Monthly Archives: August 2015

Legal Firms Turning the Tide on Cybercrime

With cybercrime-related problems showing no signs of stopping, the question of whether legal firms will be affected has moved from “if” to “when.” Nobody expects to become a victim of cybercrime, which creates a culture of damage control in which firms focus on mitigating the damage of breaches rather than on initial prevention.

Legal Firms at Risk 

The senior director of information security at LexisNexis, Jeffrey Norris, highlighted the two biggest reasons that law firms are in danger of breaches:

“The criminal element has performed direct attacks on organizations at a growing pace going back to at least 2012 […] it’s now becoming understood that it’s easier to go after a third party to gain access to these organizations,” he said. “…The spotlight has swung towards law firms due to security concerns of how they handle the data they’re entrusted with.”

Aside from the ease of targeting third-party legal firms, Norris spoke to the variety of data held by these firms, which often includes personal information, corporate merger details, intellectual property claims, and privileged legal data. “It becomes a realization they may have a treasure trove of data outside of the primary organization that’s being targeted,” said Norris.

Steps toward Security 

With nearly 80 percent of the biggest legal firms facing hacking-related problems since 2011, the need for increased regulation of third-party vendors is clear. Fortunately, the concerns voiced by IT professionals and network administrators on the risks of online data usage have not fallen on deaf ears. New York State Department of Financial Services (NYDFS) Superintendent Benjamin Lawsky recently acknowledged the vulnerabilities faced by third-party legal firms and his commitment to stricter cybersecurity protocols.

However, Lawsky noted that “[while] banking organizations appear to be working to address the cybersecurity risks […] progress varies depending on the size and type of institution.”

Increasing the transparency of cybercrime-related issues is a tall order for an industry that relies on client confidence and security of information, but five Am Law 100 and Magic Circle firms are taking initial steps toward this goal. The alliance between these firms promises increased sharing of cyber-security threat information and opens a dialogue between industry partners that face the same challenges.

While there is still plenty of work to do, this is an encouraging step in the right direction for legal firms who acknowledge that cybercrime is a threat they can no longer ignore.

Written by Desh Urs

As a Vice President of Global Sales, Services, and Marketing at Silicon Graphics, Inc., Urs managed engineering and non-engineering functions, developing solutions in sciences, telecommunications, manufacturing, media, business, and defense intelligence, for companies with revenues of several billion dollars. During his tenure as Vice President at Think Tools AG and Brio Technology, Inc., he ran business development and alliances providing solutions in Business Intelligence and Decision Cycle Management to Global 100 corporations worldwide. In the late 1980s, Urs founded Indus Systems, Inc., which he profitably sold to a systems integration company.

Urs serves on several Advisory Boards, as well as many company Boards, in the United States and India.

ICD-10 and an Assessment of Physician Readiness

The ICD-10 deadline is right around the corner—and a new poll by the physician-based social network SERMO indicates that doctors aren’t prepared.

Physician Surveys

According to surveys conducted by SERMO and the Workgroup for Electronic Data Interchange (WEDI), the Oct. 1st deadline for the new medical coding system is arriving faster than doctors can handle. The SERMO survey indicated that 71 percent of physicians polled aren’t equipped to handle the transition, while the WEDI poll showed that nearly half of physicians surveyed were unsure of whether they would be prepared in time.

Conversely, hospital staff surveyed by WEDI reported a 90 percent adherence rate for ICD-10. Such a large gap between hospital and physician readiness indicates disconnected priorities among different kinds of healthcare providers.

“I am ignoring the entire thing,” an anonymous psychiatrist on the SERMO social network said. “I do not bill or correspond with third-party payers, and that removes the administrative pressure. […] My time is better spent seeing patients.”

These sentiments were echoed by other doctors on the site, indicating that physicians placed less importance on medical regulation adherence than on providing patient care. While quality care is important, misalignment of goals between physicians and the hospitals creates administrative challenges for systems designed on uniform procedures.

Disconnected Priorities

ICD-10 will change the way medical codes are used, reported, and submitted to insurance providers. Failure to meet these standards could create inconsistencies in medical claims submitted between different offices, or during transfer of patient records from one clinic to another. Physicians are a critical part of making sure the transition happens smoothly, which creates problems when doctor interests are misaligned with those of their clinics.

