Tag Archives: security

Why Does GDPR Matter for The Cannabis Industry?

By Marguerite Arnold

The global cannabis industry is hitting thorny regulatory challenges everywhere these days as the bar is raised for international commerce. First it was recognition that the entire production industry in Canada would basically have to retool to meet European (medical and food) standards. And that at least for now for the same reasons, American exports are basically a no go.

However, beyond this, the battle over financial reporting and other compliance of a fiscal kind has been a hot topic this year on European exchanges.

As of this summer, (and not unrelated to the other two seismic shifts) there is another giant in the room.

If you haven’t heard about it yet, welcome to the world of EU GDPR (European Union General Data Privacy Regulation).

The German version is actually Europe’s highest privacy standard, which means for the cannabis industry, this is the one that is required for operations here across the continent if you are in this business.

What is it, and what does it mean for the industry?

GDPR – The Elevator Pitch

Here is why you cannot ignore it. The regulation affects bankers as much as growers, distributors as much as producers and of course the entire ecosystem behind medical production and distribution across Europe and actually far beyond it. Starting of course, with patients but not limited to them. The law in essence, applies to “you” whoever you are in this space. That is why it becomes all that much more complicated in the current environment.

While this is complex and far reaching, however, there are a couple of ways to think about this regulation that can help you understand it and how to manage to it (if not innovate with it).

The first is, to American audiences at least, that GDPR is sort of like HIPAA, the federal American privacy civil rights statute that governs medical privacy law. Except, of course, this being Europe, it is far more robust and far reaching. It touches every aspect of electronic privacy including data storage, retention, processing and security that is applicable to modern life. And far, far, beyond just “patients.”

Broadly, the legislation, which came into force this year, with real teeth (4% of global revenues if you get it wrong), applies to literally every aspect of the cannabis industry for two big reasons beyond that: medical issues, which are the only game in town right now in Europe (and thus require all importers to also be in compliance), and financial regulatory requirements.

The requirements in Germany are more onerous than they are in the rest of Europe. Therefore, they also affect the cannabis industry in a big way, especially since there is at this point a great deal of European cultivation with the German (and now British) medical market in mind. Further Germany is becoming European HQ for quite a few of the Canadian LPs. That means German standards apply.

The UK, for those watching all Brexit events with interest, will also continue to be highly affected by this. Whether it stays in the EU or not, it must meet a certain “trusted nation” status to be able to transact with the continent in any kind of favoured nation status.

Bottom line? It is big and here and expensive if you screw it up. If considering doing any kind of business with European customers, start hitting the books now. Large mainstream media organizations in the United States and Canada right now are so afraid of the consequences of getting this wrong that they have blocked readership from Europe for the present. Large financial institutions also must not only be in compliance but compliance of companies also guides their investment mandates on the regulatory front.

For all of these reasons, the cannabis industry would do well to take note.

What Does This Mean for The Cannabis Industry?

The Canadian and rest of the global industry is still struggling with compliance and this will have some interesting repercussions going forward.

Immediately, this means that all websites that are targeted to German eyes (read Canadian LPs and international, even English-only press) should hire German side compliance experts for a quick GDPR audit. There are few European experts at this point, and even fewer foreign ones. It is worth a call around to find out who is doing this auf Deutschland and bite the bullet.

It also means that internally, patient data must be handled and stored differently. And furthermore, it is not just “patients” who have this right, but everyone who transacts with your electronic or other presence. That includes consumers, subscribers to email newsletters and other stakeholders in the industry.

As the cannabis industry also starts to embrace technology more fully, GDPR will also have a highly impactful influence on what actually passes for a compliant technology, particularly (but not only) if it is customer facing.

On the marketing side, GDPR is currently causing no end of headaches, starting with PR and customer outreach teams who are trying to figure out how much of their master mailing lists they can keep and which they cannot. On this front, Mail Chimp is undeniably the go-to right now and has also implemented easy to understand and use technology that is being adopted by European marketers and those targeting Europe.

Stay tuned for more coverage on GDPR as we cover how data protection and privacy regulations will impact cannabis businesses, their marketing and outreach, plus service design efforts (in particular to patients) and other areas of interest.


10 Questions To Ask Before Installing a Remote Monitoring System

By Rob Fusco

No matter the size of your cannabis greenhouse operation, keeping your plants alive and healthy requires the best possible growing environment. This means greenhouse managers and personnel must frequently monitor the status of environmental conditions and equipment. The sooner someone discovers extreme temperature fluctuations, rising humidity or equipment failure, the more inventory you can save.

Image 1: Cloud-based remote monitoring system in protective enclosure

That’s why integrating a remote monitoring system into your greenhouse operation can save you time, money and anxiety. Monitoring systems that use cloud-based technology let you see real-time status of all monitored conditions and receive alerts right on your mobile device.

