Is your cannabis business an attractive target for cyber criminals? With the influx of investment to this market and new businesses opening frequently throughout the United States, the legal cannabis industry is a prime target for cyber criminals.
Never share personal information (login and passwords, social security numbers, payment card information, etc.) over email.Cannabis industry hackers pick their targets by vulnerability, exploiting consumer or patient data to darknet black markets and forums. The impact can be devastating to both the business and their consumers. With new laws on protecting consumer and patient data on the horizon, businesses that do not adequately protect that data, could face stiff fines, in addition to losing the trust of their customers.
So, how do these attacks present themselves? Recent studies implicate employees as the “weakest link” in the cybersecurity chain due to a lack of cybersecurity best practices and training. Implementing safeguards and providing employee training is imperative to the cybersecurity health of your business.
Now, let’s identify the top 5 cybersecurity threats to the cannabis industry and some valuable tips for protecting against these criminal hacks:
Phishing: Phishing is a form of cyber-attack, typically disguised as an official email from a trustworthy entity, attempting to dupe the recipient into revealing confidential information or downloading malware. Don’t take the bait! 91 percent of cyber-attacks start as phishing scams, with most of these lures being cast through fraudulent emails.
Tips: Do not download attachments from unknown senders!
Never share personal information (login and passwords, social security numbers, payment card information, etc.) over email.
Password Management: Password complexity is key to protecting against cyber breaches. When it comes to data hacking, 81 percent of breaches are caused by stolen or weak passwords. With a password often being the only barrier between you and a data breach, creating a complex password will dramatically decrease those password-sniffers from obtaining your sensitive information.
Tips: Create passwords that are at least 12 characters in length – include letters, numbers and symbols (*$%^!), and never use a default password. This will fend off brute-force attacks.
Change passwords every six months to a year, keeping them complicated and protected. For IT Managers, make using a password manager mandatory for all employees. (Pro-tip: LastPass is free).Be cautious with network selection as hackers set up free Wi-Fi networks that appear to be associated with an institution.
Public Wi-Fi: Being able to connect in public spaces, while a modern marvel of convenience, leaves us wide open to cyber-attacks. Whether you are in an airport or café, always err on the side of caution.
Tips: Be cautious with network selection as hackers set up free Wi-Fi networks that appear to be associated with an institution.
Browse in a “private” or “incognito” window to avoid saving information. If you have a VPN, use it. If not, then do not handle any sensitive data.
With these platforms providing greater access to mobile apps, comes greater responsibility on the part of the end user.
Tips: Password protect devices that will be used for work (and, any device in general).
Only download applications from a trusted, authorized app store. Do not use untrusted play apps.
Mobile device protection is recommended for any device being used on a business network.
Whether it is an app from an unauthorized website or a lost/stolen device that was not password protected, cyber criminals do not need much to compromise critical data.Avoid logging into a SaaS application on a public computer or public Wi-Fi network.
SaaS Selectively: Keep Sensitive Data Safe: SaaS (Software As A Service) are cloud-based software solutions and chances are you are using one of these SaaS solutions for work purposes. IT is typically responsible for implementing security controls for SaaS applications, but ultimate responsibility falls on IT and the end user jointly. Here is what you can do to help keep these solutions safe:
Tips: Avoid logging into a SaaS application on a public computer or public Wi-Fi network.
Never share your SaaS login credentials with unauthorized persons over digital format or in person. Lastly, if you need to step away, always lock your screen during an active session.
While these tips will help keep your consumer/patient data from falling into the wrong hands, always have a plan B- backup plan! Your plan B must incorporate saving important data to a backup drive daily. Most likely, there is already a backup protocol in place for your mission-critical work data; however, for sanity’s sake, back up your BYOD devices as well.
Recent trends in the cannabis space and media headlinesreveal the challenges and complexities of the evolving cannabis industry with regard to traceability and compliance. Keeping abreast of the evolving state of legislative requirements is complex and requires effective procedures to ensure your business will flourish. At the forefront is the need to provide complete seed-to-sale traceability from the cannabis plant to the consumer, increasing the demand for effective tracking and reporting technologies to assure cultivators, manufacturers, processors and dispensaries are able to meet regulatory compliance requirements. An enterprise resource planning (ERP) solution offers a business management solution designed to integrate all aspects from the greenhouse and growing to inventory, recipe/formulation, production, quality and sales, providing complete traceability to meet compliance regulations.
The main force driving cannabusinesses’ adoption of strict traceability and secure systems to monitor the growth, production and distribution of cannabis is the Cole Memorandum of 2013issued by former US Deputy Attorney General James Cole. The document was designed to prevent the distribution of cannabis to minors, as well as prevent marijuana revenue from being used for criminal enterprises. Due to the non-legal status of cannabis on the federal level, the memo provides guidance for states whose voters have passed legislation permitting recreational or medical cannabis use. If states institute procedures for transparent inventory control and tracking documentation, the memo indicates that the federal government will refrain from interference and/or prosecution. Despite the Trump administration rescinding the memo in early 2018, companies have largely continued to follow its guidelines in an attempt to avoid targeted enforcement of federal law. Local government reporting is a primary reason for strict inventory control, necessitating reliable traceability documentation of the chain-of-custody.
