Cyber Vulnerabilities ‘Easy to Find’
Verizon’s “2015 Data Breach Investigations Report” (DBIR), published earlier this month, paints a disturbing picture for organizations and their customers.
The 2015 report analyzed more than 2,100 confirmed data breaches and approximately 80,000 reported security incidents in 2014. The previous year’s report, which covered 2013, looked at 1,367 data breaches and analyzed more than 63,000 security incidents.
In about 70 percent of the new cases, decades-old ploys such as phishing and hacking are still successful because companies haven’t kept up with patching.
The question is, why are so many companies still not ahead of the curve when these cyber attacks can have such a devastating impact? The reasons boil down to priorities, process, and people.
“The bad guys don’t really have to work too hard to do this,” said Mark Weatherford, principal at The Chertoff Group and former deputy undersecretary for cybersecurity at the U.S. Department of Homeland Security.
“They are looking for vulnerable people all the time, and unfortunately it’s far too easy to find them.”
To help organizations assess these threats more effectively, Verizon Managing Principal and report author Bob Rudis said the report — for the first time — includes an impact section that ties dollars and cents to each data record compromised.
“We now have impact information that folks can use for risk management purposes, including enterprise risk management and financial risk management,” said Rudis.
“It’s a model for looking at breaches at a whole new way that we couldn’t talk about before.”
The model shows different loss forecasts for different volumes: the average loss for a breach of 1,000 records is between $52,000 and $87,000; for 10 million record losses, it’s $2.1 million to $5.2 million.
As for the types of cyber attacks plaguing organizations, about 83 percent of security incidents involve compromising websites and servers to go after a secondary victim: launching denial-of-service attacks, hosting malware, or repurposing the site for phishing. This is up from 76 percent in the 2014 report.
Additional top threat patterns include: miscellaneous errors, such as sending an email to the wrong person; crimeware (malware aimed at gaining control of systems); insider/privilege misuse; physical theft/loss; web app attacks; cyber espionage; point-of-sale intrusions; and payment card skimmers.
The industries most affected by cyber attacks are the same as in recent years: public, information, and financial services.
How to respond? First, look at different industries that are experiencing the same kind of attacks as you are — no matter how different they seem, advised Verizon Senior Analyst Suzanne Widup: “See if you can make contact with them and not stay within your same silo.”
To start closing the high volume of vulnerabilities organizations often have, Weatherford advised developing better patch management programs that include testing and a timeframe for implementation.
“I hate to sound that simplistic but really that’s why [threats from] 2007 pop up in companies – because companies haven’t done their due diligence to do the [security] hygiene that they need to do,” he said.
Marc Spitler, Verizon senior analyst, puts it more colorfully: “Instead of just playing Whack-A-Mole with the particular vulnerabilities, [companies] need to understand why they were actually visible to begin with.”
Finding qualified IT people to tackle the security problems is another reason companies aren’t keeping up with patches and other protections, said Mike VanDenBerg, a managing director in KPMG’s cyber services and information protection practice based in Dallas.
“There’s an undercurrent not mentioned in the report: that the supply and demand of labor in this industry is very unbalanced,” he said.
“Every single client that I have in the Fortune 50 cannot find enough qualified people to do what needs to be done in this space. If I were to invest the next million dollars in my security problem … it would be [in] trying to solve the problem that I’ve had for several years, which is people. It’s just a matter of priorities.”
For VanDenBerg, consistently covering the entire data environment will make the biggest difference to companies.
“Some of the constraints are: legacy systems that can’t be patched, are out of support, [or] are off the books from an accounting perspective but are still functional from a technology and business perspective. [These are] great from a financial standpoint but it’s bad from a security standpoint,” he said.
“Shutting down those assets and moving to new and different technology ultimately will increase your security. Yes, it will open up to holes in the future but I’d rather have something that I can do something about than have old technology that I can’t.”
Looking to trends in 2015, Verizon’s Rudis had this to say: “My prediction is a non-prediction; if the status quo [within organizations] stays, we are pretty much going to see almost a mirror image of the report next year.”
CROs Gaining Authority, Survey Finds
The forces of change are continuing to reshape the insurance industry and its chief risk officers (CROs) are at the forefront of that change, reports Ernst & Young Global, aka EY.
The professional services multinational just published its fifth annual survey of CROs in the insurance sector. Conducted between December 2014 and February 2015, the survey canvasses views from various senior risk executives at 20 North American insurance companies, with life, P&C and multi-line insurers all represented.
