Tag Archives: department of defense

Has an International Cyber War Begun?

Cyber attacks were once on the periphery of American business consciousness. That mindset changed over the past two years. A series of devastating events, including the 2014 cyber attack against Sony, catapulted cyber liability concerns from an IT department issue to a major priority for boardrooms across America. As U.S. government officials concluded that North Korea was behind the attack, many C-suite executives suddenly found themselves asking questions. Is this the start of a cyber war? Could we be the next victim? If we are, how will it affect our operations and our bottom line? Do our insurance policies cover any of these costs?


Today, many insurance buyers look to their cyber insurance policies to fill coverage gaps that often exist in other policies. For example, a property policy may respond to physical damage from a named peril, but it will likely exclude loss for non-tangible assets as a result of a cyber attack. Similarly, a commercial general liability policy will likely provide liability coverage for causing bodily injury because of negligence but exclude coverage for liability because of a failure to secure sensitive data from hackers.

Many policyholders may be unaware that some, though not all, of these cyber policies contain specific terrorism and war exclusions. As a result, gaps in cyber insurance coverage can exist in cases like the Sony breach, where government agencies, like the FBI, conclude that a foreign government or terrorist organization is responsible for the attack.

Is a Cyber Attack “Terrorism” or “War”?

Immediately following the Sony attack, President Obama referred to it by saying, “I don’t think it was an act of war . . . but cyber vandalism.” Then, on April 1, 2015, President Obama signed the Executive Order on Cybersecurity with the goal of protecting the private sector against hackers and thereby bolstering national security. The order seeks to identify and punish individuals behind attacks, but it could also lead some to categorize an apparent hacking event or act of cyber terrorism as an “act of war.”

Changes in government definitions trickle down into coverage disputes because many policies that exclude or include “war,” “terrorism” or “cyber terrorism” either fail to define those terms or define them by referring to standard government definitions.

Government Definitions of Terrorism, Cyber Terrorism and War

THE TERRORISM RISK INSURANCE ACT (TRIA)

“Act of terrorism” is defined as any act certified by the secretary of the Treasury in concurrence with the secretary of State and the attorney general of the U.S. to be:

» an act of terrorism

» a violent act or an act that is dangerous to human life, property or infrastructure

» an act resulting in damage within the United States or outside (on a U.S.-flagged vessel, aircraft or U.S. mission)

» an act committed by an individual or individuals acting on behalf of any foreign person or foreign interest, as part of an effort to coerce the civilian population, U.S. policy or the U.S. government.

The secretary of the Treasury may not delegate his certification authority, and his decision to certify an act or not is not subject to judicial review.

DEPARTMENT OF DEFENSE (DOD)

The DOD defines “terrorism” as “the unlawful use of violence or threat of violence, often motivated by religious, political or other ideological beliefs, to instill fear and coerce governments or societies in pursuit of goals that are usually political.” The term “act of war” is understood to mean “a use of force [that may] invoke a state’s inherent right to lawful self-defense.”

DEPARTMENT OF JUSTICE (DOJ)/FEDERAL BUREAU OF INVESTIGATION (FBI)

The FBI defines “cyber terrorism” as “the premeditated, politically motivated attack against information, computer systems, computer programs and data [that] results in violence against non-combatant targets by subnational groups or clandestine agents.”

DEPARTMENT OF HOMELAND SECURITY (DHS)

The National Infrastructure Protection Center (NIPC) (formally a branch of DHS) defines “cyber terrorism” as “a criminal act perpetrated through computers resulting in violence, death and/or destruction and creating terror for the purpose of coercing a government to change its policies.”

Cyber Terrorism and the ‘Act of War’ Exclusion

Cyber policies are relatively new and manuscript products; as such, the wording varies significantly. Many policies contain a standard exclusion for “war, invasion, acts of foreign enemies, hostilities (whether war is declared or not), civil war, rebellion, revolution, insurrection, military or usurped power, confiscation, nationalization, requisition, or destruction of, or damage to, property by or under the order of any government, public or local authority…” An attack by the Taliban, for example, would probably fit within the exclusion as an act sponsored by a “public or local authority.”

Traditionally, war exclusions were relatively narrow; they required an actual war or, at the very least, “warlike operations”; “for there to be a ‘war,’ a sovereign or quasi-sovereign must engage in hostilities.” Pan Am. World Airways, Inc. v. Aetna Cas. & Sur. Co., 505 F.2d 989, 1005 (2d Cir. 1974) (finding that a Jordanian terrorist group that hijacked a plane was not a de facto government for the purposes of applying the war exception).

