Skip to content
Baldwin Bulletin

October Is Cybersecurity Awareness Month: Ensure Your Cybersecurity Preparedness Plan is in Place

The Baldwin Group
|
Updated: October 15, 2024
|
2 minute read

October is Cybersecurity Awareness Month. It is a collaborative effort between government and industry to enhance cybersecurity awareness, encourage actions by the public to reduce online risk, and to generate discussion on cyber threats on a national and global scale. 

Employer Action Items

  • Employers and plan sponsors should hire a consultant to assist in prudently selecting a service provider with strong cybersecurity practices, and subsequently monitoring the activities of any engaged provider.
  • Employers should develop a cybersecurity program, along with essential best practices for privacy and security inside and outside their walls.
  • Employers should also develop written privacy and security assuredness policies and procedures, governing the administration of confidential and protected health information, and to mitigate related, interconnected, and arising security risks.
  • Employers should contemplate and explore cybersecurity insurance offerings, ideally underwriting such coverage prior to the occurrence of a cybersecurity event affecting the organization’s operations or data. 

Summary

Employees are often targeted by cyberattacks. While it is important and beneficial for employers to foster a strong cybersecurity culture, the HIPAA Security Rule actually requires it!

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires the performance of certain security preparedness operations by covered entities (“CE’s”). Performance of these preemptive preparedness operations is mandated by US Department of Health and Human Services (“HHS”) and The U.S. Department of Labor (“DOL”) regulations. A HIPAA covered entity’s failure to assure and provide evidence of the performance of these essential requirements is enforced by the cumulative efforts of the DOL and the Office for Civil Rights (“OCR”), the investigative and enforcement division of HHS charged with enforcement of HIPAA Privacy and Security, as well as enforcement of Title VII of the Civil Rights Act. The Security Rule requires that HIPAA Covered Entities:

  • Ensure the confidentiality, integrity and availability of electronic personal information (e-PHI); 
  • Identify and protect against reasonably anticipated threats to the security or integrity of the information;
  • Protect against reasonably anticipated, impermissible uses or disclosures; and
  • Ensure compliance by their workforce.

In September of 2024, the DOL updated current cyber security guidance previously released in 2021. This guidance applies to all types of plans governed by the Employee Retirement Income Security Act (“ERISA”), including health and welfare plans.

The release updates the 2021 guidance of the Employee Benefits Security Administration (“EBSA”) and includes the following:

  • Tips for Hiring a Service Provider: helps plan sponsors and fiduciaries prudently select a service provider with strong cybersecurity practices to monitor their activities, as ERISA requires.

Below we have provided an additional resource to assist CEs in creating and improving security preparedness operations and ensuring they are following the Security Rule.

Additional Resources

To obtain additional support for performance of these and other HIPAA requirements, as mandated by the Security and Privacy Rules, please reach out to your local service colleague or your client advisor. The Baldwin Group maintains an extensive suite of support solutions such as HIPAA Complete and advisory guidance capabilities respecting a covered entity’s performance of the HIPAA administrative simplification mandates. The BRCC also offers a carefully curated range of consultative and advisory support solutions related to the administration of US-based employee benefit plans, program, and other offerings.


Related Insights

Stay in the know

Our experts monitor your industry and global events to provide meaningful insights and help break down what you need to know, potential impacts, and how you should respond.

Upcoming Compliance Deadlines - June 2025
Employers must comply with numerous reporting and disclosure requirements in connection with their group health plans. Please note the following upcoming...
Baldwin Bulletin
Form 5500 Deadline is July 31, 2025, for Calendar Year Plans
June 2025 Caitlin Hillenbrand, Associate Director, Benefits Compliance Many organizations that are subject to the Employee Retirement Income Security Act...
Baldwin Bulletin
IRS Releases 2026 Inflation-Adjusted Amounts for HSAs, HDHPs and EBHRAs
June 2025 Stephanie Hall, Associate Director, Benefits Compliance The Internal Revenue Service (“IRS”) is required to announce annual inflation-adjusted limits...
Baldwin Bulletin
The Department of Labor Issues Guidance on Independent Contractor Misclassification
June 2025 Natashia Wright, Associate Director, Benefits Compliance On May 1, 2025, the U.S. Department of Labor (“DOL”) issued Field...
Baldwin Bulletin
Health and Human Services Office for Civil Rights Reaches Settlement for Potential HIPAA Violations
June 2025 Natashia Wright, Associate Director, Benefits Compliance The Department of Health and Human Services (“HHS”) Office of Civil Rights...
Let's make it possible

Partner with us to build solutions that align with your business, individual, or employee needs and open new possibilities for your future.

Connect with us