Security

This page is provided to answer questions asked in RFPs regarding the security practices and policies within BenefitElect. This page is reviewed annually.

BenefitElect Security Policy

BenefitElect’s internal security policy documents are a work in progress and have not yet been completed. The policies they contain are loosely based on the NIST framework and are reviewed annually.

BenefitElect Attestations and Certifications

Anyone examining security matters understands that a company cannot rely upon the security certifications and attestations of the company hosting its environment. For full disclosure, BenefitElect does not maintain any third-party certifications, audits or attestations. However, we do undergo periodic third-party HIPAA audits. The results of these audits are not published, but any remediation they require is handled swiftly. We also use other methods to mitigate security problems.

Penetration Testing

BenefitElect does not hire third-party penetration testing services.

Vulnerability Scanning

BenefitElect uses Nessus to scan our environments for vulnerabilities weekly; remediation is handled by our internal IT department.

Internal Responsibility

Presently, the person ultimately responsible for security is: Ken Fayal, CTO, kfayal@benefitelect.com

Our Security Officer is: Ken Adams, kadams@benefitelect.com

We keep up with security initiatives and stay current with the threat landscape by subscribing to a few well-known newsletters from SANS.org.

BenefitElect Geographical/Physical Structure

The structure of the company is such that we have a location in Bend, Oregon where our employees work. However, the system and data are hosted in the Amazon AWS Cloud environment. Connectivity between our main office in Bend, Oregon and the Amazon AWS Cloud environment is protected by a secure VPN, and firewalls are utilized at both locations.

AWS Cloud Environment

BenefitElect utilizes the following AWS services, on which we host our system and data: EC2, S3, SES, SQS, Lambda and Route 53 (for domain hosting).

AWS Security Documentation

AWS maintains many certifications and attestations from multiple standards all over the world. Details on these certifications and attestations can be found on the website below:

https://aws.amazon.com/compliance

Additionally, Amazon AWS provides a general security page describing various aspects of the subject at:

https://aws.amazon.com/security

Home Office Environment

BenefitElect’s home office utilizes a 24/7 security system for fire and intrusion detection. A device is required for entry into our offices, and entry logging is maintained for at least 6 months and reviewed monthly. Visitors are logged and escorted. No CCTV cameras are present at our office location.

Our internal servers are separated from the main office by further physical security. Only authorized personnel have physical access to the server area.

Wireless Networking

We operate a wireless network inside our home office; it does not have access to resources on our internal network.

Anti-Virus/Anti-Malware

All workstations connected to our internal network are protected by a centrally controlled, leading business anti-virus and anti-malware system.

Password Policy

Our current domain password policy requires that a password be at least 7 characters in length and contain at least one uppercase letter, one lowercase letter and one numeric character.

Workstation Policy

Our internal domain workstations are also centrally monitored by our IT department. Updates to workstations are performed weekly. Employees are expected to lock their workstations when they leave the vicinity of their desks.

Removable Media

Removable media is generally prohibited by domain security policy, but special access can be granted on an as-needed basis.

Destruction of Notes Containing Client Data

In the course of the workday, notes are occasionally made on sticky pads and pads of paper regarding specific client issues. Our internal BenefitElect employees are expected to destroy these paper records via our shredding bin service as soon as they are no longer needed. Client data of this sort is not to be left on a desk overnight; instead it must be locked in the employee’s locking desk drawer.

BenefitElect Human Resource Security

We recruit from a known talent pool and rely on previous experience as well as trusted references to ensure we are hiring the right people.  We go through onboarding procedures and require all employees to undergo online HIPAA courses through Litmos.com, regardless of access to client data.

BenefitElect does not utilize background screening or recurring background screenings of employees.

Passwords

Passwords are initially assigned to new employees for the various systems the employee will require to perform their duties. Initial passwords must be changed upon the employee’s first login, and passwords must be changed every 40 days thereafter.

Client Data Access

We utilize a “least privilege” philosophy to enforce client data security. This safeguard enforces our internal policy that no employee shall have access to data to which they do not need access. We do this through Windows Domain security policies and Amazon AWS IAM security policies. Internal analysts who are given access to client data must first complete the online HIPAA course mentioned previously.

Security Awareness Program

February is the BenefitElect Annual Security Month.  All employees are subject to annual security awareness training.  The security awareness training covers topics such as:

• Physical access security

• Workstation security

• Password policy

• Phishing and social engineering topics

• Current events in the threat landscape

• Data privacy

Termination Policy

Employees who knowingly violate security policies are terminated. Employees who unknowingly violate security policies are given a verbal and/or written warning about the violation.

Employees who are terminated from employment, for whatever reason, have their physical access and network/system access revoked immediately.

Incident Management

You will find our incident management and communication requirements defined in our HIPAA Business Associate agreement that will be executed upon engagement.

 

As of the time of this writing, we have had 0 security incidents in the past 12 months.

BenefitElect Access Control

Passwords are required for all systems.

Remote Desktop Access

Employees can be given remote access to their company desktops on an as-needed basis. Presently, multi-factor authentication is not enforced on remote access. Remote access is encrypted with TLS and is also logged on the Terminal Services Gateway server. Presently, this access log is maintained indefinitely and reviewed monthly.

Access to Amazon AWS Resources

Access to the Amazon AWS Console requires multi-factor authentication. Access to EC2 instances via the RDP protocol can only be accomplished from inside our internal network because of the firewall policies in place.

Transmitted Data

By the nature of our business, we regularly transmit client data that can be classified as NPI, PII and PHI to the various payroll systems, insurance carriers and databases to which our clients have contracted us to send it. At the forefront of this kind of data are individual Social Security Numbers and enrollment information in health plans. However, no data of this sort is transmitted to, accessed by or received by countries outside of the United States, and no data is transmitted or disclosed to any third parties.

Vendors/Contractors

Any vendors or contractors that must have access to client data must engage with BenefitElect via a HIPAA Business Associate Agreement, whereby they agree to be held to the same security standards as BenefitElect.

Data Accuracy

Data accuracy is the very core of what we do at BenefitElect. Without it we could not stay in business, nor gain the word-of-mouth referrals and customer retention rates that we enjoy. Every client expects BenefitElect to maintain data accuracy, and we take it very seriously. All incidents where clients have concerns about data accuracy are handled by an internal analyst and resolved immediately.

Data Retention

Client data is retained indefinitely or as specified by our clients. However, upon termination of a client engagement, all client data is destroyed. Any data on paper is destroyed via our locked shred bin service, and any digital data must be deleted from electronic data stores.

Data Privacy

General Cloud Security Topics

Data Segregation

Each client’s data is housed in its own SQL relational database. These databases are only accessible by internal BenefitElect employees who need to access the data to perform their duties.

Data Encryption

Client data is encrypted “in flight” via the SSL protocol and encrypted at rest via AES-256. Key management is accomplished through FIPS 140-2 approved algorithms and logical security controls. Clients are not given an option on encryption keys or on where their data is stored. Through authentication protocols, our internal BenefitElect employees who have access can see the data unencrypted but do not have access to the encryption keys.

Failover Environment

A “cold” failover environment is maintained in a different physical location in the Amazon AWS environment. This cold failover environment can be enabled within 4 (four) hours of a disaster.

Insurance

BenefitElect maintains a standard business E&O policy, but has not yet secured a Cyber Liability and Data Breach policy.

Financial Audit

Because of the size of our company, we have not encountered a situation that would warrant a financial audit. However, we have a CPA on staff to ensure that the company is following generally accepted accounting principles.

BenefitElect ©2019