Process metrics within an ERP solution are essential in providing the accountability necessary to meet required cannabis compliance initiatives. With a centralized, streamlined and secure system, each process becomes documented and repeatable – enabling best practices to provide an audit trail for accountability in all cannabis activities. Whether cultivating, extracting, manufacturing or dispensing cannabis, an ERP’s functionality assists with compliance demands to manage and support traceability and other state-level requirements.
An ERP solution solves the traceability and compliance issuesfaced by the industry by providing inventory control management and best practices that automates track and trace record keeping from seed to consumer. Growers are also implementing cultivation management solutions within their ERP and highly secure plant identification methods to mobilize greenhouse and inventory to support real-time tracking. Monitoring the loss of inventory due to damage, shrinkage, accidentally or purposeful destruction is efficiently documented to assure that inventory is accounted for. Similar to other process manufacturing industries, it is possible to produce tainted or unsafe products, therefore an ERP solution that supports product recall capabilities is fundamental. With a centralized framework for forward and backward lot, serial and plant ID tracking, the solution streamlines supply chain and inventory transactions to further ensure compliance-driven track and trace record keeping is met.
Local government reporting is a primary reason for strict inventory control, necessitating reliable traceability documentation of the chain-of-custody. Data regarding inventory audit and inspection details, complete with any discrepancies, must be reported to a states’ seed-to-sale tracking system to conform with legal requirements. An ERP utilizes cGMP best practices and reporting as safeguards to keep your company from violating compliance regulations. Failure to complete audits and meet reporting guidelines can be detrimental to your bottom line and lead to criminal penalties or a loss of license from a variety of entities including state regulators, auditors and law enforcement agencies. A comprehensive ERP solution integrates with the state-administered traceability systems more easily and reliably as compared to manual or stand-alone systems – saving time, money and detriment resulting from non-compliance.
Similar to other food and beverage manufacturers, the growing market for cannabis edibles can benefit from employing an ERP system to handle compliance with food safety initiatives – encompassing current and future requirements. Producers of cannabis-infused products for recreational and medicinal use are pursuing Global Food Safety Initiative (GFSI) certification, employing food safety professionals and implementing comprehensive food safety practices–taking advantage of ERP functionality and processes currently in place in similarly FDA regulated industries.
As legalization continues and reporting regulations standardize, dynamic cannabis ERP solutions for growers, processors and dispensaries will evolve to meet the demands and allow for operations to grow profitably.In addition to lot, serial and plant ID tracking, tracing a product back to the strain is equally important. An ERP can efficiently trace a cannabis strain from seedling through the final product, monitoring its genealogy, ongoing clone potency, CBD and THC content ratios and other attributes. The health, weight and required growing conditions of each individual plant or group of plants in the growing stages may be recorded throughout the plant’s lifecycle. In addition, unique plant identification regarding the performance of a particular strain or variety, how it was received by the market and other critical elements are tracked within ERP system. This tracking of particular strains assists with compliance-focused labeling and determining the specific market for selling and distribution of cannabis products.
Collecting, maintaining and accessing traceability and compliance data in a centralized ERP system is significant, but ensuring that information is safe from theft or corruption is imperative as well. An ERP solution with a secure platform that employs automated backups and redundancy plans is essential as it uses best practices to ensure proper procedures are followed within the company. User-based role permissions provide secure accessibility restricted to those with proper authorization. This level of security allows for monitoring and recording of processes and transactions throughout the growing stages, production and distribution; ensuring accountability and proper procedures are being followed. Investing in an ERP solution that implements this level of security aids companies in their data assurance measures and provides proper audit trails to meet regulations.
In this ever-changing industry, regulatory compliance is being met by cannabusinesses through the implementation of an ERP solution designed for the cannabis industry. Industry-specific ERP provides functionality to manage critical business metrics, inventory control, local and state reporting and record keeping, and data security ensuring complete seed-to-sale traceability while offering an integrated business management solution that supports growth and competitive advantage in the marketplace. As legalization continues and reporting regulations standardize, dynamic cannabis ERP solutions for growers, processors and dispensaries will evolve to meet the demands and allow for operations to grow profitably.
The global cannabis industry is hitting thorny regulatory challenges everywhere these days as the bar is raised for international commerce. First it was recognition that the entire production industry in Canada would basically have to retool to meet European (medical and food) standards. And that at least for now for the same reasons, American exports are basically a no go.
However, beyond this, the battle over financial reporting and other compliance of a fiscal kind has been a hot topic this year on European exchanges.
As of this summer, (and not unrelated to the other two seismic shifts) there is another giant in the room.
The German version is actually Europe’s highest privacy standard, which means for the cannabis industry, this is the one that is required for operations here across the continent if you are in this business.
What is it, and what does it mean for the industry?
GDPR – The Elevator Pitch
Here is why you cannot ignore it. The regulation affects bankers as much as growers, distributors as much as producers and of course the entire ecosystem behind medical production and distribution across Europe and actually far beyond it. Starting of course, with patients but not limited to them. The law in essence, applies to “you” whoever you are in this space. That is why it becomes all that much more complicated in the current environment.
