The U.S. Department of Labor (DOL) has recently expanded its cybersecurity guidance to encompass all employee benefit plans, including health plans, broadening the previous focus that was limited to ERISA retirement plans. This change means that health plan sponsors now face the task of aligning their cybersecurity practices not only with HIPAA/HITECH but also with the updated DOL standards. The goal is to provide a consistent, proactive approach to securing sensitive participant data, as well as ensuring ongoing risk management processes.
The DOL’s 12 recommended practices emphasize that cybersecurity is an ongoing responsibility, requiring regular updates and assessments. Below, we provide an overview of each key component:
- Formal Cybersecurity Program: Establish a detailed cybersecurity program that outlines policies and procedures to safeguard data against threats. This program should be regularly reviewed and updated to meet current best practices.
- Annual Risk Assessments: Conduct yearly assessments to identify and address vulnerabilities. Document risks, evaluate controls, and implement adjustments to stay ahead of evolving threats.
- Incorporating Penetration Testing: As part of these assessments, plan sponsors should conduct regular penetration testing (pen testing) to simulate real-world cyberattacks. Pen testing identifies exploitable vulnerabilities that may not surface in traditional risk assessments, allowing organizations to proactively address security gaps.
- Third-Party Security Audits: Arrange for an independent, third-party audit each year to assess security measures objectively. This ensures potential weaknesses are addressed and security practices remain effective.
- Defined Security Roles and Responsibilities: Clearly assign cybersecurity roles to qualified personnel, such as a CISO, who will oversee the program. Staff should be trained and certified in relevant cybersecurity practices.
- Access Control Procedures: Limit access based on roles and use multi-factor authentication where possible. Regularly review user permissions to ensure only necessary access is granted.
- Third-Party Provider Security Reviews: Regularly assess and review the security practices of third-party vendors managing plan data. Establish security requirements in contracts, including encryption and data access protocols.
- Cybersecurity Awareness Training: Provide annual cybersecurity training to all staff. Focus on recognizing and responding to common threats like phishing and identity theft attempts.
- Secure System Development Life Cycle (SDLC): Incorporate security protocols into every stage of system development. Conduct regular testing and reviews to identify vulnerabilities in new software.
- Integrating Pen Testing in SDLC: Beyond development stages, pen testing should be applied to new systems before deployment to identify weaknesses and ensure robust security from the start.
- Business Resiliency and Incident Response: Develop and annually test plans for disaster recovery and incident response. Set clear roles and protocols to ensure quick, effective responses to cybersecurity incidents.
- Data Encryption: Use strong encryption for data in storage and during transmission to protect it from unauthorized access. Keep encryption methods updated to current standards.
- Technical Security Controls: Implement security controls like firewalls, antivirus software, and system hardening measures. Perform regular updates and network segmentation to secure data.
- Complementing Controls with Pen Testing: Technical security controls should be validated through periodic pen testing to ensure they effectively deter or mitigate cyberattacks.
- Incident Response Protocols: Prepare a detailed response plan for cybersecurity incidents, including notification protocols for affected individuals. Address any vulnerabilities to prevent recurrence.
Distinctions Between DOL Guidance and HIPAA/HITECH
While HIPAA/HITECH regulations focus primarily on protecting the privacy and security of health data, the DOL guidance goes further by introducing specific protocols tailored to managing cybersecurity risks for employee benefit plans. For instance, the DOL calls for more rigorous monitoring and annual auditing practices that address the broader cybersecurity environment, affecting the full spectrum of health plan operations.
Key Takeaway: Cybersecurity is an Ongoing Obligation
The most critical aspect of the DOL’s updated guidance is that cybersecurity management is not a “one-and-done” task. Health plan sponsors must integrate these practices into their ongoing operations, performing annual reviews, assessments, and updates to their cybersecurity measures. This continual attention to cybersecurity is essential for managing emerging threats effectively and upholding the fiduciary responsibilities required under ERISA.
For health plan sponsors, the message is clear: adopting the DOL’s guidance is not only about compliance but about proactively protecting plan participants’ sensitive information.
Check out the DOL’s official Press Release to learn more about the updated guidance. And if you need further guidance or have any questions on this topic, we are here to help. Please do not hesitate to reach out to discuss your specific situation.
This material has been prepared for general, informational purposes only and is not intended to provide, and should not be relied on for, tax, legal or accounting advice. Should you require any such advice, please contact us directly. The information contained herein does not create, and your review or use of the information does not constitute, an accountant-client relationship.