://www.mclellancreative.com/files/trend_micro_white_paper_hitech_compliance.pdf

Wyman, C. M. (N.D.) . HIPAA Password Requirements. ehow.com. Retrieved April 13,
2014 from http://www.ehow.com/list_7434736_hipaa-password-requirements.html