Hacking into cars is not a future concern. It is possible now, and the potential danger will increase as carmakers continue to enhance connectivity features in automobiles.
But even that threat pales against the potential damage cyber attacks could wreak when driverless cars take to the roads for real.
One common perceived threat here and now comes from the ease of access that manufacturers have built in for drivers. If a driver can unlock a car door and start the engine using a cell phone, an unauthorized person can turn off that engine and lock the doors from a cell phone.
Taking a drive into the near future, could someone arrange for all of the cars on a Los Angeles freeway to have their engines turned off at the exact same time?
Even now, the ability to hack into and remotely control a car is a clear and present danger.
Video: Behind the wheel of a car, you may be able to text, watch a movie or even sleep — if it’s a computer-controlled, driverless car. The WSJ’s Michael Kofsky heads to the test track to show how it works and safety questions it raises.
A pair of security engineers — doing their research with an $80,000 grant from the Pentagon — were able to hack into the systems of Toyota and Ford cars, and override a driver’s braking attempts, according to an account of the scenario in Forbes.
The pair was able to “demonstrate a range of nasty surprises: everything from annoyances like uncontrollably blasting the horn to serious hazards like slamming on the Prius’ brakes at high speeds. They sent commands from their laptops that killed power steering, spoofed the GPS and made pathological liars out of speedometers and odometers,” according to Forbes.
Expanding such abilities simultaneously to a fleet of cars is a feat yet to be accomplished.
“It could be possible to hack into one or another vehicle, but there is nothing that can stop the whole fleet at the same time,” said Mark Brooks, senior research engineer at the Southwest Research Institute (SwRI) in San Antonio. “Current levels of connectivity are not seen as major threats because they are not continuous.”
No One at the Wheel
“Even when a driver is using a navigation system, that is just a single download. The industry is much more concerned about continuous streaming back and forth, as with driverless cars,” he said.
Driverless cars rely on a number of sensors to operate, and are definitely vulnerable to attack, according to one of the hackers at the Def Con Hacking Conference in August.
“I’m a huge fan of unmanned vehicles,” said a hacker who goes by the name of Zoz to Venture Beat, a blog that focuses on technology. “I love robots. I think they’re the future. But, like everything else humans ever made, it’s going to get hacked.”
Google’s driverless car’s primary system is a “laser range finder mounted on the roof of the car,” which generates a 3D map of the area, according to IEEE, a technology professional organization.
“The vehicle also carries other sensors, which include: four radars, mounted on the front and rear bumpers, that allow the car to ‘see’ far enough to be able to deal with fast traffic on freeways; a camera, positioned near the rear-view mirror, that detects traffic lights; and a GPS, inertial measurement unit, and wheel encoder, that determine the vehicle’s location and keep track of its movements.”
Zoz told Venture Beat that it would not require sophistication to attack and derail those sensors, and he pointed out that engineers in Iran were able to hack and capture a U.S. drone by “spoofing” the GPS and feeding it incorrect location information.
Death and destruction are always a worry when hackers can subvert an operating system, but apportioning liability is also a major concern, SwRI’s Brooks said.
“If there were any problems, whose fault would it be? The carmaker? The navigation OEM? The software company? The driver? These are the discussions everyone is starting to have.”
Those initial conversations can be difficult, said Dave Wasson, professional and cyber liability practice leader at brokerage Hays Cos. in Chicago.
“The issues are known. People are aware of the risks. But at the moment there is kind of a paralysis because it is unclear how to quantify these risks, and also because even if we could quantify them, there are very limited options yet in how to deal with them.”
A Flawed System
Wasson added that a reordering of the current liability structure is both necessary and inevitable. “Right now, you have a pull market, with small OEMs seeking coverage because the first-tier OEMs and carmakers demand that they be indemnified. But that is not sustainable. A client might demand a $15 million cover from a small supplier, but that cover could cost the supplier $50,000 when he only grosses $100,000 on the contract.”
It is a situation where bigger companies are offloading their risk management onto smaller ones, and that, Wasson said, is flawed.
“Even when the suppliers comply, often the package does not work the way either the supplier or the OEM client thinks it will,” he said.
“Eventually the large firms will realize that they need to take this as primary,” Wasson said. “They have the assets, the skills, the risk managers, and the brokerage relationships to get it done properly.