Installing a monitoring system and sensors can be easier than you might think. Here are answers to ten questions to ask before installing a cloud-based monitoring system:

1. What is required to use a remote monitoring system?

Most remote monitoring systems require an internet or WiFi connection and access to an electrical outlet. Programming is done through a website, so it’s easiest to use a computer for the initial setup. If you don’t have an internet connection at your location, you’ll want to choose a cellular system. Make sure that there’s sufficient signal strength at your site, and check the signal quality in the area before purchasing a cellular device.

2. How do we determine what kind of monitoring system and sensors we need?

A reputable manufacturer will have a well-trained support team that can assess your needs even without a site visit to determine which products are best for your application. If you feel you need them to check out your greenhouse operation, many companies can set up a video conference or FaceTime chat to substitute for being on site.

You will want to provide details about the scope and purpose of your cannabis growing operation. Important factors to discuss include:

  • Skeletal structure of the greenhouse (metal, plastic, wood, etc.) and the covering material (glass or plastic).
  • Floor space square footage and height of each of your greenhouses.
  • Number of greenhouse structures in your operation.
  • Outdoor climate to determine if you rely more on heating or air conditioning and the level of humidity control needed.
  • Space dedicated to phases of growth (cloning and propagation, vegetative, flowering) and the microclimates needed for each.
  • Types of lighting, ventilation and irrigation systems.
  • Level of technological automation versus manual operation in place.

The monitoring system representative will then determine the type of system that would best serve your operation, the number of base units you will need and the types of sensors required.

Image 2: Temperature display provides quick view of sensor data

The representative should also be able to provide tips on the placement of the sensors you’re purchasing. For example, to ensure thorough air temperature coverage, place sensors throughout the greenhouse, next to the thermostat controlling the room temperature and in the center of the greenhouse out of direct sunlight.

Note that there shouldn’t be a cost for a demo, consultation or assistance throughout the sales process. Be sure to ask if there are any fees or licenses to keep using the monitoring equipment after you purchase it.

3. Are sensors included with the monitoring system?

In most cases, sensors are sold separately. The sensors you select depend upon the conditions you want to monitor and how many you can connect to your base unit. Certainly, temperature is critical, but there are many other factors to deal with as well, such as humidity, CO2, soil moisture, water pH, power and equipment failure, ventilation and physical security.

For example, humidity has a direct impact on the photosynthesis and transpiration of plants. High humidity can also cause disease and promote the growth of harmful mold, algae and mildew. Sensors can detect changes in humidity levels.

Image 3: Water pH sensor

Like any other plant, cannabis needs CO2 to thrive, so it’s a good idea to include a CO2 sensor that will signal to the monitoring device when readings go out of the preset range. There are even sensors that you can place in the soil to measure moisture content to help prevent over- or underwatering, budget water usage costs, promote growth and increase crop yield and quality.

Of course, all the critical systems in your growing facility—from water pumps to irrigation lines to louvers—rely on electrical power. A power outage monitoring sensor detects power failure. It can also monitor equipment for conditions that predict if a problem is looming, such as power fluctuations that occur at specific times.

Ventilation systems not only help control temperature, they also provide fresh air that is critical to plant health. Automated systems include features like vented roofs, side vents and forced fans. Sensors placed on all these systems will send personnel an alert if they stop running or operate outside of preset parameters.

To monitor the physical security of your greenhouses, you can add sensors to entrance doors, windows, supply rooms and equipment sheds. During off hours, when no staff is on duty, you can remain vigilant and be alerted to any unauthorized entry into your facility.

4. Do monitoring systems only work with the manufacturer’s sensors?

Not necessarily. For example, certain monitoring units can connect with most 4-20mA sensors and transmitters regardless of the brand. When selecting sensors, you might have a choice between ones that are designed by the manufacturer to work specifically with the monitoring system or universal components made by a third party. If the components aren’t made by the system manufacturer, you’ll want to find out if they have been tested with the monitor you are choosing and if you need to work with another vendor to purchase the parts.

A humidity sensor mounted in a weatherproof enclosure

5. Is a monitoring system easy to set up, or do we need to hire an electrician?

Many monitoring systems are quick and easy to install, and users can often set them up without hiring an outside expert. Look for one that requires only a few simple physical installation steps. For example:

  1. Mount the device to the wall or somewhere secure;
  2. Plug it into an electrical outlet and an internet connection;
  3. Connect the sensors.

You connect the sensors to the base unit’s terminal strip using wire, which is included with many sensors. The range of many wired sensors can be extended up to 2,000 feet away from the base unit by adding wire that can be easily purchased at any home store. It’s a good idea to hire an electrician if you need to run wires through walls or ceilings.

