Defining the Risk of Cryptocurrency

By Lowers & Associates

The fundamental risk of cryptocurrency (‘crypto’), aside from market risks, is custody. Simply put, the high value of crypto, with the equivalent of over $100 billion in circulation (at this time), provides ample motivation to steal it.

Hot vs Cold Storage

If the crypto is stored in a “hot” (online) environment, strong encryption is the essential safeguard, but the entire environment must be secured. The digital asset and the private encryption key that accesses it must be stored separately. Since the online account storing the asset is generally known to the public through the blockchain, the biggest risks are hacking attacks on the online storage or theft of the private key. Whoever holds the private key controls the asset.  History has shown that online storage is highly vulnerable to theft.

If the crypto or its private key is held in “cold” storage (offline)—as many experts recommend—then both digital and physical risks exist. As large and more traditional investors choose cryptocurrencies for value stores and transactions, use of the cold storage option is likely to increase. The need for strong encryption remains, and specific kinds of threats against digital assets, like electromagnetic radiation, have to be mitigated.

That said, once the crypto and its private key are in the physical realm, many of the risks of crypto are similar to those that apply to compact high value objects like gems, bearer bonds and cash. A small cold storage “wallet”—a digital device that might be the size of a thumb drive—can hold and transfer any amount of cryptocurrency. These tiny devices are highly vulnerable to damage or theft, and even if a thief does not get the private key, they can still hold the device for ransom.

A second major source of risk to crypto is the very reason it exists: it is outside of any traditional currency ecosystem, without the insurance and security protocols that accompany fiat currencies. No institution is monitoring crypto transactions, and no law enforcement agency is routinely tracking suspicious actors. In fact, the identities of investors in crypto may not be publicly known.

Financial institutions are beginning to evolve private ways to duplicate some of the protections of traditional currencies, like Know Your Customer (KYC) and Anti-Money Laundering (AML) protocols. Cash in Transit providers are building on their experience in cash management to devise secure ways to store and transport crypto.

Crypto is still in the wild west phase. It is growing very rapidly, and a financial system is developing to make it a reasonable alternative to fiat currencies.

For more information about the risks of crypto, and how to manage them, request a copy of our new white paper Custodial Crypto Transportation and Storage: Understanding and Mitigating the Risks.

The Opioid Crisis and Your Public Restrooms: Mitigating the Risks

By Lowers & Associates

As the opioid crisis continues its rise in the U.S., an unexpected threat has confronted businesses and other entities that offer public restrooms. It turns out more and more public restrooms are being used by addicts as a relatively safe, clean, and private place to get high.

For their part, the businesses that operate these restrooms report more cases of syringes and drug remnants left behind. Overdosed individuals (dead and alive) are being found by unsuspecting employees and customers in increasing numbers.

The situation of opioid use and public restrooms, which NPR referred to as “ground zero in the opioid epidemic,” presents businesses with a difficult decision. Do they restrict access, close their restrooms entirely, or keep their restrooms open and find other ways of managing the risks?

4 Aspects of Risk Mitigation:

Addict or not, no business owner wants to have someone die or harm themselves, especially on the company’s property. The opioid crisis is forcing business owners and managers to find ways to ensure the safety and convenience of customers and staff who use the restrooms, while also considering measures to increase the safety of addicts.

Measures taken must be based on a clear-eyed risk assessment. Managers cannot simply hope the addicts will go away.

There are several aspects of risk mitigation, some purely local managerial actions and others involving police or policy responses. Here we look at four areas you may want to consider in addressing the issue:

1. Access Control

The first thought for many owners is access control. If an addict cannot get into a restroom, problem solved. However, it’s harder to do than you might think. Here are some tactics companies have tried:

  • Keys or lock combinations controlled by staff can limit access. However, these are also easily defeated, as the addict could just linger near the door until someone exits, then grab the door before it closes.
  • Some businesses station a guard next to the restroom entrance and require a receipt for access. To combat this, according to the NPR report, an addict named ‘Eddie’ says he just gets a receipt from the trash.
  • Design can help in some cases. Airports, for example, usually have restrooms that are permanently open via hallways that block visibility from the main corridor, removing the privacy that the addict needs. This can be an overly-expensive or impossible undertaking for many businesses.

2. Adaptation

Given that addicts exist and will continue to exist, some owners have modified restrooms to limit the attractiveness of the room for the addict.

  • Restrooms can be modified to be less accommodating by removing shelves, cubbies, ceiling tiles, or other hiding places where an addict might store drugs or paraphernalia.
  • A popular tactic has been the use of blue lighting, which makes it more difficult to find a vein for injection. However, many addicts will inject anyway, increasing the chances of a botched attempt that spreads blood and potentially disease.
  • Some managers even train staff to use naloxone, a drug that can reverse opioid overdoses, in case someone is found passed out. Naloxone is widely available.

