KPMG’s revealing survey about cybersecurity and what we can do about it

Some of you may remember my post this spring about the breach of my family’s information by a major health insurer. I think about that a lot, as I am sure many of you do as well. It feels like we read about another major hack on a daily basis. We now have major governments funding hacks. The perfect example is the recent breach of the IRS. This recent health IT survey by KPMG really caught my eye: 81% of healthcare organizations have been compromised by cyber-attacks in the past 2 years. 81%! The survey covered both insurers and providers. I am stunned my mailbox does not overflow with notifications every day, but what concerns me is all of the breaches of which we are still blissfully unaware. It is particularly disconcerting because there are so many rules around patient privacy that we should be able to expect that our information is being managed securely. It is not. It would be easy to point fingers at those breached and blame it on their lack of preparation. And I suppose that is true in some cases. It would also be easy to point all the blame where it belongs, on the hackers.

The big question for me, though, is what can I do about it? In short, the answer is not much. I can’t imagine querying an ambulance driver about the information security processes of a hospital. Even if they knew, would you divert to a different hospital based on the answer? Of course not. In a similar fashion, one would be unlikely to change insurers based on information about data security. But that doesn’t mean customers don’t care about it, and data security is something the audience of this blog can do something about. Regardless of your role in the company, ask some questions. Keep pounding the drum that our industry needs to stop being passive and needs to make the investment, even more investment, in security. We tend to think of the “big breach” as the area to invest in, but there are so many more areas on which to focus.
The survey showed that 35% of the respondents had a data breach from their own employees. So when you’re beating the aforementioned drum, make sure to discuss your internal risks too. As important, if you are in a position to do so, help ensure this is a topic discussed with the CEO of your company. They need to be aware, and be prepared, for the almost inevitable breach. Your company wants to handle it quickly, professionally, and competently. This would be in stark contrast to the insurer mentioned in my previous post, which took 3 ½ months to notify me, and started with my 4-year-old. In the words of Sergeant Esterhaus in the incomparable ’80s classic Hill Street Blues, “Let’s be careful out there.”

A four-year-old’s employment records (or how not to handle a data breach)

Yesterday one of my four-year-old twins received a letter from a major health insurance carrier (we’ll leave them nameless, tempting as it is). The letter states that the carrier had a data breach and that his information may have been included. The list was pretty extensive, including name, address, telephone number, email address, date of birth, social security number and employment history. That’s a pretty big list and everything you need to steal an identity. They assure me that no health information was shared, but I think they have their priorities wrong. I don’t care if the thief knows I have high cholesterol, but I do care that they have my social security number. I admit I am curious about the employment history of my four-year-old – I think he has been holding out on me. I wondered how he had so many Legos. The challenge? We’ve never had a policy from this particular carrier. Their FAQ site (a whopping four pages of minimal information) says it could have been because they process for other carriers, but nope, none of them either.

So I set out to find out more information, particularly whether others in the family were affected, since we are all on the same policy (Mom, Dad and five small kids). I started my quest at 8:45am, on the website, and then the phone center opened at 9am. What a frustrating two hours. After talking to 11 people, from 4 different companies, do I know the answer to any of the questions? Not a single one. It all started with the vendor that the problem was outsourced to. I feel for those phone clerks, as they were provided almost no information. I then found a way to the carrier (a blog post in its own right), who didn’t know any more, but managed to transfer me to two other insurance companies, neither of whom had a clue why, as they didn’t have a breach and I was never their customer. My concern is that this means they don’t even know what was stolen, where it was stolen, whose information was stolen and more.
If they don’t know that about me, what about you? I honestly don’t know how you protect yourself. You can’t really go off the grid. I could do without credit cards, and go to cash, but I can’t do without utilities or health insurance. I also understand that identity theft is big business, but the protections taken by major companies feel so lax. This is the FIFTH major breach of our family in less than 18 months. My credit card, from a major bank, has been replaced three times (only one breach was their own).

