In the days leading up to the March 13, 2020 declaration of national emergency related to Coronavirus (“COVID-19”), many businesses began taking steps to assure that their workforce could continue operations remotely. Since then, these steps have gone into overdrive as more and more employees and contractors are being discouraged (or prohibited) from situations that involve human-to-human physical contact. Businesses that have not embraced or prepared for this new “normal” may be challenged with additional risk exposure related to remote operations, as well as complications that may arise when bad actors seek to take advantage of public fear/disaster scenarios.

Here are some potential trouble spots:

Lack of internal policies and procedures — businesses that have never created formal policies may find it difficult to coordinate and respond to external threats and potential data security events. Because security events tend to move quickly, delays in management response may result in larger than necessary losses (data, business, cash, etc.).

Lack of IT infrastructure and expertise — businesses that cannot access relevant expertise (especially during periods of increased demand) run the risk of their technical demands not keeping up with a rapidly evolving environment. For those owners not accustomed to a purely remote experience, this lack of access may mean extended downtime (loss of business/revenue) and/or extended windows where system vulnerabilities expose proprietary data to bad actors.

Lack of training and awareness — non-native users who are now forced to access company data from a remote platform may not be familiar with proper protocols necessary (both from a system and a hardware perspective) to maintain adequate safeguards over both data and access to the internal network. Potential avenues include traditional “hacking”, phishing, spoofing, ransomware, malware, password theft, or other points of entry made vulnerable due to lack of controls or lack of compliance with existing controls.

Human nature — in situations of high panic and incomplete information, the first viable source becomes the most reliable source almost reflexively. Bad actors understand this and are quite skilled at creating vehicles that prey on our need to make sense of events. These “social engineering” tricks look and feel like reputable information and prompt actions which, without diligence, can compromise secure systems.

Companies that find themselves somewhat unprepared should consider the following tips and advice for navigating these challenging times:

• If you are seeking technical expertise, do your diligence and find a reputable IT professional. Now is not the time to go discount — you are entrusting your and your clients’ data to this person. Do not get taken advantage of. Ditto for applications and software that you will be told “you have to have” as you embark on a remote strategy.
• Develop and implement an internally visible and centralized plan for the inevitable technology problems that will arise. If you do not have a dedicated IT resource, make sure that your remote workers are getting assistance from an approved and reputable source that is familiar with your system and policies.
• Consider multi-factor authentication (MFA) if you have not already. MFA may consist of software or applications that send verifications to a known email address or phone number, or in some cases may be as simple as requiring personal verification of previously identified categories of requests over the phone.
• Watch for unauthorized work-arounds as these may be indicative of system or process vulnerabilities or may create vulnerabilities to outside parties.
• Your network speed may get slower due to increased usage — BY EVERYONE. Depending on your provider, the speed and bandwidth accessible to your company may be affected by the overall increase in traffic. This phenomenon is no different than everyone realizing the highway will close at 4 p.m., so they all leave the office at 1 p.m. or 2 p.m. to avoid traffic. Factor this “traffic” in, and where possible, plan accordingly.
• Don’t forget your physical hardware and servers. For those that haven’t migrated to the cloud, consider your critical infrastructure and how it is physically protected (especially if located somewhere “closed until further notice”).
• Your staff may not have “work laptops” but may still need to access the company network on a device without the proper security setup. Train employees on minimum security requirements necessary for secure interface (VPN, firewalls, secure file exchange, avoiding “free wi-fi” in public spaces, etc.) and where needed consider follow-up measures (in-person configuration or retrieving/providing conforming hardware) to ensure compliance.

The governmental response to the COVID-19 pandemic will require most business to change the way they work, even if that change is temporary and regardless of whether they were prepared. Because this change is predictable, the threats related to that change are also somewhat predictable. The current environment not only means increased exposure to issues which traditionally confront users of technology to do business, but also increased numbers of companies who may be dealing with remote work for the first time on this level of scale. As you navigate your response to COVID-19, please make sure your systems and processes can withstand this new “normal.”

