Monthly Archives: February 2016

Healthcare under Attack: The Need for Device Security

Although we typically imagine the U.S. Food and Drug Administration as protectors of dietary and medicinal products, their outreach is expanding to the realm of cybersecurity.

Two of the biggest cybersecurity threats existing today involve malware and unintentional employee infections of confidential systems. These threats can compromise delicate medical devices and threaten the health of the users relying on them.

In response to this emerging threat, the FDA is making medical device security a top priority. A collaboration between the FDA and the medical-security-focused MITRE Corporation is working to address existing vulnerabilities of medical devices to cyberattack. This approach involves better stakeholder engagement on critical issues and conducting in-depth interviews across the country to help develop a “roadmap” of medical device vulnerability. The end goal of this project, says Suzanne Schwartz, FDA director of emergency preparedness, is to establish a trusted ecosystem where security and vulnerability information can be collected, analyzed, and shared. According to Schwartz, the FDA has faced several challenges in this process:

  • Defining basic responsibility for device cybersecurity
  • Understanding device vulnerabilities for basic users
  • Knowing the challenges manufacturers face trying to address security issues
  • Reviewing expectations and accountability for manufacturers that must demonstrate their security protocols across each product’s lifespan

Addressing each of these concerns has been a primary goal of the FDA’s security strategy over the past few years.

The Need for Security

Device security relies on cooperation from multiple organizations. Both healthcare delivery organizations and device manufacturers must prioritize device security throughout each step of development and use. Healthcare organizations face constant threats from hackers trying to gain access to their privileged data. While electronic health records and hospital security infrastructure have improved, medical devices themselves have traditionally lagged behind.

MITRE’s contribution to the FDA’s initiative involves adapting the existing Common Vulnerability Scoring System to apply to medical devices in clinical settings. This assessment protocol accounts for considerations unique to each device and provides stakeholders with actionable data to be used in shaping the future of device security. The FDA and MITRE are addressing these loopholes to prevent future medical devices from being compromised and to establish protocols for better device security in the coming years.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Dean Van Dyke is the Vice President of Business Process Optimization for iBridge. He brings more than 18 years of customer relations, business process outsourcing, lean six sigma, program/project management, records management, manufacturing, and vendor management experience to iBridge. Mr. Van Dyke was the former head of Microsoft’s corporate records and information management team and served honorably for over fourteen years in the U.S. Navy and Army National Guard. He received his Bachelor of Science in Business Administration from the University of South Dakota and his Master’s in Business Administration from Colorado Technical University.

10 Tips for a Successful Document Review Snippet

The following snippet comes from our most recent eBook “10 Tips for a Successful Document Review.” You can download this FREE eBook here and be on your way to becoming an expert on the document review process.

For years, the legal review process has relied on overworked and underappreciated teams of associates and paralegals sifting through hundreds or thousands of pages of material. Worse yet, the vast majority of content was irrelevant to the case at hand, focusing on a needle-in-a-haystack scenario that was time consuming, costly, and required tremendous manpower to complete.

While legal document discovery in the modern age is still a thankless task, the process has been streamlined and automated in ways never thought possible.

The digital revolution of electronic file storage and transmission has taken the world by storm, and the process of legal document review is no exception. Where document reviews once involved experts poring over filing cabinets packed to the brim with papers and carbon copies, the ubiquitous application of digital file storage in legal firms has moved the playing field from the desk to the computer screen.

Instead of digging through folders, reviewers now utilize online search and databases. Rather than earmarking particular documents, digital files can be categorized and sorted based on their content. Best of all, multiple reviewers can access the review database simultaneously, preventing the need to share documents or create unnecessary copies.

This process has worked wonders for efficiency and reducing the cost of discovery, but it also presents a new set of challenges for legal reviewers to overcome.

1. Implement a Project Plan

Knowing how time-consuming document reviews are, establishing a timetable to provide an early summary for your clients should be the first thing on your mind. They’ll be eagerly waiting for the results of your review, so creating a delivery schedule and milestone-based project plan will help keep them informed of your team’s progress.

