I’m a New Dad Scared About Pandemic-Era Day Care Safety. There’s Only One Expert I Wanted to Call. – Mother Jones
The coronavirus is a rapidly developing news story, so some of the content in this article might be out of date. Check out our most recent coverage of […]
Joliet single mom cut short COVID-19 hospital stay to care for kids
“The oldest had a cellphone and could message me,” Faundez said. “We were constantly checking on them, even overnight, and making sure they were safe. …It’s the Salvation Army’s mission […]
DOJ Emphasizes Adequate Funding in Updated Compliance Guidance | Health Care Compliance Association (HCCA)
Report on Medicare Compliance 29, no. 21 (June 8, 2020)
Whether an organization shows its commitment to compliance with dollars is a new focus of the second update to guidance on evaluating compliance programs from the Department of Justice (DOJ). In its updated Evaluation of Corporate Compliance Programs, released June 1, DOJ indicates that adequate funding of the program and its people helps distinguish between a paper and an active program.
The guidance is used by white-collar prosecutors who evaluate compliance programs when deciding whether to file fraud charges and what the charges should be. Compliance officers also use the guidance to benchmark their organization’s compliance program. DOJ published the first version in 2017 and revised it in April 2019. The Evaluation of Corporate Compliance Programs modifies the Principles of Federal Prosecution of Business Organizations in the Justice Manual.
There are detailed questions about compliance programs in the guidance, which is organized around three “fundamental questions” that prosecutors try to answer when evaluating effectiveness. The 2020 version modified the second question to refocus on resources:
“Is the corporation’s compliance program well designed?”
“Is the program being applied earnestly and in good faith?” In other words, is the program adequately resourced and empowered to function effectively?
“Does the corporation’s compliance program work” in practice?
In elaborating on resources, DOJ explained that “prosecutors are instructed to probe specifically whether a compliance program is a ‘paper program’ or one ‘implemented, reviewed, and revised, as appropriate, in an effective manner.’ [Justice Manual § 9-28.800]. In addition, prosecutors should determine ‘whether the corporation has provided for a staff sufficient to audit, document, analyze, and utilize the results of the corporation’s compliance efforts.’ [Justice Manual § 9-28.800].”
The emphasis on funding doesn’t come as a shock. “You would have to have adequate resources before you get to adequate or better effectiveness,” said attorney Gabriel Imperato, with Nelson Mullins Broad and Cassel in Fort Lauderdale, Florida.
Prosecutors have always factored in the funding of compliance programs, although it’s significant to see this in writing, said Kirk Ogrosky, former deputy chief of DOJ’s fraud section. “You can have compliance officers who are making a fraction of what other senior executives are making,” he said.
The guidance also encourages organizations to advance compliance at all times, even during an investigation, said former federal prosecutor Robert Trusiak, an attorney in Buffalo, New York. As DOJ states, “In answering each of these three ‘fundamental questions,’ prosecutors may evaluate the company’s performance on various topics that the Criminal Division has frequently found relevant in evaluating a corporate compliance program both at the time of the offense and at the time of the charging decision and resolution.” DOJ reinforces this point when it talks about the risk assessment. “Prosecutors should endeavor to understand why the company has chosen to set up the compliance program the way that it has, and why and how the company’s compliance program has evolved over time.”
In other words, Trusiak said, “effective compliance is not set it and forget it. Compliance is an iterative process.”
DOJ Revises Other Questions
DOJ’s revisions ripple through the rest of the document, which is loaded with specific questions about commitment by senior and middle management, risk assessments, due diligence, communication with employees, oversight of third parties and other hot topics.
For example, the 2019 guidance asked whether the organization’s risk assessment was “current and subject to periodic review? Have there been any updates to policies and procedures in light of lessons learned? Do these updates account for risks discovered through misconduct or other problems with the compliance program?”
The 2020 guidance drills down. “Is the periodic review limited to a ‘snapshot’ in time or based upon continuous access to operational data and information across functions? Has the periodic review led to updates in policies, procedures, and controls?”
There are also more questions about how organizations ensure that policies get in the hands of employees and vendors. For example, “have the policies and procedures been published in a searchable format for easy reference? Does the company track access to various policies and procedures to understand what policies are attracting more attention from relevant employees?” The stakes also are raised on employee awareness of the hotline. “Does the company take measures to test whether employees are aware of the hotline and feel comfortable using it?”