Usually, once you plug in the device and connect the sensors, you then create an account on the manufacturer’s designated website and begin using your device. There should be no fee to create an account and use the site.

If the manufacturer doesn’t offer installation services, ask if they can recommend a local representative in your area who can set up your system. If not, make sure they provide free technical support via phone or email to walk you through the installation and answer any questions you might have about programming and daily usage.

6. Is there a monthly fee to access all the functionality of a monitoring device?

Many web- or cloud-based systems provide free functionality with some limitations. You might have to purchase a premium subscription to unlock features such as text messaging, phone call alerts and unlimited data logging access.

7. Should we get a system that is wired or wireless? Will we need to have a phone line, cable, internet or something else?

Wireless can mean two different things as it relates to monitoring: how the system communicates its data to the outside world and how the sensors communicate with the system.

The most popular systems require an internet or WiFi connection, but if that’s not an option, cellular- and phone-based systems are available.

A hardwired monitoring system connects the sensors to the base device with wires. A wireless system uses built-in radio transmitters to communicate with the base unit. Some monitoring systems can accommodate a combination of hardwired and wireless sensors.

8. Can one system monitor several sensor inputs around the clock?

Once the monitoring system is installed and programmed, it will constantly read the information from the sensors 24/7. Cloud-based systems have data logging capabilities and store limitless amounts of information that you can view from any internet-connected device via a website or app.

If the system detects any sensor readings outside of the preset range, it will send an alarm to all designated personnel. The number of sensors a base unit can monitor varies. Make sure to evaluate your needs and to select one that can accommodate your present situation and future growth.

When a monitoring system identifies a change in status, it immediately sends alerts to people on your contact list. If you don’t want all your personnel to receive notifications at the same time, some devices can be programmed to send alerts in a tiered fashion or on a schedule. Multiple communications methods like phone, email and text provide extra assurance that you’ll get the alert. It’s a good idea to check the number of people the system can reach and if the system automatically cycles through the contact list until someone responds. Some systems allow for flexible scheduling, so that off-duty personnel don’t receive alerts.

9. Do monitoring systems have a back-up power system that will ensure the alarming function still works if the power goes out or if someone disconnects the power?

The safest choice is a cloud-based system that comes with a built-in battery backup that will last for hours in the event of a power failure. Cloud-based units constantly communicate a signal to the cloud to validate their online status. If the communication link is interrupted (for example, by a power outage or an employee accidentally switching off the unit), the system generates an alarm indicating that the internet connection is lost or that there is a cellular communications problem. Users are alerted about the disruption through phone, text or email. All data collected during this time will be stored in the device and will be uploaded to the cloud when the internet connection is restored.

If you opt for a cloud-based monitoring system, make sure the infrastructure used to create the cloud platform is monitored 24/7 by the manufacturer’s team. Ask if they have multiple backups across the country to ensure the system is never down.

10. What should we expect if we need technical support or repairs to the system?

Purchase your system from a reputable manufacturer that provides a warranty and offers full repair services in the event the product stops working as it should. Also, research to make sure their tech support team is knowledgeable and willing to walk you through any questions you have about your monitoring system. Often, support specialists can diagnose and correct unit setup and programming issues over the phone.

It helps to record your observations regarding the problem, so the tech team can look for trends and circumstances concerning the issue and better diagnose the problem. Ideally, the manufacturer can provide loaner units if your problem requires mailing the device to their facility for repair.

Documentation: Are You Prepared?

By Radojka Barycki

Documents play a key role in the world of regulations and global standards. Documents tell the story of program development, implementation and verification during an inspection or audit. Documents are used as evidence to determine conformance to the law or standard. However, do you know what kind of documents may be reviewed during a regulatory inspection or a food safety audit? Are you prepared to show that the implementation of regulatory requirements or a standard is done efficiently at your facility?

Inspectors and auditors will look for compliance either to regulations or to a standard criterion. Regulations and standards require that documentation is controlled, secured and stored in an area where it cannot deteriorate. Therefore, writing a Document Management Program (DMP) will help a business owner ensure consistency in meeting this and other requirements.

Radojka Barycki will host a plenary session titled, “Cannabis: A Compliance Revolution” at the 2018 Food Safety Consortium.

A well-developed and implemented DMP provides control over documents by providing a number sequence and revision status to the document. In addition, ownership for development, review and distribution of the documents is assigned to specific individuals within the company to ensure that there are no inconsistencies in the program. Documents must also have the name of the company in addition to a space to write the date when the record is generated. It is recommended to include the address if there are multiple operational sites within the same company.

