In a recent American health insurance data breach, personal information from more than 566,000 individuals was exposed by a third-party business partner.
A rise in the number of recent data breaches has shown that many third-party companies may not be protecting shared data as well as they should, putting holes in their own cybersecurity controls. Companies who use the services of third-parties need to ensure that their providers have proper access control processes in place and that they are equally rigorous in protecting sensitive and confidential information.
Health Insurance in the Time of Data Breaches
A recent incident in the US revealed that bad actors had gained access to health insurance provider Humana’s client information by using the system credentials of employees at its partner company – Bankers Life. Their access was used to enter previously secure Bankers Life websites which contained the personal data of individuals who had applied for a health policy from Humana. This sensitive information included customers’ names, addresses, dates of birth, health insurance information and the last four digits of their Social Security Numbers.
Humana employed an external team of forensic investigators to determine what damage had been done. It is believed that the incident didn’t expose the financial information, driver’s license numbers, and sensitive medical data of most affected customers, but the impact of the incident did great damage to Humana’s (and Bankers Life’s) reputation as a company.
Understand your Relationship with Third Parties
No matter what industry you are in, it’s very likely you engage other companies to help run your business. It is often beneficial to outsource non-core activities such as catering, manufacturing, IT support, product design, and legal services.
The most efficient returns from an outsourcing agreement require companies to treat third-party companies as an extension of their own workforce. This means they must share all relevant data about customers, product designs, sales forecasts and other critical information with their suppliers to allow them to fulfill the tasks and deliver their services in the same way they would as if they were being delivered in-house.
Necessity to Share Data
For some outsourcing agreements the information that you need to share might be relatively nondescript. For instance, an external catering service will want to know how many employees will eat lunch, and what proportion of these are vegetarian. Information like this is not generally considered as sensitive, because it is unlikely to cause any serious damage to the company if it ends up in the wrong hands.
However, when you look at an external design firm, lawyer or IT support team, the kinds of information they need to have access to is more sensitive. When dealing with information such as a company’s intellectual property, manufacturing methods, contracts or customer contact data, these are significantly more sensitive because they relate to the company’s operations. If exposed to the wrong people, they have the power to cause negative impacts on the company. Copy-cat products could emerge, a loss of reputation might occur, and they could face legal issues if found to be non-compliant with regulations like GDPR.
When a company decides to work with others, controls should be put in place to manage how they share information with third-parties, to limit or prevent unauthorized access resulting in the unlawful sharing of the data.
So how do you do that?
While you may not work for a large healthcare organization, you almost certainly share information with a number of third parties that currently work with you, so they can perform their services. You need to confidently know how this is done and who has access to it to make sure it is only available by those who need it.
Start by asking the following questions in your organization:
- Which data is critical or sensitive to business operations?
- If this data fell into the wrong hands, what would the outcome be?
- Where is this data currently stored? Make sure you consider business applicants such as CRM and ERP, SharePoint, and other local file sharing, collaboration and cloud-based solutions.
- Are the backups of this sensitive business data secure?
- How well are the third-parties, who have access to your critical data, protecting it?
The answers to these questions will greatly help your organization ensure that the information it relies on to trade, and build its reputation, is both secure and compliant. As a result, you will be much more likely to avoid unnecessary and costly non-compliance fines, maintain your reputation, and stay in business.
The same applies if you are a smaller supplier providing services to a larger company that shares sensitive data with you. You must check that you have implemented adequate security and compliance measures that both support and match your partners’ policies. The growth of third-parties is resulting in the number of potential “gateways” these companies provide into larger organizations also increasing. Hackers know that the chances of being able to breach the security of a smaller organizations is much greater, so use them to attack the larger, often better protected, targets. Make sure you use the help and advice of the larger organizations you work with because they will have dedicated security specialists who can help you understand and deal with your data compliance and security needs.
How do I get Control of my Third-Party Access?
The first step is to find out where all your sensitive data is stored and who currently has access to it. This means both your existing employees and third-party relationships, but it also includes any ex-employees and business partners you no longer work with. If relevant procedures are not in place, they might still have an ability to access your systems and data. The best way to streamline this process, and also improve the governance of sensitive data in the future, is to consider deploying an identity and access governance (IGA) solution to automatically manage the entire identity lifecycle of user access. Such an investment will help you reduce the risk of security and compliance breaches while still allowing you to responsibly share data with your third-parties so they can perform the tasks you have hired them for.
Learn more about how IGA is core to your security infrastructure and can support your cyber defense