Imperato noted that DOJ “dwells a fair amount on third-party due diligence” and whether it continues after the deal is done. For example, DOJ asks, “What has been the company’s process for tracking and remediating misconduct or misconduct risks identified during the due diligence process? What has been the company’s process for implementing compliance policies and procedures, and conducting post acquisition audits, at newly acquired entities?”
Questions on learning from mistakes were also tweaked. “Does the company review and adapt its compliance program based upon lessons learned from its own misconduct and/or that of other companies facing similar risks?” There are other changes to questions, including, for example, about training and “monitoring investigations and resulting discipline.”
Imperato said he will attach the updated guidance to his board training, along with other documents. “This automatically becomes the benchmark…for setting up a compliance program and determining its effectiveness.”
Ogrosky noted, however, that even well-funded, effective compliance programs may fail to detect bad actors. “Fraud is a non-self-revealing offense,” he said. “The people who commit fraud at large corporations are doing it to avoid the compliance folks.” He’s referring to flat-out fraud, not a debate about whether an arrangement fits within a safe harbor, for example.
Whether fraudsters inside corporations are unmasked depends more on whether executives ask the right questions vs. looking the other way, Ogrosky said. For example, if a salesperson outperforms his or her peers 50 times over, managers should dig into it. “If a contractor is able to do what no one has been able to do, ask why, because the fraud is not self-revealing.” DOJ will expect the corporation to accept some responsibility for bad actors, even when they have good compliance programs, he said.
1 U.S. Dep’t of Justice, Criminal Div., Evaluation of Corporate Compliance Programs (Updated June 2020), http://bit.ly/2Z2Dp8R.
2 U.S. Dep’t of Justice, Justice Manual, Principles of Federal Prosecution of Business Organizations, § 9-28.000 (2020), http://bit.ly/2GtxXFt.
The post DOJ Emphasizes Adequate Funding in Updated Compliance Guidance | Health Care Compliance Association (HCCA) appeared first on National Cyber Security.
For FastMed Urgent Care, speed and efficiency are about much more than creating operational excellence. It translates into prompt, personal, and high-quality medical care where and when patients need it. With a laser focus on providing best-in-class family and occupational healthcare, FastMed is constantly looking for […]
The medical field has undergone massive digitization in recent years with the emergence of interconnected medical devices and the broader exchange of health care information. In less than a decade, nearly all hospitals and physician offices have adopted electronic health record (EHR) systems.[i] But the adoption and investment related to cybersecurity has been slow. According to the Health Care Industry Cybersecurity Task Force, “a majority of the health care sector made financial investments in cybersecurity only in the last five years.”[ii] This expansion of digitizing critical information without an investment in cybersecurity has, in large part, led to the current environment where health care providers are easy targets for attackers. In a 2017 report, the American Medical Association found that 8 out of 10 physicians had experienced a cyberattack in practice.[iii]
In fact, 2017 introduced some of the largest and most widespread cybersecurity attacks in recent memory. The health care industry was shown to be particularly vulnerable to these threats. In 2018, health care providers should be on the watch for the following threats and should take efforts to protect against them.
Ransomware Will Continue to Plague Providers
Ransomware is malware that exploits vulnerabilities in a system to encrypt or remove access to the information stored on the system. The infected system displays a message informing users that their data will not be released unless they pay the demanded ransom. Industries where access to information is critical to providing services—such as health care—are particularly targeted by such attacks.
Health care providers will remember 2017 as the year of large ransomware attacks, starting with the WannaCry ransomware attack, which spread to over 150 countries and infected more than 400,000 machines in just two days.[iv] The United Kingdom’s National Health Service was hit hardest by this attack, causing it to cancel nearly 7,000 appointments – including operations – as a direct result of the attack.[v] Hospitals here in the U.S. were also affected by this attack, including medical devices such as Bayer’s MedRad device that assists in MRI scans.[vi] WannaCry was followed by another global ransomware attack in June 2017 known as NotPetya. Several hospital systems and other health care entities were impacted by this attack, including Merck, one of the U.S.’s largest pharmaceutical manufacturers.[vii] Health care providers can expect to see more of the same in 2018, as neither their vulnerabilities nor their mitigation efforts have drastically changed.
