Monthly Archives: February 2015

The Healthcare Data Security Wake-Up Call (Anthem Hack)

Hackers are continuing to take advantage of comparatively soft healthcare data security to score major breaches, the latest one being the 80 million-record breach at insurance giant Anthem. Everyone in the healthcare industry, from doctors and hospitals to insurers and government agencies, needs to understand that they have joined the ranks of retailers, banks, and credit card companies as high-value targets.

If it weren’t clear already, the healthcare industry is vulnerable to data breaches. Years of complacency and a flawed belief that their data systems offered nothing of value to hackers have resulted in security that is well behind that of such traditional hacking targets as retailers and banks. Following the paths of least resistance, hackers are turning their attention to these softer targets.

As the Anthem breach shows, healthcare entities have information that is valuable to hackers, such as Social Security numbers and credit card numbers. The Anthem hackers could access this data but did not collect data about patient diagnoses, treatments, or insurance claims. However, the Sony Pictures breach of 2014 showed that exposing personal health information can be just as damaging to the victims. It’s only a matter of time before some enterprising hacker makes money from healthcare data and targets these already less-secure systems.

Get Serious about Healthcare Data Security

The time has come for the healthcare industry to work together and take data security seriously. If nothing is done, or if efforts are haphazard and uncoordinated, the problem will only get worse, especially as more entities get on board with electronic health records (EHRs). EHRs can be a treasure trove of information for hackers if current security practices persist.

Here’s a modest proposal: The credit card industry already has rigorous standards for data security (called the Payment Card Industry Data Security Standards, or PCI-DSS), and any organization that accepts credit- or debit-card payments must adhere to these standards. Many healthcare entities are already required to comply with PCI-DSS for their payment-related systems, and these standards could and should apply to healthcare data systems as well. The basic principles are the same: up-to-date firewalls, operating systems and software; role-based access control; strict control over what data can be stored and how it is protected; and annual certification to ensure the standards continue to be met.

Yes, this level of effort will cost money to implement and maintain. But the costs of complacency are much higher, both for the patients who are victims and the healthcare providers who get hacked. Security of healthcare data cannot be an afterthought anymore.

Preparing for eDiscovery

Federal and state investigations and audits, plus civil actions, may require businesses to preserve electronic information for electronic document discovery, or eDiscovery. Some reach across international borders, which introduces complications to the data preservation and eDiscovery processes. Businesses subject to these laws and regulations are advised to prepare their systems and personnel ahead of time, so audits and investigations can be conducted smoothly and without damaging the evidence.

All businesses in the U.S. are subject to some level of regulatory and statutory requirements, and all businesses are vulnerable to lawsuits. Enforcement of the laws and regulations can bring auditors, inspectors, lawyers, and investigators who will all want to look at evidence, both in paper and electronic documents. Hoping that one will not be subject to a civil, criminal or regulatory action does not constitute advance planning, and being unprepared can lead to charges of obstruction. How should businesses prepare for eDiscovery?

Have a response plan. Just as every business should have a disaster recovery plan and a response plan for data breaches, every business should also have a plan and a team to respond to surprise audits, criminal investigations and other actions that require eDiscovery. A senior IT person should be a part of this team—someone who knows where the data is stored and can take actions toward data preservation.

Know how to gather data safely. The corporate general counsel should be familiar with best practices for gathering and preserving data in a way that preserves the metadata, or information about the emails and other files being gathered, such as creation and access dates. Software-based eDiscovery tools can be invaluable here, because they are specifically designed to preserve both document content and metadata, and can help investigators index and tag documents to eliminate those that are not relevant to the investigations.
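As an added illustration of what "preserving the metadata" means in practice (this is example code written for this page, not a tool from iBridge or the post's author), the routine below records each file's filesystem timestamps and a SHA-256 hash before the content is touched, copies the file with timestamps preserved, and re-hashes the copy so the manifest shows the evidence was not altered in transit. The custodian directory, file names and the back-dated timestamp are all constructed here for the demonstration; real collections would also capture ownership and the collector's identity, which this example omits.

```python
"""Added example: a minimal preservation collection with a verification manifest.
All paths and sample files are constructed inside demo(); nothing here refers to
a real custodian or matter."""
import hashlib
import json
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_of(path: Path, chunk: int = 1 << 16) -> str:
    """Hash a file in chunks so large mailbox exports do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def collect(source: Path, destination: Path) -> List[Dict]:
    """Copy every file under `source` into `destination`; return the manifest rows."""
    manifest: List[Dict] = []
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        # Capture stat() before hashing: reading the file can update atime.
        st = path.stat()
        record = {
            "original_path": str(path),
            "size": st.st_size,
            "mtime": st.st_mtime,
            "atime": st.st_atime,
            "ctime": st.st_ctime,  # recorded for the log; a copy cannot preserve it
            "sha256": sha256_of(path),
        }
        target = destination / path.relative_to(source)
        target.parent.mkdir(parents=True, exist_ok=True)
        # copy2 copies content plus permission bits and mtime/atime.
        shutil.copy2(path, target)
        record["copied_path"] = str(target)
        record["copy_sha256"] = sha256_of(target)
        record["copy_mtime"] = target.stat().st_mtime
        record["verified"] = (
            record["copy_sha256"] == record["sha256"]
            and abs(record["copy_mtime"] - record["mtime"]) < 1e-3
        )
        manifest.append(record)
    (destination / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def demo() -> List[Dict]:
    """Build a constructed sample custodian directory and collect it."""
    root = Path(tempfile.mkdtemp(prefix="ediscovery_"))
    src, dst = root / "custodian", root / "evidence"
    (src / "mail").mkdir(parents=True)
    (src / "mail" / "2014-11-03.eml").write_text("Subject: constructed sample\n")
    (src / "notes.txt").write_text("constructed sample document\n")
    # Back-date one file so the run shows that timestamps survive the copy.
    old = 1_400_000_000
    os.utime(src / "notes.txt", (old, old))
    return collect(src, dst)


if __name__ == "__main__":
    for rec in demo():
        print(rec["original_path"], rec["sha256"][:12],
              "verified" if rec["verified"] else "MISMATCH")
```

The manifest is the piece an investigator will ask for: it ties each copy to the original's hash and timestamps, so a question about whether a document was changed after collection can be answered from the record rather than from memory.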

Do not forget about audio and video evidence. Audio and video files, such as voicemails and audio- or video-recorded meetings, are more difficult to deal with from a discovery standpoint, because someone must watch or listen to them. However, speech-recognition tools can help here too.

Prepare for cross-border investigations. For data stored outside of the U.S., there are additional considerations for staying out of trouble. Some countries have stringent restrictions on what data can be accessed, used and exported; foreign privacy laws must be observed. eDiscovery may have to be conducted in-country, and it is helpful to have local counsel available that is knowledgeable of the country’s data-related laws and regulations.

The time to prepare for an investigation is now—not when investigators come knocking on the door.

Written by Desh Urs

Desh Urs brings more than 20 years of entrepreneurial, start-up and Global 500 corporate experience in sales, marketing and general management to the customers of iBridge. He has led sales organizations as SVP at Qsent, Inc. and VP at Acxiom Corporation, and has focused on the usage of data in data distribution, direct marketing, fraud prevention, and law enforcement.

As a Vice President of Global Sales, Services, and Marketing at Silicon Graphics, Inc., Urs managed engineering and non-engineering functions, developing solutions in sciences, telecommunications, manufacturing, media, business, and defense intelligence, for companies with revenues of several billion dollars. During his tenure as Vice President at Think Tools AG and Brio Technology, Inc., he ran business development and alliances providing solutions in Business Intelligence and Decisions Cycle Management to Global 100 corporations worldwide. In the late 1980s, Urs founded Indus Systems, Inc., which he profitably sold to a systems integration company.

Urs serves on several Advisory Boards, as well as many company Boards, in the United States and India.

Enforcing Website Terms of Service

U.S. courts have ruled that the mere presence of a Terms of Service (ToS) page on a website cannot make it enforceable; rather, the ToS must be presented to the end user so the user cannot proceed with a transaction without actively agreeing to it.

Nearly every commercial website has a little link buried at the bottom of the home page (or sometimes every page) labeled “Terms of Service.” Clicking on the link opens a page describing the respective responsibilities of the website owner and end user regarding use of the site. The theory has been that by using the site, a user agrees to be bound by the terms, even if that user never clicks on the “Terms of Service” link to open the page.

Image Courtesy of Stuart Miles at FreeDigitalPhotos.net

That theory has been tossed out by U.S. federal courts, which have consistently ruled in recent cases that the mere presence of the ToS link—even if it is prominently displayed on every page a user might view—cannot make those terms enforceable.

To be enforceable, the terms—a contract between the site operator and the end user—must be affirmatively agreed to by the end user, just like a paper contract, which cannot be enforced if one or both parties fail to sign it. The courts so far have not required an actual (ink or electronic) signature, but they have insisted that end users be required to actively indicate acknowledgement of the receipt of, and agreement to, the terms.

This is best accomplished through a “click license.” The system must be set up so that before the end user can conduct a transaction on the site, that user must click a button or otherwise indicate that the ToS has been read and agreed to. No click, no transaction. Technically, this is easy to implement; it means the site needs some way of registering user accounts and tying that affirmative click to that user account.

That way, the site operator has it on record that the person associated with that user account claimed to read, understand and agree to the ToS. The courts then take a dim view of users who made such a claim when they did not; “I actively agreed to it without reading it” is a flimsy argument.
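The record the two paragraphs above describe is easy to get subtly wrong: storing a flag that says "accepted" without saying which wording was accepted, or creating the row from a form post whether or not the box was ticked. The following example, written for this page rather than taken from the post, ties each click to an account, to a hash of the exact terms the user was shown, to a timestamp and to the source address, and then gates a transaction on that record. The in-memory list stands in for a database table, and the user names, addresses and terms text are constructed.

```python
"""Added example: server-side record of "click license" acceptance and the
transaction gate that depends on it. Storage is an in-memory list standing in
for a database table; all identifiers are constructed."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


def tos_digest(tos_text: str) -> str:
    """Identify a ToS revision by the hash of its exact wording."""
    return hashlib.sha256(tos_text.encode("utf-8")).hexdigest()


@dataclass(frozen=True)
class Acceptance:
    user_id: str
    tos_sha256: str
    accepted_at: str  # ISO-8601, UTC
    source_ip: str    # as seen by the server, for the record only


class AcceptanceLedger:
    def __init__(self) -> None:
        self._rows: List[Acceptance] = []

    def record_click(self, user_id: str, tos_text: str, source_ip: str,
                     checkbox_checked: bool) -> Optional[Acceptance]:
        """Persist an affirmative act. An unchecked box creates no row, so the
        ledger only ever contains real clicks."""
        if not checkbox_checked:
            return None
        row = Acceptance(user_id, tos_digest(tos_text),
                         datetime.now(timezone.utc).isoformat(), source_ip)
        self._rows.append(row)
        return row

    def has_accepted(self, user_id: str, current_tos_text: str) -> bool:
        """True only if this account clicked through the currently served wording;
        editing the terms therefore forces a fresh click."""
        want = tos_digest(current_tos_text)
        return any(r.user_id == user_id and r.tos_sha256 == want for r in self._rows)

    def history(self, user_id: str) -> List[Acceptance]:
        return [r for r in self._rows if r.user_id == user_id]


class TermsNotAccepted(Exception):
    pass


def place_order(ledger: AcceptanceLedger, user_id: str,
                current_tos: str, amount: float) -> dict:
    """No click, no transaction: the gate runs before any order logic."""
    if not ledger.has_accepted(user_id, current_tos):
        raise TermsNotAccepted(f"{user_id} has not accepted the current terms")
    return {"user": user_id, "amount": amount, "status": "accepted"}


if __name__ == "__main__":
    ledger = AcceptanceLedger()
    terms = "Constructed sample terms, version 1"
    ledger.record_click("alice", terms, "203.0.113.7", checkbox_checked=True)
    print(place_order(ledger, "alice", terms, 19.99))
```

Hashing the text rather than storing a version label is the design choice worth noting: it means the record proves what wording the user agreed to, not just that they agreed to something, and a later edit to the terms automatically invalidates old acceptances.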

Website operators who have some kind of transactional functionality on their sites would be wise to implement a “click license” as a condition of conducting a transaction. Otherwise, that carefully (and expensively) crafted ToS document is an unenforceable waste of time.

Written by Desh Urs

ASC and iBridge Partner to Solve Growing Contract Management Concern for Data Insight and Utility

ASC and iBridge have partnered to deliver powerful contract lifecycle management (CLM) solutions, best practice contracting and information management services, and professional services support to customers in the US and India.

Ottawa, Ontario (February 17, 2015) — ASC (Advanced Software Concepts), a leading provider of SaaS and on-premise based contract, document, form, and configure, price and quote (CPQ) management solutions to SMBs and large enterprises, today announced its partnership with iBridge, a leading information management and data services firm.

This partnership will harness the power and versatility of the ASC solution platform and iBridge’s portfolio of information management and data services to offer both public and private sector organizations unparalleled visibility and control of contractual agreements, information assets and associated data. Customers will benefit from advanced contract lifecycle management (CLM) and information management tools that provide them the superior insights needed to take control of revenue-generating opportunities, reduce costs, and mitigate non-compliance and other corporate risks.

The preliminary focus for the partnership will be the US market, particularly in the legal, healthcare, manufacturing, financial, energy, technology, and government domains. This will be followed by market growth efforts in India where both companies have technical centers of excellence. The partnership will leverage ASC’s and iBridge’s complementary service and solution portfolios and their deep domain expertise and global reach to maximize return on investment for our customers.

iBridge is an information management and data services company specializing in collecting, organizing, analyzing and interpreting data using a unique blend of human and computer intelligence so that the data provides a true strategic information asset and competitive advantage for customers. By rapidly distilling large data stacks into clear, comprehensive, and simplified result sets for interpretation and use in different industries and applications, iBridge enables customers to quickly react to the changing competitive landscape. In support of this, iBridge also offers value-add services such as mobile scanning units to digitize contracts, business process outsourcing services, and contract review and data entry services.

ASC provides tailorable CLM solutions and supporting services and lifecycle management solutions for documents, forms, CPQ and other document types and business processes. The company has a proven reputation for delivering feature rich, best practice solutions across industry and around the world. Working with iBridge, ASC will broaden its scope even further with an enriched professional services offering. iBridge clients will benefit from ASC’s strong service and support framework and enterprise-grade solution portfolio which provides industry specific, seamlessly integrated modules that easily and flexibly scale to support businesses of all sizes and complexities from small-medium enterprises to Fortune 500 companies.

“Our strategic partnership with iBridge will leverage our core strengths to provide customers with faster, more effective tools to populate their ASC Contracts databases, automate their processes and derive more meaningful data insights,” said Shawn King, President and CEO, ASC. “Working in tandem we will deliver a powerful and integrated suite of CLM and information management solutions and supporting services designed to ensure the full utility of contracting information and processes as strategic corporate assets and drive immediate value for money.”

“iBridge’s partnership with ASC is a great fit for us from all angles — from shared values, to technology solutions and market opportunities,” said Dean Van Dyke, Vice President, Business Process Optimization, iBridge. “This relationship enables us to better support customers with an extensive portfolio of professional services complemented by solutions rooted in a proven best-practice framework and will also address the growing need for seamless business process lifecycle solutions that assure optimal data utility and resultant business intelligence.”

The two companies will engage in joint marketing efforts to develop business opportunities throughout the US and India.

Founded within a framework of cross-industry best practices dating back to 1992, ASC solutions are delivered via a proven web-based platform that is easily tailored to environments and processes and is well suited for any industry and for organizations of all sizes and complexities.

All ASC solutions provide a central database to track key milestones within a company’s business workflows and administration processes, the ability to capture images (e.g., signed contracts), approvals routing workflow management, robust search and reporting, template and clause libraries, and support for a wide range of meta data, document and content types and processes such as compliance and credentialing.

This strategic partnership represents another key initiative in ASC’s commitment to expanding its worldwide partner network and continuing to offer comprehensive “end-to-end” solutions and services to exceed the diverse needs of our customer base in markets around the world.

View the PDF version of the press release.

About ASC

ASC (Advanced Software Concepts Inc.) is a leading provider of cloud, Software as a Service (SaaS) and on-premise solutions for contract, document, form and configure, price and quote (CPQ) lifecycle management. Leveraging the proven ASC solution platform, ASC deploys tailored, customer-specific solutions that automate and streamline business process management requirements end to end. Features include a searchable online data repository, document generation, template library, workflow management, audit-ready history and reporting, esignature, image capture and support for a wide range of document types and processes. ASC solutions help organizations reduce costs, maximize revenue and minimize regulatory non-compliance risks. With extensive experience providing best practice solutions, ASC is an industry expert that works as a true partner to define and create unique business process management solutions for our SMB and large enterprise customers. ASC also provides solutions for order tracking, invoice validation and verification, data retention, records management, product configuration and sales configuration. For more information, please visit www.ascnet.com.

About iBridge

iBridge is a team of trusted, responsive information experts who capture, normalize, mine and report data to help organizations make smarter business decisions. By cutting through the data noise, iBridge provides critical information to its customers, allowing them to better understand their opportunities. iBridge’s value is in its ability to solve business problems in collaboration with its customers; to rapidly scale up or down; and to integrate its teams with client organizations. Besides its information management services, iBridge offers eDiscovery and legal support. The company has offices in Oregon, Washington and India. For more information, please visit ibridgellc.com.

Contact Information:

Angie Stockley
Advanced Software Concepts
angie.stockley@ascnet.com
+1-613-599-2087 x240

David Kaufer
iBridge
david.kaufer@ibridgellc.com
+1-503-906-3930

Preventing Cyberattacks by Learning from Counter-Terrorism Efforts

Cyberattacks of all kinds—whether to disrupt operations, steal data, or extort money—have been on the rise, and both public- and private-sector entities are targets. The effort to prevent cyberattacks bears a strong resemblance to the effort to prevent terrorism, and people involved in preventing cyberattacks would do well to learn lessons from worldwide anti-terrorism efforts.

Strengthen the Perimeter

The security of a company’s networked systems must be stepped up and maintained, just as security at airports and border crossings in the U.S. was enhanced after the 9/11 attacks. The key here is “maintained”—establishing a security perimeter is not a “set it and forget it” proposition. Because cyber-attackers are continually finding and exploiting new security holes, systems must be kept up to date, reviewed and tested.

Prepare a Response Team

Law enforcement and other public agencies have provided extensive training to their personnel on the actions to take if a terrorist attack occurs. Businesses should do the same to prepare for a cyberattack. Who is the response team? What is each member’s role and responsibilities? How will a breach be investigated to determine how the attack was carried out? What is the communication plan for dealing with customers, suppliers, investors and law enforcement? The reason Target and Home Depot could recover from their high-profile data breaches was that they had thorough response plans and the right personnel in place to execute them.

Collaborate

Before 9/11, federal agencies such as the Federal Bureau of Investigation, Central Intelligence Agency and National Security Agency operated in their own domains and rarely interacted with each other. Now, they share in the responsibility for preventing terrorist attacks, and have had to learn to work together to do so. Businesses should do the same, both with law enforcement and with other businesses. By sharing information about security vulnerabilities and breaches, all entities can strengthen their stance against cyberattacks.

Watch for Insider Attacks

Although attacks by outside perpetrators make for the biggest headlines, breaches caused by insiders—whether intentional or accidental—are more frequent and potentially more damaging. Just as federal, state and local law enforcement have stepped up efforts to recognize potential domestic terrorists, businesses should try to prevent insiders from causing data security breaches. Conducting thorough background checks, monitoring employee morale, making sure each employee’s system access levels are appropriate and implementing technical safeguards against insider breaches all must be part of a comprehensive plan to maintain security from within.

Written by Desh Urs

How to Resurrect a Failed IT Project

Depending on whom you ask, the failure rate for enterprise software projects is anywhere from 20 percent to two out of three, and big-budget projects fail at a higher rate than smaller ones. By the time a business realizes a project is off the rails, it’s usually too late to get it back on track. If you are a part of a failed (or failing) IT project, how do you bounce back to do it right the next time around? Here are some ideas:

Hold an Honest Postmortem

The first step in ensuring a comeback is to take an objective look at the failed project to learn what went wrong by holding a “lessons learned” session. This is not a witch-hunt; rarely is a project failure the result of active malfeasance or sabotage. Nor is a postmortem an unstructured free-for-all. The session must have a strict agenda that looks objectively at all the components of the project, from the standpoint of organizational structure, executive support, budget, scope, planning, requirements, infrastructure… everything. If there is a skills gap on the team, identify that gap and determine how to close it without playing the blame game.

Re-Evaluate the Requirements

Many projects fail because of a problem in the requirements. There are too many (or too few) must-haves, they are poorly written, they are overbroad, they are not properly classified (essential/optional) or the business drivers have changed. Look at the guidelines and get them right. If requirements were the key problem the first time around, leaving them alone will not change the outcome the second time.

Look for Scope Problems

Some projects fail because the scope was too broad, and some projects that start with limited scopes fail because the scope expands during the project. Often it’s not a conscious effort to expand it, but the culmination of innumerable “Wouldn’t it be nice if…” thoughts. If you tried to bite off more than you could chew from the beginning, divide the project up into smaller portions that can be executed over multiple phases. If the project was a victim of scope creep, it’s time to implement a more stringent change management policy.

Re-Think Your Test Plan

The test plan should not be exclusively, or even mostly, about checking that the system capabilities work. The focus should be on features that prevent people from screwing things up. If, for instance, negative inventory quantities would cause problems for your business, make sure the system prevents transactions that would cause negative inventory.
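To make the negative-inventory point concrete, here is an added example (written for this page, not code from the post or from iBridge) that runs the same small test plan against two constructed inventory implementations. The naive one passes the capability check and nothing else; the guarded one validates an entire order before applying any of it, so a single oversize line, two lines that are individually fine but jointly too large, and an unknown item are all refused without touching the ledger. SKU names and quantities are constructed sample data.

```python
"""Added example: a test plan whose weight is on the failure paths, applied to
a naive and a guarded inventory ledger. All SKUs and quantities are constructed."""
from typing import Callable, Dict, List, Tuple


class InsufficientStock(Exception):
    pass


class NaiveInventory:
    """Does what the happy-path test asks for and nothing more."""

    def __init__(self, stock: Dict[str, int]) -> None:
        self.stock = dict(stock)

    def withdraw(self, lines: List[Tuple[str, int]]) -> None:
        for sku, qty in lines:
            self.stock[sku] = self.stock.get(sku, 0) - qty


class GuardedInventory(NaiveInventory):
    """Validates the whole order first, then applies it, so a rejected order
    never leaves the ledger half-updated."""

    def withdraw(self, lines: List[Tuple[str, int]]) -> None:
        if any(qty <= 0 for _, qty in lines):
            raise ValueError("quantities must be positive")
        # Total per SKU so two lines for the same item cannot slip past the check.
        needed: Dict[str, int] = {}
        for sku, qty in lines:
            needed[sku] = needed.get(sku, 0) + qty
        for sku, qty in needed.items():
            have = self.stock.get(sku, 0)
            if have < qty:
                raise InsufficientStock(f"{sku}: have {have}, need {qty}")
        for sku, qty in needed.items():
            self.stock[sku] -= qty


def _rejected(inv: NaiveInventory, lines: List[Tuple[str, int]]) -> bool:
    """Run one withdrawal and report whether the ledger refused it."""
    try:
        inv.withdraw(lines)
        return False
    except InsufficientStock:
        return True


def run_test_plan(factory: Callable[[Dict[str, int]], NaiveInventory]) -> Dict[str, bool]:
    """Each entry is one test from the plan; True means the implementation passed."""
    results: Dict[str, bool] = {}
    # Capability check: the withdrawal works.
    inv = factory({"widget": 5})
    inv.withdraw([("widget", 3)])
    results["withdraw_reduces_stock"] = inv.stock["widget"] == 2
    # Mistake-prevention checks: each must be refused and the stock left untouched.
    inv = factory({"widget": 5})
    results["rejects_oversize_line"] = _rejected(inv, [("widget", 6)]) and inv.stock["widget"] == 5
    inv = factory({"widget": 5})
    results["rejects_split_order"] = _rejected(inv, [("widget", 3), ("widget", 3)]) and inv.stock["widget"] == 5
    inv = factory({"widget": 5})
    results["rejects_unknown_sku"] = _rejected(inv, [("gadget", 1)]) and "gadget" not in inv.stock
    return results


if __name__ == "__main__":
    for name, impl in (("naive", NaiveInventory), ("guarded", GuardedInventory)):
        print(name, run_test_plan(impl))
```

Running the plan against both implementations shows the point of the paragraph: a test plan made only of capability checks would pass the naive ledger, and the negative-inventory problem would surface in production instead.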

Be Realistic About ROI

Some business leaders operate on the assumption that an enterprise software system will pay immediate dividends. It doesn’t work that way. First, there is a learning curve for the users as they grow accustomed to the new system. Mistakes will be made, transactions must be backed out and done over, and people must be trained and re-trained. It’s all part of the process. Many enterprise software systems can’t show their value until they have several months of data on which to base decisions. Make sure executive management has realistic ROI targets and ramp up to them as you go.

Written by Sofia Johnson, Manager, Software Development

Ms. Johnson, an expert in Project and Resource Management, is the Software Development Manager at iBridge. She brings more than 11 years of combined IT and business intelligence experience to delivering successful customer engagements in software development. Prior to working at iBridge, Johnson worked as a Senior Engineer for Hewlett Packard and Oracle, and as a Hyperion Consultant for IBM and Google.

She is a product expert in enterprise contract management software solutions – diCarta/IBM Emptoris. As part of her previous engagements as a Hyperion Consultant, she made significant contributions to optimize and enhance a BI/Analytic solution for a major food, health and home retailer, LoBlaw, in Canada. She introduced performance tuning and optimization principles to the existing solution by leveraging Essbase cube partitioning techniques and re-writing some of the calculation logic to bring in significant performance improvements. Another significant engagement included automation and enhancement deliveries of a Hyperion analytical solution for a South African multinational brewing and beverage company (SABMiller) headquartered in London, England.

Ms. Johnson is a certified Essbase developer with a Master’s degree in Computer Applications from Bangalore University. She has immense passion for travel, reading and working for social causes.

Is Meaningful Use Collapsing Under its Own Weight?

More data is being reported that medical providers of all types, from individual physicians to large hospitals, are having difficulty meeting the Federal government’s meaningful use requirements, and probably cannot do so by this year’s deadlines. These widespread struggles have led to renewed calls for leniency.

Image Courtesy of Photostock at FreeDigitalPhotos.net

Among the data published by the U.S. Centers for Medicare and Medicaid Services (CMS) are revealing figures: Over 60 percent of hospitals have not yet demonstrated compliance with either the Stage 1 or Stage 2 meaningful use requirements, and only 2 percent of 260,000 eligible individual practitioners have met the Stage 2 requirements. Over 3,900 hospitals must meet the Stage 2 requirements in 2015.

This lackluster showing has prompted renewed requests from various groups—such as the American Medical Association, the College of Healthcare Information Management Executives and the Medical Group Management Association—for CMS to be more flexible and work with hospitals and practitioners to help them get on track with meaningful use. Specifically, they have asked to reduce the full-year reporting period to 90 days. This would reduce the administrative burden on providers and increase the likelihood of showing compliance.

The poor compliance results indicate that the system is not designed properly. If a teacher gives a final exam to a large class and none pass, the problem is not the students; it’s the test (and by extension, the teacher). If 98 percent of individual practitioners aren’t meeting the requirements, it’s not because 98 percent don’t care—it’s because the expectations are unreasonable.

A “bigger stick” is not the answer. One would be hard-pressed to find anyone in the medical community who disagrees with the principles driving the program: a desire to make electronic medical records accurate, comprehensive, secure and shareable, leading to better communication, fewer errors and better patient outcomes. But for the program to succeed, the barriers to providers’ success must be lowered. This does not mean watering down the requirements; it means reducing the administrative overhead, streamlining the existing regulatory burden and providing realistic targets for providers to hit.

The risk of CMS not working with the medical community to find a workable solution is that many providers will throw in the towel and not participate, undermining the whole point of the initiative. The value and benefit of the program shrinks exponentially as the number of participants declines. Of what use is a sharable electronic health record if there is no one to share it with?

Written by Dean Van Dyke, Vice President, Business Process Optimization

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.
