Tag: risk mitigation

Why Healthcare IT Security Must Be at the Forefront of the CIO Agenda | Sherpas in Blue Shirts

Considering the nature of regulations and the sensitivity of personal information, one would assume that IT security is a top priority in the healthcare space. However, an estimated 29 million+ patient health records have been compromised (classified as HIPAA data breaches) since 2009. The number of health records breached in 2013 jumped a whopping 138% over 2012. Serious security flaws have even been detected in Obamacare’s much-touted flagship health insurance exchange website, HealthCare.gov, including severe lapses spanning JSON injection, unsanitized URL redirection, user profile disclosures, cookie theft, and unprotected APIs.

An Afterthought

Healthcare IT security challenges

The pace at which IT is changing the healthcare landscape makes it a prime target for malicious activity. Industry headwinds such as big data, payer-provider convergence, BYOD, HIX, EHR/EMR, and the Internet of Things (IoT) are adding to the healthcare information security conundrum. Patient records have become increasingly common in the fraud marketplace. When combined with other data sources such as insurance and medical data, the problem assumes more alarming proportions.

And it’s not a case of absence of punitive measures. Under the new HIPAA Omnibus Rule (effective from September 2013), firms face fines of up to US$1.5 million in the event of a violation (“willful neglect that was not timely corrected”). Europe has enacted several data security measures. Even before the latest regulatory rulings, insurer WellPoint was fined US$1.7 million after its online application database exposed information concerning more than 600,000 patients.

Feeding the problem

Although CIOs often list security as a priority imperative, it just doesn’t translate into actual spending. This discrepancy can be attributed to a confluence of reasons. The problem originates in a lax culture regarding IT security. The majority of information security breaches are highly avoidable, and most lapses can be traced back to sloppy system administrator password practices, careless sharing of sensitive information, and failure to change default login credentials, among others. Healthcare information security is still not a top execution priority for most personnel, and most security programs are hampered by lack of relevant expertise and attention. Regulatory inconsistencies compound the issue: multiple agencies are involved (FTC, FDA, FCC, to name a few), and their often divergent mandates contribute to the travails of healthcare IT security stakeholders.

Healthcare IT security roadmap

Stakeholders – both buyers’ internal IT teams and third-party service partners – face an increasingly complex technology conundrum. Any mitigation strategy should incorporate leading practices utilized in similar initiatives:

  • Conduct a thorough risk-assessment to proactively identify and secure vulnerabilities
  • Establish clear level-driven permission policies (on a need-to-access basis) applicable to data, applications, and devices (keeping in mind expanding BYOD policies)
  • Institute appropriate staffing practices to make sure personnel with relevant skills are given charge of security tasks
  • Ensure adequate personnel training and sensitization toward information security
  • Implement best-in-class encryption standards
  • Collaborate with business associates (held to the same standards as HIPAA-covered entities) to establish processes and enforce standards
  • Evaluate the security strategy along a security versus accessibility paradigm
  • Drive synergy between the business and IT vision to avoid incoherent implementation resulting from disparate imperatives

Ultimately, any healthcare IT security policy has to encapsulate the individual needs and challenges of various stakeholders – patients, providers, payers, and third parties – to ensure equitable access and health information exchange for coordinated care. The unenviable task of securing healthcare information in the onslaught of exploding devices and touch points calls for a carefully thought-out and implemented approach. But first, healthcare IT security must make a monumental shift from being an afterthought to being a primary strategic imperative in any plan design.

When Flying in the Cloud You Can Be Struck by Lightning | Gaining Altitude in the Cloud

Once upon a time there was a cloud storage provider with a compelling offering. Hundreds of small companies and prominent world-leading companies became its customers and reseller partners and moved their data to the provider’s cloud. Then bigger cloud companies offered services at lower prices and drove the storage provider out of business.

Unfortunately this is a true story. Nirvanix announced on September 17 that it was closing its doors and customers — including resellers whose customers might not have known their data was stored in the Nirvanix Cloud — have been scrambling to move their data in the allotted two weeks.

The Nirvanix story serves as a cautionary warning: You should care whom your service provider selects as its subcontractors and partners, especially if your data is mission critical or your company is in a highly regulated industry.

Nirvanix Cloud’s target market was enterprises and addressing enterprise requirements made its solution more expensive than other cloud storage options. Its pricing couldn’t compete with lower-cost options from larger players such as Amazon, Google and Microsoft, so the venture capitalists refused to do the next round of funding, thus shutting the company down.

