We believe health care data and related information should be used solely for the purposes of improving individual health, advancing health system performance and to aid in new health care discoveries.
While health care data and information are critical to our ability to serve our customers and the health system, this information is highly sensitive and personal. As a result, we have an obligation to build and maintain the trust and confidence of our customers and stakeholders, ensuring we can protect the information for all those we serve and fulfill our obligation to appropriately and properly use this information. The primary tools we use to fulfill these obligations are our cybersecurity and privacy and data governance programs.
UnitedHealth Group manages cybersecurity and privacy and data governance through a framework that provides our team members with training and resources that support their day-to-day activities, assesses the risks our company faces and establishes policies and safeguards to protect our systems and the information of those we serve.
Our Code of Conduct outlines our commitment to protecting the information with which we are entrusted.
Supported by a comprehensive set of principles, our policies and programs describe appropriate uses of data and the safeguards that protect the confidentiality and integrity of our systems, including:
UnitedHealth Group’s chief information officer, chief privacy officer and chief information security officer are responsible for administering our data privacy and security programs. The Audit Committee of the Board of Directors receives regular updates on critical issues related to our information security risks, cybersecurity strategy and business continuity capabilities.
We are establishing a Cybersecurity Leadership Council (CLC) to enable aligned executive ownership and delivery of information security initiatives across UnitedHealth Group. The chief information officer of each line of business or a chief information security officer will sponsor each initiative and lead implementation. The CLC will oversee analysis, risk tolerance, policy, funding and implementation of information security initiatives, and the transition to standard operating processes to ensure sustainability.
We regularly evaluate the security maturity of our systems. This assurance program includes vulnerability assessments and penetration tests conducted by our internal team and by qualified external assessors. These efforts allow us to identify operational and design risks and vulnerabilities in our systems. We use the results of these tests to identify opportunities to address emerging security threats and to improve the security of our systems, as we continually work to enhance our ability to protect the information and data to which we have access.
Annually, we conduct an enterprise information risk assessment (EIRA) in conjunction with UnitedHealth Group’s overall enterprise risk management assessment. In the EIRA, we complete a comprehensive review of internal and external threats and evaluate changes to the information risk landscape to inform the investments and program enhancements we will make in the coming year.
Our IT infrastructure and information security management system have been audited in the last fiscal year by external auditors, including against the HITRUST CSF, and through internal audits.
We believe protecting personal health information is the responsibility of the entire health care system. In 2008, UnitedHealth Group entered into a partnership with organizations from across our industry to develop a common security framework for the health care industry. The result of this collaboration is the HITRUST Risk Management Framework, which combines best practice standards from frameworks such as HIPAA, ISO, EU GDPR, NIST and PCI to provide a scalable, risk-based certification for health care organizations and organizations that participate in the health care supply chain. UnitedHealth Group uses this framework in conjunction with other vulnerability and risk assessments as part of our continuous monitoring framework to assess our key application and technical systems and continually enhance our cybersecurity practices.