However, the events of Sept. 11, 2001, changed the way certain events and groups were perceived and classified, ultimately leading many to label the 2014 cyber attack on Sony an “act of war.”


Litigation surrounding the Sept. 11 attacks led directly to an expanded view of the war exclusion. For one thing, the Second Circuit Court of Appeals ruled that the attacks were an “act of war.” In In re Sept. 11 Litig., 931 F. Supp. 2d 496, 512 (S.D.N.Y. 2013), an owner of a building near the site of the World Trade Center attacks sought to recover cleanup and abatement expenses for removing pulverized dust that infiltrated into the owner’s building after the collapse of the Twin Towers. He sued under the Comprehensive Environmental Response, Compensation, and Liability Act [CERCLA], which allows strict liability claims in pollution cases, but the court applied CERCLA’s “act of war” exception to strict liability.

In concluding that the attacks were an act of war, the court commented that “Al Qaeda’s leadership declared war on the United States, and organized a sophisticated, coordinated, and well-financed set of attacks intended to bring down the leading commercial and political institutions of the United States,” id. at 509, and that “as we learned in the twentieth century, and as has been true throughout history, war can take on a formal structure of armies in contrasting uniforms confronting each other on battlefields, and war can persist for years, fought by irregular, insurgent forces and capable of causing extraordinary damage,” id. at 511.

This expansion of the legal definition of “act of war” to include acts by “irregular, insurgent forces and capable of causing extraordinary damage” could lead to attacks by hacktivist groups or foreign intelligence services being considered acts of war and therefore excluded from cyber policies.

Cyber Insurance and TRIA

The Terrorism Risk Insurance Act (TRIA) is a government program designed to provide a backstop for reinsurers in the event of large terrorism-related losses (more than $100 million). There is debate over whether TRIA applies to cyber policies at all. TRIA applies to commercial property and casualty insurance coverage, but some cyber policies are written as another line of coverage, such as professional liability, which is not included in TRIA.

Even assuming that TRIA would apply to cyber insurance, for TRIA coverage to be in effect, (1) there must be losses, resulting from property damage, exceeding $100 million; and (2) they must be caused by a certified terrorism event:

(1) Property Damage: For TRIA to apply, physical property damage must occur, and what constitutes “physical damage” in the context of a cyber attack remains an open question. What we do know is that TRIA will probably not cover business interruption or reductions in business income absent some physical loss or property damage. Many cyber attacks do not involve any physical damage, which would exclude TRIA coverage.

(2) A Certified Terrorism Event: For TRIA to apply to any event, the event would need to be certified as an act of terrorism. This onerous and political certification process requires the secretary of the Treasury, secretary of State and attorney general to agree that an incident was an “act of terrorism.” Many political and economic issues factor into certifying a terrorism event, which can lead to counterintuitive results. For instance, as of the date of this publication, the April 2013 Boston Marathon bombing has not been certified as a terrorist act.

Conclusion

To ensure coverage for cyber terrorism and cyber warfare, buyers of cyber insurance will need to seek out a cyber risk insurance policy that explicitly includes this coverage in the broadest terms possible. As more insurance carriers enter the cyber insurance market, one must be wary that policy terms will vary from one policy form to the next, and some will have coverage terms superior to others.

5 Apps That May Transform Healthcare

Talk about being in a room with a lot of smart people! Wow!

HITLAB, a healthcare innovation technology and teaching lab based in New York, just sponsored its second annual World Cup event at Columbia University for aspiring healthcare technology entrepreneurs and start-ups. The HITLAB staff, who blew me away with their creative energy, brought together the best and the brightest in academia, the business world, the insurance industry and the healthcare technology sector for this two-day event.

Out of 192 applicants, five finalists were selected to present potentially revolutionary technology and ideas on a wide range of global public health problems that have been around since the time Moses wore short pants and that someday soon may have the kind of impact Louis Pasteur and Steve Jobs did.

The beauty of these five finalists is that their solutions are so simple that even someone from Jersey City like me can easily understand. The health insurance industry and the malpractice insurance industry should stand up and take notice.

Noninvasix — Keeping Babies Safe

For starters, what if we could reduce brain injuries in newborns by 90%? That is what the CEO of Noninvasix (www.noninvasix.com), Graham Randall, PhD, MBA, based in Houston, is working on. The technology is designed to monitor the levels of oxygen molecules in the brains of infants; lack of oxygen causes many permanent brain injuries. This technology was originally funded by the Department of Defense and the NIH, among others, to address traumatic brain injuries in wounded veterans and other adults. Randall’s colleagues discovered a way to use this technology, known as an optoacoustic oxygenation monitor, to detect brain oxygenation levels in babies during active labor.

