An Electrifying Threat
Energy and the natural resources industry face especially grim cyber threats.
“If there is a cyber attack, you can’t see or touch that attacker so your ability to quickly respond may or may not be successful,” said Norma Krayem, a senior policy adviser at the Patton Boggs law firm and co-chair of the firm’s homeland security, defense and technology transfer practice group.
“I think the likelihood of such an attack absolutely exists,” she said. “I think the question becomes more about who, when and why.”
According to Symantec, a data security company, the energy sector “has become a major focus for targeted attacks and is now among the top five most targeted sectors worldwide.”
The threats may come from competitive spying, corporate espionage, cyber criminals, hacktivism, disgruntled employees and state-sponsored disruptions, it said.
A bad result doesn’t even necessarily have to begin with bad intent, said Cliff Lancaster, senior risk analyst at Hartford Steam Boiler Inspection and Insurance Co. (HSB).
At the Davis–Besse Nuclear Power Station in Ohio, for example, the network became infected with a worm that shut it down for five hours in 2003 because a software consultant had created a shortcut for his own convenience that bypassed the firewall, he said.
Possible Widespread Devastation
As security measures increase, employees and vendors may be ever more tempted to bypass procedures, just to more easily get their work done.
Between July 2012 and June 2013, 16 percent of all cyber attacks each day targeted companies in the energy sector, according to Symantec. Only the government or public sector had more targeted attacks.
And should the energy delivery system be disrupted, that threatens the country’s finance, transportation, health care, water supply and emergency services systems — all of which depend on reliable energy.
– Norma Krayem, senior policy adviser, Patton Boggs
Electric grid vulnerabilities that lead to power disruptions are estimated to cost the U.S. economy between $119 billion to $188 billion each year, according to a 2013 report on grid vulnerability by Rep. Edward J. Markey, D-Mass., and Rep. Henry A. Waxman, D-Calif.
“Power disruptions today generally do not lead to insured losses,” said Robert Hartwig, president of the Insurance Information Institute.
“However, it seems only a matter of time before a major cyber attack leads to the type of damage covered by standard property and liability policies,” he said.
“As we look at what hackers have been able to do in terms of infiltrating presumed secure systems — even entities like the Department of Defense — it seems there must be vulnerabilities in the systems associated with major infrastructure in this country, whether it’s electric, water, transportation or communications.”
Complex Risk Management
The degree to which computer technology and networking are integral to the energy sector in an operational sense makes it a particularly complex risk-management challenge, said John Kerns, executive managing director of Beecher Carlson Financial Services.
“There was a question posed to us by a client earlier this year: What if there were a denial-of-service attack or virus that shut down the gas pipelines coming into Chicago in the middle of winter. Homes went cold and people went to the hospital or even died. There was no physical damage, but clearly there was a serious impact, and loss,” he said.
The challenges are not confined to traditional energy markets either, said Charles Long, vice president of renewable energy and green technology at William Gallagher Associates. “Many computers are covered under a basic commercial package, and wind farms have separate coverage. If there is a lightning strike, that is surely covered. If data just failed, that can be covered by E&O, but data corruption or a virus, that kind of thing is very much still under consideration.”
Fred Podolsky, executive vice president, executive risk, Alliant Insurance Services, said that “only a small fraction,” maybe 10 percent of U.S. based utility companies have bought cover, and most of the policies that have been purchased relate to data breach exposures.
Some companies, however, have “woken up and are looking for cover” to help them repair their power-generation network and computer systems should they be damaged, or to protect them from other service interruption or customer liability issues, he said.
But many utilities refuse to provide underwriters with sufficient information to get the coverage they need, he said.
The main reason? “It’s just a pure confidentiality concern. IT folks are just so fearful to release any information to anyone having to do with their security procedures, though pressure is building from risk management and others in the C-suite to address these exposures,” Podolsky said.
While protecting the actual control systems of energy companies is a high priority that is audited by the federal government, the smart grid — that measures and creates a more efficient distribution of electricity based on use — is vulnerable, said HSB’s Lancaster.
