Cyber Threats

Heading Off ‘Cybergeddon’

Cyber experts say resistance is futile, but resilience is paramount.
May 8, 2014 • 3 min read

In April’s R&I cover story, Cyber: The New CAT, experts called catastrophic cyber attacks “inevitable” and the prevailing attitude in the C-Suite “denial.”

Jason Healey, director, Atlantic Council’s Cyber Statecraft Initiative, says that in order for organizations to weather the inevitable attacks, the key will be resiliency. “The organizations that fare best,” he said, “will be those that have the size, agility and resilience to bounce back as quickly as possible.” Healey is also author of Beyond Data Breaches: Global Interconnections of Cyber Risk, commissioned by Zurich Insurance Company Ltd. and published in April 2014.

Developing resilience would include conducting exercises, developing response playbooks, increasing funding and grants for large-scale crisis management and developing redundant data storage in case one is compromised.

The tangle of Internet information that companies and countries depend on to function is now so complex, Healey said, that companies and governments can’t manage the risk from within their own four walls. Beyond Data Breaches notes that Internet failures could cascade directly to Internet-connected banks, water systems, cars, medical devices, hydroelectric dams, transformers and power stations.

Like superstorms such as Hurricane Sandy, cyber risks are inevitable and unstoppable, and like the financial crisis of 2008, they can’t be contained, because of organizations’ interconnection and interdependency. The worst-case scenario, stemming from the principle that everything is connected to the Internet and everything connected to the Internet can be hacked, is “Cybergeddon,” where attackers have an overwhelming, dominant and lasting advantage over defenders.

Even now, Healey said, attackers have the advantage. The Internet’s original weakness — that it was built for trust, not security — perpetuates defenders’ vulnerability. “Some ‘serious’ thinkers suggest we should start over” rather than try to retrofit an Internet so flawed by weak security as to threaten every user, he said, despite the impracticality of a do-over.

Second, Healey said, defenders have to be right every time, and attackers have to be right only once.

Third, technology evolves very quickly, and most people don’t understand it well enough to lock out intruders. “Every time we figure out what we’re supposed to be doing right, the technology has moved on and once again we don’t know how to properly secure our data,” Healey said.

Software is still poorly written and so insecure that “a couple of kids in a garage” can hack into corporate and government systems just for a naughty thrill. “Bad guys” with theft or sabotage on their minds can work their mischief behind a veil of anonymity. “The Internet almost encourages bad behavior because of the anonymity involved,” Healey said.

Companies, governments and risk managers should shift the drumbeat from resistance to resilience, and expand cyber risk management from individual organizations to a resilient and responsive Internet system, Healey said. For systemic risk management, Beyond Data Breaches recommends:

  • Putting the private sector at the center, not the periphery, of cyber risk efforts, since it has the advantage in agility and subject matter expertise.
  • Using monetary or in-kind grants to fund effective but underfunded non-government groups already involved in minimizing the frequency and intensity of attacks. Governments and others with system-wide concerns (such as internet service providers and software and hardware vendors) should advocate for this research.
  • Borrowing ideas from the finance sector. This could include examination of “too big to fail” issues of governance and recognition of global significantly important internet organizations.
Susannah Levine writes about health care, education and technology. She can be reached at riskletters@lrp.com.

Vendor Vulnerabilities

Risky Business

Being vigilant on cyber security requires companies to have confidence in the IT protections of their vendors and partners.
December 18, 2014 • 3 min read

Like everyone else, I shop at Target, Home Depot and TJ Maxx, and as a consequence of their security breaches, and for my future protection, I have had to exchange my credit card several times.

Although I am very careful about sharing personal data and keep a shredder very busy, clearly the companies with whom I do business have vulnerabilities that they and I were unaware of.

Such vulnerabilities impact our industry as well.

In July, the Consero Group conducted a survey of Fortune 1000 companies that indicated that 65 percent of their executives do not believe their vendors are sufficiently focused on minimizing risk.

We are in an industry where vendors abound and we rely heavily on them to provide services to our clients, our employees, our medical and ancillary providers, and to each other.

What are the risks if our vendors do not meet the highest standards and have vulnerabilities that affect the various stakeholders in our business?

Data security – We must be certain that all the data we collect and share (much of which is highly personal and confidential) is secure. How can we be sure that all of our vendors have the “right” level of controls to keep all of your and your clients’ data secure?

Financial impact – Financial transactions are at the core of our businesses. In today’s highly technology-based business practices, many of these transactions are performed electronically. How do you know if your and your vendor’s systems are protected against unauthorized access?

Compliance/regulatory impact – Is your vendor’s system processing complete, accurate, timely, regulatory compliant and authorized?

