Transcripts For CSPAN2 Health Care Cybersecurity Discussion 20240714

Will hear from data security health care officials, just getting started; live coverage on C-SPAN2. Shedding light on some pressing issues of our time when it comes to cybersecurity threats and how they impact our nation. For today's briefing I think specifically of seeing a number of very high-profile, expensive and quite likely potentially dangerous cybersecurity attacks on our nation's health care sector. We brought in two individuals today with a wealth of knowledge in this area: Robert Lord, the chief strategy officer at Protenus, who will be here to give a presentation to us to talk about this important topic, as well as Jen Covich, the CEO of eHI. Without further ado I will let the first presentation get started. Thanks so much, great. I very rarely give talks that are standing room only, so I really appreciate your guys' interest today. As was mentioned, I'm Robert Lord, cofounder and president and chief strategy officer of Protenus, and also I'm a fellow at New America's cybersecurity policy program. While a lot of the information I'm presenting today comes from some research that we've done at Protenus and some of the work that we are currently building at New America, I'm not speaking on behalf of either of those organizations today. Really just talking from my experience and providing perspective on the challenges that we see in this space. I guess the context for this is that sometimes when we talk about cybersecurity it can be a little bit too much bits and bytes and people in hoodies. The first thing I always think about when I think about health care cybersecurity is the patient I had when I was in medical school. I was fortunate to work in a clinic that focused on treating HIV-positive patients in Baltimore when I was in med school.
One of the things you learn quickly about this population, other than that they're a wonderful, really complex, rewarding population to work with, is that they have extraordinary concerns around the privacy and security of their information. They will go to extreme lengths to make sure people do not find out about their diagnosis or their treatment: their coworkers, their communities and so many others that might use this information against them, this extremely vulnerable community. One of the things I began to think about, treating these patients, was: what are we doing to defend their health data and information, these sensitive records? The more you dig into that question, and this is back in 2013 and 2014 when I started, the more horrifying the answer is. The reality is the challenges that we face in protecting health data are extraordinarily difficult. And today I will really try to give you a taste of some of the important anecdotes and stories that come out of this, and also the data behind that. I think it makes sense to start with the Anthem breach back in 2015. This was really, for many people, shorthand. Who here got one of those Anthem notification letters? I did, too. This was about half of the U.S. population, or maybe a third of us; about 149 medical records breached. We will never know the exact number of patients affected. But for me this was a massive wake-up call to the fact that health data was highly centralized in many cases, highly vulnerable and highly valuable to certain parties as well. Unfortunately this story did not end with the breach in 2015. The hits keep on coming. We just had a very recent breach, the LabCorp breach, with about 29 medical records, individual data pieces that were identified. We don't know what the numbers are. Of course back in 2016 we had a major ransomware attack that reduced an entire hospital system to pencil and paper.
Imagine all the electronic health records, the electronic system, I can think back to my days on the wards, and now you're using pencil and paper. Pretty scary. This isn't just a couple of anecdotes either. If you look at scale and outcome, a recent report from not too long ago showed 70% of health systems report experiencing a major data breach and one-third experienced one in the last year. If you think about this entire picture together, we are in a pretty terrifying state right now, and it's one where we're not always talking about it, but I can tell you health systems are very aware of it all the time. I'm not a big person on speculation, but also it makes sense to think proactively. It was raised recently in a Bloomberg article, the possibility of whether it's state actors or individuals or other types of criminals engaging in medical blackmail. Typically these types of incidents are highly behind the scenes. There are some great reports that this does happen, but most of the time these are not reported if it is the case. These are the anecdotes, but don't we want to focus on what could be. I want to show you the data for the rest of the presentation, show you what we're facing right now and what the trends are. For some of you in this audience you will know everything I'm talking about really clearly. For others I do want to contextualize why health data is so valuable. So here are some reports, and I think these are exaggerated, but they give you a sense of what these records can be worth. A single individual medical record can go for upwards of 1,000 on the black market. These have been deflated as more records hit the black market, but there's a lot of value to them, and there's a lot of value to them for a lot of reasons. They can be used for insurance fraud, fraudulent claims. You can steal someone's ID and you can do it very comprehensively when you think about the information in the medical record.
