Cyber insurance provides an opportunity to address the residual risk in your information security program by offsetting the costs of a data breach of ePHI. However, individual policies, coverage, and exclusions are highly variable, so just like any security control, it's important to understand your security risk profile before an appropriate cyber insurance policy can be defined. An assessment, such as a HIPAA Security Risk Analysis, should be the first step in any insurance policy strategy. Here's why: A) you'll have to do it anyway, B) the safest approach is to avoid a breach in the first place, and C) your risk profile will enable a better-tailored policy.
In June 2012, a hacker posted 8 million “hashed” passwords on an underground forum, looking for assistance in cracking them. About a fifth of the user credentials appeared to have come from eHarmony.com, an online dating site, with the remainder stolen from LinkedIn. At the time, most security experts advised all LinkedIn users to change their passwords.
Earlier this week, LinkedIn notified all of its users that it had become “aware that data stolen from LinkedIn in 2012 was being made available online.” Presumably, LinkedIn learned of this development from LeakedSource, a self-described “scavenger” website that hosts a fee-based, searchable database of previously stolen credentials. In a May 17th blog post, LeakedSource announced that it had acquired emails and passwords for 167,370,910 LinkedIn accounts for $2,300.
The LinkedIn notification was striking in several respects. First, it appears that LinkedIn only realized the full extent of the original heist four years after the fact. As Fortune Magazine wrote today, “Better late than never, I suppose.” It is true that in 2012 LinkedIn never confirmed how many credentials were compromised. But the number widely reported in the news media was about 6.5 million. If the company knew the breach was far more extensive than that, I believe it would have, and should have, informed its members.
So as much as LinkedIn assures us that they have “taken significant steps to strengthen account security since 2012,” I am still left wondering how thoroughly they investigated the original incident. This week, the company also informed its member base that it “took immediate steps to invalidate the passwords of all LinkedIn accounts that we believed might be at risk. These were accounts created prior to the 2012 breach that had not reset their passwords since that breach.” OK, good move – but four years after the fact?
I am not letting LinkedIn users off the hook either. Password protection is a joint responsibility. In 2012, the number one password on LinkedIn by far was “123456,” and it was used by over 750,000 members. Pick strong passwords, change them frequently, and consider two-factor authentication (which LinkedIn now supports).
I’ll close with one additional thought. Hacking attacks that result in major breaches of personally-identifiable information (PII) have become so commonplace that the very notion of online privacy has been challenged. As a result, many Internet users have adopted a “laissez-faire” attitude toward their personal information, particularly on social networking sites. Let’s hope that both companies and people invest the time and money necessary to preserve the expectation of security and privacy online. The alternative could be crippling to the economic efficiency and progress the Internet has created in so many industries.