Financial services companies as popular targets of cybercriminals for the obvious reason -- they're where the money's at. And health care companies have medical records, which are very valuable on the black market since the information there can be abused in so many ways, and doesn't expire.
HealthExpense, which provides health care payment services to banks and their enterprise customers, straddles both worlds.
"When we started, every new client asked us about security," said Marco Smit, CEO at Sunnyvale, Calif.-based Health Expense.
"It has to do with the data we're collecting," said company CSO Ken Lee. "We are definitely bound by HIPAA compliance, and we hold all the personal health information and financial information."
Meanwhile, due to the seasonal nature of the business, scalability was very important.
"We have open enrollment periods with one of our partners," said Smith. "It's in the fourth quarter, but people don't start logging in and setting up their accounts until January, so our payments went up two times, and then another 50 percent in February. A year ago, we had one client put 1.2 million data records in within 24 hours -- normally we get a few thousand. We're in a business where peaks and spikes happen. Seasonal ups and downs happen."
Another complication is that the service needs to be accessible via the Web, so that the end users -- corporate employees -- can easily log in to use the system.
The company opted for a cloud-based infrastructure, hosting everything with Amazon.
Security is multi-layered. There are local backups of end point devices, which are also copied to the cloud, with multiple versions of the backups stored so that the company can go back to previously saved content in case of, say, a ransomware infection.
Company data is stored in multiple Amazon locations, so that the recent outage in Amazon's Northern Virginia region didn't affect service availability.
Data is encrypted both at rest and in transit.
Then, for visibility into network traffic in the cloud environment, HealthExpense uses Alert Logic, which not only provides the application that HealthExpense uses to monitor all traffic, but also analytics and a security operation center.
"That's a reduction in-house of the cost of the people I need to do the work," said Lee.
The company is in the process of adding another level of security, two-factor authentication.
"Today, most of the logins are through single sign-on," said Lee. "With our biggest partner, users log in through their site and get ported over to us. They have security levels on their end, before they come to our site. It's very consumer-friendly, but on top of that we have more security layers post-login."
Sign up for CIO Asia eNewsletters.