Review the information as soon as you receive it to make sure it’s accessible, in the correct format, and related to the matter at hand. If the information provided by your client is irrelevant or incorrect, it negatively affects your team’s schedule, creating a bench of unused expensive resources while your client scrambles to locate, assemble, and provide the correct documents. Once you have the files, quickly upload them into a database to sort them by category and give your team access to the materials. This step is essential for electronic document review—utilizing a file management system or database will let you analyze the results of your review in real time and give your team the much-needed flexibility to perform remote or onsite review.

But you can’t stop with uploading and categorizing your files. A quality control process assures an effective process. Determine how many reviewers are required to attain the highest quality document review within your project cost estimate. This involves establishing qualitative protocols for type of review, with appropriate levels of random sampling of each batch reviewed. Determine the characteristics of your document review to decide how best to structure your plan within your own unique restrictions.

Law Department Operations: What Comes Next in the Evolution of ‘For Services Rendered’?

Most attorneys who have been around the block are well acquainted with the now outdated billing concept of “for services rendered.” This idea took hold in the 1980s, allowing general counsel to arbitrarily bill clients without itemization for what was being charged. This lack of transparency was challenged as boards of directors prioritized spend visibility, ensuring that their budgets were handled efficiently.

This demand for accountability sparked the explosion of the legal technology we see today, with the creation of dedicated Law Department Operations (LDO) teams. These departments help regulate technology spend in each firm, and work to increase visibility of legal matters that have traditionally gone unchecked. This trend reflects a shift in how legal services are accounted for, with greater spending accountability required by general counsel.

Alternate Strategies

Rather than continuing to operate independently, legal departments are now being held to the same standards as other sectors in their organizations’ infrastructure. Businesses are applying the same strategies to their legal structures as they have to their marketing and sales departments: using metrics, data, and technology to ensure that the right people handle the right jobs.

A separate pricing strategy was developed: the Alternative Fee Arrangement (AFA). Instead of working off an hourly pricing model, AFAs function as agreements between law firms and legal departments to charge a flat fee based on pricing estimates. The AFA payment model flips the script on general counsel accountability. Instead of the carte-blanche spending that used to fall under “for services rendered,” AFAs require law firms to accurately calculate project costs before the work is started. This puts the burden of efficiency on general counsel—if the project runs too long, money will be lost, and if the project is finished faster than anticipated, the firm profits.

While this strategy tries to help balance the cost/benefit disconnect of traditional legal review, its success relies on the growth of data and technology. Accurate forecasting of project milestones can’t be done without supporting information to guide decision-making. This is just as true for traditional pricing structures as it is for AFAs. Data provides insight on services needed, risk analysis, and where potential cost overruns may occur. Power structures in the legal industry are changing. Counsel is being held to a higher standard of accountability than ever before, and the acceleration of technology is creating new standards of practice that will undoubtedly help shape the legal world in the years to come.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Missing Hard Drives Contain PHI of Nearly One Million Individuals

Cybersecurity and safeguarding Protected Health Information (PHI) is a hot topic in the digital world. However, while awareness and new legislation are improving the current state of digital information security, less attention is given to security protocols for hardware and physical data storage.

Hard Drive Theft

Centene, a prominent Medicare and Medicaid insurance provider, recently announced the loss of six hard drives containing private information on nearly 950,000 individuals. The lost data includes names, addresses, Social Security numbers, and membership IDs. A statement offered by Centene on Jan. 26th claimed that the hard drive loss “resulted from an employee not following established procedures on storing IT hardware,” noting that the missing drives were a small part of their total 26,000-unit IT inventory.

Is Encryption Necessary?

Centene’s data loss resulted from a lack of encryption protocols and poor inventory management.

