2018 Partner Program Guide – CRN

The 2018 Partner Program Guide offers the information solution providers need to evaluate IT vendors they work with or are considering working with. The guide is based on detailed applications submitted by over 270 vendors, outlining all aspects of their partner programs.

5-Star Technology Vendors

As part of the Partner Program Guide, CRN designates some programs as 5-Star Partner Programs. Here are the 5-Star designees in key technology spaces for 2018.

  • 5-Star Networking And Unified Communications Vendors
  • 5-Star Emerging Vendors
  • 5-Star Cloud Vendors (Part 1)
  • 5-Star Cloud Vendors (Part 2)
  • 5-Star Security Vendors
  • 5-Star Software Vendors (Part 1)
  • 5-Star Software Vendors (Part 2)
  • 5-Star Storage Vendors
  • 5-Star Peripherals Vendors
  • 5-Star System/Data Center Vendors

8×8, Inc. ★ ★ ★ ★ ★
8×8 Partner Program / Partner Integr8tion
A10 Networks
A10 Affinity Partner Program
ACC Business
ACC Business
Accelerite
Accelerite Partner Program
Acer
Acer Alliance VAR Program
Acronis, Inc
Acronis Partner Program
Acumatica -The Cloud ERP ★ ★ ★ ★ ★
Acumatica Partner Program
ADTRAN
ADTRAN Partner Program
Aerohive Networks ★ ★ ★ ★ ★
Aerohive Advantage Partner Program
AireSpring
AireSpring Channel Sales Division
Alaris, a Kodak Alaris Business ★ ★ ★ ★ ★
Alaris Partner Program
AlgoSec ★ ★ ★ ★ ★
AlgoSec Channel Program
AlienVault ★ ★ ★ ★ ★
AlienVault AlienNation
APC by Schneider Electric ★ ★ ★ ★ ★
APC Channel Partner Program
AppDynamics ★ ★ ★ ★ ★
AppDynamics Titan Partner Program
AppRiver, LLC
AppRiver’s Phenomenal Partner
Archive360
Archive360 Accelerate Partner Program
Arctic Wolf Networks
Apex Partner Program
Aruba, a Hewlett Packard Enterprise company ★ ★ ★ ★ ★
Partner Ready for Networking
Aryaka Networks ★ ★ ★ ★ ★
Aryaka Partner Program
Asigra ★ ★ ★ ★ ★
Asigra Hybrid Partner Program
AT&T Alliance Channel ★ ★ ★ ★ ★
AT&T Alliance Channel
AT&T Partner Exchange ★ ★ ★ ★ ★
AT&T Partner Exchange
Atlassian
Atlassian Partner Program
Attivo Networks
Attivo Networks Partner Program
Autotask Corporation
Autotask Partner Program
Auvik Networks Inc
Auvik Partner Program
AVANT
AVANT
Avaya ★ ★ ★ ★ ★
Avaya Edge
Barracuda MSP
Barracuda MSP Partner Program
Barracuda Networks ★ ★ ★ ★ ★
Barracuda Partner Program
Bitdefender ★ ★ ★ ★ ★
Partner Advantage Network
BitTitan
BitTitan Partner Program
BlackBerry Limited ★ ★ ★ ★ ★
Enterprise Partner Program for Solutions Providers
Blue Medora ★ ★ ★ ★ ★
True Visibility Partner Program
BluVector Inc
BluVector Channel Program
BMC ★ ★ ★ ★ ★
BMC Partner Advantage Program
bpm’online ★ ★ ★ ★ ★
bpm’online Partner Program
Broadvoice
Broadvoice Partner Program
Brother International Corporation
Brother Authorized Partner Program
Buffalo Americas
Buffalo Americas
BVoIP
BVoIP MSP Partner Program
CA Technologies ★ ★ ★ ★ ★
CA Advantage Partner Program
CA | Veracode ★ ★ ★ ★ ★
Veracode Partner Program
Cambium Networks ★ ★ ★ ★ ★
ConnectedPartner
Carbon Black ★ ★ ★ ★ ★
Carbon Black Connect
Carbonite Inc. ★ ★ ★ ★ ★
Carbonite Partner Program
Catalogic Software
Partner Edge
Centrify ★ ★ ★ ★ ★
Centrify Channel Connect Partner Program
CenturyLink
CenturyLink Channel Partner Program
Ciena Corporation ★ ★ ★ ★ ★
BizConnect
Cisco ★ ★ ★ ★ ★
Cisco Channel Partner Program
Cisco
Cisco Integrator Program
Cisco
Cisco Lifecycle Advisor Program
Cisco
Cisco Solution Partner Program
Cisco ★ ★ ★ ★ ★
Cloud and Managed Services Program
Citrix ★ ★ ★ ★ ★
Citrix Partner Network
Citrix Systems, Inc.
WW Education Citrix Authorized Learning Center (CALC)
CloudCheckr ★ ★ ★ ★ ★
Powered by CloudCheckr
CloudHealth Technologies
CloudHealth Cloud Business Accelerator Program
Cloudian Inc.
Cloudian Partner Program
Cloudistics ★ ★ ★ ★ ★
Accelerate
Cogent Communications
Cogent Channel Partner Program
Comcast Business ★ ★ ★ ★ ★
Comcast Business Solutions Provider Program
Commvault ★ ★ ★ ★ ★
Global Partner Advantage Program Manager which includes North American Channel Program
Couchbase ★ ★ ★ ★ ★
Couchbase PartnerEngage
Cox Business
Cox Business Indirect Channel
Cradlepoint ★ ★ ★ ★ ★
Cradlepoint Authorized Channel Partner Program
CTERA Networks
CTERA Cloud Accelerator Channel Program
Cyber Power Systems (USA), Inc.
Channel Partner Alliance
CyberArk ★ ★ ★ ★ ★
CyberArk Global Partner Program
Cyberbit
Cyberbit Partner Program
Cylance Inc. ★ ★ ★ ★ ★
Cylance Partner Program
DataCore Software ★ ★ ★ ★ ★
DataCore Premier Partner Program
Datto, Inc. ★ ★ ★ ★ ★
Datto Global Partner Program
DDN Storage
PartnerLink
Dell Inc. ★ ★ ★ ★ ★
Dell EMC Partner Program
Delphix
Delphix Partner Program
DH2i
DH2i DxAdvantage Channel Partner Program
Diamanti
Diamanti Value Added Reseller Program
DiCentral
DiCentral Channels
DigiCert
DigiCert Certified Partner Program
Digital Guardian ★ ★ ★ ★ ★
Digital Guardian Synergy Partner Program
Digital Shadows ★ ★ ★ ★ ★
Digital Shadows Channel REV Partner Program
Digium, Inc. ★ ★ ★ ★ ★
Digium Partner Program
Docker, Inc.
Docker Business Partners Program
Dome9 Security
Dome9 Cloud Protection Partner Program
Dropbox
Dropbox Partner Network
Druva ★ ★ ★ ★ ★
PartnerSync
Eaton ★ ★ ★ ★ ★
PowerAdvantage® Partner Program
Ekahau
Ekahau Partner Program
Epicor Software Corporation ★ ★ ★ ★ ★
Epicor Partner Program
erwin, Inc. ★ ★ ★ ★ ★
erwin Partner Program
ESET ★ ★ ★ ★ ★
ESET Partner Connect Program
Exabeam ★ ★ ★ ★ ★
Exabeam 3D Channel Program
Exasol
Exasol Partner Program
Extreme Networks ★ ★ ★ ★ ★
Extreme Partner Network
F5 Networks
UNITY
FireEye, Inc. ★ ★ ★ ★ ★
FireEye Fuel Partner Program
FireMon ★ ★ ★ ★ ★
Ignite Partner Program
Flashpoint ★ ★ ★ ★ ★
Flashpoint Global Channel Partner Program
Flexential
Flexential Partner Network
Flowmon Networks a.s. ★ ★ ★ ★ ★
Flowmon Channel Partner Program
ForeScout Technologies ★ ★ ★ ★ ★
ForeScout Forward Partner Program
Fortinet, Inc. ★ ★ ★ ★ ★
Fortinet Partner Program
Fuze ★ ★ ★ ★ ★
Fuze Global Partner Program
Gemalto ★ ★ ★ ★ ★
Gemalto Cipher Partner Program
GFI Software ★ ★ ★ ★ ★
GFI Partner Program
Globalscape ★ ★ ★ ★ ★
Globalscape Partner Program
Greenlink Networks
Greenlink Partner Program
GuardiCore, Inc. ★ ★ ★ ★ ★
GuardiCore Partner Program
Hewlett Packard Enterprise ★ ★ ★ ★ ★
HPE Partner Ready
Hitachi Vantara ★ ★ ★ ★ ★
Hitachi TrueNorth Partner Program
Honeywell Safety and Productivity Solutions ★ ★ ★ ★ ★
Honeywell Performance Partner Program
HP, Inc. ★ ★ ★ ★ ★
HP Partner First
IBM ★ ★ ★ ★ ★
PartnerWorld
IFS ★ ★ ★ ★ ★
IFS Partner Network
IGEL North America ★ ★ ★ ★ ★
IGEL Partner Program
iguazio Systems LTD
The iguazio Channel Partner Program
iland ★ ★ ★ ★ ★
iland Partner Program
Illusive Networks
Illusive Networks Accelerate Partner Program
Imperva ★ ★ ★ ★ ★
Imperva PartnerSphere Channel Program
Impinj, Inc.
Impinj Channel Partner Program
Infoblox
BuildingBLOX Partner Program
Infor ★ ★ ★ ★ ★
Infor Partner Network
Informatica ★ ★ ★ ★ ★
Informatica Partner Program
Intel Corp. ★ ★ ★ ★ ★
Intel® Technology Provider Program
IntelePeer
Cloud Advantage Partner Program
Intelisys
Intelisys Partner Program
Intermedia.net, Inc. ★ ★ ★ ★ ★
Intermedia Partner Program
Intsights
Intsights Partner Program
IOGEAR
IOGEAR’s Premier Connections Partner Program
Ivanti ★ ★ ★ ★ ★
Ivanti Partner Program
Ixia, a Keysight Technologies company
Channel Xcelerate Partner Program
Jabra
Jabra One Partner Program
JASK
JASK Answers Partner Network
Juniper Networks ★ ★ ★ ★ ★
Juniper Partner Advantage Program
K2 ★ ★ ★ ★ ★
K2 Ascend Partner Program
Kaspersky Lab ★ ★ ★ ★ ★
Kaspersky Lab Partner Program
KEMP Technologies ★ ★ ★ ★ ★
Partner at KEMP Program
Kenna Security ★ ★ ★ ★ ★
Kenna Security-Partners First
Laserfiche ★ ★ ★ ★ ★
Laserfiche VAR Program
Lenovo ★ ★ ★ ★ ★
Lenovo Partner Program
Lenovo Data Center Group ★ ★ ★ ★ ★
Lenovo Data Center Partner Program
Lexmark ★ ★ ★ ★ ★
Lexmark Connect
LookingGlass Cyber Solutions, Inc. ★ ★ ★ ★ ★
LookingGlass Cyber Guardian Network
Macola Software ★ ★ ★ ★ ★
Macola Unity Partner Program
Malwarebytes ★ ★ ★ ★ ★
Malwarebytes Global Partner Program
Masergy Communications, Inc.
Masergy Global Partner Program
MegaPath
MegaPath Channel Program
Mellanox Technologies ★ ★ ★ ★ ★
Mellanox PartnerFIRST Program
MicroPact
Global Alliance Program
Microsoft Corporation ★ ★ ★ ★ ★
Microsoft Partner Network
Mimecast ★ ★ ★ ★ ★
Mimecast Partner Program
Mist
Mist Partner Program
NCR Corporation ★ ★ ★ ★ ★
Interact
NEC Display Solutions ★ ★ ★ ★ ★
NEC Partner Net
Nectar Services Corp.
Nectar Partner Program
Nerdio ★ ★ ★ ★ ★
Nerdio Partner Program
NetApp ★ ★ ★ ★ ★
NetApp Partner Program
NetMotion PartnerConnect ★ ★ ★ ★ ★
NetMotion PartnerConnect
NETSCOUT Arbor
Arbor Advantage Partner Program
Neustar
Neustar Cloud Security Partner Program
Nexsan ★ ★ ★ ★ ★
Nexsan Partner Program
Nintex
Nintex Partner Network
Nitel
Nitel Channel Program
Nuspire Networks
NuSecure Partner Program
NVIDIA
Alvin Dacosta
Omnitracs ★ ★ ★ ★ ★
Omnitracs Partner Advantage
One Identity ★ ★ ★ ★ ★
One Identity Partner Circle Program
OnRamp
OnRamp Channel Partner Program
OPAQ Networks
OPAQ Channel Partner Program
Opengear ★ ★ ★ ★ ★
Opengear Partner Program
Oracle Corporation ★ ★ ★ ★ ★
Oracle PartnerNetwork Program
Oracle NetSuite
NetSuite Solution Provider Program
OutSystems
OutSystems Partner Program
Palo Alto Networks ★ ★ ★ ★ ★
NextWave Channel Partner Program
Panasas
Panasas Accelerate Partner Program
Panasonic System Communications Company of North America
Panasonic Authorized Reseller Program, Business Mobility
Panduit ONE Partner Program
Panduit ONE Partner Program
Panzura ★ ★ ★ ★ ★
Panzura Freedom Partner Program
Park Place Technologies
Park Place Technologies Reseller Program
Pax8 ★ ★ ★ ★ ★
Cloud Wingman Partner Program
PC Pitstop
PC Matic Pro Partner Program
Pitney Bowes Software, Inc. ★ ★ ★ ★ ★
Pitney Bowes Software Partner Program
Pivot3 ★ ★ ★ ★ ★
Pivot3 Partner Program
PKWARE
PKWARE Partner Program
PlanetOne Communications, Inc.
PlanetOne Partner Program
Platform9
Platform9 Cloud Partner Program
Polycom, Inc. ★ ★ ★ ★ ★
Polycom Partner Program
Progress
Progress Partner+
Proofpoint
Proofpoint Partner Program
PTC ★ ★ ★ ★ ★
PTC Partner Network
Pulse Secure ★ ★ ★ ★ ★
Connect Now Partner Program
Puppet ★ ★ ★ ★ ★
Puppet Partner Network
Pure Storage ★ ★ ★ ★ ★
P3 (Pure Partner Program)
Qlik ★ ★ ★ ★ ★
Qlik Partner Program
QOS Networks
QOS National Channel Program
Quality Uptime Services
Quality Uptime Services Channel Program
Quantum Corporation ★ ★ ★ ★ ★
Quantum Alliance
Quest
Quest Partner Circle Program
Qumulo
Qumulo Partner1st Program
Radware
Smart Choice Partner Program
Raritan Inc., a brand of Legrand
Raritan Partner Advantage Program
Red Hat Inc ★ ★ ★ ★ ★
Red Hat Connect
RedSeal
RedSeal Partner Program
Revolabs, part of Yamaha UC Department ★ ★ ★ ★ ★
CORE Reseller Program
Ribbon Communications ★ ★ ★ ★ ★
Advantage Partner Program
RIBBON Communications ★ ★ ★ ★ ★
RIBBON Partner Assure Program
RingCentral ★ ★ ★ ★ ★
RingCentral Partner Program
Riverbed Technology ★ ★ ★ ★ ★
Riverbed Rise
RSA ★ ★ ★ ★ ★
RSA SecurWorld
Ruckus Networks ★ ★ ★ ★ ★
Ruckus Ready Channel Program
Sage
Sage Partner Advantage Program
Sage Intacct ★ ★ ★ ★ ★
Sage Intacct Partner Program
Salesforce
Salesforce Partner Program
Samsung Electronics America ★ ★ ★ ★ ★
STEP – Samsung Team of Empowered Partners
SAP ★ ★ ★ ★ ★
SAP PartnerEdge Program
Scale Computing ★ ★ ★ ★ ★
Scale Partner Community
Schneider Electric ★ ★ ★ ★ ★
EcoXpert Partner Program
ScienceLogic
ChannelLogic
Seceon ★ ★ ★ ★ ★
SecuRIGHT — Cyber Security Done Right!
SecurityFirst
Reseller Partner Program
SentinelOne, Inc.
SentinelOne Partner Program
Server Technology, a brand of Legrand ★ ★ ★ ★ ★
Power Rewards Partner Program
ServiceKey ★ ★ ★ ★ ★
Independent Service & Maintenance Organization
Sharp Electronics Corporation ★ ★ ★ ★ ★
Sharp Alliance Plus
Siemens MindSphere
MindSphere Partner Program
Siemens PLM Software ★ ★ ★ ★ ★
Siemens PLM Solution Partner – Channel Sales Program
Silver Peak Systems, Inc. ★ ★ ★ ★ ★
Global SD-WAN Channel Program
SingleHop LLC
SingleHop Channel Program
Skybox Security
North America Channel Sales
SkyKick
SkyKick IT Cloud Partner Program
Snow Software Inc. ★ ★ ★ ★ ★
Snow Global Partner Program
SolarWinds MSP ★ ★ ★ ★ ★
SolarWinds MSP Channel Partner Program
SonicWall ★ ★ ★ ★ ★
SecureFirst Partner Program
Sophos ★ ★ ★ ★ ★
Sophos Partner Program
SOTI ★ ★ ★ ★ ★
SOTI Altitude Partner Program
SparkCognition, Inc.
SparkCognition, Inc.
Spectrum Partner Program
Spectrum Partner Program
Splunk ★ ★ ★ ★ ★
Splunk Partner+ Program
Star2Star Communications ★ ★ ★ ★ ★
Star2Star Channel Partner Program
StorageCraft ★ ★ ★ ★ ★
StorageCraft Partner Network
SugarCRM ★ ★ ★ ★ ★
SugarCRM Partner Program
Sungard Availability Services ★ ★ ★ ★ ★
Sungard AS Partner Program
Symantec Corporation ★ ★ ★ ★ ★
Symantec Secure One
SYNNEX Corporation
SYNNEX SMB Connect
SYNNEX Corporation
Varnex
Tech Data ★ ★ ★ ★ ★
Tech Data Practice Builder
Tech Data ★ ★ ★ ★ ★
TechSelect
TeleDomani, Inc.
TeleDomani Partner Program
TetherView
TetherView Partner Program
ThreatQuotient
Threat Alliance Program
Thycotic ★ ★ ★ ★ ★
Thycotic Partner Program
Tintri
Tintri Partner Program
Tripp Lite ★ ★ ★ ★ ★
Tripp Lite Partner Program & Premier Partner Program
Trustwave ★ ★ ★ ★ ★
Trustwave Channel Partner Program
Tufin
Tufin Partner Program
Turbonomic ★ ★ ★ ★ ★
Turbonomic Partnership Program
Unitrends, Inc. ★ ★ ★ ★ ★
Unitrends Partner Program
VASCO Data Security ★ ★ ★ ★ ★
VASCO Partner Program
Veeam Software ★ ★ ★ ★ ★
Veeam ProPartner Program
Veritas Technologies LLC
Veritas Partner Force Program
Verizon ★ ★ ★ ★ ★
Verizon Partner Program
Vertiv ★ ★ ★ ★ ★
Vertiv Partner Program
VIAVI Solutions ★ ★ ★ ★ ★
Velocity Partner Program
VIPRE
VIPRE Partner Program
Virtual Instruments ★ ★ ★ ★ ★
The Virtual Instruments Partner Network (VIPN)
VMware ★ ★ ★ ★ ★
VMware Partner Network
Vonage Business
Vonage Partner Network
WatchGuard Technologies ★ ★ ★ ★ ★
WatchGuardONE
Western Digital – Enterprise ★ ★ ★ ★ ★
Western Digital Enterprise Partner Program
Workfront
Workfront Partner Network
WTG
WTG Partner Program
Xerox Corporation ★ ★ ★ ★ ★
Xerox Global Partner Program
Yeastar Information Technology Co., Ltd.
Yeastar Xcelerate Channel Program
Zebra Technologies ★ ★ ★ ★ ★
Zebra® PartnerConnect
ZeroStack, Inc.
ZeroStack Cloud Innovation Partner Program
Zerto ★ ★ ★ ★ ★
Zerto Alliance Partner (ZAP) Program
Zyxel Communications, Inc.
ZAP – Zyxel Authorized Partner Program


Study: Healthcare Lags Other Industries in Digital Transformation, Customer Engagement Tech – Healthcare Informatics

Last week, Michael Millenson, president of Health Quality Advisors LLC, and an associate professor of medicine at Northwestern University’s Feinberg School of Medicine, authored a thought-piece in the online publication STAT, entitled, “Google is quietly infiltrating medicine—but what rules will it play by?” Millenson looked at the emerging landscape in healthcare around the accelerating participation of healthcare consumers in using web search, consumer-facing apps, and other tools, to help them educate themselves about personal health and healthcare delivery issues, as well as the emergence of a number of corporations, including Google, Amazon, and Apple, as disruptors in the healthcare world—both as innovators in technology, as well as, increasingly, players in the care management and care delivery arenas.

“If ‘data is the new oil,’ as the internet meme has it, Google and its Big Tech brethren could become the new OPEC,” Millenson wrote on January 3. “Search is only the start for Google and its parent company, Alphabet. Their involvement in health care can continue through a doctor’s diagnosis and even into monitoring a patient’s chronic condition for, essentially, forever.”

Meanwhile, Millenson wrote, “Suppose you’re worried that you might have diabetes. Googling ‘diabetes’ brings up not just links but also a boxed summary of relevant information curated by the Mayo Clinic and other Google partners. Google recently deployed an app enabled with artificial intelligence for remote professionals to use that can all but confirm diabetes-related retinopathy, a leading cause of blindness. Diabetes is also a diagnosis your doctor might have predicted using more Google AI applied to the electronic health record. Meanwhile, a Google joint venture called Onduo recently announced a partnership to allow a major pharmacy chain to use its “virtual diabetes clinic” to coach patients on managing their disease. And, of course, at home you can get daily diabetes reminders from your Google Assistant.”

And, in some cases, he added, “[Y]our doctor could actually be Dr. Google. The brick-and-mortar Cityblock clinic, whose first site opened in Brooklyn, N.Y., earlier this year, is an Alphabet spinoff. It promises a ‘personalized health system’ experience for low-income patients.”

And with Google hiring the former chief executives of both the Geisinger Health system and the Cleveland Clinic, more and more interesting developments are certain to be at hand.


And all of this, Millenson noted, is prompting some in the industry to ask what the implications are of these developments for the social contracts that have long anchored physician-patient/clinician-patient, and patient care organization-patient relationships and interactions. In that context, he spoke with Healthcare Innovation Editor-in-Chief Mark Hagland, following the publication of his STAT commentary, to discuss the implications of some of those current trends, for the future of patient care delivery. Below are excerpts from that interview.

There are so many developments taking place right now involving what might be called “interspecies” business combinations—payers and providers, payers and retail pharmacy companies, employers and providers, and on and on. Do you see some potential dangers in the uncharted territory that’s emerging in healthcare, because of such combinations?

What I was trying to sound as a cautionary note, not an alarm, but a cautionary note, was that, when barriers are breached in terms of definitions, there are new challenges to long-established ways that we do things. We all like to talk about disruption, but there are downsides. And those downsides need to be confronted squarely. And what I was trying to propose in my commentary was a practical ethical framework for dealing with downsides—not a mission statement, or whatever, but practical thoughts. If you have a commitment to accountability and shared responsibility, it brings up issues. Just because you believe you’re committed to patient engagement or lowering healthcare costs, or whatever noble goals you espouse, particularly if you’re working for a not-for-profit entity, or even a for-profit, personal and corporate interests can conflict with noble goals.

And even as all these kinds of partnerships can be wonderful, we also realize we need new ways of dealing with potential negative side effects. No hospitals that merge ever say, thank God we can get rid of the price pressure from insurance companies! And it’s not that individuals making statements about mergers are deliberately telling untruths, but they sometimes make statements that may not be in the best interests of patients.

Healthcare informatics arose from people who were in the HC field, who wanted to apply the benefits of informatics knowledge to improving care, lowering costs, and other problems. That’s a different set of assumptions from when you take people whose expertise is in manipulating data and information, and put them into healthcare. There are cultural issues there. People from within HC tend to say, there are certain problems, and let’s look for solutions.

But people outside healthcare sometimes have the tendency to say, we have this wonderful tool; look at all the ways we can solve your problems.

Looking at the entry into the healthcare delivery process of disruptors like Google, simply because of the near-universality now of web search as a consumer activity in healthcare—will consumers simply start self-diagnosing off the web now?

It’s one thing to look at Google as a search engine. It’s another to look at the issue of Google as an element in care delivery. The issue of “Dr. Google” is a significant one. I wrote an article recently called, “Beyond Dr. Google.” What happens if you’re using the Babylon Symptom Checker with AI? What happens if you’re looking at a mole? Because they’ll have a legal disclaimer. But we’re looking at an entire paradigm shift around how we interact with doctors. Years ago, I said the Information Age is to medicine as the Protestant Reformation was to the Catholic Church. It changed the people’s relationships to the priests; the Church didn’t go out of business, but it had to change. Once the laity could read the Bible, the role of the priests had to change. And I think that the role of physicians as holders of knowledge, has to change. They still have specialized knowledge; but the conversation has to change, and the tone has to change.

What I’m concerned about is when an organization like Google, Amazon, or Apple, starts partnering with physicians, what happens? When Google, Amazon or Apple, starts being a partner to help you with your diabetes, are they helping you have a better conversation? Or are they starting to use gathered information to try to cause behavior change, to manipulate you? And there’s a fine line between doing this for your own good, or because I want you to change?

And then there’s the accountable care issue—when you have attributed patients, and it’s in your financial interest now to collect and use social-determinants-of-health data and other forms of data, as well as apps and tools, to try to motivate your patients towards participating in the enhancement of their health status.

Exactly—now, there’s also a profit motive. I wrote an article about the secret use of the social determinants of health, for care management—and for profit, on the part of vendors that are putting data into algorithms and selling those solutions. LexisNexis found a correlation between someone in the household having completed some kind of professional certification, anything from a plumber’s license to a PhD—with medication compliance and adherence. The point is, you get companies that use information about my life, as raw data for analytics, that are meant to influence my behavior. We need a different kind of safeguard so that this doesn’t go awry. And I’m not saying that what they’re doing might not be wonderful and disruptive in a good way, but nothing turns out as promised, whether Brexit or Google.

The social contract in healthcare, particularly between providers and patients, especially that between physicians and patients—what might that look like, or need to look like, in the coming years?

I see collaborative health as the new social contract. I’m not sure that that patriarchal, hierarchical relationship has changed as much as we might be thinking. I remember writing things 30 years ago that everything would change, and the hierarchies would be totally gone. They haven’t disappeared, though. Your grandmother was probably just grateful to see a doctor. And there are still a lot of people in the country who are still grateful just to see a doctor.

So part of that issue involves socioeconomic class, of course?

Yes, absolutely. That said, I also absolutely agree that a new social contract is going to center around collaborative health. And an explicit one is needed. There’s a lot of talk about that, around Google, Facebook, Alexa. But the medical element is different. When organizations that have tremendous data analytics capabilities, are applying those to the problems of individual patients, that gives us both the potential for unprecedented breakthroughs in patient care, and for the unprecedented ability to manipulate people. The fact that I know everything about your Google searches, your purchasing and eating patterns, and I’m tracing your driving patterns—that can help me improve your health, but also control your life, and manipulate people. And even if the decisions are to your benefit, a social contract demands shared engagement and shared accountability, because that’s the social contract that medicine needs, to retain its soul—even if that doesn’t help increase the value of the IPO or the price-earnings ratio, or the amount of money you get back from meeting your obligations under an ACO contract.

How do you see physicians and other clinicians adapting to this new world?

I think the social contract is even more important, because the power of the individual doctor is often decreasing now. If more and more doctors will be employed, and operating under stricter rules of accountability, that’s good for patients, but the balance between accountability and autonomy is a balance we’ve got to find. And we should welcome Amazon, Apple, and Google—they have an incredible potential to disrupt HC for the better; but the individual doctor, just like the individual patient, is going to be powerless to set a new social contract on their own. That’s why we need a social contract that encompasses clinicians, patients, patient care organizations, payers, pharmaceuticals, and everyone. It may be to my benefit that my doctor is using an app to track population health issues, but with the blurring of lines between different types of organizations, things get complex. Information is power, and the information we’re gathering is extraordinarily powerful, and good things can go awry. So frankly, I see this new social contract as a protection for physicians, and as something that will ensure that the “therapeutic alliance” that doctors like to talk about, will remain strong, even as other boundaries dissolve. And whether my doctor is employed by an insurance company, a hospital, or is a solo practitioner, it should make no difference to certain kinds of relationships.

What You Need To Know About Cybersecurity In 2018 – Forbes Now

You might think of cybersecurity as a specialized, niche career—not a skill that the average person should learn about.

But that’s not the case. In an age where we manage more and more of our lives digitally, anyone, in any career, should know simple things about keeping security up to par. At work, this will help companies maintain robust protocols. At home, it will help you protect your own information.

Why anyone and everyone should learn about cybersecurity (image: pexels.com)

Technology Affects All Aspects Of Modern Life

To help explain why security knowledge is so important, let’s first establish the baseline of how daily life operates for most of us. “There aren’t many careers left that aren’t based on technology,” says Matt McCormack, Chief Security Officer at Virtustream.

“Teachers in classrooms are using SMART boards. Someone who comes to your home to do contract work will whip out a smartphone or tablet and add information to an app on the spot. The mistakes that cause the most damage at companies are security-related—something as small as clicking attachments in emails without knowing if they are safe.”

Of course, security concerns don’t stay at work. “Nowadays, you’re not just worried about the security of your company, but also your own security and what you put out on your social networks,” McCormack continues. “When I worked for the government, we constantly advised people on what they could and couldn’t do—even outside of work—when it came to social media.”

How Basic Security Knowledge Can Help Any Career

Aside from simply not clicking suspicious email attachments, there are things nearly all employees can do to enhance company security and make themselves more valuable workers.

“Within any role in the organization, learning about security can help an individual understand the risks and make informed decisions for their key stakeholders,” says Pavi Ramamurthy, senior manager of information security at LinkedIn.

Like what, you ask? Here are a few of Ramamurthy’s examples:

  • In sales, reassure customers of an organization’s security posture.
  • In corporate communications, you should assess in the context of business reputation and brand trust.
  • The legal team should ensure that the right security clauses are built into supplier and customer contracts.
  • Regarding HR and/or security, know what’s needed for better security awareness and training.
  • Product managers should advise on good security features.
  • In engineering development, make sure you develop secure code.
  • Security professionals should perform reviews and quality assurance tests for functional and security verification.
  • Corporate management should ensure that a good security incident response plan is in place to address any vulnerabilities.

As you can see, it certainly doesn’t require being a security professional to contribute to security-related projects and awareness. In fact, the more equipped a workforce is with this knowledge, the less money and time will be lost to security breaches.

Cyber Attackers Rely On Human Error

Hackers rely only partly on their security-penetration skills. The other thing they need? Regular people making mistakes. “An analysis of threats faced by organizations in the first quarter of 2017 reveals that cyber attackers still rely heavily on user interaction,” says Bo Yuan, Ph.D., professor and chair of the department of computing security at Rochester Institute of Technology.

One high-profile example: the CEO of Equifax attributed the company’s 2017 breach—which compromised the data of over 147 million consumers and could cost over $600 million—to, you guessed it, human error.

“For those who do not work in IT but use computing devices for work, it is necessary to have cybersecurity training so that they understand how minor mistakes or simple oversights might lead to a disastrous scenario regarding the security or bottom line of their organization,” Yuan continues. “With attacks becoming more advanced and sophisticated, training is mission-critical to minimize human error from the cyberattack equation.”

It’s a wise step to take on a personal level as well, since even if your mistake was completely unintentional, you won’t avoid consequences. “No one wants to get fired, especially when you didn’t do anything malicious to harm your company,” says Andrew Jones, senior sales engineer at Shape Security. “But this is exactly what can happen if you fall victim to an email phishing campaign or other social engineering attack and become the vector by which your company exposes sensitive information. Educate yourself to be suspicious and cautious when it comes to operational security.”

Security Know-How Can Advance You In Your Existing Job

Gaining new skills is a tried-and-true way of getting ahead at your job, and security is one that looks particularly good. “Educating yourself about security (cyber, physical, or otherwise) will positively impact the average person’s career,” says Jones.

The first step to getting promotions or pay raises is showing that you can be trusted with additional responsibilities. “Even if your job is not directly related to a security role, consider the ways that your work could be abused by a malicious third party,” Jones continues.

For example, consider sending an email to your customers that contains a link. “You could use a shortened URL service, like Google’s https://goo.gl, to make the document read better, but that could also provide a template for a bad actor to phish your customers with an identical email using a similar goo.gl link that points to a malicious website,” explains Jones. “The average consumer would have no way of telling the difference. How could you compensate for that risk? Are you even thinking about the potential vulnerability?”

Your company may be willing to cover educational expenses on your behalf, but even if they don’t, there are plenty of ways to pursue security knowledge independently. It doesn’t even have to mean formal training, either. “Educating yourself about security doesn’t just mean getting a certification or diploma,” says Jones. “It’s adjusting your way of thinking about the world so that you can put yourself in the bad guy’s shoes and really consider how they could exploit a weakness.”

Gaining Knowledge Now Can Lead To A Lucrative Career Later

If you begin dabbling in security and discover that you enjoy it or have a knack for related skills, why not pursue it full-time? Doing so is more lucrative than ever. According to Cybersecurity Ventures, it’s predicted that by 2021 there will be 3.5 million unfilled cybersecurity positions. That kind of demand should be attractive to anyone seeking career advancement.

Sarah Squire, senior technical architect at Ping Identity, started her own security career after transitioning from another job. “I began my career in web development, but I was recruited onto a niche information security team,” she said. “After one year of exhaustive training, I was hooked. From there, I got the qualifications to open my own consulting business, contribute to NIST guidelines, speak at high-profile security conferences, author white papers, and contribute to standard protocols that everyone on the internet uses on a daily basis. My security education super-charged my entire career trajectory.”

Plus, it’s work that will help you solve real problems. “The consequences of the cybersecurity skills gap spread far outside of the security space—leaving workplaces across all countries and industry verticals vulnerable to attack,” says Dr. Yuan. “The average data breach is projected to reach a $150 million price tag, plus the corresponding customer and employee trust/loyalty-related outcomes of a breach.”

Ready to start looking into cybersecurity skills or potentially pursue it as a career? Here’s where to start.

The top 10 technology challenges that startups face and how to navigate them – YourStory.com

From business models and management teams to customer experience and technology platforms, startups face a number of challenges that may trip them up in their long journey. Here are 10 key challenges founders need to identify and correct, to ensure that their entrepreneurial venture has a chance of success.

  1. Skillsets

Founders with a business or design background may not understand the language of technology, let alone the latest trends in tools and platforms. Conversely, techie founders may not grasp the design and financial issues which go into building full-scale customer offerings.

Capacity building via online courses, peer discussions and mentors can help here. For example, the business model canvas by Strategyzer is a good tool for techies to understand management and strategy issues. Courses on commercialisation of technology at the MITs and IITs of the world can help managers understand technology evolution issues and manage innovation. Design thinking workshops and tools by companies like IDEO and Stanford’s d.school can increase the design quotient of techies and managers.

  2. The Product Mindset

Customers do not really care what technology is used – all they want is a product or service which can meet their needs and aspirations. This requires a product mindset from the ground up, which will eventually lead to branding of the offering in a way that is attractive to the customer. Technology should be seen as an enabler, and not an end in itself.

Techies, managers and designers need to master product management and teamwork processes. Product management is now emerging as a discipline at the intersection of business, technology, and user experience. Product-first companies such as HP, Microsoft and Google have helped bring a shared vocabulary to the field; courses are offered on sites like UpGrad.

Product managers must be experienced in at least one of the three key areas (business, tech, UX), passionate about all three domains, and be able to converse with practitioners of all three. Product management also involves familiarity with strategic planning, marketing, and team development.

  3. Project management

The software industry has often been plagued with over-runs in costs, time and effort. Project management of software and services continues to attract some of the best brains in the field to build a body of knowledge (BoK) for project management efficiency. Managing tech projects is a tough skill, and many young startups may flounder in their early steps.

Project managers can overcome some of these challenges with frameworks such as lean, agile, scrum, design sprints, directed discovery, and kanban. A range of easy-to-use and often free tools are available for startups, such as Asana (daily activities), Podio (complex projects), Kanban Tool (workflow visualisation) and Smartsheet (for spreadsheets).

  4. Team roles and dynamics

Even in the field of technology, there are multiple roles and skillsets, ranging from architects and testers to developers and administrators. From the junior engineer all the way up to CTO, each role calls for different skills, experiences and mindsets, which can change over time.

At the individual and team level, this calls for continuous capacity building and changes in team configuration. Startups need to identify talent tracks in roles like lead software engineer, fullstack developers, JavaScript developers, data scientists and even content managers.

  5. Cultural fit

The startup world is unlike the relatively smoother and structured corporate environment. Rapid changes in market and customer needs as well as pivoting by the founder will lead to frequent changes in the product direction. Techies in startups will, therefore, need to be more flexible than in larger firms, and deal with a culture of continuous adaptation.

While hiring techies, qualities to look for, in addition to skillsets, include capability to think of the big picture, willingness to enjoy challenges, ability to unblock obstacles, capacity to wear multiple hats, time management, and humility to create ‘psychological safety’ for newer team members as the company grows. There should be clear alignment on metrics for success and ethics in product development.

  6. Continuous learning

Every other year there seems to be a new programming language, operating system upgrade, stack architecture, development framework or SMAC update. For engineers, learning tech skills does not end when they get a college degree – that is just the beginning.

Techies need to devote a significant amount of time to learning from online courses, books, conferences and peers. A number of MOOC offerings such as Coursera and Udacity allow subscription models where learners can sign up for courses as well as updates on refresher modules on tech topics. Developer conferences and hackathons offer hands-on opportunities to brush up on skills and emerging platforms, and network with tech peers.

  7. Proprietary versus Open source

There are convincing arguments from both sides on when proprietary code or open source code should be used, depending on the context (this extends to APIs and standards as well). Comparison features include quality, robustness, customer support, expense, upgrades, market penetration, and emerging trends.

For example, some developers work within the Microsoft or Oracle suite of products. Those wishing to use open source tools can use LibreOffice (functional modules for word processing, spreadsheets), Mozilla Thunderbird (email management), TurboCASH (accounting) and WordPress (web publishing).

  8. Choice of channel

For digital offerings, the customer contact can be via channels such as desktop, mobile, kiosk, or IoT, and variations of these. At times, startups have been swept up by hype about which of these channels is best. For instance, many high-profile e-commerce startups mistakenly abandoned the desktop and chose to go “mobile only” for customer interface, before retracting their moves and developing for all platforms.

E-commerce retailer Myntra discontinued its mobile website to adopt an app-only model in 2015, but brought it back a year later. Early online check-in for airlines was only via the desktop web – but later expanded to mobile apps and airport kiosks. Techies and designers need to compare and contrast the benefits of each such channel as they roll out interactive customer touchpoints.

  9. Ignoring security and privacy

Many high-profile instances of hacking and loss of confidential information due to lost or stolen devices have revealed that security is either ignored or tacked on as an afterthought in tech development. Tech security and risk management should be a key priority for startups right from Day One.

Companies like Symantec, McAfee and QuickHeal offer solutions for startups to secure their devices, data and online workspaces; similar approaches should be used by startups to secure their own offerings to customers.

There are also tough laws in each country about privacy of consumer data. Techies and their business heads should be clear about what kinds of customer data is being captured, what kinds of consent agreements are implied, how this data will be used, and who this data is being shared with. Techies should clearly trace and log all this data for the scrutiny of internal and external auditors.

  10. Hardware: prototyping and supply chains

Hardware is driven by rapid prototyping and global supply chains of components, and tech firms in the hardware space will quickly realise that design and development requires mastery of techniques like 3D printing, virtualised products, and even frequent trips overseas to build close connects with suppliers in countries like China.

The first Maker Faire was launched in 2006, and there are now many such community events held around the world. These events have a mix of hobbyists and product professionals. Inexpensive boards (such as Arduino, Raspberry Pi, and BeagleBone) make electronics prototyping accessible to everyone; a number of enabling startups (eg. MakerBot, Adafruit, SparkFun) have also sprung into the game to help other founders develop products.

Hardware products fall into four categories: connected devices (eg. Nest, SmartThings, Belkin’s WeMo, Lowe’s Iris Smart Home Management System); wearables (Quantified Self: eg. Nike+ and Fuelband, UnderArmour’s Armour39), robots (eg. Fetch Robotics, Rethink Robotics, Agrobot, UAV or unmanned aerial vehicles such as DroneDeploy, and ROV or remotely operated vehicles); and designed products (eg. Quirky).

Founders should be able to segment the market in terms of needs and behaviours, and differentiate their proposed offerings. For example, Jawbone began with noise-cancelling headsets for soldiers, and then diversified into other kinds of wearables. Lumo Body-Tech, co-founded by Monisha Perkash, conducted extensive customer research with 30 different iterations for its body posture sensors; it finally arrived at the monitor band design instead of adhesives or garment tack-ons.

Founders will need to master terms such as design for manufacture (DFM), design for assembly (DFA), design for test (DFT), design for cost (DFC), engineering verification test (EVT) and engineering change order (ECO).

A number of hardware accelerators offer formal design reviews and mentorship in design, manufacturing, logistics, reliability, standards, and testing. Prominent players in this space include Lemnos, Y Combinator, 500 Startups, TechStars, PCH, AlphaLab Gear, Flextronics Lab IX, Logistica Asia, HaxAsia and HAXLR8R (‘hack-celerator’ programme in China).

In sum, becoming aware of the above mentioned types of challenges and taking corrective steps is key for startups to harness the transformative power of technology. Forewarned is fore-armed, and it helps startups to learn not just from their own mistakes but from others’ mistakes as well in order to keep their tech foundations intact.


Information security and privacy protection aspects of CCTV systems – Government Europa

Professor Dr. Milan Marković of Paneuropean University Apeiron, Republic Srpska, Bosnia and Herzegovina, discusses the impact of CCTV systems on information security and privacy.

Closed-circuit television (CCTV) is a TV system in which signals are not publicly distributed, but are monitored, primarily for surveillance and security purposes. CCTV systems rely on strategic placement of cameras and observation of the camera’s input on monitors. As the cameras communicate with monitors and/or video recorders across private coaxial cable runs, or wireless communication links, they gain the designation “closed-circuit” to indicate that access to their content is limited to only those with authorisation to see it.1

The effectiveness of video surveillance technology is continuously improving, and it has already established itself as a vital security tool for the police, private companies and many public sector organisations. An effective CCTV system contributes to the detection and prevention of crime, as well as protecting towns, cities and transport networks from the threat of terrorism.2

Advances in CCTV technologies – especially the move from analog CCTV cameras to internet protocol (IP) ones – certainly improve the safety and security that CCTV systems provide, but also increase information security and privacy concerns. Bearing in mind that the new EU privacy protection regulation, the General Data Protection Regulation (GDPR), will apply from 25th May 2018, the information security and privacy protection concerns of CCTV systems are now being recognised.

Applications of CCTV systems

There are three primary ways to use CCTV systems:

  • As a deterrent;
  • For forensic purposes; and
  • As an interdictive device.3,4

Originally, CCTV surveillance systems were simply a deterrent. The notion that “Big Brother” was watching was often enough to keep people from misbehaving.

On the other hand, as recording and storing technologies and software, such as video analytics, have become more efficient, CCTV systems have evolved into a forensic surveillance tool, enabling the collection of evidence after an event has taken place.

Finally, as CCTV surveillance systems become more easily integrated with monitoring devices, alarm systems and access control devices, a third use of CCTV is helping security personnel to identify and interrupt security breaches as they are occurring, or even before they take place.

CCTV systems are commonly used for a variety of purposes, including:1,3

  • Maintaining perimeter security in medium- to highly-secure areas and installations;
  • Observing the behaviour of incarcerated inmates and potentially dangerous patients in medical facilities;
  • Traffic monitoring;
  • Overseeing locations that would be hazardous to humans, for example, highly radioactive or toxic industrial environments;
  • Building and grounds security;
  • Obtaining a visual record of activities in situations where it is necessary to maintain proper security or access controls, for example, in a diamond cutting or sorting operation, banks, casinos, or airports;
  • Home security;
  • Public transportation;
  • Crime prevention;
  • Business surveillance;
  • School protection;
  • Body worn;
  • Sporting events;
  • Monitor employees; and
  • CCTV for Open Data purposes.

We should have surveillance cameras in public places because they ensure public safety. Rarely will anyone attempt to harm anyone else when they know their actions are being recorded on camera. Cameras keep the public and their personal property safe.5

The police can identify criminals through recordings on camera. Through surveillance cameras, the police can both prevent crimes from happening and can quickly solve criminal cases with material evidence.

Surveillance cameras protect against property theft and vandalism. It is very difficult for criminals to get away with stealing if there are cameras in operation. Therefore, the thief will often get caught. Surveillance cameras will catch the thief before, or during, the process of committing the crime.

Cameras, through video analytics, now have a zoom feature, allowing the camera to reveal someone’s identity, which can be beneficial to crime prevention when used in the correct way. As a result, the criminal can be apprehended quickly. For instance, in abduction cases a video would be a great way of tracking down a person quickly, and may even prevent a death.

In industrial plants, CCTV equipment may be used to observe parts of the process from a central control room, for example when the environment is not suitable for humans. CCTV systems may operate continuously, or only as required to monitor a particular event. A more advanced form of CCTV utilises digital video recorders (DVRs), providing recordings for many years potentially, with a variety of quality and performance options and extra features, such as motion detection and email alerts. More recently, decentralised IP cameras, some equipped with megapixel sensors, support recording directly to network-attached storage devices, or internal flash for stand-alone operation.

Advances in CCTV Technologies

CCTV surveillance systems have made tremendous technological progress in the last decade, not only in individual capabilities, but also in the ability to interact with other security technology.

Some of the key advances in the domain of CCTV systems are:2,3,4,5,6,7,8

  • Video content analysis (VCA);
  • Automatic number plate recognition (ANPR);
  • High definition (HD) CCTV;
  • Sophisticated motion detection algorithms;
  • Facial recognition;
  • Wide dynamic range;
  • Internet of Things (IoT);
  • Cloud technology;
  • Big Data;
  • Video management systems (VMS); and
  • Wireless technology.

Video content analysis

A key area where CCTV is rapidly developing is that of VCA. This impressive technology is already contributing to the security of a range of high-level facilities, such as city centres, transport facilities, and utilities. The costs of the technology are falling and the capability increasing to the extent that it is becoming a cost effective option for commercial premises.

VCA is the automatic analysis of CCTV images in camera or centrally, utilising advanced algorithms to create useful information about the content. Generally, these systems need a static background and, consequently, tend to operate with fixed cameras or pan, tilt, zoom (PTZ) cameras at set positions, as they are looking to identify changes or movement at a particular scene. The scope of VCA is considerable and can be used in the detection of intruders, abandoned packages, wrongly parked vehicles or as a means of counting people.

One particular area where VCA can be especially effective is around the perimeter of a site. Securing a perimeter can be seen as one of the most crucial steps in any security plan. Early detection of a threat also means that there is more time and space available to formulate the necessary response, potentially preventing an intrusion altogether.

Automatic number plate recognition

Using CCTV in conjunction with ANPR software can also be beneficial at large sites, as it allows for the identification of vehicles moving in and out of a site. If an intruder does happen to be successful, this integration can provide the police with valuable information in order to track down the suspect.

HD CCTV

HD CCTV is another area that is expanding across a wide range of video surveillance applications. HD CCTV signifies:

  • An unprecedented revolution in the quality of images that can be delivered;
  • The ability to more easily identify suspects and make sense of their actions; and
  • The potential to improve successful conviction rates on the ground.

HD cameras also open up the possibilities to cover a much wider area without having to use multiple different cameras. Operators of these cameras will also be able to pan, tilt and zoom the camera with the use of a joystick, adding flexibility to the monitoring process. When employed in the right contexts, cameras like these can allow for more widespread coverage and observation in larger areas.

Intelligent video algorithms

Intelligent video algorithms, such as sophisticated motion detection algorithms, can identify unusual walking patterns and alert a guard to watch a particular video screen. Object recognition algorithms can identify someone who might simply be loitering, or even a briefcase or other suspicious object that is left somewhere that it shouldn’t be. Again, the system can alert a monitoring guard so that appropriate action can be taken.

The most advanced intelligent video algorithm is facial recognition. However, most experts agree that use of this technology as an efficient tool in the private sector is still several years down the road.

Wide dynamic range

Wide dynamic range is another technology that is becoming a more prevalent feature of CCTV cameras. Wide dynamic range means cameras can provide detail when there’s a tremendous amount of both light and dark areas in the same scene. Meanwhile, traditional cameras can’t do that.

The Internet of Things

IoT services will allow for combined systems which integrate previously disparate devices into a common management console providing a single pane overview across entire buildings and sites. This includes:

  • Video surveillance cameras;
  • Smoke detectors;
  • Access control panels; and
  • Loudspeakers.

In the last few years, IoT has grown rapidly across the world. No longer is the internet confined to computers and mobile devices, it is now available to nearly every device that has an IP address – from microwaves and refrigerators to wearable devices and headphones. IoT systems can be integrated with, and supported by, video to provide information for facility, operational, or business needs. Video analytics, like heat mapping and person counting, can also help businesses gather more business intelligence and strengthen their security.

The result is a huge opportunity for security solutions that are purpose built to share useful data with other connected devices, all of which can be monitored remotely. This connectivity between devices will provide end-users with more complete situational awareness across multiple locations. With the advent of Cloud technology, the notion of connecting any and every device to the internet with an on and off switch became a reality.

Big Data

There still remains a significant challenge to effectively manage and use the endless amounts of video data being generated, so-called Big Data. Big Data is difficult to process through traditional data processing applications. This technology can put structure around vast amounts of unstructured video data, helping better understand significant patterns and trends. In the coming years, look for improvements in, and greater use of, VMS to search Big Data in order to pull up relevant events, people, locations, times, colors and keywords. Such tools will assist business operators to turn Big Data into critical information that supports loss prevention, marketing, operations and customer service.

Wireless technology

Wireless technology has transformed our lives in many ways, from mobile phones to WiFi connectivity. We have already seen the benefit and convenience of remote security monitoring via smartphones and tablets. Video surveillance systems of up to ten network cameras can be managed entirely via mobile devices, no longer requiring a desktop PC to run video management software. This significantly lowers the technology hurdle, as users are more open to using a smartphone app than to learning more comprehensive and detailed video management software on a desktop PC, whilst also reducing overall system and maintenance costs.

Information security and CCTV

Today, security safeguards generally fall into one of three categories:9

  • Physical security;
  • Information security; and
  • Operational security.

Physical security involves measures undertaken to protect personnel, equipment and property against anticipated threats. It includes both passive and active measures. Passive measures include the effective use of architecture, landscaping and lighting, to achieve improved security by deterring, disrupting, or mitigating potential threats. Active measures include the use of proven systems and technologies designed to deter, detect, report and react against threats. CCTV systems are part of such active measures.

Information security is the process of protecting the confidentiality, integrity and availability of data from accidental or intentional misuse by people inside or outside an organisation or facility. Key elements of information security include technical security measures/controls, such as:

  • Encryption/pseudonymisation;
  • Limiting information to authorised entities exclusively;
  • Preventing unauthorised changes to, or the corruption of proprietary data;
  • Guaranteeing authorised individuals the appropriate access to critical information and systems;
  • Ensuring that data is transmitted to, received by or shared with only the intended party; and
  • Providing security for ownership of information.

Such measures very much influence the modern CCTV systems, in regards to:

  • Protection against unauthorised access to the camera itself, especially IP cameras, to DVR systems, and to video storage systems (especially if cloud technology is used);
  • Encryption of video transmission links between camera and storage system, especially in the case of IP cameras;
  • Encryption or pseudonymisation of retained video material, either on local or cloud storages; and
  • Antimalware/end-point protection, on both camera and storage systems.

Operational security is the process of creating policies and procedures, and establishing administrative controls to preserve privileged information regarding organisational capabilities and vulnerabilities. Operational security is of paramount importance in order to create effective CCTV security policies and procedures, and these should certainly be an important part of the overall Information Security Management System (ISMS), established on the basis of the ISO/IEC 27001 international security standard.

Applying advanced information security technologies to CCTV

Cloud-based computing has touched just about every industry and it will continue to reshape the security and surveillance sector, as well. Security can now be offered as a service that is managed remotely, freeing up valuable human and capital resources that no longer need to be on-site at every location which requires monitoring.7

Secure remote access to security systems will increase in use, including by end-users who want the convenience and real-time benefits of being able to monitor property and events without having to be physically present. Such systems must be well protected at the end point (camera), as well as protecting video transmission and video retention system components.

Cloud storage is another important aspect of how systems are becoming more efficient in this model. Much larger volumes of data can be stored cost-effectively and securely at dedicated server facilities, allowing users to archive video and associated data for longer periods of time and improve its accessibility as well.

While the vision of IoT is enticing for the convenience, capabilities and flexibility that vast networks of connected devices offer, there is a growing risk for security threats and breaches as the number of entry points of a network dramatically increases. As a general rule of thumb, as you increase availability and access to any network device, it potentially increases exposure to cyber threats.

As security camera systems become increasingly interconnected with the rise of the Internet of Things, offering benefits such as remote access and third party integration – just as with other network connected devices – it is critical to perform an information security risk assessment and implement security policies in the design and implementation of a network video system. The first step is establishing an understanding and use of industry standard security protocols, including:

  • Multi-level user authentication and authorisation;
  • Password protection;
  • SSL/TLS encryption;
  • IEEE Standard 802.1X;
  • IP-filtering; and
  • Public key infrastructure (PKI) electronic certificate management.

As a network device, a camera, like any other connected physical security device, may pose a risk. If devices, services and applications do not need to interact, users should limit connectivity between them. Additionally, segmenting the video system from the core network is a good overall protection measure, reducing the risk of video resources and business resources adversely affecting each other.
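The controls listed above (and the CCTV-specific measures in the information security list earlier) can be checked mechanically against a camera's configuration. The following is an added example, not code from the article or from any camera vendor; the settings record, the core and management subnets and the sample passwords are constructed for the illustration, and it shows a weak configuration beside its corrected form.

```python
"""Added example (not from the article or any vendor): audit a network camera's
configuration against the controls the article lists for a network video system."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass
class CameraConfig:
    """Hypothetical camera/VMS settings; the field names are assumptions for this
    example, not a real vendor's configuration schema."""
    name: str
    address: str                # camera IP address
    core_network: str           # business LAN the camera must stay out of
    admin_password: str
    roles: List[str]            # roles defined on the device (viewer, admin, ...)
    web_scheme: str             # "http" or "https" for the management interface
    min_tls_version: str        # lowest TLS version the device will accept
    cert_issuer: str            # issuer DN of the device certificate
    cert_subject: str           # subject DN of the device certificate
    dot1x_enabled: bool         # IEEE 802.1X port authentication
    ip_filter_allow: List[str]  # subnets allowed to reach the management interface
    stream_encrypted: bool      # video to the recorder travels over TLS/SRTP


# Constructed sample of vendor default passwords, not an exhaustive list.
DEFAULT_PASSWORDS = {"admin", "12345", "password", "root"}


def audit_camera(cfg: CameraConfig) -> List[str]:
    """Return one finding per control that is missing or weak; empty means compliant."""
    findings: List[str] = []
    cam = ipaddress.ip_address(cfg.address)
    core = ipaddress.ip_network(cfg.core_network, strict=False)

    # Segmentation: the video system must not share the core business network.
    if cam in core:
        findings.append("camera sits on the core network; move it to a dedicated video VLAN")

    # Multi-level authentication and authorisation, password protection.
    if cfg.admin_password.lower() in DEFAULT_PASSWORDS or len(cfg.admin_password) < 12:
        findings.append("admin password is a vendor default or shorter than 12 characters")
    if len(set(cfg.roles)) < 2:
        findings.append("only one role defined; separate viewer and administrator roles")

    # SSL/TLS encryption of management and video traffic.
    if cfg.web_scheme != "https":
        findings.append("management interface served over plain HTTP")
    elif tuple(int(p) for p in cfg.min_tls_version.split(".")) < (1, 2):
        findings.append(f"TLS {cfg.min_tls_version} accepted; require TLS 1.2 or later")
    if not cfg.stream_encrypted:
        findings.append("video stream to the recorder is unencrypted")

    # PKI certificate management: a self-signed certificate has issuer == subject.
    if cfg.cert_issuer == cfg.cert_subject:
        findings.append("self-signed certificate; issue one from the organisation's PKI")

    # IEEE 802.1X keeps an unplugged camera port from being reused by another device.
    if not cfg.dot1x_enabled:
        findings.append("802.1X disabled on the camera's network port")

    # IP filtering: an empty list or a /0 entry means anyone can reach management.
    if not cfg.ip_filter_allow:
        findings.append("no IP filter; management reachable from any address")
    for net in cfg.ip_filter_allow:
        if ipaddress.ip_network(net, strict=False).prefixlen == 0:
            findings.append(f"IP filter entry {net} allows every address")
    return findings


# Constructed sample configurations: a weak camera and the corrected version.
WEAK_CAMERA = CameraConfig(
    name="cam-lobby-01", address="10.0.1.50", core_network="10.0.0.0/16",
    admin_password="admin", roles=["admin"], web_scheme="http",
    min_tls_version="1.0", cert_issuer="CN=cam-lobby-01", cert_subject="CN=cam-lobby-01",
    dot1x_enabled=False, ip_filter_allow=["0.0.0.0/0"], stream_encrypted=False,
)
HARDENED_CAMERA = CameraConfig(
    name="cam-lobby-01", address="10.200.1.50", core_network="10.0.0.0/16",
    admin_password="Lobby-Cam!2018-Rotate-Me", roles=["viewer", "operator", "administrator"],
    web_scheme="https", min_tls_version="1.2",
    cert_issuer="CN=Example Corp Issuing CA", cert_subject="CN=cam-lobby-01",
    dot1x_enabled=True, ip_filter_allow=["10.50.0.0/24"], stream_encrypted=True,
)

if __name__ == "__main__":
    for cfg in (WEAK_CAMERA, HARDENED_CAMERA):
        print(cfg.name, "->", audit_camera(cfg) or ["compliant"])
```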

Recently, CCTV surveillance cameras deployed as IoT devices have been used by hackers to gain entry into corporate IT networks. The security industry needs to quickly get a grip on keeping hackers out of devices connected through IoT, by using transport encryption and establishing more secure firewalls and monitoring which alert security administrators to potential hackers.
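The monitoring the paragraph above asks for comes down to a simple policy: a camera on the video VLAN should speak only to its recorder and time source, and should be reached only from the recorder or administrator workstations. The following added example (not from the article) runs that policy over constructed firewall log lines; the log format, subnets, recorder address and ports are assumptions made for the illustration.

```python
"""Added example (not from the article): flag cameras on the video VLAN that talk to
anything other than their recorder, or that are reached from outside the management
network, using constructed firewall log lines."""
import ipaddress
import re
from typing import Dict, List, Optional, Set

# Hypothetical video-VLAN policy; addresses and ports are assumptions for this example.
CAMERA_VLAN = ipaddress.ip_network("10.200.1.0/24")
MGMT_NET = ipaddress.ip_network("10.50.0.0/24")       # administrator workstations
ALLOWED_PEERS: Dict[str, Set[int]] = {
    "10.200.0.10": {554, 443},  # video recorder / VMS: RTSP and HTTPS
    "10.200.0.5": {123},        # NTP server
}

# Constructed log format: one key=value record per line.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+) action=(?P<action>\w+)$"
)


def parse_line(line: str) -> Optional[dict]:
    """Parse one firewall record; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    flow = m.groupdict()
    flow["dport"] = int(flow["dport"])
    return flow


def check_flow(flow: dict) -> Optional[str]:
    """Return an alert string if the flow breaks the video-VLAN policy, else None.
    Denied flows are reported too: a camera attempting to reach the core network
    is itself the signal, whether or not the firewall let it through."""
    src = ipaddress.ip_address(flow["src"])
    dst = ipaddress.ip_address(flow["dst"])
    if src in CAMERA_VLAN:
        # Outbound from a camera: only the recorder and NTP, on their listed ports.
        if flow["dport"] not in ALLOWED_PEERS.get(str(dst), set()):
            return (f"{flow['ts']} camera {src} -> {dst}:{flow['dport']} "
                    f"({flow['action']}) is outside the video policy")
    elif dst in CAMERA_VLAN and src not in MGMT_NET and str(src) not in ALLOWED_PEERS:
        # Inbound to a camera from anywhere but admin workstations or the recorder.
        return (f"{flow['ts']} {src} -> camera {dst}:{flow['dport']} "
                f"({flow['action']}) from outside the management network")
    return None


def detect(lines: List[str]) -> List[str]:
    """Run the policy over a batch of log lines and collect alerts."""
    alerts: List[str] = []
    for line in lines:
        flow = parse_line(line)
        if flow is not None:
            alert = check_flow(flow)
            if alert:
                alerts.append(alert)
    return alerts


# Constructed sample log: two normal camera flows, a camera probing a core file
# server, a camera reaching the internet, an admin session, and a core host
# browsing to a camera. The last line is malformed and must be skipped.
SAMPLE_LOG = [
    "2018-05-02T10:15:03Z src=10.200.1.50 dst=10.200.0.10 dport=554 proto=tcp action=allow",
    "2018-05-02T10:15:04Z src=10.200.1.50 dst=10.200.0.5 dport=123 proto=udp action=allow",
    "2018-05-02T10:16:11Z src=10.200.1.51 dst=10.0.5.20 dport=445 proto=tcp action=deny",
    "2018-05-02T10:16:12Z src=10.200.1.51 dst=203.0.113.7 dport=6667 proto=tcp action=allow",
    "2018-05-02T10:17:30Z src=10.50.0.12 dst=10.200.1.50 dport=443 proto=tcp action=allow",
    "2018-05-02T10:18:02Z src=10.0.7.33 dst=10.200.1.50 dport=80 proto=tcp action=allow",
    "garbage line that should be skipped",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```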

CCTV privacy concerns

Many civil liberty campaign groups, academics and consultants, have published research papers into CCTV systems. Challengers of CCTV point out the loss of privacy of people under surveillance and the negative impact of surveillance on civil liberties. Furthermore, they argue that CCTV displaces crime, rather than reducing it.10

Proponents of CCTV systems argue that cameras are effective at deterring and solving crime, and the appropriate regulation and legal restrictions on surveillance of public spaces can provide sufficient protections so that an individual’s right to privacy can reasonably be weighed against the benefits of surveillance. However, anti-surveillance activists have maintained that there is a right to privacy in public areas.

In the debate over whether surveillance cameras should be put in public areas, such as schools, stores, libraries, airports, bars and clubs, some individuals feel more secure with cameras, while other citizens and privacy advocates feel nervous about the idea of someone watching them every time they are out in public.

As the volume and quality of cameras and sensors increase, cities are turning to more advanced face and object recognition software to make sense of the data; civil liberty activists are concerned about how the technology of CCTV systems could be abused.10 With cameras in distant cities all connecting to the same database, a person’s movements can be tracked across states or continents. For instance, it could be used to single out a person attending multiple political protests.

In the workplace, employers have to deal with two competing interests; employers have a legitimate need and right to watch their employees.11 At the same time, employees maintain some privacy rights while they are at work. Workplace privacy laws vary by country, but it is very common for video surveillance of restrooms, locker rooms and break areas to be illegal, while surveillance of work areas is permitted.

From a legal perspective, there is a significant difference between a video-only camera and a camera that records audio along with video. As such, if your camera is set up to record audio, you will fall under even more legal scrutiny.11

CCTV and GDPR

The EU GDPR regulation is designed to strengthen the privacy laws governing the data of EU citizens worldwide. Protecting personal information, including image data which may allow individuals to be personally identified, is a central consideration and it brings CCTV data into the scope of GDPR.12

The GDPR is a set of laws designed to protect personal data from commercial abuse and to encourage organisations that retain such data to harden their defences and improve their processes for looking after it. This will significantly increase the importance of control over all types of data, not least because companies that breach any of the GDPR’s principles run the risk of massive fines – up to €20 million or 4% of turnover, whichever is higher – as soon as the regulation comes into effect.13,14

Some of the key facts about the GDPR include:12

  • The GDPR applies to all companies worldwide that process personal data of EU citizens.
  • The GDPR widens the definition of personal data, bringing new kinds of data under regulation. The GDPR considers any data that can be used to identify an individual as personal data. It includes, for the first time, materials such as genetic, mental, cultural, economic, or social information.
  • The GDPR tightens the rules for obtaining valid consent to using personal information. The GDPR requires all organisations collecting personal data to be able to evidence clear and affirmative consent in order to process that data.
  • The GDPR introduces mandatory privacy impact assessments (PIAs) to identify privacy breach risks and minimise risks to data subjects.
  • The GDPR introduces a common data breach notification requirement which harmonises data breach notification laws in Europe. This is intended to ensure that organisations constantly monitor for breaches of personal data. Organisations need to notify the local data protection authority of a data breach within 72 hours.
  • The GDPR introduces the right to be forgotten; organisations are not to hold data for any longer than necessary and are not to change the use of the data from the purpose for which it was originally collected. Data must be deleted at the request of the data subject.
  • The GDPR requires that privacy is included in the design of systems and processes. Software development processes must factor in compliance with the principles of data protection. Essentially, all software must be capable of completely erasing data.
  • The GDPR allows any European data protection authority to act against organisations, regardless of where in the world the company is based. This enforcement is backed by significant fines for non-compliance.

The key security technologies encompassed by GDPR are:

  • Data discovery, cataloguing and classifying;
  • Data loss protection;
  • Data encryption;
  • Email encryption;
  • Data breach identification and blocking;
  • Pseudonymisation;
  • Data portability;
  • Mobile device management;
  • Perimeter security;
  • Cloud storage and sharing services;
  • Anti-malware and advanced threat protection – endpoint protection;
  • Application security testing;
  • Evaluating cloud service providers;
  • Identity and access management;
  • Behaviour analytics;
  • Privileged access management; and
  • Format-preserving encryption (FPE).

CCTV and GDPR compliance

As for CCTV in regards to GDPR compliance, businesses and organisations operating CCTV and electronic surveillance systems need to consider:12

  • Conducting a Privacy Impact Assessment (PIA) to ensure that all CCTV cameras serve a legitimate purpose.
  • Allowing CCTV systems to power on/off, where appropriate, so recordings of footage are not continuous. Audio and video need to be independent from each other as well. Legitimate reasons for recording either, or both, need to be clearly established.
  • Sound recordings should only be obtained where absolutely necessary to support the legitimate reasons. CCTV systems should not routinely be placed in the working environment to record conversations between the public and employees.
  • Recordings from CCTV systems need to be stored securely, and access must be restricted to authorised personnel.
  • CCTV recordings need to be of an appropriate quality to meet the purpose intended.
  • Regular checks are needed to ensure that the date and time stamps recorded on images are accurate.
  • Recording and playback functions need to provide access to recordings made in specified locations and times, in order to comply with subject access requests from individuals in recordings, or in response to police requests.
  • Appropriate policies need to be enforced so that employees know how to respond to requests from individuals or police for access to CCTV recordings.
  • Ensuring that the appropriate security safeguards are in place to prevent interception and unauthorised access to, copying of, or viewing of recordings.
  • CCTV recordings that no longer serve a purpose need to be deleted. A clearly documented information retention policy, understood by the CCTV system operators, needs to be established.
  • Signage and other appropriate information need to be provided: individuals must be notified that surveillance information is being processed, that they are in an area where CCTV is in operation, and that they have rights of access to recordings and/or images of themselves.
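The retention, timestamp-accuracy, access-restriction and subject-access-request points in the checklist above can be enforced programmatically over a recording catalogue. The following is an added example written for this page, not code from the cited article or any CCTV vendor; the `Recording` class, the role table and the sample catalogue are constructed assumptions.

```python
"""Retention, clock-drift, access and subject-access-request (SAR) helpers for a
CCTV recording catalogue, following the GDPR checklist for CCTV operators.
All data below is constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Recording:
    clip_id: str
    location: str            # where the camera is sited; used for signage and SAR lookups
    start: datetime          # start of footage as stamped by the recorder (UTC)
    end: datetime            # end of footage (UTC)
    legal_hold: bool = False  # set when a police or court request requires retention


# Constructed sample catalogue; every timestamp is timezone-aware UTC.
T0 = datetime(2018, 5, 25, 12, 0, tzinfo=timezone.utc)
CATALOGUE: List[Recording] = [
    Recording("clip-001", "reception", T0 - timedelta(days=45),
              T0 - timedelta(days=45) + timedelta(hours=2)),
    Recording("clip-002", "reception", T0 - timedelta(days=31),
              T0 - timedelta(days=31) + timedelta(hours=2), legal_hold=True),
    Recording("clip-003", "car park", T0 - timedelta(days=3),
              T0 - timedelta(days=3) + timedelta(hours=2)),
    Recording("clip-004", "reception", T0 - timedelta(hours=5),
              T0 - timedelta(hours=3)),
]

# Hypothetical role table: operators may view, the data protection officer may
# also export (for SARs or police requests) and delete (retention purges).
PERMISSIONS: Dict[str, set] = {
    "operator": {"view"},
    "dpo": {"view", "export", "delete"},
}


def authorised(role: str, action: str) -> bool:
    """Deny by default: unknown roles and unlisted actions are refused."""
    return action in PERMISSIONS.get(role, set())


def expired_recordings(catalogue: Iterable[Recording], retention: timedelta,
                       now: datetime) -> List[str]:
    """Clips whose footage ended before the retention cutoff and are not on
    legal hold; these no longer serve a purpose and must be deleted."""
    cutoff = now - retention
    return [r.clip_id for r in catalogue if r.end < cutoff and not r.legal_hold]


def cameras_out_of_tolerance(stamps: Dict[str, datetime], reference: datetime,
                             tolerance: timedelta) -> List[str]:
    """Cameras whose clock differs from a trusted reference by more than
    `tolerance`; their time stamps would not be reliable evidence."""
    return sorted(cam for cam, t in stamps.items() if abs(t - reference) > tolerance)


def subject_access_request(catalogue: Iterable[Recording], location: str,
                           window_start: datetime, window_end: datetime) -> List[str]:
    """Clips at `location` that overlap the half-open window
    [window_start, window_end), as needed to answer a SAR or police request."""
    return [r.clip_id for r in catalogue
            if r.location == location and r.start < window_end and r.end > window_start]


def purge(catalogue: List[Recording], role: str, retention: timedelta,
          now: datetime) -> List[Recording]:
    """Return the catalogue with expired clips removed, but only for a role
    that holds the delete permission; otherwise the catalogue is unchanged."""
    if not authorised(role, "delete"):
        return list(catalogue)
    doomed = set(expired_recordings(catalogue, retention, now))
    return [r for r in catalogue if r.clip_id not in doomed]


if __name__ == "__main__":
    print("to delete:", expired_recordings(CATALOGUE, timedelta(days=30), T0))
    print("SAR hits:", subject_access_request(
        CATALOGUE, "reception", T0 - timedelta(hours=4), T0 - timedelta(hours=3, minutes=30)))
```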

What many organisations often do not realise is that personal data is not just written material, but includes video and audio if these allow individuals to be identified. One area of particular concern is CCTV. Nowadays there is a constant flow of news articles highlighting the security flaws that have enabled hundreds of thousands of CCTV systems across the world to be hacked and used in Distributed Denial of Service (DDoS) attacks.13

When the GDPR comes into force, management will set out operational processes to help their employees demonstrate compliance. Due to the inherent limitations of traditional CCTV, where data is held on DVRs, these will inevitably restrict general access to the equipment, rather than allowing access to specific data by authorised employees.

One solution is to hold CCTV information securely in the Cloud, with access limited to authorised personnel. There is no longer a physical DVR; data is sent directly and securely from the cameras to the Cloud. Such systems can provide not only an overview of all visual data collected by the connected CCTV cameras but also complete control over access to that data, which is encrypted end to end and can be viewed on a standard computer, tablet or smartphone via secure browser technology. They can also record CCTV data only when needed and automatically delete it when it is no longer required.

References

  1. http://whatis.techtarget.com/definition/CCTV-closed-circuit-television
  2. http://www.in-security.eu/index.php/news/archives/advances-in-cctv-can-offer-peace-of-mind
  3. https://en.wikipedia.org/wiki/Closed-circuit_television
  4. https://www.facilitiesnet.com/security/article/From-cutting-edge-to-off-the-shelf-Facilities-Management-Security-Feature–2643
  5. https://www.ifsecglobal.com/role-cctv-cameras-public-privacy-protection/
  6. https://www.facilitiesnet.com/security/topic/How-Can-CCTV-Surveillance-Systems-Improve-Security–19062
  7. https://www.ifsecglobal.com/smart-cctv-and-the-internet-of-things-2016-trends-and-predications/
  8. https://systemsurveyor.com/iot_survellance/
  9. https://www.facilitiesnet.com/security/article/Taking-Security-To-the-Next-Level-Facilities-Management-Security-Feature–2566
  10. https://edition.cnn.com/2013/04/26/tech/innovation/security-cameras-boston-bombings/index.html
  11. https://itstillworks.com/legal-issues-concerning-surveillance-cameras-3333.html
  12. https://www.ic2cctv.com/news/cctv-regulation-compliance-surveillance-footage-new-gdpr-information-security-standard/
  13. https://gdpr.report/news/2017/04/25/gdpr-key-cctv-cyber-security/
  14. http://smallbusiness.co.uk/cctv-system-gdpr-compliant-2541510/

Professor Dr. Milan Marković

Paneuropean University Apeiron

Republic Srpska

Bosnia and Herzegovina

Scope Infotech, Inc. – Government Accountability Office

Decision

Matter of: Scope Infotech, Inc.

File: B-414782.4; B-414782.5

Date: March 22, 2018

Daniel J. Strouse, Esq., Laurel A. Hockey, Esq., David S. Cohen, Esq., and John J. O’Brien, Esq., Cohen Mohr LLP, for the protester.

David B. Dixon, Esq., Meghan D. Doherty, Esq., and Robert Starling, Esq., Pillsbury Winthrop Shaw Pittman LLP, for Sparksoft Corporation, the intervenor.

Christian P. Maimone, Esq., and Erin V. Podolny, Esq., Department of Health and Human Services, for the agency.

Nora K. Adkins, Esq., and Amy B. Pereira, Esq., Office of the General Counsel, GAO, participated in the preparation of the decision.

DIGEST

1. Issuance of a task order that included non-Federal Supply Schedule (FSS) items under a competition among FSS vendors was improper.

2. Protest challenging agency’s evaluation of the awardee’s quotation is denied where, despite the protester’s assertions to the contrary, the solicitation did not mandate the pricing of all software provided as government furnished equipment, vendors were assessed on a common basis, and the awardee’s professional compensation was reasonably evaluated in accordance with Federal Acquisition Regulation provision 52.222-46.

DECISION

Scope Infotech, Inc., a small business located in Columbia, Maryland, protests the issuance of a General Services Administration (GSA) Federal Supply Schedule (FSS) task order to Sparksoft Corporation, a small business located in Catonsville, Maryland, by the Department of Health and Human Services, Centers for Medicare and Medicaid Services (CMS) under request for quotations (RFQ) No. 170454 for operations and maintenance of the data services hub system utilized to support healthcare exchanges. The protester challenges multiple aspects of the agency’s evaluation.

We sustain the protest in part, and deny the protest in part.

BACKGROUND

CMS issued the RFQ on January 20, 2017, pursuant to the procedures of Federal Acquisition Regulation (FAR) § 8.405-2, to small business vendors holding contracts under GSA schedule 70–commercial information technology equipment, software, and services.[1] RFQ at 1; Contracting Officer Statement (COS) at 1. The solicitation sought a vendor to provide information technology operations, maintenance, and support services to maintain CMS’ data services hub, which permits computer systems and networks across multiple government agencies to communicate with each other, and permits the public to shop for health insurance in the private health insurance markets (known as exchanges). COS at 1. The agency intended to issue a fixed-price and time-and-materials task order consisting of a 1-year base period and four 1-year option periods.[2] RFQ at 1, 4. The RFQ provided for selection of the best-value vendor based on the following factors, which were listed in descending order of importance: technical understanding and approach; personnel qualifications and management plan; past performance; section 508 compliance; and price.[3] Id. at 8-9.

The RFQ required vendors to submit quotations in three separate volumes: business/price; technical; and business ethics, conflicts of interest, and compliance. Id. at 4-7. With respect to the business/price volume, vendors were instructed to provide a total price for each year for the fixed-price portion of the statement of work and complete a basis of estimate for the time-and-materials tasks outlined in the statement of work. Id. at 4. Vendors were also required to include any materials, travel, and/or other direct costs (ODC). Id. This volume also required the submission of information pursuant to FAR provision 52.222-46–Evaluation of Compensation for Professional Employees.

With respect to the technical volume, vendors were instructed under the technical understanding and approach factor to demonstrate their technical approach for completing the statement of work requirements, including anticipated risks and their approach for mitigating each risk. Id. Under the personnel qualifications and management plan factor, the RFQ instructed vendors to provide the labor categories and hours, and a plan to manage the staff based on their technical approach. Id. at 5. The RFQ also required vendors to provide a letter of commitment for each person not currently employed by the vendor, to include the date of availability, how long the commitment is binding and a signature both of the individual submitting the letter of commitment and the vendor’s authorized official. Id.

As relevant here, the RFQ provided that the agency would evaluate technical understanding and approach by assessing the vendor’s understanding of the statement of work and its techniques and procedures to ensure efficient, low risk performance. Id. at 8. The agency would evaluate price in accordance with FAR § 8.405-2(d) and assess the information submitted as required by FAR provision 52.222-46 to determine whether a vendor’s compensation plan reflects a sound management approach and understanding of the contract requirements, including an assessment of the vendor’s ability to provide uninterrupted high-quality work. Id. at 9. The professional compensation proposed would also be considered in terms of its impact upon recruiting and retention, its realism, and its consistency with the vendor’s total plan for compensation. Id.

CMS received six quotations in response to the solicitation. Agency Report (AR), Tab 6, Source Selection Decision (SSD), at 4-5. The agency evaluated quotations and issued questions to all vendors. COS at 2. As relevant to this protest, on April 14, the contracting officer sent an email to Sparksoft asking if it was possible to provide any of the non-FSS (open market) software licenses on Sparksoft’s GSA schedule or on one of its teaming partner’s schedules. Id. On April 17, the contracting officer also sent an email to Scope asking if it was possible to provide any of the open market software licenses on Scope’s GSA schedule or on one of its teaming partner’s schedules. Id.; AR, Tab 4M1, CO Email, Apr. 17, 2017 (12:34 p.m.). On April 20, the contracting officer sent an additional email to Scope to point out that the RedHat JBoss software licenses it quoted were open market items. COS, at 2; AR, Tab 4M3, CO Email, Apr. 20, 2017 (11:02 a.m.). The contracting officer asked Scope if it could look at providing these items through one of their partners’/subcontractors’ GSA schedules. Id. On April 21, Scope responded that two companies, Carasoft and EC America, offered the JBoss software licenses on their GSA schedules; however, Scope noted that when purchased on the GSA schedule, the price discount from Carasoft would be removed, which would make the total cost of the JBoss software licenses higher.[4] AR, Tab 4M3, Scope Email, Apr. 21, 2017 (2:53 p.m.).

On April 26, based on the results of the initial evaluation and the vendors’ answers to the contracting officer’s questions, the contracting officer removed all vendors, aside from Scope and Sparksoft, from the competition. COS at 3. On April 28, the agency opened discussions with Scope and Sparksoft. Id.

The agency sent discussion letters to both Scope and Sparksoft to address questions regarding the vendors’ assumptions and quoted software licenses. AR, Tab 4B, Sparksoft Discussion Letter, at 1-2; Tab 4D, Scope Discussion Letter, at 1-2. Each letter also noted that, “a significant portion [of the ODC software licenses] were quoted as open market items as defined in FAR part 8.” Id. at 2. The agency asked, “[i]f at all possible, please provide a quote with no open market ODC’s.” Id. at 2. On May 1, the contracting officer held individual conference calls with each vendor. COS at 3. During these calls, the contracting officer discussed, among other things, whether the software licenses quoted by the vendors as ODCs were open market items. Id. The contracting officer also agreed to provide both vendors with a list of government furnished equipment (GFE) software licenses, which the agency would receive at the end of the incumbent contract and provide to the new contractor. Id. The contracting officer requested final quotation revisions by May 4. Id. at 4.

On May 2, the contracting officer emailed the vendors a spreadsheet listing the GFE software licenses CMS would provide to the awardee. AR, Tab 4F3, CO Email to Scope, May 2, 2017 (3:16 p.m.); Tab 4F4, CO Email to Sparksoft, May 2, 2017 (3:15 p.m.). In response to this email, Scope responded as follows, “this GFE list covers most of the ODC items we had listed. We will go ahead and revise our ODC list to exclude the items covered under GFE.” AR, Tab 4F3, Scope Email, May 2, 2017 (3:43 p.m.). On May 3, the agency sent an updated GFE spreadsheet to the vendors, which included an expiration date for each software license. AR, Tab 4F3, CO Email to Scope, May 3, 2017 (9:28 a.m.); Tab 4F4, CO Email to Sparksoft, May 3, 2017 (9:28 a.m.); See AR, Tab 4E, GFE Software List.

The agency received final quotation revisions from both Scope and Sparksoft. AR, Tab 6, SSD, at 4. The contracting officer began reviewing the vendors’ quotations and noticed a possible misunderstanding in Scope’s business/price volume. COS at 4. The contracting officer emailed Scope on May 5 to request clarification that it intended to remove all GFE software from its ODC pricing. Id. The contracting officer’s email provided as follows:

I notice there are no ODC costs in your updated quote besides travel costs. As you saw in the GFE list I provided, the [software] licenses CMS is providing as GFE do expire and will need to be renewed. I want to confirm that the updated quote you sent includes support of the licenses throughout the life of the contract as needed to complete the DSH [data services hub] work – perhaps as not separately priced.

AR, Tab 4G, CO Email to Scope, May 5, 2017 (2:27 p.m.). In response, Scope replied:

It is a misunderstanding on my part, I apologize. I assumed the items from the GFE list you provided will continue to be provided as GFE items under [the] DSH [data services hub] recompete contract. I can redo the price sheet and submit it as if we are picking up all the GFE items as ODC, as they expire.

Id., Scope Email, May 5, 2017 (2:45 p.m.). On May 8, Scope submitted a revised quotation. Id., Tab 6, SSD, at 4.

The agency evaluated the quotations of Scope and Sparksoft and concluded that Sparksoft provided the best-value quotation. COS at 5. On May 31, CMS awarded the task order to Sparksoft and notified Scope of the award. Id.

On June 9, Scope filed a protest with our Office. In response, the agency notified our Office of its intent to take corrective action by re-evaluating the price quotations of both Scope and Sparksoft and issuing a new source selection decision. Based on the agency’s notice, we dismissed the protest as academic on June 29. Scope Infotech, Inc., B-414782, June 29, 2017 (unpublished decision). The agency conducted a re-evaluation of the quotations, and on July 28, again awarded the task order to Sparksoft. COS at 6.

On August 4, Scope filed a second protest with our Office. After the GAO attorney assigned to the protest conducted an alternative dispute resolution conference, in which she informed CMS that she would likely sustain the protest based upon the agency’s evaluation of the vendors’ professional compensation, the agency notified our office of its intent to take corrective action by re-evaluating the quotations of Scope and Sparksoft and issuing a new source selection decision. Based on the agency’s notice, we dismissed the protest as academic on October 27. Scope Infotech, Inc., B-414782.2, Oct. 27, 2017 (unpublished decision). The agency conducted a re-evaluation of the quotations, and on December 8, again awarded the task order to Sparksoft.[5] COS at 6.

On December 13, Scope filed this protest with our Office. Thereafter, on December 22, the agency published a justification and approval for other than full and open competition pursuant to FAR § 8.402(f) to add the bundled JBoss software licenses as open market items to Sparksoft’s FSS task order award.[6] AR, Tab 1Q, JBoss Justification, at 1-5; See https://www.fbo.gov/?s=opportunity&mode=form&id=ab47fb10689ebc40ee787cd3367a4cd7&tab=core&_cview=0 (last visited, Mar. 16, 2018). The justification cited the authority at 41 U.S.C. § 253(c)(1), authorizing the use of other than full and open competition when there is only one responsible source and no other supplies or services will satisfy agency requirements. Id. at 2. The justification provided that Sparksoft was forced to quote the open market bundled JBoss software licenses because these items were not available on a GSA schedule. Id.

DISCUSSION

Scope challenges the agency’s evaluation of Sparksoft’s quotation. The protester alleges that the agency’s award is improper because Sparksoft’s quotation contained open market items, which Scope quoted on Carasoft’s GSA schedule. The protester also alleges that CMS’ evaluation was unreasonable because Sparksoft’s quotation is unacceptable. Scope also challenges the agency’s evaluation of Sparksoft’s professional compensation. We have reviewed all of the protester’s allegations and as explained below, we sustain the protest because the agency unreasonably included the JBoss software licenses as open market items on Sparksoft’s task order. While we do not address each of the remaining allegations, we have reviewed them all and find that none provide a basis to sustain the protest.[7]

Open Market Items

Scope contends that the task order award was improper because Sparksoft quoted the JBoss software licenses as open market items. In response, CMS alleges that it properly issued the award pursuant to FAR § 8.402(f) because no vendor could provide the JBoss software licenses on a GSA schedule contract. We sustain the protest because Scope’s quotation provided the JBoss software licenses on a GSA schedule contract and thus, the agency could not include the same JBoss software licenses on Sparksoft’s order as open market items.

The FSS program, directed and managed by GSA, provides federal agencies with a simplified process for obtaining commonly used commercial supplies and services. FAR § 8.402(a). Orders placed using the procedures established for the FSS program satisfy the requirement for full and open competition. 41 U.S.C. § 152(3); FAR § 6.102(d)(3). Non-FSS products and services may not be purchased using FSS procedures; instead, their purchase requires compliance with the applicable procurement laws and regulations, including those requiring the use of competitive procedures. See FAR § 8.402(f); Symplicity Corp., B-291902, Apr. 29, 2003, 2003 CPD ¶ 89 at 4.

Here, the JBoss software licenses at issue are offered by Carasoft. As explained above, Carasoft’s GSA schedule contract includes the JBoss software licenses as four separate items. Under the prior CMS contract, Carasoft offered a price discount to the incumbent contractor if the four software licenses were purchased as a bundle (i.e. JBoss Fuse + BRMS 16 core and JBoss Fuse + BRMS 64 core). While Carasoft assigns these two bundled products separate product numbers from the four software licenses on its GSA schedule, there is no dispute among the parties that, aside from a price discount, the four JBoss software licenses on Carasoft’s schedule are the same software licenses as those bundled for the price discount. In this regard, whether ordering the bundled or unbundled products, Carasoft provides four separate JBoss software licenses.

The agency first asserts that its award was proper because Scope’s quotation did not include the JBoss software licenses on Carasoft’s GSA schedule contract as the protester alleges. The agency explains that Scope’s final quotation provides, after listing the four software licenses individually: “[The incumbent] had bundled discount for Fuse + BRMS. GSA schedule does not offer bundle discount.” See AR, Tab 2q, Scope Revised Price Quotation, ODC Tab, at 1. CMS contends that this reference to the bundled price discount indicates that Scope did not obtain the JBoss software licenses on Carasoft’s GSA schedule. We disagree.

Scope’s quotation provided a spreadsheet with line entries for each of its ODCs. Four of these line entries quoted Carasoft’s JBoss software licenses and listed Carasoft’s schedule number, Carasoft’s GSA schedule price, and a discounted price Scope received from Carasoft for this procurement. Id. As stated above, the entries also included a note referencing the price discount received by the incumbent. Id. On this record, we find no basis to support the agency’s conclusion that Scope quoted the bundled open market software. Scope’s quotation provided all the necessary information for the agency to confirm that Scope was offering the four separate JBoss software licenses on a GSA schedule (i.e. Carasoft’s GSA schedule number, GSA schedule price, and a price discount). Had the agency reviewed this information, the agency could not have reasonably concluded that Scope failed to quote these items on a GSA schedule. Scope’s reference to the incumbent price discount simply acknowledged that the discount was not available on a GSA schedule. Accordingly, we find the agency’s conclusion that Scope failed to provide the JBoss software licenses on a GSA schedule was unreasonable.

We also find that the agency’s next argument–that CMS could properly rely on Carasoft’s bundle-item price discount to support its claim that no vendor could provide these items on a GSA schedule–is unreasonable. The agency asserts that Sparksoft was forced to quote the bundled JBoss software licenses as open market items because they are not sold on a GSA schedule. However, as explained above, the software licenses were, in fact, available on GSA schedule contracts as four separate items. Indeed, the exact software licenses quoted in Sparksoft’s proposal as open market items were quoted by Scope on Carasoft’s GSA schedule. While the agency makes much of the fact that Carasoft provides different product numbers for these software licenses, whether bundled or unbundled, and provides a price discount for the bundled items, the agency’s claim that the price discount prevents Sparksoft from quoting these items on a GSA schedule is unreasonable and circumvents the very purpose of the FSS. That is, to award contracts to vendors quoting scheduled items. Rapiscan Sys., Inc., B-401773.2, B-401773.3, Mar. 15, 2010, 2010 CPD ¶ 60 at 3 (citing general rule that all items under an FSS solicitation must be included on the successful vendor’s FSS contract). Accordingly, we find that the agency could not reasonably rely on a bundle-item price discount as a basis to find that the JBoss software licenses were not available on a GSA schedule.

In sum, we find that the agency unreasonably concluded that Scope did not provide the JBoss software licenses on a GSA schedule and that no vendor could provide these items on a GSA schedule. Thus, we cannot find the agency’s inclusion of the open market items on Sparksoft’s order pursuant to FAR § 8.402(f) to be reasonable. In this regard, FAR § 8.402(f) permits a contracting officer to “add items not on the Federal Supply Schedule (also referred to as open market items)” to a FSS task order only if all applicable acquisition regulations pertaining to the purchase of the items not on the FSS have been followed. FAR § 8.402(f). Here, the JBoss software licenses could not reasonably be considered to be “items not on the Federal Supply Schedule” because they were quoted by Scope on Carasoft’s GSA schedule contract. For these reasons we sustain the protest.[8] We further conclude that Scope, the only other vendor in the competition who was favorably evaluated at a fair and reasonable price, was prejudiced by the agency’s inclusion of the open market items because, but for these errors, the protester could have had a substantial chance for award. See DRS ICAS, LLC, B-401852.4, B-401852.5, Sept. 8, 2010, 2010 CPD ¶ 261 at 21-22.

Sparksoft’s Evaluation

Scope argues that Sparksoft’s proposal is unacceptable because it failed to price all GFE software licenses as ODCs. Relatedly, Scope argues that Sparksoft’s quotation is unacceptable because its technical approach, which provided that it would not make significant changes to the current software licensing, is inconsistent with its price, which did not include pricing for five software licenses provided as GFE. Scope further argues that the agency failed to treat the vendors equally because it permitted Sparksoft to quote only a portion of the required GFE software licenses, while it required Scope to price all GFE software licenses. Scope also challenges the agency’s evaluation of Sparksoft’s professional compensation.

Where, as here, an agency issues a solicitation to FSS contractors under FAR subpart 8.4 and conducts a competition, we will review the record to ensure that the agency’s evaluation is reasonable and consistent with the terms of the solicitation. SRM Group, Inc., B-410571, B-410571.2, Jan. 5, 2015, 2015 CPD ¶ 25 at 4. In reviewing a protest challenging an agency’s technical evaluation, our Office will not reevaluate the quotations; rather, we will examine the record to determine whether the agency’s evaluation conclusions were reasonable and consistent with the terms of the solicitation and applicable procurement laws and regulations. OPTIMUS Corp., B-400777, Jan. 26, 2009, 2009 CPD ¶ 33 at 4. A protester’s disagreement with the agency’s judgment does not establish that an evaluation was unreasonable. DEI Consulting, B-401258, July 13, 2009, 2009 CPD ¶ 151 at 2.

Scope raises multiple related arguments all based upon the same underlying premise–that vendors were required to price all GFE software licenses as ODCs. We find no basis to support this conclusion. The protester has not pointed to anything in the solicitation that would require such pricing, and based on our review, we have found none. Instead, Scope argues that the agency’s communications with the vendors included the requirement to price all GFE software licenses. We do not agree.

As stated above, during separate conference calls with each vendor, the contracting officer agreed to provide a list of GFE to the vendors. The GFE list contained the software licenses used by the incumbent contractor and included an expiration date for each license. AR, Tab 4E, GFE Software List, at 1. After Scope received the list of GFE software licenses, it revised its quotation to remove pricing for each of the GFE software licenses. AR, Tab 2P, Scope Price Quotation, May 4, 2017, ODC Tab, at 1. The contracting officer reviewed Scope’s final revised quotation and recognized Scope’s misunderstanding with respect to the GFE software licenses. COS at 4. In this regard, the contracting officer realized that Scope mistakenly believed that CMS would be providing the software licenses as GFE for the entire contract. Id. To correct this misunderstanding the contracting officer emailed Scope to explain that “[a]s you saw in the GFE list I provided, the licenses CMS is providing as GFE do expire and will need to be renewed. I want to confirm that the updated quote you sent includes support of the licenses throughout the life of the contract as needed to complete DSH [data services hub] work – perhaps as not separately priced.”[9] Id.; AR, Tab 4G, CO Email to Scope, May 5, 2017 (2:27 p.m.). Scope confirmed its misunderstanding and submitted a revised quotation. AR, Tab 4G, Scope Email, May 5, 2017 (2:45 p.m.), at 1; Tab 2Q, Scope Revised Price Quotation.

Based on our review of the record, we find that the contracting officer’s communications did not provide a requirement to price all GFE. Rather, the communication was to correct Scope’s misunderstanding with respect to the agency’s provision of these items throughout the life of the contract. Indeed, the contracting officer made clear that the licenses should be renewed only as needed to perform the work. The protester’s allegations in this regard are not reasonable.

Relatedly, Scope also challenges the agency’s evaluation of Sparksoft’s price quotation asserting that the agency failed to recognize that Sparksoft’s price is inconsistent with its technical approach. Sparksoft’s technical quotation provided, “Sparksoft does not anticipate major changes to the current DSH [data services hub] architecture, so, we do not expect significant changes to software licensing.” AR, Tab 3c, Sparksoft Technical Quotation, at 46. Scope argues that, since Sparksoft did not expect significant changes to software licensing, it was required to price all GFE software licenses, and that since Sparksoft did not price five software licenses listed as GFE, the agency should have found its quotation unacceptable. We disagree.

As above, we find no requirement for vendors to provide pricing for all software licenses provided on the GFE list. We also find no basis to conclude that Sparksoft’s statement–that it did not expect significant changes to software license–is inconsistent with its price quotation or required it to price all GFE software licenses. In this regard, Sparksoft did not propose the same solution as the incumbent contractor. Thus, it is not unreasonable to expect differences in its pricing of the GFE software licenses. Moreover, as part of its previous corrective action, the agency conducted an evaluation of Sparksoft’s ODCs to determine if the lack of pricing for the five specific software licenses called into question Sparksoft’s ability to perform the contract. AR, Tab 5F, Sparksoft ODC Analysis, at 1-3. Based upon this review, the agency found no issues with the software licenses Sparksoft included in their quotation and concluded that the price quotation: “1) matched their technical approach and 2) the excluded items . . . would not cause any changes to the DSH [data services hub], which could or would introduce unacceptable risk or problems for the Government.” Id. at 2. On this record, we find the agency’s evaluation unobjectionable.

Scope also alleges that the agency’s evaluation was unequal because the agency required Scope to price all GFE software licenses while Sparksoft was permitted to provide pricing for only a portion of the licenses. Again, neither the RFQ nor the contracting officer’s communications with the vendors mandated the pricing of all GFE software licenses. Furthermore, we find no unequal treatment as a result of the contracting officer’s communications with the vendors because the contracting officer asked both vendors the same question. Compare AR, Tab 4C, CO Email to Scope, May 5, 2017 (2:27 p.m.), at 1, with Tab 4H, CO Email to Sparksoft, May 5, 2017 (3:05 p.m.). As the record demonstrates, Scope priced all software licenses listed as GFE because, as it explained in its communications with the contracting officer, “a central part of our proposed approach for DSH [the data services hub] is to continue the current hardware/software configuration and infrastructure.” AR, Tab 4M2, Scope Email, Apr. 19, 2017 (11:16 a.m.). In this regard, Scope chose to implement the solution of the incumbent. However, Scope was free to maintain only the licenses that were required for performance of the contract. That Scope chose to implement the solution of the incumbent does not require the agency to evaluate Sparksoft, or any other vendor, as if they offered the same solution as Scope. Accordingly, we find that the agency’s evaluation in this regard was equal and in accordance with the solicitation criteria.

Finally, Scope argues that the agency’s evaluation of Sparksoft’s professional compensation was unreasonable. We find no basis to object to the agency’s evaluation.

The purpose of FAR provision 52.222-46–Evaluation of Compensation for Professional Employees is to evaluate whether offerors will obtain and keep the quality of professional services needed for adequate contract performance, and to evaluate whether offerors understand the nature of the work to be performed. MicroTechnologies, LLC, B-413091.4, Feb. 3, 2017, 2017 CPD ¶ 48 at 8. In the context of fixed-price contracts, our Office has noted that this FAR provision anticipates an evaluation of whether an awardee understands the contract requirements, and has offered a compensation plan appropriate for those requirements–in effect, a price realism evaluation regarding a vendor’s proposed compensation. Id. at 6-7. The depth of an agency’s price realism analysis is a matter within the sound exercise of the agency’s discretion. Apptis Inc., B-403249, B-403249.3, Sept. 30, 2010, 2010 CPD ¶ 237 at 9. In reviewing protests challenging price realism evaluations, our focus is on whether the agency acted reasonably and in a manner consistent with the solicitation’s requirements. MicroTechnologies, LLC, supra, at 11.

Here, the agency conducted a thorough evaluation of the vendors’ professional compensation plans to ensure that the plans reflected a sound management approach and understanding of the contract requirements, including an assessment of each vendor’s ability to provide uninterrupted high-quality work. AR, Tab 5E, Professional Compensation Analysis. The agency compared the salary and benefits submitted by the vendors to the incumbent contractor’s salary and benefits to determine if compensation levels were lower than those of the predecessor contractor. Id. To conduct this portion of the analysis the agency chose to use the mid-point of each vendor’s professional compensation plan salary range. Id. The agency compared this number to the incumbent salary as well as reference salaries such as salary.com, glassdoor.com, and indeed.com. Id. For Sparksoft, the mid-point was the 75th percentile salary range. Id. Based on this analysis, the agency concluded that there was no evidence to suggest that Sparksoft’s professional compensation plan salaries were out of line or otherwise not competitive. AR, Tab 6, SSD, at 27.

Scope argues that the agency’s evaluation was unreasonable because the agency should have compared Sparksoft’s 50th percentile range to the incumbent’s rates. We find the agency’s evaluation unobjectionable. As stated above, price realism analysis is a matter within the sound exercise of the agency’s discretion. While Scope would have preferred that the agency conduct its analysis at the 50th percentile range, there is nothing in the solicitation that would require the agency to do so. Scope’s disagreement with the agency choice of percentile range is unavailing. Sparksoft’s professional compensation plan provided that “although the salary [ranges] reference local and national surveys, Sparksoft may offer salaries beyond those listed for resources exceeding standards set for requirements such as education and experience.” AR, Tab 3L, Sparksoft Business/Price Quotation, Section 2.4, at 6. Moreover, the record demonstrates that Sparksoft’s quotation included signed letters of commitment, many of which are from incumbent employees. AR, Tab 3C, Sparksoft Technical Quotation, Appendix A, Resumes. Thus, we have no basis to question the agency’s conclusion that Sparksoft’s proposed compensation plan reflects a clear understanding of the work to be performed; demonstrates the ability to retain qualified personnel and employ a stable workforce; and includes realistic rates for professional compensation. AR, Tab 6, Award Decision, at 27.

RECOMMENDATION

We recommend that the agency cancel the order to Sparksoft and assess its actual requirements. To the extent the agency chooses to move forward with this procurement, it should reevaluate proposals consistent with the RFQ and the rules applicable to FSS procurements, and make a new source selection. We also recommend that the agency reimburse Scope the reasonable costs of filing and pursuing the protest, including attorneys’ fees. Bid Protest Regulations, 4 C.F.R. § 21.8(d)(1). Scope should submit its certified claim for costs, detailing the time expended and costs incurred, directly to the contracting agency within 60 days of this decision.

The protest is sustained in part, and denied in part.

Thomas H. Armstrong

General Counsel

Scottsdale Institute 2017 CISO Fall Summit: Best Practice Standards in Cybersecurity Risk Management – Healthcare Informatics

Thirteen chief information officers (CIOs) and chief information security officers (CISOs) of leading health systems convened in Chicago to discuss key challenges, best practice standards and collaborative opportunities in cybersecurity. These healthcare executives focused on cybersecurity maturity levels, governance practices, reporting systems, threat monitoring/threat analytics tactics and the importance of tying cybersecurity metrics to business impacts. This report captures their discussion and shared insights.

CISO Fall Summit Participants: Fernando Blanco, vice president and CISO, Christus Health; Jeff Bontsas, vice president and CISO, Ascension Information Services; Erik Decker, chief security and privacy officer, University of Chicago Medicine; Jim Hanson, Information Security Officer, Avera Health; Bryan Kissinger, Ph.D., vice president and CISO, Banner Health; Thien Lam, vice president and CISO, BayCare Health System; Ken Lawonn, senior vice president and CIO, Sharp HealthCare; Leonard Levy, vice president and CISO, Spectrum Health; Christie Polley, system director, IS information security, Eastern Maine Healthcare Systems; Brad Sanford, CISO, Emory University; Randy Thompson, M.D., CMIO and interim CIO, Billings Clinic; Jim Veline, senior vice president and CIO, Avera Health; Brenda Williams, vice president technology services, Mosaic Life Care

Organizer: Scottsdale Institute; Sponsor: Deloitte

Moderators: Deloitte—Bruce Daly, principal, Deloitte & Touche LLP; Raj Mehta, partner, Deloitte & Touche LLP

Introduction

With numerous high-profile security events and data breaches splashed on the papers of national newspapers, there is a growing appreciation in healthcare and non-healthcare organizations alike that cybersecurity impacts business as a whole. Today, cybersecurity is increasingly regarded not as a technical issue pigeonholed in IT departments, but as a corporate and business issue. The cybersecurity function is rapidly evolving, eliciting greater visibility across healthcare systems and drawing increased attention from boards and leadership charged with risk management.

In October, leadership representing information technology (IT) and information security (IS) functions from Scottsdale Institute member health systems came together to share their perspectives, experiences and strategies for tying cybersecurity metrics into business impacts and business risk and for monitoring and managing ever-changing risks and threats.

The Imperative of Linking Cybersecurity Risks to Business Impacts

There is a growing appreciation across boardroom tables that cybersecurity is a business risk, not just a technical risk. Yet, the process of reporting metrics has not fully caught up. To drive home the understanding that cybersecurity addresses key corporate and business issues, cybersecurity reporting must be aligned to business impacts. “How many of you are regularly using business risk to report?” asked discussion moderator Raj Mehta of Deloitte, kicking off a spirited conversation focused on improved communication of metrics, risks and impacts to management and boards. “If there is a cybersecurity risk to the organization, it is fundamentally a business risk. On this, we all agree. But is it being reported up and out that way?” Mehta challenged.

Participants around the Summit table voiced challenges, shared tips and broadly agreed that CISOs and cybersecurity teams have work to do internally to better align cybersecurity metrics, measures—and even budget requests—with business risks and business impacts. Many have already started that process.

What We Consider Catastrophic May Be Very Different from What the Business Cares About

It is crucial to understand what critical or catastrophic impact means to your business leaders, emphasized Erik Decker, chief security and privacy officer at University of Chicago Medicine. “What we in IT think of as catastrophic can be very different from what the business cares about,” said Decker, citing his experience in collecting feedback from his senior leadership on the business impacts most important to them.

“Early on in my program, we convened our C-suite to make objective statements around the stratification of risks that were most concerning to them and that had the most consequential impacts to the business. We talked through many different scenarios of cybersecurity risk and threat outcomes that could happen, and together we categorized and stratified these on a 1-5 scale of catastrophic to nominal. Items on the table ranged from a simple phish, to hacking that could lead to data loss, as well as cyber actions that could cause death. There is now a clear sense internally of what the most concerning business impacts are, and we can now measure and stratify risks/threats against those stratified impacts.”

Core business impacts ranked by University of Chicago, and agreed upon by participants around the table, included:

  • Patient safety issues/harm to patient
  • Ransomware that can bring down digital operations and systems
  • Breach of private data
  • Mishandling of sensitive information
  • Risks/unknowns brought by M&A activity

There were hearty nods of agreement centered on the categories of business impacts, with the understanding that different boards may rank the importance of each type of impact differently.

Brad Sanford, CISO at Emory University, reported that his organization captures these business impacts through a slightly different approach. “We have one risk measure that is a roll-up of several related risks that could impact the confidentiality or integrity of our data, and another one that focuses on the availability of our systems including business continuity and our ability to recover in the event of a disaster.”

Cybersecurity: A Row in a World of Columns

Bryan Kissinger, CISO of Banner Health, noted that his organization views cybersecurity metrics via the lens of “confidentiality, availability and integrity of systems.” Yet, he noted, none of the frameworks adequately fits the depth and breadth of cybersecurity risks and impacts. “Cybersecurity is a row in a world full of columns,” he opined, in a statement that became a mantra during the Summit. “Patient safety is a column. Financial performance is a column. But security is a row that cuts across everything. Information security and cybersecurity cut across every one of those business impacts. We are a row in a world full of columns. The row is being driven by info security and privacy teams but it permeates all of the organization and its entities.”

Risk Assessment: Shaping Risk Postures through the Lens of Threat Actors

Though risk assessment is tackled differently across organizations, the value of understanding “threat actors”—and the type of impact each could have on business—was discussed as a meaningful way to approach risk assessment frameworks. One participant identified a white paper, “Hacking Healthcare IT in 2016: Lessons Learned from the OPM Breach” as a particularly helpful resource to overlay the intentions of threat actors with the business risks of health systems.

The paper, which categorizes risks across five main categories of threat actors—script kiddies, hacktivists, cyber criminals, cyber terrorists and nation-state actors—has “helped shape our risk postures,” the participant explained. “We’ve built a framework that considers who the actors are, what their motivations might be, and how our strategies can address those specifically. We now tie threats back to risks, and tie risks back to groups of threat actors. Today, as we profile risks and add controls, we keep the common threat actors in mind.”

Tip: To manage the sheer volume and immensity of risk assessment and risk analysis, Leonard (“Lenny”) Levy, vice president and CISO, Spectrum Health, reports that he and his team balance breadth and depth when conducting their annual risk assessment. “Since it would not be feasible to go in-depth across our entire environment, we perform an enterprise assessment looking at key risks and controls, and once a month perform a deep dive into a specific application, location and business unit, to make a more comprehensive analysis.”

Threat Monitoring

There is an abundance—and many times, an overabundance—of data feeding into the threat intelligence and threat-monitoring funnel. A challenge that many agreed on is deploying the right level of internal and external resources to collect the optimal information. Outsourcing and collaboration rose to the top as the trends that CISOs are converging around.

CISO Insider Insights / Tips from the Trenches:

Outsourcing: “We recently converted to a hybrid model. Our primary level 1/level 2 monitoring is now outsourced. We still retain some resources internally who respond to issues and double-check our provider. This is where our red team comes in to test and make sure it is functioning properly.” (Lenny Levy, Spectrum Health)

Collaborative learning through ISACs: “The information-sharing and analysis centers (ISACs) are helpful as members are able to share information about what we are seeing. After all, it only takes one person to figure out an interesting nuance to a particular threat. Then, this can be shared and everyone can take advantage. Working with ISACs, you don’t need to figure out everything on your own.” (Brad Sanford, Emory University)

Monitoring for threats not experienced…yet: While this is an area that is ripe for maturity, many CISOs have their teams on a variety of chat rooms to “monitor what is happening externally, so we know threats we haven’t experienced. You need to look for it, as it doesn’t come to you.” (Jim Hanson, Avera Health)

Structured internal teams: “We have a team that is structured to focus on three core areas: threat management, vulnerability management, and incident management.” (Brad Sanford, Emory University)

Establishing internal norms and flags: “We feed privacy and access data in SIEM [security incident and event management] and determine what is normal—for example, how many records people access per day, per week and per month. So if this number of records went up, that is a flag for investigation.” (Thien Lam, BayCare Health System)
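The baseline-and-flag idea in the quote above, written out as an added Python example (not code from the Summit report or from BayCare): it learns each user's normal number of distinct records viewed per day from constructed audit lines and flags a day that sits far above that baseline. The log format, user names, dates and thresholds are all assumptions, and it also handles two edge cases the quote does not spell out: a user whose daily count never varies (standard deviation zero) and a user with too little history to have a "normal" at all.

```python
"""Baseline-and-flag check for patient-record access volume.

Added example, not code from the Summit report or from any organization
named in it. The audit-log format, user names and counts are constructed.
"""
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean, pstdev


def constructed_log() -> list[str]:
    """Build a constructed EHR audit export, one line per chart view:
    'YYYY-MM-DD user view MRN'.

    nurse01: 4-6 distinct records a day for 14 days, then 40 on the last day.
    clerk02: exactly 3 a day (zero-variance baseline), then 9 on the last day.
    new03:   only two days of history before a 30-record day.
    """
    lines = []
    start = date(2017, 10, 2)
    for k in range(14):
        day = (start + timedelta(days=k)).isoformat()
        for i in range(4 + k % 3):
            lines.append(f"{day} nurse01 view MRN{1000 + 10 * k + i}")
        # Re-opening the same chart twice must not count as two records.
        lines.append(f"{day} nurse01 view MRN{1000 + 10 * k}")
        for i in range(3):
            lines.append(f"{day} clerk02 view MRN{2000 + 10 * k + i}")
    for k, n in ((12, 2), (13, 2)):
        day = (start + timedelta(days=k)).isoformat()
        lines += [f"{day} new03 view MRN{5000 + 10 * k + i}" for i in range(n)]
    last = (start + timedelta(days=14)).isoformat()  # 2017-10-16
    lines += [f"{last} nurse01 view MRN{3000 + i}" for i in range(40)]
    lines += [f"{last} clerk02 view MRN{4000 + i}" for i in range(9)]
    lines += [f"{last} new03 view MRN{6000 + i}" for i in range(30)]
    return lines


def daily_distinct_counts(lines: list[str]) -> dict[str, dict[str, int]]:
    """Parse log lines into {user: {YYYY-MM-DD: distinct records viewed}}.

    Distinct records, not raw views, is the measure: re-opening one chart
    ten times is not the same as pulling ten different patients' charts.
    Malformed lines are skipped rather than aborting the run.
    """
    seen: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        day, user, _action, record = parts
        seen[user][day].add(record)
    return {u: {d: len(r) for d, r in days.items()} for u, days in seen.items()}


def flag_spikes(counts, min_history=7, z=3.0, ratio=3.0):
    """Return (user, day, distinct_records, baseline_mean) for every day whose
    count exceeds mean + z*stdev of that user's PRIOR days and is also at
    least `ratio` times that mean.

    The ratio guard matters for a flat history (stdev == 0), where a z-score
    alone would flag any +1. Users with fewer than `min_history` prior days
    are not judged at all: there is no "normal" to compare against yet.
    """
    flags = []
    for user, per_day in counts.items():
        days = sorted(per_day)  # ISO dates sort chronologically
        for i in range(min_history, len(days)):
            history = [per_day[d] for d in days[:i]]
            mu, sigma = mean(history), pstdev(history)
            today = per_day[days[i]]
            if today > mu + z * sigma and today >= ratio * mu:
                flags.append((user, days[i], today, round(float(mu), 1)))
    return flags


if __name__ == "__main__":
    for user, day, n, base in flag_spikes(daily_distinct_counts(constructed_log())):
        print(f"FLAG {user} {day}: {n} distinct records vs baseline {base}/day")
```

In a real deployment the same logic would run over the SIEM's access feed rather than a constructed list, and the thresholds would be tuned per role, since a release-of-information clerk legitimately touches far more charts than a bedside nurse.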

While SIEM systems were broadly regarded as the go-to tool for threat monitoring and analysis, understanding, interpreting and acting on the data a SIEM generates remains an area CISOs struggle with.

“As you deploy tools, you will see more [incidents]. So, it may seem like you are doing worse, but really you are doing a better job. There are not necessarily more threats, but you are expanding the visibility across your network and identifying more threats,” commented Jeff Bontsas, Vice President and CISO, Ascension Information Services. Many are moving to playbooks and use cases to bolster and build out general threat intelligence.

Common challenges underlying threat monitoring identified by participants include:

  • Cost of threat intelligence investments vs. value
  • Scope
  • Use cases
  • Talent
  • Maturity
  • Intelligence

Needed: A Plan for Ransomware across the Entire Health Sector

CISOs probed each other for what their plans were in a ransomware situation. While the commonly accepted best practice is not to pay, CISOs around the table understood that the amount of money was trivial compared to an EMR system being taken down. One CISO had even researched an investment in bitcoin to have readily available if needed—“although the board shot down that option.”

This is an industry and sector issue, rather than an individual organizational issue and threat, argued Jim Veline, Senior Vice President and CIO of Avera Health. “Once one [organization] pays, we are all more likely to get attacked. It would be worthwhile to run this up the flagpole with our professional associations and generate a position paper that you do not pay. That gives cover and backstop to a CEO and board when faced with a difficult decision. Right now there may be FBI advice, but formal positions are lacking in the relevant professional groups we all participate in.” This suggestion was met with broad agreement from participants around the Summit table, who agreed to have follow-up discussions regarding how to best raise the issue through targeted professional organizations.

Reporting Business Risk: The “So What?” of Metrics

There was little consistency in the types of metrics—the key performance indicators (KPIs) and key risk indicators (KRIs)—reported up to management councils, board committees and executive boards. Summit discussions also pointed to little consistency on the frequency of reporting (some monthly, some quarterly, others annually—depending on the organization, and the body being reported to). However, there was broad agreement on the challenges of collecting actionable, instructive KPI/KRI data.

Shared challenges to developing good-quality, standardized KPIs/KRIs included the need to address these areas of variability: data availability; data consistency; data quality; and reporting thresholds.

When it comes to KPIs and KRIs, there is a lack of standards guiding the industry in this field. “Management made investments in security, and we need to show the value of that investment. But how do you best do that with today’s KPI and KRI metrics?” challenged Ascension’s Bontsas. “For example, we can show the increased number of attacks we blocked. Yet, it’s hard to talk about value when we talk about risk avoidance. Was it worth it? What did we avoid? Telling the story of what we avoided can be difficult.”

While the core concern voiced around the table was the overall lack of KPI/KRI standards guiding the cybersecurity field, the key issue that emerged was the actionable nature of metrics: the “so what?” factor.

There are many KPIs “that are important for operations people, but that are not meaningful in terms of making informed decisions about risk. There are also many that are more focused on justifying spend than on risk. The challenge we face is, what is most meaningful?” noted Fernando Blanco, CISO of CHRISTUS Health. “We regularly report on metrics like ‘we did patching X months ago and we hit X percent.’ If we are at 85% or even 95%, is that good or bad? That is what we have to ask as we are collecting metrics both for ourselves and for the purposes of reporting up and out. However, today we lack clear thresholds to make the numbers meaningful.” Summed up by Banner Health’s Kissinger: “Every metric has to answer the question ‘so what’ to be meaningful from a business-impact perspective.”

“When there is a significant new threat that emerges, at the end of the day the ‘so what’ metrics we need to know are: (a) how quickly can we frame the specific risk to our institution, (b) how exposed we are, and (c) how quickly we can react and get controls in place. These are the metrics that matter most from a business perspective, and we are working now to really shrink the time for that process,” said Emory University’s Sanford.

Common Cybersecurity Metrics Being Tracked

> Encryption

> Vulnerability Management

> Patching

> 2-factor authentication

> Phishing

> Training

> Risk assessment

> CAPs (Corrective Action Plan)

> Old/Outdated legacy systems (cannot be patched)

> Identity & Access Management/Privilege Access Management

> Incidents

> SLA (Service Level Agreements)

> SOC (Security Operations Center)

Key Takeaway: A key action-item from the discussion was to ensure that, no matter what metric was being tracked, it tied back to business risk so that its value could be better understood in the broader context of business impacts. “My metrics today are not all explicitly tied to business risk, but that is what I am going to go back and do,” reported Randy Thompson, MD, CMIO and Interim CIO, Billings Clinic, to the team.

Threats, Risks and Metrics: CISO Insider Insights/Tips From The Trenches

> Collaborate with outside parties/external auditors: “We do both internal and external risk assessments. We have internal auditors that check for risk/cyber risk. Then we hire and have high-tech security firms audit so we have a different set of eyes every year.” (Brenda Williams, Mosaic Life Care)

> Outsourcing and hybrid models: “Our small team couldn’t move at the pace the business needed, so it made sense to outsource rather than hire in. The funnel was too small internally to send all the third-party risk assessments through.” (Lenny Levy, Spectrum Health) Thien Lam, CISO of BayCare Health System, demonstrated the value of outsourced threat detection to senior management in real time. While everyone was convened, he had his team run a ransomware exercise that locked up select machines. His phone rang within 15 minutes, with his vendor reporting the event. “I showed them exactly how fast we can know and react,” Lam reported. Buy-in was achieved on the spot.

> Establishing metrics silos: “We were having difficulty with consistent apples-to-apples metrics. For example, in our vulnerability scanning, in some areas we get comprehensive information on our credentialed scans, and for others (non-credentialed) we get just basic information. These were originally all lumped together in a risk score, but now we are working to silo them out to keep metrics for groups we get full scans on vs. metrics for groups we get partial scans.” (Brad Sanford, Emory University)

> Weighted metrics: Though all metrics may be relevant, not all are equal across business threats. “We have metrics around general cybersecurity hygiene health, and then specific metrics that support measurement of executive level cybersecurity risks of interest to our Audit Committee and executives.” (Erik Decker, University of Chicago Medicine)

> Know your audience: “Be sure to know your audience when reporting out metrics. IT boards and councils are different from senior management, which are different from executive boards. Each is after different information.” (Ken Lawonn, CIO of Sharp HealthCare)

“Keep Us Out of the Papers”—Reporting Metrics and Maturity to Boards

“We don’t get a lot of guidance and direction from the board in terms of what they want to see,” reported one participant, with many heads nodding in agreement.

At Ascension, Bontsas noted, “Board members want the assessment on a scale from 1-10, but the scale keeps changing. Now we may be at a 7, but as soon as we climb to 9, we fall back to 7 as cyber threats continue to evolve and the scale to measure them against changes so quickly. Whatever I report out will change, quickly.” Board members tend to have one key top-level concern, he noted: showing up in the newspapers because of a security event. More heads nodded vigorously in agreement from shared experience.

“We can’t say definitively that this event won’t happen, but we do show what we are doing to prevent that event by focusing on the right things. We report on why we believe we are following the right strategy, and taking the right steps. We show our progress as the threat landscape changes. The board wants a 1-10 measure of assurance, but at the end of the day that is subjective,” Bontsas said.

Tip: Take Advantage of News Headlines to Educate. Bontsas takes advantage of board members’ interest in news headlines about breaches by using that curiosity—and concern—to educate them. “At most board meetings, I have five to ten minutes to address what I want to talk about, and the rest is questions about what they’ve seen in the headlines [or] read in the Wall Street Journal, and how those threats may impact our organization.” This speaks to an education gap. “I now regard that Q&A as an important educational opportunity. Ultimately, I believe it will build much more value with our board in the future when we discuss how our strategy and controls will help protect our organization against the threats, risks and breaches experienced by other organizations and governments.” Spectrum Health’s Lenny Levy added, “Sharing tangible examples of threats detected and mitigated goes a lot further than metrics in resonating with leadership and boards.”

The Challenge of “Subjective-Objective” Cyber Maturity Levels

While CISOs are regularly asked to assess and weight their cybersecurity maturity levels for their boards or management councils, there are many limitations of maturity assessments—which were broadly regarded around the table as helpful, but ultimately subjective.

Kissinger explained how Banner Health tackled that issue: “For each category in our maturity framework, we’ve established for ourselves internally that ‘to be a 5 means this’, and ‘to be a 3 it’s this.’ This is a subjective-objective rating, but we think it’s valuable. It shows where we were, where we are today, and where we want to be. I show that I want to move from here to here. This helps us with audit committee and board level discussions.”

Tip: Build a Dollar Investment/Dollar Value Model to Guide Spending and Funding Determinations: To complement its maturity framework, Spectrum Health created a framework to show the direct dollar value of its cybersecurity initiatives, and to guide future investments. “To better ‘sell’ the cybersecurity programs up through our board, we created a framework to illustrate where we are now, what we are targeting and the dollar impact. We worked with actuarial teams from our health-insurer arm to do the calculating to show business risk, business disruption, direct dollar costs, soft costs and reputational risks. We broke those out,” explained Levy. “We built a model to show that as we went from 2 to 3 to 4 to 5 on the maturity scale, we could show how that impacts the curve. For example, if we fund at X level to Y level, we could show investment and benefits. Of course there were many assumptions built in that were well-documented, but with this model we could overlap maturity ratings on a scale and show where we were, where we wanted to go, how much to get there. We could also show spends and the predicted value of the spend.”

Lengthy questions followed, given the tremendous interest in Spectrum’s model, which Levy has offered to make available (in a desensitized format) to Summit participants and Scottsdale Institute members. CISOs around the table voiced the same desire to get a better handle on not only what an “appropriate” spend is, but how it changes depending on levels of maturity, and how an individual organization spends compared to currently unknown industry benchmarks. While bigger health systems may spend more on cybersecurity than a smaller one spends on total IT, the ratio of spends across maturity levels—and across capital expenditures vs. operating expenditures—is a valuable benchmark to the CISO community.

Tip: Refer to the Gartner Graph (Gartner Best Practices for Moving Up the Information Security Maturity Curve) to see a benchmark graphic of levels of spend to get to different levels of maturity.

“From this we could develop and create guideposts more specific to the healthcare sector. This graph that represents the security investments across industries in terms of percent of IT spends and levels of maturity is a good start,” said Jim Veline, senior vice president and CIO at Avera.

External Consultants and Peer Comparisons in the Maturity Assessment Process

“When it comes to maturity level, we show our board where we are, where industry is, and how and where we are aiming to grow. We report maturity level progress,” said CHRISTUS Health’s Blanco, offering a tip that has helped him drive the credibility of his team’s maturity assessments: “We now hire an independent organization to do the assessment. After all,” Fernando joked, “if I assess myself, I am thinner and taller, so a third-party provides an independent perspective to the board.” Many others in the room reported that their organizations were also employing third parties for purposes of objectivity and for an additional layer of credibility to the board on the results.

“We measure ourselves and measure ourselves again, against the same maturity criteria. This works well comparing against ourselves, but comparing to other organizations is where it all falls apart. There is no benchmark to compare to each other, it is subjective even with tools like the Cybersecurity Framework,” lamented University of Chicago Medicine’s Decker, to broad agreement. Banner Health’s Kissinger agreed that peer comparisons were much needed, but woefully lacking. “It would better help us to know how we compare with one another. We and our boards want to know what we are like compared to our peers in the health sector, and in other industries.”

Yet, there is also potential downside in comparing across sectors, cautioned Avera’s Veline. “We are being held to the same standard as banks. Unfairly. Yet, we in the room are unique because our number one business is patient care. While we could look to banking for benchmarking and maturity comparisons, we have to remember that banks aren’t buying robotic surgery devices or infusion sets.”

Billings Clinic’s Thompson drove home shared concerns about the helpfulness of cross-industry comparisons by reminding fellow CISOs about the task their organizations are all focused on at the end of the day: patient care. There are unique challenges in pitting cybersecurity against patient care when it comes to the allocation of dollars and resources at health systems, he opined. “When you pull money away from patient care to put money into a risk that may or may not happen, who wins? Until the system goes down, that is not always clear to leadership—even when we aim to make the business risks and our security impacts clear. Every FTE that I hire or resource that I request is personnel and dollars not going to patient care. So it’s a challenge and balance.”

Challenge and Balance Of Cybersecurity and IT Alignment

The challenge and balance raised by Thompson also applies to alignment of the cybersecurity function within organization structure and governance. With the increasing visibility of the cybersecurity function and its influence on business risk and impact, many sectors with the same level of complexity of healthcare have moved the cybersecurity function outside of IT. “With large regulated sectors like banking and aerospace, we’ve seen the security function organized more independently than it is in healthcare. Security has its own budget, leadership role and direct feed to the CEO or board. We don’t have that in the healthcare space today, and it’s a notable difference,” noted Bruce Daly, Deloitte’s healthcare digital technology risk leader who co-moderated the Summit. “How many have a security function that has a direct line to the board that could bypass the CIO?” Daly asked. No one responded in the affirmative. This generated a discussion about how to best align cybersecurity and where it could move to in the future.

“We contemplated moving cybersecurity into other places—like reporting to the general counsel or CEO. We ultimately decided that staying under the CIO organization was most helpful in the environment of today, where we need to change many technology elements to bring cybersecurity measures onboard. Once we mature, we can contemplate moving it somewhere else, but for now it is more effective where it is under the CIO,” noted Spectrum Health’s Levy.

Banner Health’s Kissinger said the challenges of appropriate alignment spoke to the “[cybersecurity] row against the [risk] columns.” It is the entire organization “that ultimately owns security and cyber-risk challenges, you need deep teaming with IT to be effective today. So embedding with IT is key.” Avera’s Jim Hanson summed up the discussion by noting that cybersecurity “belongs with the executive that is most effective in moving it forward. We could function in several areas, so the issue is not about ‘where.’ If the executive in charge doesn’t have a sense of the function, then it doesn’t matter where or how we align in organizational governance.”

Better Communications of Business Impact = Earlier Seat at the M&A Table

One of the positive outcomes of better linking cybersecurity to business impact is that it has opened doors for earlier engagement in a key business area notorious for introducing some of the most significant risks and causing the most painful cybersecurity headaches: M&A activity.

“We are noticing nationally a slight but discernible uptick in bringing in security and privacy functions into due diligence for M&A activity,” shared Deloitte’s Daly. Reaction was quick, with many noting there’s much room for growth. Even for those CISOs who are invited to the discussions earlier in the process, many are not convinced that their inputs are carrying weight in decisions.

“I ask a set list of questions I like to ask early and often when it comes to M&A activities,” said Banner Health’s Kissinger. “At the end of the day, I may not have much influence on a deal even if it is introducing considerable new risks. But at the very least, we are looking for pathways to more visibility in what we are inheriting, so we can get ahead of it and start planning on what we need to remediate.”

Mosaic Life Care is “bringing in security and risk teams earlier now, including review of contracts. We are getting ahead of things rather than mitigating the risk after the contract has been signed,” said Brenda Williams, Vice President Technology Services, Mosaic Life Care. “We have introduced it for vendors and we are putting some due diligence in place for acquisitions.”

“We are involved before the ink is set. But our access to it is small. We can only ask minimal things. Leadership doesn’t want to scare a potential partner with a 300-page questionnaire,” one participant shared.

Many opined that even if a review earlier in the process identified clear risk, that likely wouldn’t be enough of a red flag to slow down or stop a deal that served other business needs of the company. Often, being at the M&A table was more informative than influential. Deloitte’s Daly, however, conveyed a real-world instance when cybersecurity assessments made as part of the diligence process brought real value to an M&A deal he had worked on. “The prospective buyer got a better deal because they had identified some of the core vulnerabilities and risks of the organization they were looking to acquire, and they had calculated remuneration estimates to bring that organization’s systems up to speed. They were able to factor this in to an adjusted price. In this way, for smaller-scale acquisitions, early collaboration in the diligence process with security or IT functions can really pay off.”

Driving Third-Party Accountability: Vendor Management and Vendor Risks

Similar to the security concerns that M&A introduces are the risks and challenges associated with vendors. Many at the Summit expressed frustration working with vendors who made them feel like they were the “only ones” asking for certain provisions and protections. Many CISOs are also pulling together and standardizing risks and metrics specific to vendors.

Tip: Generate a heat map. “We can’t fully assess every vendor, but we can generate heat maps with a procurement system or accounts payable overlay,” said Emory’s Sanford. CISO teams can take a risk-phased approach with that heat map and focus on the highest-risk vendors.

Call to Action: Bontsas led a call to action: “As an industry, let’s start choosing only those vendors willing to secure their products.” Such lists can be compiled organization by organization or, preferably, created by associations that can share them across the healthcare sector. The National Health Information Sharing & Analysis Center (NH-ISAC) and the Medical Device Innovation, Safety and Security Consortium (MDISS) were discussed as good go-to groups to develop such a list. MDISS, it was noted, maintains a large repository of devices and their vulnerability issues, which it shares with members.

To get a better handle on risks posed by vendors, many CISOs are pulling together metrics specific to this area and collecting:

> Percent of critical third parties who have not been risk-assessed

> Percent of vendors who have had security incidents since the last reporting period

> Percent with high residual risk

> Percent of third-party system accounts that have not been certified in the last 6 months

> Percent of vendors with high-risk findings

> Percent of vendor X that have not been certified

Securing Medical Devices with Stronger Vendor Contracts, Micro-Segmentation

Many of the vendor headaches above spill over to medical devices as well, which is already an area of particular concern and risk as it relates to cybersecurity.

“For years we were told by manufacturers that, because the medical devices were FDA approved, we couldn’t make any changes or they had to be recertified by FDA. So the relationship with our vendors was tense. We would scan the network, but not these devices. Or similarly, manufacturers would tell us that we could patch devices, but ‘if you break something, don’t come back to us because it is not the way we configure it. If you patch it, it’s your problem,’” recounted CHRISTUS Health’s Blanco. The FDA has recently made it clear that hospital systems could patch devices and address security aspects, he said, referencing the 2016 “Postmarket Management of Cybersecurity in Medical Devices” guidance to industry from FDA. This led to an around-the-table sharing of other positive experiences leaning on the FDA in related instances, but also to the shared grievances of government punishing businesses for being victimized by cybercrime—which can happen even to the most robust and mature cybersecurity operations.

Call To Action: Consistent Language Across Contracts. Blanco reported he has been in touch with Mayo Clinic’s CISO, who shared the language it uses in its contracts to hold vendors accountable to the 2016 FDA guidance. “If we all incorporate the language in contracts, we have more power together.”

Tips from the trenches/CISO Insider Insights:

Micro-segmentation: Banner Health has been moving to micro-segmentation to secure devices, reported Kissinger. “A lot of security technologies in our server just don’t work in clinical devices. So we are doing segmentation and micro-segmentation. Some clinical devices are on their own network, and then infusion pumps, for example, are on their own sub-network segment so that issues can’t move laterally across groups of devices.”

Separate long-term from short-term: BayCare’s Lam noted that as part of his risk planning, he looked at short-term vs. long-term medical device concerns. “We did risk planning to assess what would happen to these medical devices if we had to take down our network. Believe it or not, 90% of the devices we were most concerned about would still function. We identified the few that need to stay on the network, and those that would be okay if the network was down. That helped us establish long-term and short-term protection for our medical devices.”

Overlay patient risk with cyber risk: CHRISTUS Health is similarly segmenting medical devices by risk, but counseled CISOs not to start with standard patient-safety methodology: “Our first priority when we started this process was infusion pumps and pacemakers, because if these get compromised it has a direct, dangerous impact on patients. What we learned, however, is that these were not the most risky from a cyber point of view. Many did not have wireless capability or were not connected to the network. So these are low-risk from a cyber perspective. We realized we needed to combine patient risk with cyber risk. Now we are reclassifying this risk overlay and identifying new priority devices. We lost a few months on the final deployment based on this risk identification and selection, but now we know how best to deploy,” said Blanco. “I hope I can save you a few months with this advice: don’t start with standard patient-safety methodology, these were not the most high-risk devices in our current inventory.”

Align clinical engineering teams within cybersecurity governance: “We have folks installing medical devices on our network who have no IT experience let alone cybersecurity experience. This has been an ongoing challenge that I’m looking to find ways to fix,” lamented Christie Polley, System Director, IS Information Security, Eastern Maine Healthcare Systems, noting, “Our supply chain currently handles clinical engineering, with little or no visibility on the IT side.” Ascension’s Bontsas concurred that with device installation, engineering teams often leave ports and services open and running that are not necessary. “We need to get in front of the implementation so we can have them shut off ports and services that are not needed.” BayCare’s Lam counseled, “This is something we changed. Clinical engineering now reports to IS and the same CIO. This works really well.” Spectrum’s Levy added, “We will pull help desk or clinical engineering teams and do exercises together in IT to build relationships so that we can speed coordination in a real-time incident.”

Get manufacturers involved: “Over the long term, we have to get the manufacturers on board to work with us,” said Lam, with much agreement from the table. The need for more manufacturer cooperation, particularly for patches for “end of life” devices and equipment, was emphasized. While the enhanced contract language referenced above will help moving forward to hold manufacturers accountable for updates and patches, participants recognized the near-term challenge is the legacy systems in place that have no contract terms to make vendors more accountable.

Work together on standard demands: “We regularly get push back from vendors when they say we are the ‘only ones’ asking for certain protective measures and contract terms. We need the ability to reach out to others so that we can standardize our demands and ‘asks’,” said BayCare’s Lam. Summit participants also planned, as follow-up, to build a better mutual understanding regarding how and when CISOs are reaching out to the FDA.
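The patient-risk/cyber-risk overlay Blanco describes above can be made concrete as a scoring exercise. The following script is an added illustration, not code from the Summit report or any of the organizations named; the 1-to-5 scales, the exposure rules and the device inventory are all constructed for the example.

```python
"""Overlay patient-safety impact with cyber exposure to prioritize medical devices.

Added example (not from the Summit report). Scoring scales and the inventory
below are constructed assumptions for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Device:
    name: str
    device_class: str       # used to propose per-class micro-segments
    patient_impact: int     # 1 (nuisance) .. 5 (direct danger to the patient)
    networked: bool         # has any network connection at all
    wireless: bool          # reachable over Wi-Fi / radio
    remote_access: bool     # vendor or remote-support access enabled
    patchable: bool         # vendor supplies security patches


def cyber_exposure(d: Device) -> int:
    """Assumed 1..5 scale. A device with no network or radio path can only be
    reached physically, so it scores the minimum regardless of patient impact."""
    if not d.networked and not d.wireless:
        return 1
    score = 2                       # baseline for any network-reachable device
    if d.wireless:
        score += 1                  # reachable without a wired port
    if d.remote_access:
        score += 1                  # an external path into the device
    if not d.patchable:
        score += 1                  # known weaknesses cannot be fixed
    return min(score, 5)


def combined_risk(d: Device) -> int:
    """Patient impact multiplied by cyber exposure (1..25)."""
    return d.patient_impact * cyber_exposure(d)


def patient_safety_order(devices: List[Device]) -> List[Device]:
    """The 'standard patient-safety methodology' starting point: impact only."""
    return sorted(devices, key=lambda d: (-d.patient_impact, d.name))


def prioritize(devices: List[Device]) -> List[Device]:
    """The overlay: highest combined risk first, ties broken by name."""
    return sorted(devices, key=lambda d: (-combined_risk(d), d.name))


def proposed_segments(devices: List[Device], min_exposure: int = 2) -> Dict[str, List[str]]:
    """Group network-reachable devices by class, one candidate sub-segment per
    class, so that an issue in one group cannot move laterally to another."""
    segments: Dict[str, List[str]] = {}
    for d in devices:
        if cyber_exposure(d) >= min_exposure:
            segments.setdefault(d.device_class, []).append(d.name)
    return segments


# Constructed inventory: high patient impact does not imply high cyber exposure.
INVENTORY = [
    Device("Pacemaker programmer", "cardiac", 5, False, False, False, False),
    Device("Ventilator", "respiratory", 5, False, False, False, False),
    Device("Infusion pump", "infusion", 5, True, True, False, False),
    Device("Patient monitor", "monitoring", 4, True, True, True, True),
    Device("Radiology workstation", "imaging", 3, True, False, True, True),
    Device("Lab analyzer", "lab", 2, True, False, True, False),
]

if __name__ == "__main__":
    print("Patient-safety order:", [d.name for d in patient_safety_order(INVENTORY)])
    print("Overlay order:       ", [d.name for d in prioritize(INVENTORY)])
    for d in prioritize(INVENTORY):
        print(f"  {d.name:22s} impact={d.patient_impact} exposure={cyber_exposure(d)} "
              f"risk={combined_risk(d)}")
    print("Proposed segments:", proposed_segments(INVENTORY))
```

Running it shows the pacemaker programmer and ventilator at the top of the patient-safety list but near the bottom of the overlay, while the wireless, unpatchable infusion pump leads the overlay and gets its own proposed segment.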

Cybersecurity Training: It is Everyone’s Business to Protect the Business

Ultimately, it is everybody’s business to protect the business from cybersecurity risks—which spills over to the need for training staff across the organization. Yet, participation in and compliance with training is a frustration shared across CISOs at the Summit. Discussion focused both on the “carrot” and the “stick”—on how CISOs were attempting to make it easier for providers and health system staff to complete training, and how discipline and sanctions were being put in place for those who were non-compliant.

Tips from the trenches/CISO Insider Insights:

Provide context: “We made a two-minute video explaining to new hires the importance of cybersecurity and their role in it. Then they have a mandatory training module to complete online within 15 days of onboarding, but at least with the video they now have the proper context and motivation to complete the training.” (Fernando Blanco, CHRISTUS Health)

Make it real: “Members of my team and I started personally going to senior staff meetings and getting on agendas each quarter. We talk briefly about threats and risks and provide tips. We made cybersecurity more real and personal rather than something that simply emanates from corporate. We’ve gotten great feedback about that.” (Bryan Kissinger, Banner Health)

Set a consistent calendar of training expectations: “We launch interactive educational modules a minimum of four times a year, along with our bi-monthly reminder communications. We struggled at first with pushback on that frequency, but we have taken a stand.” (Christie Polley, EMHS)

Enable, rather than only restrict: “We have tools that we have certified for employees to use, for example, the file-sharing tool box. That way, we weren’t just putting out restrictions to tools like Dropbox and Google Drive, we were also providing an alternative.” (Brad Sanford, Emory University)

Align training to safer computers at home: “Our biggest successes in terms of staff engagement come not from a ‘how to be secure at work’ approach, but from training and communications focused on how to be more secure online at home. People were very motivated when it came to their home computers and emails, and we realized we could offer advice there that can then bleed back over into work.” (Lenny Levy, Spectrum Health)

Be prepared for paradoxes: “We did some internal testing, and what we learned showed a training paradox. Our healthcare division performed much worse in phishing tests but had a nearly 100% completion rate in training; our university staff performed better on the phishing tests, but were much less compliant in training.” (Brad Sanford, Emory University)

With regard to how to discipline or sanction a provider who is adding benefit to the organization from a patient-care perspective, but who hasn’t been compliant with training, CISOs have taken a variety of approaches. Some have made noncompliant providers ineligible for a pay raise. Others reported they have in fact terminated people based on long-term noncompliance. One creative solution being considered is a quarterly report, entered into board minutes, that lists all employees who have completed cybersecurity trainings…and all who have not. The thinking underlying this approach: being named on a noncompliance list will be frightening to providers, and that alone could be motivation to complete training. At the end of the day, CISOs agreed, sanctions and discipline must be set as part of an organizational culture discussion, and must have the buy-in of leadership.

Conclusion: The Tail Will Wag the Dog

Even with its challenges and frustrations, CISOs have come a long way for a role that barely existed in healthcare organizations a decade ago. With the realization that security breaches can derail profits, damage reputations and ultimately hurt patient care, health systems are now moving toward enterprise risk management (ERM). CISOs are well poised to play an active role in that evolution, and in many ways, can be the proverbial tail that wags the dog when it comes to understanding, assessing and managing risks and threats across an organization. After all, that has been a focus we have been pushing up and out on the cyber front for years. With the evolution to ERM, the imperative to understand and articulate risks/threats within the context of business impacts will only increase.

Indeed, our current role as a “row within columns” may in fact be the jumping-off point as we guide health systems through ERM adoption over the next five to 10 years. Our experiences, challenges and frustrations today may in fact be the fodder that guarantees us a seat at the table tomorrow.

Three Myths About Cyber Insurance – Healthcare Informatics


The drumbeat of cyberattacks grew louder in 2017. The number of U.S. data breach incidents in 2017 hit a new record high of 1,579, according to the Identity Theft Resource Center (ITRC) and CyberScout, a 44.7-percent increase over 2016. And the capper to that record-breaking year was undoubtedly the September announcement by Equifax, a credit reporting agency, that more than 145 million records had been compromised.

Of the five industry sectors that ITRC tracks, the business category topped the list for the third year in a row with 55 percent of the total number of breaches, while the medical/healthcare industry followed in second place with 23.7 percent. Yet most businesses don’t carry cyber insurance. According to The Council of Insurance Agents & Brokers (CIAB), about 31 percent of respondents’ clients purchased some form of cyber liability and/or data breach coverage in the last six months of 2017, compared to 32 percent in its May 2017 survey, and 29 percent in October 2016.

Given the escalating number of attacks and increasing financial costs (the average cost of a data breach in the U.S. in 2016 increased to $7 million, according to the Ponemon Institute), the rate of cyber insurance adoption is somewhat surprising. We believe there are three myths about cyber insurance that are keeping more businesses from adding these policies.

Myth #1: We don’t need cyber insurance

Business leaders at large companies may have a false sense of security because they employ smart people and devote significant resources to security measures such as firewalls and encryption, or they incorrectly believe that they are not liable for data handled by a third-party company or stored in the cloud. But what they often fail to take into account is that cyber criminals also have significant resources and are focused day-in and day-out on finding any crack in a company’s armor.


Meanwhile, small- and medium-sized businesses (SMBs) are often under the very wrong assumption that they are too small to be targets. A survey by Nationwide found that a majority of SMBs (57 percent) do not have a dedicated employee or vendor monitoring cyberattacks, and another 34 percent do not believe they will be the target of an attack.

But, in reality, half of all SMBs in the U.S. experienced a data breach in 2016, and 55 percent experienced a cyberattack, according to the Ponemon Institute. In the aftermath of an incident, SMBs spent an average of $879,582 due to damage or theft of IT assets, based on extrapolated calculations. In addition, disruption to normal operations cost an average of $955,429.

Despite the severe financial consequences, many SMBs do not have the budget and in-house expertise to protect their systems and networks against potential threats. Only 14 percent of small companies rated their ability to mitigate cyber risks, vulnerabilities and attacks as highly effective, according to Ponemon.

Myth #2: We already have coverage

Another major reason that companies choose not to investigate cyber insurance is that they believe they are already covered under the general liability policy, and they are often unclear about stand-alone cyber insurance options.

According to the Insurance Information Institute, most traditional commercial general liability policies do not cover cyber risks, such as property damage, personal and advertising injury claims arising from access or disclosure of confidential information. Since traditional insurance policies do not cover these risks, insurers have developed policies to bridge the gaps. Typical cyber-related coverages can include:

Data breach response and liability: Covers the expenses and legal liability that arise from a data breach.

Computer attack: Covers damage to data and systems caused by a computer attack, such as a virus or other malware attack or denial-of-service attack.

Network security liability: Provides defense and liability coverage for third-party lawsuits alleging damage due to the insured inadequately securing its computer system.

Media liability: Covers defense costs and damages for claims asserting copyright infringement and negligent publication of media while publishing content online and via social media channels.

Funds transfer fraud: Covers losses from the transfer of funds as a result of fraudulent instructions from a person purporting to be a vendor, client or authorized employee.

Cyber extortion: Covers the “settlement” of an extortion threat against a company’s network, as well as the cost of hiring a security firm to track down and negotiate with blackmailers.

Myth #3: Coverage is not affordable

Another myth surrounding cyber insurance is that it’s not affordable. According to The Insurance Information Institute, premiums can range from a few thousand dollars for base coverage for small businesses (less than $10 million in revenue) to several hundred thousand dollars for major corporations looking for comprehensive coverage.

As part of the application process, some insurers offer an online and/or on-site security assessment free of charge regardless of whether the applicant purchases the coverage. This assessment is critical since cyber insurance is hardly a one-size-fits-all type of coverage. Different industry sectors represent different levels of exposure. For example, a small convenience store is a relatively low hazard compared to a medical doctor’s office. In addition to a simplified limit and deductible structure, different credits may apply if certain security procedures are in place, such as employee training.

Ironically, given the concern about price, it should be noted that cyber insurance prices have actually been declining. According to the CIAB, 62 percent of respondents said premium prices generally decreased over the last six months of 2017. And, according to Marsh, U.S. cyber insurance rates decreased 1.1 percent, on average, in the third quarter of 2017, the third straight quarter of decline.

Cybersecurity risks can seem very intangible, especially compared to risks such as fire, flood and bodily injury, but thousands of companies have already found that these risks can suddenly become all too real. Given the pace of cyberattacks and their financial repercussions, businesses of all sizes should ignore the myths around cybersecurity and seriously consider adding this coverage to protect operations.

Daniel Casey is president and CEO of Peoples United Insurance Agency, one of the largest regional brokers in the Northeast with over 160 professionals and $400 million in premiums.

VC Fisher: Better policing, sustainability, shared services – UC Berkeley

Campus efforts to address everything from policing to the delivery of goods and services to academic units to recycling to inclusivity were part of the latest Campus Conversations, held Thursday at Alumni House with Marc Fisher, vice chancellor for administration. The noon talk was the third in a series connecting the campus community with UC Berkeley leaders.

New to campus last September, Fisher leads a division of more than 1,800 staff members who span human resources, information technology, facilities management, Campus Shared Services, the UC Police Department and other critical functions that support Berkeley’s academic and research mission. He also is partnering with the chancellor and executive vice chancellor and provost to improve the campus’s organizational culture, particularly its commitment to diversity.

Fisher, who has worked for 22 years in the UC system and most recently was vice chancellor for administrative services at UC Santa Barbara, said he remains struck by the “brilliant” staff, faculty and students on the Berkeley campus and that he is honored to be engaged with their “thoughtful, challenging questions. This level of thought is refreshing and interesting to me.”

“The resources (at Berkeley) are challenging,” he added, “but what we have here is adequate to do a great job.”

Answering a series of wide-ranging questions, Fisher first addressed campus policing. It’s a hot topic in his portfolio, especially after the protests last September — right after Fisher had arrived on campus — that erupted around a planned appearance by right-wing commentator Milo Yiannopoulos.


Fisher says a new body, the UCPD Community Advisory Board, has been proposed by UC Police Chief Margo Bennett to advise her on how campus police can reflect shared community values as they keep UC Berkeley safe. The board would grow to include faculty, staff and students.

“Police officers should be proud of what they do to keep us safe, but also be mindful they’re in a community, and that we need policing efforts appropriate and tailored well to that community,” said Fisher. Not everyone arrives on campus having had the same experiences with police, he added, so it’s important for UCPD officers to recognize they’re working in a diverse environment where perceptions of their presence will be varied.

Fisher says he also encouraged the UCPD upon his arrival last fall to increase the number of student-employees in its CSO (community service officer) program. Today, CSO has grown from 19 students last fall to 57. CSO student-officers operate the BearWALK night safety escort service for students, faculty and staff and also are a presence in residence halls and libraries.

“It’s a great way to police the campus. They carry no weapons, tend to be well-received by the student population and can do a lot of good,” Fisher said, adding that in a recent incident, “having a CSO in the building helped resolve the case much quicker than it would have otherwise.”

The increased number of CSO officers will also mean reduced wait times for their services and the reinstatement of the Hill Patrol fire mitigation program, which began in 1991 as a response to the Oakland Hills firestorm.

Fisher also said campus efforts led by the Office of Sustainability are continuing to progress toward the UC system goal of zero waste by 2020 and carbon neutrality by 2025. He described one effort underway — placing Big Belly bins outside campus buildings so that people can sort their waste into recycling, composting and landfill. About 20 bins have been distributed around campus, and 40 more will be added in 2018. Inside buildings, bins for composting and deskside recycling will be gradually added by 2020.

Fisher added that “huge progress” is being made to upgrade the physical condition of the campus, and that UC Berkeley’s “front door is the most important thing. We need to change that first impression people have here. We need to look at deferred maintenance and do little things to make an older building better.”

Fisher also talked about the campus’s commitment to how it delivers administrative support services to academic clients and how a new regional service delivery model will bring improvements. Schools and colleges will be grouped into six regions, not geographically, but by similar academic disciplines. Each of the eventual five academic and one administrative region will have a regional associate dean, a regional director and its own governance structure.

This regional model evolved from the Campus Shared Services model, which moved the services out of departments, and hopes to establish closer connections between service and the academic units.

“This will be a more integrative model,” said Fisher. “My aspiration is that this will happen quickly, but it will take longer. It’s critical to make it right. We’ll begin to see progress by June.”

Fisher emphasized several times during this talk that he is committed to staff, and to opportunities for them to seek pathways of opportunity to advance their careers in the University of California system. “It’s a big, rich organization filled with opportunities for everyone in this room,” he said, adding that he would be happy to speak with people individually about their career goals.

“Staff are very important to me. I feel hugely responsible for you to have a good experience here,” he said. “You should have fun coming to work. I enjoy coming to work.”

Fisher also encouraged any member of the campus community with ideas about how to improve the campus to email him at marcfisher@berkeley.edu.

“Start by emailing me,” he said. “I like to know what’s going on.”

The new technology that aspires to #DeleteFacebook for good – The Washington Post
