Heading Off ‘Cybergeddon’
In April’s R&I cover story, Cyber: The New CAT, experts called catastrophic cyber attacks “inevitable” and the prevailing attitude in the C-Suite “denial.”
Jason Healey, director, Atlantic Council’s Cyber Statecraft Initiative, says that in order for organizations to weather the inevitable attacks, the key will be resiliency. “The organizations that fare best,” he said, “will be those that have the size, agility and resilience to bounce back as quickly as possible.” Healey is also author of Beyond Data Breaches: Global Interconnections of Cyber Risk, commissioned by Zurich Insurance Company Ltd. and published in April 2014.
Developing resilience would include conducting exercises, developing response playbooks, increasing funding and grants for large-scale crisis management and developing redundant data storage in case one is compromised.
The tangle of Internet information that companies and countries depend on to function is now so complex, Healey said, that companies and governments can’t manage the risk from within their own four walls. Beyond Data Breaches notes that Internet failures could cascade directly to Internet-connected banks, water systems, cars, medical devices, hydroelectric dams, transformers and power stations.
Like superstorms such as Hurricane Sandy, cyber risks are inevitable and unstoppable, and like the financial crisis of 2008, they can’t be contained, because of organizations’ interconnection and interdependency. The worst-case scenario, stemming from the principle that everything is connected to the Internet and everything connected to the Internet can be hacked, is “Cybergeddon,” where attackers have an overwhelming, dominant and lasting advantage over defenders.
Even now, Healey said, attackers have the advantage. The Internet’s original weakness — that it was built for trust, not security — perpetuates defenders’ vulnerability. “Some ‘serious’ thinkers suggest we should start over” rather than try to retrofit an Internet so flawed by weak security as to threaten every user, he said, despite the impracticality of a do-over.
Second, Healey said, defenders have to be right every time, and attackers have to be right only once.
Third, technology evolves very quickly, and most people don’t understand it well enough to lock out intruders. “Every time we figure out what we’re supposed to be doing right, the technology has moved on and once again we don’t know how to properly secure our data,” Healey said.
Software is still poorly written and so insecure that “a couple of kids in a garage” can hack into corporate and government systems just for a naughty thrill. “Bad guys” with theft or sabotage on their minds can work their mischief behind a veil of anonymity. “The Internet almost encourages bad behavior because of the anonymity involved,” Healey said.
Companies, governments and risk managers should shift the drumbeat from resistance to resilience, and expand cyber risk management from individual organizations to a resilient and responsive Internet system, Healey said. For systemic risk management, Beyond Data Breaches recommends:
- Putting the private sector at the center, not the periphery, of cyber risk efforts, since they have the advantage in agility and subject matter expertise.
- Using monetary or in-kind grants to fund effective but underfunded non-government groups already involved in minimizing the frequency and intensity of attacks. Governments and others with system-wide concerns (such as internet service providers and software and hardware vendors) should advocate for this research.
- Borrowing ideas from the finance sector. This could include examination of “too big to fail” issues of governance and recognition of global significantly important internet organizations.
Some of us are old enough to remember when our stand-alone computers first became networked with other computers. Who over 40 years old doesn’t recall sending and receiving that first email?
That profound technological development – networked computing – brought enormous advantages but also set the stage for security concerns, like viruses and malware, which can be an Achilles heel of computer technology.
With the rise of the Internet of Things (IoT), we find that it is more than just our computers that are connected. Our homes, possessions and even our physical bodies are becoming connected.
Arrays of smart, sensor-equipped, connected devices that collect and digitize a wide variety of data are already being used, with exponentially more in development.
Literally tens of billions of “things” containing sensors – cars, homes, medical devices – will be connected in the next several years. Between 20 billion and 50 billion of these “things” are estimated to be installed by 2020, with vastly more to follow.
An example is car manufacturers’ strategies to sell “tires as a service.” The car manufacturers use embedded technology to detect tire wear and under-inflation, which improves service and increases safety.
The IoT phenomenon is unfolding faster than developers can address the accompanying security vulnerabilities and risk management concerns. We are living in a new world in which our “things” can tattle on us, compromise our privacy or even harm us.
While telematics in vehicles or home appliances may seem helpful when we need roadside assistance or to diagnose maintenance issues, they can also report our speed or our diet, which to some may seem invasive.
Drones, hidden cameras and driverless cars once seemed like fantasy objects in a futuristic world, but suddenly that future is here, and it is unclear how liability would be assigned when one of these “things” misbehaves or is used to harm another.
That said, not all IoT innovations are necessarily harmful. Many IoT products can actually reduce exposures. Home automation startups being incubated by Microsoft Ventures carry a number of safety benefits, such as turning off your stove or protecting your home from water damage.
IBM just announced a $3 billion investment in IoT and is launching a multitude of services that will help make us safer, such as alerting car insurance policyholders of storms to help prevent damage. So it’s important to remember that IoT exposures are not necessarily negative, just different.
With the increased use of internet-connected devices, however, new types of exposures have arisen to increase the possibility of certain damages. This creates an enterprise risk management challenge as businesses seek to harness the exciting potential of this evolving technology while managing the related cyber threats.
The data gathered by IoT is often quite vulnerable. A study by HP estimated that 70 percent of the most commonly used devices contain serious vulnerabilities. Potential concerns include a dangerous hacker disabling a life-sustaining medical device, the brakes in an automobile, aviation systems via Wi-Fi, or power grids.
As it has repeatedly done throughout history, our ability to create new technology is opening up worlds of opportunity. It’s also creating new types of risk.