If false data were injected into that system, it could potentially cause turbine generators to speed up when they shouldn’t. “If you can get it spinning at the wrong speed,” he said, “it can just shake itself to death.”
Once a turbine or transformer is damaged, there is a limited amount of replacement equipment.
And once a turbine or transformer is damaged, there is a limited amount of replacement equipment, he said. “If you are able to damage many pieces of equipment at once, it would take a lot of time to fix it because you have to build and rebuild lots of equipment,” Lancaster said.
Krayem said the connectivity of entities that distribute electric power, for example, means there could be “cascading failures” throughout the country.
“You have this patchwork of systems that are being cobbled together, a lot of them are legacy systems, and they are not necessarily all at the same level of security,” she said.
According to KPMG, which cited data from the U.S. Department of Homeland Security, the “constant barrage of cyber attacks” on water and energy companies “usually take the form of cyber espionage or denial-of-service attacks against industrial-control systems.”
Inadequate Security Controls
The consultancy also noted that a survey by The Centre for Strategic and International Studies in 2010, found that critical infrastructure, including power grids, industrial control networks and oil refineries “are not adequately prepared to defend themselves.”
Video: Dissecting Stuxnet
The most famous of all attacks on an energy system occurred in Iran when unknown forces — believed to be the United States and Israel — created the Stuxnet worm, specially designed to target Iran’s specific industrial control system and reprogram it so that the nuclear centrifuges spun out of control and damaged themselves while the displays indicated normal functioning.
Most notably, Stuxnet spread using a USB drive, infecting networks that were unreachable by the Internet.
Another disturbing attack occurred in 2012, when a cyber attack hit Saudi Aramco, one of the largest oil producers in the world. The disruption, which continued for two weeks, disabled more than 30,000 of the company’s workstations.
The virus, later named “Shamoon,” was the first significant cyber attack on a commercial target to cause real damage. It is also the most destructive attack the private sector has experienced to date, said Malcolm Marshall, global leader for information protection at KPMG, based in London.
Marshall said that “one senior oil-industry executive to whom I spoke shortly after the Shamoon incident told me, ‘Well, there goes our worst-case scenario.’ ”
That same month, Rasgas, in Qatar, was hit by the same virus and forced to bring its entire network off line.
In 2011, hackers were able to install malware and “evidence of a sophisticated threat actor” was found in the U.S. energy sector, according to the U.S. Government Accountability Office.
An Active Market
Marshall noted that, in the aggregate, the global oil and gas industry “is effectively self-insured, but cyber security is an active and growing commercial market, especially in the U.S. It seems likely that will become an economic necessity.”
Kerns at Beecher Carlson said, “We are seeing multiple policies responding to these threats. Those include dedicated cyber policies, D&O coverage, and in the energy sector, even general liability policies are responding.”
That said, he added that “the insurance market is looking aggressively at cyber risk, and is putting on new exemptions, restrictions, and limits. The gray areas are still some GL, bodily injury, and third-party injury. Mostly, we are seeing GL carriers not willing to pick up many risks. That leaves owners and brokers to see what the cyber market is willing to do.
“There is capacity to address business interruption, but we are having to press on bodily injury and property damage as they relate to cyber,” he said.
Complete coverage on the inevitable cyber threat:
Risk managers are waking up to the reality that the cyber risk landscape has changed.
Cyber: The New CAT. It’s not a matter of if, but when. Cyber risk is a foundation-level exposure that must be viewed with the same gravity as a company’s property, liability or workers’ comp risks.
Critical Condition. The proliferation of medical devices creates a host of scary risks for the beleaguered health care industry.
Disabled Autos. It’s alarmingly easy for a hacker to take control of a driverless vehicle, tampering with braking systems or scrambling the GPS.
Unmanned Risk. The dark side of remote-controlled drones, which have already been hacked — by students.
Risk Technology: Risk Managers Lead from Within
This year marks my twentieth in the risk management field. Now I would never call myself a risk manager. Far from it: I’m a computer geek, and proud of it. Today we refer to the Internet, Cloud, Mobile and Big Data, but I’ve been working with technology my entire life. So much has changed in those twenty years. Networking computers together was rudimentary and extremely limited when I started. Now everything, and everyone, is interconnected, and that has changed everything.
