Heading Off ‘Cybergeddon’
In April’s R&I cover story, Cyber: The New CAT, experts called catastrophic cyber attacks “inevitable” and the prevailing attitude in the C-Suite “denial.”
Jason Healey, director, Atlantic Council’s Cyber Statecraft Initiative, says that in order for organizations to weather the inevitable attacks, the key will be resiliency. “The organizations that fare best,” he said, “will be those that have the size, agility and resilience to bounce back as quickly as possible.” Healey is also author of Beyond Data Breaches: Global Interconnections of Cyber Risk, commissioned by Zurich Insurance Company Ltd. and published in April 2014.
Developing resilience would include conducting exercises, developing response playbooks, increasing funding and grants for large-scale crisis management and developing redundant data storage in case one is compromised.
The tangle of Internet information that companies and countries depend on to function is now so complex, Healey said, that companies and governments can’t manage the risk from within their own four walls. Beyond Data Breaches notes that Internet failures could cascade directly to Internet-connected banks, water systems, cars, medical devices, hydroelectric dams, transformers and power stations.
Like superstorms such as Hurricane Sandy, cyber risks are inevitable and unstoppable, and like the financial crisis of 2008, they can’t be contained, because of organizations’ interconnection and interdependency. The worst-case scenario, stemming from the principle that everything is connected to the Internet and everything connected to the Internet can be hacked, is “Cybergeddon,” where attackers have an overwhelming, dominant and lasting advantage over defenders.
Even now, Healey said, attackers have the advantage. The Internet’s original weakness — that it was built for trust, not security — perpetuates defenders’ vulnerability. “Some ‘serious’ thinkers suggest we should start over” rather than try to retrofit an Internet so flawed by weak security as to threaten every user, he said, despite the impracticality of a do-over.
Second, Healey said, defenders have to be right every time, and attackers have to be right only once.
Third, technology evolves very quickly, and most people don’t understand it well enough to lock out intruders. “Every time we figure out what we’re supposed to be doing right, the technology has moved on and once again we don’t know how to properly secure our data,” Healey said.
Software is still poorly written and so insecure that “a couple of kids in a garage” can hack into corporate and government systems just for a naughty thrill. “Bad guys” with theft or sabotage on their minds can work their mischief behind a veil of anonymity. “The Internet almost encourages bad behavior because of the anonymity involved,” Healey said.
Companies, governments and risk managers should shift the drumbeat from resistance to resilience, and to expand cyber risk management from individual organizations to a resilient and responsive Internet system, Healey said. For systemic risk management, Beyond Data Breaches recommends:
- Putting the private sector at the center, not the periphery, of cyber risk efforts, since they have the advantage in agility and subject matter expertise.
- Using monetary or in-kind grants to fund effective but underfunded non-government groups already involved in minimizing the frequency and intensity of attacks. Governments and others with system-wide concerns (such as internet service providers and software and hardware vendors) should advocate for this research.
- Borrowing ideas from the finance sector. This could include examination of “too big to fail” issues of governance and recognition of global significantly important internet organizations.
7 Emerging Technology Risks
The Risk List is presented by:
Beware of Medical Hyper-Inflation!
Historically, medical inflation rates nationwide have been fairly consistent. However, data is now showing that medical inflation is not a “one size fits all” phenomenon, with hyperinflation spikes occurring in some locations…but not others.
This geographical conundrum means hyperinflation can occur as narrowly as two hospitals having dramatically different charges on the same street in Anytown, USA. So, uncovering these anomalies is akin to finding the proverbial needle in a haystack.
“In recent years, workers’ compensation saw claim frequency decline, while severity rates went up. This basically means that increased job safety has offset increased medical costs,” explained Jason Beans, CEO of Rising Medical Solutions, a national medical cost management firm. “So, whenever a client’s average cost-per-claim went up, it was almost always caused by catastrophic, outlier-type claims.”
But beginning in 2013 and extending into 2014, Beans said, things changed. “I’ve never seen anything like it in my 20-plus years in this industry.”
“Our analytics made it very clear that small pockets around the country are experiencing what could only be described as medical cost hyperinflation. The big spikes in some clients’ claim costs were driven by a broader rise in medical costs, rather than catastrophic claims or severity issues.”