“We are hopeful that industry leaders take the necessary steps to help ensure that the transition to ICD-10 is completed with minimal disruption to the healthcare industry,” said Jean Narcisi, chair of WEDI.

The goal of streamlined reporting is necessary for the medical field, but the healthcare industry isn’t yet close to meeting this goal.

“Based on this poll, the majority of the physician community is not ready for ICD-10,” said SERMO spokesperson Randi Kahn.

With physicians having the final say in many healthcare-related decisions, this reluctance to comply with ICD-10 standards is a sign that the healthcare industry’s move toward the future will be slower than policy-makers hoped.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team, and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.

New Contracts to Increase Military IT Interoperability

A new military IT contract with Cerner, Leidos and Accenture will be implemented to increase the interoperability of EHRs nationwide with thousands of civilian healthcare facilities. This contract promises to diversify healthcare outreach for the nearly 10 million active duty and retiree military members who receive care from privatized providers.

Cooperation Is Necessary

EHR vendors have traditionally been slow at making their systems interoperable with other organizations, creating challenges for an industry that relies on communication and transparency for patient data and information sharing. This new contract was designed to overcome these shortcomings and enhance the business practices of hundreds of facilities that currently avoid cooperation.

This connectivity will not be simple to implement; hundreds of EHR platforms will be integrated, including those provided by rival bidders. Over 1,200 military healthcare sites will experience changes, including international facilities in Iraq and Afghanistan.

Dr. Jonathan Woodson, Assistant Secretary of Defense for Health Affairs, spoke to the necessity of cooperation with these private-sector companies, which provide 60 to 70 percent of healthcare for soldiers and their families.

“Part of our requirement is to position ourselves to be interoperable with the private sector, but the fact of the matter is, the private sector has to make itself interoperable as well. What we’re doing today will help advance that public preparedness.”

Looking to the Future

This commitment to interoperability of the public and private sectors comes at a critical time, as the compliance deadline for the ICD-10 transition is less than two months away. Healthcare organizations in the middle of this transition must focus their efforts on communication and cooperation with other facilities to ensure that the quality of patient care does not suffer.

This is particularly true for the military and private-sector companies that must adjust their policies to reflect the needs of civilian and public-sector partnerships.

Federal Health IT Coordinator Dr. Karen DeSalvo commended the contract, calling it “an important step toward achieving a nationwide, interoperable health IT infrastructure.” She pledged her office’s support of the Defense Department “to help ensure its interoperability efforts align with nationally recognized data standards and industry best practices.”

While new standards of cooperation are a step in the right direction, military healthcare facilities will need to undergo rigorous testing to confirm the viability of their updates. Interoperability is necessary progress for the health field, but requires constant improvement to maintain its efficacy.

Written by Dean Van Dyke, Vice President, Business Process Optimization

The Changing Landscape of eDiscovery Security

Legal discovery has undergone a transition since the adoption of digital information storage. Discovery has shifted from digging through file cabinets full of documents to digging through online databases and electronic systems that house information, streamlining the process and facilitating better information transparency for all parties involved.

But despite the widespread implementation of in-house database security, many firms still fail to meet basic security standards during the eDiscovery process.

Challenges of eDiscovery

eDiscovery is often a transfer of large quantities of data from one party to another with methods that lack the same security regulations as normal systems. According to Jeff Kerr and John Mays, the founding partners of legal firm Mays & Kerr, the information transition period of eDiscovery is when confidential data is most vulnerable:

“In eDiscovery matters, the client is often asked to turn over a large amount of its raw data, either to counsel or to a vendor. Transferring that data creates risk that it can be breached during transit, and storage in multiple locations creates more attack surfaces,” Mays said.

Unfortunately, legal firms must comply with these eDiscovery practices, regardless of whether each party involved is taking necessary security precautions. However, the increased incidence of digital data discovery and sharing will help create new policies to govern the flow of sensitive information.

“There is a connection between discovery and information governance, and it fits into security with respect to managing the number of times sensitive data is duplicated. You likely want to have that information backed up, but additional copies may increase risk,” said Mays.

Building Better Security

Legal firms are no strangers to cybersecurity breaches. Information losses can occur at every point of the information chain, creating a need for enhanced security standards that reflect the needs of an electronic legal landscape.

