A new Ohio Senate Bill that goes into effect on March 20 will create new cybersecurity requirements for insurance companies, including health plans.
The bill is based on the National Association of Insurance Commissioners’ Insurance Data Security Model Law. Ohio is the second state to adopt such legislation; North Carolina also has a version.
Under the legislation, insurers must develop, implement, and maintain a comprehensive security program based on their own risk assessment. It applies to all private individuals and non-government bodies required to be registered or licensed under Ohio’s insurance laws.
The security program must also include an established incident response plan to ensure that companies can respond to and recover from cybersecurity events that could affect the confidentiality, integrity, or availability of the private data stored on their systems.
Private data is classified as healthcare data, financial information, or personal identifiers, such as Social Security numbers.
Under the bill, the security program must be appropriate to the size and complexity of the organization, the nature and scope of its business activities (such as contracting with third-party service providers), and the nature of the data it collects and uses.
The program must include tools and policies that protect the confidentiality and security of private data and the systems holding it, and that guard against unauthorized access. It must also define, and routinely re-evaluate, a data retention schedule and a method for deleting data once the company no longer uses it.
Insurers will also be required to designate a person responsible for the security program who acts on the company’s behalf. Further, the company must be able to assess the likelihood and potential damage of the threats it identifies, based on the sensitivity of the data involved, and to assess the sufficiency of its safeguards. Those safeguards must also include threat management.
There must also be a means to reasonably identify internal and external threats that could lead to unauthorized access, disclosure, misuse, alteration, and the like, including threats to data held by third-party vendors.
In fact, under the legislation, insurers are required to ensure that their vendors’ information security programs are adequate. The security program itself must be assessed annually to determine the effectiveness of its security controls, systems, and procedures.
Also notable, Ohio insurers must now report a security incident to the state Superintendent of Insurance within three days of discovery. Entities already compliant with HIPAA will be deemed compliant with the new legislation. All insurers will be given a year to become compliant with the law.