Gary Hankins, MD, who is the vice chair of the American College of Obstetrics and Gynecology Task Force on Neonatal Encephalopathy and Cerebral Palsy, said, “This technology has the potential to eliminate up to 90% of cases of hypoxic ischemic encephalopathy and subsequent permanent injuries such as cerebral palsy.” The problem with simply using current technology such as a fetal heart monitor, which dates back 40 years, is that it does not accurately measure the levels of oxygen in the brain. In fact, 80% of results are indeterminate or unknown. The new technology can help prevent brain hypoxia (or lack of sufficient oxygen) at birth, which is responsible for 23% of neonatal mortality in the world.

This technology may also help revolutionize obstetrics. OB-GYN physicians have the highest rate of malpractice insurance, with reported annual premiums as high as $200,000 in some states. More than 75% of OB/GYN physicians have been sued for malpractice, with an average of 2.7 lawsuits per physician. Most lawsuits relate to neurologically impaired infants, whose issues get blamed on the doctor during delivery. It has been reported that as many as 50% of OB-GYN physicians have cut back on their practice because of the fear of malpractice claims. Many have moved their practices to states that have less expensive premiums because of legislative caps on liability.

Hospitals, healthcare systems and health insurers should also take notice because the rate of unnecessary surgery has been widely believed to be too high since I walked the hallowed halls of Columbia University 34 years ago. C-section rates have, in fact, nearly doubled over the past 10 years from 17% to 34% of all births in the U.S. The World Health Organization (WHO) recommends C-section rates in the range of 10-15%. The Joint Commission on the Accreditation of Hospitals now requires hospitals to report C-section rates, and many health insurers now pay a bundled rate for deliveries and not a separate, higher rate for C-sections. Many health researchers believe the high rate of unnecessary C-sections is because of the fear of malpractice lawsuits, and Graham Randall believes that false positives from fetal heart monitors also play a huge role. C-sections are the most common surgery in the U.S., with 1.2 million performed each year, and they carry risks such as blood clots and surgical infections to both mother and baby.

Ceeable — Preventing Blindness

Chris Adams, the CEO of Ceeable, based in Somerville, Mass. (www.ceeable.com), won this year’s World Cup competition. “I am here to prevent blindness,” he said. Ceeable was formed in 2014 to commercialize a mobile digital eye exam platform that was co-invented with Dr. Wolfgang Fink at Caltech with assistance from scientists at NASA, the University of Arizona, the Doheny Eye Institute at UCLA and the Jet Propulsion Laboratory in Pasadena.

This mobile field test is a perfect example of the potential for telemedicine. Current technology, used by ophthalmologists, optometrists and eye care clinics in strip malls across America and around the world, is expensive and not very mobile. Today’s eye exams are tedious. (Bats have much better eyesight than I do, so I have experience with tests.) The equipment typically costs $35,000 and weighs roughly 100 pounds. By contrast, Ceeable only needs a tablet with a touch screen and the Internet to perform 3-D early detection of glaucoma, macular degeneration, other causes of vision problems and the actual onset of blindness.

The test is user-friendly and can be performed anywhere in the world. The test can even be performed at home, which is brilliant. Although health insurers pay for eye exams at no cost under the ACA, patients are typically limited to two visits per year. With this inexpensive mobile device, people at risk can perform tests as often as they like.

More than 285 million people worldwide suffer from diseases that cause blindness, such as diabetic retinopathy, glaucoma and age-related macular degeneration. The Ceeable technology is now deployed in vision clinics in the U.S., Mexico and Russia and will soon be available in developing countries.

Rubitection — Managing Bedsores

Sanna Gaspard, the CEO and founder of Rubitection, based in Pittsburgh, received her PhD from Carnegie Mellon University, and her start-up has developed a handheld diagnostic device and software system to modernize the detection and management of bedsores. Rubitection has been part of Project Olympus at the Carnegie Mellon incubator program.

When I met her, I interrupted her within 60 seconds and said, “I get it.” My mother ended up in a nursing home when she was overcome with organic dementia. She became so fragile from old age that the nurses could hardly touch her skin without it turning black and blue. They also had to check her frequently for bedsores. 

Turns out I didn’t get it about bedsores at all. What I didn’t know, until Gaspard told me, is that bedsores can be life-threatening. Complications from bedsores, such as infections, kill 60,000 people every year in the U.S. The average cost to treat bedsores in acute cases is $43,000 each and may reach $70,000; there are more than 2.3 million bedsore cases a year in the U.S., costing $11 billion in total.