There are different types of documents that serve as support to the operations:

  1. Program: A written document indicating how a business will execute its activities. When it comes to the food industry, this is a written document that indicates how quality, food safety and business activities are controlled.
  2. Procedures: General actions conducted in a certain order. Standard Operational Procedures (SOPs) allow the employee to know what to do in general. For example, a truck receiving procedure only tells the employee what the expected conditions are when receiving a truck (cleanliness, temperature, etc.) However, it doesn’t tell the employee how to look for the expected conditions at the time of the truck arrival.
  3. Work Instructions: Detailed actions conducted in a certain order. For example, truck inspection work instruction tells the employee what steps are to be followed to perform the inspection.
  4. Forms: Documents used to record activities being performed. 
  5. Work Aids: Documents that provide additional information that is important to perform the job and can be used as a quick reference when performing the required activities within the job.

The inspectors and auditors base their role on the following saying: “Say what you do. Do what you say. Prove it!” The programs say what the company does. The procedures, work instructions and work aids provide information on implementation (Do what you say) and the forms become records that are evidence (prove) that the company is following its own written processes.

Regulatory requirements for cannabis vary from state to state. In general, an inspector may ask a cannabis business to provide the following documentation during an inspection:

  1. Business License(s)
  2. Product Traceability Programs and Documents
  3. Product Testing (Certificate of Analysis – COAs)
  4. Certification Documents (applicable mainly to cannabis testing labs)
  5. Proof of Destruction (if product needs to be destroyed due to non-compliance)
  6. Training Documents (competency evidence)
  7. Security Programs

As different states legalize cannabis, new regulatory requirements are being developed and modeled after the pharma, agriculture and food industries. In addition, standards will be in place that will provide more consistency to industry practices at a global level. The pharma, agriculture and food industries base their operations and product safety in programs such as cGMPs, GAPs, HACCP-based Food Safety Management Systems and Quality Management Systems. Documents required during an inspection or audit are related to:

  1. Good Agricultural Practices (GAPs)
  2. Current Good Manufacturing Practices (cGMPs)
  3. Food Safety Plan Documents
  4. Ingredient and Processing Aids Receiving
  5. Ingredient and Processing Aids Storage
  6. Operational Programs (Product Processing)
  7. Final Product Storage
  8. Final Product Transportation
  9. Defense Program
  10. Traceability Program
  11. Training Program
  12. Document Management Program

In the always evolving cannabis industry, are you prepared to face document requirements now and in the future?

Soapbox

CannaGrow Expo Heads to Palm Springs

By Aaron G. Biros

We’ve covered the CannaGrow Expo previously, but this time around we catch up with Joseph De Palma, founder of CannaGrow, to talk about the genesis of his conference and what makes the event so special. This year’s CannaGrow Expo heads to Palm Springs, California, a new location for the event, on May 19th and 20th.

We’ve watched De Palma’s conference grow over the years, moving around the country and becoming the tight-knit community we know it as today. The meat and potatoes of the show are definitely the educational sessions, panel discussions, roundtables and the expo hall. But covering it year after year we’ve noticed a real sense of community develop, one where genuine idea sharing, collaboration and inclusivity are preached. There are no dumb questions at the CannaGrow Expo.

Tom Lauerman speaks to a room full of attendees at CannaGrow San Diego

According to Joseph De Palma, CannaGrow started in 2014, when the original event was held in Denver. “From the beginning, we wanted to create an event specifically for growers, where the focus was always on education and ‘becoming a better grower’,” says De Palma. “We had experienced the existing events in the marketplace, and almost all fit into two categories at the time, festival, or generic tradeshow. Those were fine for their purpose, but they didn’t foster an environment of education, and that’s what we believed was most important to the emerging cannabis industry.” Back in 2014, their show only had 10 sessions and 30 exhibitors. “Passionate growers from around the country had 2 days of grow-focused sharing and learning, and you could see the energy and excitement,” De Palma says. “Discussions would dive deep, people made new friends, and it really elevated the conversation around cultivation.”

Attendees gather at a lighting exhibit at CannaGrow San Diego

Since the show’s debut, it’s grown substantially. The 7th CannaGrow Expo is fast approaching, and this upcoming conference has four separate tracks and roughly 100 exhibitors. But it still keeps its sense of community, one where you don’t feel crowded, where everyone has time to chat and network, without the overwhelming feeling that can come with larger trade shows. “That inclusivity and open dialog is built in,” says De Palma. “If you go to an event that’s tradeshow dominant, most people are there to walk, shop, and leave. At CannaGrow, growers and extractors come together with a plan for the weekend, remaining in a constant state of engagement with others at the show.”

This year’s show has some exciting additions to look out for. The agenda covers a wide range of topics, including everything from an introduction to growing with living soil to a discussion of cyber security. The Extraction Summit, new to this year’s event and held on Day 2, is their response to the massive rise in popularity and demand of extracts.

