Pentesting for Health Insurance Guaranty Association Revealed Vendor Vulnerabilities
About Our Client
The Client is a state-based, non-profit association in the United States that protects policyholders when health and life insurers become insolvent.
Insurance Guaranty Association Sought BFSI Cybersecurity Expertise
The Client operates a proprietary web application that serves as a central access point for members, employees, and affiliated organizations. Through this portal, users log in and perform sensitive tasks such as accessing accounts, handling claims, managing retirement and benefits, and completing financial transactions.
In addition to the proprietary app, the Client uses integrated third-party services for financial management, investment and wealth management, and HR administration. The Client also relies on online platforms for data exchange and coordination with other guaranty associations.
Ensuring the security of this ecosystem was essential to safeguard personal, financial, and health information, while also preventing business disruptions from potential security breaches.
Because the Client processes sensitive policyholder data, it is required to comply with federal and state regulations (including HIPAA and GLBA) and align with recognized security standards such as ISO 27001, the NIST Cybersecurity Framework, and CIS Controls to safeguard information and manage third-party risks.
The Client was looking for a US-based cybersecurity partner with deep knowledge of the threat landscape in the healthcare insurance sector. Trusting our extensive experience in insurance and healthcare IT, the Client engaged ScienceSoft.
External Pentesting of Guaranty Association’s Integrated Systems
Following the OWASP Web Security Testing Guide, ScienceSoft’s team performed black-box penetration testing focused on the Client’s web application and its integration points with external services. The testing covered the following assets controlled by the Client:
- The Client’s web application, which serves as the main entry point for users.
- Perimeter infrastructure: assigned IP ranges and cloud-hosted servers supporting authentication and domain control.
The test also covered integration points with external services connected to the Client’s web platform, such as:
- Cloud accounting and financial management platforms.
- Banking, invoicing, payment, and reconciliation services.
- Market research and analytics platforms.
- Human capital administration services.
- Investment and wealth management systems.
- Retirement and employee benefits portals.
- Health and dental insurance portals.
- Online platforms for coordination among insurance guaranty associations.
After completing the penetration test, ScienceSoft’s security engineers were pleased to confirm that the Client’s proprietary web application and infrastructure showed no security gaps. However, 7 out of 11 integrated third-party services contained vulnerabilities. In total, the team identified 11 security issues, which they classified using OWASP Top 10 and NIST CVSS standards. Seven of the detected security flaws were rated as medium severity — a level at which an attacker could gain partial control of the affected systems or potentially take full control under certain conditions.
Based on the criticality of each integrated service and the risks the discovered vulnerabilities could pose to the confidentiality, integrity, and availability of data, the testers recommended the following corrective measures:
- Implement CAPTCHA for repeated login attempts to prevent automated attacks, such as password guessing or account harvesting.
- Validate and sanitize all user inputs to ensure that harmful commands or scripts cannot be injected.
- Restrict cross-origin requests to trusted domains to prevent arbitrary websites from sending requests and reading their responses.
- Audit and restrict server-side functions in web applications that can send requests to other systems (for example, DNS lookups or system calls). Only safe, verified operations should be allowed. This prevents attackers from exploiting the application to target other networks or services (a class of risks known as Server-Side Request Forgery, or SSRF).
- Keep software, libraries, and servers updated to patch known vulnerabilities before attackers can exploit them.
- Upgrade encryption protocols to TLS 1.2 or higher to secure communications between users and affected systems, preventing attackers from intercepting or tampering with transmitted data.
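Two of the measures above (restricting cross-origin requests to trusted domains, and allowing only verified destinations for server-side requests) can be enforced with small, testable checks. The following is an added example written for this page, not code from ScienceSoft or the Client's application; the hostnames, origins and addresses are constructed placeholders.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed allowlists (hypothetical stand-ins for the integrated vendors).
ALLOWED_OUTBOUND_HOSTS = {"api.accounting.example", "bank.example"}
TRUSTED_ORIGINS = {"https://portal.example"}


def outbound_url_allowed(url, resolver=socket.gethostbyname_ex):
    """SSRF guard for server-side requests.

    Accept a URL only if it uses HTTPS, carries no embedded credentials,
    names an allowlisted host, and every address that host resolves to is
    globally routable (blocks loopback, RFC 1918, link-local such as
    cloud metadata endpoints, and similar internal ranges). The resolver
    is injectable so the check can be exercised offline.
    """
    parts = urlparse(url)
    if parts.scheme != "https" or parts.username or parts.password:
        return False
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_OUTBOUND_HOSTS:
        return False
    try:
        _, _, addrs = resolver(host)
    except OSError:
        return False
    # Re-check the resolved addresses: a permitted name must not point inside.
    return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)


def cors_headers_for(origin):
    """Return CORS headers only for an exact match against trusted origins.

    No wildcard, no prefix or substring matching, and 'Vary: Origin' so
    caches do not replay one origin's response to another.
    """
    if origin in TRUSTED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}
```

The resolver hook lets a test simulate a vendor hostname that resolves to an internal address, which is the case the address check exists for.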
While the Client could not fix those third-party vulnerabilities directly, the report findings gave the organization:
- Evidence for compliance and audits (due diligence performed).
- The ability to notify vendors of found vulnerabilities and request targeted security fixes.
- Information to reassess the IT integration architecture and potentially replace high-risk vendors that lacked mature security controls.
Pentesting Provided Crucial Insights for Compliance, Data Protection, and Vendor Risk Management
ScienceSoft conducted a black-box penetration test for a US life and health insurance guaranty association, covering the Client’s public website, infrastructure, and 11 integrated third-party services. The test revealed 11 vulnerabilities across the integrated services, 7 of which were severe enough that attackers could potentially exploit them to gain unauthorized access to sensitive data or control of the affected systems.
The assessment provided the Client with crucial insights into external risks affecting its operations and sensitive data. The findings strengthened the Client’s ability to:
- Demonstrate compliance with regulations and industry standards.
- Enhance data protection by understanding and mitigating threats to data confidentiality, integrity, and availability.
- Improve vendor risk management, using the results to engage third-party providers and make informed decisions about ongoing integrations.
Technologies and Tools
Dirsearch, Burp Suite, Acunetix, SSLScan, Python, C, Perl.