Targeting of Connected Medical Devices
The potential vulnerabilities in medical devices have long been on the radar. Successful hacks dating back to 2011 have affected a variety of medical devices, ranging from insulin pumps to pacemakers.[viii] Medical devices connected to a broader computer network have been used as easy access points for attackers to gain unauthorized entry to the network. In 2013, the Department of Homeland Security (DHS) issued a warning that 300 medical devices tested for cybersecurity vulnerabilities all failed to meet minimum standards.[ix] This warning spurred the Food and Drug Administration (FDA) to issue recalls due to cybersecurity vulnerabilities and, in 2016, to issue cybersecurity guidance for medical devices.[x] This year, Congress took notice, and the Medical Device Cybersecurity Act of 2017 was introduced.[xi] Although the bill failed to pass, by all indications regulatory and legislative actions seeking to address this concern will continue in 2018.
In the meantime, medical devices remain extremely vulnerable. Unlike other devices that receive multiple and frequently automatic updates that may protect against certain security holes, medical device manufacturers remain slow to update their products, and the process for implementing updates may be less user friendly. Further, the fact that hospitals and similar health care entities “typically have 300-400% more medical equipment than IT devices”[xii] provides more possible targets for hackers seeking access to a provider’s networks.
Falsification of Electronic Medical Records
As an increasing number of providers deploy certain protections (backups, frequent updates, etc.) against ransomware and refuse to pay the demanded ransoms, cybercriminals undoubtedly will turn to other methods that could increase the potential harm to providers and lead to higher ransom payments. One change we may see in 2018 is the possibility that hackers, instead of making data within a medical record unavailable or encrypted, will simply change the stored data so that it is inaccurate.[xiii] If providers have no way of knowing what information in the medical record is accurate, substantial liability may arise from issuing a contraindicated prescription, amputating the incorrect leg, or being falsely alerted that a patient has flatlined. The possibility that these attacks could even more directly threaten life or safety of patients presents an opportunity for attackers to exploit and profit from ransom demands at a greater degree.
These three potential areas of cybersecurity concern, along with many others (such as mobile device and vendor security), will continue to trouble providers in 2018. As we head into the new year, health care entities should take steps to protect their information systems, the medical information they create, and the patients they serve.
The post Top Three Health Care Cybersecurity Threats for 2018 appeared first on National Cyber Security Ventures.
Anyone living through today’s news cycle who does not recognize cybersecurity as an issue is simply not paying attention. But, until recently, most manufacturing companies have considered it someone else’s issue. Most reported cyber incidents have been aimed at acquiring large caches of consumer data (think breaches at Target affecting 70 million consumers, and Verizon affecting 40 million consumers.) Hackers were historically intent on identity theft, and the acquisition of consumers’ personally identifiable information (PII) is a first step toward that goal. Most manufacturers do not deal directly with consumers or collect their data, so many put cybersecurity on the back burner. However, a recent study found that the manufacturing sector is now the second most frequently hacked industry, after healthcare. (2016 Cyber Security Intelligence Index, IBM X-Force Research.)
Recent cyber breaches have gone far beyond collecting consumer PII. Cyber criminals (and some foreign countries) are after trade secret technology and IP — yours, your vendors’, and your customers’. Losses from these breaches can include direct payments in the form of “ransom” for shutting down your computerized systems and holding your data hostage (ransomware); business email compromises (BECs), where inside information about upcoming transactions or wire transfers are mistakenly directed to a cybercriminal by your own employees under the misapprehension they are acting on the instructions of a senior executive (phishing); or loss of employee PII or a whole host of other information you may not realize is accessible to a sophisticated cybercriminal.
All Modern Manufacturing Systems are Susceptible to Exploitation. Think about your company’s reliance on computerized industrial control systems (ICS) and supervisory control and data acquisition (SCADA) systems, employees’ use of multiple data storage devices (servers, laptops, smartphones, social media), your vendors’ and customers’ everyday access to your systems to streamline communications or production, cloud computing, vindictive or disgruntled employees with access to sensitive information, or innocent employees opening an email link or attachment without verifying the source. Any and all of these may provide points of entry for a determined hacker or data phisher. Target’s massive data breach in late 2015, for instance, was engineered through access unwittingly provided by a company HVAC vendor that did not have a secure system, despite Target’s own otherwise sophisticated and thorough security and breach prevention program.