3. Policy

Public intervention to reduce the risk of overdosing deaths is controversial, part of the wider debate over criminalization versus rehabilitation. Several states have considered laws to permit “supervised injection facilities,” though these may run afoul of Federal law. Nevertheless, there have been several public policy attempts that businesses might look to for inspiration in forming their own policies.

  • CNN reports that Health Canada has approved a number of “safe injection sites” where addicts can use openly in a controlled environment. One site in Vancouver has been operating since 2003 and has not had a single person die even though there were 6,000 cases of overdosing.
  • A city could install “Portland loos,” named after the Oregon city where they were invented. The loos have no running water, no mirrors, no porous surfaces, and limited privacy because police can peer into them at top and bottom.
  • One ambitious example is the Corner Project in New York City, a syringe exchange program. The Project offers a restroom to users which its managers insist is just a restroom, not a supervised injection facility. There are no medical personnel on site, but an intercom is used to check on users, there is naloxone on site, and employees can quickly enter if necessary.

4. Design

A number of agencies have stipulated how restrooms should be designed to increase safety for addicts who use them as injection havens. Public restroom managers may be able to adopt some of these practices. One example is from the New York state “Syringe Exchange Policies and Procedures” guide.

  • Restrooms should support hygiene: cleaner injections reduce risk of infection.
  • Tables and other surfaces should be a non-porous material for easier cleaning.
  • Staff should have a means to access the restroom at all times.
  • Doors should swing out, not in, so a collapsed addict does not block entry.
  • Intercom systems for two-way communication are desirable.
  • The restroom needs a regular cleaning schedule.
  • A biohazard box for used needles, drugs, or bloody patches should be provided.

The unfortunate reality is that there are millions of people who are addicted to opioids and too many of whom graduate to injection. If managers want to continue providing access to public restrooms as a valued service to their customers, they will have to address the risks that addicts pose. How is your company addressing the concern? Talk to a Lowers & Associates risk management consultant for a complete risk assessment and advice.


5 Current Threats to Hospital Security

By Lowers & Associates

Treating patients is far from the only concern faced by hospitals today. To protect the safety of patients, visitors, and staff, hospitals must now take extra efforts to anticipate and prepare for security threats.

Hospitals are vulnerable to crime and violence from patients, visitors, and occasionally their own staff members. Therefore, security systems in hospitals must include proactive measures to create and reinforce effective security protocols geared towards accountability, readiness, and responsiveness.

The first step to designing an effective security system is understanding the threats themselves.

Here are some of the top security issues concerning hospitals today:

1. Abuse and battery towards medical staff

Assault and battery towards medical staff are the most common types of abuse-related injuries to occur within healthcare facilities. 80% of serious violent incidents reported in healthcare settings were caused by interactions with patients and were usually caused by patients hitting, kicking, beating, and/or shoving medical staff. Many factors contribute to this. For one, patients may be victims of an incident caused by a dispute, creating a hostile or volatile environment inside the hospital. In other cases, patients may suffer from instabilities due to addiction or mental health issues.

At highest risk of patient-inflicted violence are psychiatric aides, whose risk is more than ten times that of nursing assistants, the second-most affected group. Other high-risk groups include emergency departments, geriatrics, pediatrics, and behavioral health providers.

2. Active assailant attacks

Researchers at Brown University reported 241 hospital shootings between 2000 and 2015. Breaking this down, the majority of in-hospital shootings happened in the emergency room (29%), followed by the parking lot (23%) and patient rooms (19%).

As recent stories exemplify, simply having a plan is not enough. A recent active shooter situation at Dartmouth-Hitchcock Medical Center exhibited the need for a much more comprehensive security approach. When the shooter entered the hospital and shot a patient, “Code Silver” was announced to all staff members. However, most staff did not know what the code meant, let alone how to react. The code has since changed to “Active Shooter,” along with other modifications to improve overall hospital security.

Bethesda Butler Hospital in Hamilton, Ohio is working to enhance training. They hired actors to practice emergency response to a hospital shooting. As Ronald J. Morris, the Director of Corporate Security for Tri-Health puts it, “It’s all about preparation and telling people about developing the right mindset so they can be more prepared.”

3. Infant abductions

Infant abduction is the most common type of abduction in healthcare facilities. According to the National Center for Missing and Exploited Children, 317 cases of infant abductions occurred between 1965 and 2017. The majority of cases of infant abduction occur in the mother’s hospital room, with violence inflicted on the mother in 8% of cases. Before more advanced security protocols were put in place, many of the perpetrators disguised themselves as medical personnel to steal a child, usually from the hands of the mother.

