Websites hosted by external providers, excessive mobile app permissions and third-party code libraries represent the biggest risks to users of health insurance web and mobile self-service tools, according to RiskIQ.
Health insurance providers are investing heavily in web and mobile app infrastructures to establish new customer touch points and gain an edge in an increasingly competitive marketplace. This has created a host of new external-facing security challenges for providers.
To assess the top risks to customers, RiskIQ analyzed live data gathered from web and mobile resources accessible from the public web that are operated by dozens of the nation’s leading health insurance companies.
“New competitive pressures in healthcare are forcing insurance providers to expand their web and mobile self-service assets, which opens up new attack vectors for targeting customers that use them,” said Elias Manousos, CEO of RiskIQ.
The top threats to customers according to RiskIQ are:
Websites hosted by third parties
While organizations typically rely on hosting partners to serve up websites, this approach dramatically alters the chain of control and can undermine efforts to enforce standardized security policies. The study found that 31 percent of health insurance websites are hosted by third-party providers.
Excessive mobile app permissions
Permissions within mobile applications allow developers to pull personal data from a user’s device. According to the research, typical healthcare applications have 11 permissions. Of the company apps surveyed, nearly 50 percent gather location data, nearly 20 percent connect to external storage, and almost 15 percent access contact lists.
Third-party code libraries
Code libraries developed by third-party providers are routinely used to add functionality and shorten mobile app development times. In Google Play, RiskIQ identified 12 separate libraries being used in applications belonging to healthcare companies. The One to Many Connector Framework, which is used to connect patient-recorded data from digital health applications, devices and wearables to healthcare providers like wellness companies, hospitals and pharmaceutical companies, was present in half of the applications.