Health Insurance Association Hardens Cybersecurity through Data Governance
A large health insurance association, with a network of insurance companies serving more than 80 million members across all 50 states, needed to bolster its security posture by preventing the use of sensitive patient data in non-production environments — a practice that could put its members and the greater organization at risk.
To mature its security posture, the insurance association needed help remediating existing risks related to its sensitive data and implementing a long-term strategy for maintaining data standards, classification, environment standards and security production controls across its network of insurers.
The insurance association reached out to WWT for assistance in developing a roadmap to achieve its cybersecurity and data governance objectives.
After investigating the client's challenges, current state and business goals, our experts performed a deep dive into the network of IT environments in question. During this assessment period, we identified more than 65 applications containing sensitive data in non-production application environments.
To address the immediate security concerns and prepare for downstream risk mitigation, the client needed a holistic and scalable data security strategy that encompassed its people, processes and technologies across its dispersed IT footprint.
Our data governance and security professionals developed a solution spanning strategy development through a pilot phase, including the following elements:
- An environment strategy with a common framework that ensures application environments are properly managed and maintained throughout their lifecycles.
- Data classification standards that communicate requirements for the appropriate use and consumption of enterprise data, including physical and digital formats.
- An application assessment template for classifying application uses and risks for sensitive data, providing visibility into remediation efforts along with an ability to prioritize initiatives.
- A remediation plan comprising a durable and rigorous process application teams can use to remediate the data risk in non-production environments, including reusable remediation templates.
- A remediation pilot for one application, completed via collaboration between security, application, business and technical teams from both organizations.
- An application remediation roadmap for the insurance association to apply to its remaining 64 applications across its network of insurance companies.
- Mitigation and governance recommendations spanning the insurance association's people, processes and technologies (see image below) for the prevention of future risks, including the implementation of controls for cyber risk, data, architecture and the IT environment.
Technology validation and recommendations
As part of the engagement, the insurance association leveraged the expertise of our engineering teams to compare solution capabilities across a range of security and data governance products and platforms:
- Sensitive data monitoring and scanning
- Data substitution and data masking
- Access controls and governance
- Automatic tagging
- Customizable workflows
Below is a snapshot of the capability comparison matrix our engineers compiled for the insurance association:
This level of tailored market research helped the insurer accelerate the decision-making process.
Following the successful security and data governance engagement, the insurer now has well-defined governance standards for data classification, a holistic and scalable environment strategy, and best-in-class security production controls. Moreover, after a successful pilot phase, the insurer's employees now have a proven remediation plan, assessment templates and valuable hands-on experience to remediate the remaining applications and guide them through future issues.
By taking the time to invest in a holistic data strategy and leveraging our engineering expertise to compare potential toolsets, the insurance association is well-positioned to continue its security transformation efforts across its network of insurers with confidence in its enhanced ability to protect its members, its brand and the bottom line.