Medical expenses resulting from bedsores are not reimbursable under Medicare if they developed after someone was admitted to a facility. The facility has to eat the costs.

Current technology that monitors for bedsores is very expensive and difficult to use. The current standard of care is typically a manual skin palpation and visual inspection. The Rubitech Assessment System (RAS) provides a reliable early detection handheld device for patients at risk of bedsores, helping to address a global public health problem that I didn’t even know existed beyond discomfort and pain for the patient. Rubitection (www.rubitection.com) came in a well-deserved second place.

Now I get it.

Homeward — Getting the Medication Right

Joe Gough, president and CEO of Homeward Healthcare in Toledo, Ohio (www.homewardhc.com), told how his six-year-old son was misdiagnosed at a hospital emergency room and was sent home with the wrong medication. All his vital signs crashed. Luckily, his life was saved upon readmission, and today he is a healthy young man. Many others are not so fortunate.

Again, I immediately could relate to misdiagnosis and incorrect medications. My dad was diagnosed with congestive heart failure, and his cardiologist told me he had two months to two years to live. Several months later, I got a call: “You have to come home because your father is in the hospital, and we need to amputate both his legs because he is not getting enough blood circulation down there. We need you to tell him.”

I hopped on the next flight. When I told my dad the situation, he had the perfect answer: “Throw me out the window now.”

Turns out he was on all the wrong medications, and the poor circulation in his legs was actually more because of blockage in his carotid artery. The plan to amputate his legs would have done nothing to save his life. I got him admitted to a new hospital with a new cardiologist. My dad got to live a couple more years before he finally took his first day off from work, at his funeral. We buried him with both his legs.

So, I get misdiagnosis, wrong medications and poor discharge planning.

Gough and the researchers at Homeward Healthcare have created interactive software for hospitals, patients and payers that the patient can control on a touchscreen tablet from her bedside. Multimedia, real-time discharge planning that includes a patient dashboard will produce better outcomes, free staff time and resources and vastly improve communications.

Gough had begun his presentation by telling us that most people toss their discharge instructions as they walk out the hospital door — but no more. His technology has great potential to reduce hospital readmissions. A key component is a psychosocial assessment to determine who is at risk of not following the discharge plan.

There are also reminders about the correct use of proper medications, and I get the need for that, too. Patients must own their care plan. My oldest brother, upon release from a hospital a few years ago, was told he needed to lose weight and stop smoking. The first thing he did when he got home was have a large bowl of ice cream and a cigarette. I threw his discharge plan in the waste basket.

It is estimated that $26 billion is spent annually on readmissions. The reduction of readmission rates is now a major initiative under both Obamacare and the Joint Commission on Accreditation of Hospitals. The Homeward Healthcare technology is now being used in 23 hospitals, and I am told nurses doing discharge planning just love it.

Ristcall — a Mobile, Smart Watch Nursing Station

Srinath Vaddepally, the CEO and founder of Ristcall, with offices in both Philadelphia and Pittsburgh, has designed a wireless, wearable smart device for both hospital patients and nurses. I like to think of it as a mobile smart watch nursing station.

The idea for this technology, designed with researchers from Carnegie Mellon, came about when, as a hospital patient, Vaddepally fell in his hospital room and could not reach the call button on the bed. Turns out 70% of all patient falls in a hospital occur in the patient’s room, with 40% occurring while walking to the bathroom. The average cost to a hospital for a patient fall is $20,000 per case, and the annual reduction in Medicare reimbursements can reach $200,000.

Ristcall (www.ristcall.com) has a great point. How do you call a nursing station if you are lying on a floor and can’t reach the call button? In addition, how can you reach a nurse who is busy caring for multiple patients and is not at the nursing station?  Even when you ring the traditional call button, the nurse has no idea why you are calling; he has to walk to your room to find out.

As I told Dr. Michelle Odlum, a postdoctoral research scientist at the Columbia School of Nursing, nurses rock! They are the heart and soul of our healthcare system, but they are often overworked, and they don’t have eyes in the back of their heads.

Now, with the help of Project Olympus, which provided incubator space at Carnegie Mellon, nurses can soon have a real-time alert for all traditional patient requests. Nurses will be able to rock even more.

If you are a healthcare technology entrepreneur, I highly recommend applying for this award or sponsoring next year’s HITLAB World Cup Summit. It will be held once again at Lehner Hall at Columbia University in New York, from Nov. 28 to Dec. 2, 2016.

For more information, visit www.hitlab.org.

It was a real pleasure to meet these outstanding World Cup finalists and the HITLAB staff. I learned a great deal and made friends I feel I will now have for a lifetime.