Health, Higher Ed Most Vulnerable to Cyber Attacks
As cyber risk management comes of age, more data and better analysis are leading to new realizations. One is that health care and higher education are the most vulnerable sectors, followed closely by financial services.
Another is that the vast majority of security breaches could be forestalled using simple measures, such as ensuring all updates and patches to software are installed and tested.
However, studies are starting to show that cheap, low-tech email attacks remain stubbornly effective despite expensive, high-tech protections.
All of those ideas were advanced and detailed at a fast-moving panel discussion May 11 in New York, sponsored by brokerage Crystal & Company.
Actuarial data is still thin in cyber, but Christopher Liu, head of cyber risk in the financial institutions group at AIG, said that “institutions in health care and higher education are the most hazardous classes of insureds. That is because they have the most sensitive information and that there is high turnover. Also, they usually do not have big budgets, so security is often not well supported.”
Financial institutions, especially asset managers, are the second-most hazardous class, Liu added.
“They have the same attractive information, plus they have money.”
Mitigating that, they also tend to have better funded and supported security, and they have heavy government regulation. That both keeps them on their toes, and also means greater external surveillance. Several panel members noted that firms became aware of breaches when regulators noticed unusual activity.
“We find that we deal primarily with three areas,” said Austin Berglas, senior managing director at K2 Intelligence.
“Those are: unpatched vulnerabilities in software, misconfiguration of internal systems, and misplaced trust by employees. We get called in to handle a breach, and 99 percent of the time we find the vulnerability is unpatched.”
Berglas explained that the software companies race each other to send out new versions that often are not completely functional or secure. So they send out patches. “Windows does it every week on ‘patch Tuesday.’ But users don’t have any regular schedule or system for installing and testing patches. We find unpatched vulnerabilities dating back as far as 1999.”
The challenge of unsecured configurations between systems was dramatically demonstrated with the infamous attack on retailer Target, which came through the air-conditioning vendor. But Berglas emphasized the persistent and pernicious problem of simple phishing.
“It is estimated that 30 percent of individuals within a company will open an email, and 13 percent will click on an attachment, even if they have been warned not to,” Berglas warned.
“You spent half a billion dollars on security systems and firewalls, and one click on one phishing email by someone with elevated system privileges, and the bad guys have just defeated your half-billion-dollar defense. Now they are inside, with credentials, and you can’t detect them.”
The quickest and easiest thing that any company can do “is to look for unpatched vulnerabilities in public-facing systems,” Berglas urged.
On the same theme, John F. Mullen, managing partner of the law firm Lewis Brisbois Bisgaard & Smith, stressed that “security goes way beyond IT.
“This is not just about the tech guys. Cyber security tends to get pushed downhill.” And that tends to mean lack of coordination on all fronts.
“I have been to meetings of the cyber response team, and everyone in the room is introducing themselves. This is the response team. Everyone in the room has to know everyone in the room.”
Similarly, “insureds have to know the coverage that they have bought. Is there a mandated forensics group? Outside counsel? If so, go meet with them. If you have options, vet them,” Mullen exhorted.
He expects the cyber insurance business to triple or quadruple in the next five years, in terms of premium spending.
Cycling back to the theme of internal responsibility, Paul Miskovich, senior vice president and global practice leader of cyber and technology errors and omissions coverage at Axis, said that 67 percent of cyber claims presented to his firm involved insider activity of some kind: clicking on a phishing email or failing to install a patch or use a firewall. Further, 25 percent of claims involved third parties such as vendors.
For all the focus on the breach itself, Miskovich added that “regulatory costs can be more than the costs of the breach, especially if you don’t have documentation of your security policies and protocols.” That includes documentation that the policies are in place and are rehearsed.
Noting previous comments that many losses are traced to breaches that have gone undetected for years, Miskovich said that a new area within cyber insurance is full coverage for prior acts.
Health Care Coalitions Can Effect System Change
Michael Thompson likes to hit the ground running. In his new role as president and CEO of the National Business Coalition on Health for just a few days, he’s already going full steam ahead with an ambitious agenda to tackle many of the challenges facing the health care industry.
He believes, for example, that the administration of occupational and nonoccupational injuries and illnesses should be integrated wherever possible to provide more effective care for patients.
Among his other goals are: fostering an independent system to evaluate returns-on-investment to identify truly effective health care strategies, helping employers generate employee engagement in their own health care decision-making, incorporating community resources into wellness campaigns, and creating a strong infrastructure on the topic of well-being.