Eric Schlissel, president and chief executive officer of GeekTek

Eric Schlissel, cybersecurity specialist, president and chief executive officer of GeekTek, is giving a talk focused on IT infrastructure. “My presentation will center around the actions cannabis businesses need to take right now to repel cybercrime and potential federal seizure,” says Schlissel. “As cannabis operators build their businesses and develop their security strategies, they often focus exclusively on the physical portion of their business – the merchandise and the cash in particular – and overlook the importance of designing and fortifying a secure IT infrastructure. I will discuss the importance of a holistic security strategy that embraces both and how you can both create one and prepare it for expansion into other states or even globally from the very start.” Schlissel’s discussion is one example of just how all-encompassing CannaGrow intends to be.

De Palma and his team leave few stones unturned as the show truly delivers vital information for cannabis cultivators in every area. Some things we are looking forward to? Seeing old friends and learning everything under the sun about cannabis science, growing and extraction. “People get to know each other, and with everyone sharing a core passion for cultivation and extraction, lifelong friendships are made,” says De Palma.


To check out the agenda, speakers and exhibitors, click here.

Iowa’s Medical CBD Program Gets Tracking System

By Aaron G. Biros

BioMauris, LLC became the 5th company in the United States to win a state contract for a seed-to-sale platform today. BioMauris is a technology company that manages product tracking, fulfillment and distribution with a focus on the healthcare market. According to a press release, the company announced today that the state of Iowa selected BioMauris to manage their tracking system for the medical cannabidiol (CBD) program.

That program’s contract includes inventory tracking, medical cannabidiol sales and patient and caregiver registration. In 2014, Iowa’s Medical Cannabidiol Act was signed into law. Three years later, in May of 2017, Governor Terry Branstad expanded the state’s program, including manufacture and dispensing in the previous legislation. On December 1st, 2018, Iowa expects sales to begin and fully implement the program.

This is BioMauris’ first state contract in the cannabis industry. According to the press release, BioMauris bases their platform on Salesforce for point of sale, tracking, customer loyalty and distribution services in the healthcare sector. The company says they use Salesforce because it is extremely customizable and secure.

Erik Emerson, founder and president of BioMauris

According to Erik Emerson, founder and president of BioMauris, they’re poised to deliver on this front, given their experience in other industries. “Our team has extensive history in the pharmaceutical business, and therefore has a unique appreciation for data integrity and security,” says Emerson. “Additionally, we fundamentally believe the opportunity to track patient progress and associate the benefits received with the products used, is an incredible opportunity for the cannabis industry.” BioMauris has worked with clients on similar projects in the healthcare space for some time.

The company touts their platform as fully PCI-DSS and HIPAA compliant, allowing them to process payments and protect sensitive patient information. “Our patented technology, makes this not only possible, but simple for all users,” says Emerson. “We are excited to bring our product to the great state of Iowa and look forward to a long partnership with them. We believe strongly in what Iowa is attempting to do with their program and believe it is a perfect fit with our strategy for the cannabis industry.”


Audit Finds Oregon Lacking Regulatory Oversight and Proper Security

By Aaron G. Biros

Last week, Oregon Secretary of State Dennis Richardson published his office’s audit of The Oregon Liquor Control Commission (OLCC). The audit uncovered a number of inadequacies with the regulatory agency, most notably the problems with their tracking system, designed to prevent cannabis from being sold on the black market.

The report highlights the need for Oregon to implement a more robust tracking system, citing reliance on self-reporting, overall poor data quality and allowing untracked inventory for newly licensed businesses. The audit also found an insufficient number of inspectors and unresolved security issues. According to The Oregonian, the OLCC only has 18 inspectors, roughly one for every 83 licensed businesses.

Auditors also found inadequacies in the application system, saying the OLCC doesn’t monitor third-party service providers and doesn’t have a process in place for reconciling data between the licensing and tracking systems. The audit found there is a risk that decisions made for the program could be based on unreliable data. It also found a risk of unauthorized access to the systems, due to a lack of user account management.

Oregon Secretary of State Dennis Richardson

This audit’s publication is very timely, most notably because U.S. Attorney Billy Williams, who called Oregon’s black market problem “formidable,” convened a summit this week to examine how Oregon can prevent cannabis being exported to other states. According to The Oregonian, Williams said Oregon has an “identifiable and formidable overproduction and diversion problem.” The audit’s findings highlighting security issues are also very timely, given that in the same week, Oregon’s neighbor to the north, Washington, experienced a security breach in its own tracking system.

The problems with the Oregon tracking system’s security features are numerous, the audit says. Auditors found that the OLCC lacks a good security plan, that IT assets aren’t tracked well, that there are no processes to determine vulnerabilities, that servers and workstations are not using supported operating systems and that antivirus solutions are not appropriately managed. “Long-standing information security issues remain unresolved, including insufficient and outdated policies and procedures necessary to safeguard information assets,” reads the report’s summary.

