Medical Devices and Cybercrime: Are Patients at Risk?

Jeff Sanchez Scott Erven, AD Los AngelesBy Jeff Sanchez, Managing Director, Information Security and Privacy Practice

and Scott Erven, Associate Director, Healthcare IT Security Practice


Technology now allows doctors to connect remotely to an array of medical devices, from infusion pumps to CT scanners, improving both speed and quality of care. The miraculous Da Vinci surgical system has even opened the possibility of telesurgery, a process by which a surgeon in one country could perform even the most intricate of operations via a surgical robot.

Connectivity, however, also introduces new risks. What happens, for example, when cyberattackers, maliciously or as a byproduct of a separate attack, compromise patient safety and privacy?

It is a potentially catastrophic scenario, and healthcare organizations must take measures to avert such possibility before it happens.

Historically, medical devices have been viewed as standalone instruments rather than connected computers with software, which, essentially, is what they have become. Thus, it is understandable why medical entities haven’t applied the same security standards to medical devices as they have to other technologies.

Furthermore, medical professionals who use these devices – often from remote locations – are rarely provided with enough information or training to properly educate them about potential cyber risks.

The reality has shifted – the boundary between a medical device and a computer hooked up to a network is no longer clear. It is imperative for healthcare organizations to adjust to the new paradigm and take preventive steps now rather than later. Consider this:

  • More and more medical devices are connected to networks to deliver additional patient care options, but often without appropriate security controls.
  • These devices may have significant vulnerabilities, including hard-coded credentials and insecure communication protocols, which can result in the exposure of protected health information (PHI) and affect patient safety.
  • The FDA, FBI and Department of Homeland Security (DHS) have released multiple advisories on medical device security risks, and the FDA has published formal guidance on addressing the cybersecurity of medical devices.
  • The Office of Inspector General (OIG) at the Department of Health and Human Services has announced that it is including medical device security in its audits.

For many healthcare organizations, meeting regulatory requirements, such as HIPAA or Meaningful Use, has taken top priority – sometimes at the expense of allocating sufficient time and resources to address the risks posed by connected medical devices. But with cyberattacks and security incidents now regarded as common occurrences rather than exceptions, failure or delay to implement appropriate countermeasures is no longer acceptable. Indeed, leaders of healthcare organizations that haven’t prepared or responded to these emerging threats will find it difficult to explain their negligence should a medical device breach cause patient harm or violate patient privacy.

A small amount of preparation now can have a profound impact on ensuring patient safety and privacy. The first step is for an organization’s information security (IS) and biomedical teams to begin discussions to assess risks. It also is vital for key stakeholders – IS, legal, compliance and procurement – to understand what process improvements need to be made to limit the organization’s liability resulting from a medical device incident. Bridging the knowledge gap between these groups may require expert help.

Ultimately, healthcare organizations need to evaluate medical device security from a holistic, lifecycle perspective – from procurement, to implementation, maintenance and decommissioning. Such a comprehensive and proactive approach will not only help prevent the potential occurrence of cyberattacks, but minimize their damage when they do strike.

Is your organization at risk of a medical device cyberattack? Taking the precautions outlined here will not only protect the organization from negative repercussions, but also enable it to stay true to its commitment to patients and the first rule of medicine: Do no harm.

Inside Job: Internal Investigation for Non-investigators

Life would be a lot easier if people always behaved honestly and ethically. Nevertheless, anyone who has spent any significant amount of time in the corporate crucible can tell you that employee behavior often falls short of the ideal. Such is life.

Internal investigations — whether for financial fraud or some other type of legal, moral or ethical breach — are a workplace reality. Too often, however, those called upon to conduct these investigations are ill-prepared, having come into their positions based on technical knowledge and functional experience, with little or no background or experience in managing a crisis and/or conducting internal investigations.

The need to perform an internal investigation typically comes without warning. It’s not surprising then that most organizations are not able to produce on the spot experts who have the skill sets, tools and experience necessary to perform an internal investigation.

Rather, the staffing of an internal investigation unit is much more likely to consist of “battlefield promotions” — typically, some combination of internal audit, legal, IT and HR leadership.