Ransomware/BEC attacks have not distinguished manufacturing companies from other targets. A hacker may gain access to a company’s computerized systems by means of an insider/employee opening an official-seeming link or attachment in an innocent-seeming email, and implant a virus into the system that holds critical data hostage or shuts down critical functions. Even payment of the demanded “ransom” to unfreeze the system may not guarantee a return of data or normal functionality.
Data and System Breaches are Expensive. Costs can include business disruption, product discounts, forensic and investigative activities, loss of customers, litigation and regulatory, and reporting costs. According to the 2017 Cost of Data Breach Study recently released by the Ponemon Institute, the total organizational cost per data breach incident for the U.S. was $7.35 million last year, the highest of the 13 countries studied. The study did not address loss of competitive advantage when trade secret technology and IP are stolen, which could be substantially more costly; the U.S. Federal Bureau of Investigation (FBI) estimated that $400 billion of intellectual property leaves the U.S. every year as a result of cyberattacks targeted at manufacturing companies.
BECs increased 2,370% between January 1, 2015 and December 31, 2016, with victims reporting losses of $346 million. The FBI estimated in a May 2017 alert that such crimes have caused losses of $1.6 billion in the U.S. since 2013 and $5.3 billion globally. For instance, in 2015 paint manufacturer Sherwin-Williams reportedly sent $6.5 million to overseas bank accounts of Russian criminals due to BECs.
How Can You Fight Back? There are a number of protections available to manufacturing companies, many of which are relatively inexpensive.
- Train your employees. People are the weakest link in cybersecurity, since hackers can access your systems through a single point of contact. If employees are alert to potential email threats, confine their work to your secure network, and limit postings on social media, many potential attacks can be blocked.
- Use two-step authentication to mitigate threats from BECs. Companies that require confirmation of funds transfer requests by secure telephone or a secondary sign-off by company personnel can virtually eliminate unauthorized transfers.
- Segment your network on a “need to access” basis. This practice limits accidental transfer of critical data and prevents a hacker from using one point of entry to move a virus or malware through your entire system.
- Encrypt critical data and back up your systems regularly.
- Audit your vendors’ and contractors’ cybersecurity systems. Contractual provisions can create cybersecurity duties for your business partners and give you the right to examine their systems for weaknesses that might otherwise compromise your network.
- Use penetration testing or public domain audits regularly to ensure that your sensitive information is not accessible online.
- Apply software patches and update your systems on a timely basis. Operators of ICS/SCADA tend not to update or apply software patches because these require system downtime or gaps in service, but most of the systems hacked in recent ransomware attacks were running out-of-date software, and the attacks could have been foiled if the victims had simply applied manufacturer-supplied patches regularly.
- Check the NIST Guide to Industrial Control Systems (ICS) Security for additional cybersecurity guidance.
- Have a response plan in place in case of a breach.
- Look into cyber insurance to mitigate the cost of a cyber incident. The current insurance market is competitive and well-priced, so you should be able to negotiate for the appropriate protection.
While it is impossible to create impenetrable systems, be aware that hackers tend to go after low-hanging fruit. The more protections you implement, the less likely you are to experience a debilitating cyber-attack.
The post Cybersecurity 101 for Manufacturers: Why Should You Care? appeared first on National Cyber Security Ventures.
The Affordable Care Act, also known as “Obamacare,” came into play in March of 2010. The three primary goals of the Affordable Care Act were: Make affordable health insurance more readily available: the law actually provides consumers with premium tax credits that lower the costs of insurance within household where…
The post How the Affordable Care Act Impacted Cyber Security for HealthCare Providers appeared first on National Cyber Security Ventures.
PHILADELPHIA (CBS) — The owner of a day care center in Philadelphia has been arrested and charged with raping at least two children left in his care. Police say 53-year-old Duncan Round of Medford Lakes, New…
The post Police: Day Care Center Owner Sexually Assaults Two 5-Year-Old Children appeared first on Become007.com.