Secure passwords, firewalls, encryption and malware management are all essential to maintaining a protected digital environment. But being aware of the issues is not enough: legal firms need dedicated staff members who understand the challenges of IT security and the best way to deploy strategies to keep their data secure. This is true for in-house security, but also applies to areas of heightened data vulnerability, such as eDiscovery.

Until legal firms can guarantee a secure information transfer process during eDiscovery practices, the risk of cyberattacks and compromised data will be a notable concern.

Written by Desh Urs

New Security Regulations Promise Increased Transparency

In a new initiative to reduce the incidence of the ever-present danger of cybersecurity breaches, the European Union is developing new standards for data security that may come into practice as early as this year. While the regulations don’t apply to U.S. businesses, they’ll be mandatory for companies that partner with businesses in the EU and work with clients there. Part of these procedures involves appointing a dedicated privacy security officer to manage compliance with security standards, and shifting toward an “opt in” mindset for personal data use that keeps customers in the loop, legally and contractually speaking.

This creates new incentives for international companies to maintain their cybersecurity standards, even those without current partnerships with European businesses.

The Need for Change

The new security standards speak to an initiative against the near-constant incidence of cybersecurity breaches affecting businesses—from the U.S. Office of Personnel Management to the U.S. Census Bureau, both large- and small-scale organizations have fallen victim to the data losses that coincide with poor security practices. The campaign to put an end to these attacks also involves increased cooperation and transparency between general counsel and IT tech services.

“The laws are always going to change, and unless you have a general counsel involved to understand that, to present that to the technologist in a way that they can understand, there’s no way the technologist will be able to understand all the nuance,” said Kristoph Gustovich, director of hosting and security at Mitratech.

In-house counsel ensures that all company contracts comply with cybersecurity standards, including the new standards proposed by the EU. These stringent regulations require companies to clarify their intended use of patient information, with specific and focused language that leaves no room for miscommunication on the contractual use of patient data. While burdensome for companies that must now increase transparency of their information use, Gustovich believes that the regulations are a necessary part of the future of cybersecurity.

“Most companies nowadays are going above and beyond anything that’s out there right now and looking forward to the future,” said Gustovich. “They’re always looking to meet what’s going to be the next stage of regulations.”

Written by Desh Urs

The Public Desensitization to Cybercrime

The frequency of cybercrime in a tech-world filled with vulnerabilities has created a trend of people viewing data breaches as commonplace and necessary evils for the privilege of technology use.

Turning a Blind Eye

A comparison of two recent breaches highlights this desensitization: the Office of Personnel Management leak on July 9th that revealed sensitive data of nearly 22 million individuals, and the more recent July 22nd breach of the U.S. Census Bureau’s information network. This second leak was reported to have released privileged information on employee names, email addresses and social security numbers, though on a much smaller scale than the OPM’s data loss.

The difference between the two is that the public took less notice of the smaller-scale data breach. With high-profile and large-scale breaches occurring at an alarming rate, governmental organizations and the public are less likely to prioritize small-scale trickling of confidential data.

“[M]y real concern is that [the OPM breaches] desensitized the public and government officials to smaller but still damaging breaches like the attack on the Census Bureau,” said Monzy Merza, chief security evangelist of the software intelligence firm Splunk. “…It is clear that we must ensure that our government has the right budget, tools and personnel to continuously defend our networks from all adversaries.”

Preventative Action

The danger of desensitization to cybercrime is real, as most people don’t consider it a priority until they become victims. The Census Bureau commented on their recent data loss with an acknowledgement that unauthorized access occurred, but claimed that any information leaked was “non-confidential.”

“Security and data stewardship are integral to the Census Bureau mission,” the Census Bureau statement said. “We will remain vigilant in continuing to take every necessary precaution to protect all information.”

Unfortunately, 11th-hour measures to improve cybersecurity come at a cost. Businesses that prioritize security only after their privileged information has been compromised indicate a willingness to ignore the risk until there are tangible consequences. Preventative measures are critical for good cybersecurity practices, yet the cost of implementing these measures leaves organizations ill-equipped to handle cybercrime when it arrives.

