In a move aimed at enhancing the security of sensitive participant data, earlier this year the U.S. Department of Labor (DOL) broadened its cybersecurity guidance to cover all employee benefit plans, including health plans. Previously, the DOL’s guidance focused solely on ERISA retirement plans, leaving health plans outside the scope.

With this year’s new expansion, health plan sponsors must now align their cybersecurity practices with updated DOL standards, as well as existing regulations like HIPAA and HITECH. This shift reflects a growing recognition of the risks posed by cyber threats and the need for robust, proactive measures to protect participant data.

The goal of these updated guidelines is to provide a consistent, comprehensive framework for managing cybersecurity risks across employee benefit plans. Health plan sponsors now face the challenge of integrating these practices into their existing operations, ensuring that they not only meet HIPAA/HITECH requirements but also adhere to the DOL's expanded guidance. The ultimate objective is to create a secure environment for sensitive data while maintaining ongoing risk management processes to stay ahead of evolving threats.

The DOL's 12 Recommended Cybersecurity Practices

To help plan sponsors meet this challenge, the DOL has outlined 12 key practices that must become part of an ongoing cybersecurity strategy. These recommendations emphasize the need for continuous improvement and adaptation in the face of rapidly changing cyber risks:

1. Formal Cybersecurity Program

The first step in complying with the DOL's guidelines is to establish a comprehensive cybersecurity program. This program should be designed to outline specific policies and procedures for safeguarding sensitive data. It must be regularly reviewed and updated to reflect current cybersecurity threats and best practices. A formal program ensures that all employees understand their roles in protecting data and helps prevent inconsistencies in security practices.

2. Annual Risk Assessments

Health plan sponsors are required to conduct yearly risk assessments to identify vulnerabilities in their systems. This assessment process should involve documenting any identified risks, evaluating current security controls, and making necessary adjustments to address emerging threats. By staying proactive, organizations can maintain strong defenses and quickly adapt to new vulnerabilities.

3. Incorporating Penetration Testing

Penetration testing (or pentesting) is a crucial component of cybersecurity assessments. This practice involves simulating real-world cyberattacks to identify potential entry points for hackers. Pentests help health plan sponsors uncover weaknesses that might not be apparent through traditional risk assessments, allowing them to address vulnerabilities before they are exploited.

4. Third-Party Security Audits

Given the interconnected nature of modern healthcare and benefit systems, third-party vendors often have access to sensitive participant data. The DOL recommends that plan sponsors arrange for annual third-party security audits to evaluate the effectiveness of security practices implemented by these external providers. These audits help ensure that third-party vendors are maintaining appropriate cybersecurity measures and do not pose an added risk.

5. Defined Security Roles and Responsibilities

A clear organizational structure for cybersecurity is essential. The DOL advises that health plan sponsors assign specific cybersecurity responsibilities to qualified personnel. This might include the appointment of a Chief Information Security Officer (CISO) to oversee the program. Staff should also be adequately trained and certified in relevant cybersecurity practices to ensure that they are capable of responding to emerging threats.

6. Access Control Procedures

One of the most effective ways to prevent unauthorized access to sensitive data is through access control protocols. The DOL’s guidelines stress the importance of limiting access based on job roles and using multi-factor authentication to verify users’ identities. Regularly reviewing user permissions ensures that only those with a legitimate need to access certain data are allowed to do so.

Given the interconnected nature of modern healthcare and benefit systems, third-party vendors often have access to sensitive participant data.

7. Third-Party Provider Security Reviews

Third-party providers that handle health plan data must be regularly assessed to ensure their cybersecurity practices align with industry standards. Sponsors should establish clear security requirements in vendor contracts, including encryption protocols and data access controls. These ongoing reviews help mitigate the risk that a vendor’s lax security measures might compromise participant data.

8. Cybersecurity Awareness Training

Educating staff members about cybersecurity threats is vital to building a strong security culture within an organization. The DOL recommends that health plan sponsors provide annual cybersecurity training to all employees, focusing on recognizing common threats like phishing and identity theft. Well-trained staff can act as a frontline defense against many types of cyberattacks.

9. Secure System Development Life Cycle (SDLC)

Cybersecurity should be integrated into every stage of system development. The DOL urges health plan sponsors to incorporate security measures from the earliest stages of development through to testing, deployment and maintenance. Regular testing during development helps identify potential vulnerabilities before new systems are put into operation.

10. Integrating Pentesting in SDLC

Penetration testing should not be limited to post-deployment assessments; it should also be part of the system development life cycle. By performing pentests on new systems before they are deployed, organizations can identify weaknesses early and ensure that security is built into every phase of development.

11. Business Resiliency and Incident Response

Health plan sponsors are required to create, test and maintain disaster recovery and incident response plans. These plans should outline clear roles, responsibilities, and procedures to follow in the event of a cybersecurity breach. Testing these plans annually ensures that organizations are ready to respond quickly and effectively when an incident occurs.

12. Data Encryption

Encryption is a fundamental aspect of data security. The DOL recommends using strong encryption to protect data both in storage and during transmission. Sponsors should also ensure that encryption methods are kept up to date with evolving technology to maintain robust protection against unauthorized access.

Distinctions Between DOL Guidance and HIPAA/HITECH

While HIPAA and HITECH regulations are designed to protect the privacy and security of health data, the DOL's updated guidance takes a broader, more comprehensive approach to cybersecurity for employee benefit plans. Unlike HIPAA/HITECH, which primarily focuses on the confidentiality of health data, the DOL’s guidelines introduce specific protocols for addressing cybersecurity risks across the full spectrum of health plan operations. The DOL emphasizes ongoing monitoring, annual assessments and auditing practices that are critical to maintaining a secure environment.

Cybersecurity as an Ongoing Responsibility

The most important takeaway from the DOL's updated guidance is that cybersecurity is not a one-time task, but an ongoing responsibility. Health plan sponsors must continuously assess, update and improve their cybersecurity measures to protect sensitive participant data effectively. By adopting the DOL’s guidelines, sponsors are not only ensuring compliance but are also taking proactive steps to safeguard against the increasingly sophisticated and frequent cybersecurity threats that target employee benefit plans.

For health plan sponsors, the message is clear: cybersecurity is a critical aspect of fiduciary duty, and staying ahead of potential threats is crucial to maintaining trust with plan participants and meeting regulatory obligations.