The audit proposes 17 recommendations for the state to bolster its regulatory oversight. Those recommendations intend to address undetected compliance violations, weaknesses in application management, IT security weaknesses and weaknesses in disaster recovery and media backup testing. You can read the full audit here.

Washington Security Breach Delays Traceability System Rollout

By Aaron G. Biros

On February 8th, Peter Antolin, the deputy director for the Washington State Liquor and Cannabis Board (WSLCB), sent an email to licensees explaining why the transition to their new traceability system was disrupted. Last Saturday, someone gained access to the sensitive information in Leaf Data Systems, the state’s traceability software that is powered by MJ Freeway.

“A computer vulnerability was exploited on Saturday, allowing unauthorized access to the traceability system,” Antolin told licensees in the email. “There are indications an intruder downloaded a copy of the traceability database and took action that caused issues with inventory transfers for some users. We believe this was the root cause of the transfer/manifest issue experienced between Saturday and Monday.”

The email goes on to say that no personally identifiable information was available to the ‘intruder,’ but some sensitive information was clearly accessed. That data includes route information of manifests filed between February 1st and 4th as well as transporter vehicle information including VIN, license plate number and vehicle type, according to the email.

That email leaves much to be desired. For one, they do not exactly have a solution, instead trying to alleviate licensees’ worries with a hollow inanity full of meaningless jargon: “The WSLCB and MJ Freeway continue to implement several strategies to prevent future vulnerabilities to future intrusions,” reads the email. “This includes full logging and monitoring and working with third-party entities. Since this remains an active investigation, details on security are not publicly available.” However, today the WSLCB is hosting a webinar where Peter Antolin, their IT division, the MJ Examiners unit and enforcement will be available to answer questions, according to the email.

This is by no means the first security breach that Washington and MJ Freeway have suffered. In May of 2017, Washington originally selected Franwell’s METRC as the contract partner for their traceability software system. Less than a month later in June of 2017, after a mistake in the selection process, Washington selected MJ Freeway instead of Franwell for the traceability contract. Three days later, MJ Freeway’s source code was stolen and published online. Then in September, Nevada cancelled their contract with MJ Freeway after a security breach, their services crashed in Pennsylvania and Spain, and in October it became clear that the company could not meet the October 31 deadline for their new Washington contract.

In November of 2017, BioTrackTHC, the company that held the previous contract for Washington’s traceability software, helped the state through the transition period with a temporary Band-Aid solution to hold the state over until January of 2018. A month after they expected to implement the new MJ Freeway system, the latest security breach occurred this week, disrupting the rollout yet again.

At the end of the email Antolin sent to licensees yesterday, he says there will continue to be attempts to breach the system’s security. “The bottom line is that this incident is unfortunate,” says Antolin. “There will continue to be malicious cyberattacks on the system. This is true of any public or private system and is especially true of the traceability system.” This begs a few questions: why aren’t we hearing about this kind of security breach in other states’ traceability systems? What are other companies doing that prevents this from happening? Why does this keep happening to MJ Freeway?

Soapbox

Digitalization Begins To Innovate Insurance Industry: What Does That Mean For Cannabis?

By Marguerite Arnold

Munich, Germany - In a darkened movie studio on the east end of town, the Digital Insurance Agenda or DIA, the largest insurtech conference in the world, kicked off its annual event in mid-November. The sold-out event attracted about 1,000 top insurance executives from 40 countries and all six continents.

CannabisIndustryJournal attended from the perspective of investigating the overall status of digitalization in the industry. However, there were a couple of things we were on the hunt for. The first was to see how and where blockchain has begun to penetrate the industry. This revolutionary processing and identification layer of digital communications is coming – and fast – to the insurance industry everywhere.

All image credits: MedPayRx (Instagram)

We were also there of course to see if cannabis was anywhere on the agenda. Digitized or not.

By way of disclosure, I am also a high tech entrepreneur with my own insurtech, blockchain-based start-up that we are in the process of launching. MedPayRx is intended to be the first insurance product that will help patients access their meds facing nothing but their co-pay and help insurers automate the approvals process for all prescription drugs and medical devices.

By definition, in Germany, this includes medical cannabis.

Ultimately, our mission is to take the paper and the pain of all reimbursement out of the prescription process. At present, as anyone with a chronic condition knows, many medications and medical devices must be paid for out of pocket first and then reimbursed via a claims process that is paper-based, laborious and expensive. This is not a model that works for anyone. Certainly not poor and chronically ill patients who face this process at least monthly. And certainly not insurers who are now facing higher drug costs if not more claims reimbursements for the same from an aging population.

In a country like Germany where 90% of the population is covered by public health insurance, the situation also poses quandaries of a kind that are rocking the fundamental concept of inclusive public healthcare.