Controls – Exactly what controls do your vendors have in place to prevent the security breaches that have become all too frequent?

Compliance Standards

Remember the SAS 70? Since 1992, SAS 70 has provided the auditing standard guidance for internal controls, including IT-related controls, of service organizations.

However, two key authorities, the American Institute of Certified Public Accountants (AICPA) and the International Auditing and Assurance Standards Board (IAASB) identified the limits of the SAS 70 and acknowledged the need for greater controls.

Certainly, our recent experience of all types of security breaches would indicate that we do need to do more. Thus in 2011, new standards specifically for service organizations were developed with the SSAE 16 Trust Services Principles and Criteria.

Sparrow, Johnson and Ursillo, a full service accounting and technology firm serving a wide variety of clients all over the country including members of the banking community, describes the SSAE 16 standards this way:

“These attestation standards address engagements undertaken by a service auditor for reporting on controls at service organizations that provide services to user entities (customers). User entities in reality take on many of the risks of their outsource partners. These attestation standards provide the framework for CPAs to report on the internal controls over financial reporting as well as compliance and operations of the service organizations in order to determine and demonstrate the effectiveness of internal controls.”

With these new standards, entities can describe and document more precisely how services are being delivered and how controls are utilized within finance, operations and compliance. This new certification can be utilized to identify risks, evaluate the effectiveness of internal controls and provide assurances that we all need as it relates to our vendor partners.

Focus on Vendors

I would suggest that you make this a high priority in your organization. We are, after all, in the business of risk management and we need to ensure that our vendors/partners are as focused as we are on minimizing risks.

Ask yourself these questions:

• How do you know that your vendors are doing what it takes to protect your systems and data?

• Have you talked to your vendor partners about their internal controls as they relate to their business with you?

• Is your vendor management department knowledgeable about the Trust Service Principles?

• Are you — or should you be — requiring your vendors to be SSAE 16 compliant?

All of us need to be more vigilant and better protected against security breaches. Are you and your company as protected as you need to be?

Maddy Bowling is a principal in Maddy Bowling Consulting, Inc., a WC consulting firm. Bowling has 35 years of broad-based executive management experience within operating, corporate and consulting environments. She can be reached at mb@maddybowlingconsult.com.

Sponsored: Healthcare Solutions

The Promise of Technology

A roundtable in Philadelphia explores the power of technology in WC and its potential to take us where we have never been before.
December 10, 2014 • 7 min read

The field of workers’ compensation claims management seems ideally suited as a proving place for the power of technology.

Predictive analytics in the hands of pharmacy and medical management experts can give claims managers the data they need to intervene in troublesome claims. Wearables and other mobile technologies have the potential to give healthcare providers “real-time” reports on the medical condition of injured workers.

Never before have the goals of quick turnaround and transparency in managing claims appeared so tantalizingly achievable.

In the effort to learn more about technology’s potential, in September, Risk & Insurance® partnered with Duluth, Ga.-based Healthcare Solutions to convene an information technology executive roundtable in Philadelphia.

The goal of the roundtable was to explore technology’s promise and to gauge how advancements are serving the industry’s ultimate purpose, getting injured workers safely back to work.


Big Data, Transparency and the Economies of Scale

Integration is a word often heard in connection with workers’ compensation claims management. On one hand, it refers to industry consolidation, as investors and larger service providers seek to combine a host of services through mergers and acquisitions.

In another way, integration applies to workers’ compensation data management. As companies merge, technology is allowing previously siloed stores of data to be combined. Access to these new supersets of data, which technology professionals like to call “Big Data,” presents a host of opportunities for payers and service providers.

Through accessible exchange systems that give both providers and payers better access to the internal processes of vendors, a service provider can show the payer the status of the claim across a much broader spectrum of services.

“One of the things I see with all of this data starting to exchange is the ability to use analytics to predict outcomes, and to implement workflows to intervene.”
–Matthew Landon, Vice President of Analytics, Bunch CareSolutions.

“Any time that we can integrate with a payer across multiple products such as pharmacy, specialty and PPO services, what it does is gives us a better picture of the claim and that helps us to drive better outcomes,” said roundtable participant Chuck Cavaness, chief information officer for Healthcare Solutions.

Integration across multiple product lines also produces economies of scale for the payer, he said.

Big Data, according to the roundtable participants, also provides claims managers an unparalleled perspective on the cases they manage.

“One of the things that excites us as more data is exchanged is the ability to use analytics to predict outcomes, and to implement workflows to intervene,” said roundtable participant Matthew Landon, vice president of analytics with Lakeland, Fla.-based Bunch CareSolutions, A Xerox Company.

Philadelphia roundtable participant Mike Cwynar, vice president of Irvine, Calif.-based Mitchell International, agrees with Landon.