Considering the risks, both financial and reputational, a little advance planning could mean the difference between an effective outcome and a disaster. Protiviti Managing Director Scott Moritz teamed with Director Peter Grupe to address this important issue in a free webinar last year, Internal Investigations for Non-Investigators.

The webinar streamed live on November 13, 2014 and is archived by date on the Webinars page of the Protiviti website. Scott is a former FBI special agent and global leader of our Investigations & Fraud Risk Management practice. Peter is a director in the Investigations & Fraud Risk Management practice and served 24 years in various executive management roles in the FBI’s largest white-collar crime branch, where, among other things, he managed the Bernard Madoff investigation. Clearly, these guys have been there, done that.

The live broadcast of their webinar drew a large audience and remains one of the most popular on our site. Here are some takeaways from this conversation — actions every organization should take now, before a crisis arises.

  1. Develop an investigation plan. A good plan provides guidance for defining the scope of an investigation, the chain of command, communication protocols, timelines, documentation, deliverables and investigative procedures.
  2. Lay the groundwork in advance. Data preservation is critical — from books and records to email and other electronic data, and includes the ability to recover deleted hard drive contents. Verify the integrity of archived data to ensure that retained records can be retrieved.
  3. Identify external resources. When things go wrong, they can go wrong in a hurry. If your investigation plan calls for retaining outside counsel, public relations consultants or investigative help, make sure those assets have been identified and that those resources can be “on the ground” quickly.
  4. Implement a case management system. When your reputation is on the line, you want to be sure you have your investigative infrastructure in place before you need it. You never want to find yourself building the bridge as you cross it.
  5. Learn from your mistakes. Leveraging the positive and negative results of prior investigations helps organizations compress the learning curve over time, improving investigative efficiency and effectiveness.

Do you have an investigation plan? The heat of battle is no place to be formulating policy. For more information, I highly recommend watching the full webinar. As I said, these guys are good!

Jim DeLoach

Setting the 2015 Audit Committee Agenda

What is top of mind for senior executives and directors this year? Regulatory changes and heightened regulatory scrutiny, succession challenges, economic conditions and cyber threats – this according to the latest Protiviti and North Carolina State University ERM Initiative’s survey, Executive Perspectives on Top Risks in 2015.

You can get a preview of the insights from the survey and more in the latest issue of The Bulletin, our electronic newsletter on corporate governance and risk management. The issue is chockfull of collective wisdom culled from the interactions of Protiviti’s professionals with client audit committees, roundtables we’ve conducted, and discussions with directors at conferences and other forums.

As part of an ongoing effort to help you find the signal amid the noise of a busy and information-rich world, we’ve distilled this information into 10 actionable steps we call The 2015 Mandate for Audit Committees. The first five items relate to enterprise, process and technology issues. The remaining items pertain to financial reporting.

Here, then, are our recommendations for setting the 2015 audit committee agenda:

Enterprise, Process and Technology Issues

  • Update the company’s risk profile to reflect changing conditions – Consider emerging risks and changes in existing risks and address the adequacy of risk management capabilities.
  • Oversee the capabilities of the finance organization and internal audit to ensure they can deliver to expectations – Capabilities should be continuously aligned with the company’s changing needs and expectations.
  • Pay attention to risk culture to address the risk of dysfunctional behavior undermining risk management and internal control – The tone at the top and in the middle affects risk management and internal control performance.
  • Understand how new technological developments and trends impact the company – Be mindful of the implications of technological innovations to security and privacy, financial reporting processes, and the viability of the company’s business model.
  • Assess committee efficacy – The committee’s composition, expertise and engagement should keep pace with the company’s changing business environment and risk profile.

Financial Reporting Issues

  • Pay attention to revenue recognition – The Financial Accounting Standards Board’s (FASB’s) new standard may affect financial reporting systems.
  • Determine the Public Company Accounting Oversight Board (PCAOB) impact on the audit approach – PCAOB inspections, standards and guidance have raised concerns regarding the adequacy of public company auditing processes and have led to changes.
  • Understand the impact of COSO’s updated Internal Control – Integrated Framework – The new framework has the potential to affect internal control reporting, internal audit activities and other areas.
  • Understand and evaluate management’s significant accounting estimates – Ensure an adequate focus on the financial reporting processes requiring the most judgment.
  • Stay current on audit reforms – An expanded report, auditor rotation and other measures are being considered in various countries.