That interconnectivity has allowed organizations to move away from the isolated, siloed processes of the past, and produced dramatic changes in the way we conduct our business and our lives. I’ve watched risk management evolve from a department called upon primarily when things go wrong, to a pervasive philosophy for running a successful business. Fewer and fewer risk managers I speak to work in isolation, reacting to claims as they come in. Rather they are a collaborative lynchpin to manage risk. They don’t wait for bad things to happen. They proactively put safety programs in place, analyze loss data and make their organizations more risk-aware. They know an enormous amount about the inner workings of their organization, its suppliers, distributors, vendors and team members. This is a fundamental transition from a middle management, administrative function, to an executive level function that is key to the organization’s success.
But risk managers are increasingly finding that email and spreadsheets are clumsy, inefficient, and ultimately create obstacles to managing risk throughout their company. With the speed and global reach of business, when even ‘local’ businesses rely on a far-flung supply chain, yesterday’s technology introduces risk, inefficiencies and increased levels of error. Today’s business demands technology that facilitates decisions for tomorrow’s business challenges. Organizations need a platform – a platform that provides secure, efficient and consistent methods of communicating risk-related events and data. Fortunately this need comes at a time when we have a convergence of technologies that can make this vision a reality.
This is a fundamental transition from a middle management, administrative function, to an executive level function that is key to the organization’s success.
Just imagine running your business on technology of twenty years ago. Sending paper memos (when CC referred to a literal ‘carbon copy’), using a phone tethered to your desk, taking delivery of policy documents in hard copy – oh wait, they still do that. Would that put your business at a competitive disadvantage? Of course it would – and risk management would suffer too.
Risk management no longer has to take a back seat to other parts of the organization. Quite the opposite. By leveraging commercial cloud platforms, the pervasiveness of the Internet and the interconnectivity of everyone and everything, the risk management team can be the most modern, forward-looking part of the company. Risk management has become the bellwether of change – actually bearing the standard for technology-enabled collaboration and productivity across the organization. Imagine that.
The Next Wave of Workers’ Comp Medical Cost Savings
Managing medical costs for workers’ compensation claims is like pushing on a balloon. As you effectively manage expenses in one area, there are bound to be bulges in another.
Over the last decade, great strides have been made in managing many aspects of workers’ compensation medical costs. Case management, bill review and pharmacy benefits management are just a few categories that produce significant returns.
And yet, according to the National Council on Compensation Insurance (NCCI), medical costs remain the largest percentage of workers’ comp expenses. Worse still, medical costs continue to be the fastest growing expense category.
Many medical services are closely managed through provider negotiations, bill review, utilization review, pharmacy benefits management, to name a few. But a large opportunity for medical cost containment remains largely untouched and therefore represents a significant opportunity for cost savings.
Ancillary medical services is a term used to describe specialty or supplemental health care services such as medical supplies, home health care, durable medical equipment, transportation and physical therapy, etc.
According to Clifford James, Vice President of Strategic Development at Healthesystems in Tampa, Fla., modernizing the process for managing ancillary medical services presents compelling opportunities for cost savings and improved patient care.
Source: 2014 Healthesystems Ancillary Medical Services Survey
“The challenge of managing these types of medical products and services is a cumbersome and extremely disconnected process,” James said. “As a result, it represents a missing link in an overall medical cost management strategy, which means it is costing payers money and patients the most optimal care.”
James singled out three key hurdles:
Lack of transparency
As the adage goes, you can only manage what you can measure.
Yet when it comes to the broad range of products and services that comprise ancillary benefits, comprehensive data and benchmarking metrics by which to gauge success are hard to come by.
The problem begins with an antiquated approach to coding medical services that was developed in the 1970s. The coding system falls short in today’s modern health care environment due to its lack of product and service level detail such as consistent units of measure, quantity and descriptors.
