Benefits Technology Data Security Best Practices

Benefits Data Security: 9 Tech Questions You Should Be Asking

Benefits are all about protection, right?

You offer benefits to your employees to give them financial security and peace of mind so they can give your company their best work - unencumbered by the fear of a sickness or other emergency completely derailing their lives. Benefits ultimately protect your employees' health, wealth and happiness, which in turn protects the productivity and success of your business.

But as benefits management moves online for greater simplicity and efficiency, the idea of protection has extended. Today, a responsible benefits program protects employee health, wealth and happiness not only through the actual benefits you offer, but also through how you handle the capture and transfer of benefits data.

Since, in benefits management, you're dealing with personally identifiable information (PII) and protected health information (PHI), unsecured data can seriously damage your company - its brand, its reputation and, most importantly, its people. With such high stakes, you need to know that your benefits technology provider will keep your employees' sensitive information safe, regardless of when, where and with whom it is shared.

Here are nine questions you can ask your current or prospective benefits technology provider - and why to ask them - to help make sure your data security needs are covered.

1. What is your company's security philosophy?

A company large enough to handle group data should have a dedicated security and compliance team with documented philosophies on data security and compliance.

2. Do you have a security audit or attestation report on your company itself (not just a leased data center)?

Many vendors tout their Service Organization Controls (SOC) audits, but often these audits cover only the leased data centers, not the vendor's own operations. By asking the question this way, you can ensure that the controls and practices at the vendor's own facilities will keep your data safe.

3. Has the system been properly hardened?

System hardening minimizes security risk by removing or disabling all non-essential software programs and utilities on the system, so there is less for an attacker to exploit. It also protects the availability of the system during critical times of the year (e.g., open enrollment).

4. Is all data stored in your database encrypted at rest?

Encrypting data at rest is not a required security control for most data. You should ask anyway, because it is an expensive undertaking for the vendor, and doing it shows a commitment to protecting group information under all circumstances.

5. Is all data in motion inside the network encrypted in transit?

Like encryption at rest, encrypting data in transit is not strictly required, but it demonstrates the vendor's commitment to security.

6. Does your network provide warm failover as opposed to antiquated tape backups?

With natural disasters an ever-present threat, you need to know that your vendor is protecting your data with the most modern techniques available (i.e., keeping standby servers ready to take over immediately in the event of an emergency, rather than relying on restoring tape backups).

7. Is multi-factor authentication required for remote users to the internal network?

Many recent large-scale breaches could have been prevented with multi-factor authentication, in which a user is granted access only after successfully presenting two or more independent pieces of identification evidence. You need to ensure that your vendor's internal networks are safe for your data.

8. Do you have a team of security employees and a different team of compliance employees that concentrate only on those activities?

Proper security means having a team of employees focused on security year-round. Many smaller organizations lump several of these full-time roles into one or two people. To ensure your PII and PHI are secure, look for commitment in this area.

9. How often are your security and compliance systems audited, and by whom?

Enterprise security is a 24/7/365 activity, and the threat environment changes constantly. You need to know that the safety of your data will be regularly audited by your vendor, by its clients and by third-party auditing companies.

For more on specific questions you can ask to evaluate (or re-evaluate) the technology company you're entrusting with your benefits program, download your free copy of our Buyer's Guide to Effective Benefits Management Technology.