Black Energy
Jun 14, 2018

No, not the stuff that astrophysicists are trying to figure out. Black Energy is the name of a hacker tool that Russian agents used to attack the Ukraine's power system last year. It has a near clone called VPNFilter. Why care? Well, gangs of hackers, like the much feared APT28 (probably Russian, but who can tell?) have been using these and other tools to probe systems around the globe. According to a Forbes article reprinted by Advisen, these tools were recently used to hack some 500,000 routers in 54 different countries. Ukraine was hit the hardest but there was plenty of damage to go around.

This new wave of attacks, which started in 2016 and continues, points out yet another area of vulnerability in the complex of servers, routers, VPNs, and other hardware/software that we all depend on every day. VPNFilter attacked routers from a range of vendors, including Linksys, MikroTik, Netgear, and TP-Link, which had publicly-known vulnerabilities. In other words, the black hats are not targeting just a few high profile corporate or government systems. They are targeting the internet using public - all of us - going after the devices you have sitting next to your laptop on your desk at home.

According to US and UK government reports, what we've seen thus far have been mere probes, trial runs, but it appears the attackers are planning something significant further along the line. They may be constructing a "kill switch" with a destructive capability that can render an infected device unusable, which can be triggered on individual victim machines or en masse, and has the potential of cutting off internet access for hundreds of thousands of victims worldwide in a single stroke, according to researchers at Cisco. That's the nuclear option, folks.

What does this mean for risk management? The ransom attack on Atlanta's municipal systems reported here a few weeks ago inadvertently suggests a possible response. When the city's primary systems were incapacitated by hackers demanding a bitcoin ransom, the city switched into alternative modes. They went back to using (gasp) telephones and snail-mail, even writing information down by hand - on actual paper. It just may be that your best defense against 2018 attacks like Black Energy might be keeping a few components from, say, 1990 handy.

Back in 1989 when the massive Loma Prieta earthquake smashed up the San Francisco Chronicle's computerized systems, they wrote the next day's 8 page special issue of the Chronicle newspaper on typewriters by lamplight, pasted it together and found presses that could still run. The next morning, the good old Chron was on everyone's doorstep, if they still had a house, that is. What would you do in a similar pickle? (Yes, The GB Journal still has a 1950 top of the line Royal manual typewriter on standby. Can't be too careful.)

"Ban the Box" vs Risk Management

Here's another reason to stay in close touch with the folks in HR. More and more states are adopting various versions of the "ban the box" concept which requires employers to remove the "have you ever been convicted" question from job applications. Instead, employers must now implement a cumbersome, multi-step process in which the criminal conviction question is asked only after a preliminary hiring decision.

We mention this because the post hiring process represents a new challenge for both HR and risk management. The legal issues involved are complex, as outlined in a recent article in the SheppardMullin Employment Law blog. Some recent court decisions, especially in California, have expanded the doctrine of "negligent hiring," to make matters more complex. For example, the authors of the SheppardMullin blog posts note: "if an employer fails to perform a sufficient background check, or hires an employee despite a similar past conviction, a court very possibly will find that the employee's violent actions were foreseeable." Got that?

A very recent California decision (case number S236765 in the Supreme Court of the State of California) does offer some insight into current thinking about this question. The carrier tried to deny coverage for a suit based on negligent hiring under a general liability policy based on the intentional nature of the employee's criminal acts while employed. While this decision involves some special circumstances, the court's determination that coverage applies will, in the words of the employer's attorney, "be significant for employers, as it will provide certainty that insurance policies will provide coverage for negligent hiring and supervision claims, unless there is an express exclusion for such claims."

This Journal does not offer legal advice, but it strikes us that now might be a good time to review your applicable liability coverages to determine whether your organization is adequately protected in this new environment. Are there any of those "express exclusions" noted above? Confer with your colleagues in HR. Are your post offer investigation processes robust enough to ensure coverage if something tragic happens?

Telemedicine: Straws in the Wind

The role of telemedicine in American healthcare appears to be growing quickly. With the widespread use of Skype and similar services like ooVoo and advanced teleconferencing technology, using your smartphone or laptop for a doctor appointment no longer seems odd. While the debate over the appropriate uses of telemedicine and how it applies in one type of care, say the ongoing monitoring of chronic, age-related conditions, as opposed to other types, such as the diagnosis and treatment of orthopedic injuries, continues, we see some developments that tell us it is becoming an established presence in American healthcare.

For example, The Associated Press - NORC organization recently polled a cross section of US citizens concerning their acceptance of telemedicine. While their specific area of concern was telemedicine in long term care, the findings are relevant for workers' comp as well. Some 80% of Americans over age 40 say they have no problem using telemedicine. This is almost exactly the same percentage as those under 40. In fact, the only generational difference the poll uncovered was that those over 40 are slightly more reluctant to use text to discuss medical issues. This is a dramatic rate of acceptance for a service almost unheard of less than ten years ago.

In the insurance business we all know that nothing is real until it's been billed. In response to the Office of the Inspector General's new effort to audit telemedicine charges and reimbursements in Medicare and Medicaid, announced a year ago, the good people at The Coding Institute (TCI) have just brought out an extensive new Telemedicine & Telehealth Handbook for Medical Practices 2018. This new publication looks at every aspect of telemedicine, not just how to code the services. For example, it includes chapters on specific applications of telemedicine in managing chronic conditions, how to measure outcomes, and updates on new telemedicine terminology and CMS regulations.

In other words, telemedicine now has all of the mechanisms in place to operate like any other species of healthcare. It's no longer cutting edge or hovering just offstage in the near future. Now it's part of how we get our work done every day.

Pain and Suffering

Back in the day, say 404 BCE, if listening to another long oration in the Agora of Athens by Pericles gave you a splitting headache, you went to see Hippocrates of Kos. He probably gave you fresh shoots from the white willow to chew on - and it worked. The bark of the willow contains natural aspirin. Nowadays, it's not quite so simple. Case in point - the May 29 edition of Risk & Insurance's WorkersComp Forum had two reports on new developments in pain treatment that may be coming soon to a workers' comp or liability claim near you.

Researchers are looking seriously into the rave drug, ecstasy, as a treatment for PTSD. It appears to have a positive effect, although the research is still very new. While PTSD is considered within the scope of comp in only a few states, note that PTSD can be a clinical component in liability claims as well. As marijuana gains acceptance as a treatment for certain types of pain and related symptoms, ecstasy may be on the same track.

Meanwhile, researchers at Cedars-Sinai in Los Angeles are having notable success in using a type of virtual reality (VR) sessions to relieve chronic pain in orthopedic injury cases. Again, the work is very preliminary, but the potential for VR to replace opioids or marijuana or other drugs, all of which have potential side effects, is too promising not to follow up.

You may see some unusual items in your "pharmacy" spend in coming years, but the good news for all is that the empire of pain is being pushed back. Indeed, Hippocrates tells us: "wherever the art of medicine is loved, there is also a love of humanity."


Share This
* Required Fields