Chief Marketing Officer, FINEOS
Managing customer data efficiently and safely is a critical concern for any service organization and insurance companies have a greater challenge than most. Insurers compile and manage customer medical, financial and behavioral data leading to regulation under HIPAA, the Financial Service Modernization Act, Fair Credit Reporting Act, and so forth. And the greatest risk is the loss of consumer trust if a material data breach occurs.
Systema Software, a small company that manages insurance claims and utilizes cloud-based Amazon Web Services, inadvertently had customer claim data exposed to the internet on a subsection of Amazon Web Services this week. (https://gizmodo.com/security-hell-private-medical-data-of-over-1-5-million-1731548110). The story is still unfolding and it seems that there was user error by a contractor and no bad actors have acquired the data for nefarious ends but it is clear that customer claims data managed by commercial and government agencies was exposed. Claim data in particular tends to have very personal customer medical and financial information that is highly cross-regulated and presents significant potential regulatory risk to the insurers served by Systema.
Software as a service(SaaS) and infrastructure as a service(IaaS) are great capabilities enabling individuals and companies to access software, data storage and media easily and with much lower capital costs than buying their own servers and building their own data centers. For higher end business services, software hosting has been used for decades to enable insurance companies to focus on core business competencies and get out of the data center business. As these services continue to commoditize, the line between higher end managed hosting of critical business services with strong service level agreements and commodity software/infrastructure as a service has blurred. Often the commodity players, acting in good faith, sign up for a level of data security and operational integrity required by the industries special regulatory requirements, they can’t deliver.
Insurance companies need to understand the services being offered, the service levels explicitly identified in the contract/terms of service and the provider’s ability to comply with the interlocking regulatory requirements required to serve the insurance industry. This applies not only to the primary provider of service in a software as a service offering but also to the underlying infrastructure provider and their back up/disaster recovery provider as outlined in HIPAA “Chain of Trust” agreements for example. The insurance carrier is required to audit and certify the entire chain and is responsible for their compliance in the United States. Other countries often have more severe consumer data privacy laws.
SaaS and IaaS providers do enable insurance carriers to provide great service at a lower cost in many parts of the insurance process especially in new business acquisition and self-service. Back office insurance processes that require the aggregation of customer data, including policy and claims data, require a much higher level of scrutiny and management, as the risks to the customer and the insurer are much higher. This weekend Amazon Web Service had some outage problems leading to problems with Netflix, Reddit, Alexa and IMDB among others (https://venturebeat.com/2015/09/20/amazons-aws-outage-takes-down-netflix-reddit-medium-and-more/). Not a big deal for most of us. Hopefully, your customer data is safe at home, with you.