IT and data protection at health insurers: sensitive data requires maximum protection

Health information is extremely lucrative for cybercriminals, who expect victims to be more willing to pay ransoms when such data is at stake. This makes health insurance companies a prime target for attack. They process and manage personal health data from digital applications such as health insurance and health apps, health trackers, online services and, more recently, the electronic patient record (ePA). The latter was already affected by precautionary measures in the wake of the Log4Shell vulnerability.

IT Security and Data Protection from an External Perspective: Health Insurance Companies in Germany

There is a clear need for action
The security concepts that health insurance companies have to implement are proving to be particularly diverse and complex. Not only do they have to demonstrate compliance with stringent legal and regulatory requirements, they also have to avoid liability risks and reputational damage. Our analysis of 144 health insurers revealed that there is still a clear need for action in terms of IT security. The data was collected by gathering and processing information from publicly available sources.

The Results 

Protected Mail Dispatch
69 percent of the health insurance companies checked sent e-mail partly unprotected (no SPF record), which makes it easier for attackers to forge the sender address for spam and phishing mail.
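The SPF gap described above can be checked from a domain's DNS TXT records. The following is an added example, not LocateRisk's own tooling: it classifies a domain's SPF posture from constructed sample records for fictional domains (no live DNS lookups), applying the RFC 7208 rules for duplicate records and the 10-lookup limit.

```python
import re

# Constructed sample TXT records for fictional domains (not real insurers).
SAMPLE_TXT = {
    "insurer-a.example": ["v=spf1 include:_spf.mailer.example -all"],
    "insurer-b.example": ["v=spf1 ip4:192.0.2.0/24 ~all"],
    "insurer-c.example": ["site-verification=abc123"],
    "insurer-d.example": ["v=spf1 a mx ?all"],
    "insurer-e.example": ["v=spf1 +all"],
    "insurer-f.example": ["v=spf1 a mx", "v=spf1 ip4:198.51.100.7 -all"],
}

# Mechanisms/modifiers that cost a DNS lookup; RFC 7208 caps them at 10.
LOOKUP_RE = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists|redirect)(:|=|/|$)")
ALL_RE = re.compile(r"[+\-~?]?all")

def assess_spf(txt_records):
    """Return (status, detail) for one domain's TXT records.
    status: 'missing' (no v=spf1), 'invalid' (permerror), 'weak' (~all/?all/
    no 'all'), 'open' (+all authorises everyone) or 'strict' (-all)."""
    spf = [r for r in txt_records if r.strip().lower().startswith("v=spf1")]
    if not spf:
        return "missing", "no v=spf1 TXT record: receivers cannot reject forged senders"
    if len(spf) > 1:
        return "invalid", f"{len(spf)} v=spf1 records (RFC 7208 permerror)"
    terms = [t.lower() for t in spf[0].split()[1:]]
    lookups = sum(1 for t in terms if LOOKUP_RE.match(t))
    if lookups > 10:
        return "invalid", f"{lookups} DNS-lookup terms exceeds the limit of 10"
    all_term = next((t for t in terms if ALL_RE.fullmatch(t)), None)
    if all_term is None:
        if any(t.startswith("redirect=") for t in terms):
            return "weak", "policy delegated via redirect= (evaluate target domain)"
        return "weak", "no 'all' mechanism: unmatched senders are neutral"
    qualifier = all_term[0] if all_term[0] in "+-~?" else "+"
    return {"-": ("strict", "-all: unauthorised senders fail"),
            "~": ("weak", "~all: unauthorised senders only softfail"),
            "?": ("weak", "?all: unauthorised senders are neutral"),
            "+": ("open", "+all: every sender on the internet is authorised")}[qualifier]

def assess_all(records_by_domain):
    """Map each domain to its SPF status, as a report-style summary."""
    return {d: assess_spf(r)[0] for d, r in records_by_domain.items()}

if __name__ == "__main__":
    for domain, records in SAMPLE_TXT.items():
        status, detail = assess_spf(records)
        print(f"{domain:20} {status:8} {detail}")
```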

Accessibility of the System Interfaces
42 percent do not adequately protect all of the company's database systems against cyber attacks. Unsecured systems that can be reached from the outside make it easier for attackers to gain access to sensitive data.

Data Transmission Security
In addition, 85 percent allowed data transmission using outdated transport encryption, which facilitates data theft.

Obsolete Applications
In 29 percent, at least one application with a potential high-criticality security vulnerability was found. Applications with missing security updates are a welcome gateway for attackers.

GDPR Compliance
44 percent of health insurance companies used tracking cookies without user permission. In these cases, warnings and fines may be imposed.

Gain Insight into Your Organization's External IT Attack Surface

IT managers do their best to ensure the security of their IT systems. But how can the current security status be demonstrated on an ongoing basis? With LocateRisk's IT security analysis, it is quick and easy. See for yourself: interested organizations can receive a free security assessment of their IT landscape, including a 30-minute walkthrough of the detailed analysis, at: Tel. 06151 6290246 or e-mail to:

IT in Hospitals: More Protection Urgently Needed

Read now: Data collection on the IT security situation of hospitals

Request your personal Live-Demo now

Identify and reduce your cyber risks through a comparable and understandable overview of your IT security. Let our experts advise you and find out how LocateRisk can help you solve your cyber risks.