The findings show that “the most profound forces of change” are reflected in an evolution of the CRO role. They have greater authority, are assuming greater responsibilities and gaining an enhanced profile across the organization, with effective risk management increasingly regarded as contributing to market success.
Ways in which this enhanced profile is evidenced include direct participation on key strategic business matters, larger staffs than before and a wider use of stress testing. Nearly three in four CROs told EY that their department had expanded in the past year.
Along with more stress tests, additional staff are needed for operational risk, the own risk and solvency assessment (ORSA) and model risk management. Risk management today is closely “integrated with the business, rather than being an afterthought,” according to one survey respondent.
The report identifies three current key themes cited by CROs:
Capital Standards Still Confuse
The lack of common accounting standards and capital measures makes it difficult to compare performance and solvency across companies. Insurers employ various capital measures, many specific to the company, to analyze their risk exposures over a range of time periods and under different normal and adverse scenarios. The quantitative impact survey (QIS) launched last September by the Federal Reserve Board and field testing by the International Association of Insurance Supervisors (IAIS) persuaded several companies to consider new approaches to regulatory capital treatment.
More Regulations and Intrusive Regulatory Oversight
CROs from insurers not already regulated by the Federal Reserve Board accept, grudgingly, that they will also come under its spotlight. Until recently these CROs were confident that current state-based requirements would remain unchanged, but now accept that the two regulatory regimes, with different risk management standards, will probably converge around more stringent guidelines.
Risk Management Is a Team Sport
The 2015 survey shows CROs spending more time and effort on integrating risk management practices into the business. For some, the risk management function’s value is chiefly measured through its integration with the business. Expanding risk management capabilities and the hiring of more risk staff confirms that it has become a team activity, played across and at every level of the enterprise.
Past and Future Challenges
Asked to identify the main risk challenges currently occupying the insurance industry, 40 percent of CROs surveyed cite the slew of regulation and pending common capital standards. Although a distant second, 14 percent picked cyber risk, showing the CRO’s agenda now extends beyond financial risk. Concerns over interest rates and the economy, and over renewal of the Terrorism Risk Insurance Act (TRIA), both eased, dipping from a year ago to 13 percent and 10 percent respectively. Lingering worries that TRIA might not be extended were subsequently resolved at the end of January. Competition and pricing levels also scored 10 percent.
Looking ahead to the main risk challenges of the next 12 months, 28 percent of CROs surveyed cited capital modeling and stress testing. Three tasks (establishing an enterprise risk management (ERM) framework and governance; integration and transparency; and assessing risk appetite) each attracted 15 percent, while emerging risks and operational risks were each cited by 9 percent. Still a high priority a year ago, ORSA has since fallen off the list, as many institutions have participated in one of the three pilots or produced an ORSA draft.
Longer-term, insurance industry CROs expect greater authority and accountability, increased influence and broader interaction over the next few years, with their role becoming more visible and more accountable as it becomes better defined. In the meantime, they are focused on performance and creating value for the business. As one respondent commented, “we are spending less time on defining and debating the role and approach and more time on executing our risk plan.”
Mitigating Fraud, Waste, and Abuse of Opioid Medications
There’s a fine line between instances of fraud, waste, and abuse. One of the key differences is intent and knowledge. Fraud is knowingly and willfully defrauding a health care benefit program for personal gain or profit. Each of the parties to a claim has the opportunity and motive to commit fraud. For example, an injured worker might fill a prescription for pain medication only to sell it to a third party for profit. A prescriber might knowingly write prescriptions for certain pain medications in order to receive a “kickback” from the manufacturer.
Waste is the overuse of services and misuse of resources resulting in unnecessary costs, whereas abuse is any practice inconsistent with professional standards of care that leads to avoidable costs. In both situations, the wrongdoer may not realize the effects of their actions. Examples of waste include under-utilization of generics, either because an injured worker requests a brand name medication or because the prescriber writes for one. Examples of abusive behavior are an injured worker requesting refills too soon, and a prescriber billing for services that were not medically necessary.