Jerry Poole, President and Chief Executive Officer, Acrometis

“We are utilizing technology to consolidate all of the data, to automate as many tasks as we can, and to provide exception-based processing to flag unusual activity where claims professionals can add value,” Cwynar said.

Technology is also enabling the claims management industry to have more productive interactions with medical providers, long considered one of the Holy Grails of better case management.

Philadelphia roundtable participant Jerry Poole, president and CEO of Malvern, Pa.-based claims management company Acrometis, said more uniform and accessible information exchange systems are giving medical providers access to see how bills are moving through the claims manager’s process.

“The technology is enabling providers to call in or to visit a portal to figure out what’s happening in the process,” Poole said.

More efficient data storage and communication is also resulting in quicker turnaround times, which is shortening the duration of claims and driving down the overall cost of risk, according to Cwynar.


Going Mobile

Another area where technology is moving the industry forward, according to the Philadelphia technology roundtable participants, is mobile technology, which is being used to support adjustors and case managers and is also contributing to quicker return to work and lower costs for payers.

The ability to take a digital tablet to a meeting with an injured worker or a health care provider is allowing case managers to enter data and give feedback on a patient’s condition in real time.

“Our field-based case managers have mobile connectivity to our claims systems that they use while they’re out of the office attending doctor’s appointments, and can enter the data right there into the system, so they’re not having to wait until they are back at the office to enter critical clinical documentation,” said Landon.

Injured workers who use social media, e-mail and the texting function on their mobile phones are staying in better touch with those who are charged with ensuring that they are in compliance with their treatment plans.

Wearable devices that provide in-the-moment information about an injured worker’s condition have the potential to recreate what is known in aviation as the “black box,” a device that will record and store the precise physical state of an employee when they were injured. Such a device could also monitor their recovery process.

But as with many technologies, worker and patient privacy also needs to be observed.

“At the end of the day, we need to make sure that we approach technology enhancement that demonstrates value to the client, while ensuring patient advocacy,” Landon said.

Consolidation

As payers and claims managers set out to harness the power of computing in assessing an injured worker’s condition and response to treatment, the cycle of investment in companies that serve the workers’ compensation space is currently playing a significant role.

The trend of private equity investing in companies that can establish one-stop shopping for such services as medical case management, bill review, pharmacy benefit management and fraud forensics has huge potential.

The challenge now facing the industry, one the information technology roundtable participants are confident it can meet, is integrating those systems. But doing so won’t happen overnight.

“There’s a lot of specialization in the industry today,” said Jerry Poole of Acrometis.

Years ago there was a PT network. Now there’s a surgical implant guy, there’s specialized negotiations, there’s special investigations, said Poole.

The various data need to be integrated into an overall data set that carriers can use to help lower the cost of risk.

“Consolidating all these providers will take standardization of communication pathways and it will likely be led by the vendors,” Poole said.


Securing Sensitive Information

Long before hackers turned the cyber defenses of major national retailers inside out, claims management professionals were focusing increased attention on the protection of data shared across multiple partners.

Information security safeguards are changing and apply to what technology pros refer to as “data at rest,” data that is stored on a particular company’s servers, and “data in flight,” data that is transferred from one user to another.

Michael Cwynar, Vice President, Mitchell International

Mitchell’s Cwynar said carriers want certification that every company their data is being sent to actually needs that information, and that both data at rest and data in flight are encrypted.

The roundtable participants agreed that the industry is in a conundrum. Carriers want more help in predictive analytics but are less willing to share the data needed to make those predictions.

And as crucial as avoiding cyber exposures and the corresponding reputational damage is for large, multinational corporations, it is even more acute for smaller companies in the workers’ compensation industry.

Healthcare Solutions’ Cavaness said the millions in loss notification and credit monitoring costs that impact a Target or a Home Depot in the case of a large data theft would devastate many a workers’ compensation service vendor.

“They’d be done in a minute,” Cavaness said.

The barriers to entry in this space are higher now than ever before, continued Cavaness, and companies wishing to do business with large carriers have the burden of proving that their security standards are uncompromising.

In Reality

Workers’ compensation risk management in the United States is, by its very nature, complex and demanding. But keep in mind that those charged with managing that risk get better results year after year.

Technology has a proven capability to iron out the system’s inherent complications and take its more mundane tasks off the shoulders of case adjustors.

The roundtable members agreed that the business goals of a lower cost of risk and an even more productive workforce will follow.

This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Healthcare Solutions. The editorial staff of Risk & Insurance had no role in its preparation.




Healthcare Solutions serves as a health services company delivering integrated solutions to the property and casualty markets, specializing in workers’ compensation and auto liability/PIP.