“Besides, they are the ones who are going to get sued. They can turn to their indemnification contracts, but if the small supplier with few assets goes bankrupt, then what? It’s the company with the badge on the car that people are going to go after.”
As those issues percolate, commercial vehicle operators have other challenges as well.
“One really big cyber issue for a logistics company or express delivery service would be to have the GPS signals for their vehicles scrambled, or the electronic shipment documents tampered with,” said Steve Surber, area vice president for Arthur J. Gallagher in Irvine, Calif.
A cyber attack could be used to divert a shipment, cover theft, tamper with cargo, or even just to delay a shipment that is time sensitive. And the theft could be of the truck or trailer itself, some of which are worth up to $60,000, he said.
On another level, hacking can be used to disrupt the loss control systems of trucking lines, many of which use GPS and electronic reporting to track their fleet performance, Surber said.
Cyber alterations of such reporting could hide potential liability issues such as speeding, sleeping, unauthorized stops, fuel diversion, or many other misdeeds by shippers, loaders, drivers or consignees.
“Companies already rely heavily on computer systems and networks to help with loss control,” he said.
Among insurers, coverage is still evolving, he added. “There is some coverage from cyber policies, but mostly we are still seeing claims handled through general liability.”
Wasson, at Hays Cos., said that while the cyber risk and liability markets are pull markets at present, with owners seeking to transfer risk, the business is not without push.
“We are energetic about working with our carriers,” he said. “There is coverage and there is capacity.”
Cyber Security Efforts
In April, an automotive consortium started revving up its efforts to enhance cyber security.
The Automobile Consortium for Embedded Security — a part of SwRI — includes automakers, original equipment manufacturers, other suppliers, and cyber security experts.
The program aims to provide “pre-competitive and non-competitive research in automotive embedded systems security to protect the safety, reliability, brand image, trade secrets and privacy of client members’ future products,” according to the organization.
“As soon as they start claiming their vehicles are secure, they would paint a target on themselves. It’s not like safety or fuel economy. With security, there are bad guys and you don’t want to attract their attention.”
The consortium, Brooks said, “is looking at emerging research both in new technologies and new protections for embedded security for the automotive world.”
“There are lots of theoretical threats,” he said, “but we want to be sure we are focusing our efforts on the most relevant ones.”
The unique challenge is that automakers want to enhance the protections in their vehicles, but ironically, it is not something they want to advertise.
“As soon as they start claiming their vehicles are secure, they would paint a target on themselves.
“It’s not like safety or fuel economy. With security, there are bad guys and you don’t want to attract their attention.”
He said that automakers also are hesitant to unilaterally invest in cyber security efforts.
“As we started talking to automakers, we found them eager to be part of developing security, but it’s tough for them to take the lead or commit a lot of money to something that will not help them sell cars,” Brooks said.
“They also don’t want to reinvent the wheel,” he said. “They are very interested in solving common problems with peer-reviewed research and applications.”
Complete coverage on the inevitable cyber threat:
Risk managers are waking up to the reality that the cyber risk landscape has changed.
Cyber: The New CAT. It’s not a matter of if, but when. Cyber risk is a foundation-level exposure that must be viewed with the same gravity as a company’s property, liability or workers’ comp risks.
Critical Condition. The proliferation of medical devices creates a host of scary risks for the beleaguered health care industry.
Unmanned Risk. The dark side of remote-controlled drones, which have already been hacked — by students.
An Electrifying Threat. There is a very real possibility hackers could devastate the nation’s power grids — for a potentially extended period of time.
Risk Technology: Risk Managers Lead from Within
This year marks my twentieth in the risk management field. Now I would never call myself a risk manager. Far from it: I’m a computer geek, and proud of it. Today we refer to the Internet, Cloud, Mobile and Big Data, but I’ve been working with technology my entire life. So much has changed in those twenty years. Networking computers together was rudimentary and extremely limited when I started. Now everything, and everyone, is interconnected, and that has changed everything.
