5 Tools to Help Risk Managers Before a Cyber Loss
Risk management professionals in health care have to be both paranoid and hyper-diligent because organizations in that sector face threats from multiple fronts that can put them out of business.
Every patient is potentially a plaintiff. Regulators are reviewing a lengthy list of concerns, including employee safety, employment practices, patient safety, patient privacy, facility safety, Medicare billing, environmental impact and tax status.
There have been a myriad of articles outlining the benefits of cyber liability Insurance after a data breach. While most people know that cyber liability insurance pays for claims following a loss, many overlook the benefits for risk managers prior to a breach and even in absence of a data breach.
Here are five pre-breach benefits provided by leading insurers and their partner vendors that may reduce the potential for a breach as well as possibly reduce the damages.
1. Compliance training.
Some insurers provide customized web-portal delivered training to employees regarding the handling of personally identifiable information (PII) and personal health information (PHI).
One way risk managers can improve their organization’s cyber liability risk profile is to train their employees how to properly handle private information. Privacy attorneys will tell you that their discussions with regulators are far more pleasant when they can quickly demonstrate that an honest mistake was made by well-trained employees rather than negligence or indifference.
2. Test your network.
Insurers have partnered with well-known security firms to help assess the strength of an organization’s network security. This shouldn’t be viewed as a threat to the competence of an IT department, but rather an additional assessment that doesn’t deplete an IT budget.
3. Manage risk.
Most insurers offer risk management content from highly specialized vendors on a web portal specifically for the use of the insurance buyer. These portals typically contain sample privacy policies for websites and employee handbooks, data breach examples, loss calculation tools, risk management tips, news articles and claim contact information.
4. Call an expert.
Some insurers will provide access to both legal and IT professionals to ask questions about incidents that may or may not constitute a breach. The lawyers help understand the various state and federal regulations and what needs to be reported.
5. Develop a breach response plan.
Included with the cyber liability insurance policy, risk managers will often find a roadmap of what to expect in the event of a breach. On that list they may find a “breach coach” that coordinates forensic security vendors, law firms, public relations professionals, insurance company claims contacts and more.
Sometimes you get what you pay, but in the case of cyber liability insurance policies, risk managers get an insurance product in addition to a host of services that help lower their risk profile.
When you’re ready to purchase cyber liability insurance, make sure you review the additional service offerings to be sure it includes these additional benefits.
Can ‘Ebola-mania’ Give Way to a National Reset?
Ebola is not a new contagion and it is one for which the United States has been preparing for since at least post-9/11 heightened bioterrorism concerns.
While some may be critical of the care provided to the first patient with Ebola in Dallas, as well as resulting communication issues involving hospital and medical officials, clearly all involved intended to do their very best under uniquely stressful conditions that rarely any American hospital had faced before.
In what will surely be a repeating pattern in the near-term, American hospitals, clinics and doctors, as well as employers and other entities will continue to periodically encounter individuals that have acquired the Ebola virus and require treatment. The country will also have periods where there may be no known cases.
As of Nov. 11, and for the first time in 41 days since the initial U.S. patients, there were no known cases of Ebola in the U.S. That was short-lived as within days thereafter a surgeon who had contracted the Ebola virus in West Africa was transferred to the United States for treatment, but unfortunately the patient died.
I believe we should attempt a national “reset” to manage this public health issue in America — based on science and evidence.
In order to do so, it is important to understand the causative factors leading to the arguably explicable initial national panic surrounding Ebola. In the early moments of a risk crisis, leaders get limited chances to establish credibility and trust. The populace and media want to know the risk is understood and under control.
Early slips in Dallas failed this test, as I mention in my first article on this subject.
While some may feel on edge with regard to changing CDC guidance, in fact, the CDC is adjusting to new information and changing their guidelines appropriately; not dissimilar to how managers of risk adjust to any hazard exposure.
As managers of risk, we should be assessing the risks Ebola presents.
Ebola is really no different than other significant risks (e.g., terrorism post-9/11, Y2K, swine flu, grounding of certain airplanes).
There is a common pattern that moves from initial organic obsession to an easing, understanding, and respect of the risk that becomes balanced with other important considerations such as civil liberties, promoting international health, and maintaining world economic balance, for examples in the context of contagion risks.
For the emerging risk of Ebola in America, we are at a pivotal point to learn from the recent past and venture forward with the best of science and evidence-based risk management.
Will America press the reset? As risk managers, we stand in an influential position within our organizations to utilize the proven methods and tools of managing enterprise risks, including contagion risk.
As such, risk managers are in a unique position to lead with others; to reset the response to the Ebola virus in our unique national microcosm and move to a balanced American view appropriately and respectfully managing our interests while simultaneously attending to world health risk issues, especially in West Africa.
Read all of Jeff Driver’s Risk Insider articles.
The Promise of Technology
The field of workers’ compensation claims management seems ideally suited as a proving place for the power of technology.
Predictive analytics in the hands of pharmacy and medical management experts can give claims managers the data they need to intervene in troublesome claims. Wearables and other mobile technologies have the potential to give healthcare providers “real-time” reports on the medical condition of injured workers.
Never before have the goals of quick turnaround and transparency in managing claims appeared so tantalizingly achievable.
In the effort to learn more about technology’s potential, in September, Risk & Insurance® partnered with Duluth, Ga.-based Healthcare Solutions to convene an information technology executive roundtable in Philadelphia.
The goal of the roundtable was to explore technology’s promise and to gauge how advancements are serving the industry’s ultimate purpose, getting injured workers safely back to work.
Big Data, Transparency and the Economies of Scale
Integration is a word often heard in connection with workers’ compensation claims management. On one hand, it refers to industry consolidation, as investors and larger service providers seek to combine a host of services through mergers and acquisitions.
