90% of health insurers surveyed have had a data breach 3. 72% increase in cyberattacks against healthcare companies occurred between 2013 and

Transcription

1 Health Savings Account (HSA) Data security and employee benefits providers by Elon Ginzburg, Information Security Officer, Wells Fargo Wholesale Banking Information security is a critical corporate responsibility. High-profile breaches make national and international headlines, with impacts across the spectrum. Financial liability to your customers may lead the way, but close behind are damages to your brand, negative public relations, loss of consumer trust, and the expense to mitigate the breach. In this paper, we will explore the entities committing the crimes that result in these breaches, what they hope to accomplish, common tactics used today, and the controls that organizations are putting in place to keep attackers at bay. With recent healthcare breaches, companies are zeroing in on their employee benefits providers. Healthcare records contain personally identifying information, and employers want to understand the potential risk of sharing data with the vendors they use, including Health Savings Account (HSA) administrators. Recent breaches bring added scrutiny to security for organizations The stakes are increasing as the pace of high-profile breaches escalates. The average cost of a data breach is now $3.8 million. 1 Security is no longer the siloed domain of IT professionals. It now receives board-level attention, as no company wants to be in the headlines, and no executive wants to lose their job over a data breach. The past few years have shown that legacy technologies are less effective at detecting advanced malware and new threats, which are growing in volume and sophistication. As a result, there is a tremendous need for companies to upgrade their information and cyber defense programs and invest in next-generation security solutions. Healthcare is hard hit by security breaches The healthcare industry has been profoundly impacted by cyberattacks. The recent Anthem breach affected as many as 80 million Americans and included names, addresses, and Social Security numbers. More than 90% of health insurers surveyed have had a data breach, and 0% have had more than five, over the past two years. 3 This has served as a wake-up call to some HR leaders, since employers may share detailed employee Breaches are directly affecting the healthcare industry: 90% of health insurers surveyed have had a data breach 3 7% increase in cyberattacks against healthcare companies occurred between 013 and million Americans were affected by the recent Anthem breach 10x A person s medical information is worth 10 times more than his or her credit card number on the black market 5 information with many benefits vendors. A person s medical information is worth 10 times more than their credit card number on the black market. 5 Who are the hackers and what are they trying to accomplish? Cyberspace has experienced a significant growth in the number, type, and sophistication of malicious entities. These include nation-states, organized crime, hacktivists, and cyberterrorists groups with sizable resources and enough patience to probe until they find something they can exploit.

2 Impact of breaches has far reach: $3.8 million is the average cost of a data breach 1 10% increase in total breaches occurred between 013 and million identities were exposed by cybercriminals in ,000 pieces of malware are being deployed every day. Malware is responsible for 95% of stolen data and twothirds of all breaches days Are companies responding quickly enough? is the number of days on average that a breach goes undetected 6 Breaches are causing organizations to double down on data security of respondents say their organizations made sure the IT function had the budget necessary to defend itself from data breaches 99.9% of exploitations happen at least one year after a patch was announced 6 7% of organizations enhanced tools and personnel to contain and minimize breaches of victims investigated by Mandiant did not discover the breach themselves, but were informed by a third party of organizations enhanced their budgets to defend the company from data breaches The Target breach was a turning point: Management is more concerned about data breaches now than they were before the Target breach. Management concern about breach on a 10-point scale Before Target 7.8 After Target Before the Target breach, only 13% of respondents thought senior management was extremely concerned (ranked as a 9 or 10) about a possible data breach. After Target, that rose to 55%. Before Target 13% After Target Percentage of respondents who thought senior management was extremely concerned about possible data breach 55%