Often cloud solutions are ecosystems that have been put together with a lot of subcontracting relationships. It’s a sign of the times and harkens back to the bubble days of the Internet in 2000. You need to conduct careful due diligence to understand those relationships and their ramifications to your business before you turn your workflow and data over to a service provider.

Our advice is to make sure that subcontract relationships are transparent to you so that you can evaluate their risk and evaluate the stability of the subcontract relationship. Above all, make sure that your provider has contingency plans in place that are transparent to you; it’s also wise to have your own contingency plans in place just in case.

Analyzing Risk-Mitigation Strategies for Indian Service Providers’ Impact from U.S. Immigration Reform | Sherpas in Blue Shirts

The U.S. Congress took steps last week that bring proposed immigration reform — and associated H-1B visa reform — even closer to passing into law. The Senate Judiciary Committee passed the full bill on a bipartisan vote of 13-5. They also agreed to key compromises that, if passed, raise the annual cap on H-1B visas from 65,000 to 115,000 and remove the provision requiring recruiting American workers before foreigners. It gives a green light to Silicon Valley giants and other U.S. tech firms and squelches the hopes of the large Indian service providers that the language in the reform provisions might be softened. The tech companies now seek to influence six GOP senators to vote to pass the bill out of the full Senate with a large majority, which would increase the odds for it passing in the House.

Although expectations that the legislation will pass are now drifting slightly higher than 50-50 odds, it’s still unclear how onerous the language in the visa reform provisions will be. Our first two posts in this blog series on visa reform (Critical Impacts on the Global Services Industry Due to Upcoming Immigration Reform and A Detailed Look at How the U.S. Immigration Reform Will Impact Indian Service Providers and Their Customers) provide background on the impacts to the various global services providers and their customers.

In addition to the potential impacts we outlined in those blog posts, Senator Hatch last week added an amendment that brings L-1 visas into the net for reform and prevents Indian firms from using L-1s to dodge the troubling aspects of H-1B visa reform. For employers with 15 percent or more U.S. employees on L-1 visas, the amendment states they will be prevented from placing those workers at client worksites. Further, they will be unable to assign L-1 visa holders to “labor for hire” arrangements.

Unless the trends reverse, the legislation will uproot the business models of the large heritage Indian service providers. At stake: increased costs and margin hits along with constraints in placing H-1B and L-1 visa holders on site in U.S. clients’ locations.

Aside from praying that the proposed legislation falls apart in the House, there’s no “silver bullet” for eliminating the negative impacts to the Indian providers. So in this third post in our series on H-1B visa reform we present risk-mitigation strategies and our analysis of the likelihood of those strategies succeeding. We worked closely with Rod Bourgeois of Bernstein Research and Jeff Lande of The Lande Group in developing the thinking in this analysis, which also draws heavily on Rod’s presentation at his 10th annual equity analyst conference. We sincerely thank Rod and Jeff for their insights in this analysis.

What mitigation strategies are available?

Our analysis breaks down the H-1B reform provisions into six major aspects (shown in the blue rectangles in Exhibit 1). With the exception of two aspects, we suggest one or more mitigation strategies (green rectangles) for the impacts to the Indian service providers.

Exhibit 1

Immigration Reform Impacts and Possible Mitigation Strategies

Let’s look at the likelihood of the above mitigation strategies. This is not an exhaustive analysis, but these factors are the primary ones of concern for the Indian firms.

U.S. clients lobby. It is possible that the big U.S. clients of Indian providers might lobby Congress to change the language of the 15 percent ratio of H-1B holders to U.S. employees due to their concerns about significant disruption to their operations and talent access. However, our research indicates this has not happened to date, and we don’t believe it will occur.

Political factors. India’s government could eliminate its protectionist policies limiting the sale of U.S. tech products in India with the hope that, in turn, this strategy would influence Congress to water down the 15 percent ratio provision. However, there is currently no U.S. political force stepping up to help the Indian firms.

In fact, our observation is that it may be more important politically to pass comprehensive immigration reform than it is to avoid bilateral issues with India.

