
When Hackers Take the Wheel

Operator errors, driving under the influence, and product defects have long been blamed for catastrophic accidents in the transportation industry. However, recent headlines revealed how cyber risk has emerged as a new and disturbing threat to airlines, railways, auto manufacturers and ocean cargo carriers.

Those in the transportation sector have embraced the “Internet of Things” and transformed what were once far-reaching concepts into some of the most common components of the cars they manufacture and the planes they fly. They often rely on a secure internet connection to function safely and efficiently. Recent headlines, however, raised concern and started a debate: Can the transportation sector be hacked? If so, what are the consequences?

Automobiles

In July 2015, Fiat Chrysler announced a recall of 1.4 million vehicles after white hat hackers demonstrated that they could take control of a Jeep Cherokee’s braking systems, change vehicle speed and affect operation of the transmission, air conditioning and radio controls. Hackers gained remote access by exploiting a software vulnerability in the vehicle’s Uconnect entertainment system.

The stakes have been raised even higher with recent advances made in the development of driverless cars, as more vehicles will become completely reliant on secure technology. Safety concerns were raised after a series of crashes allegedly caused by the failures of Tesla’s Autopilot technology, resulting in the death of a passenger. This prompted Tesla to announce efforts to improve its Autopilot software, including “advanced processing of radar signals.”


The Department of Transportation has also recognized the risks associated with technology. In January 2016, the department entered into an agreement with 17 major automakers to enhance driver safety, including information sharing to prevent cyberattacks on vehicles. According to the agreement, the National Highway Traffic Safety Administration will propose industry guidance for safe operation for fully autonomous vehicles.

Planes

Boeing recently became the subject of a hacker demonstration when a security researcher accessed the entertainment systems of one of the company’s planes in mid-flight. Boeing was adamant that the hacker could not have gained access to the aircraft’s critical functions due to segregation of the two networks. However, the incident raised concerns throughout the airline industry, and an FBI investigation followed.

Railway Systems

German security researchers SCADA Strangelove demonstrated, without naming the rail systems in question, that they, too, are vulnerable. Their December 2015 report highlighted vulnerabilities related to outdated software, default passwords and lack of authentication. Moreover, entertainment and engineering systems were operating on the same network, leading to speculation that if one system is compromised hackers could gain access to the other. Because rail switches are automated and dependent on properly operating networks, the theory of a system compromise leading to a head-on collision with another train was explored in the report.

Marine Shipping

An investigation by Verizon Risk concluded that modern-day pirates are increasingly relying on network intrusions as a means to carry out crimes on the high seas. Verizon concluded that an unidentified shipping company’s networks were penetrated by hackers, giving them precise information on which ships were carrying the most valuable contents. Hackers then targeted their attacks on specific vessels, using bar codes to focus on individual shipping containers.

As of this writing, we have not seen any incidents of bodily injury or loss of life in the transportation sector directly attributed to a deliberate network compromise. Yet the findings of various researchers across multiple transportation sectors lead to some alarming conclusions. Law enforcement and transportation safety regulators have taken these findings seriously and conducted investigations of their own.

We can therefore expect with some degree of certainty that the transportation sector may be held to higher cybersecurity standards and will see the increased regulatory scrutiny that has been witnessed in other industries, such as healthcare and financial services. When networks containing sensitive data may be compromised, regulators that oversee that industry often propose protection standards that ultimately become mandates. Failure to comply often leads to lawsuits, settlements, fines and significant reputational harm.


Until then, the transportation sector can start by following the best practices as outlined in the National Highway Traffic Safety Administration’s “A Summary of Cybersecurity Best Practices,” published in October 2014. Key observations and recommendations include:

  • Cybersecurity is a life-cycle process that includes elements of assessment, design, implementation and operations as well as an effective testing and certification program.
  • The aviation industry has many parallels to the automotive industry in the area of cybersecurity.
  • Strong leadership from the federal government could help the development of industry-specific cybersecurity standards, guidelines and best practices.
  • Sharing learning with other federal agencies is beneficial.
  • Use of the NIST cybersecurity standards as a baseline is a way to accelerate development of industry-specific cybersecurity guidelines.
  • International cybersecurity efforts are a key source of information.
  • Consider developing a cybersecurity simulator. It could facilitate identification of vulnerabilities and risk mitigation strategies and can be used for collaborative learning (government, academia, private sector, international).
  • Cybersecurity standards for the entire supply chain are important.
  • Foster industry cybersecurity groups for exchange of cybersecurity information.
  • Use professional capacity building to address and develop cybersecurity skill sets, system designers and engineers.
  • Connected vehicle security should be end-to-end; vehicles, infrastructure and V2X communication should all be secure.

