IRS News Release IR-2018-170: Tax Security 101—Security Summit urges tax professionals to educate all employees about data security, computing safeguards (Aug. 21, 2018); OCR Cybersecurity Newsletter: Considerations for Securing Electronic Media and Devices (August 2018)
As part of their ongoing cybersecurity awareness campaigns, the IRS and HHS’s Office for Civil Rights (OCR) have issued newsletters highlighting considerations for securing confidential electronic information. The IRS newsletter, part of the IRS’s Tax Security 101 series, focuses on controlling access to information—for example, by granting access only to employees with a business need to see it, requiring strong passwords, locking computer screens after designated periods of inactivity, securing portable devices, and terminating access when employees no longer need it. The IRS also underscores the importance of training employees on the basic steps for safeguarding information (for example, encrypting sensitive information and not sharing passwords), reminding employees of security policies and their obligation to follow them, and imposing discipline for security policy violations.
OCR’s newsletter also focuses on controlling access, for example, by ensuring that only authorized personnel have physical access to electronic information systems and by implementing processes to govern and track the movement of electronic devices—especially portable devices—into, out of, and within facilities. Citing the HIPAA security standard for device and media controls, OCR notes that covered entities and business entities should consider whether they have adequate records to track the location, movement, modifications, repairs, and disposition of devices and media throughout their lifecycles—including identifying who is responsible for these items. OCR also points out that organizations should use their risk analysis and risk management processes to identify and implement appropriate device and media controls. While smaller organizations may rely on manual tracking processes, larger organizations may use specialized inventory management tools in conjunction with bar-code systems or radio frequency identification (RFID) tags for easier, quicker, and more accurate tracking. In determining appropriate security measures, factors to be considered include an organization’s size, complexity, and technical capabilities; the costs of security measures; and the probability and criticality of potential risks to protected information. Like the IRS, OCR emphasizes the importance of workforce training.
EBIA Comment: While most federal agencies have stepped up their cybersecurity efforts, the views of the IRS and OCR are of particular interest to employee benefit plan sponsors and advisors. Although HIPAA’s security rules directly apply only to covered entities and business associates, the principles are also useful for organizations not subject to OCR enforcement. For example, regularly reviewing records of information system activity—such as audit logs, access reports, and security incident tracking reports—can lead to early detection and effective containment of data breaches. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXX.C (“Physical Safeguards”) and XXX.D (“Technical Safeguards”). See also EBIA’s Cafeteria Plans manual at Section XVI.E (“Electronic Administration”) and EBIA’s Consumer-Driven Health Care manual at Section XXV.I (“Electronic Administration of HRAs”). You may also be interested in our recorded webinar “Learning the Ropes: An Introduction to HIPAA Privacy & Security” (recorded 1/17/18).
Contributing Editors. EBIA Staff.
