Cybersecurity Best Practices for Insurance Agents

You receive an email from Susan, a carrier representative that you’ve talked to before, but it seems… off. You notice she’s sending from a different email address than usual. Do you open the attachment she’s sent?

Alarmingly, according to the Cybersecurity & Infrastructure Security Agency (CISA), Americans’ private health data is worth up to 20 times the value of financial data on the dark web. That makes the health and public health sector, which agents selling health insurance are a part of, a primary target for cybercriminals.

Listen to this article:

Cybersecurity threats have been on the rise since the pandemic, so it’s critical for you to adhere to cybersecurity best practices for insurance information, for not only your sake, but your clients’ as well. We developed the following guidelines with help from our IT department. Two of our members hold the CISSP designation, a globally recognized certification specializing in securing the storage and transfer of highly sensitive data, so it’s safe to say we take this subject seriously! Follow these best practices, and you’ll be equipped to keep attacks at bay.

Why Cybersecurity Is Important

Not only are you morally bound to protect your clients’ sensitive information, but you’re legally bound, too.

PII & PHI

The number one reason to have strong cybersecurity for your business is to protect your clients’ personal identifying information (PII) and protected health information (PHI). PII includes anything that can trace an individual’s identity, like Social Security Number and address, while PHI, a subset of PII, includes additional identifiable health information that is protected by law, like insurance information and medical records.

Cybercriminals steal PHI to sell on the dark web for a healthy profit (up to $1,000 per full medical record). Then the purchasers, or the cybercriminals themselves, can use the information to purchase medical equipment or drugs (often to resell), receive expensive medical procedures, or commit extortion, fraud, identity theft, or data laundering.

Cyberthieves steal PHI to sell on the dark web for a healthy profit (up to $1,000 per full medical record).

Your clients trust you to do all you can to protect their PHI and PII. If subjected to PHI and PII theft, your client could spend months, or even years, rectifying the damage. They might have to prove to medical providers that claims were fake or that they didn’t receive expensive procedures. They might have to report an incident to the local police department and Federal Trade Commission. And don’t forget the potential headache of working with financial account providers to prove fraudulent activity and recover your credit score. It’s not a bad idea to ask your clients whether they have identify theft protection services.

You’re Legally Obligated

Congress is serious about protecting sensitive information. In 1996, they passed the Health Insurance Portability and Accountability Act (HIPAA) that created national standards for privacy and protection in the insurance and medical industries. They’ve since added more layers to the act, including the HIPAA Privacy Final Rule in 2000, Security Standards Final Rule in 2003, and the Omnibus HIPAA Final Rule that implements certain provisions of the Health Information Technology for Economic and Clinical Health (HITECH) Act. All these regulations work together to provide safeguards for your clients’ information.

Read what insurance agents are responsible for under HIPAA

Besides being bound under U.S. law to protect data, you’re obligated as part of your agreements with insurance companies and organizations. As part of HIPAA compliance, carriers incorporate privacy and security compliance requirements into their business associate agreements, i.e., the contract you sign to sell their products. Don’t gloss over this part of the contract. Read it thoroughly and understand what the carrier requires of you.

How Insurance Agents Can Boost Cybersecurity

Unfortunately, there’s no magic wand you can wave for strong cybersecurity. Creating a fortified citadel is about building many layers of protection and implementing such measures can take time and effort. Focus on one layer at a time and build up your protection gradually, as you can. If you’re just starting out as an agent, consider these best practices in your business planning before you start seeing clients.

Purchase Anti-Virus/Anti-Malware Software

Malware, or malicious software, is any program or file, like a virus, that is harmful to a computer user and can cause problems, including loss of data, leaking of sensitive information, disrupting daily operations, locking up important files, and spam. These problems can lead to identity theft, fraud, and even irreparable damage to equipment and brand.

Anti-malware software scans a computer system to prevent, detect, and remove malware, and it’s important that you have this software on your devices. We suggest you do your own research when choosing this software, but keep these criteria in mind when choosing a provider:

• Price and your budget
• Support options
• Documentation for troubleshooting
• Availability of instructional materials (how-to’s)
• Reputation in the community

Keep Your Software Updated

Keeping the software on your phones, laptops, and desktop computers up to date ensures that you’re using the most recent and secure version available. Your device will likely prompt you to update your software when a new version is released. Once your device can no longer support updates, it’s reached its end-of-life (EOL) date and is a security vulnerability. You can easily find information online about whether your device is still supported. Before your device reaches the EOL date, it’s time to shop for a new phone, laptop, or desktop computer.

Encrypt Your Data

Encryption of your data can protect information kept on your devices (data at rest) and information sent to others (data in motion). When encrypted, your data is scrambled by an algorithm so that anyone trying to intercept that data won’t be able to read it.

