Cyber Security for Medical Devices and Life Science Companies

July 3, 2014

Many medical devices, and many of the products made by life science companies, contain configurable embedded computer systems that can be vulnerable to cyber-security breaches. In addition, as medical devices are increasingly interconnected via the Internet, hospital networks, other medical devices or smartphones, there is an increased risk of cyber-security breaches that could affect how a medical device operates.

The Food and Drug Administration (FDA) has become aware of cyber-security vulnerabilities and incidents that could directly impact medical devices, hospital network operations and life science companies, including:

  • Network-connected/configured medical devices infected or disabled by malware
  • The presence of malware on hospital computers, smartphones and tablets, targeting mobile devices using wireless technology to access patient data, monitoring systems and implanted patient devices
  • Uncontrolled distribution of passwords, disabled passwords, and hard-coded passwords in software intended for privileged device access (e.g., for administrative, technical and maintenance personnel)
  • Failure to provide timely security software updates and patches to medical devices, manufactured products and networks and to address related vulnerabilities in older medical device models (legacy devices)
  • Security vulnerabilities in off-the-shelf software designed to prevent unauthorized device or network access, such as plain-text or absent authentication, hard-coded passwords, service accounts documented in service manuals, and poor coding practices such as SQL injection flaws.

The FDA has been working closely with other federal agencies and manufacturers to identify, communicate and mitigate vulnerabilities and incidents as they are identified.

FDA Recommendations/Actions

For all device manufacturers:

Manufacturers are responsible for remaining vigilant about identifying risks and hazards associated with their products, including risks related to cyber security, and are responsible for putting appropriate mitigations in place to address patient safety and ensure proper device performance.

The FDA expects medical device manufacturers and life science companies to take appropriate steps to limit the opportunities for unauthorized access to medical devices. Specifically, manufacturers should review their cyber-security practices and policies to ensure that appropriate safeguards are in place to prevent unauthorized access to, or modification of, their devices. The extent of the security controls needed will depend on the device, its environment of use, the type and probability of the risks to which it is exposed and the probable risks to patients from a security breach.

In evaluating your device or product, consider doing the following:

  • Take steps to limit unauthorized device or product access to trusted users only, particularly for those devices that are life sustaining or could be directly connected to hospital networks.
  • Appropriate security controls may include user authentication, such as user ID and password, smartcard or biometrics; strengthening password protection by avoiding hard-coded passwords and limiting public access to passwords used for technical device access; physical locks; card readers; and guards.
  • Protect individual components from exploitation and develop strategies for active security protection appropriate for the device’s use environment. Such strategies should include timely deployment of routine, validated security patches and methods to restrict software or firmware updates to authenticated code. Note: The FDA typically does not need to review or approve product software changes made solely to strengthen cyber security.
  • Use design approaches that maintain a device's or product's critical functionality even when security has been compromised, known as "fail-safe modes."
  • Provide methods for retention and recovery after an incident where security has been compromised.
  • Cyber-security incidents are increasingly likely and manufacturers should consider incident response plans that address the possibility of degraded operation and efficient restoration and recovery.

Reporting Problems to the FDA

Prompt reporting of adverse events can help the FDA identify and better understand the risks associated with medical devices. If you suspect that a cyber-security event has impacted the performance of a medical device or has impacted a hospital network system, file a voluntary report through MedWatch, the FDA Safety Information and Adverse Event Reporting program.

Health care personnel employed by facilities that are subject to the FDA’s user facility reporting requirements should follow the reporting procedures established by their facilities.

Device manufacturers must comply with the Medical Device Reporting (MDR) regulations (21 CFR Part 803).

Contact the cyber security professionals at The Buckner Company today to discuss how to keep your health care facility safe and secure from cyber threats.


Source: FDA


Information provided by:

Josh Creer

Life Science Risk Manager




© 2013 Zywave, Inc. All rights reserved

Auto Insights: Is it Time to Replace Your Car Tires?

April 25, 2014

Personal Home & Auto Insurance

Your car's tire performance is essential to both its safety and its efficiency. Tires eventually lose traction and braking ability and should be replaced when necessary. Keeping your tires in good shape helps you stay safe behind the wheel.

Do Your Tires Need Replacing?

Here’s how to determine if you need to replace your tires:

  • Inspect the tread wear bars. These are small raised bridges molded into the grooves between the treads. When the tread has worn down until it is flush with these bars, or they appear to run straight across the tire, replace your tires.
  • Conduct the penny test by placing the coin upside down, with Lincoln's head facing you, in the center of the tread.
    • If you can see the top of Lincoln's head or the metal above it, replace your tires immediately.
    • If Lincoln's hair is partially visible, start comparing tire prices, as you will need new ones soon.
    • If you cannot see the top of Lincoln's hair (tire tread should be as deep as his forehead), your tires do not need replacing yet.


Other Tire Tips

    • Rotate your tires from the front to the rear in pairs.
    • If you drive a four-wheel drive or all-wheel drive vehicle, replace all four tires when it is recommended in your service manual. The differences in tire diameter can cause permanent damage in your differentials if you do not do so.
    • If you notice uneven wear on your front tires, your front end may be out of alignment. Have them checked and rotate your tires to the rear of the vehicle. This should correct the problem.
    • Since tires do not wear evenly, perform the penny test at several points from the outside to the inside of the tires. Generally, tires will wear more on the inside but over-inflated tires will wear more in the middle.
    • Test and replace your tires at the same time. If you drive with mismatched tires, you will not have the level of safety, performance and efficiency that a matched pair provides.
    • Always keep your tires properly inflated.


    To learn more about our automobile insurance coverages for new or used vehicles, contact us today!

Auto Insights: The ABCs of Air Bag Safety

April 25, 2014

Personal Home & Auto Insurance

According to the National Highway Traffic Safety Administration (NHTSA), an air bag deploys from the dashboard at up to 200 miles per hour, faster than the blink of an eye. Although air bags are designed to absorb crash impact for adult drivers and passengers, children can suffer major injuries from one.


Air Bag Safety Recommendations

To keep children injury-free while riding in your car, consider these safety recommendations:

  • Place small infants in rear-facing child safety seats in the backseat. According to the American Academy of Pediatrics, babies properly buckled in a rear-facing car seat in the back of a vehicle are just as safe as if they were placed in a crib to sleep.
  • Place toddlers over 1 year old and at least 20 pounds in forward-facing convertible safety seats in the backseat of the vehicle. Since these seats would situate the child several inches closer to the dashboard, they pose a risk for air bag injuries if they are placed in the front seat. Therefore, they must be placed in the backseat only.
    • Place children who have outgrown convertible safety seats but do not fit correctly with a lap/shoulder seat belt in a car booster seat in the back seat of the vehicle.
    • Children under age 12 should ride in the backseat of the vehicle with a seat belt securely fastened.


    If you absolutely must seat children under age 12 in the front seat, take the following precautions to reduce their risk of injury:

    • Restrain children in a safety seat appropriate for their age.
    • Push the seat all the way back to provide as much distance between the dashboard and the seat as possible.
    • Require that children sit with their backs firmly pressed against the seat. Do not allow them to wiggle or lean forward.
    • Tighten the seat belt as much as possible to reduce their movement in the event of a crash.


    Remember: we do more than help you avoid claims and arrive at your destination safely. Contact us today to learn more about all of our insurance solutions for your auto, home and life!

Retail Risk Insights: Protect Your Online Retail Network

April 25, 2014

Technology Risk Insights

With the increasing popularity of smartphones and tablets, access to online shopping websites is only a fingertip away for most consumers. Online retailers can expect $327 billion in sales annually by 2016, but this growth comes at a price. The online retail industry is an increasingly attractive target for major cyber attacks, and the results, including tarnished reputations, lost sales and costly lawsuits, can be devastating.

This happened to Zappos®, a large online shoe and apparel store owned by Amazon. In January 2012, cyber criminals broke into Zappos’ internal network and stole personal information from 24 million customers, including names, addresses and the last four digits of credit card numbers. Zappos attempted damage control by informing their customers about the incident and advising them to change their passwords, but much of the damage was already done.

As an online retail business, your success is dependent on the health and security of your biggest tool—your network. In order to protect your network and keep your online business profitable, it is critical that you understand the risks you face.

Hackers and Hacktivists

Do you think hackers only target big brand retail websites that can gain them national attention? Think again. According to statistics reported by Symantec, an Internet security provider, cyber attacks on businesses with fewer than 250 employees increased from 18 percent in 2011 to 31 percent in 2012. Hackers have begun to realize that small to medium size online retailers make easier targets because they generally lack IT departments and the high-level security software that big retailers have.

A cyber attack could knock a small to midsize online retailer offline for days, causing them to lose sales, customers and their reputation. Worse yet, a single data breach could even force some small retailers out of business. Visa, Inc. estimates that 95 percent of the credit card data breaches reported to them happened with their smallest business customers.

Not all hackers are after customers' credit card numbers. "Hacktivists" attack computers or computer networks as a means of political protest, and they do not target only government websites. In April 2011, the hacktivist group Anonymous attacked Sony websites in protest of Sony's lawsuit against a PlayStation 3 hacker, taking them down for hours; Sony's later support for the proposed Stop Online Piracy Act (SOPA) drew further threats from the group.

What is a DDoS Attack?

Hackers can attack online retailers in a number of ways, one of which is a DDoS attack. DDoS, or distributed denial of service, is a type of cyber attack in which a hacker floods your retail website with traffic and overwhelms your server to the point that your legitimate customers are unable to access your site. DDoS attacks can last a few hours to a few days; meanwhile, your company loses out on business and may incur the cost of bringing in an IT specialist to investigate and stop the attack.
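The flood the paragraph above describes shows up in your own access logs as one or a few sources making far more requests than any shopper could. The following is an added example for this article, not code from the original page: it parses web server log lines in the common Apache/nginx "combined" format, counts each client's requests inside a sliding time window, and reports sources that exceed a threshold. The log lines are constructed sample data, and the 10-second window and 50-request threshold are assumptions to be tuned against your site's normal traffic.

```python
"""Spot application-layer flood sources in web server access logs.

This is an added example for this article, not code from the original page.
It parses Apache/nginx "combined" format log lines, counts each client's
requests inside a sliding time window, and reports sources that exceed a
threshold. The sample log lines below are constructed, and the window and
threshold values are assumptions to be tuned against your own baseline.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Combined log format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, request, status) or None if the line is malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, m.group("req"), int(m.group("status"))


def flood_sources(lines, window_seconds=10, threshold=50):
    """Return {ip: peak requests seen within one window} for sources over threshold.

    Lines are expected in chronological order, as a live log is. Each source
    keeps a deque of recent timestamps; entries older than the window are
    dropped as new ones arrive, so memory per source stays bounded.
    """
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip garbage rather than crash the detector
        ip, ts, _, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks


def sample_log():
    """Constructed sample: two shoppers browsing normally, one source flooding."""
    base = datetime(2014, 7, 3, 12, 0, 0, tzinfo=timezone.utc)

    def entry(ip, offset, path, status=200):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

    lines = []
    for i in range(5):  # legitimate clients: a request every 12 seconds
        lines.append(entry("198.51.100.7", i * 12, "/cart"))
        lines.append(entry("203.0.113.42", i * 12 + 3, "/product/17"))
    for i in range(200):  # flooding source: 200 requests in about 4 seconds
        lines.append(entry("192.0.2.99", 20 + i * 0.02, "/", 503))
    lines.sort(key=lambda l: parse_line(l)[1])  # replay in time order
    return lines


if __name__ == "__main__":
    for ip, peak in flood_sources(sample_log()).items():
        print(f"{ip}: {peak} requests within one 10-second window")
```

Two caveats a practitioner would add. A real distributed attack spreads the load across thousands of sources, so a per-IP threshold alone will miss it; compare total request rate and error rate (the 503s in the sample) against your baseline as well. And a purely volumetric flood saturates your upstream link before the web server ever logs a request, which is why the hosting questions later in this article matter: only your host, cloud provider or ISP can absorb that kind of traffic.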

Can You Prevent a DDoS Attack?

Corero, a network security company, reports that DDoS attacks have risen 30 percent in recent years. This could cause a huge loss for online retailers, especially if the attack occurs on Cyber Monday or during the busy holiday shopping season. Although many times DDoS attacks occur on larger brand online retailers, no retailer is immune.  Small and midsize companies that rely on larger e-commerce providers or payment processing companies could be affected if those larger companies come under attack.

With DDoS attacks, you’ll usually never find the source of the attack. Instead, focus on procedures to carry out once an attack happens, including communicating the incident to customers.

Mitigate the DDoS Risk

To mitigate some of the DDoS risk, it is important to understand your Web hosting environment. Some examples of Web hosting include:

  • Shared hosting. Multiple websites share a single server. This is the most common and economical option for small companies; the host is responsible for the server and should have a DDoS response plan in place, so ask to see it.
  • Cloud hosting. Your site runs on a provider's pooled, elastically scaled infrastructure and you pay for the resources you use rather than a flat fee. The ability to add capacity quickly can help absorb a flood, but it can also mean a large bill if an attack is not detected and filtered.
  • In-house hosting. A company, such as a larger online retailer, hosts its own site and assumes all of the responsibility for detecting and mitigating DDoS attacks, including having enough upstream bandwidth or a traffic-scrubbing service to absorb one.

Many small and midsize online retailers use shared hosting because they don’t have IT departments and the capabilities to host their own sites. When selecting a Web hosting service, consider the following:

  • Does the hosting company cater only to e-commerce clients or to a variety of clients? The behavior of other users on the server could impact the performance of your website.
  • How many websites are packed on a single server?
  • What type of DDoS response plan does the host have in case of a cyber attack to the network?

Data Breaches

Hackers love to steal credit card data, and online retail websites handle plenty of it. Insecure wireless networks make data theft easier, and the threats range from payment fraud to worms, viruses and other malware planted on the systems that process orders.

Most shopping sites protect the connection with SSL or, more precisely, its successor TLS, which is meant to keep logins, passwords and card numbers confidential in transit. TLS relies on digital certificates issued to the site by a certificate authority, and the customer's browser checks that the certificate chains to an authority it trusts and matches the site's hostname. That protection only holds if the checks are actually enforced: a fraudulent or misissued certificate, or a client that skips verification, lets an attacker impersonate your site. Encryption in transit also does nothing to protect card data once it is stored on your servers.
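Fake certificates work only against clients that do not verify. The code below is an added example for this article, not code from the original page, showing in Python's standard library the client settings that make a forged or mismatched certificate fail the handshake, the careless settings that let it through, and a small audit that tells the two apart. It makes no network connection on its own; fetch_peer_certificate() is there for readers who want to try the hardened context against a real host.

```python
"""TLS client settings that make a fake certificate fail instead of succeed.

This is an added example for this article, not code from the original page.
It uses only the Python standard library and makes no network connection on
its own; fetch_peer_certificate() is provided for readers who want to try it
against a real host.
"""
import socket
import ssl


def hardened_client_context():
    """Context that verifies the server: trusted CA roots, hostname match,
    TLS 1.2 or newer. create_default_context() loads the system trust store."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def careless_client_context():
    """The pattern that lets a fake certificate through: verification switched
    off. Shown only as the 'before' case so audit_context() has something to
    flag; never use this for real traffic."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False        # must be disabled before verify_mode
    ctx.verify_mode = ssl.CERT_NONE   # accept any certificate, signed by anyone
    return ctx


def audit_context(ctx):
    """Return a list of findings explaining why ctx would accept a forged or
    weak certificate. An empty list means the context verifies properly."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: certificate chain not checked")
    if not ctx.check_hostname:
        findings.append("check_hostname is off: certificate not matched to the host")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("protocol versions older than TLS 1.2 are allowed")
    return findings


def fetch_peer_certificate(host, port=443, ctx=None):
    """Connect, complete the handshake under ctx, and return the peer's
    certificate as parsed by Python. With the hardened context a bad chain or
    hostname mismatch raises ssl.SSLCertVerificationError instead of returning."""
    ctx = ctx or hardened_client_context()
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()
```

The same three settings exist, under other names, in every HTTP client library and in the back-end code of your own site when it calls a payment processor; "verify=False" style shortcuts in that code are exactly the opening a fake certificate needs.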

Mitigate Data Breaches

Are you providing your customers with a secure online shopping experience? Consider the following:

  • Comply with the Payment Card Industry-Data Security Standard (PCI-DSS). Merchants who don’t can get fined by credit card companies.
  • Purchase as much security as you can afford. Consider how much lost customer data or lost customers would cost your company.
  • Maintain continuous vigilance of your site and know your real customers.
  • Have firewall segmentation between wireless networks and point-of-sale networks, or in front of any network that comes in contact with credit card information.
  • If you suffer a data breach, communicate this to your customers.

Cyber security is a serious concern for online retailers of all sizes. We are here to help. Contact The Buckner Company to learn about our risk management resources and insurance solutions, such as Internet/Media Liability, Security and Privacy Liability and Identity Theft insurance today.

Cyber Risks & Liabilities: Complying with HIPAA

April 25, 2014

Technology Risk Insights

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) addresses the privacy of individuals' health information by establishing a federal standard for how that information may be used and disclosed.


As health care institutions began storing larger volumes of private health data digitally, the need to protect this sensitive data from loss or theft grew.

To address this risk, HIPAA (enacted in August 1996) directed the U.S. Department of Health and Human Services (HHS) to adopt standards; HHS issued the Privacy Rule in 2000 (modified in 2002) and the Security Rule in 2003.

The Privacy Rule standards address the use and disclosure of individuals’ health information (called “protected health information”) by organizations subject to the Privacy Rule (called “covered entities”) as well as standards for individuals’ privacy rights to understand and control how their health information is used.

The Security Rule establishes a national set of security standards for protecting certain health information that is held or transferred in electronic form.

All covered entities were required to be in compliance by April 14, 2003, for the Privacy Rule and April 20, 2005, for the Security Rule.

What is a Covered Entity?

HIPAA defines “covered entities” as

  • Health care providers
  • Health plans
  • Health care clearinghouses

If you are not sure whether your organization is a covered entity, the Centers for Medicare & Medicaid Services (CMS) has an easy-to-follow chart available at

HIPAA Requirements for Your Organization

Essentially, HIPAA has two primary components that your firm must follow:

  • Administrative simplification, which standardizes the electronic transaction formats and code sets used industry-wide
  • Privacy protection, which requires covered entities to take “reasonable” measures to protect patient health information

If your organization is a covered entity, you must comply with the following:

  • Implement the administrative, physical and technical safeguards the Security Rule requires for electronic protected health information
  • Limit uses and disclosures of protected health information to the minimum necessary to accomplish the intended purpose. This "minimum necessary" standard does not apply to:
    • Disclosures to or requests by a health care provider for treatment purposes
    • Disclosures to the individual who is the subject of the information
    • Uses or disclosures made pursuant to an individual's authorization
    • Uses or disclosures required for compliance with HIPAA's Administrative Simplification Rules
    • Disclosures to HHS when disclosure of information is required under the Privacy Rule for enforcement purposes
    • Uses or disclosures that are required by other law
  • Designate a privacy officer and a contact person for complaints
  • Train employees on privacy policies
  • Establish sanctions for employees who violate privacy policies
  • Establish administrative systems that can respond to complaints about health information, respond to patients' requests for corrections, accept requests not to disclose for certain purposes and track disclosures of health information
  • Provide patients with a notice of privacy practices describing the use and disclosure of their protected health information

Cyber Liability and HIPAA

Patients’ health information is extremely sensitive and should always be handled with the utmost care. All it takes is a simple misclick or misspelling to send private information to the wrong person. Such a mistake could lead to a lawsuit and/or fines.

It’s important to remember that HIPAA protects patients, not covered entities. That’s why it’s critical that your organization has a cyber liability insurance policy to cover any potential data breaches. According to the Ponemon Institute’s Cost of a Data Breach Survey, the average per record cost of a data breach was $188 in 2012, and the average organizational cost of a data breach was $5.4 million.

If a Data Breach Occurs

If a data breach occurs, act immediately: the HIPAA Breach Notification Rule sets deadlines for notifying affected individuals, HHS and (for large breaches) the media, and most states have their own breach notification laws, often requiring notice to the state attorney general. Civil penalties for HIPAA violations are tiered by culpability and can reach $1.5 million per year for all violations of an identical provision.

Under HIPAA, covered entities must notify affected individuals without unreasonable delay, and in no case later than 60 calendar days after discovering a breach of unsecured protected health information.

Covered entities that experience a breach affecting more than 500 residents of a state or jurisdiction are, in addition to notifying the affected individuals, required to provide notice to prominent media outlets serving the state or jurisdiction.

In addition to notifying affected individuals and the media (where appropriate), covered entities must notify the Secretary of HHS: within the same 60-day window for breaches affecting 500 or more individuals, and in an annual log, submitted within 60 days of the end of the calendar year, for smaller breaches.

Plan Ahead

You can never see a data breach coming, but you can always plan for a potential breach. Contact The Buckner Company today. We have the expertise to ensure you have the proper coverage to protect your company against a cyber attack.

Cyber Risks & Liabilities: Defining, Identifying, and Limiting Cyber Crime

April 25, 2014

Technology Risk Insights

A vast amount of information is now stored on computer servers and databases, and it grows every day. Because that information has great value, hackers are constantly looking for ways to steal or destroy it.

Cyber crime is one of the fastest growing areas of criminal activity. It can be defined as any crime where:

  • A computer is the target of the crime
  • A computer is used to commit a crime
  • Evidence is stored primarily on a computer, in digital format

Understanding the various types of cyber crime can help you identify and plan for a potential cyber crime against your firm.

Computer Intrusions

It is both a federal and a state crime to gain unauthorized access to a computer system. The federal Computer Fraud and Abuse Act (18 U.S.C. § 1030) defines seven offenses that can be characterized as unauthorized access or computer intrusion:

  1. Obtaining national security information
  2. Compromising confidentiality
  3. Trespassing in a government computer
  4. Accessing to defraud and obtain value
  5. Damaging a computer or information
  6. Trafficking in passwords
  7. Threatening to damage a computer

Types of Computer Intrusions

Computer intrusions can come from an internal source, such as a disgruntled employee with an intimate knowledge of the computer systems, or an external source, such as a hacker looking to steal or destroy a company’s intangible assets. The hacker can use a host of different means to try and steal or destroy your data in the following ways:

  • Viruses – A virus is a small piece of code that attaches itself to a program already on your computer and spreads by copying itself into other programs, often altering or destroying data along the way. Email viruses became a popular infection method in the late 1990s: a user opened an infected document attached to a message, and the code inside it mailed the document to contacts in the user's email address book. Some spread so fast that companies had to shut down their email servers until the infection was cleaned up.
  • Worms – A worm is a computer program that can copy itself from machine to machine, using a machine’s processing time and network’s bandwidth to completely bog down a system. Worms often exploit a security hole in some software or operating system, spreading very quickly and doing a lot of damage to a business.
  • Trojan horses – Common in email attachments, Trojans hide inside programs that appear harmless and, like the Greek story, do their damage once inside. Also like the story, the user plays a part in letting the Trojan in: Trojans do not copy themselves the way viruses and worms do, so they rely on a user knowingly or unknowingly running the file (often an .exe disguised as something else) that installs them.
  • Spyware – Spyware can be installed on a computer without the user ever knowing it, usually from downloading a file from an untrusted source. Spyware can be used by hackers to track browsing habits or, more importantly, collect personal information such as credit card numbers.
  • Logic bombs – Logic bombs are pieces of code that are set to trigger upon the happening of an event. For example, a logic bomb could be set to delete all the contents on a computer’s hard drive on a specific date. There are many examples of disgruntled employees creating logic bombs within their employer’s computer system. Needless to say, logic bombs can cause serious damage to a company’s digital assets.
  • Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks – DoS and DDoS attacks flood a target server with more traffic or requests than it can handle, leaving it unable to serve legitimate users. In a DDoS, the attacker first takes control of many computers (a botnet) and directs them all at the target at once. The result could be thousands or millions of dollars in lost sales for an online retailer and a complete loss of productivity for many businesses.

Limiting Intrusions

A computer intrusion could put your valuable digital assets at risk. That’s why your company should have the following measures in place to limit computer intrusions and protect your assets:

  • Firewalls – A firewall inspects incoming and outgoing network traffic and decides, based on rules, whether each connection should be allowed through. Firewalls come as software on each computer (most operating systems now include one) and as dedicated devices at the network edge. They are not the be-all and end-all of preventing intrusions, but they are a reliable start.
  • Routers – Routers are hardware devices that forward traffic between your network and the Internet. Most small-business and home routers also perform network address translation and include a built-in firewall, which together keep unsolicited inbound connections from reaching the machines behind them. Unlike the firewall built into an operating system, a router protects every device on the network, and it must be purchased and configured separately.
  • Antivirus programs – As their name implies, antivirus programs are designed to catch and eliminate or quarantine viruses before they can harm a computer system. Antivirus programs run in the background to ensure your computer is protected at all times. While they are updated frequently, they may not catch the newest viruses that are floating around.
  • Policies – Every company, no matter its size, should have policies in place to educate employees on the dangers of computer intrusions and ways to prevent them. Make sure your employees know not to open, click on or download anything inside emails from untrusted sources. Employees with an intimate knowledge of the company’s computer network should also be alerted of the potential consequences of hacking into the system.
  • Common sense – Everyone claims to have it, but if that were actually the case, many viruses, worms and Trojans would cease to exist. The simple fact is that everyone in the company needs to exhibit some common sense when using a computer. Encourage employees to disregard emails with subject lines and attachments that seem bogus or too good to be true.

Review Your Risks and Coverage Options

A computer intrusion could cripple your company, costing you thousands or millions of dollars in lost sales and/or damages. Contact The Buckner Company today. We have the tools necessary to ensure you have the proper coverage to protect your company against losses from computer intrusions.

Cyber Risks & Liability: Basic Loss Control Techniques

April 25, 2014

Technology Risk Insights

Protecting your business from cyber risks can be an overwhelming venture. Every day brings more newly discovered malware, more spam in your inbox and yet another well-known company that is the victim of a data breach.


The world will never be free of cyber risks, but there are many loss control techniques you can implement to help protect your business from exposures.


  1. Install a firewall for your network.

Operating systems often come with pre-installed firewalls, but they are generally designed to protect just one computer. Examine the firewall’s options and select the best configuration to keep the computer safe.


If your business has a network of five or more computers, consider buying a network firewall. They can be pricey, but a network firewall filters traffic for the entire network at its edge rather than protecting one machine at a time.


  2. Install anti-virus, anti-malware and anti-spyware software.

This loss control technique is one of the easiest and most cost-effective ways to increase security at your business. Install the software on every computer in your network: a machine without it is far more likely to be compromised and can spread malware to other computers on the network. There are many viable options for each type of software, ranging in price from free to an annual subscription. Keep the software, and especially its detection signatures, as up to date as possible.


  3. Encrypt data.

No firewall is perfect. If an attacker gets through your firewall and into your network, unencrypted data is a sitting duck. Encryption makes the data unreadable to anyone who does not hold the key, which means the keys must be protected at least as carefully as the data itself. Consider full-disk encryption for laptops and drives, file-level encryption for sensitive documents, and encryption for email messages that carry confidential information.


  4. Use a Virtual Private Network (VPN).

A VPN lets employees reach your company's network over an encrypted tunnel from anywhere, replacing dial-in remote-access servers and leased lines and the costs that go with them. Because the tunnel authenticates the user and encrypts the traffic, sensitive data is protected from eavesdropping on untrusted networks such as hotel or home Wi-Fi. If your company has salespeople in the field or employees who work from home, a VPN is an effective way to reduce cyber risk, provided the VPN gateway itself is kept patched and access requires strong, preferably multi-factor, authentication.


  5. Implement an employee password policy.

One of the most overlooked ways to keep your business safe is a written password policy. The policy should require long passwords that are easy to remember but hard to guess, combining letters, numbers and special characters; for example, "M1dwbo1025" is derived from the sentence "My first daughter was born on Oct. 25th." Passwords that contain dictionary words or predictable sequences (abc123, qwerty, etc.) should never be allowed, and new passwords should be checked against lists of passwords exposed in past breaches. Many policies still force a change every 90 days; note that current NIST guidance (SP 800-63B) recommends changing passwords when compromise is suspected rather than on a fixed schedule, because forced rotation pushes users toward predictable variations.


Let employees know that they should not write passwords down and leave them in a desk or out in the open. If they have trouble remembering passwords, a password manager is the right tool, and it makes long, unique passwords for each system practical.
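A policy is only as good as the check that enforces it. The following is an added example for this article, not code from the original page: a password checker that applies the rules just described (minimum length, mixed character classes, no dictionary words even with digits appended, no common sequences, no user name) and also looks the candidate up in a set of SHA-1 hashes of known-breached passwords, which is how breach corpora are commonly distributed. The dictionary, sequence list and breached set are small constructed stand-ins for the full lists you would load from files.

```python
"""Password policy check for the rules laid out above.

This is an added example for this article, not code from the original page.
The rules (length, mixed character classes, no dictionary words, no common
sequences) are the article's. The dictionary, sequence list and breached-
password set below are small constructed stand-ins for the real lists you
would load from files; the SHA-1 set mirrors how breach corpora are published.
"""
import hashlib
import re

MIN_LENGTH = 10

# Constructed stand-ins for real word lists.
DICTIONARY = {"password", "welcome", "summer", "winter", "dragon", "monkey", "football"}
COMMON_SEQUENCES = ("abc123", "qwerty", "123456", "letmein", "iloveyou", "111111")
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("Password1!", "Welcome2014")
}
CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def check_password(pw, username=""):
    """Return the list of policy violations for pw; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, pw)) for p in CLASS_PATTERNS)
    if classes < 3:
        problems.append("needs at least three of: lowercase, uppercase, digit, special")
    low = pw.lower()
    if any(seq in low for seq in COMMON_SEQUENCES):
        problems.append("contains a common keyboard or number sequence")
    # Strip digits and punctuation so "Summer2014!" is still recognised as "summer".
    stem = re.sub(r"[^a-z]", "", low)
    if stem in DICTIONARY:
        problems.append("based on a dictionary word")
    if username and username.lower() in low:
        problems.append("contains the user name")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in a known breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ("M1dwbo1025", "abc123", "Summer2014!!", "Password1!"):
        verdict = check_password(candidate) or ["accepted"]
        print(f"{candidate!r}: {'; '.join(verdict)}")
```

In production, replace the toy breached set with a full offline corpus or a range query against a breach-lookup service, and keep the dictionary check loose: the stem-based test above catches "Summer2014!!" but would not catch two concatenated words, which is acceptable because length does more for strength than any character-class rule.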


  6. Back up data regularly.

Important data should be backed up daily and in multiple locations, at least one of them off-site. Besides protecting against cyber risks such as a destructive intrusion, an off-site copy survives physical events such as fire or tornado. Test restores periodically; a backup that has never been restored is not known to work.


Restrict access to backed-up data; the public should never be able to reach it. If backups are on physical media such as tapes or portable drives, keep them in locked filing cabinets in a locked room and issue keys only to those who absolutely need them.


  7. Develop a business continuity plan.

If the worst should happen and your company suffers a data breach or similar attack, you should have a business continuity plan in place. A business continuity plan helps:

  • Facilitate timely recovery of core business functions
  • Protect the well-being of employees, their families and your customers
  • Minimize loss of revenue/customers
  • Maintain public image and reputation
  • Minimize loss of data
  • Minimize the critical decisions to be made in a time of crisis


The plan should identify potential cyber risks, along with the recovery team at your company assigned to protect personnel and property in the event of an attack. The recovery team should conduct a damage assessment of the attack and guide the company toward resuming operations.


We Are Your Loss Control Expert

Keeping your data safe from cyber risks requires constant attention to reduce both the likelihood and the impact of an attack. The Buckner Company has the resources and know-how to help you identify potential risks and keep your business running smoothly if an attack does occur.

Construction Risk Insights: Providing Safety for Women in Construction

By | April 22, 2014

As increasing numbers of women enter the construction trades, concerns about their health and safety are growing. In addition to the primary safety and health hazards faced by all construction workers, there are safety and health issues specific to female construction workers. The small percentage of females within the construction trades and the serious health and safety problems unique to female construction workers have a circular effect. Safety and health problems in construction create barriers to women entering and remaining in this field. In turn, the small numbers of women workers on construction worksites foster an environment in which these safety and health problems arise or continue.

Hazards for Women on Construction Sites

  1. Workplace culture – The construction industry has been overwhelmingly male-dominated for years, and on many job sites, female construction workers are not welcome. Isolation—working as the only female on a job site or being ostracized by co-workers—evokes both stress and fear of assault. Many female construction workers say that they are reluctant to report workplace safety and health problems for fear of being tagged as complainers or whiners, which would further strain their workplace relationships and jeopardize their employment.
  2. Hostile workplace – A hostile workplace presents safety and health concerns on several levels, ranging from a lack of training and safety information to physical assault. The effects of a hostile workplace can be reflected in acute as well as chronic stress reactions. OSHA has already begun to recognize workplace violence as an occupational safety and health issue.
  3. Sexual harassment – Sexual harassment is a serious problem for female construction workers. Sex discrimination and anti-women attitudes are still prevalent on worksites, despite the fact that sex discrimination is illegal. According to a USA Today analysis of U.S. Equal Employment Opportunity Commission and Bureau of Labor Statistics data, female construction workers had the second-highest rate of sexual harassment complaints per 100,000 employed women. Female miners had the highest rate.

Sexual harassment complaints at worksites range from subtle forms such as being stared at or seeing “pinups” of naked and nearly naked women to more blatant forms such as unwanted sexual remarks (including comments on appearance), being touched in sexual ways and sexual assault.

One illustration of how sexual harassment is an occupational safety and health issue can be found in a recent settlement between a construction company and 14 employees, seven of them female. According to the Department of Labor, L&M Construction permitted sexual harassment, retaliated against workers who complained about a hostile work environment and interfered with a federal investigation. During a workers’ outreach forum in May 2012, department officials were alerted to complaints of sexual harassment that included inappropriate touching, lewd acts, sexual gestures, comments and propositions directed at female employees of L&M between May 1, 2011, and April 30, 2012. Officers discovered that the company terminated nine employees for complaining about the hostile work environment created by this harassment and then fired five more workers to prevent them from being interviewed during a compliance review.

  4. Hazard reporting – The work culture described above—combined with female construction workers’ more tenuous hold on their jobs than that of the more senior workers or male workers—often deters women from reporting unsafe or unhealthy working conditions. Women in a NIOSH study reported that they could not bring up the issue of proper restrooms or worksite safety, because doing so might threaten their jobs.
  5. Access to sanitary facilities – Access to sanitary facilities is frequently a problem on new construction sites. Temporary facilities are usually unisex, often without privacy and generally not maintained well. The availability and cleanliness of restroom facilities are major concerns for women. According to a survey report by Chicago Women in Trades (CWIT), 80 percent of female construction workers have encountered worksites with dirty toilets or no toilets. Respondents to the CWIT survey said that facilities, when available, were filthy or were some distance from the site. Unclean facilities and the avoidance of using them can result in disease, including urinary tract infections (which can happen when a person delays urinating). Because of this, women report that they avoid drinking water on the job, risking heat stress and other health problems. Courts have found that the lack of appropriate sanitary facilities is discriminatory and violates OSHA standards.
  6. Personal protective equipment (PPE) and clothing (PPC) fitment – Many women in nontraditional jobs, such as the construction trades, complain of ill-fitting PPC and PPE. Clothing or equipment that is not sized properly or does not fit can compromise personal safety and the protection offered. It also may not function effectively in the manner for which it was designed. This can cause serious health and safety risks for women.

Ill-fitting PPE may be due to unavailability (i.e., manufacturers don’t make it or distributors don’t stock it), limited availability or lack of knowledge among employers and workers about where equipment designed for a woman’s body structure can be obtained.

  7. Ergonomics – Studies have shown that to reduce work-related musculoskeletal disorders, tools, materials and equipment should be designed based in part on ergonomic considerations. Tools and equipment, like clothing, are often designed to be used by average-sized men.

Handle size and tool weight are designed to accommodate the size and strength of men, yet the average hand length of women is 0.8 inches shorter than the average man’s. A woman’s grip strength averages two-thirds of the power of a man’s grip. The grips of tools are typically too thick. Tools like pliers require a wide grasp, which puts too much pressure on the palm, leading to the loss of functional efficiency. In addition, women do not receive training on how best to use tools and equipment designed for men.

  8. Reproductive hazards – There is inadequate information on the extent to which female construction workers are exposed to reproductive hazards in the workplace. Reproductive hazards are defined as chemical, physical or biological agents that can cause either reproductive impairment or adverse developmental effects on fetuses.

Only a few agents or conditions have been identified as being capable of producing structural abnormalities or birth defects, with a fraction of those being common to construction sites (e.g., polychlorinated biphenyls (PCBs), hypothermia and, for hazardous waste workers, ionizing radiation). In addition, several agents such as lead, solvents and pesticides have been recognized to affect sperm development. The vast majority of construction workers are of reproductive age and are at risk of potential harm if exposed to chemicals and conditions which have not been fully studied with respect to their reproductive hazards in humans.

Some employers find it easier to resolve potential problems by denying jobs to women, especially pregnant women. This is in spite of Supreme Court rulings prohibiting employers from continuing this practice. While these actions may be well-intended, their effect is needless limitation on work opportunities for women. This can lead to discriminatory treatment and result in a female construction worker hiding her pregnancy, possibly endangering herself and/or her unborn child.

Recommendations for Improving Female Safety

Workplace culture

  • Include sexual harassment prevention training in safety and health programs.
  • Ensure all communication materials are gender-neutral and include women. Visual materials should include examples of female construction workers to promote an integrated construction workplace.
  • To address the problem of workplace isolation, employers, apprenticeship programs and unions (where responsible) should assign female workers to work in groups of two or more when possible, especially those who are relatively new to the construction trade.
  • Make sure supervisors are trained in ensuring the safety of female workers and can answer any questions workers may have.

Sanitary facilities

  • Gender-separate sanitary facilities should be provided on worksites.
  • Where changing rooms are provided on construction sites, they should also be gender-separated and provided with inside and outside locking mechanisms.
  • Employees should be allowed to use sanitary or hand-washing facilities as needed.
  • Toilet facilities should be kept clean and in good repair with clean toilet paper within reach.
  • Hand-washing facilities should exist within close proximity to toilet facilities.

Health and safety training

  • Employers and unions should make skills training courses available and encourage all workers to take advantage of them.
  • Journeymen should establish mentoring relationships with new workers to provide informal skills and safety training.
  • Supervisors need to emphasize safety as well as productivity on the job site.
  • Employers should emphasize that safety training is as important as skills training.

PPE and PPC

  • The design of PPE and PPC for women should be based on female measurements.
  • Union apprenticeship programs should provide female construction workers with resources on where to find equipment and clothing that fits.
  • Employers should make sure that all workers of all sizes have well-fitting PPE and PPC for safe and efficient performance.
  • PPE intended for use by women workers should be based upon female anthropometric (body measurement) data.

Ergonomics

  • It should be accepted that some workers need to use different lifting and material handling techniques.
  • Employers, unions, apprenticeship programs and other training entities should review skills training programs to see whether alternative methods are included for getting work accomplished by workers of different sizes or strengths. All programs should emphasize the importance of safe lifting.
  • Workers need to hear from employers and unions that it’s acceptable to ask for help and to explore alternative ways to lift and carry.
  • All workers should be trained in the proper ways to lift and bend.

Reproductive hazards

  • Employers should post Safety Data Sheets (SDS) for each chemical present on the worksite.
  • Workers should read all SDSs and share the information with their physicians if they are pregnant or planning to start a family.
  • All workers should educate themselves about the potential reproductive risks from exposure to certain chemicals.
  • Employers should make reasonable accommodations for workers in later stages of pregnancy, rather than forcing them out of the workplace.
  • During the later stages of pregnancy, women should consult with their physicians about strenuous physical activities on the job.


Source: OSHA

Construction Risk Insights: Job-made Wooden Ladders

By | April 22, 2014

Workers who use job-made wooden ladders risk permanent injury or death from falls and electrocutions. By understanding the hazards that workers are likely to encounter while working on job-made wooden ladders, employers can take steps to reduce injuries through proper training.

What is a Job-made Wooden Ladder?

A job-made wooden ladder is a ladder built at the construction site. It is not commercially manufactured. A job-made wooden ladder provides access to and from a work area. It is not intended to serve as a work platform. These ladders are temporary, and are used only until a particular phase of work is completed or until permanent stairways or fixed ladders are installed.

Training Requirements

Employers must provide a training program for employees who use ladders and stairways. The training must enable each worker to recognize ladder-related hazards and to use ladders properly to minimize hazards.


Constructing a Safe Job-made Wooden Ladder


Side rails

  • Use construction-grade lumber for all components.
  • Side rails of single-cleat ladders up to 24 feet long should be made with at least 2-by-6-inch nominal stock lumber.
  • Side rails should be continuous, unless splices are the same strength as a continuous rail of equal length.
  • The width of single-rung ladders should be at least 16 inches, but not more than 20 inches between rails measured inside to inside.
  • Rails should extend above the top landing between 36 inches and 42 inches to provide a handhold for mounting and dismounting, and cleats must be eliminated above the landing level.
  • Side rails of ladders that could contact energized electrical equipment should be made using nonconductive material. Keep ladders free of any slippery materials.



Cleats

  • Cleats should be equally spaced 12 inches on center from the top of one cleat to the top of the next cleat.
  • Cleats should be fastened to each rail with three 12d common wire nails which are nailed directly onto the smaller surfaces of the side rails.
  • Making cuts in the side rails to receive the cleats is not advisable.
  • Cleats should be at least 1 inch by 4 inches for ladders 16 feet to 24 feet in length.


Filler Blocks

  • Filler should be 2-by-2-inch wood strips.
  • Insert filler between cleats.
  • Nail filler at the bottom of each side rail first. Nail the ends of a cleat to each side rail with three 12d common nails. One nail is placed 1½ inches in from each end of the filler block.
  • Nail the next two fillers and cleat, and then repeat. The ladder is complete when filler is nailed at the top of each rail.
  • Make all side rails, rungs and fillers before the ladder is assembled.


Inspecting Ladders

  • A competent person must visually inspect job-made ladders for defects on a periodic basis and after any occurrence that could affect their safe use.
  • Defects to look for include: structural damage, broken/split side rails (front and back), missing cleats/steps and parts/labels painted over.
  • Ladders should be free of oil, grease and other slipping hazards.


Safe Ladder Use—Dos:

To prevent workers from being injured from falls from ladders, employers are encouraged to adopt the following practices:

  • Secure the ladder’s base so that it does not move.
  • Smooth the wood surface of the ladder to reduce injuries to workers from punctures or lacerations and to prevent snagging of clothing.
  • Use job-made wooden ladders with spliced side rails at an angle so that the horizontal distance from the top support to the foot of the ladder is one-eighth the working length of the ladder.
  • Ensure that job-made wooden ladders can support at least four times the maximum intended load.
  • Only use ladders for the purpose for which they were designed.
  • Only put ladders on stable, level surfaces that are not slippery, unless they are secured to prevent accidental movement.
  • Ensure that the worker faces the ladder when climbing up and down.
  • Maintain a three-point contact (two hands and a foot, or two feet and a hand) when climbing a ladder.
  • Keep ladders free of any slippery materials.
  • Maintain good housekeeping in the areas around the top and bottom of ladders.


Safe Ladder Use—Don’ts:

To prevent injuries, employers are encouraged to avoid the following practices:

  • Painting a ladder with nontransparent coatings
  • Carrying any object or load that could cause the worker to lose balance and fall
  • Subjecting a job-made wooden ladder to excessive loads or impact tests


Contact The Buckner Company at [B_Phone] for additional information and employee training materials on ladder safety or fall prevention in general.


Source: OSHA

Work Comp Insights: The Defense Base Act

By | April 22, 2014

The Defense Base Act (DBA) was established in 1941 to protect workers on military bases outside the United States. Overseas federal military and public works contractors are subject to the same workers’ compensation rules—including the same insurance requirements and schedules of benefits for affected workers—as maritime firms covered by the Longshore and Harbor Workers’ Compensation Act (LHWCA). As an employer, it is your responsibility to buy insurance, or to self-insure, for injuries sustained by workers covered under the DBA.



The DBA is an extension of the LHWCA, which was passed in 1927 to provide uniform workers’ compensation benefits to longshoremen and harbor workers injured on the navigable waters of the United States.


The rules of the LHWCA apply to the DBA in regard to:

1. Compensation rates

2. Filing times

3. Forms

4. Appeals

5. Rules of evidence and submission

6. Medical benefits

7. Schedule for permanent loss


An amendment was added in 1958 to clarify that service contracts, even those which do not directly provide for “construction, alteration, removal or repair,” are included in the definition of public work.



Who/What is Covered by the Defense Base Act?

The DBA covers the following employment activities:

  1. Any defense base acquired from any foreign government
  2. Lands occupied or used by the United States for military purposes outside the continental United States
  3. Public work in any Territory or possession under a contract with the United States
  4. Public work outside the United States not covered under (3)
  5. Contract outside the United States approved and financed by the United States.
  6. Welfare or similar services outside the United States for troops authorized by the Department of Defense


Zone of Special Danger Doctrine

The DBA applies to injuries and deaths that arise out of and in the course of employment abroad. Under the “Zone of Special Danger” doctrine, injuries and deaths that occur outside regularly assigned job duties or work hours may also be covered. Because overseas workers are far from family and friends, courts have held that their recreational and social activities are not comparable to those of employees working at home; such activities are treated as incident to the overseas employment relationship, so injuries that result from them may be covered under the doctrine.


Defense Base Act Exceptions

Common exceptions to coverage under the Defense Base Act include injuries caused by the willful misconduct of an employee, the drug or alcohol use of an employee, or “acts of God.” Traditionally, only injuries or deaths that resulted from specific accidents were covered by workers’ compensation. Today’s workers’ compensation policies generally provide coverage for illnesses or other conditions, such as hearing loss, that are the result of prolonged exposure to a dangerous workplace environment.


Your Workers’ Compensation Resource

Since Defense Base Act coverage can be a complex issue, depending on both the location and the nature of the employee’s work, it is best to discuss coverage details with The Buckner Company today.


More information is also available from your local Longshore District Director office, which covers DBA claims, at Benefit levels can be calculated using the statistics found at