While this is complex and far reaching, however, there are a couple of ways to think about this regulation that can help you understand it and how to manage to it (if not innovate with it).
The first is, to American audiences at least, that GDPR is sort of like HIPAA, the federal American privacy civil rights statute that governs medical privacy law. Except, of course, this being Europe, it is far more robust and far reaching. It touches every aspect of electronic privacy including data storage, retention, processing and security that is applicable to modern life. And far, far, beyond just “patients.”
On the marketing side, GDPR is currently causing no end of headaches. Broadly, the legislation, which came into force this year, with real teeth (4% of global revenues if you get it wrong), applies to literally every aspect of the cannabis industry for two big reasons beyond that. Medical issues, which are the only game in town right now in Europe (and thus require all importers to also be in compliance) and financial regulatory requirements.
The requirements in Germany are more onerous than they are in the rest of Europe. Therefore, they also affect the cannabis industry in a big way, especially since there is at this point a great deal of European cultivation with the German (and now British) medical market in mind. Further Germany is becoming European HQ for quite a few of the Canadian LPs. That means German standards apply.
The UK, for those watching all Brexit events with interest, will also continue to be highly affected by this. Whether it stays in the EU or not, it must meet a certain “trusted nation” status to be able to transact with the continent in any kind of favoured nation status.
Bottom line? It is big and here and expensive if you screw it up. If considering doing any kind of business with European customers, start hitting the books now. Large mainstream media organizations in the United States and Canada right now are so afraid of the consequences of getting this wrong that they have blocked readership from Europe for the present. Large financial institutions also must not only be in compliance but compliance of companies also guides their investment mandates on the regulatory front.
For all of these reasons, the cannabis industry would do well to take note.
What Does This Mean for The Cannabis Industry?
The Canadian and rest of the global industry is still struggling with compliance and this will have some interesting repercussions going forward.patient data must be handled and stored differently
Immediately, this means that all websites that are targeted to German eyes (read Canadian LPs and international, even English-only press) should hire German side compliance experts for a quick GDPR audit. There are few European experts at this point, and even fewer foreign ones. It is worth a call around to find out who is doing this auf Deutschland and bite the bullet.
It also means that internally, patient data must be handled and stored differently. And furthermore, it is not just “patients” who have this right, but everyone who transacts with your electronic or other presence. That includes consumers, subscribers to email newsletters and other stakeholders in the industry.
As the cannabis industry also starts to embrace technology more fully, it will also have highly impactful influence on what actually passes for a compliant technology (particularly if it is customer facing) but not limited to the same.
On the marketing side, GDPR is currently causing no end of headaches. Starting with PR and customer outreach teams who are trying to figure out how much of their master mailing lists they can keep and which they cannot. On this front, Mail Chimp is undeniably the go-to right now and has also implanted easy to understand and use technology that is being adopted by European marketers and those targeting Europe.
Stay tuned for more coverage on GDPR as we cover how data protection and privacy regulations will impact cannabis businesses, their marketing and outreach, plus service design efforts (in particular to patients) and other areas of interest.
No matter the size of your cannabis greenhouse operation, keeping your plants alive and healthy requires the best possible growing environment. This means greenhouse managers and personnel must frequently monitor the status of environmental conditions and equipment. The sooner someone discovers extreme temperature fluctuations, rising humidity or equipment failure, the more inventory you can save.
That’s why integrating a remote monitoring system into your greenhouse operation can save you time, money and anxiety. Monitoring systems that use cloud-based technology let you see real-time status of all monitored conditions and receive alerts right on your mobile device.
Installing a monitoring system and sensors can be easier than you might think. Here are answers to ten questions to ask before installing a cloud-based monitoring system:
What is required to use a remote monitoring system?
Most remote monitoring systems require an internet or WiFi connection and access to an electrical outlet. Programming is done through a website, so it’s easiest to use a computer for the initial setup. If you don’t have an internet connection at your location, you’ll want to choose a cellular system. Make sure that there’s sufficient signal strength at your site, and check the signal quality in the area before purchasing a cellular device.
2. How do we determine what kind of monitoring system and sensors we need?
A reputable manufacturer will have a well-trained support team that can assess your needs even without a site visit to determine which products are best for your application. If you feel you need them to check out your greenhouse operation,many companies can set up a video conference or FaceTime chat to substitute for being on site.
You will want to provide details about the scope and purpose of your cannabis growing operation. Important factors to discuss include:
Skeletal structure of the greenhouse (metal, plastic, wood, etc.) and the covering material (glass or plastic).
Floor space square footage and height of each of your greenhouses.
Number of greenhouse structures in your operation.
Outdoor climate to determine if you rely more on heating or air conditioning and the level of humidity control needed.
Space dedicated to phases of growth (cloning and propagation, vegetative, flowering) and the microclimates needed for each.
Types of lighting, ventilation and irrigation systems.
Level of technological automation versus manual operation in place.
The monitoring system representative will then determine the type of system that would best serve your operation, the number of base units you will need and the types of sensors required.
The representative should also be able to provide tips on the placement of the sensors you’re purchasing. For example, to ensure thorough air temperature coverage, place sensors throughout the greenhouse, next to the thermostat controlling the room temperature and in the center of the greenhouse out of direct sunlight.