So to the point of the post, for those still with me: If I were responsible for data security at any of these firms, I’d fire myself. There are solid, dependable companies doing security work. If your company has not hired one to test your security, do it. Do it today. You should be doing penetration tests, at least annually. You should have solid company policies on data access, and that access should be extremely limited. People need information to do their jobs, but they don’t need all the information. Does your company have a data governance policy? If not, start today. We all know that IT budgets are limited and that our user communities, including our customers, want more and broader access. I just caution that you move with speed, but not without safeguards. Everything can be breached. Your firewalls, your apps, your website and even, as in the case of one breach, your cash registers. More important than all of this, though, is how you handle the breach when it occurs. Even with the most amazing safeguards, some pretty smart people, and governments, are hacking into private data. When it occurs, it should not be a shock to your company. You shouldn’t mobilize a task force after it happens. You should never consider this an IT problem – it is a major problem for the most senior levels of your company, and your reputation. Your company probably has, I hope, an IT Disaster Recovery (DR) plan. Does it include a data breach? Many don’t.
They worry about floods, power outages, even pandemics, but not a data breach. Even if your DR plan does include data breach, are the actions your company will take fully laid out? If you are going to use a vendor, have they been chosen and briefed and is the conduit of key information already prepped? Is the spokesman for your company prepared and ready to speak publicly immediately? In my case, the time between the public announcement of the breach and the time we received the letter was over three months. Three months! Hopefully this post will cause at least one reader to start asking questions in their company and that those questions will be well received. You don’t want to be the next company in the news, do you?

Watch out. Apple with Mayo is heading your way

Hmmm . . . That combination is pretty tasty in a Waldorf salad, but it’s a bit hard to think of other recipes that do appeal. The Apple Watch is very attractive—one analyst hoped it would be stylish enough to wear to the Oscars. (I’ll let everyone know what I decide to do next year.) But from a healthcare and health insurance Internet of Things perspective, questions still remain. Early information is that the Apple Watch’s biomonitoring functions are pretty modest: pulse and movement (and distance?). Did anyone say fitness band? Somehow “killer app” doesn’t sound quite right in this context, but that is the real question in terms of making people with serious medical conditions (or serious medical vulnerabilities) want to buy the Apple Watch. In roughly ascending order of technical and ergonomic challenges—temperature, blood pressure, glucose levels, blood chemistry of all different types, urine analysis, and (why not?) genome-driven personalized medicine—are off in the future, in some cases well beyond the horizon for a wearable (time-telling, messaging, location-revealing) device. Meanwhile there is always next year’s Oscars.

btw: about the Mayo: https://www.apple.com/pr/library/2014/06/02Apple-Releases-iOS-8-SDK-With-Over-4-000-New-APIs.html

Model Insurer Asia Summit: A quick overview

Earlier this month, I attended the Model Insurer Asia Summit at the Fullerton Hotel in Singapore. With approximately 50 delegates from across the APAC region, it was a fantastic event to learn from others, debate the key issues facing the industry, and network across the region. A total of 18 firms were recognised this year from over 8 countries, with entries ranging from large regional technology transformations through to novel uses of technology to enable propositions.

Tokio Marine presented just one such novel use of technology to enable a proposition, where an app-based avatar is employed to provide health advice for women based upon how their body is feeling, in support of a health insurance product. This solution goes as far as to include tracking the insured’s body temperature using a smartphone and a connected thermometer in order to identify when they may be coming down with an illness. I just love this idea! After talking about the potential for personal telemetry within the health insurance sector for several years now within Celent, it’s great to see a live proposition racing towards it. Since its launch in June 2013, Tokio Marine has added 250,000 users already.

The overall Model Insurer Asia winner was awarded to Max Bupa Health Insurance (MBHI) from India. Being a relatively new player in India at around four years old, MBHI had aggressive plans to launch new distribution channels whilst not losing sight of delivering an excellent customer service experience. It chose to implement a BPM solution to wrap around its existing applications, enabling it to deliver a consistent end-to-end process that achieved a 75% increase in processing capacity and a 90% improvement in service level agreements. This is a great example of how, when applied effectively, technology can truly deliver a differentiated business performance.
To find out more about these (and the 16 other finalists), a copy of the Model Insurer Asia report can be downloaded by Celent clients at http://www.celent.com/reports/celent-model-insurer-asia-2014-case-studies-effective-technology-use-insurance.

Finally, this year, we sandwiched the summit between two roundtable discussions: one on the use of digital and ‘big data’ to enable innovation in insurance; and the other on regional distribution opportunities and challenges. Round-table discussions of this nature are always a great way to get detailed insights around the main challenges facing firms quickly. Unfortunately, I can’t share too much as they’re closed sessions and “what’s said in the room, stays in the room”. However, what I can share with you is that many of the opportunities and challenges facing individual firms across the Asian region are shared with insurers from around the world. There is a growing desire to provide a more engaging proposition with the end client, a need to secure new forms of distribution, and an acceptance that effective technology is at the heart of future business performance. Sound familiar? That said, unlike perhaps some other geographic regions, regional diversity in distribution, regulation, population prosperity, language, character set, and political goals makes it more difficult for insurers, vendors and SIs / consultancies to navigate with a ‘one size fits all’ policy. It’s this diversity, coupled with the regional growth rates for emerging financial services, that makes the region one of the most fascinating to follow and one from which we expect to see a lot more innovation over the coming decade.