3 Certain nation-states have moved from traditional government-level espionage to infiltrating private companies to get their intellectual property or, in some well-publicized cases, to cause them harm. Examples include China spying on an insurgent through a 010 Google hack 9 and Iran with distributed denial of service attacks against U.S. banks. 10 Some organized crime groups, with increasing sophistication, have turned to cyberattacks for financial gain. They plan and execute complex crimes, gathering detailed consumer data to sell personal identities and commit fraud. The recent Home Depot and Target attacks are suspected to have been perpetrated by organized crime units from Eastern Europe. Hacktivists are activists who try to further their social protest agendas on the web by disrupting businesses. They typically have nonfinancial motivations, but are looking to gain power or to simply disrupt business or society similar to cyberterrorists, whose main objectives are also to gain power and cause disruption. Current tactics and tools While attack methods vary and continue to evolve, the most common tactics currently include social engineering, exploiting vulnerabilities in webfacing infrastructure, and gaining access through third parties. Social engineering. Social engineering is a nontechnical way of breaching an organization that relies on tricking people into circumventing certain security procedures. Imposter fraud is a current example of social engineering, where a fraudster poses as a company executive and initiates a fraudulent wire transfer. Social engineering typically involves many steps before achieving results, and having procedural controls in place for key organizational processes can help alleviate the risk. Training and awareness, as well as checks and balances, are the controls typically used by companies today to combat breaches that involve social engineering. Exploiting vulnerabilities in web-facing infrastructure. The 01 J.P. Morgan Chase & Co. breach was executed through their public website hackers found a misconfigured remote-access server and gained access to 80 million records.11 External websites are the most likely to be attacked, since they are publicly available. Coding vulnerabilities can allow external access to your systems and allow for malware to be deployed. Malware is malicious software that can help someone gain unauthorized access to systems. Once in, the intruder can expand their footprint into other areas of the business. Hacking through third-party vendors. In highprofile breaches, such as the recent Target breach, the hacker looked for the weakest link a third-party system that had access to Target s main systems.1 The third-party vendor didn t have the same level of sophisticated security parameters in place that Target had, which illustrates the challenge with outsourcing and highlights the importance of being sure that the vendors your company works with have effective oversight of their outsource partners. What are the key controls an organization should have in place today? Security experts suggest focusing on the following key areas to help control the risk of potential data breaches. These controls are generally expensive and require ongoing commitment at the highest levels of the company. Staying up-to-date with software patches issued by software companies. Patches fix flaws in software programs that have been exposed by hackers. Having the patch in place will prevent hackers from exploiting the loophole, yet many organizations don t stay current with patches, or it takes months to get a new patch deployed. A recent Verizon study found that 99.9% of exploits happened when known vulnerabilities remained unpatched for at least a year after the patch was announced meaning companies were slow to respond and remediate known flaws. Implement data encryption for all transactions. Comprehensive data encryption makes it nearly impossible to do anything with the data if it s stolen. Encrypting data immediately, at the point of entry into systems, keeps hackers at bay. Vulnerability management of web-facing systems. Ongoing review of web-facing code and environmental scans to detect and remediate vulnerabilities are baseline components of advanced security programs. Third-party vendor management programs. Strong due diligence and oversight of vendors is another key control for limiting the potential of breaches. Auditing vendors can be time-consuming and expensive, but since outsourcing is so common today, companies need to be vigilant about choosing vendors whose security programs have been validated. 3