Note that there shouldn’t be a cost for a demo, consultation or assistance throughout the sales process. Be sure to ask if there are any fees or licenses to keep using the monitoring equipment after you purchase it.
3. Are sensors included with the monitoring system?
In most cases, sensors are sold separately. The sensors you select depend upon the conditions you want to monitor and how many you can connect to your base unit. Certainly, temperature is critical, but there are many other factors to deal with as well, such as humidity, CO2, soil moisture, water pH, power and equipment failure, ventilation and physical security.
For example, humidity has a direct impact on the photosynthesis and transpiration of plants. High humidity can also cause disease and promote the growth of harmful mold, algae and mildew. Sensors can detect changes in humidity levels.
Like any other plant, cannabis needs CO2 to thrive, so it’s a good idea to include a CO2 sensor that will signal to the monitoring device when readings go out of the preset range. There are even sensors that you can place in the soil to measure moisture content to help prevent over- or underwatering, budget water usage costs, promote growth and increase crop yield and quality.
Of course, all the critical systems in your growing facility—from water pumps to irrigation lines to louvers—rely on electrical power. A power outage monitoring sensor detects power failure. It can also monitor equipment for conditions that predict if a problem is looming, such as power fluctuations that occur at specific times.
Ventilation systems not only help control temperature, they also provide fresh air that is critical to plant health. Automated systems include features like vented roofs, side vents and forced fans. Sensors placed on all these systems will send personnel an alert if they stop running or operate outside of preset parameters.
To monitor the physical security of your greenhouses, you can add sensors to entrance doors, windows, supply rooms and equipment sheds. During off hours, when no staff is on duty, you can remain vigilant and be alerted to any unauthorized entry into your facility.
4. Do monitoring systems only work with the manufacturer’s sensors?
Not necessarily. For example, certain monitoring units can connect with most 4-20mA sensors and transmitters regardless of the brand. When selecting sensors, you might have a choice between ones that are designed by the manufacturer to work specifically with the monitoring system or universal components made by a third party. If the components aren’t made by the system manufacturer, you’ll want to find out if they have been tested with the monitor you are choosing and if you need to work with another vendor to purchase the parts.
5. Is a monitoring system easy to set up, or do we need to hire an electrician?
Many monitoring systems are quick and easy to install, and users can often set them up without hiring an outside expert. Look for one that requires only a few simple physical installation steps. For example:
Mount the device to the wall or somewhere secure;
Plug it into an electrical outlet and an internet connection;
Connect the sensors.
You connect the sensors to the base unit’s terminal strip using wire, which is included with many sensors. The range of many wired sensors can be extended up to 2,000 feet away from the base unit by adding wire that can be easily purchased at any home store. It’s a good idea to hire an electrician if you need to run wires through walls or ceilings.
Usually, once you plug in the device and connect the sensors, you then create an account on the manufacturer’s designated website and begin using your device. There should be no fee to create an account and use the site.
If the manufacturer doesn’t offer installation services, ask if they can recommend a local representative in your area who can set up your system. If not, make sure they provide free technical support via phone or email to walk you through the installation and answer any questions you might have about programming and daily usage.
6. Is there a monthly fee to access all the functionality of a monitoring device?
Many web- or cloud-based systems provide free functionality with some limitations. You might have to purchase a premium subscription to unlock features such as text messaging, phone call alerts and unlimited data logging access.
7. Should we get a system that is wired or wireless? Will we need to have a phone line, cable, internet or something else?
Wireless can mean two different things as it relates to monitoring: how the system communicates its data to the outside world and how the sensors communicate with the system.
The most popular systems require an internet or WiFi connection, but if that’s not an option, cellular- and phone-based systems are available.
A hardwired monitoring system connects the sensors to the base device with wires. A wireless system uses built-in radio transmitters to communicate with the base unit. Some monitoring systems can accommodate a combination of hardwired and wireless sensors.
8. Can one system monitor several sensor inputs around the clock?
Once the monitoring system is installed and programmed, it will constantly read the information from the sensors 24/7. Cloud-based systems have data logging capabilities and store limitless amounts of information that you can view from any internet-connected device via a website or app.
If the system detects any sensor readings outside of the preset range, it will send an alarm to all designated personnel. The number of sensors a base unit can monitor varies. Make sure to evaluate your needs and to select one that can accommodate your present situation and future growth.
When a monitoring system identifies a change in status, it immediately sends alerts to people on your contact list. If you don’t want all your personnel to receive notifications at the same time, some devices can be programmed to send alerts in a tiered fashion or on a schedule. Multiple communications methods like phone, email and text provide extra assurance that you’ll get the alert. It’s a good idea to check the number of people the system can reach and if the system automatically cycles through the contact list until someone responds. Some systems allow for flexible scheduling, so that off-duty personnel don’t receive alerts.
9. Do monitoring systems have a back-up power system that will ensure the alarming function still works if the power goes out or if someone disconnects the power?
