The healthcare industry has taken its share of hits this year when it comes to cybersecurity, and healthcare insurance companies may be facing a tough diagnosis of their own.
A recent report from RiskIQ laid out the three main challenges to online security for health insurance companies: websites hosted by third-parties, third-party code libraries in applications and excessive permissions for mobile applications.
“New competitive pressures in the healthcare industry are creating increased customer demand for online information and account portals, which is spawning a whole new crop of digital web and mobile assets,” according to the report. “During this rapid build-out, it’s easy for organizations to lose sight of all their assets. Meanwhile, criminals are constantly looking for ways to exploit the web and mobile footprints of leading brands to commit fraud and steal data that can be monetized later. Unfortunately, customers are often unable to distinguish between legitimate and malicious assets when they are lumped together. These lapses in control can put both customers and healthcare provider brands at risk.”
According to the report, 31 percent of health insurance websites are hosted by third-party providers. While organizations often rely on hosting partners to serve up websites, this approach dramatically alters the chain of control and can undermine efforts to enforce standardized security policies, RiskIQ found.
When it comes to third-party-hosted websites, organizations need to be careful not to lose sight of their digital footprint and how host-partner relationships are affecting their assets, Elias Manousos, CEO of RiskIQ, told SecurityWeek.
“Third party providers have become an attractive attack vector since a successful compromise can open up access to multiple client sites,” he said. “Given the high premium placed on medical records in the black market, healthcare providers must continuously and closely monitor the security posture of their hosting partners and take immediate action in the event of a hack since their websites are at risk of being compromised.”
Similar issues pop up when it comes to third-party code libraries. These libraries are developed by third-parties and routinely used to add functionality and shorten mobile app development times, Manousos said. In Google Play, RiskIQ identified 12 separate libraries being used in applications belonging to healthcare companies, including the One to Many Connector Framework, which was present in half of those applications.
“The extended IT supply chain is increasingly being targeted by attackers to compromise brands,” Manousos said. “By embedding malicious capabilities in third party code, criminals are able to silently steal data and commit fraud. As we’ve seen in the case of the SEA and jQuery this year, third party code is a favored attack vector for compromising websites and their users. This threat also applies to mobile code libraries. Routine monitoring and assessment of mobile applications for the presence of unapproved and unvetted third party libraries must become a standard practice for health insurance providers in order to prevent damaging data breach incidents.”
Mick Coady, a principal at PricewaterhouseCoopers, said a key issue with third-party libraries is that changes to them may be made on the fly and not subject to the level of scrutiny and testing that they should be.
“If they have to dial-in and make a change to an application that ties the payments, remits, processing…for a claim, and that change takes place in the middle of the night or depending on when they do it on the weekend, the way that they go about making those changes and the rigor that goes around testing security all those kind of pieces sometimes doesn’t fall into what we’ll call best practice,” Coady said.
When it comes to mobile app permissions, RiskIQ found that the average healthcare app had 11 permissions. Many of these permissions are “intrusive,” such as location gathering, camera access and access to contacts. Of the company apps surveyed, nearly 50 percent gathered location data, and almost 20 percent connect to external storage, Manousos said.
“Mobile app developers typically program more permissions than necessary or appropriate into their apps for ease of use and to future proofing reasons,” he said. “This becomes a security threat when attackers create copycat apps that are distributed via second tier app stores that do not police content in the same way that Apple and Google’s enterprise stores do. By taking advantage of permissions such as location, contacts and external storage these copycat apps can triangulate and extract valuable user data. To protect their customers, insurance providers should monitor all app stores for the presence of copycat apps and make sure these are taken down. In addition, providers should only turn permissions that are absolutely necessary and turn off those that are not required.”
The full report can be downloaded here.