Actions that Interfere with Opioid Management
Early intervention in potential fraud, waste, and abuse situations is the best way to mitigate their effects. By considering the total pharmacotherapy program of an injured worker, the prescribing behaviors of physicians, and pharmacy dispensing patterns, it becomes possible to intervene in, control, and correct behaviors that are counterproductive to treatment and increase costs. In each of these three communities (injured workers, prescribers, and pharmacies), certain behaviors are indicative of potential fraud, waste, and abuse situations. Identifying them is the starting point for early intervention.
- Prescriber/Pharmacy Shopping – By going to different prescribers or pharmacies, an injured worker can acquire multiple prescriptions for opioids. They may be able to obtain “legitimate” prescriptions, as well as find those physicians who aren’t so diligent in their prescribing practices.
- Utilizing Pill Mills – Pain clinics or pill mills are typically cash-only facilities that bypass physical exams, medical records, and x-rays and prescribe pain medications to anyone—no questions asked.
- Beating the Urine Test – Injured workers can beat the urine drug test by using any of the multiple commercial products available in an attempt to mask results, or by refusing the test on religious or moral grounds. They may also take certain products known to produce a false positive in order to show compliance. For example, using the over-the-counter Vicks® inhaler will show positive for amphetamines in an in-office test.
- Renting Pills – When prescribers require an injured worker to submit to pill counts (random or not), he or she must bring in the prescription bottles. Rent-a-pill operations allow an injured worker to pay a fee to rent the pills needed for the upcoming office visit.
- Forging or Altering Prescriptions – Today’s technology makes it easy to create and edit prescription pads. The phone number of the prescriber can easily be replaced with that of a friend for verification purposes. Injured workers can also take sheets from a prescription pad while at the physician’s office.
- Over-Prescribing of Controlled Substances – By prescribing high amounts and dosages of opioids, a physician quickly becomes a go-to physician for injured workers seeking opioids.
- Physician Dispensing and Compounded Medication – By dispensing opioids from their office, a physician may benefit from the revenue generated by these medications, and may be prone to prescribe more of these medications for that reason. Additionally, a physician who prescribes compounded medications before a commercially available product is tried may have a financial relationship with a compounding pharmacy.
- Historical Non-Compliance – Physicians who have exhibited potentially high-risk behavior in the past (e.g., sanctions, outlier prescribing patterns compared to their peers, reluctance or refusal to engage in peer-to-peer outreach) are likely to continue aberrant behavior.
- Unnecessary Brand Utilization – Writing prescriptions for brand medication when a generic is available may be an indicator of potential fraud, waste, or abuse.
- Unnecessary Diagnostic Procedures or Surgeries – A physician may require or recommend tests or procedures that are not typical or necessary for the treatment of the injury, which can be wasteful.
- Billing for Services Not Provided – Since the injured worker is not financially responsible for his or her treatment, a physician may mistakenly, or knowingly, bill a payer for services not provided.
- Compounded Medications – Compounded medications are often very costly, more so than other treatments. A pharmacy that dispenses compounded medications may have a financial arrangement with a prescriber.
- Historical Non-Compliance – Like physicians, pharmacies with a history of non-compliance raise a red flag. In states with Prescription Drug Monitoring Programs (PDMPs), pharmacies who fail to consult this database prior to dispensing may be turning a blind eye to injured workers filling multiple prescriptions from multiple physicians.
- Excessive Dispensing of Controlled Substances – Dispensing of a high number of controlled substances could be a sign of aberrant behavior, either on behalf of the pharmacy itself or that injured workers have found this pharmacy to be lenient in its processes.
Clinical Tools for Opioid Management
Once potential fraud, waste, and abuse situations have been identified, acting on them should involve all key stakeholders. Intervention approaches include notifying claims professionals, sending letters to prescribing physicians, performing urine drug testing, reviewing full medical records with peer-to-peer outreach, and referring cases to the payer’s special investigative unit (SIU). A program that integrates clinical strategies to identify aberrant behavior, alert stakeholders to potential issues, act through intervention, and monitor progress with the injured worker, prescriber, and pharmacy communities can prevent and resolve fraud, waste, and abuse situations.
Proactive Opioid Management Mitigates Fraud, Waste, and Abuse
Opioids can be used safely when properly monitored and controlled. By taking proactive measures to reduce fraud, waste, and abuse of opioids, payers improve injured worker safety and obtain more control over medication expenses. A Pharmacy Benefit Manager (PBM) can offer payers an effective opioid utilization strategy to identify, alert, intervene upon, and monitor potential aberrant behavior, providing a path to brighter outcomes for all.