The safest choice is a cloud-based system that comes with a built-in battery backup that will last for hours in the event of a power failure. Cloud-based units constantly communicate a signal to the cloud to validate its online status. If the communication link is interrupted—for example by a power outage or an employee accidently switching off the unit—the system generates an alarm indicating that the internet connection is lost or that there is a cellular communications problem. Users are alerted about the disruption through phone, text or email. All data collected during this time will be stored in the device and will be uploaded to the cloud when the internet connection is restored.
If you opt for a cloud-based monitoring system, make sure the infrastructure used to create the cloud platform is monitored 24/7 by the manufacturer’s team. Ask if they have multiple backups across the country to ensure the system is never down.
10. What should we expect if we need technical support or repairs to the system?
Purchase your system from a reputable manufacturer that provides a warranty and offers full repair services in the event the product stops working as it should. Also, research to make sure their tech support team is knowledgeable and willing to walk you through any questions you have about your monitoring system. Often, support specialists can diagnose and correct unit setup and programming issues over the phone.
It helps to record your observations regarding the problem, so the tech team can look for trends and circumstances concerning the issue and better diagnose the problem. Ideally, the manufacturer can provide loaner units if your problem requires mailing the device to their facility for repair.
Documents play a key role in the world of regulations and global standards. Documents tell a story on programs development, implementation and verification during an inspection or audit. Documents are used as evidence to determine conformance to the law or standard. However, do you know what kind of documents may be reviewed during a regulatory inspection or a food safety audit? Are you prepared to show that the implementation of regulatory requirements or a standard is done efficiently at your facility?
Inspectors and auditors will look for compliance either to regulations or to a standard criterion. Regulations and standards require that documentation is controlled, secured and stored in an area where they cannot deteriorate. Therefore, writing a Document Management Program (DMP) will help a business owner ensure consistency in meeting this and other requirements.Radojka Barycki will host a a plenary session titled, “Cannabis: A Compliance Revolution” at the 2018 Food Safety Consortium | Learn More
A well-developed and implemented DMP provides control over documents by providing a number sequence and revision status to the document. In addition, ownership for development, review and distribution of the documents are assigned to specific individuals within the company to ensure that there are no inconsistencies in the program. Documents must also have the name of the company in addition to a space to write the date when the record is generated. It is recommended to include the address if there are multiple operational sites within the same company.
There are different types of documents that serve as support to the operations:
Program: A written document indicating how a business will execute its activities. When it comes to the food industry, this is a written document that indicates how quality, food safety and business activities are controlled.
Procedures: General actions conducted in a certain order. Standard Operational Procedures (SOPs) allow the employee to know what to do in general. For example, a truck receiving procedure only tells the employee what the expected conditions are when receiving a truck (cleanliness, temperature, etc.) However, it doesn’t tell the employee how to look for the expected conditions at the time of the truck arrival.
Work Instructions: Detailed actions conducted in a certain order. For example, truck inspection work instruction tells the employee what steps are to be followed to perform the inspection.
Forms: Documents used to record activities being performed.
Work Aids: are documents that provide additional information that is important to perform the job and can be used as a quick reference when performing the required activities within the job.
The inspectors and auditors base their role on the following saying: “Say what you do. Do what you say. Prove it!” The programs say what the company do. The procedures, work instructions and work aids provide information on implementation (Do what you say) and the forms become records that are evidence (prove) that the company is following their own written processes.
Regulatory requirements for cannabis vary from state to state. In general, an inspector may ask a cannabis business to provide the following documentation during an inspection:
Product Traceability Programs and Documents
Product Testing (Certificate of Analysis – COAs)
Certification Documents (applicable mainly to cannabis testing labs)
Proof of Destruction (if product needs to be destroyed due to non-compliance)
Training Documents (competency evidence)
As different states legalize cannabis, new regulatory requirements are being developed and modeled after the pharma, agriculture and food industries. In addition, standards will be in place that will provide more consistency to industry practices at a global level. The pharma, agriculture and food industries base their operations and product safety in programs such as cGMPs, GAPs, HACCP-based Food Safety Management Systems and Quality Management Systems. Documents required during an inspection or audit are related to:
Good Agricultural Practices (GAPs)
Current Good Manufacturing Practices (cGMPs)
Food Safety Plan Documents
Ingredient and Processing Aids Receiving
Ingredient and Processing Aids Storage
Operational Programs (Product Processing)
Final Product Storage
Final Product Transportation
Document Management Program
In the always evolving cannabis industry, are you prepared to face document requirements now and in the future?
We’ve covered the CannaGrow Expo previously, but this time around we catch up with Joseph De Palma, founder of CannaGrow, to talk about the genesis of his conference and what makes the event so special. This year’s CannaGrow Expo heads to Palm Springs, California, a new location for the event, on May 19thand 20th.
We’ve watched De Palma’s conference grow over the years, moving around the country and becoming the tight-knit community we know it as today. The meat and potatoes of the show are definitely the educational sessions, panel discussions, roundtables and the expo hall. But covering it year after year we’ve noticed a real sense of community develop, one where genuine idea sharing, collaboration and inclusivity are preached. There are no dumb questions at the CannaGrow Expo.