– Jason Beans, CEO, Rising Medical Solutions
Data dive uncovers surprising findings
On a national level, most experts describe medical costs increasing at a moderate annual rate. But, as often is the case, sometimes a macro perspective glosses over a very different situation at a more micro level.
“Our analytics made it very clear that small pockets around the country are experiencing what could only be described as medical cost hyperinflation,” explained Beans. “The big spikes in some clients’ claim costs were driven by a broader rise in medical costs, rather than catastrophic claims or severity issues.”
This conclusion is supported by several key data patterns:
- Geographic dependency: While many payers operate at the national level, only relatively small, geographically clustered claims showed steep cost increases.
- Median cost per claim: The median cost per claim, not just the average, increased greatly within these geographic clusters.
- Hospital associated care: Some clusters saw a large increase in the rates and/or the number of services provided by hospital systems, including their broad array of affiliate locations.
- Provider rates: Other clusters saw the same hospital/non-hospital based treatment ratios as prior years, but there was a material rate increase for all provider types across the board.
- Utilization increases: Some clusters also experienced a larger number of services being performed per claim.
One of the most severe examples of hyperinflation came from a large Florida metropolitan area which experienced a combined 47 percent workers’ compensation healthcare inflation rate. Not only was there a dramatic increase in the charge per hospital bill, but utilization was also way up and there was a shift to more services being performed in a costlier hospital system setting.
“The growth of costs in this Florida market stood in stark contrast to neighboring areas where most of our clients’ claim costs were coming down or at least had flat-lined,” Beans said.
An Arizona metropolitan area, on the other hand, experienced a different root cause for their hyperinflation. Regardless of provider type, rates have significantly increased over the past year. For example, one hospital system showed dramatic increases in both charge master rates and utilization. “Even with aggressive discounting, the projected customer impact in 2014 will be an increase of $773,850 from this provider alone,” said Beans.
ACA: Unintended consequences?
So what is going on? According to Beans, a potential driver of these cost spikes could be unintended consequences of the Affordable Care Act (ACA).
First, the ACA may be a contributing factor in recent provider consolidation. While healthcare industry consolidation is not new, the ACA can prompt increased merger and acquisition efforts as hospitals seek to improve financials and healthcare delivery by forming Accountable Care Organizations (ACO). ACOs, the theory goes, can take better advantage of value-based fee arrangements in existing and new markets.
“As hospital systems grow by acquisition, more patients are being brought under hospital pricing structures – which are significantly more expensive than similar services at smaller facilities such as independent ambulatory surgery centers and doctors’ offices,” Beans said.
Unfortunately, there is little evidence that post-consolidation healthcare systems have become more efficient, only more expensive. For example, a recent PwC study reported that hospital IT infrastructure consolidation alone is projected to add 2 percent to hospital costs in 2015.
Another potential ACA consequence is group health insurers may have less incentive to keep medical costs down. An ACA provision requires that 85% of premium in the large group market must be spent on medical care and provider incentive programs, leaving 15% of premium to be allocated towards administration, sales and subsequent profits. “Fifteen percent of $5000 in medical charges is a lot less than 15% of $10,000,” said Beans. “This really limits a group health carrier’s incentive to lower medical costs.”
How do increased group health rates relate to workers’ comp? In some markets, a group health carrier may use its group health rates for their work comp network so any rate increase impacts both business types.
In the end, medical inflation is inconsistent at best, with varying levels driven by differing factors in different locations – a true “needle in the haystack” challenge.
What to do?
Managing these emerging cost threats, whether you have the capabilities internally or utilize a partner, means having the tools to pinpoint hyperinflation and make adjustments. Beans said potential solutions for payers include:
- Using data analytics: Data availability is at an all-time high. Utilizing analytical tools to spot problem areas is critical for executing cost saving strategies quickly.
- Moving services out of hospital systems: Programs that direct care away from the hospital setting can substantially reduce costs. For example, Rising’s surgical care program utilizes ambulatory service centers to provide predictable, bundled case rates to payers.
- Negotiating with providers: Working directly with providers to negotiate bill reductions and prompt payment arrangements is effective in some markets.
- Underwriting with a micro-focus: For carriers, it is vital that underwriters identify where these pockets of hyperinflation are so they can adjust rates to keep pace with inflation.
“This trend needs to be closely watched,” Beans said. “In the meantime, we will continue to use data to help payers of medical services be smarter shoppers.”