In response, hospitals have cracked down on security measures and patient education practices that directly address this type of risk. The system does not need to be complex, but it should be effective. For example, access to maternity wards should be limited to qualified personnel or individuals who can prove their relationship to a patient. This can be further reinforced with badges that identify the security clearance of medical staff.

4. Supplies and property theft

From drugs to food to medical supplies, you could make an A-Z list of items that are stolen from healthcare facilities. In 2009, hospitals reported 272 incidents of theft. By 2015, this number rose to 2,926 – a 166% increase. The result can be extremely costly. As a single example, the Santa Clara Valley Medical Center in San Jose, CA counted 383 stolen pieces of equipment between 2010 and 2014, totaling over $11 million in value.

Culprits include patients, visitors, and also staff. An employee at the Christus Santa Rosa Hospital-Westover Hills in San Antonio, TX admitted to stealing over $400,000 worth of equipment because “it was easy and no one asked any questions.” Hospital theft is a good indication of a vulnerable security system, and also contributes to unnecessary overhead costs.

5. Pressure to cut costs

While 49% of hospitals reported an increase in crime between 2016 and 2017, nearly 1 in 4 hospitals (23%) reported a decrease in their hospital security budget over the same period. Part of this involves a reluctance to hire more security staff. In an anonymous survey, hospital workers mentioned “more [security threat] incidents, no increase in staff,” as a key challenge for hospitals.

Given its impact on security measures such as employee training, staffing, and security equipment, the pressure to cut costs is one of the most devastating constraints on an effective security solution. With $3.6 billion in federal budget cuts announced for 2018, hospitals need to prioritize security measures that combine effectiveness with cost-efficiency to strive for the best return on investment and highest possible level of security.

Security demands are changing, and hospitals must keep up to protect the security of their patients and staff. To address the increasing risk of in-hospital crime, hospitals must prioritize prediction and prevention of crime just as much as how they respond to and manage incidents. Solutions to achieve this include more advanced technology and data collection, increased security visibility to deter criminals, and bolstering in-house security presence and security response.

Now is the time to examine whether your hospital is in need of updated practices. Explore our healthcare security and risk mitigation solutions.


Human Capital Risk Series: Focus on Complacency

By Lowers & Associates

One way to think about risk management is as a set of procedures designed to mitigate risks identified in a threat assessment. In this view, the risk management program contains a set of rules that can be taught to the right people who can implement the procedures to reduce or eliminate risk.

Humans are good at inventing routines to make repetitive tasks easier or faster to complete. In the beginning, we spend a lot of time and energy working out how the parts of the puzzle fit together, what causes what, what can go wrong, and how to achieve the goal most efficiently, in this case, to mitigate risk.

Once the routine is designed properly, we test it.  If it works, we implement it and then begin the second phase of embedding the routine into a body of standard procedures.


3 Risk Management Practices of Industry-Leading Organizations

By Mark Lowers

Managers in every organization are responsible for achieving the objectives identified in their organizations’ strategic plan. We commonly think of these as positive outcomes, such as increasing sales, maximizing profits, expanding market share, and the like.

But outstanding leaders know that there are threats as well as opportunities in the environment, and they work to manage these risks just as actively as they seek to maximize gains. For industry-leading organizations, avoiding or minimizing the costs of foreseeable risks is an integral part of the total performance of the organization.  Maximizing gain and minimizing risk are two sides of the same coin.

The risk management practices of industry leaders deserve attention. Here are some of the top practices:

1. Risk Management is Integral to the Strategic Plan

The most important thing effective leaders do to manage risks is to make risk management an explicit part of the strategic plan, and demand buy-in from all levels of the organization. Risk management becomes a systematic effort that is pervasive through all operating units, from sales to marketing, supply management to manufacturing, and internal controls. It is given a priority commensurate with its importance, right in line with market expansion or critical support functions. All these functions are explicitly targeted for investment and effort.

To get and retain the visibility it deserves, industry-leading organizations assign responsibility for risk management to a C-suite manager, and make it part of that role’s evaluation. In order for the risk management function to matter to an organization, it has to matter to someone whose job is defined by it. This helps to ensure that there is accountability for the performance of risk mitigation tactics and consistency in implementation.

2. Risk Management is a Planned Activity

Good leaders understand that the key to success is channeling the efforts and resources of every unit in the organization to the achievement of its strategic objectives. They use the strategic planning process to define measurable outcomes, but also to communicate organizational priorities to every level. This general approach has to be adapted to the risk management function.

At the highest level, the person in the role responsible for risk management has to initiate the process of defining risk mitigation objectives. This is based on a thorough, objective risk assessment process that occurs in every operating unit. Although the details will vary depending on the organization, there are some basic concepts that are common to all organizations:

Internal controls have to be reviewed for their risk exposure and ability to mitigate those risks. Obvious places for control reviews are in financial, accounting, and IT functions, but these functions permeate the organization from sales to C-suite.