This material is provided for informational purposes only and does not provide any coverage or guarantee loss prevention. The examples in this material are provided as hypothetical and for illustration purposes only. The Hanover Insurance Company and its affiliates and subsidiaries (“The Hanover”) specifically disclaim any warranty or representation that acceptance of any recommendations contained herein will make any premises, or operation safe or in compliance with any law or regulation. By providing this information to you, The Hanover does not assume (and specifically disclaims) any duty, undertaking or responsibility to you. The decision to accept or implement any recommendation(s) or advice contained in this material must be made by you.

MAR LC 2020-161A

Well-trained, highly-educated healthcare professionals strive each day to provide the best and safest care for their patients. However, despite ongoing efforts, preventable medical errors persist as the number three cause of death in the United States, following only behind heart disease and cancer.¹

Beyond what and why

When medical errors occur, the natural reaction may be to determine which employees were involved and to terminate their employment. The assumption is the employees did something wrong. Though that may be the case, there is no guarantee that the same incident will not occur again, with other employees involved, unless the healthcare facility digs deeper to understand exactly what happened, why it happened, and what needs to change to prevent future mistakes.

This is where root cause analysis comes in. The American Society of Risk Management defines the root cause analysis (RCA) process for the healthcare industry as a “systematic analysis of an event or near miss that has occurred within the healthcare setting.

Understanding what happened is only one piece of the puzzle. To minimize the likelihood that similar mistakes will be made again, healthcare facilities need to implement sustainable changes to processes, policies, and environment. Analysis plus action will help ensure safer patient care and working conditions for staff.

– MARYBETH RHODES RN, MN, CPHRM,

Risk Management Consultant,

The Hanover Insurance Group

When performing RCA, organizations should consider the goals they want to achieve. Common expectations of RCA include:

• Identifying and implementing sustainable systems-based improvements that provide safer patient care
• Identifying methodologies and techniques that will lead to more efficient and effective use of RCA
• Promoting the utilization of tools to evaluate the RCA process so that significant errors or flaws are realized and remedied prior to implementing the action items
• Employing RCA as a focused review of the systems and processes involved in the delivery of healthcare and not on individual action.

Root cause analysis should not be a tool used to discipline employees involved. To do so would impede a culture of safety and decrease the chance of errors being brought forth in the future.

Learning from mistakes

Root cause analysis at a glance³

• Identify the problem
• Select team conduct investigation
• Identify possible factors
• Identify root cause
• Define and implement action plan
• Monitor and assess results

When conducted properly, RCA can help us learn from our mistakes. How organizations handle RCA should be documented and reviewed annually. Keys to success include:

• Support and involvement of leadership team
• Documentation of what incidents should go through RCA
• Starting RCA within 72 hours of an incident
• Establishment of a four-to six-person team, including at least one person who has expertise in the RCA process
• A consistent approach to the investigation, including utilization of such tools as interviews, flow charts, diagrams, barriers, five whys, action hierarchy, accountability and measurement
• Determination of actions to be taken and timing
• Ongoing measurement of the changes and improvements
• Feedback to staff, patient, and family on findings⁴

Given how busy all healthcare professionals are, it is tempting to forego RCA, but given what is at stake — patient and staff safety — it is advisable to take the time and understand what caused a medical error. If not, it will eventually re-occur.

Sources:

1. McCann E. Deaths by Medical Mistakes Hit Records. Healthcare IT News. July 18, 2014. Accessed February 24, 2017.

2. World Health Organization, 10 Facts on Patient Safety. Fact Files. Accessed February 24, 2017.

3. Six Sigma What is Root Cause Analysis

4. Root Cause Analysis Playbook-An Enterprise Risk Management Approach and Implementation Guide. ASHRM. 2015

5. RCA2 Improving Root Cause Analyses and Actions to Prevent Harm, Version 2. National Patient Safety Foundation. January 2016

6. United for Patient Safety Progress Report 2014-2015. National Patient Safety Foundation. February 2016.

7. Shining A Light Safer Health Care Through Transparency. The National Patient Safety Foundations Lucian Leape Institute. Report of the Roundtable on Transparency. 2015

126-10056 (9/17)              LC 2017-352

Before you head out on your next vacation, make sure your home is protected while you're away using these preparation tips.