The Impact of Digitalization On The Insurance Industry

As one insurance executive and speaker mentioned from the stage during DIA, there are few industries that are more universally despised than insurance in general. And few verticals where the existing mantra is “you cannot do it worse.” The insurance industry is well aware of that. Further, for all insurances that are not “mandatory” the competition is fierce for consumers’ bucks. Particularly in places like Europe where insurance is also seen as a kind of savings scheme.

If you are a private insurer, of any kind, or offering services to both end consumers and B2B services, you are out of the game if you are not now thinking how to streamline and upgrade all aspects of your business in the digital era. There are many start-ups now tackling what is euphemistically called “cloud2cloud” integrations.

What does that mean?

According to DIA co-founders Reggy de Feniks and Roger Peverelli, the influence of tech in general is here to stay and is now driving widespread innovation across the industry. “The DIA line-up and the massive response among the audience show that insurtech is now mainstream,” says de Feniks. “This edition clearly showed the…ever growing attention for artificial intelligence, machine learning and other shapes of advanced analytics.”

“Platform thinking, thinking beyond insurance and creating new insurtech enabled services will be the next challenge for insurers,” added Peverelli.

Subtext? Insurers want your data. They want to use tech to analyse and understand it. The technology is here. But is the regulation? Specifically, in an industry that wants to know everything about you, how is privacy understood and implemented with revolutionary tech?

A Cloud-Based Future

Paper is rapidly becoming an old-fashioned concept in insurance, much like it has in banking. And like banking, insurance has a strong “financial” side to it. Germans, for example, tend to use insurance policies as retirement accounts, (the idea of a 401K is almost unheard of here). And by far, the most dynamic and digitalized part of the industry tends to be in areas unrelated to healthcare.

Some of the most interesting start-ups at DIA were actually weather-based.

The challenge these types of insurtechs face in convincing both regulators and the industry that such services are not only feasible but needed pales in comparison, however, to the challenge now facing all public health insurers.

And while they were certainly present at DIA, this industry segment was underrepresented at the November gathering. There is a reason for this. The real threat to consumer medical privacy is only growing, not receding in an era where data can be seamlessly transferred globally and digitally.

For that reason, blockchain has many uses and applications in this part of the vertical.

MedPayRx, even as a pre-seed start-up, was not, even this year, the only blockchain-based service we found in attendance at DIA. Next year look for even more.

Blockchain might be the next new “buzzy” tech, but in the insurance industry, there is a real reason for it.

What Was The Response To A Cannabis-Themed “Insurtech?”

As readers in the United States know, health insurance and cannabis is a loaded subject. And while insurance services are beginning to be available as high-risk commercial services for the industry, inclusive health insurance is still off the table because of the lack of federal reform.

Other places, however, the issue is taking a fascinating turn. And in Germany, right now, the situation so far has shaped up to be cannabis vs. public health insurance. It is a mainstreaming trial drug in other words. For that reason, beyond any lingering but rapidly fading stigma, it is a fertile time to be in the middle of it, with a tech solution.

It is also perfect timing from the digitalization and privacy perspective. Unlike the U.S., Germany in particular has tended to keep its insurance services, certainly on the health front, undigitalized because of privacy concerns. That is no longer feasible from a cost perspective. It is also increasingly one that has to be dealt with from a tech and regulatory one.

Why Is CannabisIndustryJournal At DIA?

My nametag identifying me as both “media” and of a certain green source, was the source of endless discussion with everyone I talked to. Many attendees were extremely curious about why a cannabis industry publication was at an insurance conference. And most people, certainly the non-Germans in attendance, were unaware that per federal law, cannabis is now, at least in theory, covered by public health insurance here.

Medical insurance that treats cannabis just like “any other drug” is a discussion at the forefront of the medical community in Europe. Even if not at health insurance industry events like DIA. Yet. In the last year, in fact, Dutch insurers have started refusing to cover the drug as the German government moved forward on mandating coverage.

In other places, like Australia, Israel and Canada, the conversation is also proceeding, albeit slowly within the context of public health coverage.

However, compliance and tracking of the drug itself, not to mention the need for research on how cannabis interacts with other drugs, mandate a consideration of how digital health records, privacy and tracking can exist in the same conversation. And further, how they can be accessed by the insurance industry, the government and policy makers as reform moves into its 2.0 iteration, namely federal recognition of the drug as a legitimate medicine.

We at MedPayRx think we have one answer. And next year, we hope to present from the stage as we continue to move forward with engaging the insurance industry here on all such fronts. Not to mention helping move the conversation forward in other places. And of course, launching services.

BioTrackTHC To The Rescue: Contingency Plan for Washington

By Aaron G. Biros

According to a press release published this morning, BioTrackTHC successfully implemented their Universal Cannabis System (UCS) in Washington State, a temporary solution for the state’s seed-to-sale cannabis tracking system, while the new system is yet to be deployed.

