At eHealthInsurance Services, we know information security is important to our Customers, and Business Partners. We are committed to maintaining Information Security through responsible management, appropriate use, and protection in accordance with legal and regulatory requirements and our agreements.
Information Security is an integral part of eHealth and everyone at eHealth understands that Information Security is “Everyone’s Responsibility.”
Information Security Program
eHealth maintains an Office of the Chief Information Security Officer (CISO) focusing on information and systems technology and corporate governance to drive security best practices. The Office of the CISO concentrates on technology, behaviors, and operational excellence to safeguard information from unauthorized or inappropriate access, use, or disclosure. The Information Security Program supports the following endeavors:
eHealth utilizes industry recognized frameworks:
- HITRUST – Health Information Trust Alliance
eHealth is in compliance with HITRUST which leverages the internationally accepted standards of ISO 27001 and 27002 providing best practice recommendations for initiating, implementing, or maintaining information security systems and compliance.
- NIST – National Institute of Standards and Technology
eHealth’s Information Security Program’s Policies and Procedures are in alignment with the NIST Cybersecurity Framework; the internationally recognized security control framework used by companies to assess and improve their ability to prevent, detect, and respond to security events.
- PCI DSS – Payment Card Industry Data Security Standard
Where eHealth processes payment card information, eHealth is in alignment with PCI DSS, which provides technical and operational standards that businesses follow to secure and protect credit card data provided by cardholders and transmitted through card processing transactions.
- CIS – CIS Controls and CIS Benchmarks provide global standards for internet security and are a recognized global standard and best practices for securing IT systems and data against attacks.
At eHealth we believe that aligning with and leveraging these frameworks for our Information Security Program is critical in light of changes to the security landscape, new technologies, and emerging legal and regulatory requirements.
eHealth’s Security Policies and Procedures are built upon these frameworks and are reviewed and updated regularly to facilitate compliance with regulatory, industry, and contractual requirements and recommendations, as well as to address new and emerging security threats.
Security Assessments and Processes
eHealth performs critical security assessments and defines processes for secure organizational operations.
- Security Risk Assessments – eHealth has a defined process in place to identify, quantify, assess, manage, and report on potential security risks and their respective risk levels and can present plans of actions to eHealth’s Senior Management and Board of Directors (See “Governance and Risk Management Practices”).
- Application and Infrastructure Security Assessments – eHealth uses a comprehensive System Development Life Cycle (SDLC) framework that requires applications and related infrastructure to be reviewed and assessed before being implemented. This review is intended to verify eHealth’s Security Policy requirements and system security standards are in place. The Assessment includes reviewing network and website vulnerabilities using industry-standard scanning software.
- Identity and Access Management – Access to eHealth’s information and systems is managed using a Role Based Access Control (RBAC) methodology, which defines the access a user receives to eHealth’s information systems based on job function and includes a process to validate that user access rights remain appropriate over time. Privileged or elevated access to eHealth’s systems is subject to heightened internal approval.
- Security Awareness and Training – eHealth’s Security Awareness and Training Program includes initial security awareness training for new employees and contractors, followed by ongoing, annual security awareness refresh courses. New employees must sign an acknowledgement, showing receipt and understanding of the responsibility to comply with eHealth’s Code of Ethics, including the eHealth Information Security and Acceptable Use Policies. Employees also must provide an annual affirmation of this policy. Developers and Privileged Users are subject to additional security training requirements due to the increased inherent risk associated with these roles.
- Third Party Vendor Oversight – Third Party Vendors that host transmit, or have access to eHealth data are required to comply with eHealth Security Policies. eHealth conducts Security Reviews and Assessments of Vendors to assess security capabilities and maturity, alignment to industry standards, and management of threats and vulnerabilities.
- Security Operations and Monitoring – Security event data is monitored by staff with industry recognized systems, which perform event correlation and identification to flag event anomalies and potential threats. The eHealth Security Management team also monitors the security industry for the latest threats, exposures, and patches.
