RiskIQ Reveals Top Online Threats at NH-ISAC Healthcare Cyber Security Summit
December 04, 2014
Hosted Websites, Mobile Apps and Third-Party Code Pose Biggest Risk to Customers of Leading Health Insurance Providers
SAN FRANCISCO, NH-ISAC Healthcare Cyber Security Summit -- Dec. 4, 2014 -- RiskIQ, the company that enables organizations to detect and mitigate customer-facing threats, today announced research findings it disclosed yesterday at the Healthcare Cyber Security Summit on the leading online threats to customers of health insurance providers. According to the report, websites hosted by external providers, excessive mobile app permissions and third-party code libraries represent the biggest risks to users of health insurance web and mobile self-service tools. The full report is available here.
Health insurance providers are investing heavily in web and mobile app infrastructures to establish new customer touch points and gain a competitive edge in an increasingly competitive marketplace. This has created a host of new external-facing security challenges for providers. To assess the top risks to customers, RiskIQ analyzed live data gathered from web and mobile resources accessible from the public web that are operated by dozens of the nation's leading health insurance companies.
“New competitive pressures in healthcare are forcing insurance providers to expand their web and mobile self-service assets, which opens up new attack vectors for targeting customers that use them,” said Elias Manousos, CEO of RiskIQ. “These research findings provide a valuable benchmark for understanding and mitigating the top threats to insurance providers' customers.”
Top Three Online Threats
Based on an analysis of live data gathered by the global RiskIQ network from web and mobile assets associated with dozens of the nation's leading health insurance providers, the top threats to customers are:
Websites Hosted by Third Parties
While organizations typically rely on hosting partners to serve up websites, this approach dramatically alters the chain of control and can undermine efforts to enforce standardized security policies. The study found that 31 percent of health insurance websites are hosted by third-party providers.
Excessive Mobile App Permissions
Permissions within mobile applications allow developers to pull personal data from a user's device. According to the research, typical healthcare applications have 11 permissions. Of the company apps surveyed, nearly 50 percent gather location data, nearly 20 percent connect to external storage, and almost 15 percent access contact lists.
Third-Party Code Libraries
Code libraries developed by third-party providers are routinely used to add functionality and shorten mobile app development times. In Google Play, RiskIQ identified 12 separate libraries being used in applications belonging to healthcare companies. The One to Many Connector Framework, which is used to connect patient-recorded data from digital health applications, devices and wearables to healthcare providers like wellness companies, hospitals and pharmaceutical companies, was present in half of the applications.