As a result, a meaningful percentage of ancillary benefits spending is coded as “miscellaneous,” which means a payer has little to no visibility into what product or service is being delivered — and no way to determine if the correct price is being applied or if the item is even necessary or appropriate.
Source: 2014 Healthesystems Ancillary Medical Services Survey
“It’s a big challenge. Especially when you consider that for many payers, it’s difficult to determine exactly what they are spending, or identify what the major cost drivers are when it comes to ancillary services,” James said. And when frequently over 20 percent of these types of services are billed as miscellaneous, payers have zero visibility to effectively manage these costs.
Measurement and monitoring
Often, performance that is monitored is given the most attention. Therefore, ancillary programs that are closely monitored and measured against objective benchmarks should be the most successful.
However, benchmarks are hard to determine because multiple vendors are frequently involved using disparate data and processes. There isn’t a consistent focus on continuous quality improvement, because each vendor operates off of their own success criteria.
“Leveraging objective competitive comparisons breeds success in any industry. Yet for ancillary services there is very limited data to clearly measure performance across all vendors,” James said. “And for payers, this is a major area of opportunity to promote service and cost containment excellence.”
Source: 2014 Healthesystems Ancillary Medical Services Survey
If you ask claims executives about their strategies for improving the claims management process, a likely response may be “workload optimization.” The goal for some is to enable claims professionals to handle a maximum case load by minimizing administrative duties so they can leverage their expertise to better manage the outcome of each case.
But the path towards “workload optimization” has many hurdles, especially when you consider what needs to be coordinated and the manual way it frequently is done.
Ancillary benefits are a prime example. For a single case, a claims professional might need to coordinate durable medical equipment, secure translation services, arrange for transportation and confirm the best physical therapy plan. Unfortunately they often don’t have the needed time, or the pertinent information, in order to make quick, yet informed, decisions about the ancillary needs of their claimants.
In addition there is the complexity of managing multiple vendor relationships, juggling various contacts, and accessing multiple platforms and/or making endless phone calls.
“We’ve been called the ‘industry integrator’ by some people, and that’s accurate. We are delivering a proven platform connecting payers with providers and vendors on the ancillary medical benefit front. It’s never been done before.”
– Clifford James, Vice President of Strategic Development, Healthesystems
Modernizing the process
To the benefit of both payers and vendors, Healthesystems offers Ancillary Benefits Management (ABM).
The breakthrough ABM solution consists of three foundational components — a technological platform, proprietary medical coding system and a comprehensive benefits management methodology.
The technological platform integrates payers and vendors with a standardized architecture and processes. Business rules and edits can be easily managed and applied across all contracted vendors. All processes – from referral to billing and payment – are managed on a single platform, empowering the payer with a centralized tool for managing the quality of all ancillary providers.
But when it comes to ancillary products, the critical and unique challenge Healthesystems had to solve is the antiquated coding system. This was completed by developing a highly granular, product-specific coding system including detailed descriptions and units of measure for all products and services. This coding provides payers with the clearest understanding of all products and services delivered including pricing and all the necessary utilization metrics.
“We bring the highest level of transparency and visibility into all ancillary products and services,” James said, adding that the ABM platform uses an extensive preferred product coding system 15 times more detailed than any other existing system or program.
This combination of sophisticated technology, proprietary coding system and benefit management methodology revolutionizes the ancillary category. Some of the benefits include:
- Crystal-clear transparency
- A more detailed and comprehensive view into ancillary products and services
- An automated process that eliminates billing discrepancies or resubmittals
- Integrated and consistent processes
- Strategic program management
Taken together, the system leapfrogs over the existing hurdles while creating entirely new opportunities. It’s a win for vendors and payers, and ultimately for patients, who receive the optimal product or service.
“We’ve been called the ‘industry integrator’ by some people, and that’s accurate,” James said. “We are delivering a proven platform connecting payers with providers and vendors on the ancillary medical benefit front. It’s never been done before.”
To learn more about the Healthesystems Ancillary Benefits Management solution visit: http://www.healthesystems.com/solutions-services/ancillary-benefits