In another way, integration applies to workers’ compensation data management. As companies merge, technology is allowing previously siloed stores of data to be combined. Access to these new supersets of data, which technology professionals like to call “Big Data,” present a host of opportunities for payers and service providers.
Through accessible exchange systems that give both providers and payers better access to the internal processes of vendors, a service provider can show the payer the status of the claim across a much broader spectrum of services.
“One of the things I see with all of this data starting to exchange is the ability to use analytics to predict outcomes, and to implement workflows to intervene.”
–Matthew Landon, Vice President of Analytics, Bunch CareSolutions.
“Any time that we can integrate with a payer across multiple products such as pharmacy, specialty and PPO services, what it does is gives us a better picture of the claim and that helps us to drive better outcomes,” said roundtable participant Chuck Cavaness, chief information officer for Healthcare Solutions.
Integration across multiple product lines also produces economies of scale for the payer, he said.
Big Data, according to the roundtable participants, also provides claims managers an unparalleled perspective on the cases they manage.
“One of the things that excites us as more data is exchanged is the ability to use analytics to predict outcomes, and to implement workflows to intervene,” said roundtable participant Matthew Landon, vice president of analytics with Lakeland, Fla.-based Bunch CareSolutions, A Xerox Company.
Philadelphia roundtable participant Mike Cwynar, vice president of Irvine, Calif.-based Mitchell International, agrees with Landon.
“We are utilizing technology to consolidate all of the data, to automate as many tasks as we can, and to provide exception-based processing to flag unusual activity where claims professionals can add value,” Cwynar said.
Technology is also enabling the claims management industry to have more productive interactions with medical providers, long considered one of the Holy Grails of better case management.
Philadelphia roundtable participant Jerry Poole, president and CEO of Malvern, Pa-based claims management company Acrometis, said more uniform and accessible information exchange systems are giving medical providers access to see how bills are moving through the claims manager’s process.
“The technology is enabling providers to call in or to visit a portal to figure out what’s happening in the process,” Poole said.
Another area where technology is moving the industry forward, according to the Philadelphia technology roundtable participants, is mobile technology, which is being used to support adjustors and case managers and is also contributing to quicker return to work and lower costs for payers.
The ability to take a digital tablet to a meeting with an injured worker or a health care provider is allowing case managers to enter data and give feedback on a patient’s condition in real time.
“Our field-based case managers have mobile connectivity to our claims systems that they use while they’re out of the office attending doctor’s appointments, and can enter the data right there into the system, so they’re not having to wait until they are back at the office to enter critical clinical documentation,” said Landon.
Injured workers that use social media, e-mail and the texting function on their mobile phones are staying in better touch with those that are charged with insuring that they are in compliance with their treatment plans.
Wearable devices that provide in-the-moment information about an injured workers’ condition have the potential to recreate what is known in aviation as the “black box,” a device that will record and store the precise physical state of an employee when they were injured. Such a device could also monitor their recovery process.
But as with many technologies, worker and patient privacy also needs to be observed.
“At the end of the day, we need to make sure that we approach technology enhancement that demonstrates value to the client, while ensuring patient advocacy,” Landon said.
As payers and claims managers set out to harness the power of computing in assessing an injured worker’s condition and response to treatment, the cycle of investment in companies that serve the workers’ compensation space is currently playing a significant role.
The trend of private equity investing in companies that can establish one-stop shopping for such services as medical case management, bill review, pharmacy benefit management and fraud forensics has huge potential.
“Any time that we can integrate with a payer across multiple products such as pharmacy, specialty and PPO services, what it does is gives us a better picture of the claim and that helps us to drive better outcomes.”
— Chuck Cavaness, Chief Information Officer, Healthcare Solutions.
The challenge now facing the industry, one the information technology roundtable participants are confident it can meet, is integrating those systems. But doing so won’t happen overnight.
“There’s a lot of specialization in the industry today,” said Jerry Poole of Acrometis.
Years ago there was a PT network. Now there’s a surgical implant guy, there’s specialized negotiations, there’s special investigations, said Poole.
The various data needs to be integrated into an overall data set to be used by the carriers to help lower the cost of risk.
Securing Sensitive Information
Long before hackers turned the cyber defenses of major national retailers inside out, claims management professionals have focused increased attention on the protection of data shared across multiple partners.
Information security safeguards are changing and apply to what technology pros refer to “data at rest,” data that is stored on a particular company’s servers, and “data in flight,” data that is transferred from one user to another.
Mitchell’s Cwynar said carriers want certification that every company their data is being sent to needs to have that information and that both data at rest and data in flight is encrypted.
The roundtable participants agreed that the industry is in a conundrum. Carriers want more help in predictive analytics but are less willing to share the data needed to make those predictions.
And as crucial as avoiding cyber exposures and the corresponding reputational damage is for large, multinational corporations, it is even more acute for smaller companies in the workers’ compensation industry.
Healthcare Solutions’ Cavaness said the millions in loss notification and credit monitoring costs that impact a Target or a Home Depot in the case of a large data theft would devastate many a workers’ compensation service vendor.
“They’d be done in a minute,” Cavaness said.
The barriers to entry in this space are higher now than ever before, continued Cavaness, and companies wishing to do business with large carriers have the burden of proving that its security standards are uncompromising.
Workers’ compensation risk management in the United States is by its very nature, complex and demanding. But keep in mind that those charged with managing that risk get better results year after year.
Technology has a proven capability to iron out the system’s inherent complications and take its more mundane tasks off of the shoulders of case adjustors.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Healthcare Solutions. The editorial staff of Risk & Insurance had no role in its preparation.