Unfortunately, the answer to data security isn’t as simple as “encrypt everything with PHI.” Unnecessary encryption can be costly and may reduce efficiency due to the extra steps needed to authenticate users. Under the HIPAA Security Rule, encryption of PHI is merely “addressable.” This means that organizations that thoroughly document alternative security measures need not encrypt all instances of PHI.

When encryption isn’t feasible, other security protocols must be used. Inventory governance is essential for protecting hardware containing PHI. However, the challenges of keeping a real-time IT inventory make the process easier said than done.

“An inventory of any IT assets, including data, is only accurate for a moment. Things are constantly changing. Maintaining an accurate inventory doesn’t scale well for large organizations. Rather than putting a lot of effort into an accurate inventory, efforts are better spent encrypting media containing confidential information,” said Tom Walsh, founder of security consulting firm tw-Security.

This presents a challenge to holders of PHI: how can the costs of encryption be balanced with inventory management for better overall security? According to Walsh, risk analyses coupled with precise inventory tracking will help organizations “channel limited security resources where they are needed most.”

Finding a Middle Ground

The question of hardware and PHI security is as complex as the challenges associated with cybersecurity. It’s clear that both inventory governance and correctly-applied security protocols are necessary to keep PHI safe. The CEO of security consulting firm Redspin noted that: “…Healthcare organizations must be disciplined about tracking PHI throughout the organization and ensuring the appropriate safeguards are in place everywhere. Encryption adds cost and complexity, but a PHI breach can be far more costly.”

Given recent PHI breaches, we’re willing to bet that insurers like Centene would agree.

Written by Dean Van Dyke, Vice President, Business Process Optimization

5 Key Takeaways from the 2015 Cybersecurity Information Sharing Act

President Obama recently signed into law the 2015 Cybersecurity Information Sharing Act, aimed at increasing cybersecurity regulation and nation-wide healthcare security.

Though online security awareness is on the rise, the cybersecurity industry is still lacking in the basic infrastructure, resource planning, and information governance that effective security protocols require. The legislation, slated to take effect in 2018, addresses these concerns and creates a more prepared environment of cybersecurity awareness. Here are five key takeaways from the recent legislation:

1. The Cadillac Tax

The Cadillac Tax, or the excise tax of 40 percent on health plans whose value is more than $10,200 for individual coverage, was delayed two more years—now beginning in 2020. Though starting as non-tax deductible, the Cybersecurity Act includes a clause allowing employers to pay to make it so.

2. Increased HHS Preparedness

The Department of Health and Human Services must now submit reports assessing their cybersecurity threat preparedness to congressional committees. The Act also describes that HHS must choose a representative to lead cybersecurity initiatives and describe how the HHS plans to address threats.

3. Cybersecurity Task Force

The Cybersecurity Act describes a task force coalition between HHS, Homeland Security, National Institute of Standards and Technology leaders, industry experts, agencies, and stakeholders. This coalition will be charged with analyzing actions and assessing cybersecurity safeguards across industries, and reviewing challenges faced by private healthcare organizations. This also includes assessing the functioning and operability issues of electronic record keeping systems.

4. Stakeholder Education

Improving stakeholder education and preparedness is an integral part of the 2015 Cybersecurity Act. Agencies must inform key decision makers on best practices for cybersecurity, and create channels for communication of defensive measures and emerging threats. This focus on communication is predicted to help improve industry-wide knowledge of cybersecurity protocols and contribute to each agency’s ability to regulate its own security.

5. Protecting the Private Sector

The Cybersecurity Act includes language that protects private sector entities from liability when sharing or receiving cyber threat information. This includes establishing what personal data must be scrubbed before transmission and standardized timetables for notifying individuals that their information was shared.

Written by Dean Van Dyke, Vice President, Business Process Optimization

Why is eDiscovery a Mystery to Attorneys? Pt. 2

Back in March of 2015, we wrote about why eDiscovery, one of the legal profession’s most powerful tools, is also among the most poorly understood by attorneys.

Almost a year later, not much has changed. Here’s part 2 of why eDiscovery is still a mystery to attorneys.