I hope you find time to read the latest Bulletin in its entirety. These are interesting times. The new year is already off to an exciting start, and I can’t wait to see what challenges and triumphs await us all in the months ahead. I’m sure it will be interesting.


Executive Perspectives on Top Risks for 2015

Today, North Carolina State University’s ERM Initiative and Protiviti released the results of our third annual global survey of board members and C-level executives. Our survey assesses the extent to which a broad collection of risks are likely to affect organizations in 2015. We’ll be discussing the results here in greater detail over the coming weeks. For now, I want to share with you our short video along with our key results:

Among our key findings this year:

  • The global business environment in 2015 is perceived to be somewhat less risky for organizations than it was in the last two years.
  • Most organizations are more likely to invest additional resources towards risk management in 2015 compared to the past two years.
  • Regulatory change and heightened regulatory scrutiny is the top overall risk for the third consecutive year.
  • There are concerns about cyberthreats disrupting core operations.
  • Economic conditions are again a key risk area for organizations.
  • There is greater focus on succession challenges and the ability to attract and retain talent.

Infographic - 2015 Top Risks SurveyOur report, Executive Perspectives on Top Risks for 2015, as well as a podcast and video, are available at We also have published an informative infographic. In addition, on Thursday, February 12 (at 1:00 p.m. ET/10:00 a.m. PT), Protiviti and North Carolina State University will host a webinar to discuss the survey results and provide analysis as to how organizations can address these risk areas.

I again want to acknowledge our outstanding partners at North Carolina State University’s ERM Initiative: Dr. Mark Beasley, Dr. Bruce Branson and Professor Donald Pagach. It is a tremendous pleasure to work with them on this well-received project. I also want to thank the many individuals in Protiviti, including our Industry Leadership team, for their valuable contributions to this project.


A New Tool for Fast Times: Continuous Risk Assessment

Brian Christensen - Protiviti PHX 2012_Low ResBy Brian Christensen – Executive Vice President
Global Leader – Internal Audit and Financial Advisory Practice




Many internal audit functions work hard to complete one enterprisewide risk assessment each year and then plan, or hope, to rely on it for the next 12 months.

But what good is an annual audit plan that can become obsolete almost overnight by new risks we know are surfacing faster than the expected shelf life of the plan?

Richard Chambers, president and CEO of The Institute of Internal Auditors (IIA), in a recent article for Internal Auditor Magazine, called for the adoption of a new, continuous approach to risk assessment. I couldn’t agree more.

Audit plans need to evolve continuously, incorporating up-to-date information and assessments of potential risks as they emerge. There are several techniques that can be used to do this efficiently and effectively, but they must be embraced and practiced by the entire audit team. As Chambers emphasizes, a continuous risk assessment process can’t be executed by the CAE alone.

To adopt this new approach, Chambers recommends the following steps:

  • Identify key risk indicators (KRIs) – At the beginning of the year, identify KRIs and monitor them continuously, or at least periodically, throughout the year. KRIs can be linked to the results of the annual risk assessment or to risks that are known to be volatile. When anomalies appear in these KRIs, “red flags” should go up, triggering internal audit to evaluate whether risks are shifting and adjust coverage as needed.
  • Conduct “shoe-leather assessments” – This approach involves conducting risk assessment “by walking around.” As the name implies, auditors need to spend quality time with senior management leaders with the intent of learning about new risks as soon as management does. Though they may lack the structure of formal assessments, shoe-leather assessments can uncover vital new information that otherwise may skip detection. It’s imperative that the entire internal audit team develop relationships with all key executives – especially in large organizations with numerous business units – to ensure comprehensive coverage.
  • Establish a “bird’s-eye view” – Chambers recommends “setting your antenna as high as possible” to alert your organization as soon as possible about industry-wide changes, economic trends and other external factors. Practically speaking, this means, among other things, attending professional association meetings and seminars and keeping current with industry publications as some of the ways to see ahead of the curve.

