There is a war being waged over consumers' identities. Insurance companies and other financial services institutions are surrounded by relentless hostiles who have targeted their customer data and seemingly will stop at nothing to get it. While carriers must secure their systems against ever-more-sophisticated attacks, they also must provide safe access to these systems for customers and business partners. For the financial services institutions around the world that store databases of priceless consumer information, losing a battle can result in immeasurable monetary and reputational harm.
"It is amazing how vulnerable the insurance system is to fraud and abuse," observes Tom Brennan, director of special investigations at Pittsburgh-based Highmark. "Nationally, 3 to 10 percent of what was paid out annually in the healthcare industry last year can be attributed to fraud and abuse. If you're looking at $1.7 trillion in payouts and take 3 percent of that - that is an annual figure in the hundreds of billions," adds Brennan, who serves as chair for the National Healthcare Anti-Fraud Association and is a member of the Blue Cross Blue Shield Anti-Fraud Advisory board.
Bank of America, Wachovia and Citigroup are just some of the financial services giants that have fallen victim to identity theft. And while the growing number of security breaches has led to the implementation of more-secure processes - such as two-factor authentication and Internet-based transport and storage of information, rather than the storage and transport of data tapes - identity theft and the resulting fraud remain a serious problem for the insurance industry, according to Mark Rasch, founder of the U.S. Department of Justice computer crime unit, and SVP and chief security counsel for Solutionary, an Omaha-based managed security services provider. An increasingly common form of insurance fraud involves perpetrators who use stolen customer identities to file false claims, he points out. "Insurance companies need to understand that information has a value and a life cycle, and that the legacy systems we've had for data aggregation in the past have become pools of data where thousands of people potentially have access to information about individuals," Rasch warns.
Growing Web of Vulnerabilities
And, as insurance companies have grown - through both natural business expansion and mergers and acquisitions - and adopted new technologies to support that growth, they actually have increased the potential for damage, Rasch contends. "Over time, insurers have collected much more data on people that is now being held in much more complicated systems with vulnerabilities we only slightly understand," he explains. And these vulnerabilities often are exposed to millions of external computers over the Internet. "Even if a company stores its information in a closed loop, if any one computer in that loop has been on the Internet, there could be anything on that machine to affect the integrity of the company's data," Rasch continues.
For insurance companies, which increasingly rely on electronic data exchange among producers, carriers and healthcare providers, for example, this presents a particular dilemma, according to Highmark's Brennan. "The way the healthcare industry is constructed, claims generally need to be processed very quickly, and the number of claims processed annually is very high - about 72 million," explains Brennan. "Healthcare regulations call for prompt payment, which makes it impossible to assign a single person to a claim, so the majority of our business is done electronically," he continues. "As a result, we need to have the technology in place to detect irregularities when they appear in the system."
Highmark ($7.9 million in premium revenue) has employed data warehouse technology from Dayton, Ohio-based Teradata, a division of NCR, to scan and capture claims activity. "We have data mining software looking at medical services coming in the door, which have many pieces involved, including hospitals, pharmacies, therapists and claimants," says Brennan. Using methods similar to those employed by credit card processors, the carrier is able to identify irregular behavior and detect potentially fraudulent claims. The technology can result in either early detection of fraudulent claims, preventing payment, or in an accelerated response to a payment that may have been made under false pretenses, Brennan notes.
Monitoring the Tricks of the Trade
Of course, as is the nature of progress, as the technology of business evolves, so too does the technology of thieves. "In the last three years, fraud and identity theft threats have changed dramatically," says Bob Walters, CEO of Teros, an application security provider located in Sunnyvale, Calif. "Before, all of the talk was of viruses and widespread germs over e-mail, and today, we are dealing with much-more-targeted attacks." Often, the targets of those attacks are the Web sites of financial services organizations, which are "big and easily reached," according to Walters.
As a software and application services provider for financial institutions, St. Paul-based Baker Hill is keenly aware of the methods used by hackers to compromise corporate Web sites. According to Eric Beasley, senior network administrator for Baker Hill, hackers often launch attacks on the application layer, attempting to gain entry to a company's systems through its Web-based applications. To beef up security for its clients, Baker Hill leverages Teros' technology between its application servers and its institutional clients' browsers. The Teros solution observes "regular" traffic between the browser and the application layer, and stores these patterns in a learning engine. The solution then can block any traffic that does not match normal activity, creating what Beasley calls a positive security model.
Though the solution employed by Highmark similarly flags unusual activity, the Teradata technology takes a slightly different approach to protecting consumers' identities by alerting the customer in question rather than simply blocking traffic, according to Brennan, who notes that he is working with Teradata to improve the technology. The vendor is developing predictive analysis technology that will use behavioral models run on trained algorithms to make certain faulty claims are stopped before being paid. "We will give our fraud detection system the ability to evolve right along with the fraud technology, since groups looking to burglarize insurance companies and claimants are only coming up with increasingly complicated approaches," explains Brennan.
Predictive, or "positive," security is the only way to keep up with fraudsters, according to Teros' Walters. "The trend is a truly adaptive, rapidly changing threat that is not amenable to signature-based models, but rather positive policy-based models," he asserts.
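The positive security model described above (learn what normal browser-to-application traffic looks like, then block whatever does not match), as an added illustration that is not Teros' or Baker Hill's code. The endpoints, parameter names and sample requests are constructed, and the learned profile (parameter names, a coarse value class, a length bound) is an assumed simplification.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

def char_class(value):
    """Narrowest coarse class that covers every character of the value."""
    if value.isdigit():
        return "digits"
    if value.isalnum():
        return "alnum"
    if all(c.isalnum() or c in " .-_@" for c in value):
        return "text"
    return "other"

class PositiveModel:
    def __init__(self, length_slack=2):
        self.length_slack = length_slack
        # (method, path) -> parameter name -> {"classes": set, "max_len": int}
        self.profile = defaultdict(dict)

    def learn(self, method, url):
        parts = urlsplit(url)
        params = self.profile[(method, parts.path)]
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            p = params.setdefault(name, {"classes": set(), "max_len": 0})
            p["classes"].add(char_class(value))
            p["max_len"] = max(p["max_len"], len(value))

    def check(self, method, url):
        """Return (allowed, reason). Anything not seen in training is denied."""
        parts = urlsplit(url)
        key = (method, parts.path)
        if key not in self.profile:
            return (False, "unknown endpoint")
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            p = self.profile[key].get(name)
            if p is None:
                return (False, "unknown parameter: " + name)
            if char_class(value) not in p["classes"]:
                return (False, "unexpected value class for " + name)
            if len(value) > p["max_len"] * self.length_slack:
                return (False, "value too long for " + name)
        return (True, "matches learned profile")

# Constructed baseline of "regular" traffic used to train the model.
BASELINE = ["/claims/status?claim_id=48213", "/claims/status?claim_id=7731902",
            "/policy/search?last_name=Nguyen&zip=15222",
            "/policy/search?last_name=O-Brien&zip=15219"]
model = PositiveModel()
for url in BASELINE:
    model.learn("GET", url)
```

Unlike a signature list, nothing here describes an attack: a request is denied only because training never saw its endpoint, parameter or value shape, so the quality of the baseline decides both the false positives and the gaps.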
The continuous monitoring of large network environments is imperative to react to new threats, regardless of the technology that is already in place, adds Solutionary's Rasch. "Intrusion prevention and detection has to go along with constant data correlation and monitoring in order to mitigate risk and secure information," he says.
But even the most advanced data mining techniques still should be supplemented by basic precautions, such as data encryption and strict data access procedures, Rasch notes. "Having encrypted files is equivalent to having a locked filing cabinet, and although stealing a key to unlock encrypted files is similar to finding the key to the cabinet, it is still an important theft deterrent," he says. And Rasch stresses that advanced authentication technologies, such as biometrics, are only as good as the weakest link in the security chain. "Biometrics ... works, but it only works if you already know who to let in and who not to let in - there is always a threat from insiders as well," he explains. "Security is about having a comprehensive and layered plan."
Who Should Pay for Security?
Beyond planning how to secure sensitive information, insurance companies also are struggling with the question of who should bear the cost if customer information is stolen and then used for something other than filing a faulty claim. "If an insurance customer's information is stolen from their insurer but then used to open a credit card, it often ends up being the merchants that lose money, and the customer who loses a lot of time dealing with the situation and probably deciding to switch insurance carriers in the end," explains Rasch.
Turning the problem into an opportunity, New York-based AIG (first quarter 2005 net income of $3.68 billion) has begun selling personal identity coverage that protects customer members or employees of policyholders against the consequences of identity theft. Benefits include access to a call center for immediate assistance and reimbursement for out-of-pocket expenses, lost wages (if the insured needs time away from work to resolve the issue) and any charges related to legal assistance needed to settle the loss of identity, according to Nancy Callahan, vice president, AIG Affinity Group Services. "There is a market for identity theft insurance to help safeguard customers of every kind of company, including insurance companies, due to three influences that have come together to create an explosion of virtual theft: a rapid growth in instant credit, aggregation of personal information into huge databases and an increased chance for sizable criminal profit," she contends.
So it seems that another option for insurance companies looking to safeguard customer data is, ironically, insurance. The good news for companies that are still wrestling with internal security controls is that AIG does not take the infrastructure of a company that is applying for insurance into consideration when deciding on policy plans. "We don't examine the nature of policyholders' security systems or procedures because identity theft can come from so many directions that an employee of a policy-holding company can be a victim independent of their relation to that company," says Callahan. "However, this type of insurance is still purchased because identity theft of any type has an effect on an insured employee's time, which can be a productivity drain."
Avoiding the 'Arms Race'
To prevent the possibility of losing its own customers' information, AIG Affinity Group does not aggregate customer information. "For individuals that carry our identity theft insurance, we don't hold their sensitive information until the time they contact us for a claim, so we avoid being a source of identity theft altogether," Callahan explains. But she concedes that identity theft isn't going away. "The problem is a long-term problem because we aren't going to stop granting credit quickly to individuals, and the game of cat and mouse will go on," asserts Callahan.
"We are in an arms race - hackers versus security vendors - and at any given time, the hackers may gain a momentary advantage," Teros' Walters says. The only way to avoid losing the race, he asserts, is to promote awareness. "User education is very important," Walters adds. "Users always need to be updated on the latest threats in order to block any innovative channels into an otherwise secure database system."
Senforce Technologies (Draper, Utah) introduced Senforce Wi-Fi Security (SWIS), a solution that safeguards and enforces security policies on desktops, notebooks and tablet computers within any type of Wi-Fi network, according to the company. The technology has been architected to enforce Wi-Fi security on legacy networks and the newest wireless networks, and works across all Wi-Fi connections, including existing Wi-Fi standards as well as the forthcoming 802.11n standard.
Many internal Wi-Fi security problems occur after employees purposely or accidentally deactivate traditional firewall and antivirus software installed on their systems, according to Senforce. Additional problems arise when well-meaning employees deploy Wi-Fi access points on their own in remote locations (e.g., off-site offices, lobbies, cafeterias, etc.) or when they establish their own wireless networks at their homes. SWIS ensures network security by preventing connections to rogue access points and disabling "at risk" networking behavior, such as network adapter bridging.
SWIS uses customizable system connectivity policies that are centrally managed, automatically distributed to end users and continuously enforced without user intervention so that telecommuters are given the same high level of security protection as users behind the corporate firewall, even when they connect through unmanaged network infrastructure or public access Wi-Fi hot spots, Senforce claims. -W.T.