“We really want to make sure the focus of NBCH is leveraging the collective efforts of the coalitions,” Thompson said. “This coalition infrastructure is an unbelievable opportunity to accelerate the change that we, as employers, or the country is looking for.”
The National Business Coalition on Health is a 24-year-old not-for-profit company consisting of 51 purchaser-led health care coalitions. Described as a “coalition of coalitions,” the organization “provides expertise, resources, and a voice to its member coalitions across the country and represents each community coalition at the national level,” according to its website.
Thompson, who was named to the top post after spending 20 years with PricewaterhouseCoopers LLP where he was a principal, says that by getting the coalitions to work in a coordinated manner, he hopes to make meaningful inroads in the delivery of health services and reform of the nation’s health care system.
Advancements in the medical delivery system are happening so rapidly it’s difficult for organizations to know what they are, let alone how effective each is. It’s an area where a coordinated effort can allow the coalitions to more easily reveal the strategies that are working best.
“One of the weaknesses in the system today is too often people will tell you what their ROI is, but it’s all self-reported based on their own analysis,” Thompson said. “We need a system that’s more accountable and leads to independent evaluation so we can share that and accelerate the success of those delivering results and cause others to look seriously about making improvements.”
Such a system would allow the coalitions to support those organizations and strategies that are most effective, and it would help people to become healthier. “What could be healthier to the system than a system that’s accountable?” Thompson said. “We need to develop accountability and improvement that will help us turn the corner in health care.”
Reform of the health care delivery system involves many players, including employers. One of the most pressing issues involved is the affordability of health care — or lack thereof.
“There’s a lot of movement underway to start to change the way we pay for and deliver and even the way we organize around health care and provide value based care,” Thompson said.
“It’s incumbent upon us to figure out how to get the multiple players on the same page. It won’t happen overnight, but you’re already seeing a lot of activity around bundle payments, accountable care organizations in both the public and private sectors. Coalitions become very important to engage stakeholders to rationalize that in the community and NBCH needs to keep that broader picture in mind and facilitate and support the development of that.”
Wellness and Integration
The idea of wellness is being challenged and criticized within the health care industry, Thompson says. He believes the coalitions can help by integrating wellness into local communities.
“Wellness and population health is a local issue, it’s not limited to the four walls of work,” Thompson said. “Many employers are in multiple communities. We must find a way to help them connect in the communities.”
Along with wellness, Thompson supports what he says is the emerging issue of well-being. Where wellness refers to encouraging people to develop better habits, well-being is a broader concept.
“Well-being is enabling people to be the best they can be so they can thrive in their lives and perform optimally in their chosen work,” Thompson explained. “Well-being is a much higher order conversation, and it doesn’t start and stop with a health risk assessment.”
It also does not necessarily start and stop within the U.S. but can involve any areas of the world. Companies that are global should focus on well-being and integrate it into their cultures, Thompson said.
He endorses the idea of integration overall, including occupational and nonoccupational injuries and illnesses.
“Good health is good health. Good safety is good safety. How do you separate where work ends and life starts? The two are very much intertwined,” Thompson said. “The laws around workers’ compensation are certainly siloed and the processes are siloed, but companies, when they step back, have to deal with the administrative arm on a silo basis but more holistically if they are looking to enhance wellness or health.”
One area that deserves a more holistic approach is mental health. Beyond providing care to people who have mental illnesses are issues related to the stigma associated with it. Increased access to mental health care could help improve employees’ overall health and cut costs for payers.
“What’s even more concerning is in many ways it’s getting worse because we are getting used to the idea that if people want [mental health] services they should go out of network … that’s not sustainable or legal,” Thompson said. “If we can create a system with a more holistic view on treating the whole person, everybody wins, including those paying the bills … it’s one of the areas I’d describe as low hanging fruit.”
Advocacy: The Impact of Continuous Triage
In the world of workers’ compensation, timing is everything. Many studies have shown that the earlier a workplace incident or injury is acted upon, the more successful the results*. However, there is further evidence indicating there is even more of an impact seen when a claim is not only filed promptly, but also effective triage is conducted and management of the claim takes place consistently through closure.
Typically, every program incorporates a form of early intervention. But then what? While it is common knowledge that early claims reporting and medical treatment are the most critical parts of a claim, if left alone after management, an injured worker could – and often does – fall through the cracks.