The transportation sector is yet another industry that must learn to adapt to the systemic nature of cyber risk. Because of ever-increasing reliance on evolving technology, cyber risk will certainly begin to move toward the top of the list of transportation safety concerns. The captains of this industry can no longer claim ignorance of cybersecurity issues or completely delegate responsibility. They owe a duty to safeguard the flow of information that effectively keeps our planes airborne and our cars on the road. Failure to do so could be catastrophic.

A Physician’s View of ‘Return to Work’

While physicians are well-trained in diagnosis and treatment, most have received little or no training in how to evaluate their patients’ ability to do work. Whenever asked about a patient’s work ability, physicians should think through the issues by considering three terms: risk, capacity and tolerance. This first topic, risk, I would like to explore in this communication.

Risk refers to the chance of harm to the patient, or to the general public, if the patient engages in specific work activities. Familiar examples are that the Department of Transportation medical certification processes require examining physicians to disqualify individuals with uncontrolled seizure disorders from working as aircraft pilots and as commercial motor vehicle drivers. Thus, a work restriction is something a patient can do, but should not do, as opposed to a work limitation, which is something the patient cannot physically do. The terms “work restriction” and “work limitation” are frequently seen on work status certification forms.

Unfortunately, there is little scientific literature on the real-world observed risks of working despite known medical conditions. Ideally, this would be the type of information on which to base work restrictions. Where generally accepted sound scientific evidence exists, there should logically be universal agreement among physicians about the issue in question. Sometimes, there are consensus documents that are helpful in assigning work restrictions based on risk. One example is the American College of Cardiology guidelines for physicians in approving participation in competitive sports. While this is a consensus document, and thus not scientifically proven, following these guidelines is our best approach to achieve consistency among physicians.

If a patient is applying for work, a physician performing the pre-placement medical examination for the employer must remember that the Americans with Disabilities Act of 1990 permits the employer to deny the tentatively offered employment only if, on the basis of objective information, the work activities of the “essential job functions” pose a substantial risk of significant harm to self or others that is imminent. Under this law, these criteria would be the basis for physician-imposed work restrictions that would disqualify an applicant from working. 

Substantial harm means an objectively verifiable worsening in the patient’s condition, and not merely an increase in previously present symptoms, like pain or fatigue. The law says that individuals may choose to work despite pain or fatigue. While physicians in pre-placement examinations generally remember and adhere to the maxim that “if there is not objective evidence of substantial risk for significant harm, the patient may choose whether or not to work despite symptoms,” many times the obverse of this principle is forgotten when physicians are asked by patients to certify work disability based on subjective symptoms without evidence of risk of harm. The decision to work with no significant risk, and despite symptoms, is the patient’s decision (and not the physician’s decision), and the decision is still the patient’s when the patient is requesting disability certification.

There are recurring situations in which physicians have historically restricted patients on the basis of medically plausible risk assessment. Examples include heavy overhead lifting after shoulder rotator cuff repair, and heavy lifting, carrying and jumping with combined anterior and medial instability in a knee. In these cases, it is plausible to argue that recurrent cuff rupture and progressive osteoarthritis may occur, despite the lack of prospective human studies to prove that these risks are real. Until studies disprove these risks, they will be “generally accepted” and noted by consensus groups.

For decades, spine surgeons placed permanent lifting and other activity restrictions on patients who had good results after a first-operation lumbar diskectomy. Recently, studies have shown that those with good results can return quickly to full work with no increase in the incidence of disk re-rupture.

In the next article, I hope to explore the concept of capacity and what it means in the process of approaching patients with complaints of limitation.

Minority-Contracting Compliance — Three Risks

On Jan. 13, 2014, the Department of Justice announced that two former executives of Schuylkill Products had been sentenced to two years in federal prison and forced to pay $119 million in restitution because of their role in what the FBI called the largest fraud involving the Department of Transportation’s Disadvantaged Business Enterprise (DBE) Program. A third individual, the owner of Marikina Construction, the firm that was used as a “front” in the scheme, received a prison sentence of nearly three years.

