Target Breach a Threat to All
Computer security breaches that enable the theft of confidential financial information are no laughing matter. Just ask the 110 million or so people who have been affected by the infamous hack into Target’s customer-facing systems. So why should we in the insurance industry be sitting up and taking notice?
Internet sources report that this particular break-in used a form of memory-scraping malware technology that captures information as it is being input at the point of sale, but before it can be encrypted in the retailer’s systems.
We in the seemingly safe insurance sector may feel bad for our friends in retail, but before we get to feeling too comfy, it would be wise to consider that retail isn’t the only industry using point-of-sale (POS) devices. In fact, such input devices are used in lots of industries — retail, hospitality and health care among them.
It is that final class of users that should give us pause in the insurance sector. In case you weren’t paying attention, the Affordable Care Act requires electronic record-keeping. This naturally involves uncountable points of sale in doctors’ offices, clinics, and hospitals, not to mention places like Wal-Mart that are beginning to offer insured health care services.
In the Target heist, an executive reported that someone had actually installed the malware on its POS systems. How that was done is a mystery at this writing, but one has to assume that these systems were connected to the Internet — which would allow the thieves to then retrieve the stolen data remotely. So, it seems likely that the malware was also remotely introduced into Target’s systems, as well as those of Neiman Marcus and other affected retailers.
These kinds of attacks are not exactly on the cutting edge of technology, however. According to InformationWeek, “Memory-scraping attacks date from at least 2011, when security researchers first spotted an advanced version of the Trackr (a.k.a. Alina) malware, which can be controlled via a botnet.” So, it won’t just be the most advanced thieves who pull off these kinds of crimes. The less-sophisticated, whether here or abroad, will likely be able to do the same.
Personal financial information is an extremely valuable commodity on the black market, and if you’re a criminal, it seems surprisingly easy to steal. Hackers can sell the credit card numbers for $35 to $100 each, while gold or platinum credit cards go for $60 each, business credit cards for $80 and some platinum cards for $100, said Cisco security researcher Levi Gundert in a blog posting. Interestingly, the information stolen in the Target incident includes names, addresses, credit card numbers, PINs and other data that enable thieves to assume an individual’s identity — which could lead to far bigger losses for those who are victimized.
Here’s the bottom line. Many of the individuals affected by the Target, et al., breach are promising never to do business with the involved retailers again. But what if the breached party was a major broker or insurer? Can insurance companies and brokers — already involved in a dog-eat-dog competition for insureds — afford to have that kind of backlash aimed at them?
The answers remain to be seen, but it is clear that with cyber crime escalating and becoming easier to perpetrate, our industry cannot stand back and hope the boogeyman goes away.
Coping with Cancellations
Airlines typically can offset revenue losses for cancellations due to bad weather either by saving on fuel and salary costs or rerouting passengers on other flights, but this year’s revenue losses from the worst winter storm season in years might be too much for traditional measures.
At least one broker said the time may be right for airlines to consider crafting custom insurance programs to account for such devastating seasons.
For a good part of the country, including many parts of the Southeast, snow and ice storms have wreaked havoc on flight schedules, with a mid-February storm being the worst of all. On Feb. 13, a snowstorm from Virginia to Maine caused airlines to scrub 7,561 U.S. flights, more than the 7,400 cancelled flights due to Hurricane Sandy, according to MasFlight, an industry data tracker based in Bethesda, Md.
Roughly 100,000 flights have been canceled since Dec. 1, MasFlight said.
United alone, the world’s second-largest airline, reported that it had cancelled 22,500 flights in January and February 2014, according to Bloomberg. The airline’s share of completed regional flights was 87.1 percent, which was “an extraordinarily low level,” and almost 9 percentage points below its mainline operations, it reported.
And another potentially heavy snowfall was forecast for last weekend, from California to New England.
The sheer number of cancellations this winter is likely straining airlines’ bottom lines, said Katie Connell, a spokeswoman for Airlines for America, a trade group for major U.S. airline companies.
“The airline industry’s fixed costs are high, therefore the majority of operating costs will still be incurred by airlines, even for canceled flights,” Connell wrote in an email. “If a flight is canceled due to weather, the only significant cost that the airline avoids is fuel; otherwise, it must still pay ownership costs for aircraft and ground equipment, maintenance costs and overhead and most crew costs. Extended storms and other sources of irregular operations are clear reminders of the industry’s operational and financial vulnerability to factors outside its control.”
