HealthEquity, a custodian of more than 3.4 million health savings accounts, has had a data breach after one employee’s email account was accessed by an unauthorized person. HealthEquity also handles flexible spending accounts, 401(k) accounts and health reimbursement arrangements, providing a range of services for about 40,000 companies. Comments this morning from cybersecurity experts at Bomgar and Panorays.
Sam Elliott, Director of Security Product Management at Bomgar:
“Attacks like phishing and social engineering are among the most common used against businesses. The use of faked user credentials is a tried and true method. Often, attacks like these target privileged users with access to sensitive or valuable systems or data. While companies are aware of this, providing security around these types of users without limiting their ability to do their jobs effectively is difficult. Another aspect to consider is that even companies with a sophisticated security strategy don’t have a great grasp on how to define who represents a ‘privileged’ user. This is true both in the private and public sectors.
One tip for organizations is to treat their IT security as they would physical security—that is, installing privileged access controls to that they’re only granting access to exactly what the user needs within the network, and closing off areas that they aren’t permitted to access.”
Matan Or-El, CEO & Co-founder at Panorays:
“Unfortunately this isn’t the first time we’re witnessing a breach at a healthcare service provider which affects the customers of other companies. Just a month and half ago a breach at MEDantex, exposed thousands of sensitive patient medical records belonging to NYU Medical Center, SF Multi-Specialty Medical Group, Jackson Hospital, Allen County Hospital. In this case, a breach at US HealthEquity impacted 23,000 individuals engaging with two companies in Michigan.
Healthcare providers on their end, hold a plethora of sensitive and confidential data: financial statements, healthcare details as well as insurance policies, and as such are considered a critical supplier. An attacker can use the information to impersonate a candidate in order to commit identity theft and insurance fraud.
In today’s day and age, customer data isn’t stored only in the hands of the company the customer is directly engaged with. Each company relies and depends on an eco-system of service providers accessing and processing the company’s data. Third parties run the gamut, from IT infrastructure, to applications and business firms. Third party security is a rising problem since security team have no visibility – or control, over the systems of their suppliers. The problem is exacerbated with the ever expanding number of suppliers accessing the company’s data. What can be done then? Organizations should be looking at the security posture of their suppliers as part of their third party security evaluation process. Companies must demand a certain benchmark that the supplier needs to achieve prior to engaging with them.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.