According to Joseph De Palma, CannaGrow started in 2014, when the original event was held in Denver. “From the beginning, we wanted to create an event specifically for growers, where the focus was always on education and ‘becoming a better grower’,” says De Palma. “We had experienced the existing events in the marketplace, and almost all fit into two categories at the time, festival, or generic tradeshow. Those were fine for their purpose, but they didn’t foster an environment of education, and that’s what we believed was most important to the emerging cannabis industry.” Back in 2014, their show only had 10 sessions and 30 exhibitors. “Passionate growers from around the country had 2 days of grow-focused sharing and learning, and you could see the energy and excitement,” De Palma says. “Discussions would dive deep, people made new friends, and it really elevated the conversation around cultivation.”
Since the show’s debut, it’s grown substantially. The 7th CannaGrow Expo is fast approaching, and this upcoming conference has four separate tracks and roughly 100 exhibitors. But it still keeps its sense of community, one where you don’t feel crowded, where everyone has time to chat and network, without the overwhelming feeling that can come with larger trade shows. “That inclusivity and open dialog is built in,” says De Palma. “If you go to an event that’s tradeshow dominant, most people are there to walk, shop, and leave. At CannaGrow, growers and extractors come together with a plan for the weekend, remaining in a constant state of engagement with others at the show.”
This year’s show has some exciting additions to look out for. The agenda covers a wide range of topics, including everything from an introduction to growing with living soil to a discussion of cyber security. The Extraction Summit, new to this year’s event and held on Day 2, is their response to the massive rise in popularity and demand of extracts.
Eric Schlissel, cybersecurity specialist, president and chief executive officer of GeekTek, is giving a talk focused on IT infrastructure. “My presentation will center around the actions cannabis businesses need to take right now to repel cybercrime and potential federal seizure,” says Schlissel. “As cannabis operators build their businesses and develop their security strategies, they often focus exclusively on the physical portion of their business – the merchandise and the cash in particular – and overlook the importance of designing and fortifying a secure IT infrastructure. I will discuss the importance of a holistic security strategy that embraces both and how you can both create one and prepare it for expansion into other states or even globally from the very start.” Schlissel’s discussion is one example of just how all-encompassing CannaGrow intends to be.
De Palma and his team leave few stones unturned as the show truly delivers vital information for cannabis cultivators in every area. Some things we are looking forward to? Seeing old friends and learning everything under the sun about cannabis science, growing and extraction. “People get to know each other, and with everyone sharing a core passion for cultivation and extraction, lifelong friendships are made,” says De Palma.
BioMauris, LLC became the 5th company in the United States to win a state contract for a seed-to-sale platform today. BioMauris is a technology company that manages product tracking, fulfillment and distribution with a focus on the healthcare market. According to a press release, the company announced today that the state of Iowa selected BioMauris to manage their tracking system for the medical cannabidiol (CBD) program.
That program’s contract includes inventory tracking, medical cannabidiol sales and patient and caregiver registration. In 2014, Iowa’s Medical Cannabidiol Act was signed into law. Three years later, in May of 2017, Governor Terry Branstad expanded the state’s program, including manufacture and dispensing in the previous legislation. On December 1st, 2018, Iowa expects sales to begin and fully implement the program.
This is BioMauris’ first state contract in the cannabis industry. According to the press release, BioMauris bases their platform on Salesforce for point of sale, tracking, customer loyalty and distribution services in the healthcare sector. The company says they use Salesforce because it is extremely customizable and secure.
According to Erik Emerson, founder and president of BioMauris, they’re poised to deliver on this front, given their experience in other industries. “Our team has extensive history in the pharmaceutical business, and therefore has a unique appreciation for data integrity and security,” says Emerson. “Additionally, we fundamentally believe the opportunity to track patient progress and associate the benefits received with the products used, is an incredible opportunity for the cannabis industry.” BioMauris has worked with clients on similar projects in the healthcare space for some time.
The company touts their platform as fully PCI-DSS and HIPAA compliant, allowing them to process payments and protect sensitive patient information. “Our patented technology, makes this not only possible, but simple for all users,” says Emerson. “We are excited to bring our product to the great state of Iowa and look forward to a long partnership with them. We believe strongly in what Iowa is attempting to do with their program and believe it is a perfect fit with our strategy for the cannabis industry.”
Last week, Oregon Secretary of State Dennis Richardson published his office’s audit of The Oregon Liquor Control Commission (OLCC). The audit uncovered a number of inadequacies with the regulatory agency, most notably the problems with their tracking system, designed to prevent cannabis form being sold on the black market.
The report highlights the need for Oregon to implement a more robust tracking system, citing reliance on self-reporting, overall poor data quality and allowing untracked inventory for newly licensed businesses. The audit also found an insufficient number of inspectors and unresolved security issues. According to The Oregonian, the OLCC only has 18 inspectors, roughly one for every 83 licensed businesses.
Auditors also found inadequacies in the application system, saying the OLCC doesn’t monitor third-party service providers and doesn’t have a process in place for reconciling data between the licensing and tracking systems. The audit found there is a risk that decisions made for the program could be based on unreliable data. It also found a risk of unauthorized access to the systems, due to a lack of managing user accounts.