The sentencing of these individuals is not the result of an isolated incident. In recent years, federal prosecutors and the DOT inspector general have significantly stepped up enforcement of DBE and have brought several cases resulting in civil penalties and jail time. Some involved well-known international construction firms and their executives.

Here are three reasons why every contractor dealing with a federal, state or local minority contracting program needs to have proper compliance policies and procedures in place:

1. Jail Time and Civil Fines

Contractors that do not comply with the DBE program’s rules and regulations face the very real threat of jail time and civil fines. According to the DOT, DBE fraud now represents more than one-third of the DOT inspector general’s open cases. From Oct. 1, 2003, through Sept. 30, 2008, investigations of DBE fraud allegations resulted in 49 indictments, 43 convictions, nearly $42 million in recoveries and fines and 419 months of jail sentences. From 2009 to 2010, the number of open investigations related to DBE fraud increased by almost 70%. The number of investigations shows no signs of slowing, as the DOT is aggressively hiring additional investigative agents.

Under several legal doctrines, a defendant can be held liable when the evidence shows that the defendant intentionally avoided confirming certain facts and learning the truth.

2. Whistleblower Lawsuits

Under the Federal False Claims Act, every disgruntled employee is a bounty hunter. The act authorizes private individuals to bring a civil claim in the name of the U.S. against anyone who fraudulently obtained money or property from the government. The person who brings the action is entitled to 30% of the amount recovered for the government.

Contractors can become the target of a False Claims Act case if they submit payment applications to the government that falsely certify that a certain percentage of work was performed by DBE firms. Like in the criminal context, a contractor can still be liable even if it lacks actual knowledge of the DBE fraud. Reckless disregard for the truth or deliberate ignorance are sufficient.

3. Bid Rejections and Challenges

Strict minority set asides or quotas are almost always unconstitutional. Disadvantaged business contracting programs, like the DOT’s DBE, are not quotas (a fact that DOT underlines in its regulations). Rather, they are goals that contractors must use “good-faith efforts” to achieve. In fact, many contractors would be surprised to know that a state transportation agency cannot reject a bid because it fails to include a commitment to subcontract work that meets or exceeds the stated DBE goal. However, for a bid to be accepted, the contractor must be able to demonstrate “good faith efforts” to meet the stated DBE contracting goal. Because most state procurement codes require the award of a contract to the lowest responsible and responsive bidder, failing to document adequate good-faith efforts is grounds for a state transportation agency to reject a bid or for challenge to be filed by a disgruntled bidder.

The risks that contractors face with not complying with minority contracting programs, particularly the DOT DBE program, literally cannot be ignored. At best, contractors that fail to comply with the program face significant financial ramifications in the form of fines, expensive lawsuits and lost projects. At worst, executives and employees can wind up in jail.

What An Employer Can Do To Reduce Soft Tissue Injuries In The Transportation Industry

The trucking industry accounted for nearly 20 percent of all days-away-from-work cases in 2011. Correspondingly, trucking was among the seven occupations that had an incidence rate greater than 300 cases per 10,000 full-time workers and more than 20,000 days-away-from-work cases.

OSHA defines a Musculoskeletal Disorder (MSD) as an injury of the muscles, nerves, tendons, ligaments, joints, cartilage and spinal discs. It identifies examples of Musculoskeletal Disorders to include: carpal tunnel syndrome, rotator cuff syndrome, De Quervain’s disease, trigger finger, tarsal tunnel syndrome, sciatica, epicondylitis, tendinitis, Raynaud’s phenomenon, carpet layer’s knee, herniated spinal disc, and low back pain.

The average cost of a work-related soft tissue injury in the trucking industry exceeds that of any other industry. According to the U.S. Bureau of Labor Statistics (BLS), Musculoskeletal Disorders nationwide typically account for 33% of work-related injuries, while the incidence of Musculoskeletal Disorders in the transportation industry is 60-67%. The Bureau of Labor Statistics also noted that there were 1.4 million total transportation workers, and each year 1 in 18 is injured or made ill by the job.

These higher rates of injury can be attributed in part to several factors. Due to the nature of their work, many drivers maintain a poor diet, rarely get enough sleep, and are sedentary. As a result, they find themselves more susceptible to heart attacks and diabetes, as well as a myriad of strains, sprains and various other Musculoskeletal Disorders.

