Last week the Supreme Court ruled 6-3 to uphold the Affordable Care Act’s (ACA) health exchange subsidy. What does the ruling mean for workers’ compensation going forward?

The ACA’s subsidy ruling has been a roller coaster ride for most of the major players in the healthcare industry. There were a lot of predictions and contingency talks to avert any impact, mostly negative, should the Supreme Court shut down the premium subsidy that supports millions of Americans. Based on projections by the Congressional Budget Office, the healthcare industry was bracing for a big shockwave potentially affecting close to 19 million insured Americans and adding more than $100 billion to the country’s deficit over a 10-year period. Sedgwick was in the front row watching how the subsidy ruling unfolded and anticipating how the market would react. With the ruling behind us, we anticipate that things will continue to move forward as they were for employers and the healthcare industry in general.

One notable sign that the healthcare industry is back on track is the sudden uptick in the healthcare mergers and acquisitions (M&A) scene. Over the last two years, the ACA has been the catalyst for much of the provider consolidation in the healthcare industry, and the subsidy lawsuit put a halt on this trend. Coincidentally and immediately following the subsidy ruling, news of mergers involving big insurers – including UnitedHealth Group, Anthem, Humana and Cigna – made headlines in the marketplace. Soon, the rest of the market will follow, including a projected surge in private exchanges and the continuous growth of accountable care alliances between providers. Further consolidation is anticipated in the healthcare sector to align with the new value-based healthcare model. Employers should examine how new relationships will affect continuity of care, including any potential cost implications. Nevertheless, the healthcare industry and workers’ comp will continue to work with the challenges of the aging workforce, shrinking access to care, cost-shifting and containing the rising healthcare cost now that the ACA provision continues.

The subsidy ruling came as a big relief to all parties involved, interestingly, including those who challenged the law. Unfortunately, however, the ACA’s road to maturity will continue to face tough political challenges down the road as the country’s leadership continues to shift. For now, a sense of normalcy and progressive movement is back in the healthcare industry. Overall, this new development should have a positive impact in workers’ comp; increased stability in the healthcare industry has a direct positive impact on the managed care services we provide our clients. We can now refocus all our energy toward keeping our workforce healthy and ready to return to work – until the next challenger to the law comes along…

Kimberly George, SVP, Corporate Development, M&A, Healthcare

Click here for more Sedgwick Connection posts on the Affordable Care Act

For ongoing discussion on ACA, workers’ compensation and healthcare reform, join our LinkedIn group Transforming Healthcare for Tomorrow


The United States Supreme Court has ruled in a 5-4 decision that same-sex couples have the right to marry anywhere in the United States. This decision just made life easier for employers and TPAs who are responsible for administering leaves. We can now uniformly apply the Family and Medical Leave Act’s (FMLA) definition of spouse (reflected below) regardless of where same-sex couples were married or reside, including in the states of Texas, Louisiana, Arkansas and Nebraska where a federal judge in Texas had previously placed an injunction on adopting the Department of Labor’s definition of spouse since these states did not recognize same-sex marriage.

“Spouse, as defined in the statute, means a husband or wife. For purposes of this definition, husband or wife refers to the other person with whom an individual entered into marriage as defined or recognized under state law for purposes of marriage in the State in which the marriage was entered into or, in the case of a marriage entered into outside of any State, if the marriage is valid in the place where entered into and could have been entered into in at least one State. This definition includes an individual in a same-sex or common law marriage that either:

(1) Was entered into in a State that recognizes such marriages; or

(2) If entered into outside of any State, is valid in the place where entered into and could have been entered into in at least one State.”

Reminders for employers:

  • Update FMLA policies if they currently include a detailed definition of spouse
  • Use caution in requiring proof of same-sex marriage if you do not require proof of marriage for opposite-sex spouses for purposes of taking leave
  • Train supervisors or anyone involved in the FMLA process on the change in definition, as some employees will be entitled to FMLA protection where they were not in the past
  • Remember this change does not impact state leave laws that provide leave for Domestic Partners or Civil Union partners; while the employee would not be eligible to take leave under the FMLA (only applies to legal same-sex marriages), they still may be allowed leave under state law

Sharon Andrus, Director National Technical Compliance, Disability Administration


During hospital and healthcare facility risk assessments around the country, we often hear nurses’ feedback about staffing challenges and heavy workloads. Is this perception or is it a reality that nurse staffing levels are impacting safety?

News reports and lawsuits related to nurse staffing issues suggest the problem is more than perception. It is important for risk and safety managers to be aware of staffing concerns in order to support nurses and help hospital management develop solutions. Identifying and maintaining an appropriate number and mix of nursing staff is critical to the delivery of safe patient care. At the same time, reductions in nursing budgets have resulted in fewer nurses working longer hours caring for sicker patients – and the problem may continue to increase as hospitals face challenges in recruiting and retaining adequate numbers of qualified nursing and other staff into the next decade and possibly longer.

Research suggests that improved nurse staffing has a beneficial effect on patient outcomes. Conversely, research shows that the likelihood of patient mortality in the hospital following a complication associated with failure to rescue increases by 7% for each additional patient added to the average registered nurse workload. A similar study focused on in-hospital cardiac arrest found a 4% decrease in the odds of survival for patients on hospital medical-surgical units with each additional patient per nurse.

Legislation requiring adequate nurse staffing at state and federal levels has been introduced in both the House and the Senate. The Registered Nurse Safe Staffing Act of 2014 (S. 2353) was introduced in the U.S. Senate on May 15, 2014 and was referred to the Committee on Finance. The bill requires unit-by-unit staffing plans and public reporting of the plans, but does not impose nurse-patient ratios. It also provides whistleblower protections for nurses and others who file a complaint for inadequate staffing. Additionally, some state boards of nursing have adopted rules of practice to protect nurses who believe they have been given an unsafe assignment. Currently, fifteen states and the District of Columbia have enacted legislation and/or adopted regulation to address nurse staffing.

How can hospitals and healthcare professional organizations address concerns about staffing shortages? In its report Workforce 2015: Strategy Trumps Shortage, the American Hospital Association (AHA) Long-Range Policy Committee developed recommendations and strategies that include:

  • Hospital work redesign to maximize efficiency, effectiveness and staff satisfaction
  • Retention of existing workers, some of whom are near retirement
  • Attracting a new generation of workers to replace a large group of retiring workers

Redesigned work models are most successful when developed by nursing staff at the bedside in collaboration with leadership, and when they consider patient care needs, staff skills and competencies and hospital characteristics. In 2003, the Institute for Healthcare Improvement and the American Organization of Nurse Executives launched the Transforming Care at the Bedside Project (TCAB), funded by The Robert Wood Johnson Foundation, in an effort to improve hospital patient care and work environment by empowering front-line nurses to implement innovative practices on their units. Since that time, hospitals across the country and internationally have been applying TCAB principles and processes in their work. A toolkit containing best practice policies to involve staff, generate ideas and set goals to increase excellence of care and efficiency was created by 10 hospitals that participated in TCAB.

The Workforce 2015: Strategy Trumps Shortage report also encourages adoption of tools such as TeamSTEPPS to improve communication and support redesigned healthcare teams to accomplish work in a more effective and efficient way. Sedgwick’s Healthcare Risk Management team provides TeamSTEPPS training and coaching for teams in hospitals, long-term care and outpatient facilities and physician practices.

Whether perception or reality, hospital staffing concerns must be heard and resolved. Research demonstrates the strong correlation between lower nurse-to-patient ratios and improved patient and nurse satisfaction, better care outcomes and error reduction. Risk and safety leaders have an opportunity to collaborate with nurses at the bedside to create innovative strategies and develop solutions to build a safer environment for patients and nurses.

Ann Gaffey, RN, MSN, CPHRM, DFASHRM, SVP, Healthcare Risk Management and Patient Safety and Cynthia Hartsfield, BSN, RN, MA, CPHRM, contributor and former Sedgwick Healthcare Risk Management Consultant


Over the last several years, I’ve been talking about how medical marijuana will ultimately become an issue in workers’ compensation and, with several cases we’ve seen across the country, this has become a reality. In each of my pieces, there is always a note that, even though states are moving to legalization (currently 23 states, the District of Columbia and Guam), the possession of medical marijuana remains a federal crime as it is a schedule I substance under the Controlled Substances Act (CSA). However, over the last couple of years, things have been changing very quickly relative to the federal government’s position on medical marijuana. It’s not just the President’s comments or revised Department of Justice policies that have raised the possibility the federal government is going down a path that could ultimately legalize medical marijuana; other areas of government are taking action too.

The two primary ways to change the scheduling of marijuana are congressional action or administrative action; there have been moves on both fronts that bear watching.

The Compassionate Access, Research Expansion and Respect States Act (CARERS), Senate Bill 683, was introduced in the U.S. Senate on March 10, 2015 by Rand Paul (R-KY), Cory Booker (D-NJ) and Kirsten Gillibrand (D-NY). Barbara Boxer (D-CA) joined as a co-sponsor on March 17, 2015. The major aim of the six-part legislation is to reclassify marijuana under the CSA from schedule I to schedule II in recognition that the substance has some medical uses. In addition, this bill would permit interstate commerce in cannabidiol (CBD) oils, allow banks to provide checking accounts and other financial services to marijuana dispensaries, allow Veterans Administration physicians to recommend medical marijuana to veterans and eliminate barriers to medical marijuana research. The bill is currently pending in the Committee on the Judiciary.

The 1,603-page $1.1 trillion federal omnibus spending bill signed into law by President Obama on December 16, 2014, provides in Section 538 that none of the funds made available to the Department of Justice could be used to prevent states listed from implementing their own state laws that authorize the use, distribution, possession or cultivation of medical marijuana. To block implementation of the recreational marijuana initiative voters in the District of Columbia approved during the November 2014 election, Section 809 of the bill prohibits the use of federal or any other funds contained in the bill to legalize or otherwise reduce penalties associated with the possession, use or distribution of marijuana.

The process for administrative rescheduling is specified by 21 USC 811. The Attorney General on his or her own or through the Drug Enforcement Administration (DEA) requests a scientific and medical evaluation and recommendation to determine whether a drug should be scheduled, rescheduled or removed from control entirely. Bloomberg Business reported June 2014 that the Food and Drug Administration (FDA) is studying, at DEA request, whether the classification of marijuana should be changed. A presentation prepared March 2015 by the FDA on its work on medical products containing marijuana describes the FDA’s role in scheduling and indicates that scientific review of public data and an 8-factor analysis is ongoing.

Previous requests to reschedule marijuana were denied due to a lack of existing scientific and clinical evidence to warrant the change. The National Institute on Drug Abuse (NIDA), part of the National Institutes of Health, grows marijuana for approved research in partnership with the University of Mississippi. Last year the DEA increased NIDA’s production quota from 46.3 pounds to 1,433 pounds, citing urgent need for research. Reportedly of the 100 grants for marijuana research, at least 28 studies are of the plant’s potential therapeutic uses in treatment of pain, inflammation, seizures, autoimmune disease and addiction.

Federal action on marijuana is at a crossroads. Not only do we have a new Attorney General with the swearing in of Loretta Lynch on April 27, 2015, but a new DEA Chief will also be named to replace Michele Leonhart, who resigned on April 21, 2015. During confirmation hearings, Ms. Lynch testified that she is opposed to the legalization of marijuana. It remains to be seen what changes in policy will occur during her tenure.

In the meantime, employers contending with this complex and rapidly changing issue can refer to the guidance published in the April 2015 issue of the Journal of Occupational and Environmental Medicine. The report jointly prepared by the American College of Occupational and Environmental Medicine (ACOEM) and the American Association of Occupational Health Nurses (AAOHN) addresses temporary impairment as it relates to the workplace, discusses prevention of injuries related to impairment and suggests various strategies available to employers for monitoring workers for marijuana use.

Darrell Brown, Chief Claims Officer


Fall prevention has been one of the most challenging issues facing providers of healthcare for as long as, well, for as long as there have been providers of healthcare.

Not only do falls have serious impacts on patients, but healthcare facilities themselves are impacted negatively by falls. A Centers for Medicare & Medicaid Services (CMS) Final Rule in 2007 meant hospitals no longer receive payments for treating injuries resulting from in-hospital falls.

Not only are Americans living longer, but their list of co-morbidities is growing longer and the potential for falls is increasing as well. Those most vulnerable among us are receiving care from facilities experiencing intense regulatory, financial and ethical pressure to prevent falls. Thought leaders, experts on falls and healthcare providers are analyzing data and outcomes in an attempt to identify effective and ineffective means of fall prevention.

One device which has recently come under scrutiny is the personal alarm. Personal alarms have been in widespread use for approximately 25 years, since the federal mandate in the Omnibus Reconciliation Act of 1987 restricting the use of restraints in nursing facilities went into effect in October 1990.

Personal alarms can come in several forms:

  • A magnet or pull-pin clipped to an item of clothing, which is activated when the person moves forward or otherwise pulls on the cord
  • Pressure-sensitive pads placed in the seat of the patient’s chair or on the mattress, which are activated when the patient lifts off the pad
  • Pressure-sensitive mats placed on the floor, which become activated when a person steps on the mat
  • Light beams directed on the bed or across a doorway which activate when the beam is crossed

Personal alarm use presents several challenges requiring vigilant monitoring by caregivers. Patient compliance is a very common issue. It doesn’t take very much initiative to learn how to turn off the alarms, and many do. The alarms depend on batteries in order to function and sometimes the batteries are not replaced in a timely manner. Caregivers turn the alarms off while providing care and sometimes forget to turn them back on. Let’s not forget that the costs of the devices can be quite high as well.

One major criticism for the use of alarms is this: once the alarm has been activated, the patient is already on the move. Therefore, to intervene in a potential fall, the caregiver must be close enough in proximity to the patient to reach them in time to prevent the fall. Even if close in proximity when an alarm sounds, a caregiver may well be in the midst of providing care to another patient and unable to respond immediately.

In addition to the questionable effectiveness of personal alarms, some facilities have identified another motivation for eliminating their use: to reduce a culture of “institutionalization” in favor of a culture more conducive to a “living center.” High-pitched piercing alarms are not very fitting for an environment such as a living center.

Some facilities report programs that have eliminated alarms with no increase in falls or serious injury. The Hebrew SeniorLife Center in Roslindale, MA has done so for its facility of 600 residents by implementing “purposeful rounding.” Purposeful rounding entails more than simply poking one’s head in the room of a patient/resident for a visual check. It involves posing a series of questions related to the individual’s bathroom, hunger, thirst and pain needs and responding accordingly.

Medina Memorial Hospital, a hospital-based skilled nursing facility in Medina, New York, is another facility reporting successful alarm elimination by focusing on each specific resident’s daily life pattern and initiating care plans to address that individualized pattern.

Resources for assistance/tips/guidelines to reduce falls and alarms are growing as well. The Pioneer Network is a nonprofit advocacy group committed to promoting a move “away from institutional provider-driven models to more humane consumer-driven models” in a long-term care culture change movement. Their Starter Toolkit is worth checking out for practical advice in engaging all staff members when implementing practice changes.

Action Pact, another organization committed to culture change in long-term care, is offering a workshop, Eliminating Alarms and Preventing Falls by Engaging with Life. The workshop will take place in San Antonio, TX on June 16, 2015.

The evidence to support “no” as the answer to the use of alarms is increasing. The stakes have never been higher than they are today, as evidenced by increasing regulatory, financial and ethical motivational factors to reduce or eliminate the use. Is your facility/organization considering an answer to the question of alarm use?

Deborah McElhannon, RN, LNCC, RN Consultant Lead – PL


Although fires only represent a small fraction of trucking accidents, they can be deadly and costly.

In the fire investigation industry, the cause of a truck fire often relates to preventative maintenance or lack thereof. In fact, the most common causes for truck fires that I have investigated can be broken down into two categories:

  • Wheel, brake or tire failures
  • Hose or wiring insulation failure

In both categories, many of these failures are preventable with proper preventative maintenance. Rigid preventative maintenance inspections that ensure proper lubrication in the wheel bearings and identify any leaks can reduce the risk of a frozen or locked bearing. The National Transportation Safety Board states that “daily inspection of hub oil levels and wheel seals is vital to prevent wheel bearing failure and that bypassing this requirement is a dangerous practice that can lead to a wheel fire or other serious consequences.” Tires in poor condition or severely underinflated also pose a fire risk as does a faulty brake system. Dragging brakes, for example, can produce significant heat and may not be readily identifiable to the operator, who continues to drive the truck unaware of a problem with the brakes. A carefully inspected brake system can significantly reduce the risk of fire incidents.

Likewise, taking the time to check fluid hoses or wiring insulation for cracking and general degradation is an important procedure. However, emphasis should be placed on identifying areas where hoses or electrical cables are in direct contact with another object. Hidden damage at the point of contact, caused by vibration and abrasion, may be identifiable on a hose or cable that otherwise looks to be in excellent condition. Figure 1 depicts an electrical failure of the positive battery cable. In this case, the positive battery cable was routed adjacent to a battery ground cable. The point where the battery cables intersected resulted in long-term abrasion of the insulation. Once the insulation for both cables was compromised, the electrical fault occurred and caused this fire.

Figure 1: An electrical failure of the positive battery cable. During inspection, identify areas where hoses or electrical cables are in direct contact with another object.

The trucking company in this case asked me to inspect other trucks at their facility. In nearly every case, the visible inspection of the cable insulation would have passed a routine preventative maintenance inspection, as the visible insulation was in good condition. However, closer inspection at the contact point between the positive cable and ground cable identified several instances of severely damaged insulation.

In addition to a closer inspection of potential contact points, the mechanic should also pay particular attention to hoses, wiring insulation, harnesses and wiring looms located in close proximity to hot surfaces, such as at or near the turbocharger or downstream as the exhaust piping exits the engine compartment. It is important to not only inspect these items, but also any heat shields installed by the manufacturer to protect combustible materials from these hot surfaces. Were heat shields properly re-installed after a recent service, damaged or not re-installed at all?

Although fires only represent a small fraction of trucking accidents, they can be deadly and costly. To avoid this situation, a thorough preventative maintenance program that addresses these primary fire hazards may further reduce your risk of a catastrophic fire loss. Are you protecting your fleet from these potential hidden dangers? If you have additional questions please feel free to leave your comments or contact us for more information.

Michael Hoffman, IAAI-CFI, District Manager
Unified Investigations & Sciences | a Sedgwick company


Managing drug samples in a physician’s office or ambulatory care clinic requires a system of checks and balances to help prevent medication errors and adverse drug events, establish a tracking system for alerts and recalls to comply with federal laws and regulations, and protect from loss of inventory/pilferage. Also, medication dispensing should be held to equivalent standards of care whether done by a provider office or a pharmacy. Some organizations have stopped distributing sample medications in their provider offices to eliminate the need to manage them or to avoid any legal and ethical issues that can arise when free samples are provided by pharmaceutical company representatives. Others have deemed that the economic benefits to patients and the convenience of starting drug therapy at the time of the visit outweigh the time and effort needed to manage the samples and put sample control systems in place.

The patient safety and liability risks of drug samples include:

  • Improper labeling
  • Medication errors
  • Incomplete patient monitoring
  • Lack of appropriate tracking
  • Inattention to expiration dates
  • Theft

While handling of pharmaceutical samples by physician offices is largely unregulated, state medical practice acts generally allow physicians and certain other providers with prescribing authority to dispense drugs from their offices. However, from a risk management and patient safety perspective, physician offices that dispense samples need to be sure that patient education is provided and that samples are kept secure from patients and staff who are not authorized to prescribe and dispense them. This is an often-neglected function that Sedgwick consultants find when assessing office practices. Frequently, safeguards are not in place and there is a lack of understanding of safe drug sample management.

Sedgwick’s Drug Sample Management Guidance Toolkit offers recommended practices and action steps; see excerpt below.

[Image: excerpt from the Sedgwick Drug Sample Management Guidance Toolkit]

Sample medications can be important to many patients when managing their health. Whether due to financial issues, limited access to a medication while waiting for a prescription renewal or for the purpose of evaluating the effectiveness of a newly prescribed medication, many physicians feel strongly about providing sample medications to their patients. When managed as outlined above, the handling and distribution of sample medications can be a win-win for patients and providers.

For more information about the Drug Sample Management Guidance Toolkit, contact HealthcareRM@sedgwick.com.

Kathy Shostek, RN, ARM, FASHRM, CPHRM, CPPS, Vice President, Health Care Risk Management


Recently there has been a lot of discussion – in the media and throughout the industry – about the California independent medical review (IMR) process. Introduced to the workers’ compensation system in California as part of Senate Bill 863, IMR serves as a way to fortify utilization review (UR) decisions and reduce frictional allocated loss adjustment costs. A similar process has been used for more than a decade in the group health arena. IMR offers the injured worker a sole remedy for contesting a UR denial. A physician, rather than an administrative law judge, evaluates medical guidelines to determine if the UR was conducted properly.

Since the injured worker can request IMR for each UR denial, the demand proved to be greater than what the state of California originally anticipated. Since its inception in July 2013, more than 315,000 IMR requests have been made for all dates of loss industry-wide. Sedgwick receives approximately 2,000 IMR requests each month from injured workers. Maximus, the contractor for the state of California, has been working to keep up with the demand. Early in the process, they were completely overwhelmed and as a result IMRs took longer than the 30-day turnaround time required in the statute. Maximus has recently ramped up its operations and asserts that it can keep up with the heavy demand.

Across our industry, most IMR determinations currently uphold the original UR denials; this is in stark contrast to the days before the inception of IMR, when most UR denials contested by injured workers were ultimately overturned by judges or agreed/qualified medical evaluators through an often prolonged, expensive and litigious process. In large part thanks to IMR, employers and carriers can successfully uphold the denial of inappropriate medical care. The largest piece of the IMR pie – nearly 45% – relates to decisions about medications. About 86% of IMR decisions uphold the original UR determinations.

A number of plaintiff attorneys in California are attempting to discredit IMR as unconstitutional on the grounds that it removes the judicial branch from the process. They argue that UR and IMR serve to deny necessary care to injured employees. Recent studies show that more than 94% of medical treatments requested in California are approved; only 5.9% of requests become eligible for the IMR process.

Sedgwick has prepared a resource document outlining the IMR process and including statistics regarding the demand for and results of IMR. If you have questions or comments, please feel free to post them here or contact me.

Eddy Canavan, VP, Workers’ Compensation Practice & Compliance


Data security, or cyber security, is and has been on everyone’s minds now for some time. The hits just keep coming even as organizations step up their efforts to keep data protected. In the area of healthcare, it is especially true that you would want to keep personal health records protected and out of the “bad guys’” hands.

You may think you have taken the steps needed to protect your company’s data. Let’s ask some questions and let your answers guide you to your own conclusion. How does your data security currently stack up?

1) Do you think your annual SAS 70/SOC1 is the best tool to audit data protection compliance? No, that standard is too low.

Your Statement of Controls (SOC – the audit that replaced the earlier SAS 70) attests primarily to workflow associated with financial impacts. While some data protection controls are covered in the SOC1, they are woefully insufficient to assure your board, your management or your clients that your data protection practice has been objectively reviewed. The International Organization for Standardization (ISO) 27001 certification is the gold standard for international-caliber data protection. SOC2 and SOC3 attestations are a step in the right direction, but the ISO 27001 is more mature and accepted internationally.

Does your firm certify to the ISO 27001:2013 standard? Do your vendors?

2) Do you think antivirus software is the best protection against malware? No, that standard is too low.

Today’s malicious software differs radically from the viruses of just a few years ago. Traditional antivirus software relies on signatures, so it can only stop what it has already seen; modern malware is built to change itself (repacked, polymorphic or freshly compiled for each victim) precisely so that it never matches a signature. Application whitelisting turns the model around: instead of blocking what is known to be bad, it denies execution of anything that is not on an approved list (by hash, publisher signature or path), so a never-before-seen binary is blocked by default. It is quickly replacing, or at least supplementing, antivirus software on the workstations and servers of the best data protection organizations.

Does your firm use application whitelisting software on every workstation? Do your vendors?
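To make the difference concrete, here is an added illustration (not code from the original post and not Sedgwick’s tooling) that puts a signature-based blocklist and a hash-based application whitelist side by side. All file names and file contents are constructed for the example; the “malware” is inert byte strings written to a temporary directory. The approved binary is inventoried from a golden image first; then a repacked copy of a known dropper, an unreviewed tool and a trojanised copy of the approved client arrive, and each control is asked whether the file may run.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large binaries never have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(root: Path) -> dict:
    """Inventory an approved software root: relative path -> SHA-256.
    In a real deployment this is generated from a golden image and signed."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def antivirus_decision(path: Path, signatures: set) -> str:
    """Signature antivirus is default-allow: block only hashes seen before."""
    return "BLOCK" if sha256_file(path) in signatures else "ALLOW"


def allowlist_decision(path: Path, allowlist: dict) -> str:
    """Whitelisting is default-deny: run only hashes an administrator approved."""
    return "ALLOW" if sha256_file(path) in set(allowlist.values()) else "BLOCK"


def run_scenario() -> dict:
    """Constructed scenario (hypothetical file names and contents): one approved
    application, one dropper the AV vendor has a signature for, and three files
    that show up later. Returns the verdict each control gives for each file."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        bin_dir = root / "bin"
        bin_dir.mkdir()
        approved = bin_dir / "claims_client.exe"
        approved.write_bytes(b"MZ" + b"claims client build 4.2 " * 100)
        allowlist = build_allowlist(root)          # taken from the golden image

        known = root / "known_dropper.exe"
        known.write_bytes(b"MZ" + b"dropper build 1 " * 100)
        signatures = {sha256_file(known)}          # what the AV vendor has seen

        # Next week's arrivals: the same dropper repacked (one byte differs),
        # a tool nobody reviewed, and the approved client with a backdoor appended.
        repacked = root / "dropper_v2.exe"
        repacked.write_bytes(known.read_bytes() + b"\x00")
        unreviewed = root / "helper.exe"
        unreviewed.write_bytes(b"MZ" + b"unreviewed helper " * 100)
        trojanised = root / "claims_client_patched.exe"
        trojanised.write_bytes(approved.read_bytes() + b"<backdoor>")

        samples = {
            "approved_client": approved,
            "known_dropper": known,
            "repacked_dropper": repacked,
            "unreviewed_tool": unreviewed,
            "trojanised_client": trojanised,
        }
        return {name: {"antivirus": antivirus_decision(p, signatures),
                       "whitelist": allowlist_decision(p, allowlist)}
                for name, p in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:18} antivirus={verdict['antivirus']:5} whitelist={verdict['whitelist']}")
```

Only the pristine approved client is allowed by the whitelist; the antivirus waves through everything except the one sample it already has a signature for. The caveat is operational: pure hash rules must be regenerated with every patch, which is why production products (Microsoft AppLocker, for instance) also offer publisher-certificate and path rules. Prefer hash and publisher rules; a path rule is only as strong as the write permissions on that path.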

3) Do you think your security policies will protect you? No, that standard is too low.

Security policies are administrative controls: things your employees are supposed to do but may not actually be doing. Technical controls (controls enforced by the systems themselves, such as access restrictions, encryption and logging) are critical to enforce what you intend to happen. Policies should guide your technical controls, but by themselves they are not sufficient and offer little real protection.

Does your compliance and security team emphasize technical controls over administrative controls and policies? Do your vendors?

4) Do you think penetration testing is the best way to double check your internet-facing software so it can’t be hacked? No, that standard is too low.

Your software, any software, has errors and flaws buried deep in its code just waiting to eat you alive. Many of these flaws never surface in standard testing, because a penetration test or functional test only exercises the code paths that happen to run during the test. Static and binary code analysis tools examine the logic of ALL of the code in an application, including branches and error paths that no test ever reaches, and report the vulnerabilities they find there.

Does your company use static or binary code analysis software on the applications it builds and buys? Do your vendors?
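The coverage gap described above can be shown with a small added example (written for this edit; it is not Sedgwick’s code and not a real analysis product). A constructed, hypothetical report-export function has a rarely used legacy branch that passes user input into a shell command. A dynamic pass runs the function the way a typical test would and records which lines actually executed; a static pass walks the syntax tree and flags every dangerous sink that receives a non-constant argument, whether or not that line ever ran. The scanner goes slightly beyond the text in that it also understands the `shell=True` case of `subprocess` calls; a commercial binary analyzer does the same job on compiled code with far more rules.

```python
import ast
import sys

# Constructed sample application code (hypothetical; not Sedgwick's software).
SAMPLE_SOURCE = """\
import os

def export_report(report_id, fmt="pdf"):
    # Common path: the one every functional test and pen test exercises.
    if fmt == "pdf":
        return "render:%s.pdf" % report_id
    # Legacy branch nobody tests: user input goes straight into a shell command.
    if fmt == "legacy":
        return os.system("legacy_export " + report_id)
    return None
"""

# Sinks that treat their first argument as code or as a shell command line.
CODE_SINKS = {"eval", "exec", "os.system", "os.popen", "pickle.loads"}
SUBPROCESS_SINKS = {"subprocess.call", "subprocess.run", "subprocess.Popen",
                    "subprocess.check_output", "subprocess.check_call"}


def _qualified_name(node):
    """Turn a `pkg.mod.func` call target into a dotted string, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualified_name(node.value)
        return f"{base}.{node.attr}" if base else None
    return None


def _shell_true(call):
    """subprocess.* is only a shell sink when called with shell=True."""
    return any(k.arg == "shell" and isinstance(k.value, ast.Constant)
               and k.value.value is True for k in call.keywords)


def static_findings(source: str) -> list:
    """Static pass: inspect every call in the source, executed or not.
    Reports (line, sink) where a sink receives a non-constant argument."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _qualified_name(node.func)
        is_sink = name in CODE_SINKS or (name in SUBPROCESS_SINKS and _shell_true(node))
        if is_sink and node.args and not isinstance(node.args[0], ast.Constant):
            findings.append((node.lineno, name))
    return findings


def dynamic_coverage(source: str, func_name: str, *args) -> set:
    """Dynamic pass: run one function under a line tracer and return the set
    of source lines that actually executed (what a test or pen test 'sees')."""
    namespace = {}
    exec(compile(source, "<sample>", "exec"), namespace)
    executed = set()

    def tracer(frame, event, arg):
        if frame.f_code.co_filename != "<sample>":
            return None                       # ignore frames outside the sample
        if event == "line":
            executed.add(frame.f_lineno)
        return tracer

    sys.settrace(tracer)
    try:
        namespace[func_name](*args)
    finally:
        sys.settrace(None)
    return executed


def gap_analysis() -> dict:
    """Compare what static analysis flags with what a typical test exercised."""
    findings = static_findings(SAMPLE_SOURCE)
    covered = dynamic_coverage(SAMPLE_SOURCE, "export_report", "123")
    return {
        "static_findings": findings,
        "lines_covered": sorted(covered),
        "uncovered_findings": [f for f in findings if f[0] not in covered],
    }


if __name__ == "__main__":
    print(gap_analysis())
```

The test run exercises only the PDF branch, so the `os.system` call on line 9 of the sample is never executed and a dynamic-only assessment has no way to see it; the static pass reports it regardless. That is the practical argument for running code analysis alongside penetration testing rather than relying on either alone.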

5) And last but not least, do you think HIPAA is the data protection standard to meet? I think you know the answer! No, that standard is too low.

HIPAA requirements tend to pick and choose what to protect and often require only relatively loose technical protections; many of the Security Rule’s technical safeguards are “addressable” rather than required. Healthcare data security should look more like that of large financial institutions: multiple layers of security around everything, and rigorous frameworks designed to protect both data in transit (transactions) and data at rest. Shoot for data protection comparable to the big banks in your systems; you’ll not only meet HIPAA requirements, you’ll dramatically reduce your risk of a data breach.

Does your company align to the financial industry’s standards for data storage, transmission and destruction? Do your vendors?

Do you get the idea by now? Say it with me…if you think your standard protections are enough, no that standard is too low! I may sound like a broken record, but in all seriousness (and this is a very serious issue) you must be vigilant; when you think you have done all you can do, dig deeper and find out how you can do more to protect your data and your employees’ or clients’ data.

I would be interested to hear your thoughts, concerns or suggestions on other ways companies can work to protect their data. Let’s start a dialogue; share your perspective in the comments.

Robert Jackson, SVP, Information Security Officer


On Wednesday at the RIMS annual conference in New Orleans, I’ll be moderating and contributing to an important session with Gert Cruywagen, a senior risk executive from a South African hotel and casino enterprise, and Betty Simkin, a leading finance and risk professor from Oklahoma State University who recently co-authored a significant text on case studies in successful “progressive” risk management. The session will highlight stories reflecting alternate versions of risk management maturity and success in the discipline.

[Image: strategic risk pyramid]

I use the term “progressive” because whether you practice “enterprise risk,” “strategic risk” or “integrated risk,” it is my view that it all boils down to what “risk management” should always have been. In other words, while so much of the history of the discipline has revolved around the insurance mechanism as the primary, often exclusive, source of risk “treatment,” the most significant results achieved by risk leaders have more often been outside this box and involved risks (often strategic and operational) that do not lend themselves to insurance treatment. That said, the insurance and self-insurance mechanisms and strategies remain a very important tool in the arsenal of leading, accomplished risk professionals.

This session will begin with a brief state-of-the-union review of risk management around the world. We will highlight, among other things, the RIMS risk maturity model that was so thoughtfully developed several years ago by a group of risk leaders with their own success stories, who thoroughly vetted the seven components of “risk maturity” that they believe are most impactful in producing meaningful results for companies. Consider employing many, or even all, of these techniques to influence your own risk management program’s results. These techniques include:

  • A truly enterprise-wide approach to risk management
  • Use of repeatable and scalable processes
  • Use of a risk appetite framework and/or strategy
  • Use of root cause analysis
  • Attention to emerging risks and exposures
  • Use of a risk-performance approach
  • Emphasis on building and sustaining a resilient enterprise

Of course, there are many sources for defining risk maturity, each of which has its own take on this question; that diversity is what makes the discipline so vibrant and dynamic. As I like to say, there is no single approach that leads to great results. With that in mind, we’ll also be talking about the prevailing opinions and concerns of senior leaders and boards of directors, as shown in recent research, with respect to what they look for in risk management functions and leaders, and where the current opportunities lie in their organizations; we’ll look at what these stakeholders have to say about successful, mature and results-oriented risk management. While most stakeholders take a more narrow view of this question tied to their area of expertise and focus, the success of all risk management functions is highly dependent on a strategy that engages and leverages the views and talents of key risk stakeholders throughout an organization when developing and deploying a risk strategy and the many tactics that bring that strategy to life.

So while risk maturity implies success, not everyone can claim a successful experience. We’ll delve into the pitfalls to be avoided in pursuing risk management excellence, enabling attendees to learn from the mistakes of others, mine included. You may have a “mature” risk program that succeeds slowly over time rather than producing the marquee results that matter most to many organizations. Any strategy deployed for any length of time will have its share of accomplishments, but “success” is really in the eye of the beholder. To that point, understanding who your stakeholders and key constituents are is critical to true successful maturity, a term we’ll define and refine. We’ll clarify what success looks like by exploring the set of elements that mean the most to the typical key risk stakeholder community. Here’s a peek at the elements I think are most impactful and important to senior leaders and boards:

  • Process consistency
  • Process rigor
  • Semantic interpretability
  • Communication clarity
  • Balanced measurability
  • Downside protection as job 1
  • Value creation
  • Embedded risk culture
  • Managing to appetite parameters
  • Aligning, if not integrating with, strategy and objectives

Of course as all risk leaders know, the discipline is daily faced with challenges and opportunities. In fact, most challenges are opportunities to be accepted if not exploited. We’ll spend some time addressing both. Attendees will leave with a clearer sense of not only what risk management success really should mean, but how several successful organizations have, in their own unique ways, achieved a level of successful maturity that works for them. And if no other point lands on solid ground with attendees at this session, it is that there is no one right way; if you don’t build your risk strategy and framework around the priorities of your organization, you’ve likely missed the boat.

Hope to see you at our session on Wednesday from 11:30-12:30, room 222 in the convention center.

Chris Mandel, SVP, Strategic Solutions