This audit’s publication is very timely. Most notably because U.S. Attorney Billy Williams, who called Oregon’s black market problem “formidable,” convened a summit this week to examine how Oregon can prevent cannabis being exported to other states. According to the Oregonian, Williams said Oregon has an “identifiable and formidable overproduction and diversion problem.” The audit’s findings highlighting security issues are also very timely, given that in the same week, Oregon’s neighbor to the North, Washington, experienced a security breach in its own tracking system.
The problems with the Oregon tracking system’s security features are numerous, the audit says. They found that the OLCC lacks a good security plan, IT assets aren’t tracked well, there are no processes to determine vulnerabilities, servers and workstations not using supported operating systems and a lack of appropriately managing antivirus solutions. “Long-standing information security issues remain unresolved, including insufficient and outdated policies and procedures necessary to safeguard information assets,” reads the report’s summary.
The audit proposes 17 recommendations for the state to bolster its regulatory oversight. Those recommendations intend to address undetected compliance violations, weaknesses in application management, IT security weaknesses and weaknesses in disaster recovery and media backup testing. You can read the full audit here.
On February 8th, Peter Antolin, the deputy director for the Washington State Liquor and Cannabis Board (WSLCB), sent an email to licensees explaining why the transition to their new traceability system was disrupted. Last Saturday, someone gained access to the sensitive information in Leaf Data Systems, the state’s traceability software that is powered by MJ Freeway.
“A computer vulnerability was exploited on Saturday, allowing unauthorized access to the traceability system,” Antolin told licensees in the email. “There are indications an intruder downloaded a copy of the traceability database and took action that caused issues with inventory transfers for some users. We believe this was the root cause of the transfer/manifest issue experienced between Saturday and Monday.”
The email goes on to say that no personally identifiable information was available to the ‘intruder,’ but some sensitive information was clearly accessed. That data includes route information of manifests filed between February 1st and 4th as well as transporter vehicle information including VIN, license plate number and vehicle type, according to the email.
That email leaves much to be desired. For one, they do not exactly have a solution, instead trying to alleviate licensees’ worries with a hollow inanity full of meaningless jargon: “The WSLCB and MJ Freeway continue to implement several strategies to prevent future vulnerabilities to future intrusions,” reads the email. “This includes full logging and monitoring and working with third-party entities. Since this remains an active investigation, details on security are not publicly available.” However, today the WSLCB is hosting a webinar where Peter Antolin, their IT division, the MJ Examiners unit and enforcement will be available to answer questions, according to the email.
This is by no means the first security breach that Washington and MJ Freeway have suffered. In May of 2017, Washington originally selected Franwell’s METRC as the contract partner for their traceability software system. Less than a month later in June of 2017, after a mistake in the selection process, Washington selected MJ Freeway instead of Franwell for the traceability contract. Three days later, MJ Freeway’s source code was stolen and published online. Then in September, Nevada cancelled their contract with MJ Freeway after a security breach, their services crashed in Pennsylvania and Spain, and in October it became clear that the company could not meet the October 31 deadline for their new Washington contract.
In November of 2017, BioTrackTHC, the company that held the previous contract for Washington’s traceability software, helped the state through the transition period with a temporary Band-Aid solution to hold the state over until January of 2018. A month after they expected to implement the new MJ Freeway system, the latest security breach occurred this week and disrupting the rollout yet again.
At the end of the email Antolin sent to licensees yesterday, he says there will continue to be attempts to breach the system’s security. “The bottom line is that this incident is unfortunate,” says Antolin. “There will continue to be malicious cyberattacks on the system. This is true of any public or private system and is especially true of the traceability system.” This begs a few questions: why aren’t we hearing about this kind of security breach in other states’ traceability systems? What are other companies doing that prevents this from happening? Why does this keep happening to MJ Freeway?
Munich, Germany- In a darkened movie studio on the east end of town, the Digital Insurance Agenda or DIA, the largest insurtech conference in the world, kicked off its annual event in mid-November. The sold-out event attracted about 1,000 top insurance executives from 40 countries and all six continents.
CannabisIndustryJournal attended from the perspective of investigating the overall status of digitalization in the industry. However, there were a couple of things we were on the hunt for. The first was to see how and where blockchain has begun to penetrate the industry. This revolutionary processing and identification layer of digital communications is coming – and fast – to the insurance industry everywhere.
We were also there of course to see if cannabis was anywhere on the agenda. Digitized or not.
By way of disclosure, I am also a high tech entrepreneur with my own insurtech, blockchain-based start-up that we are in the process of launching. MedPayRx is intended to be the first insurance product that will help patients access their meds facing nothing but their co-pay and help insurers automate the approvals process for all prescription drugs and medical devices.
By definition, in Germany, this includes medical cannabis.
Ultimately, our mission is to take the paper and the pain of all reimbursement out of the prescription process. At present, as anyone with a chronic condition knows, many medications and medical devices must be paid for out of pocket first and then reimbursed via a claims process that is paper-based, laborious and expensive. This is not a model that works for anyone. Certainly not poor and chronically ill patients who face this process at least monthly. And certainly not insurers who are now facing higher drug costs if not more claims reimbursements for the same from an aging population.
