BreachExchange mailing list archives

Risk of IT security breach on exchanges ‘very real’


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 2 Dec 2014 19:35:57 -0700

http://ebn.benefitnews.com/blog/ebviews/risk-of-it-security-breach-on-exchanges-very-real-2744923-1.html

As the Affordable Care Act moves forward, benefits enrollment and
management will increasingly be done online. Enrollment systems don’t
typically collect credit card information, but they do collect a lot of
personally identifying data – names, addresses, phone numbers, birth dates,
and Social Security numbers. This makes them an ideal target for identity
theft. While there hasn’t been a major breach in the benefits world yet,
the risk is very real.

Whether you’re a broker evaluating carriers and exchange partners or an
employer looking at broker exchange offerings, you need to do a thorough
security evaluation of any vendor you’re thinking of doing business with.
Considering today’s highly evolved and aggressive cyber criminals you
should look for evidence of a major investment in secure processes, people
and systems.

An annual SOC 2 audit should be the minimum requirement for anyone you’re
considering doing business with.

First, let’s look at what SOC 2 is and is not. It’s expensive and intense,
but it is not a security audit so much as it is an operational audit,
making sure that IT, HR and operations have foundational controls and
processes in place.

A SOC 2 audit evaluates criteria such as what kind of background checks the
employer performs or whether they require visitors to sign in and out. It
also examines the data center’s physical security as well as firewalls,
intrusion detection systems, and the like.

It will also look at some of the basic processes performed by IT, such as
backups and deployments, and how they are controlled. How does each firm
make sure that an intruder can’t inject harmful or malicious source code
into the system?

What SOC 2 does not do is get into actual scanning of systems, or
evaluating software directly. Compliance with SOC 2 gives you a good
indicator of how involved the business is with security issues, and moves
you towards having the right processes to catch problems. But when you get
down into the specifics of information security, you have to go much, much
deeper than just SOC 2.

One thing to check for is an ongoing investment in people – specifically
the compliance committee, which should include people from legal, IT,
information security, software development, product management, and
operations.

Their charter is to keep up to date on individual state regulations and
federal regulations such as HIPAA, which covers personally identifying
information. Those rules evolve over time, so compliance can be a bit of a
moving target.

Security threats change over time as well. At my company, we have a
dedicated information security specialist who stays on top of the newest
threats and works with our software development and IT groups to make sure
we install patches and take other mitigation measures for those risks as
quickly as possible.

Then there are systems. Most companies invest in hardware, but they often
neglect processes. Without getting too technical, there are three critical
areas of investment in processes: Vulnerability scanning, penetration
testing and code analysis.

Vulnerability scanning

With any system that is exposed to the Web, there are a lot of moving
parts: Web servers and other components, as well as the software and all of
the systems that it runs on. These should all be assessed automatically
with tools that continually scan to make sure that you are not running
anything that has known problems or vulnerabilities that might be exploited.

There are hundreds of these vulnerabilities being discovered every month.
When the scanning tools detect an issue, it should be followed by a risk
assessment process and appropriate action depending on the risk level and
the severity of consequences.

These are pretty sophisticated tools, often run by third parties that are
specialists in this area and do it on a much larger scale than an
individual organization ever would. A significant investment in
vulnerability scanning is an absolute necessity to stay out in front of
continually evolving methods of cyber-attack.

Penetration testing

Any system that can be logged into can also be broken into. Penetration
testing involves making sure that when people are logged into the system,
they are basically kept in their authorized box where they can see only the
information they need. They can't break out of that box and gain access to
somebody else’s data, or do harm to the system.

Penetration testing is another fairly involved process, also often
contracted to a third party. You want that specialized expertise and
outside opinion. You can trust self-certification to a certain extent but I
think it’s better to rely on experts with much broader knowledge and
experience of all the ways things can happen.

Penetration testing should be done at least annually, sometimes more
frequently. A fair number of companies do this, but a fair number don’t.
What an exchange does in this area is a good indicator of how serious they
are about security.

Static code analysis

Unlike penetration testing, which attacks the system as it’s running,
static code analysis tools scan the source code of your software, analyze
it to see if there are problems with the structure of the source code, the
way you’re building queries and other elements in the system that could
lead to security issues.
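The "way you're building queries" check described above, as an added illustration that is not part of the original article: a small AST-based static checker that flags `execute()`-style calls whose SQL text is assembled at runtime, run over two constructed versions of an enrollment lookup (one concatenating the SSN into the query, one using a bound parameter). The checker, the sink names and both sample functions are assumptions for this example.

```python
import ast

# Constructed samples, held as source strings so the checker can parse them.
# The first builds the SQL text by concatenation; the second binds the value.
VULNERABLE_SRC = '''
def find_enrollment(cursor, ssn):
    query = "SELECT * FROM enrollments WHERE ssn = '" + ssn + "'"
    cursor.execute(query)
    return cursor.fetchone()
'''

SAFE_SRC = '''
def find_enrollment(cursor, ssn):
    cursor.execute("SELECT * FROM enrollments WHERE ssn = ?", (ssn,))
    return cursor.fetchone()
'''

# Method names treated as SQL sinks (assumed; extend for your driver/ORM).
SINKS = {"execute", "executemany", "executescript"}


def _is_dynamic_string(node, assignments, seen=frozenset()):
    """True if the expression builds its text at runtime from other values.

    Conservative on purpose: any concatenation, %-formatting, f-string or
    .format() call is flagged, even if every operand happens to be constant.
    """
    if isinstance(node, ast.Constant):
        return False
    if isinstance(node, ast.Name):
        # Follow simple `name = <expr>` assignments inside the same function,
        # guarding against cycles such as `a = b; b = a`.
        if node.id in seen or node.id not in assignments:
            return False
        return _is_dynamic_string(assignments[node.id], assignments, seen | {node.id})
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                       # "..." + x   or   "..." % x
    if isinstance(node, ast.JoinedStr):
        return True                       # f"..."
    return (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format")


def find_dynamic_queries(source):
    """Return (line, sink) for each sink call whose first argument is built at runtime."""
    findings = []
    for func in (n for n in ast.walk(ast.parse(source)) if isinstance(n, ast.FunctionDef)):
        assignments = {t.id: n.value for n in ast.walk(func) if isinstance(n, ast.Assign)
                       for t in n.targets if isinstance(t, ast.Name)}
        for call in (n for n in ast.walk(func) if isinstance(n, ast.Call)):
            if (isinstance(call.func, ast.Attribute) and call.func.attr in SINKS
                    and call.args and _is_dynamic_string(call.args[0], assignments)):
                findings.append((call.lineno, call.func.attr))
    return findings
```

Running `find_dynamic_queries(VULNERABLE_SRC)` reports the concatenated query on line 4 of that snippet, while the parameterized version produces no findings.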

This is tougher to outsource to a third party, as it requires a much higher
level of expertise and familiarity with the platform, language, and the way
the system is constructed.

How often should you do this? We do two major releases a year, and static
code analysis is always part of any major development milestone. We also
run an analysis if we release off-schedule, smaller features that are
needed at a certain time for a certain customer.

It doesn't matter if you have five employees or 100,000 – they look to
their employers to protect their data. There are multiple levels of
businesses between health care exchange providers and the individual
employees that use our system to enroll, so they’re not in a position to be
able to assess how secure these vendor systems are. It’s incumbent on the
bigger players – carriers, brokers and employers – to understand the
landscape and ask the questions of health care exchange vendors. Once you
get past SOC 2 compliance and audits, which is the minimum bar that just
about any vendor is going to clear, gauging their investment in these three
areas can help you evaluate just how serious a company is about maintaining
trust and confidence, and how effective their security efforts are likely
to be.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 