It’s critical for organizations to easily access documents, emails, and even text messages. If those forms of information are deleted without being properly preserved, they could be lost forever. This poses an issue when a company must provide these records to aid regulatory compliance, a legal case or an employee dispute.

There have been countless examples of how an archiving system has affected a company, both negatively and positively. Easily accessing archived documents, emails and messages takes the guesswork out of certain situations and will ultimately protect your company if used correctly. Greg Arnette, founder and CTO of Sonian, a pioneer in cloud-powered archiving, has identified nine situations in which having records accessible, or not having records accessible, has largely affected companies and employees.

Lack of Understanding that ESI (electronically stored information) is More Than Any Other Office Document

YouTube videos, Facebook and Twitter posts have been used as evidence. Voice mail, calendar and journal entries, and instant messages also fit the bill. As Kentucky attorneys Michael Losavio and Jennifer Hans point out, ESI can be stored just about anywhere – including such places as hard drives, RAM, cell phones, PDAs, flash or thumb drives, and even MP3 players.

Fear or Inadequate Knowledge of ESI (Remember ESI can make or break your case)

It’s a lesson California-based outdoor furniture supplier Creative Pipe had to learn the hard way. After the company allowed opposing counsel to use an untested keyword search tool that unearthed 165 documents of privileged data during the discovery process, the court determined Creative Pipe had waived privilege on those documents because it had not taken care to protect them. Creative Pipe’s opponent could use any of those documents as evidence against Creative Pipe.

Non Pro-Activeness to Approach ESI in the Right Manner

The best approach to ESI is a proactive approach. Attorneys must understand ESI to avoid errors like those made by Creative Pipe and others who have been in the news the past few years. It is not wise to put ESI archiving/eDiscovery policies on the back burner. Figure out where all of your ESI is, and how or whether it can be quickly accessed, then address how any new ESI that comes into the system will be managed. Waiting until you have an actual eDiscovery request or regulatory audit notice in hand before deciding what to do is just asking for trouble.

Lack of Best Practice

Best practice is crucial. Developing best practices is the key to navigating the complexities of global eDiscovery matters.

Lack of Procuring Right Technology and Tools

The right technology can make all the difference. Like any software or service, eDiscovery solutions come in a variety of shapes and sizes. Whether it’s an appliance, a hosted solution, or a custom, site-specific implementation, you must shop around to find the one that best meets your needs.

Neither IT nor Legal Should Tackle eDiscovery alone.

Neither IT nor legal should tackle eDiscovery alone. That’s why it’s important to teach the departments how to work together to accomplish eDiscovery goals. Some companies are looking to a new breed of IT professional, who reports up through the general counsel’s office to lead the efforts. Others take a team approach, with representatives from each group providing input at the planning and implementation stages.

This post was contributed by Jai Santosh, HR Team Lead.

Communication as a Barrier to Cybersecurity Compliance

Though cybersecurity threats become increasingly dangerous for legal firms guarding privileged data, information governance and data protection plans are still falling short.

A 2015 survey by BDO USA found that only one-third of corporate directors have documented policies in place to protect their business’s digital assets. Yet, despite this supposed lack of cybersecurity strategy, 69 percent of public company board members reported that their board was more involved in cybersecurity than it had been 12 months ago. Seventy percent of companies also reported increased spending on cybersecurity over the past year, averaging an increase of 22 percent.

What’s to blame for this disconnect between management and board members?

Failing to Communicate

According to Shahryar Shaghaghi, leader of technology services for BDO Consulting, the problem has its roots in communication.

“It is the responsibility of the IT manager to communicate with the board in a manner which the board is able to understand. Often the communication is performed in a manner which is too technical, too much in the weeds, for the board to understand,” said Shaghaghi. He added that while the disconnect appears to stem from a lack of knowledge on the surface, the underlying issue is the gap in communication between the two parties.