Bob Mann, an independent airline analyst and consultant who is principal of R.W. Mann & Co. Inc. in Port Washington, N.Y., said that two-thirds of costs — fuel and labor — are short-term variable costs, but that fixed charges are “unfortunately incurred.” Airlines just typically absorb those costs.
“I am not aware of any airline that has considered taking out business interruption insurance for weather-related disruptions; it is simply a part of the business,” Mann said.
Chuck Cederroth, managing director at Aon Risk Solutions’ aviation practice, said carriers would probably not want to insure airlines against cancellations because airlines have control over whether a flight will be canceled, particularly if they don’t want to risk being fined up to $27,500 for each passenger by the Federal Aviation Administration when passengers are stuck on a tarmac for hours.
“How could an insurance product work when the insured is the one who controls the trigger?” Cederroth asked. “I think it would be a product that insurance companies would probably have a hard time providing.”
But Brad Meinhardt, U.S. aviation practice leader for Arthur J. Gallagher & Co., said now may be the best time for airlines — and insurance carriers — to think about crafting a specialized insurance program to cover fluke years like this one.
“I would be stunned if this subject hasn’t made its way up into the C-suites of major and mid-sized airlines,” Meinhardt said. “When these events happen, people tend to look over their shoulder and ask if there is a solution for such events.”
Airlines often hedge losses from unknown variables such as varying fuel costs or interest rate fluctuations using derivatives, but those tools may not be enough for severe winters such as this year’s, he said. While products like business interruption insurance may not be used for airlines, they could look at weather-related insurance products that have very specific triggers.
For example, airlines could designate a period of time for such a “tough winter policy,” say from the period of November to March, in which they can manage cancellations due to 10 days of heavy snowfall, Meinhardt said. That amount could be designated their retention in such a policy, and anything in excess of the designated snowfall days could be a defined benefit that a carrier could pay if the policy is triggered. Possibly, the trigger would be inches of snowfall. “Custom solutions are the idea,” he said.
“Airlines are not likely buying any of these types of products now, but I think there’s probably some thinking along those lines right now as many might have to take losses as write-downs on their quarterly earnings and hope this doesn’t happen again,” he said. “There probably needs to be one airline making a trailblazing action on an insurance or derivative product — something that gets people talking about how to hedge against those losses in the future.”
The Promise of Technology
The field of workers’ compensation claims management seems ideally suited as a proving place for the power of technology.
Predictive analytics in the hands of pharmacy and medical management experts can give claims managers the data they need to intervene in troublesome claims. Wearables and other mobile technologies have the potential to give healthcare providers “real-time” reports on the medical condition of injured workers.
Never before have the goals of quick turnaround and transparency in managing claims appeared so tantalizingly achievable.
In the effort to learn more about technology’s potential, in September, Risk & Insurance® partnered with Duluth, Ga.-based Healthcare Solutions to convene an information technology executive roundtable in Philadelphia.
The goal of the roundtable was to explore technology’s promise and to gauge how advancements are serving the industry’s ultimate purpose, getting injured workers safely back to work.
Big Data, Transparency and the Economies of Scale
Integration is a word often heard in connection with workers’ compensation claims management. On one hand, it refers to industry consolidation, as investors and larger service providers seek to combine a host of services through mergers and acquisitions.
In another way, integration applies to workers’ compensation data management. As companies merge, technology is allowing previously siloed stores of data to be combined. Access to these new supersets of data, which technology professionals like to call “Big Data,” presents a host of opportunities for payers and service providers.
Through accessible exchange systems that give both providers and payers better access to the internal processes of vendors, a service provider can show the payer the status of the claim across a much broader spectrum of services.
“One of the things I see with all of this data starting to exchange is the ability to use analytics to predict outcomes, and to implement workflows to intervene.”
–Matthew Landon, Vice President of Analytics, Bunch CareSolutions.
“Any time that we can integrate with a payer across multiple products such as pharmacy, specialty and PPO services, what it does is gives us a better picture of the claim and that helps us to drive better outcomes,” said roundtable participant Chuck Cavaness, chief information officer for Healthcare Solutions.
Integration across multiple product lines also produces economies of scale for the payer, he said.
Big Data, according to the roundtable participants, also provides claims managers an unparalleled perspective on the cases they manage.