Data at Rest

Modern operating systems offer full-disk encryption to protect the data that lives on your devices. Mobile smartphones, Windows, MacOS, and even Linux have pre-installed solutions to secure your data free of charge. This ensures that, if your hard drives are stolen, the data on them is protected. This option should be turned on or enabled, whenever available, in your device’s settings.

Data in Motion

Data that you’re sending online also needs encryption. For example, let’s say you sign up for your medical provider’s online portal. Is your very sensitive PHI being securely sent to the company, or could hackers easily poach your information in transit?

When using web browsers, look at the URL closely. Does it have https or http at the beginning? Does it have a lock icon? Only websites using https (the s stands for secure) and/or that have a lock icon are encrypting their data in transit (although this doesn’t ensure the entire site is safe). Avoid sites that only use http in their URL. Also keep an eye on what the domain name is in the URL. You could easily fall victim to a cyberattack that uses easy-to-miss typos. Consider Google.com vs. Goog1e.com. Can you spot the difference? Submit your data through one of these fraudulent sites, and you’ve sent your info right to the cybercriminal.

Any emails you send with PHI or PII need encryption. Sending an email from your Outlook, Yahoo, AOL, or Gmail account is not automatically encrypted.

As an agent, you probably rely heavily on email. Email can be a major cybersecurity liability if you don’t follow best practices. Any emails you send with PHI or PII need encryption. Sending an email from your Outlook, Yahoo, AOL, or Gmail account is not automatically encrypted. You must use encryption software to do this, and we encourage you to do your own research and select the best option for your budget. Start with an online search for “best email encryption software solutions.”

Maintain Good Password & Login Hygiene

Good password and login management adds an essential layer of protection to your fortress. Think of all the passwords you use with different carrier portals!

What Makes a Password Strong

With passwords, length is king. Making your passwords 16 characters or longer will create better layers of protection. Complexity takes a back seat to length, although you can strengthen your long passwords by using a random combination of upper- and lower-case letters, numbers, and special characters. Itakeawalkdowntheroadandseeabeautifulbirdandwanttosing is a far stronger password than g7Fj*3, which would take a password-cracking software less than a second to figure out.

It can be tempting to recycle or reuse passwords if you’re afraid you won’t remember all of them. However, each of your logins should have a totally unique long password. If your device or an account came with a default password, change it as soon as possible.

Follow these do’s and don’ts for creating strong passwords:

Password Managers & Generators

If you use a unique password for each of your logins, how will you keep them all straight?! We don’t expect you to remember 25 separate 16-character passwords. That’s where a password manager comes in.

A password manager stores your login information, which you can then access with a master password. Instead of remembering 25 unique passwords, you only need to remember one, since accessing your vault of saved passwords and selecting the one you need to login to an account will autofill the information. When choosing a manager, research thoroughly and consider whether they’ve been breached, what was their response, and how do they ensure your data stays safe. Password managers should utilize industry standard or greater encryption standards and be transparent about how they secure your data.

Password managers should utilize industry standard or greater encryption standards and be transparent about how they secure your data.

You can also rely on password software to generate passwords for you, taking even more effort out of the equation.

Multi-Factor Authentication

After you put in your username and password, a login may ask you to enter a code they text or email to you for verification. That’s multi-factor authentication (MFA), and it’s another key to strengthening your cybersecurity. If there’s ever an option to opt-in for MFA — do it! This is an easy and quick way to add layers of protection.

We’ve added MFA to Ritter’s Platform login so you can feel secure when using our technology. When you first log in to the Platform, you’ll be prompted to enter a code that you can receive through text or email. MFA is automatically turned on, so you don’t have to worry about opting in.

When available, non-SMS-based MFA (non-text-message-based MFA) should be used, since it’s more secure; however, any MFA is better than no MFA. If SMS-based MFA is the only option, turn it on!

Log Out When You’re Done

When you’re done using a certain account, log out of it. If you don’t, hackers could possibly highjack your session and have access to your account, easily pretending to be you on whatever service you’re still logged into.

Guard Mobile Devices

Mobile devices (e.g., phones, smart watches) are just as vulnerable as our laptops and desktops. Keeping these devices secure is just as important as securing your other devices.

To add layers of protection to your mobile device, make sure you have:

• A PIN/biometrics for login — Ensure your data is kept private by creating a secure PIN, unlock shape, or scanned biometrics. By locking your devices, you maintain physical security of your data from any malicious actors.
• Short lockout timers — Even the savviest users have human habits, including putting your phone down without locking it. If a lockout timer is not set, this leaves your data and your clients’ data up for grabs. Using short (< 1 minute) lockout timers minimizes this risk greatly.
• Full-disk encryption — Android and iOS phones come with built-in mobile device encryption. Again, keeping your data encrypted protects it against theft. Even if an attacker has physical control of your phone, the data on it is useless if kept encrypted behind a strong unlock password or PIN code.
• Encrypted emails — If you plan to use email on your phone, make sure you have the same encryption capabilities in place as you do on your other devices. If you don’t, wait until you’re at your laptop or desktop computer to send an email containing PHI or PII.

