
Five IT risks everyone should be aware of

09.11.19

A version of this article was previously published on the Massachusetts Nonprofit Network

Editor’s note: while this blog is not technical in nature, you should read it if you are involved in IT security, auditing, or management of an organization that participates in strategic planning and business activities where compliance and controls must be considered.

As we find ourselves in a fast-moving, strong business growth environment, there is no better time to consider the controls needed to enhance your IT security as you implement new, high-demand technology and software to allow your organization to thrive and grow. Here are five risks you need to take care of if you want to build or maintain strong IT security.

1. Third-party risk management―It’s still your fault

We rely daily on our business partners and vendors to make the work we do happen. From an IT perspective, third-party vendors are a potential weak link in the information security chain and may expose your organization to risk. Even when a data breach is the fault of a third party, you are still responsible for it. If customer information is exposed, your customers and clients will come to you for answers and explanations you may not have. 

Though software as a service (SaaS) providers, along with other IT third-party services, have been around for well over a decade now, we still neglect our businesses by not considering and addressing third-party risk. These third-party providers likely store, maintain, and access company data, which could potentially contain personally identifiable information (names, social security numbers, dates of birth, addresses), financial information (credit cards or banking information), and healthcare information of your customers. 

While many of the third-party providers have comprehensive security programs in place to protect that sensitive information, a study in 2017 found that 30% of data breaches were caused by employee error or while under the control of third-party vendors.1  This study reemphasizes that when data leaves your control, it is at risk of exposure. 

In many cases, procurement and contracting policies already put language in contracts that establishes IT security requirements for third parties. The problem is enforcement: the requirements are not monitored, and the evidence (a questionnaire, an audit report) is collected, put in a file, and never reviewed. What can you do about it?

Improved vendor management

It is paramount that all organizations (no matter their size) have a comprehensive vendor management program that goes beyond contracting requirements to defend themselves against third-party risk. Such a program includes:

  1. An inventory of all third-parties used and their criticality and risk ranking. Criticality should be assigned using a “critical, high, medium or low” scoring matrix. 
  2. At time of onboarding or RFP, develop a standardized approach for evaluating if potential vendors have sufficient IT security controls in place. This may be done through an IT questionnaire, review of a Systems and Organization Controls (SOC report) or other audit/certifications, and/or policy review. Additional research may be conducted that focuses on management and the company’s financial stability. 
  3. As a result of the steps in #2, develop a vendor risk assessment using a high, medium and low scoring approach. Higher risk vendors should have specific concerns addressed in contracts and are subject to more in depth annual due diligence procedures. 
  4. Reporting to senior management and/or the board annually on the vendors used by the organization, the services they perform, their risk, and ways the organization monitors the vendors. 

2. Regulation and privacy laws―They are coming 

2018 saw the European Union’s General Data Protection Regulation (GDPR) take effect. It was the first major data privacy law imposed on any organization, wherever located, that possesses, handles, or has access to the personal information of people in the EU. Enforcement has started: the UK Information Commissioner’s Office (ICO) has announced its intent to fine some of the world’s most famous companies, including Marriott International and British Airways, for roughly $125 million (£99 million) and £183 million, respectively.2  Gone are the days when regulations lacked the teeth to force companies into compliance. 

Thanks to other major data breaches in which the private information of hundreds of millions of consumers was lost or stolen (e.g., the 2017 Equifax breach), more regulation is coming. Although there is little expectation of a federal data protection requirement in the United States, individual states and other regulating bodies are introducing requirements. Each new regulation seeks to protect consumer privacy, but the specifics and enforcement of each differ. 

Expected to be the most impactful is the California Consumer Privacy Act (CCPA), signed in 2018 and effective January 1, 2020. It applies to organizations that handle, collect, or process consumer information and do business in the state of California (you do not have to be located in California to fall under its enforcement umbrella).

In 2019, Maine passed the toughest law in the country restricting internet service providers from selling consumer information. Massachusetts’ long-standing privacy and data breach laws were amended with stronger requirements in January 2019. Additional privacy and breach laws are in discussion or on the table in many states, including Colorado, Delaware, Ohio, Oregon, Vermont, and Washington, amongst others.      

Preparation and awareness are key

All organizations, no matter their line of business, must be aware of and understand current laws and proposed legislation. New laws are expected to address not only the protection of customer data, but also employee information. All organizations should monitor proposed legislation and be aware of the potential enforceable requirements. The good news is that there are many resources available and, in most cases, new legislation allows a grace period for organizations to develop a complete understanding of the law and implement the needed controls. 

3. Data management―Time to cut through the clutter 

We all work with people who have thousands of emails in their inbox (in some cases, dating back several years). Those users’ biggest fears may start to come to fruition―that their “organizational” approach of not deleting anything may come to an end with a simple email and data retention policy put in place by their employer. 

The amount of data we generate in a day is massive. Forbes estimates that we generate 2.5 quintillion bytes of data each day and that 90% of all the world’s data was generated in the last two years alone.3 While data is a gold mine for analytics and market research, it is also an increasing liability and security risk. 

Inc. Magazine says that 73% of the data we have available to us is not used.4 Within that data could be personally identifiable information (such as social security numbers, names, addresses, etc.); financial information (bank accounts, credit cards etc.); and/or confidential business data. That data is valuable to hackers and corporate spies and in many cases data’s existence and location is unknown by the organizations that have it. 

In addition to the security risk that all this data poses, it may also expose an organization to liability in the event of a lawsuit or investigation. Emails and other communications are a favorite target of subpoenas and investigations, and they should be kept only as long as your retention schedule requires (for example, 90 days, including Deleted Items folders), unless a legal hold or a regulatory retention requirement applies to them. 

Take an inventory before you act

Organizations should first complete a full data inventory and understand what types of data they maintain and handle, and where and how they store that data. Next, organizations can develop a data retention policy that meets their needs. Moving data that must be kept onto archive or backup storage media may help reduce the amount of data stored and maintained on internal systems. 
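The inventory-then-retention-policy sequence above, as an added example that is not part of the original article: given a constructed records inventory, apply a retention schedule per data category and decide what to purge. The categories, retention periods, field names, and the legal-hold set are assumptions for illustration; a real schedule must come from counsel and the regulations that apply to you. The point the code makes is the caveat that is easy to get wrong in practice: a legal hold overrides the schedule, and records that are not yet classified are never deleted blindly.

```python
"""Apply a retention schedule to a records inventory, honoring legal holds.

Added example (not from the original article). The schedule, the inventory,
and the employee ids are constructed; the field names are assumptions.
"""
from datetime import date, timedelta

# Constructed retention schedule: how long each category is kept (None = keep).
RETENTION_SCHEDULE = {
    "email": timedelta(days=90),                 # applies to Deleted Items too
    "financial_record": timedelta(days=7 * 365),
    "customer_pii": timedelta(days=365),
    "policy_document": None,                     # retained indefinitely
}

# Constructed: custodians whose records are frozen by an active legal hold.
LEGAL_HOLDS = {"e101"}

# Constructed inventory: where each record lives, what it is, who owns it.
INVENTORY = [
    {"id": "m1", "location": "mailbox/e100/Inbox",           "category": "email",            "custodian": "e100", "created": date(2019, 3, 1)},
    {"id": "m2", "location": "mailbox/e100/Deleted Items",   "category": "email",            "custodian": "e100", "created": date(2019, 2, 10)},
    {"id": "m3", "location": "mailbox/e101/Inbox",           "category": "email",            "custodian": "e101", "created": date(2018, 1, 5)},
    {"id": "m4", "location": "mailbox/e102/Inbox",           "category": "email",            "custodian": "e102", "created": date(2019, 8, 1)},
    {"id": "f1", "location": "fileshare/finance/2011-GL.xlsx","category": "financial_record", "custodian": "e100", "created": date(2011, 6, 30)},
    {"id": "f2", "location": "fileshare/finance/2015-GL.xlsx","category": "financial_record", "custodian": "e100", "created": date(2015, 6, 30)},
    {"id": "p1", "location": "crm/export/customers.csv",     "category": "customer_pii",     "custodian": "e102", "created": date(2018, 5, 1)},
    {"id": "d1", "location": "intranet/policies/infosec.pdf","category": "policy_document",  "custodian": "e100", "created": date(2005, 1, 1)},
    {"id": "x1", "location": "fileshare/scans/unknown.tif",  "category": "scan",             "custodian": "e102", "created": date(2010, 1, 1)},
]

AS_OF = date(2019, 9, 11)  # the date the review is run (constructed)


def retention_decision(record, as_of, schedule=RETENTION_SCHEDULE, holds=LEGAL_HOLDS):
    """Return 'hold', 'keep', 'purge', or 'unclassified' for one record.

    Order matters: a legal hold is checked first so that nothing under hold
    is ever purged, whatever the schedule says.
    """
    if record["custodian"] in holds:
        return "hold"
    if record["category"] not in schedule:
        # Not in the inventory schedule: a human must classify it; never delete blindly.
        return "unclassified"
    period = schedule[record["category"]]
    if period is None:
        return "keep"
    return "purge" if as_of - record["created"] > period else "keep"


def plan_purge(inventory, as_of, **kwargs):
    """Group record ids by decision so the plan can be reviewed before deletion."""
    plan = {}
    for record in inventory:
        plan.setdefault(retention_decision(record, as_of, **kwargs), []).append(record["id"])
    return plan


if __name__ == "__main__":
    for decision, ids in plan_purge(INVENTORY, AS_OF).items():
        print(f"{decision:13s} {', '.join(ids)}")
```

Run against the constructed inventory, the plan purges the two 90-day-old mailbox items (Inbox and Deleted Items alike), the 2011 ledger and the year-old PII export, keeps the recent mail, the 2015 ledger and the policy document, holds everything belonging to the custodian under legal hold, and flags the unclassified scan for a person to decide.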

4. Doing the basics right―The simple things work 

Across industries and regardless of organization size, the most common problem we see is the absence of basic controls for IT security. Every organization, no matter their size, should work to ensure they have controls in place. Some must-haves:

  • Established IT security policies
  • Routine, monitored patch management practices (for all servers and workstations)
  • Change management controls (for both software and hardware changes)
  • Anti-virus/malware on all servers and workstations
  • Specific IT security risk assessments 
  • User access reviews
  • System logging and monitoring 
  • Employee security training
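The "user access reviews" item above, as an added example that is not part of the original article: reconcile one application's account list against the HR roster and report what a reviewer needs to act on. The roster, the account export, and the field names are constructed assumptions; the review logic (terminated or inactive employees with live accounts, accounts with no matching person, stale logins, and privileged accounts without MFA) is the part a practitioner would carry over to real exports.

```python
"""User access review: reconcile application accounts with the HR roster.

Added example (not from the original article). All data is constructed and
the field names are assumptions about the HR and application exports.
"""
from datetime import date, timedelta

# Constructed HR roster: who should have access, and their employment status.
HR_ROSTER = {
    "e100": {"name": "Ada",  "status": "active",     "department": "Finance"},
    "e101": {"name": "Bob",  "status": "terminated", "department": "IT"},
    "e102": {"name": "Cleo", "status": "active",     "department": "IT"},
    "e103": {"name": "Dev",  "status": "leave",      "department": "HR"},
}

# Constructed export of one application's user list.
APP_ACCOUNTS = [
    {"username": "ada",     "employee_id": "e100", "role": "user",  "mfa": True,  "last_login": date(2019, 9, 1)},
    {"username": "bob",     "employee_id": "e101", "role": "admin", "mfa": True,  "last_login": date(2019, 8, 20)},
    {"username": "cleo",    "employee_id": "e102", "role": "admin", "mfa": False, "last_login": date(2019, 9, 10)},
    {"username": "dev",     "employee_id": "e103", "role": "user",  "mfa": True,  "last_login": date(2019, 4, 1)},
    {"username": "svc-etl", "employee_id": None,   "role": "admin", "mfa": False, "last_login": date(2019, 9, 10)},
]

AS_OF = date(2019, 9, 11)          # review date (constructed)
STALE_AFTER = timedelta(days=90)   # assumed inactivity threshold


def review_access(hr_roster, accounts, as_of, stale_after=STALE_AFTER):
    """Return (username, finding) pairs. One account can raise several findings.

    terminated   - HR says the person has left, but the account still exists
    inactive     - HR status is not 'active' (e.g. on leave) but the account is live
    orphan       - no matching HR record: shared/service account or bad data
    stale        - no login within `stale_after`
    admin_no_mfa - privileged role without multi-factor authentication
    """
    findings = []
    for acct in accounts:
        person = hr_roster.get(acct["employee_id"]) if acct["employee_id"] else None
        if person is None:
            findings.append((acct["username"], "orphan"))
        elif person["status"] == "terminated":
            findings.append((acct["username"], "terminated"))
        elif person["status"] != "active":
            findings.append((acct["username"], "inactive"))
        if as_of - acct["last_login"] > stale_after:
            findings.append((acct["username"], "stale"))
        if acct["role"] == "admin" and not acct["mfa"]:
            findings.append((acct["username"], "admin_no_mfa"))
    return findings


def summarize(findings):
    """Count findings by type, the figure that goes into the management report."""
    counts = {}
    for _, kind in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(HR_ROSTER, APP_ACCOUNTS, AS_OF)
    for username, kind in results:
        print(f"{username:10s} {kind}")
    print(summarize(results))
```

On the constructed data the review flags Bob's still-active admin account after termination, Dev's account during leave (and its stale login), Cleo's admin role without MFA, and the service account that maps to no person at all; Ada's account raises nothing. The "orphan" finding is deliberately not treated as an automatic disable: service accounts are often legitimate, but each one needs a named owner before the review can close.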

Go back to the basics 

We often see organizations that focus on new and emerging technologies but have not taken the time to put basic security controls in place. Simple deterrents help thwart attackers. I often tell my clients that a locked car scares away most ill-willed people, but a thief can still smash the window.  

Smaller organizations can consider using third-party security providers, if they are not able to implement basic IT security measures. From our experience, small organizations are being held to the same data security and privacy expectations by their customers as larger competitors and need to be able to provide assurance that controls are in place.  

5. Employee retention and training 

Unemployment rates are at an all-time low, and the demand for IT security experts at an all-time high. In fact, Monster.com reported that in 2019 the unemployment rate for IT security professionals is 0%.5 

Organizations should be highly focused on employee retention and training to keep current employees up-to-speed on technology and security trends. One study found that only 15% of IT security professionals were not looking to switch jobs within one year.6  

Surprisingly, money is not the top factor for turnover―68% of respondents prioritized working for a company that takes their opinions seriously.6 

For years we have told our clients they need to create and foster a culture of security from the top down, and that IT security must be considered more than just an overhead cost. It needs to align with overall business strategy and goals. Organizations need to create designated roles and responsibilities for security that provide your security personnel with a sense of direction―and the ability to truly protect the organization, their people, and the data. 

Training and support goes a long way

Offering training to security personnel allows them to stay abreast of current topics, but it also shows those employees you value their knowledge and the work they do. You need to train technology workers to be aware of new threats, and on techniques to best defend and protect from such risks. 

Reducing turnover rate of IT personnel is critical to IT security success. Continuously having to retrain and onboard employees is both costly and time-consuming. High turnover impacts your culture and also hampers your ability to grow and expand a security program. 

Making the effort to empower and train all employees is a powerful way to demonstrate your appreciation and support of the employees within your organization—and keep your data more secure.  

Our IT security consultants can help

Ensuring that you have a stable and established IT security program in place by considering the above risks will help your organization adapt to technology changes and create more than just an IT security program, but a culture of security minded employees. 

Our team of IT security and control experts can help your organization create and implement the controls needed to address emerging IT risks. For more information, contact the team.
 

Sources:
[1] https://iapp.org/news/a/surprising-stats-on-third-party-vendor-risk-and-breach-likelihood/  
[2] https://resources.infosecinstitute.com/first-big-gdpr-fines/
[3] https://www.forbes.com/sites/bernardmarr/2018/05/21/how-much-data-do-we-create-every-day-the-mind-blowing-stats-everyone-should-read/#458b58860ba9
[4] https://www.inc.com/jeff-barrett/misusing-data-could-be-costing-your-business-heres-how.html
[5] https://www.monster.com/career-advice/article/tech-cybersecurity-zero-percent-unemployment-1016
[6] https://www.securitymagazine.com/articles/88833-what-will-improve-cyber-talent-retention


Read this if you are responsible for cybersecurity at your organization. 

During the financial audit process, auditors are required to develop and confirm their understanding of Information Technology (IT) and cybersecurity practices as they relate to financial reporting, both to understand risk and because auditors rely heavily on data pulled from accounting information systems. As auditors, we have seen a significant increase in the number of impactful incidents affecting not-for-profit organizations, and our IT security experts often share advisory comments in annual audit communications with our clients. Given recent incidents and a rapidly changing business environment, here are the three most important considerations from the last six months that affect all not-for-profits. 

Board oversight of cybersecurity 

Cybersecurity gaps within an organization’s systems may lead to risk exposure and have material impacts on all aspects of operations. Responsibility for cybersecurity controls and for establishing a culture of awareness and security should come from the Board and senior leadership. Board members and senior leaders should stay apprised of cybersecurity efforts on a regular basis and incidents should be summarized and reported on a quarterly basis. 

The Board should also consider adding a member who is a professional with IT and cybersecurity experience to help manage and understand the specific risks to the organization and help drive and support cybersecurity efforts.

Ransomware threats and preventive controls

The use of ransomware as a profitable attack on organizations by hackers continues to rapidly increase. Within the last year there have been multiple high-profile incidents that illustrate the impact of a successful attack. These impacts fall into two main areas. One impact may be financial, as millions of dollars are paid to the bad actors as ransom in hopes of being able to regain control of systems. The second impact is operational, resulting in a loss of control of systems and data during the event. Potentially, an unsuccessful data restoration could result in the total loss of information and data maintained on your networks. 

Though no organization may be able to prevent a ransomware attack from occurring entirely, there are basic cybersecurity controls that help reduce the likelihood and impact of an attack. Preventive controls may include: 

  • Security awareness training on phishing emails and overall IT security practices for all organization users
  • Multi-factor authentication 
  • Access controls that prevent users from installing unapproved software onto organization-owned workstations and networks
  • Anti-malware software installed on devices that connect to organization systems 
  • Backup storage that is isolated from production credentials and cannot be altered or deleted from a compromised workstation (often marketed as “zero trust” or immutable backups), so ransomware cannot encrypt the backups along with the data
  • Disabling macros in Office documents received by email (prevents embedded code from running automatically when an attachment is opened) 

In addition to including these preventive controls to your cybersecurity program, your organization should assess current corrective controls already in place to react to a ransomware event if one is detected or reported. Corrective controls may include:

  • Disaster recovery plans/business continuity plans 
  • Incident response plans
  • Backup controls and restoration tests 

As the risk of ransomware continues to increase and attacks continue to grow in sophistication, your organization should consider regular assessments of its IT controls and cybersecurity practices. Such assessments may be performed in conjunction with the annual financial statement audit as an expanded scope and/or as a separate annual IT assessment. 

COVID-19 IT considerations 

The global COVID-19 pandemic significantly impacted nearly every aspect of modern life, including the way we work. As personnel were sent home and literally became a remote workforce overnight, changes to IT systems and controls rapidly adjusted to accommodate this new way of business. 

Where controls and procedures were adjusted, if not suspended, your organization should review those changes and determine if controls should revert back to the pre-pandemic process—or be formally changed and documented as policy. 

Guidance from the American Institute of Certified Public Accountants (AICPA) indicates that a control gap associated with the pandemic is not a legitimate reason for a control not being performed, and that any changes must be documented and properly managed.  

Well over a year into the pandemic, the concept of a hybrid workforce has emerged as the predominant way employees and businesses want to work. Your organization should review current policies and procedures that may pre-date the pandemic to ensure that the updates both document and consider the current business environment. 

Additionally, with personnel working remotely, in a hybrid model, or a combination of both, you should assess your practices for managing remote access and a hybrid workforce and, where needed, implement industry best-practice tools and procedures that accommodate a remote workforce while maintaining security controls. If you have questions regarding your cybersecurity procedures or want to learn more, please contact our team. We’re here to help. 
 

Article
Cybersecurity update for organizations: Considerations for boards and senior management

Is your organization a service provider that hosts or supports sensitive customer data, (e.g., personal health information (PHI), personally identifiable information (PII))? If so, you need to be aware of a recent decision by the American Institute of Certified Public Accountants that may affect how your organization manages its systems and data.

In April, the AICPA’s Assurance Services Executive Committee decided to replace the five Trust Services Principles (TSPs) with the Trust Services Criteria (TSC), requiring service organizations to remap their internal controls to the new criteria and present SOC 2 findings in a revised format. This switch may sound frustrating or intimidating, but we can help you understand the difference between the principles and the criteria.

The SOC 2 Today
Service providers design and implement internal controls to protect customer data and comply with certain regulations. Typically, a service provider hires an independent auditor to conduct an annual Service Organization Control (SOC) 2 examination to help ensure that controls work as intended. Among other things, the resulting SOC 2 report assures stakeholders (customers and business partners) the organization is reducing data risk and exposure.

Currently, SOC 2 reports focus on five Trust Services Principles (TSP):

  • Security: Information and systems are protected against unauthorized access, unauthorized disclosure of information, and damage to systems that can compromise the availability, integrity, confidentiality, and privacy of information or systems — and affect the entity's ability to meet its objectives.

  • Availability: Information and systems are available for operation and use to meet the entity's objectives.

  • Processing Integrity: System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.

  • Confidentiality: Information designated as confidential is protected to meet the entity's objectives.

  • Privacy: Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.

New SOC 2 Format
The TSC directly relate to the 17 principles of the Committee of Sponsoring Organizations of the Treadway Commission (COSO) 2013 internal control framework, and include supplemental criteria related to COSO Principle 12. The new TSC are:

  • Control Environment: emphasis on ethical values, board oversight, authority and responsibilities, workforce competence, and accountability.
  • Risk Assessment: emphasis on the risk assessment process, how to identify and analyze risks, fraud-related risks, and how changes in risk impact internal controls.
  • Control Activities: Emphasis on how you develop controls to mitigate risk, how you develop technology controls, and how you deploy controls to an organization through the use of policies and procedures.
  • Information and Communication: Emphasis on how you communicate about internal controls, both within the organization and to external parties.
  • Monitoring: Emphasis on how you evaluate internal controls and how you communicate and address any control deficiencies.

The AICPA has provided nearly 300 Points of Focus (POF), supporting controls that organizations should consider when addressing the TSC. The POF offer guidance and considerations for controls that address the specifics of the TSC, but they are not required.

Points of Focus
Organizations now have some work to do to meet the guidelines. The good news: there’s still plenty of time to make necessary changes. You can use the current TSP format before December 15, 2018. Any SOC 2 report presented after December 15, 2018, must incorporate the new TSC format. The AICPA has provided a mapping spreadsheet to help service organizations move from TSP to the TSC format.

Contact Chris Ellingwood to learn more about how we can help you gain control of your SOC 2 reporting efforts. 
 

Article
The SOC 2 update — how will it affect you?

As the technology we use for work and at home becomes increasingly intertwined, security issues that affect one also affect the other and we must address security risks at both levels.

This year’s top security risks are the first in our series that are relevant both to us as consumers of technology and to us as business owners and security administrators. Our homes and offices connect to devices, referred to as the Internet of Things (IoT), that make our lives and jobs easier and more efficient, but securing those devices from outside access is becoming paramount to IT security.

Many of this year’s risks focus on deception. Through deception, hackers can get information and access to systems, which can harm our wallets and our businesses.

In our 2017 Top 10 IT Security Risks e-book we share with you how to understand these emerging risks, the consequences and impacts these risks may have on your business, and approaches to help mitigate the risks and their impact. Some of the key ways to address these risks are:           

  1. Do your homework — change your default passwords (the one that came with your wireless router, for instance), and make sure that your Amazon Alexa, Google Home, or other smart devices have complex passwords. In addition, turning off devices when they are not in use, or when you are away, helps secure your home.
  2. If you work from home, or have employees who do, set up and use secure connections with multi-factor authentication to help protect your networks. Remote employees should be required to use the same security measures as on-site employees.
  3. Protect your smartphone at work and at play — smartphones have become one of our most important possessions, and we use the same device for both work and personal applications, yet we don’t protect them as well as we should. Password protection is step one. Consider installing antivirus software on corporate smartphones and using container apps for corporate email and documents. These apps allow users to connect securely to a company’s server and reduce the possible exposure of data.
  4. Train, inform, repeat. Create a vigilant workforce — through continuous and consistent training and information sharing, you can reduce the occurrence of phishing, hacking, and other attacks against your systems.
  5. Conduct IT security risk assessments annually to help you identify gaps, fix them, and prepare for any incidents that may occur.
  6. Monitor and protect your reputation through tools that identify news about your company and help you understand the sources of the information.

Our 2017 Top 10 IT Security Risks takes a deeper look at the IoT and other risk issues that pose a threat this year, and what you can do to minimize your own and your organization’s IT security risks.

Article
The 2017 top IT security risks: Everything is connected

During my lunch in sunny Florida while traveling for business, enjoying a nice reprieve from another cold Maine winter, I checked my social media account. I noticed several postings about people having nothing to do at work because their company’s systems were down, the result of a major outage in one Amazon Web Services (AWS) region (the S3 storage service in its US-East region). Company sites were down either directly or indirectly, through a software as a service (SaaS) provider hosted in that AWS region.

The outage lasted about four hours and affected hundreds of thousands of sites, including Airbnb, Expedia, Netflix, Quora, Slack, and others. The impact of such outages can be devastating to organizations that rely on their website for revenue, such as online retailers, and to users of SaaS providers that rely on a hosted system to conduct day-to-day business.

We advise our clients who consider hosting services in the cloud to weigh the option seriously and understand potential challenges in doing so. Here are some steps you can take to prevent future outages and loss of valuable uptime:

  1. Know the risks and weigh them against the benefits. Ask questions about the system you are thinking of having hosted. Is the system critical to the business? Without the system, do you lose revenue and productivity? Is the company providing the SaaS service hosting its own systems, or are they hosted at a provider like AWS? Does the SaaS provider have failover sites in separate data centers that are geographically distant from one another?
  2. Have a backup plan. If your business conducts e-commerce or needs SaaS service to function, consider hosting your web servers and other data at two different providers. Though costly, the downtime impact is highly reduced.
  3. Consider hosting yourself. In some cases, we advise against relying on a third-party hosted data center. We do this when the criticality of the function is so high that having your own full-time dedicated support personnel, with multiple internet service providers available, allows you to address outages in-house and reduce the risk of outages.
  4. Have a service level agreement. Having a service level agreement with the hosted third party establishes expectations for uptime and downtime. In many instances where uptime is critical, you may consider incorporating liquidated damage clauses (fines and penalties) for downtime. Often when revenue is involved, the hosted party will take deeper measures to ensure uptime.

These types of outages are rare, but significant and while most organizations should not be scrambling to host their own systems and cancel all hosted agreements, it’s a good idea to take a hard look at your cyber security and IT risk management plan. Then, like me, when the clouds clear and you are in warm and sunny Florida, you can take a long lunch and enjoy the day.

Article
When the skies clear: Web-hosting outage hits Amazon data centers

Read this if you use QuickBooks Online.

Your customers are your company’s lifeblood. Make sure their records are thorough and up-to-date.

When companies buy other companies, the customer list is often considered the most critical asset. When a business is damaged and data possibly lost, the customer list is the set of records they most hope to recover.

You probably spend most of your time in QuickBooks Online working with transactions and reports, but your customer records deserve equal time. If they’re incomplete or otherwise not well maintained, you lose time filling in the blanks when you’re trying to complete a task that requires complete customer profiles. Your searches and reports may not tell the whole picture. Your relationships can suffer, and you may miss out on sales opportunities.

QuickBooks Online provides excellent tools for creating and maintaining comprehensive customer and sub-customer records. Here’s a look at how it all works.

Moving your customer data in

There are two ways to create customer records in QuickBooks Online. If you have an existing database in Outlook, Excel, Gmail, or Google Sheets, you can import it. This will save you an enormous amount of time, but it’s a challenging process. You select the file you want to import, and then you have to “map” it by matching the fields in your database to fields in QuickBooks Online. You’ll likely need our help with this.


To import a customer file into QuickBooks Online, you’ll have to “map” its fields. We can help you with this.

Your other option is to enter records manually. This is time-consuming, but the more information you can include about your customers from the start, the better. You can always edit your records to add, delete, or modify what you originally entered.

To get started, hover over Sales in the toolbar and click on Customers. Then click on New Customer in the upper right corner to open the Customer information window. The only field you’re required to complete is Display name as. You may want to enter only that field if you have a new customer on the phone and want to concentrate on the conversation. You can take notes about their contact information and fill in the record later, when you’re off the phone.

But wherever possible, as we’ve already said, complete as many fields as you can. You’ll enter name and billing and shipping address and phone number(s) on the opening screen. You can also supply contact details like fax number and website. 

Creating sub-customers

You’ll notice a checkbox that says Is sub-customer. QuickBooks Online lets you “nest” related records under the “parent” record. This can be an actual customer, but many people use it to document jobs they’re doing for the customer. So if you’re a contractor, for example, you might have sub-customers like Sun deck and Spa.

If you want to set up such a record, enter the job name and click in the box next to Is sub-customer. Two fields will open below that allow you to select the parent customer and to indicate the sub-customer’s billing status. The remainder of the fields will automatically fill in with the parent customer’s contact information.


You can set up jobs as sub-customers in QuickBooks Online. 

Supplying details

When you’re setting up individual customers, you should add as much detail as you possibly can to each record, beyond basic contact information. QuickBooks Online’s record templates display a number of tabs running horizontally across the window. The most important of these are:

  • Tax info. Is the customer taxable or exempt? If taxable, what is their Default tax code? (If you haven’t set up sales taxes yet and need to, please let us help. It’s complicated.)
  • Payment and billing. Do they have preferred payment and/or delivery methods? Will you be assigning default payment terms, like Net 30 or Due on receipt? What is their Opening balance? If they’re brand-new customers who have never ordered from you, this will be $0.00. If they’re existing, active customers, enter any outstanding balance they have with you as of the date that you enter. This must be correct, to avoid any problems with the customers’ ongoing balances. Questions? Ask us.

Other tabs here are self-explanatory. When you’ve entered everything you can, click Save. The new record will now appear in the Customers list and will be available to select from the drop-down list in transactions.

There will be times when you have to refer back to these forms to answer questions. By maintaining detailed, accurate customer records, you’ll be ready to respond. If you have questions about any of the information requested, or about other elements of QuickBooks Online that are puzzling you, please contact our Outsourced Accounting team so we can set up a consultation.

Article
How to maintain customer records in QuickBooks Online

Read this if you are a behavioral health agency leader looking for solutions to manage mental health, substance misuse, and overdose crises.

As state health departments across the country continue to grapple with rising COVID-19 cases, stalling vaccination rates, and public health workforce burnout, other crises in behavioral health may be looming. Diverted resources, disruption in treatment, and the mental stress of the COVID-19 pandemic have exacerbated mental health disorders, substance use, and drug overdoses.

State agencies need behavioral health solutions perhaps now more than ever. BerryDunn works with state agencies to mitigate the challenges of managing behavioral health and implement innovative strategies and solutions to better serve beneficiaries. Read on to understand how conducting a needs assessment, redesigning processes, and/or establishing a strategic plan can amplify the impact of your programs. 

Behavioral health in crisis

The prevalence of mental illness and substance use disorders has steadily increased over the past decade, and the pandemic has exacerbated these trends. A number of recently released studies show increases in symptoms of anxiety, depression, and suicidal ideation. One CDC study indicates that in June 2020 over 40% of adults reported an adverse mental or behavioral health condition, which includes about 13% who have started or increased substance use to cope with stress or emotions related to COVID-19.1 

The toll on behavioral health outcomes is compounded by the pandemic’s disruption to behavioral health services. According to the National Council for Behavioral Health, 65% of behavioral health organizations have had to cancel, reschedule, or turn away patients, even as organizations see a dramatic increase in the demand for services.2,3 Moreover, treatment facilities and harm reduction programs across the country have scaled back services or closed entirely due to social distancing requirements, insufficient personal protective equipment, budget shortfalls, and other challenges.4 These disruptions in access to care and service delivery are having a severe impact.

Several studies indicate that patients report new barriers to care or changes in treatment and support services after the onset of the pandemic.5,6 Barriers to care are particularly disruptive for people with substance use disorders. Social isolation and mental illness, coupled with limited treatment options and harm reduction services, create a higher risk of suicidal ideation, substance misuse, and overdose deaths.

For example, the opioid epidemic was still surging when the pandemic began, and rates of overdose have since spiked or remained elevated in every state across the country.7 After overdose deaths declined in 2018 for the first time in two decades, the CDC reported 81,230 overdose deaths from June 2019 to May 2020, the highest number of overdose deaths ever recorded in a 12-month period.8 

These trends do not appear to be improving. On October 3, the CDC reported that overdose deaths from March 2020 to March 2021 increased 29.6% over the previous year, and that number will only continue to climb as more data comes in.9  

As the country continues to experience an increase in mental illness, suicide, and substance use disorders, states are in need of capacity and support to identify and/or implement strategies to mitigate these challenges. 

Solutions for state agencies

Behavioral health has been recognized as a priority issue and service area that will require significant resources and innovation. In May, US Department of Health and Human Services (HHS) Secretary Xavier Becerra reestablished the Behavioral Health Coordinating Council to facilitate collaborative, innovative, transparent, equitable, and action-oriented approaches to address the HHS behavioral health agenda. The 2022 budget allocates $1.6 billion to the Community Mental Health Services Block Grant, which is more than double the Fiscal Year (FY) 2021 funding and $3.9 billion more than in FY 2020, to address the opioid epidemic in addition to other substance use disorders.10 

As COVID-19 continues to exacerbate behavioral health issues, states need innovative solutions to take on these challenges and leverage additional federal funding. COVID-19 is still consuming the time of many state leaders and staff, so states have a limited capacity to plan, implement, and manage the new initiatives to adequately address these issues. Here are three ways health departments can capitalize on the additional funding.

Conduct a needs assessment to identify opportunities to improve use of data and program outcomes

Despite meeting baseline reporting requirements, state agencies often lack sufficient quality data to assess program outcomes, identify underserved populations, and obtain a holistic view of the comprehensive system of care for behavioral health services. Although state agencies may be able to recognize challenges in the delivery or administration of behavioral health services, it can be difficult to identify solutions that result in sustained improvements.

By performing a structured needs assessment, health departments can evaluate their processes, systems, and resources to better understand how they are using data, and how to optimize programs to tailor behavioral health services and promote better health outcomes and a more equitable distribution of care. This analysis provides the insight for agencies to understand not only the strengths and challenges of the current environment, but also the desires and opportunities for a future solution that takes into account stakeholder needs, best practice, and emerging technologies. 

Some of the benefits we have seen our clients enjoy as a result of performing a needs assessment include: 

  • Discovering and validating strengths and challenges of current state operations through independent evaluation
  • Establishing a clear roadmap for future business and technological improvements
  • Determining costs and benefits of new, alternative, or enhanced systems and/or processes
  • Identifying the specific business and technical requirements to achieve and improve performance outcomes 

Timely, accurate, and comprehensive data is critical to improving behavioral health outcomes, and the information gathered during a needs assessment can inform further activities that support programmatic improvements. Further activities might include conducting a fit-gap analysis, performing business process redesign, establishing a prioritization matrix, and more. By identifying the greatest needs and implementing plans to address them, state agencies can better handle the impact on behavioral health services resulting from the COVID-19 pandemic and serve individuals with mental health or substance use disorders more efficiently and effectively.

Redesign processes to improve how individuals access treatment and services

Despite the availability of behavioral health services, inefficient business and technical processes can delay and frustrate individuals seeking care and, in some cases, make them stop seeking care altogether. With limited resources and increasing demands, behavioral health agencies should analyze and redesign workflows to maximize efficiency, security, and efficacy. Here are a few examples of process improvements states can achieve through process redesign:

  • Streamlined data processes to reduce duplicative data entry 
  • Automated and aligned manual data collection processes 
  • Integrated siloed health information systems
  • Focused activities to maximize staff strengths
  • Increased process transparency to improve communication and collaboration 

By placing the consumer experience at the core of all services, state health departments can redesign business and technical processes to optimize the continuum of care. A comprehensive approach takes into account all aspects that contribute to the delivery of behavioral health services, including both administrative and financial processes. This helps ensure interconnected activities continue to be performed efficiently and effectively. Such improvements help consumers with co-occurring disorders (mental illness and substance use disorder) and/or developmental disorders find “no wrong door” when seeking care. 

Establish a strategic plan of action to address the impact of the COVID-19 pandemic

With the influx of available dollars resulting from the American Recovery Plan Act and other state and federal investments, health departments have a unique opportunity to fund specific initiatives to enhance the delivery and administration of behavioral health services. Understanding how to allocate the millions of newly awarded dollars in an impactful and sustainable way can be challenging. Furthermore, the additional reporting and compliance requirements linked to the funding can be difficult to navigate in addition to current monitoring obligations. 

The best way to begin using the available funding is to develop and implement strategic plans that optimize funds for behavioral health programs and services. You can establish priorities and identify sustainable solutions that build capacity, streamline operations, and promote the equitable distribution of care across populations. A few of the activities state health departments have undertaken as a result of strategic planning initiatives include: 

  • Modernizing IT systems, including data management solutions and Electronic Health Records systems to support inpatient, outpatient, and community mental health and substance use programs 
  • Promoting organizational change management 
  • Establishing grant programs for community-driven solutions to promote health equity for the underserved population
  • Organizing, managing, and/or supporting stakeholder engagement efforts to effectively collaborate with internal and external stakeholders for a strong and comprehensive approach

Mental illness and substance use disorder were areas of concern prior to COVID-19, and the pandemic has only made these issues worse while adding more administrative challenges. State health departments have had to redirect their existing staff to address COVID-19, leaving limited capacity to manage existing state-level programs and little to no capacity to plan and implement new initiatives. 

The federal administration and HHS are working to provide financial support to states to work to address these exacerbated health concerns; however, with the limited state capacity, states need additional support to plan, implement, and/or manage new initiatives. BerryDunn has a wide breadth of knowledge and experience in conducting needs assessments, redesigning processes, and establishing strategic plans that are aimed at amplifying the impact of state programs. Contact our behavioral health consulting team to learn more about how we can help. 

Sources:
1. Mental Health, Substance Use, and Suicidal Ideation During the COVID-19 Pandemic, CDC.gov
2. COVID-19 Pandemic Impact on Harm Reduction Services: An Environmental Scan, thenationalcouncil.org
3. National Council for Behavioral Health Polling Presentation, thenationalcouncil.org
4. The Impact of COVID-19 on Syringe Services Programs in the United States, nih.gov
5. COVID-19 Pandemic Impact on Harm Reduction Services: An Environmental Scan, thenationalcouncil.org
6. COVID-19-Related Treatment Service Disruptions Among People with Single- and Polysubstance Use Concerns, Journal of Substance Abuse Treatment
7. Issue Brief: Nation’s Drug-Related Overdose and Death Epidemic Continues to Worsen, American Medical Association
8. Increase in Fatal Drug Overdoses Across the United States Driven by Synthetic Opioids Before and During the COVID-19 Pandemic, CDC.gov
9. Provisional Drug Overdose Death Counts, CDC.gov
10. Fiscal Year 2022 Budget in Brief: Strengthening Health and Opportunity for All Americans, HHS.gov

Article
COVID's impact on behavioral health: Solutions for state agencies

Read this if you use QuickBooks Online.

Are you finding that you need more flexibility in an area of QuickBooks Online? Maybe it’s time to try an integrated app.

When you first started using QuickBooks Online, you probably found it supplied the tools you needed to manage your accounting—and then some. But as your business grows or becomes more complex, you may need more functionality and flexibility in one or more areas, like time tracking and billing.

There are hundreds of add-on applications that integrate well with QuickBooks Online in the QuickBooks Apps store, which you can find here. Some of these apps are free, but most charge subscription fees. They’re designed to amplify the power of QuickBooks Online’s own features. The site will remain your home base, but you’ll have to learn enough about the add-on apps to understand how they work and how they integrate with QuickBooks Online. Here are some of the most popular add-on solutions from the QuickBooks Apps site.

Expensify

QuickBooks Online allows you to record expenses. Its thorough form templates ask you for numerous details, like the vendor, product or service, amount, and billable status. Completed expenses appear in a table. You can run any of several related reports, like Expenses by Vendor Summary. If you use the QuickBooks Online mobile app, you can snap photos of receipts, which QuickBooks Online turns into expense forms partially completed with the receipt data.

Using the QuickBooks Online mobile app, you can snap photos of receipts and complete the expense forms provided.

But Expensify ($5-9 per month for one user) does more. It’s a robust expense management system that handles everything from receipt processing to next-day reimbursement. Where QuickBooks Online only supports basic expense tracking, Expensify allows you to create expense reports and follow them through multi-level approvals. It features automatic credit card reconciliation and expense policy enforcement, as well as bill pay and invoices/payments. Two-way synchronization with QuickBooks Online means you can work in either application and your data will be replicated in the other, as is the case with all of these integrated solutions.

QuickBooks Time

Formerly known as TSheets, this powerful time-tracking application builds on QuickBooks Online’s time management and payroll features. QuickBooks Time ($8-10 per user per month plus $20-40 monthly base fee) is now owned by Intuit, so it’s embedded directly in QuickBooks Online. 

Your employees can track their hours on any device, from any location, and their entries are instantly available in QuickBooks Online so managers can review, edit, and approve timesheets. That data can then be used in areas like invoicing, job costing, and payroll. Advanced features include scheduling capabilities, overtime monitoring, GPS tracking, and real-time reports. The Who’s Working window shows you where your staff members are working and what they’re doing, in real time. 

Method:CRM

QuickBooks Online does a good job of helping you create profiles of customers and storing them for quick retrieval. But some businesses need more than that. They need true Customer Relationship Management (CRM). Method:CRM ($28-49 per month per user; discounts for annual subscriptions) is an excellent partner for QuickBooks Online in this area.

You can record and store customer details in QuickBooks Online, but Method:CRM adds true Customer Relationship Management to the site.

When you integrate Method:CRM with QuickBooks Online, you no longer have to do duplicate data entry to keep track of your customers and their sales profiles and histories. You get a shared lead list and activity tracking (emails and phone calls), and your customer records contain the information a sales team needs, like customer details, interaction, transactions, and services performed. Leads are stored in Method:CRM until they’re customers, and you can track sales opportunities from a customer’s initial interest through the final sale. 

Two more advanced integrated apps

QuickBooks Online provides basic inventory-tracking capabilities, but if your business has more complex needs, an integrated application like SOS Inventory ($49.95-149.95 per user per month) should be able to meet them. Built for QuickBooks Online from the ground up, the application offers advanced features like sales orders and order management, assemblies, serial inventory, and multiple locations. And if you need more sophisticated bill pay, invoicing, and payment processing (with multiple automated approval levels) than QuickBooks Online offers, you might look into the highly regarded Bill.com ($39-69 per user per month).

Growth is good, but challenging

We wanted to introduce you to a few of the hundreds of integrated apps available for QuickBooks Online because you should know that there are options for expanding on the site’s built-in capabilities. As your business grows, so does your need for more sophisticated accounting. QuickBooks Online may still be able to serve you well with the help of one or more of these add-ons.

You may also want to explore the possibility of upgrading your version of QuickBooks Online. We encourage you to consult with us if you’re outgrowing QuickBooks Online. We can help you explore the options so you can spend your time planning for your company’s future instead of wrestling with your accounting application. Please contact our Outsourced Accounting team.

Article
Expand QuickBooks Online's features: Use integrated apps

Read this if you are a division of motor vehicles, or interested in mDLs.

It can be challenging to learn about the technical specifications that must be met to safely acquire, implement, and use emerging technologies. And why wouldn’t it be? Technical specifications are full of jargon only a technical expert can understand, and seem to appear out of thin air. Well, BerryDunn is here to help. When it comes to mobile driver’s licenses (mDLs), we’ve got the scoop.

Technical standards are developed by a few large international organizations. The International Organization for Standardization (ISO) is a Swiss-based organization responsible for developing international standards across technical, industrial, and commercial sectors in 165 countries. The International Electrotechnical Commission (IEC) is an international standards organization that develops and publishes standards for electronic technologies. ISO and IEC have been collaborating on international technical standards for mDL technology. Recently, ISO/IEC finalized and published these standards, which can be purchased on ISO’s website for 198 Swiss francs (about $213 US).

These technical standards cover three key components: 

  • Data exchanged during an mDL transaction
  • Security during online and offline mDL transaction scenarios
  • mDL data model to ensure mDL interoperability 

Data exchange/transaction

Data exchange is the process by which an mDL device presents credentials (e.g., to verify age or identity) to an mDL reader. Broadly speaking, data exchange consists of three phases: initialization (activating your device at a store to confirm your identity), device engagement (the mDL device establishes a connection with the mDL reader), and data retrieval (the mDL reader requests the data it needs to continue a transaction).

Retrieval can occur when the mDL has an internet connection (online retrieval) or when it does not (offline retrieval). Offline data retrieval can be conducted over Bluetooth Low Energy (BLE), Near-Field Communication (NFC), or Wi-Fi Aware, in any combination. These are all methods by which an mDL connects to an mDL reader at short range, functionally similar to Apple Pay. Online data retrieval can be conducted using a web-based application programming interface (WebAPI) or OpenID Connect (OIDC); these are the methods by which the mDL connects with the mDL issuer, confirms the mDL holder’s identity, and allows the mDL issuer to transfer data to the mDL reader. In short, an mDL transaction might look something like this:

  1. Initialization: An mDL holder attempts to purchase alcohol from a local store. The mDL holder opens their device, enters their mDL application using a PIN or biometric security feature, and uses NFC or a QR code to initiate a connection between the mDL and mDL reader.
  2. Device engagement: The mDL and mDL reader connect using NFC or a QR code.
  3. Data retrieval: The mDL reader either asks the mDL for data to confirm the holder’s age, or asks the mDL issuer to confirm the mDL holder’s age. Either the mDL or mDL issuer sends appropriate data to the mDL reader to confirm the holder’s age. Once validated, the mDL-reading establishment and mDL holder are free to complete the transaction. 

Security for mobile driver’s licenses 

mDL security aims to protect against four primary threats.

  1. mDL forgery/forgery of data elements
  2. mDL cloning/cloning of data elements
  3. mDL communication eavesdropping
  4. Unauthorized mDL access 

mDL security needs to cover online scenarios, in which an mDL holder’s device is connected to the internet, as well as offline scenarios, in which an mDL holder’s device does not have internet connectivity. Potential mDL security options include: 

  • Authentication of mDL data to protect against data cloning
  • Authentication of the legitimacy of the mDL reader to prevent alteration of communications between the mDL and mDL reader 
  • Session encryption to preserve mDL data confidentiality and prevent mDL data alteration or unauthorized data access
  • Issuer data authentication to ensure the mDL data originates at a legitimate issuing authority

During online retrieval scenarios, mDLs can employ transport layer security (TLS) to preserve the confidentiality of mDL data, or use a JavaScript Object Notation (JSON) Web Token (JWT) to authenticate mDL data origin.  
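As an added illustration of the data retrieval step, the issuer data authentication option, and the forgery threat described above, the following Python simulates the liquor-store scenario with a JSON Web Token. This is example code written for this page; it is not part of the ISO/IEC standards or of any DMV or vendor implementation. The issuer releases only the data element the reader asked for, signs it, and the reader verifies the signature, the issuer, and the validity window before trusting the age claim. The HS256 shared key, the `dmv-example` issuer identifier, the holder record, the element names, and the `tampered_copy` test helper are all constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key shared by issuer and reader. HS256 is a symmetric JWS
# algorithm, so every reader would hold the issuer secret; a real issuer would
# sign with an asymmetric algorithm (e.g. ES256) and give readers only the
# public key. Assumed here purely for a self-contained illustration.
ISSUER_KEY = b"demo-issuer-key-not-for-production"
ISSUER_ID = "dmv-example"  # hypothetical issuer identifier

# Constructed sample record as the issuer might hold it (holder is under 21).
HOLDER_RECORD = {
    "family_name": "Doe",
    "given_name": "Jane",
    "birth_date": "2005-06-15",
    "age_over_21": False,
    "resident_address": "1 Example St, Portland, ME",
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _compact_json(obj: dict) -> bytes:
    return json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()


def issue_token(record: dict, requested: list, key: bytes, now: int, ttl: int = 300) -> str:
    """Issuer data authentication: release only the requested data elements,
    bound to the issuer by an HS256 MAC and a short validity window."""
    released = {name: record[name] for name in requested if name in record}
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(released, iss=ISSUER_ID, iat=now, exp=now + ttl)
    signing_input = _b64url(_compact_json(header)) + "." + _b64url(_compact_json(payload))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_token(token: str, key: bytes, now: int) -> Optional[dict]:
    """Reader-side check: returns the released claims, or None if the token is
    malformed, uses an unexpected algorithm, fails the MAC, names the wrong
    issuer, or has expired."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    head_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(head_b64))
        payload = json.loads(_b64url_decode(payload_b64))
        sig = _b64url_decode(sig_b64)
    except ValueError:  # covers bad base64, bad UTF-8 and bad JSON
        return None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return None
    if header.get("alg") != "HS256":  # rejects "none" and algorithm confusion
        return None
    expected = hmac.new(key, f"{head_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):  # forged or altered data element
        return None
    if payload.get("iss") != ISSUER_ID:  # data must originate at the issuer
        return None
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:  # stale token
        return None
    return payload


def tampered_copy(token: str, name: str, value) -> str:
    """Test helper modelling the forgery threat: change one data element but
    keep the original signature. A correct reader must reject the result."""
    head_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(_b64url_decode(payload_b64))
    payload[name] = value
    return head_b64 + "." + _b64url(_compact_json(payload)) + "." + sig_b64


def reader_age_check(token: str, key: bytes, now: int) -> Optional[bool]:
    """The store scenario from the text: the reader needs only age_over_21 and
    never receives the birth date or address."""
    claims = verify_token(token, key, now)
    return None if claims is None else bool(claims.get("age_over_21"))


if __name__ == "__main__":
    now = 1_700_000_000
    token = issue_token(HOLDER_RECORD, ["age_over_21"], ISSUER_KEY, now)
    print("genuine token ->", reader_age_check(token, ISSUER_KEY, now + 10))
    print("forged claim  ->", reader_age_check(tampered_copy(token, "age_over_21", True), ISSUER_KEY, now + 10))
    print("expired token ->", reader_age_check(token, ISSUER_KEY, now + 600))
```

The token carries nothing the reader did not request, which is the data-minimization side of the "unauthorized mDL access" threat; the MAC and issuer check cover forgery and origin; the expiry bounds replay of an old token. Eavesdropping on the channel is the job of TLS, as the paragraph above notes, and is not simulated here.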

mDL technical specifications: Key terms and definitions

Technical specifications are an important, yet confusing aspect of IT system implementations, particularly for emerging technologies where expertise has not yet been established within the market. The same holds true for mDLs. Understanding mDL technical specifications requires understanding the specific terms used to describe the technical specifications along with general mDL terminology. Here’s a list of mDL-related and technical specification terms and definitions.

Key terms and definitions

Bluetooth Low Energy (BLE): A form of Bluetooth that provides wireless connectivity of similar range to traditional Bluetooth at reduced device power consumption.
IEC: International Electrotechnical Commission.
ISO: International Organization for Standardization.
JavaScript Object Notation (JSON): An open standard file format and data interchange format that uses human-readable text to store and transmit data objects.
JSON Web Token (JWT): A signed JSON object used to transfer claims between two parties over the web.
mDL issuer: The department of motor vehicles or bureau of motor vehicles responsible for administering rights to, and overseeing distribution of, mDL data to mDL holders.
mDL holder: The person whose data is contained in, and represented by, the mDL.
mDL reader: The hardware used to consume mDL data from an mDL holder’s device.
mDL-reading establishment: The institution consuming mDL data via an mDL reader (e.g., law enforcement, liquor store, Transportation Safety Administration).
Near-Field Communication (NFC): Communication protocols that allow electronic devices to communicate over distances of 1.5 inches or less (e.g., Apple Pay).
Offline retrieval: The mDL holder’s device is not directly connected to the internet via Wi-Fi or cellular data, so the mDL device must hold some mDL data behind security features (e.g., a PIN or biometric lock) and, at a minimum, be able to confirm holder identity, driving privileges, age, and residence.
Online retrieval: The mDL holder’s device is connected to the internet via Wi-Fi or cellular data. Upon request, the mDL holder can initiate a transfer of mDL data using a QR code or web token to approve the sharing of mDL data between the mDL issuer and mDL reader.
OpenID Connect (OIDC): An authentication protocol that allows for the verification of end-user identity.
Transport Layer Security (TLS): A cryptographic protocol that provides communication security over a computer network (e.g., between an mDL reader and mDL issuer).
Web Application Programming Interface (Web API): An interface exposed by a web server or web browser.
Wi-Fi Aware: A Wi-Fi capability that allows devices to discover potential Wi-Fi connections nearby without connecting to them. Wi-Fi Aware runs in the background and does not require users to have current Wi-Fi or cellular connections.


If you have any questions regarding mDLs and technical requirements, please contact us. We’re here to help. 

Article
mDL technical specifications: Background, terms, and topics