Health insurance is a political football in the United States and an important industry vertical. When it comes to online threats to customers of health insurance providers, it turns out that websites hosted by external providers, excessive mobile app permissions and third-party code libraries represent the biggest risks.
That’s according to RiskIQ, which announced research findings at the Healthcare Cyber Security Summit this week.
Health insurance providers are investing heavily in web and mobile app infrastructures to establish new customer touch points and gain a competitive edge in an increasingly competitive marketplace. It’s great for consumers, except that it has created a host of new external-facing security challenges for providers.
“New competitive pressures in healthcare are forcing insurance providers to expand their web and mobile self-service assets, which opens up new attack vectors for targeting customers that use them,” said Elias Manousos, CEO of RiskIQ, in a statement. “These research findings provide a valuable benchmark for understanding and mitigating the top threats to insurance providers’ customers.”
For instance, organizations typically rely on hosting partners to serve up websites, which saves administrative and personnel costs but dramatically alters the chain of control and can undermine efforts to enforce standardized security policies. The study found that 31% of health insurance websites are hosted by third-party providers.
Meanwhile, permissions within mobile applications allow developers to pull personal data from a user’s device. According to the research, typical healthcare applications have 11 permissions. Of the company apps surveyed, nearly 50% gather location data, nearly 20% connect to external storage and almost 15% access contact lists.
And finally, code libraries developed by third-party providers are routinely used to add functionality and shorten mobile app development times. In Google Play alone, RiskIQ identified 12 separate libraries being used in applications belonging to healthcare companies.
The One to Many Connector Framework, which is used to connect patient-recorded data from digital health applications, devices and wearables to healthcare providers like wellness companies, hospitals and pharmaceutical companies, was present in half of the applications.