That interconnectivity has allowed organizations to move away from the isolated, siloed processes of the past, and produced dramatic changes in the way we conduct our business and our lives. I’ve watched risk management evolve from a department called upon primarily when things go wrong, to a pervasive philosophy for running a successful business. Fewer and fewer risk managers I speak to work in isolation, reacting to claims as they come in. Rather they are a collaborative lynchpin to manage risk. They don’t wait for bad things to happen. They proactively put safety programs in place, analyze loss data and make their organizations more risk-aware. They know an enormous amount about the inner workings of their organization, its suppliers, distributors, vendors and team members. This is a fundamental transition from a middle management, administrative function, to an executive level function that is key to the organization’s success.
But risk managers are increasingly finding that email and spreadsheets are clumsy, inefficient, and ultimately create obstacles to managing risk throughout their company. With the speed and global reach of business, when even ‘local’ businesses rely on a far-flung supply chain, yesterday’s technology introduces risk, inefficiencies and increased levels of error. Today’s business demands technology that facilitates decisions for tomorrow’s business challenges. Organizations need a platform – a platform that provides secure, efficient and consistent methods of communicating risk-related events and data. Fortunately this need comes at a time when we have a convergence of technologies that can make this vision a reality.
This is a fundamental transition from a middle management, administrative function, to an executive level function that is key to the organization’s success.
Just imagine running your business on technology of twenty years ago. Sending paper memos (when CC referred to a literal ‘carbon copy’), using a phone tethered to your desk, taking delivery of policy documents in hard copy – oh wait, they still do that. Would that put your business at a competitive disadvantage? Of course it would – and risk management would suffer too.
Risk management no longer has to take a back seat to other parts of the organization. Quite the opposite. By leveraging commercial cloud platforms, the pervasiveness of the Internet and the interconnectivity of everyone and everything, the risk management team can be the most modern, forward-looking part of the company. Risk management has become the bellwether of change – actually bearing the standard for technology-enabled collaboration and productivity across the organization. Imagine that.
Changing the WC Medical Care Mindset
Controlling overall workers’ compensation medical costs has been an elusive target.
Yet, according to medical experts from Healthesystems, the Tampa, Fla.-based specialty provider of innovative medical cost management solutions for the workers’ compensation industry, payers today have more powerful options for both offering the highest quality medical care and controlling costs, but they must be more thoroughly and strategically executed.
Specifically as it relates to optimizing patient outcomes and controlling pharmacy costs, the key, say those experts, is to look beyond the typical clinical pharmacy history review and to incorporate a more holistic picture of the entire medical treatment plan. This means when performing clinical reviews, taking into account more comprehensive information such as lab results, physician notes and other critical medical history data which often identifies significant treatment plan concerns but frequently aren’t effectively monitored in total.
Healthesystems’ Dr. Robert Goldberg, chief medical officer, and Dr. Silvia Sacalis, vice president of clinical services, recently weighed in on how using a more holistic, comprehensive strategy can make the critical difference in the ongoing medical care cost control battle.
Fragmentation, Complexity Obscure the Patient Picture
According to Dr. Goldberg, fragmentation remains one of the biggest obstacles to controlling overall healthcare costs and ensuring the most successful treatment in workers’ compensation.
Robert Goldberg, MD, discusses obstacles to controlling overall medical costs and ensuring the best treatment in workers’ compensation.
“There are several hurdles, but they all relate to the fact that healthcare in workers’ comp is just not very well coordinated,” he said. “For the most part, there is poor communication between all parties involved, but especially between the payer and the provider. Unfortunately, it’s rare that all the stakeholders have a clear, complete picture of what’s happening with the patient.”
Dr. Goldberg explains that health care generally has become a more complex landscape, and workers’ comp adds another level of complexity. Physicians have less time to spend with patients due to work loads and other economic factors, and frequently there isn’t adequate time to develop a patient specific treatment strategy.
“Often we don’t have physicians properly incentivized to do a complete job with patients” he said, adding that extra paperwork and similar hurdles limit communication among payers, nurse case managers and other players.
In fact, Dr. Sacalis emphasized that it’s not only the payer, but often the healthcare provider who is not getting a complete picture. For example, a treating doctor may not be the primary care physician and therefore they may not have access to the total healthcare picture for the injured worker.
“Most of all, payers need to adopt a more collaborative approach in their relationships with physicians, employers and patients, as well as networks involved. It will result in getting people back to work through appropriate medical care and moving the case along to a prompt closure.”