Although the U.S. tech firms were allies of the Indian firms initially in the visa reform debates in order to increase the “pie” of available visas, this is no longer the case. Presumably the reason for their about-face in support is that the proposed higher cap on available visas and greater share of the “pie” of visas going to U.S. firms meets their visa desires. We have observed statements by such tech firms as Microsoft and IBM in support of the Senate’s visa reform provisions and in support of putting pressure on India to change its protectionist policies.

Staffing model alterations. The proposed ban on eligibility to apply for new visas (triggered by a 75 percent ratio of H-1B or L1 visa holders to U.S. employees, with the ratio dropping to 50 percent after FY 2016) limits the access of Indian firms to new visa holders.

If these restrictions become law, Indian firms could respond by increasing their offshore staff or increasing their nearshore staff in locations such as Canada or in U.S. rural areas and low-cost states (e.g., Louisiana, Mississippi, Alabama). We believe their offshore staffing mix is already at optimal levels.

Alternatively, they could hire subcontractors from companies that primarily operate in the United States that are below the visa headcount threshold ratio.

Or they could acquire businesses with high levels of U.S. staff and rebadge them. However, there are well-known risks in achieving return on investment in acquisitions of services firms. But let’s assume Indian firms decide to take this risk. At what point does an acquisition clearly make sense for an Indian IT firm? Where is the break-even point for low-margin work with high headcount? Would it break up the business of some firms into sub-businesses?

We also note that the proposed legislation includes language stating that if 90 percent of an employer’s visa holders have applied for Green Cards, they would be removed from the visa headcount ratio calculation. However, we do not believe this mitigating factor is feasible to pursue.

Higher wages. The proposed reforms require that, for new visa holders, employers pay higher wages for H-1B workers than they currently pay. We assume this also will necessitate higher wages to existing workers, especially since they have more tenure and relevant experience. The only mitigating factor we see for this provision is for the House to draft wage requirements lower than the Senate’s proposed requirements.

Increased application fees. The legislation also increases visa application fees to $10,000 per visa for employers with 50 or more employees if more than 50 percent are H-1B or L1 employees. As a point of reference, a fee of $10,000 on 5,000 visa applications ($50 million) equates to 3.2 percent of Cognizant’s current operating income. Note that 5,000 applications are fewer than Cognizant’s FY2012 level but similar to FY 2011. The Indian firms could mitigate the expense impact by using fewer new visas.

Another mitigating factor is that the language in this provision could be watered down in the House and/or during conference. However, we believe it will remain in the legislation because Congress needs to raise funds to ensure the bill is cost neutral.

Pass costs through to clients. Another strategy for mitigating the financial impact from visa reform is for the Indian firms to try to pass the costs onto clients by renegotiating contracts and/or raising prices. For reasons detailed in our second blog post in the series, we do not believe this strategy would succeed.    

Although the Indian firms will likely need to consider all of the above mitigation strategies, as shown in Exhibit 2, we believe the tactics with the highest viability are the tactics for staffing alteration.

Exhibit 2

Most Likely Mitigation Strategies

Fortunately the top Indian firms have substantial inventories of visas that they can use to mitigate the short/medium-term impact if Congress passes the immigration/visa reform into law.

The BPO side

We believe that building U.S.-based platforms for vertical-specific BPO markets is a viable strategy for growth among the Indian firms as this would add U.S. headcount that would help lower the ratio for visa holders vs. U.S. employees.

In addition, many of the BPO players are in the position to rebadge their clients’ staffs in order to drive a higher ratio of U.S. staff. It’s fairly easy to transfer a visa to another employer; thus the Indian firms could transfer their visa workers to their clients or even to other services firms.

Possibility of joint ventures

We believe an interesting and creative mitigating strategy is for large U.S. or multinational service providers to create joint venture structures with the Indian players. This would ensure that current U.S. clients of Indian firms would not experience major service disruption. It would also enable the U.S. players to organically capture market share that the Indians otherwise would lose due to visa restrictions.

Bottom line

Due to the contentious issue of undocumented immigrants, the comprehensive immigration reform and related visa reform might not be passed into law. Even if enacted, there is still a possibility that the House’s version of the legislation will water down the restrictions in the Senate’s version. However, if it passes into law at close to its current version, the visa reform provisions will cause a seismic shake-up among the Indian service providers that are aggressive users of visa workers.

Stay tuned. We’ll keep you apprised of significant changes in visa reform impact to providers and customers in the global services industry.


Check out Peter’s other blogs on immigration reform here and here.

