This page is provided to answer questions asked in RFPs regarding the security practices and policies within BenefitElect. This page is reviewed annually.
BenefitElect Security Policy
BenefitElect’s Internal Security Policy documents are a work in progress and have not yet been completed. The policies therein are loosely based upon the NIST framework and are reviewed annually.
BenefitElect Attestations and Certifications
Anyone examining security matters understands that a company cannot rely upon the security certifications and attestations of the company hosting their environment. For full disclosure, BenefitElect does not maintain any third-party certifications, audits or attestations. However, we do undergo periodic third-party HIPAA audits. The results of these audits are not published, but rest assured that any remediation is handled swiftly. We also use other methods to mitigate security problems.
BenefitElect does not hire third-party Penetration Testing services.
BenefitElect uses Nessus to scan our environments weekly for vulnerabilities, and remediation is handled by our internal IT department.
Presently, the person ultimately responsible for security is: Ken Fayal, CTO, firstname.lastname@example.org
Our Security Officer is: Ken Adams, email@example.com
We keep up with security initiatives and stay current with the threat landscape by subscribing to a few well-known newsletters from SANS.org.
BenefitElect Geographical/Physical Structure
The structure of the company is such that we have a location in Bend, Oregon where our employees work. However, the system and data are hosted in the Amazon AWS Cloud environment. Connectivity between our main office in Bend, Oregon and the Amazon AWS Cloud environment is protected by a secure VPN and firewalls are utilized at both locations.
AWS Cloud Environment
BenefitElect utilizes the following AWS services on which we host our system and data: EC2, S3, SES, SQS, Lambda and Route 53 (for domain hosting)
AWS Security Documentation
AWS maintains many certifications and attestations from multiple standards all over the world. Details on these certifications and attestations can be found on the web site below:
Additionally, Amazon AWS provides a general security page describing various aspects of the subject at:
Home Office Environment
BenefitElect’s home office utilizes a 24/7 security system for fire and intrusion detection. A device is required for entry into our offices, and entry logging is maintained for at least 6 months and reviewed monthly. Visitors are logged and escorted. No CCTV cameras are present at our office location.
Our internal servers are separated from the main office by further physical security. Only authorized personnel have physical access to the server area.
We utilize a wireless network inside our home office which does not have access to resources on our internal network.
All workstations connected to our internal network are protected by a centrally controlled leading business anti-virus and anti-malware system.
Our current domain password policy requires that passwords be at least 7 characters in length and contain at least one uppercase letter, one lowercase letter and one numeric character.
Our internal domain workstations are also centrally monitored by our IT department. Updates to workstations are performed weekly. Employees are expected to lock their workstations when they leave the vicinity of their desks.
Removable media is generally prohibited by domain security policy, but special access can be granted on an as-needed basis.
Destroying of Notes Containing Client Data
In the course of the workday, notes regarding specific client issues are occasionally made on sticky pads and pads of paper. Our internal BenefitElect employees are expected to destroy these paper records via our shredding bin service as soon as they are no longer needed. Any client data of this sort is not to be left on a desk overnight; instead, it must be locked in the employee's locking desk drawer.
BenefitElect Human Resource Security
We recruit from a known talent pool and rely on previous experience as well as trusted references to ensure we are hiring the right people. We go through onboarding procedures and require all employees to undergo online HIPAA courses through Litmos.com, regardless of access to client data.
BenefitElect does not utilize background screening or recurring background screenings.
Passwords are initially assigned for new employees for the various systems that will be required by the employee to perform their duties. Initial passwords are required to be changed upon the first login by the employee, and are required to be changed every 40 days.
Client Data Access
We utilize a “least privilege” philosophy to enforce client data security. This safeguard enforces our internal policy that no employee shall have access to data to which they do not need access. We implement it through Windows Domain security policies and Amazon AWS IAM security policies. Internal analysts who are given access to client data must first complete the online HIPAA course mentioned previously.
Security Awareness Program
February is the BenefitElect Annual Security Month. All employees are subject to annual security awareness training. The security awareness training covers topics such as:
• Physical access security
• Workstation security
• Password policy
• Phishing and social engineering topics
• Current events in the threat landscape
• Data privacy
Employees who knowingly violate security policies are terminated. Employees who unknowingly violate security policies are given a verbal and/or written warning about the violation.
Employees who are, in general, terminated from employment have their physical access and network/system access revoked immediately.
You will find our incident management and communication requirements defined in our HIPAA Business Associate agreement that will be executed upon engagement.
As of the time of this writing, we have had 0 security incidents in the past 12 months.
BenefitElect Access Control
Passwords are required for all systems.
Remote Desktop Access
Employees can be given remote access to their company desktops on an as-needed basis. Presently, multi-factor authentication is not enforced on remote access. Remote access is encrypted with TLS and is also logged on the Terminal Services Gateway server. Presently, this access log is maintained indefinitely and reviewed monthly.
Access to Amazon AWS Resources
Access to the Amazon AWS Console requires multi-factor authentication. Access to EC2 instances via the RDP protocol can only be accomplished from inside our internal network because of firewall policies in place.
By the nature of our business, we regularly transmit client data that can be classified as NPI, PII and PHI to various payroll systems, insurance carriers and databases, as contracted by our clients. At the forefront of this kind of data are individual Social Security Numbers and enrollment information in health plans. However, no data of this sort is transmitted to, accessed or received by countries outside of the United States, and no data is transmitted or disclosed to any third parties.
Any vendors or contractors that must have access to client data must engage with BenefitElect via a HIPAA Business Associate Agreement, whereby they agree to be held to the same security standards
Data accuracy is the very core of what we do at BenefitElect. Without it, we could not stay in business or gain the word-of-mouth referrals and customer retention rates that we enjoy. Every client expects BenefitElect to maintain data accuracy, and we take it very seriously. All incidents where clients have concerns about data accuracy are handled by an internal analyst and resolved immediately.
Client data is retained indefinitely or as specified by our clients. However, upon termination of a client engagement, all client data is destroyed. Any data on paper is destroyed via our locked shred bin service, and any digital data must be deleted from electronic data stores.
General Cloud Security Topics
Each client’s data is housed in their own SQL relational database. These databases are only accessible by internal BenefitElect employees who need to access the data to perform their duties.
Client data is encrypted “in flight” via the SSL protocol and encrypted at rest via AES-256. Key management is accomplished through FIPS 140-2 approved algorithms and logical security controls. Clients are not given a choice of encryption keys or of where their data is stored. Through authentication protocols, our internal BenefitElect employees who have access can see the data unencrypted but do not have access to the encryption keys.
A “cold” failover environment is maintained in a different physical location in the Amazon AWS environment. This cold failover environment can be enabled within 4 (four) hours of a disaster.
BenefitElect maintains a standard business E&O policy, but has not yet secured a Cyber Liability and Data Breach policy.
Because of the size of our company, we have not encountered a situation that would warrant a financial audit. However, we have a CPA on staff to ensure that the company is following generally accepted accounting principles.