Using these three approaches together best assures protecting the organization. And they work well with other key action steps recommended for CAEs in the most recent Common Body of Knowledge (CBOK) Study by The IIA Research Foundation. It echoes Chambers’s advice and urges organizations to develop a more responsive and flexible risk-based audit plan.

One way to help companies not just realize the importance of but fully embrace continuous assessment is to set new priorities and incentives for the audit team. In other words, make the identification of emerging issues a key performance responsibility for those who report to you directly.

CAEs are encouraged to discuss with executive management and the audit committee the need to make more frequent updates to the audit plan and establish a clear process to make changes to appropriately address emerging risks.

Businesses have improved their ability to manage risks and that’s great. Now it’s time for all of us to learn to do it faster.

Four Things to Know Before Your IPO

It is common sense than an uncertain global economy slows IPO activity, and yet, the IPO pipeline is at near-record levels.

In the U.S. market alone, there were more than 270 IPOs priced in 2014, up 23 percent from the prior year. And total proceeds raised reached more than $85 billion, an increase of 55 percent compared with 2013.

My colleague Steve Hobbs, managing director of Protiviti’s Public Company Transformation solution, says that 2014 was one of the strongest IPO years in the last decade, fueled by legislation such as the JOBS Act, which was enacted in 2012 to help ease regulatory burdens on emerging growth companies.

The IPO appeal is immense. But what companies don’t know about the process can drive an offering off the rails in a hurry. Last November, Protiviti held a nationwide webinar highlighting key challenges and offering tips to help companies avoid common missteps. Some highlights from the discussion:

Challenge #1 – Investor Relations: Many companies underestimate the amount and intensity of preparation required, especially regarding the growing demand for transparency from regulators and shareholders.

Just how much is required? For Barracuda Networks, provider of cloud-connected security and storage solutions, the time from IPO process launch to its first public call in January 2014 spanned eight months.

The journey to public company readiness involves a complex array of tasks, deadlines and focal points that require significant time, effort and attention throughout the organization.

Among the many tasks Barracuda tackled: scheduling organizational meetings to educate management on operational metrics; staging a “test-the-waters roadshow” to meet with prospective investors and obtain their feedback; and even holding a full mock earnings call with syndicated analysts to practice interacting with the investment community.

Challenge #2 – Tone at the Top: Setting the proper tone at the top to encourage “buy-in” is a top priority.

Public companies operate in a fishbowl of public disclosure and regulatory compliance. Finance, at the center of IPO preparations, is usually well-prepared by the end of the process, however, establishing a positive tone for compliance throughout the company is the job of executive management.

Another one of my colleagues, Gordon Tucker, managing director and leader of Protiviti’s Technology, Media and Communication Industry practice, recommends promoting compliance infrastructure not just as a system of controls, but as a tool for growth and scalability.

Challenge #3 – Documentation: Establishing documented policies and procedures is critical for expansion.

Beyond the initial buy-in, Tucker also emphasizes the importance of developing and documenting processes to ensure consistency and sustainability across the organization. If you want to be able to scale, new hires should be able to handle transactions according to well established and documented procedures.

Challenge #4 – IT Infrastructure: It is critical to properly assess the organization’s IT readiness.

An organization’s ability to conduct accurate, timely and effective financial reporting and regulatory compliance hinges on the strength of its applications and systems infrastructure. The topics that need to be addressed in this arena include selection and implementation of an ERP system and scaling of IT processes and governance. And during a time when cyberattacks routinely make headlines, it is imperative to evaluate IT security and privacy.

When Protiviti meets with pre-IPO companies’ executive teams, we ask the CFO:

  • Do you know what assets you are trying to secure?
  • Is there somebody in your organization who is responsible for securing the enterprise?
  • Would you know if you were breached? And if you were, would you be prepared to respond in a timely manner?

If the answer to any of those questions is ”No,” then it’s probably time to take a look at the IT systems from a security perspective.

The four points above underscore certain of the key challenges of successfully executing an IPO. But they also show where proper preparation can boost the odds in your favor.

And I’ve only skimmed the surface here. For a more thorough analysis, check out the online version of our November 18 webinar entitled “It’s What You Don’t Know That Can Affect Your IPO.”

