Critical Infrastructure Cyberattacks on the Rise

Critical infrastructure cyberattacks are increasing in frequency according to Advisen’s loss database, and some experts are worried the worst is yet to come.

There are sixteen industry sectors in the United States that make up the country’s critical infrastructure. These sectors are considered so vital their incapacitation or destruction would have a debilitating effect on national security, economic security and/or national public health and safety, according to the United States’ Cybersecurity and Infrastructure Security Agency (CISA). Poisoned water supplies, opened dam floodgates and pipeline spills are a few of the many worst-case scenarios that could result from a cyberattack on critical infrastructure. The sectors that have been designated as critical infrastructure include the following:


  • Chemical
  • Commercial facilities
  • Communications
  • Critical manufacturing
  • Dams
  • Defense industrial base
  • Emergency services
  • Energy
  • Financial services
  • Food and agriculture
  • Government facilities
  • Health care and public health
  • Information technology
  • Nuclear reactors, materials and waste
  • Transportation systems
  • Water and wastewater systems

Further, recent critical infrastructure attacks in Advisen’s loss database include:

  • A ransomware attack in June 2021 on JBS, the meatpacking company, temporarily shut down all of its operations. The company—which processes roughly one-fifth of the nation’s meat supply—paid an $11 million ransom to become operational again.
  • A ransomware attack on the Colonial Pipeline, the nation’s largest fuel pipeline, occurred in May 2021 and temporarily shut down all operations, causing a temporary increase in gas prices in the United States. Colonial Pipeline paid nearly $5 million in ransom to restore operations, although some of the ransom was later recovered, according to Advisen loss data.
  • Hackers briefly attempted to raise the level of sodium hydroxide to a lethal amount as part of a February 2021 cyberattack on a water treatment plant in Florida. The plant operator quickly noticed the change and lowered the level to the original amount, preventing anyone from being harmed, according to Advisen loss data.

Frequency of Critical Infrastructure Cyberattacks

Unfortunately, cyberattacks on critical infrastructure are becoming increasingly common. Since 2008, the frequency of cyberattacks on critical infrastructure has been trending upward, according to Advisen loss data. The drop-off in 2019 is likely due to a data lag and is not reflective of an actual decrease in frequency.

Looking specifically at the sectors designated as critical infrastructure, the utilities sector was the most frequent target of cyberattacks, accounting for 26% of recorded loss events, according to Advisen loss data. Manufacturing had the second-highest share at 23%, followed by government entities (shown as Public Administration in Advisen’s data) at 17%.

The vast majority of critical infrastructure cyberattacks come from external sources. Unidentified external hackers account for the greatest percentage of these attacks at 39%, followed by nation-state attacks at 34%, according to Advisen data. These attacks typically involve malware.

*Advisen’s loss data is curated from a wide variety of public sources. Our collection efforts focus on larger and more significant cases. For this reason, the figures in this article may not be fully representative of all cases of this type.

OSHA Will Not Amend its COVID-19 ETS Despite CDC Guidance

OSHA recently determined it will not be making changes to the healthcare emergency temporary standard (ETS) after reviewing the latest guidance, science and data on COVID-19, and the recently updated CDC face mask guidance. However, OSHA will continue to monitor and assess the need for changes monthly.

OSHA determined that neither the CDC’s guidance on health care settings nor the underlying science and data on COVID-19 in health care settings has materially changed in a way to necessitate changes in the June 10, 2021 ETS.

Revised CDC Guidance

The CDC recently announced updates to its face mask guidelines, recommending that fully vaccinated individuals should wear a mask in public, indoor settings in areas where there is high or substantial COVID-19 transmission, including of the new coronavirus delta variant. Prior to this update, the CDC guidance allowed fully vaccinated individuals to stop wearing a mask in most settings.

OSHA’s Healthcare ETS

Since OSHA has not changed its requirements for the healthcare ETS, the face mask exceptions under the standard still apply. The healthcare ETS covers employers in various health care industries, such as hospitals, nursing homes, assisted living facilities, emergency responders, home health workers and employees in ambulatory care settings where suspected or confirmed COVID-19 patients are treated.

Next Steps

Health care employers should continue to monitor the OSHA website for updates on how changes in COVID-19 transmission affect agency policy and guidance. OSHA will continue to assess the need for changes monthly.

ETS Face Mask Exceptions:

Employees are not required under the healthcare ETS to wear face masks when:

  • They are alone in a room;
  • They are eating or drinking;
  • It is important to see a person’s mouth while communicating;
  • Employees are unable to wear face masks due to a medical necessity or condition; or
  • Use of a face mask presents a hazard of serious injury or death to an employee.

This is Why You Should Double Check Your Cyber Insurance Policy


Whether a business is in healthcare, accounting, legal, real estate, manufacturing, etc., most of a business’ important assets are digital. (Government municipalities are included too.) To make matters complicated, it’s very common for these digital assets to be stored in various systems and locations, intertwined with a third party’s digital information. With so many opportunities for disaster, steps must be taken to insure this critical information.

Cyber insurance is a new frontier that is rapidly evolving as the industry gets its bearings. Many companies are finding that their current cyber policies have very minimal coverage in case of a cyber breach, and the majority of these policies will not come close to providing the necessary breach coverages to the business or municipality.

When looking at your existing or new cyber policy, it’s important to consider these types of coverages:


As we have come to realize, the idea that security starts and ends with the purchase of a pre-packed firewall is simply misguided

Art Wittman

1. Privacy Breach Notification

Some reports estimate the notification and credit monitoring costs alone are over $100 per record, so if you had 1,000 compromised records, this alone could cost $100,000 or more.

2. Data Loss Restoration

Believe it or not, many large insurance carriers have policy exclusions for the replacement and restoration of data, so be very careful in this area when reviewing your policy.

3. Privacy Liability

This covers the theft or loss of private information related to customers, as well as other third-party information that is in your care.

4. Regulatory and PCI Defense

Many industries are under strict regulatory control, and breaches may result in fines and other penalties from these regulatory agencies.

5. Public Relations

If an enterprise has a breach, the bad press they receive can do significant long term reputational damage and can also be used by competitors to their advantage. This coverage will help hire a public relations firm to mitigate the reputational damage your name brand might incur.

6. Cyber Crime

If your organization is threatened with cyber extortion or otherwise targeted by malicious code that results in financial loss or data loss, this coverage reimburses the costs associated with responding to those threats.

7. Defense and Settlement costs

A breach affecting a lot of customers may result in lawsuits and financial settlements, so insurance coverage is needed to offset these potentially enormous costs.

8. Consulting and Forensic Fees

If a breach does occur, the upfront investigative process will require a lot of professional expertise and a lot of money, and this specific coverage will offset these significant costs.

9. Business Continuity

If a hack causes your business to lose income, this coverage will reimburse you for these losses.

It takes 20 years to build a brand or company reputation and a few minutes within a cyber incident to ruin it

Stephane Nappo

For a free cyber insurance policy evaluation, contact Libertate Insurance today at 813-367-7574 or email me, James Buscarini at jbuscarini@libertateins.com.

Our professionals are happy to review and discuss your firm’s existing cyber liability insurance policy and the relation to your unique business requirements, needs and cyber coverage. Our goal is to help your PEO and client companies navigate the cyber liability insurance landscape and identify potential vulnerabilities that could be exposed based on your existing technology network and infrastructure. Finally, we want to make sure that in the event of a ransomware attack, business email compromise or phishing expedition your firm has adequate coverage in each of the areas that you might be vulnerable to be targeted in.

AM Best Assigns Credit Rating to Sunz Insurance Company

Congrats to our friends at Sunz for the A- (Excellent) rating!

Sunz Insurance

OLDWICK, N.J., July 16, 2021–(BUSINESS WIRE)–AM Best has assigned a Financial Strength Rating of A- (Excellent) and a Long-Term Issuer Credit Rating of “a-” (Excellent) to SUNZ Insurance Company (SUNZ) (Bradenton, FL). The outlook assigned to these Credit Ratings (ratings) is stable.

The ratings reflect SUNZ’s balance sheet strength, which AM Best assesses as very strong, as well as its adequate operating performance, limited business profile and appropriate enterprise risk management (ERM).

SUNZ was formed in 2005 and primarily writes high-deductible workers’ compensation coverage utilizing its proprietary technology-driven platform focused on collateral management for its medium and small business clients.

SUNZ’s balance sheet assessment is supported by its risk-adjusted capitalization as measured by Best’s Capital Adequacy Ratio (BCAR) in current periods, projected future scores, and under stress scenarios. SUNZ balance sheet assessment also considers the capital contributions in support of recent premium growth, improved reserving patterns exhibited during the recent five-year period, its comprehensive reinsurance program diversified among highly rated participants, and a conservative investment portfolio that matches assets with liabilities.

SUNZ’s operating performance is assessed as adequate as evidenced by average pre-tax return on revenue measures that trail AM Best’s workers’ compensation industry composite over the recent five- and 10-year timeframe. SUNZ’s business profile assessment is limited as 49.9% of premiums are written in two states, California and Florida, when considering both direct and assumed premiums. Operating as a single line workers’ compensation insurer, SUNZ’s limited business profile exposes the company to the potential legislative, regulatory or judicial changes occurring within these states. SUNZ’s ERM approach is considered appropriate for the scale, scope and complexity of the organization.

While positive rating actions are unlikely over the near term, positive rating actions could be taken on SUNZ’s ratings should operating performance improve and be sustained at a level that is in line with peers with stronger operating performance assessments.

Key factors that could result in negative rating actions on SUNZ’s ratings and outlooks include a weakening in operating earnings to a level that is not supportive of the adequate operating performance assessment.

Negative rating actions could occur should adverse reserve development or strong premium growth result in a weakening in risk-adjusted capitalization that falls short of supporting the very strong balance sheet assessment.

This press release relates to Credit Ratings that have been published on AM Best’s website. For all rating information relating to the release and pertinent disclosures, including details of the office responsible for issuing each of the individual ratings referenced in this release, please see AM Best’s Recent Rating Activity web page. For additional information regarding the use and limitations of Credit Rating opinions, please view Guide to Best’s Credit Ratings. For information on the proper use of Best’s Credit Ratings, Best’s Preliminary Credit Assessments and AM Best press releases, please view Guide to Proper Use of Best’s Ratings & Assessments.

AM Best is a global credit rating agency, news publisher and data analytics provider specializing in the insurance industry. Headquartered in the United States, the company does business in over 100 countries with regional offices in London, Amsterdam, Dubai, Hong Kong, Singapore and Mexico City. For more information, visit www.ambest.com.

Copyright © 2021 by A.M. Best Rating Services, Inc. and/or its affiliates. ALL RIGHTS RESERVED.

View source version on businesswire.com: https://www.businesswire.com/news/home/20210716005296/en/

Contacts

Gordon McLean
Senior Financial Analyst

+1 908 439 2200, ext. 5304
gordon.mclean@ambest.com

Robert Raber
Director
+1 908 439 2200, ext. 5696
robert.raber@ambest.com

Christopher Sharkey
Manager, Public Relations
+1 908 439 2200, ext. 5159
christopher.sharkey@ambest.com

Jim Peavy
Director, Communications
+1 908 439 2200, ext. 5644
james.peavy@ambest.com

CYBER RISKS & LIABILITIES – Penetration Testing Explained


Keeping workplace technology up and running is vital to any organization’s success. While this task seems feasible, it’s growing harder each year as cybercriminals expand their reach. It’s not enough to simply protect workplace technology with software and security protocols. It’s also critical for your organization to test the overall effectiveness of these protocols on a regular basis. That’s where penetration testing can help.

Essentially, penetration testing consists of an IT professional mimicking the actions of a malicious cybercriminal to determine whether an organization’s workplace technology possesses any vulnerabilities and can withstand their attack efforts. Conducting a penetration test can help your organization review the effectiveness of workplace cybersecurity measures, identify the most likely avenues for a cyberattack and better understand potential weaknesses.

Review this guidance to learn more about what penetration testing is, the benefits of such testing and best practices for carrying out a successful test within your organization.

What Is Penetration Testing?

Put simply, penetration testing refers to the simulation of an actual cyberattack to analyze an organization’s cybersecurity strengths and weaknesses. This testing usually targets a specific type of workplace technology, such as the organization’s network(s), website, applications, software, security systems or physical assets (e.g., computers and smart devices). Penetration testing can leverage various attack methods, including malware, social engineering, password cracking and network hacking, among others. It is often performed by a professional from a contracted IT firm who is not associated with the organization being assessed in any way, which helps the cyberattack simulation seem as authentic as possible. Penetration testing is typically either external or internal in nature. The primary differences between these forms of testing are as follows:

  • External penetration testing requires the IT expert to attack an organization’s external-facing workplace technology from an outside perspective. The tester is given no access to the organization’s premises or internal network; the attack is executed remotely over the internet (or, for wireless assessments, from within radio range of the building) to imitate the methods of an actual cybercriminal.
  • Internal penetration testing allows the IT expert to attack an organization’s internal-facing workplace technology from an inside perspective, typically with the access of an ordinary employee. This form of testing can help the organization understand the amount of damage that a disgruntled employee, or an outside attacker who has already gained a foothold on the network, could potentially inflict.

In addition to these testing formats, there are also two distinct types of penetration tests. How much information an organization provides the IT professional prior to the cyberattack simulation determines the penetration test type. Specifically:

  • An open-box (or white-box) test occurs when the IT expert is given details regarding the organization’s workplace technology or cybersecurity protocols before launching the attack.
  • A closed-box (or black-box) test occurs when the IT expert is provided with no details other than the organization’s name before conducting the attack.

Ultimately, the penetration testing format and type should be selected based on the particular workplace technology elements or cybersecurity measures that an organization is looking to evaluate.


Benefits of Penetration Testing

Penetration testing can offer numerous advantages to your organization, including:

  • Improved cybersecurity evaluations—By simulating realistic cyberattack situations, penetration testing can help your organization more accurately evaluate its varying security strengths and weaknesses, as well as reveal the true cost of any security concerns.
  • Greater detection of potential vulnerabilities—If any of your workplace technology or other cybersecurity protocols fail during a penetration test, you will have a clearer picture of where your organization is most vulnerable. You can then use this information to rectify any security gaps or invest further in certain cyber initiatives.
  • Increased compliance capabilities—In some sectors, organizations are contractually or legally required to engage in penetration testing. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires organizations that store, process or transmit cardholder data to perform internal and external penetration tests at least annually and after significant changes to their environment. As such, conducting these tests may help your organization remain compliant and uphold sector-specific expectations.
  • Bolstered cybersecurity awareness—Mimicking real-life cyberattack circumstances will highlight the value of having effective prevention measures in place for your employees, thus encouraging them to prioritize workplace cybersecurity protocols.

Penetration Testing Best Practices

Consider these top tips for executing a successful penetration test within your organization:

  • Establish goals. It’s crucial for you to decide what your organization’s goals are regarding the penetration test. In particular, be sure to ask:
    o What is my organization looking to gain or better understand from penetration testing?
    o Which cybersecurity threats and trends are currently most prevalent within my organization or industry? How can these threats and trends be applied to the penetration test?
    o What specific workplace technology elements or cybersecurity protocols will the penetration test target?
  • Select a trusted IT professional. Consult an experienced IT expert to assist your organization with the penetration test. Make sure to share your organization’s goals with the IT professional to help them understand how to best execute the test.
  • Have a plan. Before beginning the penetration test, work with the IT expert to create an appropriate plan (often called the rules of engagement). This plan should outline:
    o The general testing timeframe
    o Who will be made aware of the test
    o The test type and format
    o Which regulatory requirements (if any) must be satisfied through the test
    o The boundaries of the test (e.g., which cyberattack simulations can be utilized and what workplace technology can be targeted), including any systems that are explicitly off-limits
  • Document and review the results. Take detailed notes as the penetration test occurs and review test results with the IT expert. Look closely at which cybersecurity tactics were successful during the attack simulation and which measures fell short, as well as the consequences of these shortcomings. Ask the IT professional for suggestions on how to rectify security gaps properly.
  • Make changes as needed. Based on penetration test results, make any necessary adjustments to workplace technology or cybersecurity protocols. This may entail updating security software or revising workplace policies.
  • Follow a schedule. Conduct penetration testing at least once every year, as well as after implementing any new workplace technology or making significant changes to existing systems.
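The plan’s boundaries (timeframe, test type and format, in-scope technology, off-limits systems) are only useful if the tester actually checks each action against them. The following is an added example, not code from the article or from any testing firm: it writes the agreed rules of engagement as data and refuses any planned action that falls outside them. The networks, the excluded host, the test window and the technique names are constructed for illustration (the addresses are from the RFC 5737 documentation ranges).

```python
"""Rules-of-engagement (RoE) scope check for a penetration test.

Added example; not from the original article. All scope values below are
hypothetical. The idea: every planned action (target, technique, time) is
checked against the signed-off boundaries before a single packet is sent,
and every denial names the rule that blocked it for the engagement log.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import ipaddress


@dataclass(frozen=True)
class RulesOfEngagement:
    in_scope: tuple[str, ...]           # networks/hosts the tester may touch
    window_start: datetime              # agreed testing window (timezone-aware)
    window_end: datetime
    allowed_techniques: frozenset[str]  # attack simulations the client signed off on
    excluded: tuple[str, ...] = ()      # carve-outs inside in_scope (never fair game)
    test_type: str = "closed-box"       # "open-box" or "closed-box"
    test_format: str = "external"       # "external" or "internal"


def _networks(cidrs):
    # strict=False so a host address with a mask ("203.0.113.7/24") is accepted
    return [ipaddress.ip_network(c, strict=False) for c in cidrs]


def in_scope(roe: RulesOfEngagement, target: str) -> bool:
    """Exclusions win over inclusions: a carved-out host is never in scope."""
    addr = ipaddress.ip_address(target)
    if any(addr in net for net in _networks(roe.excluded)):
        return False
    return any(addr in net for net in _networks(roe.in_scope))


def check_action(roe: RulesOfEngagement, target: str, technique: str,
                 when: datetime) -> tuple[bool, str]:
    """Return (allowed, reason). Order matters: scope first, then technique, then time."""
    if when.tzinfo is None:
        return False, "timestamp must be timezone-aware"
    if not in_scope(roe, target):
        return False, f"{target} is not in scope or is explicitly excluded"
    if technique not in roe.allowed_techniques:
        return False, f"technique '{technique}' was not agreed in the RoE"
    if not (roe.window_start <= when <= roe.window_end):
        return False, f"{when.isoformat()} is outside the agreed test window"
    return True, "allowed"


def audit_plan(roe, planned):
    """Check a whole plan up front. Returns [(target, technique, when, allowed, reason)]."""
    return [(t, tech, when, *check_action(roe, t, tech, when)) for t, tech, when in planned]


# Constructed sample RoE (hypothetical values).
SAMPLE_ROE = RulesOfEngagement(
    in_scope=("203.0.113.0/24", "198.51.100.10"),
    excluded=("203.0.113.50",),          # e.g. the production database host
    window_start=datetime(2021, 8, 2, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2021, 8, 6, 6, 0, tzinfo=timezone.utc),
    allowed_techniques=frozenset({"port-scan", "web-app", "password-spray"}),
)

# Constructed sample plan: one permitted action and four that must be refused.
_T = datetime(2021, 8, 3, 1, 0, tzinfo=timezone.utc)
SAMPLE_PLAN = [
    ("203.0.113.7", "port-scan", _T),                                         # allowed
    ("203.0.113.50", "web-app", _T),                                          # excluded host
    ("198.51.100.10", "phishing", _T),                                        # technique not agreed
    ("203.0.113.7", "web-app", datetime(2021, 8, 9, 10, 0, tzinfo=timezone.utc)),  # outside window
    ("192.0.2.1", "port-scan", _T),                                           # never in scope
]

if __name__ == "__main__":
    for target, tech, when, ok, why in audit_plan(SAMPLE_ROE, SAMPLE_PLAN):
        print(f"{'ALLOW' if ok else 'DENY':5} {target:15} {tech:15} {why}")
```

Keeping the scope as data rather than in the tester’s head also gives the client something concrete to review and sign before testing starts, and the denial reasons double as evidence that the boundaries were honored.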

If you are a Risk Manager or Principal of a PEO and want to learn how you could help protect your client company’s interests through our affordable Master Cyber Liability program, email James Buscarini, Fl License #A036520 at jbuscarini@libertateins.com to find out more. The Master Cyber program is written through Axis, an A rated carrier, with 250K in coverage, no underwriting, and it is a revenue generator!

White House Issues Ransomware Prevention Guidance to Businesses

In a recent letter addressed to corporate executives and business leaders, the White House emphasized that bolstering the nation’s resilience against cyberattacks is a main priority for President Joe Biden’s administration. Specifically, as ransomware attacks continue to rise in both cost and frequency throughout the country, the federal government is urging businesses to take this evolving cyber threat seriously.

These attacks—which entail a cybercriminal deploying malicious software to compromise a business’s network or sensitive data and demand a large payment be made before restoring this technology or information—have quickly become a growing concern across industry lines. In fact, the latest research provides that ransomware attacks have increased by nearly 150% in the past year alone, with the median ransom payment demand totaling $178,000 and the average overall loss from such an attack exceeding $1 million.

While the White House has begun working with both domestic and international partners on various strategies to prevent ransomware attacks, the Biden administration is also encouraging businesses to play their part in minimizing this rising cyber concern. Rather than viewing ransomware attacks as a minor cyber risk, the federal government is instructing businesses to view these attacks as a significant exposure—one with the potential to wreak havoc on their key operations.

As such, the Biden administration is recommending that businesses convene with their senior leadership teams to review their ransomware exposures and implement these top cybersecurity measures:

  • Utilize the federal government’s best practices. Businesses should incorporate the best practices outlined in the Biden administration’s Executive Order on Improving the Nation’s Cybersecurity, including:
    o Implementing multi-factor authentication (MFA) on all workplace technology
    o Leveraging endpoint detection and response (EDR) tools to identify and deter suspicious network activity
    o Encrypting sensitive data, at rest and in transit, so that stolen copies are of little use to cybercriminals
    o Developing a trusted and skilled workplace cybersecurity team
  • Ensure an effective incident response plan. All businesses should have cyber incident response plans in place. These plans outline proper response protocols and offer steps for minimizing potential damages during cyberattacks. Businesses should include several ransomware attack scenarios within their response plans and routinely test these scenarios with their cybersecurity teams. Based on test results, businesses should revise their response plans accordingly.
  • Conduct frequent data backups. In addition to the federal government’s best practices, businesses should prioritize securely backing up all sensitive data, images and other important files on a regular basis. Such backups can help businesses remain operational and continue to access crucial data in the event that any workplace technology is compromised in a ransomware attack. Backups should be kept offline or otherwise isolated from production networks, so that the same ransomware cannot encrypt them, and should be routinely tested by actually restoring from them.
  • Keep critical networks separated. To keep ransomware attacks from fully disrupting their operations, businesses should segment their workplace networks (e.g., sales, production and corporate) from one another rather than operating a single flat network. Access to each network should be restricted to those who need it to conduct their job tasks, and networks should only allow internet access as needed. That way, a ransomware infection on one network does not compromise the whole business, and critical functions can continue.
  • Maintain updated security software. To help safeguard workplace technology from ransomware threats, businesses should equip their systems and devices with adequate security software—such as antivirus programs, firmware protections and firewalls. This software, and the operating systems and applications beneath it, must be regularly updated to remain effective; to that end, businesses should consider centralized patch management systems to keep updates on a consistent schedule.
  • Review workplace cybersecurity protocols. Apart from testing their response plans, businesses should regularly assess whether their existing workplace cybersecurity policies, procedures and software are sufficient to protect against current risks such as ransomware. In particular, businesses should consider using a third-party penetration tester to review their ransomware defense tactics and overall cybersecurity capabilities. Businesses should work with their trusted cybersecurity teams and IT experts to make workplace adjustments as needed (e.g., updating policies or purchasing new security software).
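Two of the measures above, isolated backups and routine restore tests, are easy to state and routinely skipped. The following is an added example, not from the White House letter or from this article, showing what a minimal, testable version looks like: an archive written to a second directory standing in for offline media, a manifest of SHA-256 digests stored beside it, a comparison of the live file tree against that manifest (mass changes plus a few new files is the classic ransomware signature), and a scheduled restore into scratch space that proves the backup is usable. Every file it touches is constructed in a temporary directory; nothing is read from a real system.

```python
"""Offline backup with an integrity manifest and a scheduled restore test.

Added example; not from the original article. The 'offline media' is a
hypothetical second directory; in practice the archive and manifest go to
storage that is then disconnected from the production network.
"""
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large backups need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Relative path -> SHA-256 for every regular file under root."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(src: Path, media: Path) -> tuple[Path, Path]:
    """Archive src onto the backup media and record digests beside it."""
    archive = media / "backup.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(src, arcname=".")
    manifest = media / "backup.manifest.json"
    manifest.write_text(json.dumps({
        "archive_sha256": sha256_file(archive),   # detects a corrupted or tampered archive
        "files": build_manifest(src),             # detects altered individual files
    }, indent=2))
    return archive, manifest


def diff_against_manifest(root: Path, manifest: Path) -> dict[str, list[str]]:
    """Compare a live tree with the manifest: which files changed, vanished or appeared."""
    expected = json.loads(manifest.read_text())["files"]
    actual = build_manifest(root)
    return {
        "changed": sorted(p for p in expected if p in actual and actual[p] != expected[p]),
        "missing": sorted(p for p in expected if p not in actual),
        "new": sorted(p for p in actual if p not in expected),
    }


def _extract(tar: tarfile.TarFile, dest: str) -> None:
    # The 'data' filter (Python 3.12, backported to 3.8.17+) refuses path traversal
    # from a malicious archive; fall back to plain extraction on older runtimes.
    if hasattr(tarfile, "data_filter"):
        tar.extractall(dest, filter="data")
    else:
        tar.extractall(dest)


def restore_and_verify(archive: Path, manifest: Path) -> tuple[bool, list[str]]:
    """Restore into scratch space and verify every file against the manifest.
    Run this on a schedule; do not discover during an incident that the backup
    is unreadable or incomplete."""
    expected = json.loads(manifest.read_text())
    if sha256_file(archive) != expected["archive_sha256"]:
        return False, ["archive digest mismatch"]
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            _extract(tar, scratch)
        problems = [k for k, v in diff_against_manifest(Path(scratch), manifest).items() if v]
    return not problems, problems


def demo() -> dict:
    """Constructed end-to-end run: back up, simulate ransomware, detect, restore."""
    with tempfile.TemporaryDirectory() as tmp:
        src, media = Path(tmp, "fileserver"), Path(tmp, "offline_media")
        (src / "data").mkdir(parents=True)
        media.mkdir()
        (src / "data" / "customers.csv").write_text("id,name\n1,Alice\n2,Bob\n")
        (src / "data" / "invoices.csv").write_text("id,amount\n1,100\n")
        (src / "policy.txt").write_text("Backups are restore-tested weekly.\n")

        archive, manifest = create_backup(src, media)

        # Simulated ransomware (constructed): one file overwritten with ciphertext,
        # a ransom note dropped. The media directory is untouched, as offline media would be.
        (src / "data" / "customers.csv").write_bytes(b"\x8f\x11encrypted\x00")
        (src / "README_RESTORE.txt").write_text("Pay 5 BTC.\n")

        damage = diff_against_manifest(src, manifest)
        ok, problems = restore_and_verify(archive, manifest)
        return {**damage, "restore_ok": ok, "problems": problems}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The digest of the archive itself is recorded so that a backup that was quietly corrupted, or encrypted because the media was left mounted, fails the check before anyone relies on it; the per-file manifest is what tells an incident responder which files the ransomware actually touched.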

For additional risk management guidance and insurance solutions email me James Buscarini, PCA at jbuscarini@libertateins.com or call me at 813.367.7574.

California Senate Rejects Workers’ Compensation Proposal

Close one!

SACRAMENTO, Calif. (AP) — The California Senate on Thursday rejected a bill aimed at making it easier for health care employees to have hospitals pay their medical bills related to COVID-19 and other diseases that may have been contracted on the job — a move business groups said would have cost them too much money.

Companies pay their workers’ medical bills if they get sick or injured while on the job. In some cases, workers must prove their injury or illness is work-related to get the benefits. Last year, the California Legislature passed a law that assumed COVID-19 was work-related, shifting the burden to employers to prove it wasn’t.


That law is scheduled to expire in 2023. A bill by Sen. Dave Cortese, a Democrat from San Jose, would have made it permanent. It would have also added other presumptions to the workers’ compensation law for hospital workers, including cancer under some circumstances, post traumatic stress disorder, certain respiratory diseases and muscle or ligament injuries.

The bill had to pass the Senate by Friday to have a chance at becoming law this year. But it fell short on Thursday before the Senate adjourned for the week. Lawmakers are not meeting Friday.

Cortese on Thursday agreed to change the bill to remove respiratory illnesses such as asthma and chronic obstructive pulmonary disease (COPD). But it wasn’t enough to get the bill passed.

Cortese said his goal was to give hospital workers, of whom he says 90% are women, the same protections as other medical professions, including emergency medical technicians.

“It really comes down to equal work, equal compensation,” he said.

Business groups, led by the California Chamber of Commerce, opposed the bill, labeling it a “job killer.”

“Such a drastic shift in the law will create an astronomical financial burden on healthcare employers and the system, creating an appreciable impact on the cost of healthcare at a time when we are trying to make healthcare more affordable,” Ashley Hoffman, policy advocate for the California Chamber of Commerce, wrote in a letter to lawmakers that was signed by 35 other groups.

The bill is part of a broader discussion in California about which coronavirus modifications should continue. Gov. Gavin Newsom said he will lift most of the state’s coronavirus rules on June 15.

The state Senate passed a bill earlier this week that would let restaurants continue to serve alcohol outside. The state Assembly passed a bill that would require local governments to keep letting people comment during their meetings by telephone or the internet. Both bills still must pass the other legislative chamber and be signed by the governor before becoming law.

Written by Adam Beam, Associated Press (June 3, 2021)

https://www.westport-news.com/news/article/California-Senate-rejects-workers-compensation-16223712.php

Benefits of Utilizing Post-Offer Medical Questionnaires in Your Hiring Practices

Prescient National produced this thought provoking look at how to effectively use Post-Offer Medical Questionnaires as a part of your hiring practices. The original post can be found by clicking here.

When companies think of managing their Workers’ Compensation costs, several key programs may come to mind. For example, Early Return to Work, Post-Accident Drug Testing, and establishing a network of medical providers have become second nature in the course of doing business.  While these post-claim activities will reduce costs after a claim has been filed, preventing a loss starts with strong hiring practices.

A comprehensive hiring program contains several standard components, such as pre-employment drug screening, criminal background checks, and reference checks. But perhaps none are more important than the Post-Offer Medical Questionnaire (POMQ). As health conditions, such as obesity, diabetes, and previous surgeries continue to contribute to Workers’ Compensation costs, employers who incorporate the POMQ can rest easy knowing they’ve taken every step necessary to ensure that employees can perform the essential functions of the job, without endangering themselves or others.

What is a POMQ and How Does it Mitigate Potential Injuries?

The POMQ is a document with questions about a prospective employee’s prior medical history.  The POMQ helps an employer understand if the individual will be able to complete the essential functions of the job with or without a reasonable accommodation. Its goal is to help match the candidate to the physical requirements of the job and prevent putting an employee in a job that could be unsafe for him or her, other employees, and the company. It’s good stewardship. 

Let’s use an example to illustrate: An employer in the home healthcare industry employs nurses who travel from one home to another to provide care. The company conducts pre-employment drug screening, motor vehicle record checks, as well as criminal background checks and reference checks, but it does not use a POMQ as part of its hiring practices. One day, while making a sandwich for a client, an employee bends over to pick up a piece of silverware that has fallen off the counter. When he stands up, he feels pain in his lower back and decides to file a Workers’ Compensation claim. When the claim is received by the insurance carrier, it is determined that the employee has had two prior back surgeries and that picking up the piece of silverware has aggravated his pre-existing back condition. After a doctor’s assessment, the employee is scheduled for a third back surgery, which will cost approximately $100,000. It is estimated that this claim alone will increase the employer’s experience modification rate from 1.00 to 1.50, which will cost the firm $500,000 in additional Workers’ Compensation premiums over the next three years. The employer was shocked to learn of the employee’s prior health condition and is frustrated that the employee cannot return to a “light duty” job, because the employee has been written completely out of work. Additionally, the employer is worried that the employee was placed in a position that required lifting and walking assistance for an elderly client, and wonders about future lawsuits over “negligent hiring” practices.

In the example above, the employer could benefit greatly from the effective use of a POMQ.  Uncovering the prospective employee’s prior back surgeries would have allowed the employer to make a well-informed hiring decision, which would protect both the employee and its client population from injuries. For the POMQ to be “effective”, an employer must follow the rules of its use.

How to Use the POMQ

Under the Americans with Disabilities Act (ADA), employers are allowed to conduct medical inquiries of prospective employees as long as certain rules are followed. First, the document can only be used after a job offer has been made (i.e., “post-offer”), but before the employee is placed into the job. This means, for example, an employer cannot ask an applicant to complete a POMQ while filling out an application. Just as with background checks and drug tests, POMQs can also be part of the contingent post-offer process, but only if all new employees in the same job category are required to complete a POMQ.  All information on the POMQ is protected health information and must be handled responsibly (typically by HR), kept confidential, and secured separately. 

An applicant must be provided with a copy of the written job description that outlines the physical requirements of the job. The questions on the POMQ must be “job-related and consistent with business necessity.” This means that the physical exertion the job requires must be documented and must be essential to the job. It also means that employers cannot inquire about any family medical history. The job description in our home healthcare scenario, for example, may require employees in the position to be able to lift 50 lbs. The POMQ will include a question related to the amount of weight an individual can comfortably lift unassisted. If the candidate is unable to meet this requirement, the employer will solicit a medical opinion and provide the doctor with a copy of the written job description. The candidate can meet with his or her own physician or with the company physician to determine if the job requirement can be met and what, if any, accommodations can be made to meet those requirements.

Depending on the physician’s medical assessment, the employer (assisted by feedback from the candidate) must determine if the recommended “reasonable accommodation(s)” can be made to enable the candidate to meet the essential requirements of the job. This may involve modifying the job, if possible, or purchasing additional equipment to help with the task, depending on whether this is a reasonable expectation for the business to undertake. If no reasonable accommodation is available, an employer can withdraw the offer.

POMQ Red Flags

There are certain red flags to look for in a POMQ. Ensure that every question on the POMQ is answered. Often, we see a candidate forget to complete a question or perhaps even refuse to answer a question. All questions should be addressed to avoid potential issues down the road. Look carefully to see if the candidate documents something that doesn’t match the requirements of the job, so that any discrepancies or potential problems can be addressed. Also, make sure the document is signed by the candidate.

Note: If a candidate is untruthful on the POMQ and aggravates a pre-existing injury on the job, in many states the claim may be denied. In most cases, the injury/aggravation must be to the same body part where he or she suffered a prior injury which was not disclosed. Typically, it must also be established that the employer would not have hired the employee if he or she had indeed disclosed the prior injury and the injury would not have allowed him or her to safely perform the essential functions of the job, with or without a reasonable accommodation.

At Prescient National, we believe that well-informed hiring decisions drive down costs and improve employers’ profitability. Used correctly, a POMQ is a good tool to optimize employee safety and to help mitigate potential claims. Hiring employees fit for duty is productive for the staff, insulates an employer from legal liability, and enhances safety throughout the organization.