Heading Off ‘Cybergeddon’
In April’s R&I cover story, Cyber: The New CAT, experts called catastrophic cyber attacks “inevitable” and the prevailing attitude in the C-Suite “denial.”
Jason Healey, director, Atlantic Council’s Cyber Statecraft Initiative, says that in order for organizations to weather the inevitable attacks, the key will be resiliency. “The organizations that fare best,” he said, “will be those that have the size, agility and resilience to bounce back as quickly as possible.” Healey is also author of Beyond Data Breaches: Global Interconnections of Cyber Risk, commissioned by Zurich Insurance Company Ltd. and published in April 2014.
Developing resilience would include conducting exercises, developing response playbooks, increasing funding and grants for large-scale crisis management and developing redundant data storage in case one is compromised.
The tangle of Internet information that companies and countries depend on to function is now so complex, Healey said, that companies and governments can’t manage the risk from within their own four walls. Beyond Data Breaches notes that Internet failures could cascade directly to Internet-connected banks, water systems, cars, medical devices, hydroelectric dams, transformers and power stations.
Like superstorms such as Hurricane Sandy, cyber risks are inevitable and unstoppable, and like the financial crisis of 2008, they can’t be contained, because of organizations’ interconnection and interdependency. The worst-case scenario, stemming from the principle that everything is connected to the Internet and everything connected to the Internet can be hacked, is “Cybergeddon,” where attackers have an overwhelming, dominant and lasting advantage over defenders.
Even now, Healey said, attackers have the advantage. The Internet’s original weakness — that it was built for trust, not security — perpetuates defenders’ vulnerability. “Some ‘serious’ thinkers suggest we should start over” rather than try to retrofit an Internet so flawed by weak security as to threaten every user, he said, despite the impracticality of a do-over.
Second, Healey said, defenders have to be right every time, and attackers have to be right only once.
Third, technology evolves very quickly, and most people don’t understand it well enough to lock out intruders. “Every time we figure out what we’re supposed to be doing right, the technology has moved on and once again we don’t know how to properly secure our data,” Healey said.
Software is still poorly written and so insecure that “a couple of kids in a garage” can hack into corporate and government systems just for a naughty thrill. “Bad guys” with theft or sabotage on their minds can work their mischief behind a veil of anonymity. “The Internet almost encourages bad behavior because of the anonymity involved,” Healey said.
Companies, governments and risk managers should shift the drumbeat from resistance to resilience, and expand cyber risk management from individual organizations to a resilient and responsive Internet system, Healey said. For systemic risk management, Beyond Data Breaches recommends:
- Putting the private sector at the center, not the periphery, of cyber risk efforts, since they have the advantage in agility and subject matter expertise.
- Using monetary or in-kind grants to fund effective but underfunded non-government groups already involved in minimizing the frequency and intensity of attacks. Governments and others with system-wide concerns (such as internet service providers and software and hardware vendors) should advocate for this research.
- Borrowing ideas from the finance sector. This could include examination of “too big to fail” issues of governance and recognition of global significantly important internet organizations.
Cyber Vulnerabilities ‘Easy to Find’
Verizon’s “2015 Data Breach Investigations Report” (DBIR), published earlier this month, paints a disturbing picture for organizations and their customers.
The 2015 report analyzed more than 2,100 confirmed data breaches and approximately 80,000 reported security incidents in 2014. The previous year’s report, which covered 2013, looked at 1,367 data breaches and analyzed more than 63,000 security incidents.
In about 70 percent of the new cases, decades-old ploys such as phishing and hacking are still successful because companies haven’t kept up with patching.
The question is, why are so many companies still not ahead of the curve when these cyber attacks can have such a devastating impact? The reasons boil down to priorities, process, and people.
“The bad guys don’t really have to work too hard to do this,” said Mark Weatherford, principal at The Chertoff Group and former deputy undersecretary for cybersecurity at the U.S. Department of Homeland Security.
“They are looking for vulnerable people all the time, and unfortunately it’s far too easy to find them.”
To help organizations assess these threats more effectively, Verizon Managing Principal and report author Bob Rudis said the report — for the first time — includes an impact section that ties dollars and cents to each data record compromised.
“We now have impact information that folks can use for risk management purposes, including enterprise risk management and financial risk management,” said Rudis.
“It’s a model for looking at breaches at a whole new way that we couldn’t talk about before.”
The model shows different loss forecasts for different volumes: the average loss for a breach of 1,000 records is between $52,000 and $87,000; for 10 million record losses, it’s $2.1 million to $5.2 million.
As for the types of cyber attacks plaguing organizations, about 83 percent of security incidents involve compromising websites and servers in order to go after a secondary victim: launching denial-of-service attacks, hosting malware, or repurposing the site for phishing. This is up from 76 percent in the 2014 report.
Additional top threat patterns include: miscellaneous errors, such as sending an email to the wrong person; crimeware (malware aimed at gaining control of systems); insider/privilege misuse; physical theft/loss; web app attacks; cyber espionage; point-of-sale intrusions, and payment card skimmers.
The industries most affected by cyber attacks are the same as in recent years: public, information, and financial services.
How to respond? First, look at different industries that are experiencing the same kind of attacks as you are — no matter how different they seem, advised Verizon Senior Analyst Suzanne Widup: “See if you can make contact with them and not stay within your same silo.”
To start closing the high volume of vulnerabilities organizations often have, Weatherford advised developing better patch management programs that include testing and a timeframe for implementation.
“I hate to sound that simplistic but really that’s why [threats from] 2007 pop up in companies – because companies haven’t done their due diligence to do the [security] hygiene that they need to do,” he said.
Marc Spitler, Verizon senior analyst, puts it more colorfully: “Instead of just playing Whack-A-Mole with the particular vulnerabilities, [companies] need to understand why they were actually visible to begin with.”
Finding qualified IT people to tackle the security problems is another reason companies aren’t keeping up with patches and other protections, said Mike VanDenBerg, a managing director in KPMG’s cyber services and information protection practice based in Dallas.
“There’s an undercurrent not mentioned in the report: that the supply and demand of labor in this industry is very unbalanced,” he said.
“Every single client that I have in the Fortune 50 cannot find enough qualified people to do what needs to be done in this space. If I were to invest the next million dollars in my security problem … it would be [in] trying to solve the problem that I’ve had for several years, which is people. It’s just a matter of priorities.”
For VanDenBerg, consistently covering the entire data environment will make the biggest difference to companies.
“Some of the constraints are: legacy systems that can’t be patched, are out of support, [or] are off the books from an accounting perspective but are still functional from a technology and business perspective. [These are] great from a financial standpoint but it’s bad from a security standpoint,” he said.
“Shutting down those assets and moving to new and different technology ultimately will increase your security. Yes, it will open up to holes in the future but I’d rather have something that I can do something about than have old technology that I can’t.”
Looking to trends in 2015, Verizon’s Rudis had this to say: “My prediction is a non-prediction; if the status quo [within organizations] stays, we are pretty much going to see almost a mirror image of the report next year.”
Mitigating Fraud, Waste, and Abuse of Opioid Medications
There’s a fine line between instances of fraud, waste, and abuse. One of the key differences is intent and knowledge. Fraud is knowingly and willfully defrauding a health care benefit program for personal gain or profit. Each of the parties to a claim has opportunity and motive to commit fraud. For example, an injured worker might fill a prescription for pain medication only to sell it to a third party for profit. A prescriber might knowingly write prescriptions for certain pain medications in order to receive a “kickback” by the manufacturer.
Waste is overuse of services and misuse of resources resulting in unnecessary costs, whereas abuse is practices that are inconsistent with professional standards of care, leading to avoidable costs. In both situations, the wrongdoer may not realize the effects of their actions. Examples of waste include under-utilization of generics, either because of an injured worker’s request for brand name medication, or the prescriber writing for such. Examples of abusive behavior are an injured worker requesting refills too soon, and a prescriber billing for services that were not medically necessary.
Actions that Interfere with Opioid Management
Early intervention of potential fraud, waste, and abuse situations is the best way to mitigate its effects. By considering the total pharmacotherapy program of an injured worker, prescribing behaviors of physicians, and pharmacy dispensing patterns, opportunities to intervene, control, and correct behaviors that are counterproductive to treatment and increase costs become possible. Certain behaviors in each community are indicative of potential fraud, waste, and abuse situations. Through their identification, early intervention can begin.
- Prescriber/Pharmacy Shopping – By going to different prescribers or pharmacies, an injured worker can acquire multiple prescriptions for opioids. They may be able to obtain “legitimate” prescriptions, as well as find those physicians who aren’t so diligent in their prescribing practices.
- Utilizing Pill Mills – Pain clinics or pill mills are typically cash-only facilities that bypass physical exams, medical records, and x-rays and prescribe pain medications to anyone—no questions asked.
- Beating the Urine Test – Injured workers can beat the urine drug test by using any of the multiple commercial products available in an attempt to mask results, or declaring religious/moral grounds as a refusal for taking the test. They may also take certain products known to deliver a false positive in order to show compliance. For example, using the over-the-counter Vicks® inhaler will show positive for amphetamines in an in-office test.
- Renting Pills – When prescribers demand an injured worker submit to pill counts (random or not), he or she must bring in their prescription bottles. Rent-a-pill operations allow an injured worker to pay a fee to rent the pills needed for this upcoming office visit.
- Forging or Altering Prescriptions – Today’s technology makes it easy to create and edit prescription pads. The phone number of the prescriber can be easily replaced with that of a friend for verification purposes. Injured workers can also take sheets from a prescription pad while at the physician’s office.
- Over-Prescribing of Controlled Substances – By prescribing high amounts and dosages of opioids, a physician quickly becomes a go-to physician for injured workers seeking opioids.
- Physician dispensing and compounded medication – By dispensing opioids from their office, a physician may benefit from the revenue generated by these medications, and may be prone to prescribe more of these medications for that reason. Additionally, a physician who prescribes compounded medications before a commercially available product is tried may have a financial relationship with a compounding pharmacy.
- Historical Non-Compliance – Physicians who have exhibited potentially high-risk behavior in the past (e.g., sanctions, outlier prescribing patterns compared to their peers, reluctance or refusal to engage in peer-to-peer outreach) are likely to continue aberrant behavior.
- Unnecessary Brand Utilization – Writing prescriptions for brand medication when a generic is available may be an indicator of potential fraud, waste, or abuse.
- Unnecessary Diagnostic Procedures or Surgeries – A physician may require or recommend tests or procedures that are not typical or necessary for the treatment of the injury, which can be wasteful.
- Billing for Services Not Provided – Since the injured worker is not financially responsible for his or her treatment, a physician may mistakenly, or knowingly, bill a payer for services not provided.
- Compounded Medications – Compounded medications are often very costly, more so than other treatments. A pharmacy that dispenses compounded medications may have a financial arrangement with a prescriber.
- Historical Non-Compliance – Like physicians, pharmacies with a history of non-compliance raise a red flag. In states with Prescription Drug Monitoring Programs (PDMPs), pharmacies who fail to consult this database prior to dispensing may be turning a blind eye to injured workers filling multiple prescriptions from multiple physicians.
- Excessive Dispensing of Controlled Substances – Dispensing of a high number of controlled substances could be a sign of aberrant behavior, either on behalf of the pharmacy itself or that injured workers have found this pharmacy to be lenient in its processes.
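The indicators above only help if someone actually screens for them. As an added illustration (not code from the article, Zurich, Verizon or any PBM), the following Python turns four of the listed behaviors into rules run over a handful of constructed dispensing records: prescriber/pharmacy shopping, refills requested too soon, brand dispensed where a generic exists, and controlled-substance fills where the pharmacy did not consult the PDMP. The record fields, the 90-day window, the "more than two" thresholds and the five-day refill tolerance are all assumptions chosen for the example; a real program would set them from the payer's own policy.

```python
"""Rule-based screening for fraud, waste and abuse indicators (added example).

Not the article's or any PBM's code. Field names, thresholds and the sample
records are assumptions made for illustration only.
"""
from collections import defaultdict
from datetime import date

# Constructed sample fills (not real claims). Every drug here is an opioid,
# i.e. a controlled substance. "generic_available" is an assumed formulary
# lookup; "pdmp_checked" is an assumed pharmacy attestation.
FILLS = [
    {"worker": "W1", "prescriber": "P1", "pharmacy": "RX1", "drug": "oxycodone",
     "brand": False, "generic_available": True, "days_supply": 30,
     "fill_date": date(2015, 1, 5), "pdmp_checked": True},
    {"worker": "W1", "prescriber": "P2", "pharmacy": "RX2", "drug": "oxycodone",
     "brand": False, "generic_available": True, "days_supply": 30,
     "fill_date": date(2015, 1, 12), "pdmp_checked": True},
    {"worker": "W1", "prescriber": "P3", "pharmacy": "RX3", "drug": "hydrocodone",
     "brand": False, "generic_available": True, "days_supply": 30,
     "fill_date": date(2015, 2, 1), "pdmp_checked": False},
    {"worker": "W2", "prescriber": "P1", "pharmacy": "RX1", "drug": "oxycodone ER",
     "brand": True, "generic_available": True, "days_supply": 30,
     "fill_date": date(2015, 1, 10), "pdmp_checked": True},
    {"worker": "W2", "prescriber": "P1", "pharmacy": "RX1", "drug": "oxycodone ER",
     "brand": True, "generic_available": True, "days_supply": 30,
     "fill_date": date(2015, 2, 9), "pdmp_checked": True},
    {"worker": "W3", "prescriber": "P4", "pharmacy": "RX1", "drug": "morphine",
     "brand": False, "generic_available": True, "days_supply": 30,
     "fill_date": date(2015, 1, 3), "pdmp_checked": True},
]


def shopping_flags(fills, window_days=90, max_prescribers=2, max_pharmacies=2):
    """Prescriber/pharmacy shopping: count distinct prescribers and pharmacies an
    injured worker used inside any trailing window. Thresholds are assumptions."""
    by_worker = defaultdict(list)
    for f in fills:
        by_worker[f["worker"]].append(f)
    flags = {}
    for worker, wf in by_worker.items():
        wf.sort(key=lambda f: f["fill_date"])
        reasons = set()
        for i, f in enumerate(wf):
            window = [g for g in wf[: i + 1]
                      if (f["fill_date"] - g["fill_date"]).days <= window_days]
            n_presc = len({g["prescriber"] for g in window})
            n_pharm = len({g["pharmacy"] for g in window})
            if n_presc > max_prescribers:
                reasons.add(f"{n_presc} prescribers within {window_days} days")
            if n_pharm > max_pharmacies:
                reasons.add(f"{n_pharm} pharmacies within {window_days} days")
        if reasons:
            flags[worker] = sorted(reasons)
    return flags


def early_refill_flags(fills, tolerance_days=5):
    """Refills too soon: same worker and drug filled again before the previous
    days' supply would run out, less an assumed tolerance."""
    by_key = defaultdict(list)
    for f in fills:
        by_key[(f["worker"], f["drug"])].append(f)
    flagged = []
    for (worker, drug), kf in by_key.items():
        kf.sort(key=lambda f: f["fill_date"])
        for prev, nxt in zip(kf, kf[1:]):
            elapsed = (nxt["fill_date"] - prev["fill_date"]).days
            if elapsed < prev["days_supply"] - tolerance_days:
                flagged.append((worker, drug, nxt["fill_date"].isoformat(), elapsed))
    return flagged


def brand_flags(fills):
    """Unnecessary brand utilization: brand dispensed although a generic exists."""
    return [(f["worker"], f["prescriber"], f["drug"])
            for f in fills if f["brand"] and f["generic_available"]]


def pdmp_flags(fills):
    """Pharmacies that dispensed a controlled substance without a PDMP check."""
    return sorted({f["pharmacy"] for f in fills if not f["pdmp_checked"]})


def screen(fills):
    """Run every rule and return the findings grouped by indicator."""
    return {
        "shopping": shopping_flags(fills),
        "early_refill": early_refill_flags(fills),
        "brand": brand_flags(fills),
        "pdmp_not_consulted": pdmp_flags(fills),
    }


if __name__ == "__main__":
    for indicator, findings in screen(FILLS).items():
        print(indicator, findings)
```

Each rule returns the records it flagged rather than a verdict, because these are indicators, not proof: the next step the article describes is a clinical review or SIU referral by a person, and the reviewer needs the underlying fills, not a score.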
Clinical Tools for Opioid Management
Once identified, acting on the potential situations of fraud, waste, and abuse should leverage all key stakeholders. Intervention approaches include notifying claims professionals, sending letters to prescribing physicians, performing urine drug testing, reviewing full medical records with peer-to-peer outreach, and referring to payer special investigative unit (SIU) resources. A program that integrates clinical strategies to identify aberrant behavior, alert stakeholders of potential issues, act through intervention, and monitor progress with the injured worker, prescriber, and pharmacy communities can prevent and resolve fraud, waste, and abuse situations.
Proactive Opioid Management Mitigates Fraud, Waste, and Abuse
Opioids can be used safely when properly monitored and controlled. By taking proactive measures to reduce fraud, waste, and abuse of opioids, payers improve injured worker safety and obtain more control over medication expenses. A Pharmacy Benefit Manager (PBM) can offer payers an effective opioid utilization strategy to identify, alert, intervene upon, and monitor potential aberrant behavior, providing a path to brighter outcomes for all.