All Claims Paths are Not Created Equal
Even with early intervention and the best intentions of the adjuster, things can still go wrong. What if we could follow one injury down two paths, resulting in two entirely different outcomes? This case study illustrates the difference between two claims management processes – one of proactive, continuous claims triage and one of inactivity after initial intervention – and the impact, or lack thereof, it can have on the outcome of a claim. By addressing all indicators, effective triage can drastically change the trajectory of a claim.
While working at a factory, David, a 40-year-old employee, experienced sudden shoulder pain while lifting a heavy box. He reported the incident to his supervisor, who contacted their 24/7 triage call center to report the incident. After speaking with a triage nurse, the nurse recommended he go to an occupational medicine clinic for further evaluation, based on his self-reported symptoms of significant swelling, a lack of range of motion and a pain level described as greater than “8.”
The physician diagnosed David with a shoulder sprain and prescribed two weeks of rest, ice and prescription strength ibuprofen. He restricted David from any lifting over his head.
By all accounts, early intervention was working. Utilizing 24/7 nurse triage, there was no lag time between the incident and care. David received timely medical attention and had a treatment plan in place within one day.
A critical factor in any program is a return to work date, yet David was not given a return to work date from the physician at the occupational medicine clinic; therefore, no date was entered in the system.
One small, crucial detail needs just as much attention as when an incident is initially reported. What happens the third week of a claim is just as important as what happens on the day the injury occurs. Involvement with a claim must take place through claim closure and not just at initial triage.
The Same Old Story
After three weeks of physical therapy, no further medical interventions and a lack of communication from his adjuster, David returned to his physician complaining of continued pain. The physician encouraged him to continue physical therapy to improve his mobility and added an opioid prescription to help with his pain.
At home, with no return to work in sight, David became depressed and continued to experience pain in his shoulder. He scheduled an appointment with the physician months later, stating physical therapy was not helping. Since David’s pain had not subsided, the physician ordered an MRI, which came back negative, and wrote David a prescription for medication to manage his depression. The physician referred him to an orthopedic specialist and wrote him a new prescription for additional opioids to address his pain…
Costly medical interventions continued to accrue for the employer and the mounting risk of the claim continued to go unmanaged. His claim was much more severe than anyone knew.
What if his injury had been managed?
A Model Example
Using a claims system that incorporated a predictive modeling rules engine, the adjuster was immediately prompted to retrieve a return to work date from the physician. Therefore, David’s file was flagged and submitted for a further level of nurse triage intervention and validation. A nurse contacted the physician and verified that there was no return to work date listed on the medical file because the physician’s initial assessment restricted David to no lifting.
As a result of these triage validations, further interventions were needed and a telephonic case manager was assigned to help coordinate care and pursue a proactive return to work plan. Working with the physical therapist and treating physician resulted in a change in David’s medication and a modified physical therapy regimen.
After a few weeks, David reported an improvement in his mobility and his pain level was a “3,” thus prompting the case manager’s request for a re-evaluation. After his assessment, the physician lifted the restriction, allowing David to lift 10 pounds overhead. With this revision, David was able to return to work at modified duty right away. Within six weeks he returned to full duty.
With access to all of David’s data and a rules engine to keep adjusters on top of the claim, the medical interventions that were needed for his recovery were validated, therefore effectively managing his recovery by continuing to triage his claim. By coordinating care plans with the physician and the physical therapist, and involving a case manager early on, the active management of David’s claim enabled him to remain engaged in his recovery. There was no lapse in communication, treatment or activity.
After 24/7 nurse triage is conducted and an injured worker receives initial care, CorVel’s claims system, CareMC, conducts continuous triage of all data points collected at claim inception and throughout the life of a claim utilizing its integrated rules engine. Predictive indicators send alerts to prompt the adjuster to take action when needed until the claim is closed – not just at the beginning of the claim.
This predictive modeling tool flags potentially complex claims with the risk for high exposure, marking claims that need intervention so that CorVel can assign appropriate resources to mitigate risk.
Claims triage is constant – that is the necessary model. Even on an adjuster’s best day, humans aren’t perfect. A rules engine helps flag things that people can miss. A combination of predictive systems and human intervention ensures claims management is never stagnant – that there is no lapse in communication, activity or treatment. With an advocacy team in the form of an adjuster empowered by a powerful rules engine and a case manager looking out for the best care, injured employees remain engaged in their recovery. By perpetuating patient advocacy, continuous triage reduces claim severity and improves claim outcomes, returning injured workers to the workforce and reducing payors’ risk.