Providing HR benefits information on a corporate intranet can be a balancing act between providing convenience for employees and dealing with liability if that information gets into the wrong hands.
"The dichotomy here is, on the one hand, you want to give people better access to information, and on the other hand, you want to better protect it," said Kevin Haugh, VP of product management at HR intranet company ProAct Technologies.
This balance may get even harder for tech leaders to maintain as they begin dealing with new medical privacy regulations that are likely to affect intranets currently housing employee medical information. Organizations may also need to step up their efforts to prevent internal breaches of sensitive data that's been moved to an intranet.
HIPAA and the intranet
Most companies that have moved internal processes, including employee data, onto intranets will need to start paying attention to the privacy regulations dictated by the Health Insurance Portability and Accountability Act of 1996, which goes into effect April 14, 2003. Although organizations that are nonmedical entities won’t be subject to the strictest HIPAA rules, many of them will still be affected, said John Comerford, an IT and privacy lawyer with the Greenberg Traurig law firm in Phoenix.
For example, companies that carry self-insured plans or collect medical information on their intranets—such as by offering health insurance sign-up forms—could be subject to HIPAA regulations. And companies offering benefits such as flu shots, a company nurse, or a way for employees to check insurance claims through the intranet could also find themselves dealing with HIPAA's privacy rules, said Andy Maxwell, a senior HR technology consultant for HR consulting firm Watson Wyatt.
When the HIPAA privacy regulations go into effect, medical entities will need to adopt written privacy procedures, designate a privacy officer, and establish grievance processes, among other things. But even though nonmedical organizations may have fewer mandates to follow, they need to make sure that their employees' medical information is sufficiently protected. And time is running out.
If a company deals with health information on its intranet and it hasn't begun to understand potential compliance issues, it's already behind the curve, Comerford said.
Other intranet privacy issues
In addition to ensuring that they don't run afoul of HIPAA regs, companies need to focus on another critical intranet security issue: internal breaches. Internet security expert Norbert Kubilus, a member of Tatum CIO Partners, said that in most cases, intranet "hackers" are unhappy employees looking to inconvenience the company or gain some personal advantage.
"Most of what I've heard about and observed is internal abuse," Kubilus said. "You can get a disgruntled employee who gets into the intranet and raises havoc by changing vacation schedules or time cards. If you don't have the right protections in place, or the right education and process in place, you leave yourself vulnerable to a disgruntled employee."
With most internal hacks, the malicious employee doesn't technically hack into the secure intranet server. More often, the person uses a colleague’s password to break in.
"Where we see most security breaches happen is not through the mainline systems," said Watson Wyatt's Maxwell. "Usually, it's those other holes—the classic faux pas of leaving a document in the copier. There's where we usually see most of the risk; either that, or just dumb mistakes."
Given the challenges posed by impending privacy regulations, along with the potential for unauthorized access to employee data, CIOs need to implement measures that will safeguard sensitive information. Maxwell and Kubilus recommend several things companies can do to protect against intranet and employee data breaches:
- Require employees to change passwords regularly and be careful about what information is made public. One company Kubilus knows allows every employee to see the entire vacation schedule—not a secure situation.
- Avoid a single sign-in for sensitive HR information. A double password scenario is a stronger deterrent.
- Keep a lid on how to get access to sensitive information. This means limiting even IT staff members' knowledge.
- Use a firewall and software that checks for data exit leaks so that breaches are identified immediately.
- Segregate the secure HR server from other servers to narrow access points.
- Don't use e-mail to send confidential information to employees or exchange confidential information about employees. IT departments need to educate HR and other business units on this practice.
- Don't keep secured information on HR workers' PCs—store it on a secure server instead. Educate HR employees on the need for this measure.
Weighing the benefits against the risks
Clearly, maintaining an intranet that's useful for employees and doesn't compromise sensitive information is a bit of a high-wire act. In fact, Maxwell believes security, not cost, is the biggest reason companies aren't jumping to create convenient, full-featured benefits intranets for employees, a hesitation that can be a big mistake. He advises companies to be careful and stresses that the productivity gains from a good benefits intranet can outweigh the security risks.
"Nothing is risk-free, but you have to weigh the risks," Maxwell said. "My general tone is be careful, be prudent, but don't get all wrapped up in trying to make it 100 percent safe; then you don't do anything."