Privacy & Information Protection
Anthem is committed to safeguarding the personal information we receive from our consumers, customers and employees. We impose standards to maintain the confidentiality of personal information, and we use physical, technological and administrative safeguards to protect it.
Our comprehensive set of security procedures, programs and protocols is designed to ensure that:
- Our consumers’ personal information is secure;
- Anthem employees are well trained in our security program;
- Everyone involved is encouraged to actively ensure that Anthem and its vendors are meeting the high standards we set;
- Our vendors meet or exceed the security requirements prescribed by Anthem so that we can put our full faith and trust in their products and services; and
- Our employees are personally safe, both physically and in the virtual world.
Anthem uses the Health Information Trust Alliance (HITRUST), an industry-leading framework, and has trusted third parties perform regular reviews to provide independent confirmation of our cybersecurity program. The HITRUST Common Security Framework (CSF) is structured on International Organization of Standards (ISO) and International Electrotechnical Commission (IEC) standards and incorporates other healthcare information security-related regulations, standards and frameworks, including those of federal, state and industry organizations, to provide comprehensive and prescriptive coverage.
Information Security and Risk
Information Security and Risk is managed by a multifaceted team of Information Technology Security professionals with the primary goal of ensuring that our consumers’ personal information remains secure. This unique group of talented professionals is divided into teams that address all aspects of information security, including application security, infrastructure security, security architecture and forensic investigations. The Detection Analytical Response Team (DART) uses cybersecurity Hunting and Cyber Threat and Intelligence analytics to actively research, analyze, respond to and remediate cyber threats to Anthem’s environment.
Due to increasingly sophisticated methods of cybercrime, equipping employees with the tools and skills needed to uphold Anthem’s high standards of information security is more important than ever.
Mandatory annual security awareness training is one of the ways Anthem helps ensure that employees are educated about everyday threats.
The expanded and enhanced information security awareness training covers social engineering, phishing, password protection, Anthem’s Workforce Information Security Program, data protection, asset use and mobile security.
Physical Security Training
In 2017, the Anthem Corporate Security team was recognized with a United States Outstanding Security Performance Award in the category of Outstanding Security Training Initiative at the 2017 American Society for Industrial Security (ASIS) International 63rd Annual Seminar and Exhibits in Dallas, TX.
Corporate Security received the award specifically for a situational awareness training initiative launched for Anthem employees earlier in 2017. This training elevates awareness of employees’ physical security and the steps employees can take to stay safe regardless of workspace or location. The comprehensive online training program and corresponding “meeting in a box” address a number of security situations, including an active-shooter scenario, safety working at home, personal safety, tips for visiting nurses, hostile-intruder steps and domestic and international business travel.
Vendor Oversight Programs
Anthem delivers quality healthcare benefit management through high-quality and innovative solutions for its customers. When Anthem engages outside vendors to help provide these solutions, protecting Anthem consumers’ personal information is a top priority. Anthem’s vendors must follow applicable state and federal privacy and information-security laws. Anthem reinforces these laws through both contractual requirements and our own internal oversight. Key to this is the use of administrative, physical and technological safeguards, which are enforced through a variety of programs and committees.
Anthem operates in a highly regulated industry with many federal and state laws and contractual commitments related to the collection, use and disclosure of protected health information and personally identifiable information. Anthem’s privacy program is designed to comply with these requirements. We realize that our success is influenced by maintaining a high level of confidence and trust among consumers, customers, providers, regulators and our employees. Protecting this information is crucial and is embedded in our Standards of Ethical Business Conduct and privacy policies.
Our Privacy Office is responsible for the development of Anthem’s privacy program, which includes formulating privacy policies, reviewing proposed privacy laws and helping business leaders implement new privacy requirements. We also develop and deliver privacy training and communications, identify and monitor privacy risks and issues and lead the privacy incident response and prevention program.
We are focused on continuously improving our program. Our policies are updated at least annually to incorporate necessary changes. We explore different ways of training and communicating with our employees to help ensure that they have the information and tools they need. For example, we have developed interactive decision-making guides for call center employees that provide real-time guidance, and we have used humorous videos and games to help make the trainings “stick.”
We also have a comprehensive privacy incident response and prevention program. We educate employees on the importance of immediate reporting of all incidents. All incidents are reviewed, and action is taken to address each issue, mitigate the impact and assess our obligations to notify individuals, clients, regulators, the media and others. When appropriate, we offer the affected individuals identity protection and credit monitoring services. We learn lessons, and in turn we use that information to help prevent future issues where possible.