– Robert Goldberg, MD, FACOEM, Chief Medical Officer, Healthesystems
“It’s often difficult for multiple physicians to communicate and collaborate about what’s happening because they may not be aware of each-others involvement in that patient’s care,” she said. “Data sharing is lacking, even in integrated healthcare systems where doctors are in the same group.”
Done Right, Technology Can Bridge the Treatment Strategy Gap
Dr. Sacalis explained the role technology advancements can play in creating a more holistic picture of not only an injured workers’ post-accident state or pace of recovery, but also their overall health history. However, the workers’ comp industry by and large is not there yet.
“Today’s technology can be very useful in providing transparency, but to date the data is still very fragmented,” she said. “With technology advancements, we can get a more holistic patient view. However, it is important that the data is both meaningful and actionable to promote effective clinical decision support.”
Silvia Sacalis, PharmD, explains the role that technology advancements can play in creating a more holistic picture of an injured worker’s overall health.
Healthesystems, for example, offers an advanced clinical solution that incorporates a comprehensive analysis of all relevant data sources including pharmacy, medical and lab data as part of a drug therapy analysis. So, for example, the process could uncover co-morbidities – such as diabetes – that may be unrelated to a workplace injury but should be considered in the overall treatment strategy.
“Healthcare professionals must ensure there are no interactions with any
co-morbidities that may limit or affect the treatment plan,” Dr. Sacalis said.
In the majority of cases where Healthesystems has performed advanced clinical analysis, information gathered from the various sources has uncovered critical information that significantly impacted the overall treatment recommendations. Technology and analytics enable the implementation of best practices.
She cites another example of how a physician may order a urine drug screen (UDS), yet the results indicating the presence of a non prescribed drug were not reflected in the treatment regimen as evidenced by the lack of modification in therapy.
“Visibility and transparency will help with facilitating a truly effective treatment plan,” she said, “Predictive analytics are necessary tools for proactive monitoring and detection of trends as well as early identification of cases for intervention.”
Speaking of Best Practices …
Dr. Goldberg highlighted that the most important overall best practice needed to secure the optimal outcome is centered around getting the right care to the right patient at the right time. To him, that means identifying patients who need adjustments in care and then determining medical necessity during the entire case trajectory.
“It means using evidence-based medical treatment guidelines that are coordinated,” he said.
“You must look at the whole patient, which means avoiding the typical barriers in the workers’ comp treatment system, issues such as delays in authorizations, lengthy UR processes or similar scenarios that are well intentioned but if not performed effectively they can get in the way of expedited care.”
Dr. Goldberg and Silvia Sacalis provide recommendations for critical steps payers should take to achieve the best outcomes for everyone.
Dr. Goldberg noted that seeking out the most effective doctors available in geographic locations is another critical best practice. That requires collecting data on physician performance, patient satisfaction and medical outcomes, so payers and networks can identify and incentivize them accordingly.
“This way, you are getting an alignment of incentives with all parties,” Dr. Goldberg said, adding that it also means removing outlier physicians, those whose tendencies are to over-treat, dispense drugs from their office or order unnecessary durable medical equipment, for example.
“Visibility and transparency will help with facilitating a truly effective treatment plan. Predictive analytics are necessary tools for proactive monitoring and detection of trends as well as early identification of cases for intervention.”
– Silvia Sacalis, PharmD, Vice President of Clinical Services, Healthesystems
“Most of all, payers need to adopt a more collaborative approach in their relationships with physicians, employers and patients, as well as networks involved,” he said. “It will result in getting people back to work through appropriate medical care and moving the case along to a prompt closure.”
Dr. Sacalis added that from a pharmacy perspective, another best practice is becoming more patient-centric, using a customized and flexible approach to help payers optimize outcomes for each patient.
“Focus on patient safety first, and that will naturally drive cost containment,” she said. “Focusing on cost alone can actually drive results in the wrong direction.”
Dr. Goldberg explains how consolidation in the health care and WC markets can impact the landscape and quality of care.
Dr. Goldberg and Silvia Sacalis discuss if injured workers today are getting better treatment than they were twenty years ago.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Healthesystems. The editorial staff of Risk & Insurance had no role in its preparation.