4 Key controls an organization should have in place Staying up-to-date with software patches issued by software companies Patches fix flaws in software programs that have been exposed by hackers. Having the patch in place will prevent hackers from exploiting the loophole. Implement data encryption for all transactions Comprehensive data encryption makes it nearly impossible to do anything with the data if it s stolen. Encrypting data immediately, at the point of entry into systems, keeps hackers at bay. Vulnerability management of web-facing systems Ongoing review of web-facing code and environmental scans to detect and remediate vulnerabilities are baseline components of advanced security programs. Third-party vendor management programs Strong due diligence and oversight of vendors is another key control for limiting the potential of breaches. Multi-factor authentication Multi-factor authentication programs require two or more factors to authenticate users before they can access systems. Factors include personal information, unique biometric identifiers, and something in the user's possession, such as a security number on their credit card. Appropriate insurance coverage Many insurance carriers offer network security and privacy coverage. Employers should consider having this in place so they can transfer the financial injury to an insurance product in the event of a breach. Multi-factor authentication. Multi-factor authentication programs are considered a security best practice. These programs require two or more of the following three factors to authenticate users: something the user knows (such as a password or the last of four digits of their SSN), something the user has (such as a mobile phone or the security number on the back of their credit card), and something the user is (biometrics, such as their voice or fingerprint). Appropriate insurance coverage. Many insurance carriers are offering network security and privacy coverage. Employers should consider having this in place to transfer the financial injury to an insurance product in the event of a breach. HSA programs and data security HSAs are an integral part of many employee benefit programs, and HR leaders are now questioning the security environments of the vendors they choose. Some HSA administrators outsource key parts of their HSAs to other vendors, increasing the risk of potential breaches. However, HR decision makers are ramping up their due diligence and verifying that each of their vendors has advanced security and compliance parameters in place, as well as an ongoing commitment to improving and adapting as the security environment changes. Information security is key to maintaining trust in relationships with customers; advanced information security programs are now a competitive advantage. At Wells Fargo, security is everyone s business Wells Fargo has a long-standing focus on data security. Although there are no silver bullets, Wells Fargo deploys a defensive in-depth strategy. This strategy includes controls across multiple systems, processes, and organizational activities. Secure coding, web monitoring, and infrastructure management including network and hardware monitoring and encryption are ingrained in our culture and are part of our everyday business.

5 The Wells Fargo HSA is built on in-house technology Information security is a critical priority at Wells Fargo, and the Wells Fargo HSA is built on our proprietary banking and investment platform, which helps us keep tight control of the security environment. Our commitment to data security includes an enterprise software patching management program, which ensures that we are monitoring and adding software patches as they become available. Data shared outside Wells Fargo is encrypted, and the vendors that support our HSA services (such as Welcome Kit mailings) are subject to a rigorous vendor management program. All our web-facing applications, including our Commercial Electronic Office (CEO ) platform and Online Banking, have ongoing vulnerability management in place. Additionally, multi-factor authentication is required for high-risk online transactions, money movement, and account setup. Contact us for more information on the Wells Fargo HSA Our clients value the Wells Fargo commitment to data security and choose us for our in-house, standalone HSA solution. For more information about the Wells Fargo HSA, contact us at or visit wellsfargo.com/hsa. Elon Ginzburg is responsible for managing information security across the Wholesale division of Wells Fargo, which offers businesses a large selection of products and services including treasury management, insurance, asset management, investment banking, and Health Savings Accounts (HSA). Elon has more than 0 years of diverse financial services experience, bridging the gap between technology and business by managing complex and technology-heavy projects. Over the past 10 years, Elon has focused on information security. Prior to Wells Fargo, Elon worked with Barclays Global Investors, Barclays Capital, and Investor Bank and Trust. Elon served in the Israeli Defense Forces as a soldier, sergeant, and officer in an infantry and parachuting unit. He has a B.Sc. in industrial engineering and management from the Technion (Israel s institute of Technology), and a M.Sc. in information security from Western Governors University. When he is not at work, Elon enjoys spending time with his two daughters and having fun in the great outdoors. 1 Ponemon Institute. USA Today. Massive breach at healthcare company Anthem. February 5, Ponemon Institute s Fifth Annual Benchmark Study on Privacy & Security of Healthcare Data. Ponemon Institute. "01: A Year of Mega Breaches." January, Reuters. Your medical record is worth more to hackers than your credit card. September, Verizon Data Breach Investigation; increase is from 013 to Symantec; increase is from 013 to McAfee. 9 BBC News. China leadership orchestrated Google hacking. December, New York Times. Bank Hacking was Work of Iranians, Officials Say. January 8, Wall Street Journal. Bank Hackers Stole Millions Using Remote Access Tools. February 16, Computer World. Target breach happened because of a basic network segmentation error. February 6, 01. This article provides a high-level summary of current data security best practices and suggestions. Wells Fargo Health Benefit Services (HBS) does not provide data security advice. Consult with your attorney or risk management consultant for guidance on the steps your business can take to reduce data security risk. Deposit products offered by Wells Fargo Bank, N.A. Member FDIC. 015 Wells Fargo Health Benefit Services, a division of Wells Fargo Bank, N.A. All rights reserved. WCS-1679 (8/15) 5