While your teen may be gaining their freedom, they may not have the freedom to drive certain cars in your home. We get it, and we want to give you the choice to enjoy some discounts on your policy with our Hanover SafeTeen deductible.

When you add the Hanover SafeTeen deductible to vehicles that aren’t usually driven by your teen, you can save money and protect your vehicles. If a teen gets into an accident in one of the cars that has this deductible on it, an additional $2,500 will be applied to the deductible.

You get a discount on the policy and your teen gets one more reason to drive their car and not yours. The choice is yours.

How it works 

1. Speak with your independent insurance agent about the ParentChoice deductible option.
2. Select the vehicles that your teen won’t frequently drive*, and add the ParentChoice deductible of $2,500 on those vehicles.
3. The additional $2,500 deductible is applied to the comprehensive and collision deductible in the event of a loss on the selected vehicles only when driven by a teen driver.

* ParentChoice deductible can be added to any vehicle on the policy

Example for illustration purposes only:

112-10400 (7/18)              LC2018-242

Nearly 1 in 12 holiday shoppers this season will become a victim of identity theft. Don't let hackers put coal in your virtual stocking–follow these tips to keep your identity and your holiday shopping safe.

Sources:

National Cyber Security Alliance

Cybersecurity & Infrastructure Security Agency

Experian

Sources:

National Cyber Security Alliance USA.gov

This material is provided for informational purposes only and does not purport to address every possible legal obligation, hazard, code violation, loss potential or exception to good practice.

701-0615A (11/13)

This material is provided for informational purposes only and does not purport to address every possible legal obligation, hazard, code violation, loss potential or exception to good practice.

701-0513A (7/13)

117-10051

IBHS research has shown that ballasted PV systems may be subjected to sliding or localized lifting at wind speeds well below design levels. When a PV array is first installed, a baseline inspection should be conducted and the location of key elements should be clearly identified. Be sure to discuss liability, maintenance, and repair responsibilities with your PV installer and insurance company.

Following a strong wind event — with wind speeds of about 70 mph or higher — steps should be taken to identify and address any change or damage that may have occurred.

Initial inspection

After installation, create a baseline of the PV system and roof cover:

• Record distance between PV system and other roof-mounted equipment. 
• Document locations of PV array, panels, and ballast.
• Inspect and photograph PV system and roof cover.

Post-event inspection and repairs

After a strong wind event, inspect and address the following:

• Loose or disconnected conduit, wiring, or electrical connections.
• Damage to roof cover, including tears and abrasion.
• Damage to PV arrays, including panels, connectors, and ballast.
• Movement of PV system and components, particularly changes in proximity to other roof-mounted equipment to determine if collision has or could occur.
• Overly tight cables and any signs of fraying or damage to cables or conduit, which could result in an electrical short or broken connection.
• PV systems and components can shift after a severe weather event, including systems suddenly or gradually moving toward the roof edge, as shown above.
• Other components that can shift after severe weather include the electrical tray, conduit, and mounting block with roof cover sheet carrying the power line, which is shown shifted away from the PV system. This may cause tightening or disconnection of the cable, which can be a fire hazard.

This material is provided for informational purposes only and does not provide any coverage or guarantee loss prevention. The examples in this material are provided as hypothetical and for illustration purposes only. The Hanover Insurance Company and its affiliates and subsidiaries (“The Hanover”) specifically disclaim any warranty or representation that acceptance of any recommendations contained herein will make any premises, or operation safe or in compliance with any law or regulation. By providing this information to you. The Hanover does not assume (and specifically disclaims) any duty, undertaking or responsibility to you. The decision to accept or implement any recommendation(s) or advice contained in this material must be made by you.

171-10003 (4/16)               LC 2016-089