Critical Impacts on the Global Services Industry Due to Upcoming Immigration Reform | Sherpas in Blue Shirts

We’ve reached an interesting point in the use of H-1B work visas in the global services industry. Despite many years of debating the necessity to change U.S. visa policies, visa reform failed to get traction. However, the situation has changed with the sweeping U.S. immigration bill. H-1B visa reform is by necessity part of this proposed legislation.

Assessing the probability of immigration reform passing is difficult. However, we believe that Wall Street in its valuation of Indian stocks is currently factoring in a 50 percent probability that the immigration bill will pass.

The U.S. Senate introduced a bipartisan plan to the Judiciary Committee in April with a vote planned for late June or early July. On May 16, a bipartisan group from the U.S. House of Representatives reached an “agreement in principle” and is currently planning to introduce legislation early in June.

If the legislation passes Congress with the visa reform provisions intact, or close to the current form introduced by the Senate, the legislation will result in a much-wanted increase in H-1B visas but will also plunge the global services industry into business model changes because of some onerous provisions in the bill.

We’ve been working with a group of industry experts on the issues involved in the proposed legislation. In this blog post we explore the hard truths of the fundamental provisions and their critical impact on the services industry. We draw heavily on an analysis presented by Rod Bourgeois of Bernstein Research at his 10th annual equity analyst conference and worked with him on this material. We sincerely thank Rod as well as Jeff Lande of The Lande Group, both of whom have been instrumental in helping to develop the thinking in this analysis.

Let’s look at key aspects and implications of the reform provisions and how those fundamentals will impact service providers and their customers.

Who will be affected by the visa reform provisions?

The impacts — both negative and positive — from the visa reform will affect the India-based outsourcing providers, technology companies (such as Microsoft), MNCs (multinational providers such as Accenture and IBM), Global In-house Centers (GICs), sometimes called “captives,” and customers. I’ll discuss the impacts to MNCs, GICs and customers later in this blog.

The two major constituent groups that are most impacted are the Indian outsourcing firms and the technology companies. Historically, these groups were nearly identical in their perspective on H-1B visas: both wanted the “pie” of visas to increase, as providers exhausted the quotas within a week or two after issuance.

But today, getting a larger slice of the visa pie is also of paramount importance to the tech firms. To achieve this they have an interest in restricting access to that pie by other large consumers of H-1Bs (mainly the Indian firms).

In addition, there is a growing sense on Capitol Hill that, although they are operating within the current law, the Indian service providers exploit the H-1B structure to achieve a competitive advantage by paying lower wages than they otherwise would have to pay in the United States.

What will the legislation do?

Objectives. The legislation specifically targets service providers that have a high proportion of H-1B visa holders in their U.S. workforces. The primary objectives are wrapped in the “outplacement” provision, which aims to:

  • “Crack down” on large Indian outsourcers that Senator Durbin contends are snatching U.S. jobs from Americans.
  • Deter the practice of “benching” by staffing firms that place visa holders as temporary staff at below-market wages in client locations (a practice that Congress is not attributing to large Indian outsourcing providers).

Threshold of H-1B use by providers. The legislation also establishes a threshold for the use of H-1B visa holders serving U.S. clients, with the threshold ratcheting downward as follows:

  • Year one: 70% H-1Bs in a provider’s U.S. workforce
  • Year two: 60%
  • Year three: 50%

Providers operating with a larger ratio of H-1Bs than the allowed threshold will not be allowed any new H-1B visas.

Heightened wages. The legislation includes a provision that effectively will make the providers aggressively using visa holders pay their H-1B employees approximately 20 percent more than they currently pay. This likely will necessitate raising wages for other employees too.

H-1Bs on site in client locations. We believe the most onerous provision of the legislation is a clause prohibiting providers from placing H-1B visa holders on clients’ sites if the provider’s overall U.S. workforce includes more than 15 percent H-1B visa holders.

In picturing the impact to Indian providers, think of Cognizant. We believe their current U.S. staff includes more than 85 percent H-1B visa holders.

Increased H-1B application fee. The reform legislation will substantially raise the H-1B application fee to $10,000 for employers with 50 or more employees of which more than 50 percent are H-1B or L-1 employees. This will especially sting the Indian outsourcing providers, as they currently pay $4,325 per visa application.