Risk Management Strategies

To solve the miscommunication issues facing businesses, Shaghaghi recommends instituting a “standardized, repeatable” process of information delivery from the IT department to board members. Creating a structured cyber-risk profile informs board members of the level of risk of various cyber decisions and how risk management strategies may affect their bottom line.

Cybersecurity decisions are facing increased scrutiny in the legal world, with many public companies requiring third-party vendors (like law firms) to provide developed cybersecurity policies, and even become ISO 27001 certified. Despite this push toward digital asset protection, BDO’s survey reported that only 35 percent of directors say their company has established cyber risk requirements for their third-party vendors.

The cyber risk profiles proposed by Shaghaghi give board members better insight into the risk/reward aspect of each cybersecurity decision and the feasibility of bringing in outside firms for third-party assessments. Though the communication disconnect between IT and board of directors may be slow to change, the increased public focus on digital security suggests that cybersecurity governance will only improve moving forward.

Written by Dean Van Dyke, Vice President, Business Process Optimization

The 4 Essential Leadership Qualities Your Business Needs

What makes a good leader?

Is it the ability to take decisive action when problems arise? Having excellent communication skills? How about having the ability to develop and lead a team to success?

All important, sure, but quality leadership may transcend these basic definitions. A recent report by McKinsey Quarterly revealed four of the most important traits for leaders to have, all correlated closely with leadership success:

1. Effective Problem-Solving

Problem-solving is a necessary skill for any leader. Before informed decisions can be made, leaders must have gathered and reviewed all available data. This is a challenge for many leaders, as the critical and logic-based thinking that supports effective problem solving doesn’t come naturally to all of us. Regardless, leaders must make development of their problem-solving abilities a priority. Everything from team disputes to guiding organizational direction depends on these skills.

2. Results-Oriented Action

Good leaders prioritize efficiency and productivity when working towards goals. These leaders adopt an essentialist mindset in every action they take. This philosophy involves recognizing which goals are necessary, which aren’t, and where the most value can be gained for the least effort. This efficiency helps ensure resources are allocated effectively and that time isn’t wasted chasing ineffective goals.

3. Valuing Varied Perspectives

Diversity of opinions, ideas, and ability nearly always translates into a better product. Good leaders understand this and seek out these perspectives when deciding. Employee input can provide leaders with necessary insight and information on the best direction to guide the organization. Leaders who prioritize the value of varied perspectives gain better knowledge about how their business is run and gain tools to aid in their problem solving and decision-making.

4. Supporting Others

You can’t lead without a team. Effective leaders show genuine interest in and concern for their employees. They build personal relationships that inspire trust, loyalty, and positivity towards the business. Good leaders can also support their staff by contributing to their projects with top-down insight. This can help promote efficiency and prevent internal conflicts from occurring.

Though the definition of a good leader may depend on the context of your organization, several facts remain clear: leaders can solve problems and act in ways that drive meaningful change, support their team, and gather diverse perspectives. When a leader excels in these essential traits, improved top-down decision-making isn’t far behind.

Written by Desh Urs

Desh Urs brings more than 20 years of entrepreneurial, start-up and Global 500 corporate experience in sales, marketing and general management to the customers of iBridge. He has led sales organizations as SVP at Qsent, Inc. and VP at Acxiom Corporation, and has focused on the usage of data in data distribution, direct marketing, fraud prevention, and law enforcement.

As a Vice President of Global Sales, Services, and Marketing at Silicon Graphics, Inc., Urs managed engineering and non-engineering functions, developing solutions in sciences, telecommunications, manufacturing, media, business, and defense intelligence, for companies with revenues of several billion dollars. During his tenure as Vice President at Think Tools AG and Brio Technology, Inc., he ran business development and alliances providing solutions in Business Intelligence and Decisions Cycle Management to Global 100 corporations worldwide. In the late 1980s, Urs founded Indus Systems, Inc., which he profitably sold to a systems integration company.

Urs serves on several Advisory Boards, as well as many company Boards, in the United States and India.