Secure Physical Devices

Don’t leave your devices unattended, especially in public. If you work in an office and from a laptop, don’t leave your laptop at the office overnight. Take it home at the end of the day. If you’re in the office and need to use the bathroom, lock your computer before walking away. If you’re working from a Starbucks (which we caution against below) and need to use the bathroom, it may seem silly, but pack up and take your laptop with you.

Consider Internet Access & Networks

Protecting your device and client data also means protecting how your device connects to the internet. You have some options, with a secure, private network being the best.

Secure Wi-Fi & Hardwired Internet

When possible, conduct business on a network you trust (e.g., your office, your home, a network you control). If you do not control the network, you should assume it’s a minefield and keep business functions to a minimum. Open, unrestricted, and public Wi-Fi networks (e.g., at Starbucks or McDonalds) are not secure locations to do business. Data submitted to a CRM on an open Wi-Fi network, for example, could be easily poached by someone else using the same network.

If you do not control the network, you should assume it’s a minefield and keep business functions to a minimum.

Virtual Private Networks

Virtual private networks (VPNs) are a way internet users can establish a protected network connection when using public networks. Picture yourself holding a package of data. VPNs protect your data by creating an encrypted tunnel between you, your VPN provider, and the destination website. This tunnel ensures that anyone else on the untrusted network cannot read your data.

Using a VPN comes down to your comfort level with risk and whether you trust the VPN you’re using. If the VPN is provided and maintained by your employer, for example, then you can likely trust it’s secure. If it’s a VPN through a third-party provider, only you can decide if you trust that VPN enough to do business over it. Either way, we recommend keeping the exchange of PHI and PII to a minimum when using a VPN. Wait until you’re back on a secure private network to update that client’s file on your CRM or send an encrypted email or handle any PHI or PII!

Wait until you’re back on a secure private network to update that client’s file on your CRM or send an encrypted email or handle any PHI or PII!

Fine Tune Your Phishing Radar

Phishing, or the fraudulent practice of making calls or sending emails or other messages posing as a reputable company to steal sensitive data, is a very common type of cyberattack. Remember the email from Susan with the suspect attachment? That’s an example of phishing. (Don’t open the attachment, by the way!) Ever received a text from “Amazon” wanting you to click on a link to verify your account? That’s likely also phishing.

Knowing how to spot phishing can be very useful for you and your clients, especially since scammers tend to target older populations. When you receive an email, even from a trusted contact, take a couple seconds to go through this checklist:

• Is this email from the same address they always use? If the sender typically uses Gmail and is now using Ymail, be suspicious.
• Does this sound like them? Ask yourself if the email’s content or tone sounds normal or if something seems off (e.g., grammar, spelling, context, subject).
• If the email is a response, is this a response from a recent email? Attackers can use old emails to reestablish communications, for example, by replying to an email from two years ago.
• Did I ask for or should I expect an attachment? If you do not expect an attachment or the attachment has a non-standard file format (e.g., .exe, .vbs, .py), this should raise concern.
• If there are links, where will they take me? Hovering over links before clicking shows the destination. If you receive a link for Home Depot products but hover over the link to reveal a Lowe’s destination, this is not normal and should be considered malicious.

With a fine-tuned radar for phishing, you’ll be able to stop attackers in their tracks. When in doubt, contact the company, carrier rep, or client by some other means than email to verify the claims made in the suspicious email, message, or phone call.

One Layer at a Time

All these different layers of protection can quickly get overwhelming. Remember, start with one and then build up more gradually. We recommend starting with some simple wins, like checking to make sure your full-disk encryption is activated on your laptop, seeing if your device is up to date, or going into an online account and turning on MFA. Then turn your attention to bigger projects, like overhauling your passwords or installing email encryption software. Create manageable goals, like updating the passwords on three accounts per day. Adding one guard at a time instead of a whole army all at once will make the whole process much easier.

Cybersecurity is extremely important and deserves your attention. If you do the heavy lifting and set yourself up for success at the start or now during the slower season, you’ll be able to focus more on your business later during busy times of the year. But remember, vigilance is a year-round responsibility, so get started now with one layer of protection. Before you know it, your defenses will deter attackers looking for low-hanging fruit.

We’re here if you have questions! Reach out to [email protected] and check out our page on Ritter Docs for more info.