Plaintiffs’ attorneys will look to those involved in the design, production, delivery and servicing of the IoT device that allegedly causes economic loss, bodily injury or tangible property damage.
While it is impossible to predict the exact impact of the IoT on the insurance industry, this much is clear: future IoT evolution will force the insurance industry to better clarify where coverage starts and stops under each type of policy.
Managing Chronic Pain Requires a Holistic Strategy
Chronic, intractable pain within workers’ compensation is a serious problem.
The National Center for Biotechnology Information, part of the National Institutes of Health, reports that when chronic pain occurs in the context of workers’ comp, greater clinical complexity is almost sure to follow.
At the same time, Workers’ Compensation Research Institute (WCRI) studies show that 75 percent of injured workers get opioids, but don’t get opioid management services. The result is an epidemic of debilitating addiction within the workers’ compensation landscape.
As CEO and founder of Integrated Prescription Solutions Inc. (IPS), Greg Todd understands how pain is a serious challenge for workers’ compensation-related medical care. Todd sees a related, and alarming, trend as well – the incidence rate for injured workers seeking permanent or partial disability because of chronic pain continues to rise.
Challenges aside, managing chronic pain so both the payer and the injured worker can get the best possible outcomes is doable, Todd said, but it requires a holistic, start-to-finish process.
Todd explained that there are several critical components to managing chronic pain, involving both prospective and retrospective solutions.
Prospective View: Fast, Early Action
“Having the wrong treatment protocol on day one can contribute significantly to bad outcomes with injured workers,” Todd said. “Referred to as outliers, many of these ‘red flag’ cases never return to work.”
Best practice care begins with the use of evidence-based UR recommendations such as ODG. Using a proven pharmacological safety and monitoring opioid management program is a top priority, but needs to be combined with an evidence-based medical treatment and rehabilitative process-focused plan. That means coordinating every aspect of care, including programs such as quality network diagnostics, in-network physical therapy, appropriate durable medical equipment (DME) and in more severe cases work hardening, which uses work (real or simulated) as a treatment modality.
Todd emphasized working closely with the primary treating physician, getting the doctor on board as soon as possible with plans for proven programs such as opioid Safety and Monitoring, EB PT facilities, patient progress monitoring and return-to-work or modified work duty recommendations.
Alternative Pain Management Strategies
Unfortunately, pain management today is practically an automatic move to a narcotic approach, versus a non-invasive, non-narcotic option. To manage that scenario, IPS’ pain management is in line with ODG as the most effective, polymodal approach to treatment. That includes N-drug formularies, adherence to therapy regimen guidelines and appropriate alternative physical modalities (electrotherapy, hot/cold therapy, massage, exercise and acupuncture) that may help the claimant mitigate the pain while maximizing their ongoing overall recovery plan.
IPS encourages physicians to consider the least narcotic and non-invasive approach to treatment first and then work up the ladder in strength – versus the other way around.
“You can’t expect that you can give someone Percocet or Oxycontin for two months and then tell them to try Tramadol with NSAIDS or a TENS unit to see which one worked better; it makes no sense,” Todd explained.
He added that in many cases, using a “bottom up” treatment strategy alone can help injured workers return to work in accordance with best practice guidelines. They won’t need to be weaned off a long-acting opioid, which many times they’re prohibited to use while on the job anyway.
Chronic Pain: An Elusive Condition
Soft tissue injuries – whether a tear, sprain or strain – end up with some level of chronic pain. Often, it turns out that it’s due to a vascular component to the pain – not the original cause of the pain resulting from the injury. For example, it can be due to collagen (scar tissue) build up and improper blood flow in the area, particularly in post-surgical cases.
“Pain exists even though the surgery was successful,” Todd said.
The challenge here is simply managing the pain while helping the claimant get back to work. Sometimes the systemic effect of oral opioid-based drugs prohibits the person from going to work by its highly addictive nature. In a 2014 report, “A Nation in Pain,” St. Louis-based Express Scripts found that nearly half of those who took opioid medications for more than a month in their first year of treatment then refilled their prescriptions for three years or longer. Many studies confirm that chronic opioid use has led to declining functionality with reduced ability to recover.
This can be challenging if certain pain killers are being used to manage the pain but are prohibitive in performing work duties. This is where topical compound prescriptions – controversial due to high cost and a lack of control – may be used. IPS works with a reputable, highly cost-effective network of compound prescription providers, with costs about 30-50 percent less than the traditional compound prescription.
In particular, compounded Non-Systemic Transdermal (NST) pain creams are proving to be an effective treatment for chronic pain syndromes. Much about this treatment modality is still poorly understood, with the science and outcomes only now emerging.
Retrospective Strategies: Staying on Top of the Claim
IPS’ retrospective approach includes components such as periodic letters of medical necessity sent to the physician, peer-to-peer and pharmacological reviews when necessary, toxicology monitoring and reporting, and even addiction rehab programs specifically tailored toward injured workers.
Todd said that the most effective WC pharmacy benefit manager (PBM) provides much more than just drug benefits; it combines pharmacy benefits with a comprehensive ancillary suite of services in a single portal, assisting all medical care from onset of injury to RTW. IPS puts the tools at the adjustor’s fingertips and automates initial recommendations through dashboard alerts as soon as the claim is entered into its system. Claimant scheduling and progress reporting are made available to clients 24/7/365.
“It comes down to doing the right thing for the right reasons for the right injury at the right time,” Todd said. “To manage chronic pain successfully – mitigating disability and maximizing return-to-work – you have to offer a comprehensive approach.”
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with IPS. The editorial staff of Risk & Insurance had no role in its preparation.