“One of the things that excites us as more data is exchanged is the ability to use analytics to predict outcomes, and to implement workflows to intervene,” said roundtable participant Matthew Landon, vice president of analytics with Lakeland, Fla.-based Bunch CareSolutions, A Xerox Company.
Philadelphia roundtable participant Mike Cwynar, vice president of Irvine, Calif.-based Mitchell International, agrees with Landon.
“We are utilizing technology to consolidate all of the data, to automate as many tasks as we can, and to provide exception-based processing to flag unusual activity where claims professionals can add value,” Cwynar said.
Technology is also enabling the claims management industry to have more productive interactions with medical providers, long considered one of the Holy Grails of better case management.
Philadelphia roundtable participant Jerry Poole, president and CEO of Malvern, Pa.-based claims management company Acrometis, said more uniform and accessible information exchange systems are giving medical providers access to see how bills are moving through the claims manager’s process.
“The technology is enabling providers to call in or to visit a portal to figure out what’s happening in the process,” Poole said.
Another area where technology is moving the industry forward, according to the Philadelphia technology roundtable participants, is mobile technology, which is being used to support adjustors and case managers and is also contributing to quicker return to work and lower costs for payers.
The ability to take a digital tablet to a meeting with an injured worker or a health care provider is allowing case managers to enter data and give feedback on a patient’s condition in real time.
“Our field-based case managers have mobile connectivity to our claims systems that they use while they’re out of the office attending doctor’s appointments, and can enter the data right there into the system, so they’re not having to wait until they are back at the office to enter critical clinical documentation,” said Landon.
Injured workers who use social media, e-mail and the texting function on their mobile phones are staying in better touch with those who are charged with ensuring that they are in compliance with their treatment plans.
Wearable devices that provide in-the-moment information about an injured worker’s condition have the potential to recreate what is known in aviation as the “black box,” a device that will record and store the precise physical state of an employee when they were injured. Such a device could also monitor their recovery process.
But as with many technologies, worker and patient privacy also needs to be observed.
“At the end of the day, we need to make sure that we approach technology enhancement that demonstrates value to the client, while ensuring patient advocacy,” Landon said.
As payers and claims managers set out to harness the power of computing in assessing an injured worker’s condition and response to treatment, the cycle of investment in companies that serve the workers’ compensation space is currently playing a significant role.
The trend of private equity investing in companies that can establish one-stop shopping for such services as medical case management, bill review, pharmacy benefit management and fraud forensics has huge potential.
The challenge now facing the industry, one the information technology roundtable participants are confident it can meet, is integrating those systems. But doing so won’t happen overnight.
“There’s a lot of specialization in the industry today,” said Jerry Poole of Acrometis.
Years ago there was a PT network. Now there’s a surgical implant guy, there’s specialized negotiations, there’s special investigations, said Poole.
The various data needs to be integrated into an overall data set to be used by the carriers to help lower the cost of risk.
Securing Sensitive Information
Long before hackers turned the cyber defenses of major national retailers inside out, claims management professionals have focused increased attention on the protection of data shared across multiple partners.
Information security safeguards are changing and apply to what technology pros refer to as “data at rest,” data that is stored on a particular company’s servers, and “data in flight,” data that is transferred from one user to another.
Mitchell’s Cwynar said carriers want certification that every company their data is being sent to needs to have that information and that both data at rest and data in flight are encrypted.
The roundtable participants agreed that the industry is in a conundrum. Carriers want more help in predictive analytics but are less willing to share the data needed to make those predictions.
And as crucial as avoiding cyber exposures and the corresponding reputational damage is for large, multinational corporations, it is even more acute for smaller companies in the workers’ compensation industry.
Healthcare Solutions’ Cavaness said the millions in loss notification and credit monitoring costs that impact a Target or a Home Depot in the case of a large data theft would devastate many a workers’ compensation service vendor.
“They’d be done in a minute,” Cavaness said.
The barriers to entry in this space are higher now than ever before, continued Cavaness, and companies wishing to do business with large carriers have the burden of proving that their security standards are uncompromising.
Workers’ compensation risk management in the United States is, by its very nature, complex and demanding. But keep in mind that those charged with managing that risk get better results year after year.
Technology has a proven capability to iron out the system’s inherent complications and take its more mundane tasks off of the shoulders of case adjustors.
This article was produced by the R&I Brand Studio, a unit of the advertising department of Risk & Insurance, in collaboration with Healthcare Solutions. The editorial staff of Risk & Insurance had no role in its preparation.