Information security is vital to the Marketplaces. The goal of an information security program is to understand, manage, and reduce the risk to information under the control of the organization.
Information security refers to the protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.
There are three key elements to protecting information:
Confidentiality: Protecting information from unauthorized disclosure to people or processes.
Availability: Defending information systems and resources from malicious, unauthorized users to ensure accessibility by authorized users.
Integrity: Assuring the reliability and accuracy of information and information technology (IT) resources.
Threats and vulnerabilities put information assets at risk.
A threat is the potential to cause unauthorized disclosure, changes, or destruction to an asset. Impacts of a threat can include a potential breach in confidentiality, a potential breach in integrity, and the unavailability of information. There are different types of threats. Threats can be natural, environmental, and man-made.
A vulnerability is any flaw or weakness that can be exploited and could result in a breach or a violation of a system’s security policy.
A risk is the likelihood that a threat will exploit a vulnerability. For example, a system may not have a backup power source; hence it is vulnerable to a threat such as a thunderstorm. The thunderstorm creates a risk to the system.
It is essential that computers used to conduct business in the Federally-facilitated Marketplaces are protected from harmful computer programs, applications, and malware. As an agent or broker, it is your responsibility to ensure that the computer you use to access a Federally-facilitated Marketplace is regularly updated with the latest security software to protect against any cyber-related security threats.
Malware, short for malicious software, is software designed to harm or secretly access a computer system without the owner's informed consent. It is a generic term used by computer professionals to mean a variety of forms of hostile, intrusive, or annoying software or program code. Malware is also known as pestware.
Types of malware include:
To best protect your computer, ensure that your system has up-to-date malware protections installed.
Anti-virus software is a computer program that identifies and removes computer viruses and other malicious software like worms and trojan horses from an infected computer. It also protects the computer from further virus attacks.
Anti-virus software compares every file on a computer against the virus definitions stored in its virus dictionary: a built-in file that contains code identified as a virus by the anti-virus authors.
You should regularly run an anti-virus program to scan and remove any possible virus attacks from a computer. Most commercially-available anti-virus software automatically provides virus updates daily.
Anti-spyware can also provide real-time protection against the installation of spyware on your computer. This type of spyware protection works like anti-virus protection by scanning and blocking all incoming network threats. It also detects and removes spyware that has already been installed on the computer. Anti-spyware scans the contents of the Windows registry, operating system files, and installed programs on the computer and provides a list of any threats found.
Agents and brokers can apply certain controls to protect information within the Marketplace. Controls are policies, procedures, and practices designed to manage risk and protect IT assets.
Common examples of controls include:
There are steps agents and brokers can take to help promote information security in the Marketplaces.
Patches are updates issued by the vendor that fix a particular problem or vulnerability within a software program. Patch management is a critical business function for effective data risk management.
To mitigate the impact of any potential attacks, agents and brokers should ensure the operating systems and applications on their computers remain patched with the latest security updates from their vendors.
In addition to the security consequences of not installing the most recent patches to your system, recovery from attacks and infections can be expensive and prolonged. To limit risk and vulnerability, pay attention to security alerts and conduct patch management systematically. Schedule patching activities as a regular part of your business routine, and allow flexibility for emergencies.
In addition to protecting your computer and related systems, it is critical that you protect various media forms as well.
Security incidents are a potential threat to the integrity of PII. A security incident occurs when there has been an attempted or successful unauthorized access, use, disclosure, modification, or destruction of data; or interference with system operations in an information system.
Examples of security incidents include:
When the security incident involves the actual or even suspected loss of PII, that incident is considered a privacy breach.
Agents and brokers should have documented procedures for incident handling and breach notification. These procedures should address how to:
Consistent with federal law, an agent or broker must report all PII incidents to the Marketplace, and make reasonable efforts to mitigate such incidents.
Any incident involving the loss or suspected loss of PII should be reported in accordance with health insurance issuer requirements or state laws in which an agent or broker operates.
Additionally, if the incident involves a possible improper inspection or disclosure of federal tax information (FTI), the individual making the observation or receiving information should contact the office of the appropriate Special Agent-in-Charge, Treasury Inspector General for Tax Administration (TIGTA), and the Internal Revenue Service (IRS). Agents and brokers in the Individual Marketplaces may possibly encounter FTI when assisting with an eligibility appeal. Remember, FTI may not be disclosed to anyone without proper authorization.
The organization that experiences a breach must determine whether or not to provide notice to individuals whose data has been lost or breached, and will bear any costs associated with the notice or any necessary mitigation actions.
Agents and brokers are required to be trained to assist consumers with the application and decision-making process. Using an agent to enroll in an ObamaCare health plan will be the primary choice of many Americans. After all, agents have the inside track on companies and their promptness in handling claims and paying benefits in a timely fashion.