Health Insurers’ Digital Footprint Widening Attack Surface

Insurers are ripe targets for attackers since they’re efficient concentrators of every kind of data needed for identity theft, credit card and insurance fraud. Here’s proof.

Peter Zavlaris, Analyst, RiskIQ

April 21, 2015


The value of healthcare-related personally identifiable information (PII) led to a 60% increase in detected incidents in 2014, with financial losses skyrocketing 282% over 2013. Although cyber thieves and nation-state actors have differing motives, they share a common appetite for PII and protected health information (PHI). As technology improves and more devices connect more people around the globe, the attack surface for PII and PHI is only getting wider.

Case in point: the recent security breaches and data losses at insurers, including Premera Blue Cross, Anthem, Community Health Services and American Income Life. Combined, these breaches have impacted the data and identities of about 93 million customers. To put that in perspective, that’s nearly 30% of the US population. This massive number does not even include many smaller, undetected, or undisclosed breaches.

Insurers are ripe targets for attackers since they’re efficient concentrators of every kind of data needed for identity theft, credit card and insurance fraud, and even blackmail, primarily because their IT systems typically store a broad and deep mix of financial records, PII and PHI.

To assess the risks facing insurance firms, RiskIQ researchers recently conducted an in-depth quantitative survey of the top 41 insurance companies in the US.  We cataloged and examined over 200,000 web assets and 770 individual mobile apps associated with the surveyed insurers.

The results were both compelling and concerning.  Key metrics for the insurers’ websites and web assets showed:

  • 60% were hosted on external, potentially unsecured servers

  • 88% had analytics or tracking services that might be compromised

  • 66% had ad networks connected to their site

  • 100% had a minimum of 6 broken SSL certificates, with 20% having over 900 broken certs each, opening the door for man-in-the-middle attacks and domain squatting by phishing websites

 Data from just 770 surveyed mobile apps showed even more potential security risks:

  • An average 18 apps per insurer

  • But 17% of the apps were from unauthorized developers and 72% were found outside of official app stores

  • 50% of the apps required 10 or more permissions - an excessive number that could be leaving customers facing a range of possible security risks

While these findings are not very encouraging, some insurers did present a minimal attack surface to potential security threats. What this data shows is that insurers need to inventory, monitor and bring under security control their expanding digital footprint. Left unchecked, it provides attackers with an effective platform that can be exploited to launch attacks against unsuspecting customers.  

About the Author

Peter Zavlaris

Analyst, RiskIQ

Peter Zavlaris is one of the primary analysts and contributors to the RiskIQ blog, which provides weekly insights on the latest threats and attacks that target companies outside the firewall and put customers at risk. He has held various customer satisfaction positions with providers of cloud hosting, IaaS, and enterprise security services. 