- Cyber Security Incident Response Planning – eHealth has a formal Incident Response Plan in which predefined escalation paths are followed when a cybersecurity or other incident occurs. The Incident Response Team consists of key Security, Privacy, and Legal members who work with eHealth Technology and Business Teams, and our managed security services partners to manage the incident.
- Additional Processes and Controls – eHealth Information Security implements a broad spectrum of technical controls in connection with these processes, including data loss prevention, role-based access, application/desktop logging, data encryption, and others. eHealth also maintains several technologies that are used to enhance customer’s information security, such as multi-factor authentication and enhanced web application firewall controls including geo-fencing, brute force logon mitigation, IP intelligence and reputational blocking, and bot detection and prevention.
eHealth’s Information Security Program is frequently evaluated and audited by reputable and independent firms for adherence to our controls and frameworks. Cybersecurity assessments such as external penetration tests, advanced attack simulations, vulnerability scans and Phishing exercises are also regularly performed. Security control benchmarking and monitoring of operational security metrics are utilized to identify opportunities to strengthen eHealth’s cyber security program.
Governance, Risk Management, and Compliance Program
The Governance, Risk Management and Compliance (GRC) Program works to provide direction, monitor governance, maintain compliance, and manage eHealth’s enterprise risk to protect the Information Privacy and Security of our Customers, Clients, and Business Partners.
The GRC Program is responsible for the following:
- Governance – The enterprise oversight and direction for all Security governance activities that include the time sensitive scheduling and support of GRC related events, metrics reporting, policy and procedure creation and management, training, and culture development.
- Risk Management – Governance for risk related activities includes Risk Identification, Management, Mitigation, and Remediation, Risk Assessments of internal and external risks and threats, Reviews of Third Party Vendors and tools and Customer and Client support for contractual reviews and requirements.
- Compliance – Responsibility for the planning, execution, and adherence with eHealth Security Policies and Procedures, legal, regulatory, and contractual requirements.
The Information Security Program has dedicated liaisons working with our business both domestically and internationally providing insights for actions and needs relevant at the local level. These liaisons strive to ensure that business and functional area employees have easy access to Subject Matter Experts who can provide guidance, assist with answering questions, provide help with issues, and mitigate related privacy and information protection risks. The collective combinations of these efforts help drive privacy and security compliance across the enterprise.
Incident Response Plan and Protocol
eHealth is dedicated to protecting the security of our Customers’, Clients’, and Business Partners’ information, however, security incidents may occur. Events such as human errors, computer viruses or other malicious code, unauthorized access, cyber-attacks, or Phishing attempts are a concern for all organizations. We maintain and test our protection programs to prevent these events from occurring and to mitigate damage if they did. In the event of an incident, the Incident Response Team is trained to contain the incident, mitigate impact, resolve or remediate, and notify affected parties as quickly as possible.
Enterprise Risk Management
Enterprise Risk Management (ERM) is a company-wide initiative that involves the Board, eHealth’s Management, CISO, Privacy Officer, and internal audit functions. ERM is an integrated effort to (1) identify, assess, prioritize, and monitor a broad range of risks, including privacy and information protection risks, and (2) formulate and execute plans to monitor and, to the extent possible, mitigate the effect of those risks.
eHealth’s Board of Directors has ultimate oversight over the Privacy, Information Security, and Governance, Risk Management and Compliance Programs and strategies. The Board executes this oversight both directly and through its’ Audit Committee. Together, the Board and the Audit Committee ensure that eHealth has Privacy and Information Protection management policies and processes in place. The Board and the Audit Committee are regularly briefed on issues related to the eHealth’s risk profile. These briefings are designed to provide visibility about the identification, assessment, and management of critical risks, audit findings, and management’s risk mitigation strategies.
Management briefs the Audit Committee on a Quarterly basis about eHealth’s protection programs, with a focus on items such as current trends in the environment, incident preparedness, business continuity management, program governance, and program components, including updates on security processes, external testing, and employee training and awareness initiatives.