To prevent this trend from becoming part of the norm, organizations must take preventative action to safeguard their data and infrastructure before problems occur. While costs are associated with these measures, they are negligible compared to the costs of a lawsuit from individuals affected by poor data security.

Written by Dean Van Dyke, Vice President, Business Process Optimization

eDiscovery: The Weak Link in the Cybersecurity Chain

Data security is a pertinent issue for every business that handles the flow of sensitive information, but legal firms responsible for the transfer and management of large amounts of confidential data show an inability to meet basic cybersecurity standards. This puts their clients’ information at risk for data theft and security breaches. This is true when eDiscovery is shared with opposing counsel, as legal requirements force collaboration with firms that have inadequate cybersecurity standards.

Partner Security

A 2015 Advice From Counsel study by FTI Consulting shows that law firms are the weak link in the eDiscovery process, with in-house counsel and companies they partner with providing less data security than other businesses at the industry standard. The study also showed that 48 percent of responding law firms had no security requirements for the firms with which they partner. With the incidence of cybercrime on the rise in the legal world, it’s disconcerting that so many law firms maintain lax security standards for information sharing.

While law firms have come under fire for their lack of data security and eDiscovery practices with the clients they work with, Mike Kinnaman, senior managing director at FTI Consulting, explained that the quality of data security depends on the firm you hire.

“You’ll have some that are very, very tech-savvy and others that are not,” he said. “…They are much more focused on the service providers right now. We see it all the time.”

Sharing Vulnerability

Some firms may have the security protocols in place to protect the privileged data of their clients, but the report by FTI Consulting highlighted another concern faced by legal firms for the viability of their security: the presentation of data in eDiscovery to opposing counsel that is ill-equipped in security staff or data safeguards.

Basic discovery and information sharing are vital parts of the legal process, and are another way that legal firms with inadequate security standards become interconnected and reliant on each other. Many firms are comfortable with the security found in larger organizations, including firms from the Am Law 200, but smaller firms still must keep up with these more complex standards.

Until security standards are maintained for all legal firms that share discovery with opposing counsel and their partners, data losses through inadequate eDiscovery security will keep rising.

Written by Desh Urs

UCLA Data Breach Part of a Growing Trend of Information Vulnerability

The incidence of criminal data theft shows no signs of slowing.

In another highly publicized breach of confidential data, hackers broke into the computer network of the UCLA Health System and compromised the data of nearly 4.5 million patients.

This breach is another notch on the growing list of healthcare corporations that have suffered from vulnerabilities in their privacy infrastructure; health insurance company Anthem reported a data breach that affected nearly 80 million Americans earlier this year.

Security Weaknesses

Reports like these highlight a truth in the healthcare industry: with as much reliance as medical providers have on information-based technology services, they are still ill-equipped to handle the security provisions for their use.

UCLA specifically came under fire for their failure to encrypt their patients’ information—a basic security measure that many IT security analysts consider to be common practice, considering how frequently cybercriminals target healthcare facilities. Anthem Inc. faced similar criticism for their lack of forethought in their data security measures.

Dr. Deborah Peel, founder of Patient Privacy Rights in Austin, Texas, spoke to the weaknesses of the healthcare IT infrastructure:

“These breaches will keep happening because the healthcare industry has built so many systems with thousands of weak links,” she said.

Despite the unauthorized access that potentially revealed names, insurance information and Social Security numbers, the university claimed there was no evidence that any patient information was stolen. The interim president of the UCLA Hospital System, Dr. James Atkinson, expressed his concerns about the exposure of the confidential information:

“We take this attack on our systems extremely seriously,” he said. “For patients that entrust us with their care, their privacy is our highest priority. We deeply regret this has happened.”

The Costs of Data

While these data losses will hopefully spark increased security measures for the university IT network, they may be of little consolation to the millions of patients whose medical data was exposed. However, the patients aren’t the only ones that suffer from such data leaks: a Brighton, Mass. hospital was recently fined $218,400 for alleged HIPAA violations stemming from the use of unsecured data-sharing applications to transmit patient information.

There are high costs associated with vulnerability of privileged information. As healthcare IT systems continue the shift towards digital record-keeping, healthcare providers must make a concentrated effort to ensure that those systems are updated and secure.

Written by Dean Van Dyke, Vice President, Business Process Optimization