In a country like Germany where 90% of the population is covered by public health insurance, the situation also poses quandaries of a kind that are rocking the fundamental concept of inclusive public healthcare.
The Impact of Digitalization On The Insurance Industry
As one insurance executive and speaker mentioned from the stage during DIA, there are few industries that are more universally despised than insurance in general. And few verticals where the existing mantra is “you cannot do it worse.” The insurance industry is well aware of that. Further, for all insurances that are not “mandatory” the competition is fierce for consumers’ bucks. Particularly in places like Europe where insurance is also seen as a kind of savings scheme.
If you are a private insurer, of any kind, or offering services to both end consumers and B2B services, you are out of the game if you are not now thinking how to streamline and upgrade all aspects of your business in the digital era. There are many start-ups now tackling what is euphemistically called “cloud2cloud” integrations.
What does that mean?
According to DIA co-founders Reggy de Feniks and Roger Peverelli, the influence of tech in general is here to stay and is now driving widespread innovation across the industry. “The DIA line-up and the massive response among the audience show that insurtech is now mainstream,” says de Feniks. “This edition clearly showed the…ever growing attention for artificial intelligence, machine learning and other shapes of advanced analytics.”
“Platform thinking, thinking beyond insurance and creating new insurtech enabled services will be the next challenge for insurers,” added Peverelli.
Subtext? Insurers want your data. They want to use tech to analyse and understand it. The technology is here. But is the regulation? Specifically, in an industry that wants to know everything about you, how is privacy understood and implemented with revolutionary tech?
A Cloud-Based Future
Paper is rapidly becoming an old-fashioned concept in insurance, much like it has in banking. And like banking, insurance has a strong “financial” side to it. Germans, for example, tend to use insurance policies as retirement accounts, (the idea of a 401K is almost unheard of here). And by far, the most dynamic and digitalized part of the industry tends to be in areas unrelated to healthcare.
Some of the most interesting start-ups at DIA were actually weather-based.
The challenges of these types of insurtechs of convincing both regulators and the industry that such services are not only feasible but needed, pale in comparison however, to the challenge now facing all public health insurers.
And while they were certainly present at DIA, this industry segment was underrepresented at the November gathering. There is a reason for this. The real threat to consumer medical privacy is only growing, not receding in an era where data can be seamlessly transferred globally and digitally.
For that reason, blockchain has many uses and applications in this part of the vertical.
MedPayRx – even as a pre-seed start-up, was not, even this year, the only blockchain-based service we found in attendance at DIA. Next year look for even more.
Blockchain might be the next new “buzzy” tech, but in the insurance industry, there is a real reason for it.
What Was The Response To A Cannabis-Themed “Insurtech?”
As readers in the United States know, health insurance and cannabis is a loaded subject. And while insurance services are beginning to be available as high-risk commercial services for the industry, inclusive health insurance is still off the table because of the lack of federal reform.
Other places, however, the issue is taking a fascinating turn. And in Germany, right now, the situation so far has shaped up to be cannabis vs. public health insurance. It is a mainstreaming trial drug in other words. For that reason, beyond any lingering but rapidly fading stigma, it is a fertile time to be in the middle of it, with a tech solution.
It is also perfect timing from the digitalization and privacy perspective. Unlike the U.S., Germany in particular has tended to keep its insurance services, certainly on the health front, undigitalized because of privacy concerns. That is no longer feasible from a cost perspective. It is also increasingly one that has to be dealt with from a tech and regulatory one.
Why Is CannabisIndustryJournal At DIA?
My nametag identifying me as both “media” and of a certain green source, was the source of endless discussion with everyone I talked to. Many attendees were extremely curious about why a cannabis industry publication was at an insurance conference. And most people, certainly the non-Germans in attendance, were unaware that per federal law, cannabis is now, at least in theory, covered by public health insurance here.
Medical insurance that treats cannabis just like “any other drug” is a discussion at the forefront of the medical community in Europe. Even if not at health insurance industry events like DIA. Yet. In the last year, in fact, Dutch insurers have started refusing to cover the drug as the German government moved forward on mandating coverage.
In other places, like Australia, Israel and Canada, the conversation is also proceeding, albeit slowly within the context of public health coverage.
However compliance and tracking of the drug itself, not to mention the need for research on how cannabis interacts with other drugs mandates a consideration of how digital health records, privacy and tracking can exist in the same conversation. And further, can be accessed by the insurance industry, the government and policy makers as reform moves into its 2.0 iteration – namely federal recognition of the drug as a legitimate medicine.
We at MedPayRx think we have one answer. And next year, we hope to present from the stage as we continue to move forward with engaging the insurance industry here on all such fronts. Not to mention helping move the conversation forward in other places. And of course, launching services.
Strictly Necessary Cookies
Strictly Necessary Cookie should be enabled at all times so that we can save your preferences for cookie settings.
We use tracking pixels that set your arrival time at our website, this is used as part of our anti-spam and security measures. Disabling this tracking pixel would disable some of our security measures, and is therefore considered necessary for the safe operation of the website. This tracking pixel is cleared from your system when you delete files in your history.
If you disable this cookie, we will not be able to save your preferences. This means that every time you visit this website you will need to enable or disable cookies again.