Additionally, the percentage of older workers is higher in transportation than in most industries, with the Transportation Research Board estimating that up to 25 percent of truck drivers will be older than 65 by 2025, translating into more severe Musculoskeletal Disorder claims.

These factors are contributing to more workers’ compensation claims for drivers, which increase employers’ costs. As part of the job, many truck drivers are required to unload the goods they transport, leading to serious sprains and strains. Heavy lifting after long periods of sitting can increase the likelihood of severe sprains and strains. In addition, drivers often rush at the delivery site in an effort to meet the demands of tight schedules. This combination contributes to 52% of the non-fatal injuries in this industry, with trunk and back claims accounting for 70% of these cases.

Due to its unique workplace circumstances, the commercial transportation industry is at higher risk for increased frequency of injuries and costs to the industry. The following describes the framework of this dilemma:

  1. Commercial transportation jobs expose workers to high physical demands and extended hours of exposure.
  2. The transportation industry experiences one of the highest work-related injury rates among all workplace sectors.
  3. The transportation industry experiences a high level of turnover on an annual basis, which results in a high number of newly hired employees exposed to unfamiliar and physically demanding tasks.

While this is an industry-wide issue, we will focus on California in order to illustrate how problematic it truly is. In March of 2010, the California Workers’ Compensation Institute (CWCI) issued its latest scorecard for the California Trucking Industry. Over eight years, $480 million was paid in medical and indemnity costs alone. The study found that, even though this industry accounted for only 1% of all California industrial claims, it accounted for 1.8% of the state’s workers’ compensation paid benefits. It was also found that medical and indemnity payments were higher than in any other industry. The average lost-time direct claim cost at $18,587 is 41% higher than the industry average in California. The indirect costs in this industry range from a 2x to a 10x multiple, and in an industry known for low profit margins, controlling costs is critical.

It should also be noted that California can retain jurisdiction of a workers’ compensation claim even if the injury did not occur in that state; the employee only has to live in California, drive through California or have been hired out of California. This is such a significant problem that in 2010 the U.S. Department of Transportation initiated the Compliance Safety Accountability measure of driver’s fitness. This is specific to transportation, is publicly available, and the ratings are tied to insurance rates and letters of credit.

With the numerous reforms taking place in 2013 and the Centers for Medicare and Medicaid Services (CMS) Mandatory Reporting Act, it is now essential that employers become proactive and only accept claims that arise out of the course and scope of employment. Medicare has mandated all work-related and general liability injuries be reported to CMS in an electronic format. This means that CMS has the mechanism to look back and identify work comp-related medical care payments made by Medicare. This is a retroactive statute that will ultimately hold the employer and/or insurance carrier responsible for these payments.

Should CMS have to pursue the employer in court, the amount owed is doubled. The insured or employer could pay the future medical cost twice — once to the claimant at settlement and later when Medicare seeks reimbursement of the medical care they paid on behalf of the claimant. There is no statute of limitations on compliance with the MSA requirements. CMS can review claims closed last year, five years ago, or even longer to check for compliance. Penalties and fees for noncompliance are $1,000 per day if medical care is not paid within 30 days.

Historically, soft tissue injuries have been difficult to diagnose and even harder to treat due to the broad spectrum of disorders related to soft tissue. Most diagnostic tests are not designed to address Musculoskeletal Disorders and are unable to document the presence of pain or loss of function … two key complaints.

Employers need a way to manage their Musculoskeletal Disorder exposure and provide better care to their injured workers. The key to managing this problem is for employers to obtain the ability to only accept claims that arise out of the course and scope of employment. The only viable solution for employers is to conduct a baseline soft tissue assessment in order to establish pre-injury status. The baseline must be job and body part specific and objective to comply with the Americans with Disabilities Act Amendments Act of 2008.

The baseline assessments are not read or interpreted unless and until there is an injury. By not identifying a potential disability, employers are able to conduct baseline assessments on new hires as well as existing employees while maintaining compliance with the Americans with Disabilities Act Amendments Act. If there is a soft tissue injury, the employee is sent for a post-loss assessment to determine whether there is any change from the baseline assessment and, if so, what it is. If no change is noted (no acute pathology), then there is no valid claim. This proven baseline program is known as the EFA Soft Tissue Management Program (EFA-STM Program), which utilizes the Electrodiagnostic Functional Assessment to objectively provide this data.