Jim DeLoach

Is Your Data Safe and Are You Sure?

Cal Slemp mug



by Cal Slemp, Protiviti Managing Director
Leader – Security Program, Strategy and Policy Practice

Data is the lifeblood of any organization, fueling nearly every aspect of operations. But with reports of cyberattacks and data breaches making headlines routinely, the question needs to be asked:

Is your business really safe?

There is no better time than now to assess whether you have the protections you want in place to protect your information and data and, equally important, whether your organization is prepared to respond to a crisis.

Protiviti professionals have performed data security fieldwork for decades, and Protiviti has formally surveyed the cybersecurity landscape for the past 3 years. We’ve identified recurring issues among organizations that threaten to compromise their data and privacy security. To best protect your organization, here are a few key safety measures:

  • Classify data. Not all data is made equal. Some is useful or valuable, and some is critical. Companies should identify their most critical data – the “crown jewels” – and classify it accordingly so its protection can be addressed first. Protiviti’s 2014 IT Security and Privacy Survey indicates developments in data classification that are both positive and negative: While more organizations are becoming aware of the concept of data classification (“don’t know” responses to the question whether the organization has a classification scheme and policy in place dropped almost in half), a full one-third of organizations surveyed admit they have not yet performed such classification. This is a rise from 20 percent in 2013. Let’s hope this high number is tied to the increased awareness and that these companies tackle the complex but important task of data classification soon. With a clear data classification scheme and policy, those companies will be able to identify types of data (sensitive, confidential, non-sensitive, public, etc.) and allocate security resources accordingly.
  • Only keep what you need. Companies should adhere to the principle “If you don’t need it, don’t store it.” Not only is retaining all data and records inefficient and costly, it exposes your organization to a greater security risk and liability. Instead, companies should “stratify” data based on importance and type and then assign appropriate retention periods for each “stratum” according to regulatory and legal requirements, as well as industry- or company-defined standards. What’s alarming is the increase in the number of organizations that fail to adhere to this practice. 17 percent of respondents to our survey acknowledged retaining all data and records without a defined destruction date – up from 9 percent in 2013.
  • Make sure your cloud is safe. Although relatively few organizations are currently moving sensitive information to the cloud, Protiviti’s survey did document a significant year-over-year jump in the use of cloud-based vendors: 8 percent versus 3 percent in 2013. By comparison, 64 percent of respondents said they store sensitive data on on-site servers. For those choosing a cloud-based service, it’s critical to focus on terms and conditions and understand the information security standards that will be used. Many companies are discovering that cloud-based vendors are holding more data than they were contracted to store, potentially escalating risk. A related focus must be to ensure that the physical processing and storage of specific sensitive data is done in concert with established data privacy regulations.
  • Minimize legal exposure with information security policies. In the United States, almost every state has data privacy laws that impose penalties on organizations that expose confidential data. Nearly all of these laws, however, provide for leniency if the organization that suffers a data breach had a written information security policy (WISP) and a data encryption policy in place. Naturally, these policies should be well-communicated and understood by your employees and business partners. The value of such policies, aside from reducing legal liability, is obvious. But shockingly, one-third of respondents in the 2014 Protiviti survey acknowledged not having a WISP, and 41 percent had no data encryption policy.
  • Perform regular fire drills. Even the most secure organizations cannot expect to prevent all breaches. That’s why it’s critical for a company to have a documented crisis response plan, in which everyone involved knows what to do, and the ability to implement this plan quickly in the event of a crisis or cyberattack. Organizations with robust security protocols involve various senior management members, including the CIO, in their crisis response planning to bring different critical perspectives to the process and ensure an effective response. Again, it’s troubling to note that only 56 percent of respondents in our 2014 survey said they had a crisis response plan. Best practice calls for an annual risk assessment and testing of the response plan every six months.

With high-profile breaches making headlines almost daily, it is becoming clear that a security incident is not a matter of “if” but rather, “when.” With so much at stake, isn’t it best to be prepared?

Author’s note: I want to thank SingleHop for providing information to us as part of National Cybersecurity Awareness Month (NCSAM) in October. For more information, visit