It’s clear that the service providers that are currently major users of H-1B visas will see the most impact on their business from the visa reform. Who are they? Exhibit 1 shows the 13 top H-1B visa recipients based on their inventories in FY2011-FY2012.

Top Recipients of New H-1B Visa Approvals

Bottom line

If Congress enacts the legislation in, or close to, the form currently being considered by the Senate, service providers that heavily depend on H-1B visas as part of their business model will need to change their U.S. operating business model in order to accommodate the legislative mandates. It will become significantly more costly for providers whose models depend on the H-1B visas.

Complying with the mandates will require providers to lower their number of H-1B employees as well as pay them higher wages. We believe this will raise their costs to the equivalent of reducing their net margins by 20-30 percent if they don’t employ mitigation strategies.

Moreover, the legislation will result in a larger pie of H-1B visas available and thus will be beneficial to firms that have wanted more visas but found that availability had run out. But the Indian providers (who currently hold the largest slices of that pie) will not be able to participate as aggressively in the new larger pie.

How will the legislation impact MNCs and GICs?

From an outsourcing perspective, we don’t believe the proposed legislation will have any negative effect on MNCs because companies such as Accenture, IBM, and others already are below the 15 percent threshold. Their overall U.S. business models do not depend on H-1Bs (although they do certainly leverage them in their outsourcing businesses), and they have a relatively small proportion of H-1Bs in their workforce.

Indeed, we believe the visa reform legislation could have a positive effect on MNCs because it will raise the operating costs of their Indian competitors and thus could result in a modest advantage of leveling the playing field.

Likewise, we don’t believe the legislation will negatively affect the GICs. Their parent organizations already have large onshore employee populations and will easily fall below the 15 percent threshold for H-1Bs. In fact, it may become more attractive to move work to GICs once Congress passes the legislation because the Indian service providers are constrained in their operating models (i.e., offshore internally vs. through third-parties).

As discussed already, the large Indian outsourcing firms will take the biggest hit. While a few Indian heritage providers, particularly on the BPO side, may fall below the threshold ratios, overall we don’t believe the legislation will have a negative impact on this class of Indian providers.

Applicability issues 

We won’t know the full impact to service providers until the legislation is adopted. But if Congress passes it with provisions close to the bill’s current form, the impact to the global services industry will be far reaching.

It’s important to note that the language in some clauses of the current form of the legislation lacks clarity, and some clauses currently lack Congressional consensus on how to apply the provisions. We believe the most significant of these areas are as follows:

  1. Location. The outplacement provision’s current language is as follows: “An H-1B dependent employer may not place, outsource, lease, or otherwise contract for the services or placement of an H-1B nonimmigrant employee.” Some believe this language only restricts the Indian providers’ ability to place visa holders on site at clients’ offices. But our analysis is that Senator Durbin’s intent in the provision’s language is broader: to restrict the ability to “contract for” H-1B visa holders to serve clients. Obviously, this would significantly undermine the Indian firms’ current business model.

  2. Triggering ratio of H-1Bs. What will be the triggering ratio of visa holders to U.S. employees in the outplacement provision? While some assume it will be the same as for other visa-related provisions (50 percent), we believe the current language calls for a triggering ratio of 15 percent. Again the hit is hardest to Indian firms.

  3. Applicability to new or existing visas. The current lack of clarity in the legislation calls into question whether the heightened wage requirements will apply to new or existing visa holders. If the outplacement provision were to apply only to new H-1B visas — which expire after three years — the provision would be phased in over three years. The outcomes of this scenario include:

    • A service provider’s visa holders would be precluded from serving U.S. clients until the provider reduces its ratio of H-1B visa holders to U.S. employees.
    • The provider would be restricted from leveraging new H-1B visas during the three-year period.
    • The end-state annualized expense impact is that all H-1B visa employees would be paid roughly 20 percent higher wages.

    Everest Group believes the provision is most likely to apply only to new visa holders. Even so, we don’t believe that this will reduce the amount of the margin impact on Indian firms due to heightened wage requirements.

This is just the first in a series of blog posts exploring the multi-faceted impacts from the proposed legislation. In future blogs over the next two weeks, we’ll provide more detailed analysis and guidance on the impact to the Indian heritage firms and the possible mitigation actions providers can employ to protect their business. We’ll also discuss in detail how the outcomes will likely impact customers. Everest Group is also preparing to publish a more in-depth analysis in a viewpoint for our research subscribers.