BioTrackTHC had a contract with Washington State for four years, which expired just weeks ago at the beginning of November. Back in June, after a few minor hiccups, the state announced that MJ Freeway would be the successor software platform used for the state’s seed-to-sale traceability system.

The deadline for the new software to be ready for deployment was set for November 1st, when the BioTrackTHC contract would expire and the MJ Freeway contract would begin. Between when the contract was awarded and the deadline for implementation, MJ Freeway made headlines for a series of security hacks and systems failures. Subsequently, MJ Freeway said they could not deliver the software platform until January of 2018, leaving a two-month gap where businesses have no state-mandated software to use for the tracking system.

The contingency plan that the state laid out consisted of business owners manually inputting data in Excel spreadsheets. When first pressed for a Band-Aid solution, representatives of BioTrackTHC cited security concerns related to MJ Freeway’s hacks as the reason for being hesitant to extend their contract through the interim period.

In an open letter to the Washington cannabis industry back in October before the end of their contract, Patrick Vo, president and chief executive officer of BioTrackTHC, laid out an explanation for what went wrong and provided an alternative solution, essentially a private sector version of their government-mandated traceability software system.

The open letter to the Washington cannabis industry, written by Patrick Vo

Announced this morning, the new system, UCS, is being used by over 1,600 of the 1,700 cannabis licensees in Washington. The UCS has so far submitted 39,000 individual excel spreadsheets to the Washington State Liquor and Cannabis Board (WSLCB). “After the WSLCB announced that their replacement system would not be ready in time and that the only other option was for all 1,700 licensees to submit their seed-to-sale data via manual spreadsheets, BioTrackTHC created the UCS—a privatized clone of the government system—within a few days and deployed it minutes after the termination of the old system to minimize the impact on all licensees,” reads the press release.

The UCS allows business owners to streamline data recording, instead of manually entering information into spreadsheets. It is also integrating with 3rd party software competitors such as WeedTraQR, GrowFlow, Mr. Kraken, TraceWeed, GreenBits, S2Solutions and DopePlow. “After the WSLCB’s announcement, we knew that we had only a few days to provide a universal system to which the whole industry could submit compliance data and enable communication across the supply chain between licensees and their seed-to-sale system,” says Vo. “Our priority was to ensure that licensees could continue to operate in the absence of a government seed-to-sale system. Not having that system in place could have left Washington licensees vulnerable to noncompliance in a variety of ways, not to mention the potentially crippling volume of extra work needed to manually track a business’ entire inventory.”

Washington State’s new traceability software system by MJ Freeway is expected to deploy in January of 2018.

KIND Financial Launches Canadian Payment Solution

By Aaron G. Biros

KIND Financial, a technology and compliance software solutions provider in the cannabis industry, is launching a new e-commerce and payment processing platform in Canada. According to the press release, they are partnering with a Canadian bank to launch the KIND Seed to Payment platform, which is essentially an e-commerce gateway integrated with their compliance software, KIND’s RegTech platform.

David Dinenberg, founder and CEO of KIND Financial

David Dinenberg, founder and CEO of KIND Financial, says this is an approach to help alleviate the cannabis industry’s banking woes. “We’ve been very focused on a global vision and taking a strategic approach towards solving the cannabis industry’s largest problem – banking,” says Dinenberg. “Not only have we built a broad portfolio of finance and compliance solutions with a high-level of technical sophistication, but we’ve made a strong commitment to security and compliance, which is evident through our partnership with Microsoft.” A little over a year ago, they entered a partnership with Microsoft to utilize their cloud-based solutions for government traceability software.

According to the press release, the software has regulatory and security features built in, such as age and identity verification, which can help companies comply with security and chain of custody regulations. “Our mission is to ensure business and technological growth for all constituencies within the cannabis industry while ensuring full compliance with evolving regulations, and that’s why we’re thrilled to make these services available to our great neighbors in the north,” says Dinenberg. “We understand compliance will be a critical issue for some time to come, but with our solution, all providers and their partners can focus on the job at hand while keeping in line with regulatory mandates.”

KIND Financial has not done much work in Canada previously, but this could be a sign of a greater push for international expansion. “We’re excited to be working in a new country to boost the Canadian cannabis industry in a safe and regulated manner, and we look forward to expanding into other markets overseas,” says Dinenberg. The press release says the new platform is designed to work with different languages and foreign currencies, including the euro and Australian dollar, which could help Canadian producers enter emerging markets.

In addition to their announcement of the KIND Seed to Payment platform, the company also announced they will be rolling out a mobile payment system called KIND Pay, a digital payment option for consumers that will accept Visa and MasterCard. They anticipate that KIND Pay will launch before the end of this year.