Kusserow on Compliance: Most data breaches are financially motivated by outside parties

71 percent of breaches last year were financially motivated

C-Suite Executives 12 times more likely to be a target

Ransomware attacks account for one out of four cyber-attacks

Safeguarding Tips from Strategic Management

According to the Verizon 2019 Data Breach Investigations Report (DBIR), 71 percent of breaches were financially motivated and 69 percent were perpetrated by outsiders. This 12th edition of the annual report analyzed 41,686 security incidents, which included 2,013 confirmed breaches. This year’s report included new metrics and analysis from the FBI Internet Crime Complaint Center (IC3). Not surprisingly, the C-Suite was the major target, because its members are in a position to transfer money. They were found to be twelve times more likely to be the targets of breaches. Also, time-pressed senior executives tend to move quickly in reviewing and clicking on emails, resulting in a greater likelihood that suspicious emails slip through. On a positive note, attacks against HR personnel have rapidly declined in recent years, in large measure as a result of W-2 tax form scams almost disappearing as a problem. Some other interesting statistics from the report:

  • 52 percent of breaches involved hacking
  • 33 percent of breaches included social attacks
  • 28 percent of breaches involved malware
  • 32 percent of breaches involved phishing
  • 29 percent of breaches involved the use of stolen credentials
  • 21 percent of breaches were caused by errors
  • 56 percent of breaches took months or longer to discover

 

Safeguarding Tips from Strategic Management

  • Brief executives, as the prime targets, on avoiding cyber-attacks
  • Train employees not to click on email links/attachments, or respond to “phishing” inquiries
  • Provide ongoing employee and contractor training on what to do and not to do
  • Implement policies/procedures for precautions against malware
  • Conduct a risk assessment to understand threats presented by an insider
  • Regular systems tests can also help flag vulnerabilities before a hacker can get in
  • Configure email servers to block zip or other files that are likely to be malicious
  • Continuously monitor employee and vendor networks
  • Conduct regular systems tests to flag vulnerabilities before a hacker can gain access
  • Update and upgrade software
  • Use encryption to guard against information being read by unauthorized parties
  • Establish multi-factor authentication
  • Regularly test users to make sure they are on guard

For more information on health care provider cyber-security, contact Dr. Cornelia Dorfschmid at cdorfschmid@strategicm.com or at (703) 535-1419.

 

Richard P. Kusserow served as DHHS Inspector General for 11 years. He currently is CEO of Strategic Management Services, LLC (SM), a firm that has assisted more than 3,000 organizations and entities with compliance related matters. The SM sister company, CRC, provides a wide range of compliance tools including sanction-screening.

Copyright © 2019 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: Measuring culture using compliance benchmark surveys

– Evidencing compliance program effectiveness

– Provides quantifiable compliance program effectiveness metrics

– Internally developed and administered surveys lack credibility

The Sentencing Commission in its Federal Sentencing Guidelines states that businesses must “promote an organizational culture that encourages ethical conduct and a commitment to compliance with the law.” The OIG in its Compliance Program Guidance for Hospitals noted that “as part of the review process, the compliance officer or reviewers should consider techniques such as…using questionnaires developed to solicit impressions of a broad cross-section of the hospital’s employees and staff.” Daniel Peake of the Compliance Resource Center explains that a culture survey can identify gaps between the compliance culture that is intended and the one that employees actually experience. Importantly, it can identify whether the investments in the compliance program and employee attitudes and perceptions are truly aligned. Surveys of this type can measure employee perceptions regarding day-to-day management behavior. However, to be truly useful, the culture survey should be professionally developed, tested, validated, and independently administered. It would be best if responses to the individual questions can be evaluated, analyzed, and benchmarked against a large universe of organizations that have used the same questions. This permits comparisons to industry peers and national averages. Using the same survey every couple of years can assist in benchmarking and monitoring progress of a compliance program against its own results (i.e., trending historical company survey data). Results from a survey report should provide enormous value in identifying organization strengths as well as opportunities for improvement. This can help ensure the organization is on a track towards creating an organizational compliance culture of the highest quality.
It can provide great insights into how effective the compliance program has been in changing and improving the compliance of an organization and signal not only strengths in the compliance program, but areas of potential weakness warranting attention. Culture surveys can measure:

  • beliefs and values that guide thinking and behavior of the workforce;
  • outcomes or the “impact” of compliance program activities;
  • the extent to which individuals and leaders demonstrate commitment to compliance; and
  • the current state of the compliance climate or culture.

 

For more information, contact Daniel Peake at dpeake@complianceresource.com or 703-236-9854.

Copyright © 2018 Strategic Management Services, LLC. Published with permission.

Kusserow on Compliance: OIG Advisory Opinion 18-14

The OIG’s continued interest and concerns about arrangements that could implicate the Anti-Kickback Statute were reaffirmed recently by another advisory opinion on the subject. A drug company (Requestor) that markets an injectable drug to treat a specific and rare form of epilepsy (the Syndrome) raised the concern with the OIG. The Requestor sought an advisory opinion as to whether the arrangement would be susceptible to sanctions related to the federal Anti-Kickback Statute (AKS). The proposed arrangement would have the Requestor providing a drug to hospitals on a consignment basis, at no cost to the hospitals or any payors, to treat inpatients diagnosed with the Syndrome. In addition, the company would provide additional free vials to patients who are uninsured after they are discharged. The OIG found that the proposed arrangement implicates the AKS, in that free provision of the drug would constitute remuneration to hospitals that serve as a referral source for the drug. Specifically, hospitals would serve as a direct referral source when their employed physicians prescribe the drug to inpatients or outpatients. Hospitals could also serve as an indirect referral source for the drug through inclusion of the drug in the hospitals’ drug formulary, thereby keeping it stocked and readily available to prescribing physicians. In this manner, the arrangement could induce hospitals to arrange for or recommend additional future purchases of the drug. The OIG highlighted the arrangement’s risks with respect to over-utilization, increased costs to federal health care programs, corruption of medical decision-making, patient steering, and unfair competition.

 

Copyright © 2019 Strategic Management Services, LLC. Published with permission.

NGE IP Focus Life Sciences issue now available

As intellectual property practitioners working in the life sciences industry, we are positioned to engage with innovative scientific advances as well as emerging legal issues impacting the ability to secure and maintain patent protection for these advances. The legal issues encountered run the gamut from niche issues specific to the life sciences industry to intellectual property issues of general applicability across industries. In this issue of NGE IP Focus, we highlight some recent legal decisions in the life sciences industry that illustrate the depth and breadth of legal issues encountered in the field.