It's pretty much the entire history of someone's past illnesses, their family members, their location, financial information. The only thing that has more information on an individual is probably like a comprehensive top-secret document in the United States. You can use it to open financial accounts because there are riches of data, so banking, medical blackmail that could be criminal or state-based. You can also, unfortunately, people use it for mundane and personal attacks, for courtroom litigation and messy divorce cases. We've seen it all. You can run fraudulent Medicare and Medicaid billing mills as well; as soon as we open up, create patients and bill those patients. A lot of unforgivably terrible and really deeply devastating crimes can be committed with medical records that have impact that can go on for years and years. Actually recently there was a CBS morning report that featured some of the data I'm showing today, that showcased an individual who basically, while he was in the service, got his medical identity stolen, and he was resolving those challenges for 15 years afterwards and still suffers from challenges. A wonderful guy and he's been dealt quite a hard blow. What I'm going to show you next is specifically the data that we collect on a regular basis. So Protenus is a world-leading platform focused on detecting dangerous activities in health care, but I'm not here to talk about my company on that side. We also have a research group that works with third parties to identify trends in health data breaches and health cybersecurity in general. What I'm going to show is information we've collected both from public sources as well as, at the end, some interesting proprietary data that will add some color you're not normally going to see in this space. One thing to start out with is that since 2010, and I don't show all the way back, since 2010 there's been a systematic increase in the number of data breaches that occur every single year without fail. Without exception.
We see this since we've been tracking the data, specifically every recent year, and already we're projected to have another record year. This number that you see here is just a half-year estimate from our recent analysis, and so if it were to continue along this stream we will beat out 2018, unfortunately. This is the number of incidents. You want to look at the number of records breached. We are excluding the 2015 Anthem breach; if we added that column, it would go to about 170 million records, that was something in 2015. In 2016 we had a banner, banner year with some big, big breaches, almost 30 million. In 2017 some of us started to think that it was going to normalize. Maybe that was just a couple of big breaches and it would get better. Of course it tripled in 2018, and in 2019 that estimate that you see of almost 13 million is just a half-year estimate. That is not yet annualized to the full year. We are once again on track to break yet another record when it comes to records breached. Importantly, you may want to know where all this breaching is occurring. Of course hacking is a major concern. It's what people usually think about when you think about these types of challenges. That breaks down into more detail, but that's a mix of what we've seen from a phishing perspective, malware, miscellaneous threats, and I won't go into all the deep details, but we provide a breakout of this in the Breach Barometer, which you can download and subscribe to and is totally free; Google Protenus and you can find it. A huge proportion, and this is consistent, between 25 and 40% of breaches, are due to insiders. That is, individuals with some legitimate level of access to the electronic health record who abuse that access. So for instance, when I was the lowliest medical student, once they gave me a white coat I could access any medical record of any individual who ever passed through the walls of my institution. That was not because my institution was unique; I suspect that's true of
basically every single health system in the world. And the reason is because for emergency access you need to be able to get access in the ER quickly. In these complex environments, proactively using access control, as some of you in the audience know, is really a failed paradigm. It's too complex to tackle that type of threat with. This insider threat is one we often underappreciate, but one that has a huge proportion of the breaches we see all the time. As far as who is most vulnerable, this may come as no surprise, but obviously the lion's share here is hospitals themselves, most vulnerable. This is not because hospitals are lazy or do not care. Quite the contrary; they care an extraordinary amount, but given that hospitals are often running on razor-thin margins, their technology investment in this space is not always what they want it to be in order to take care of their patients. When you look at the list of priorities there's a lot going on that they have to be thoughtful of, and of course, they are on the front lines, so there's so much access to this information. In a large health system, all of those people have access to medical records. How do you make sure all those individuals are not committing privacy violations? A giant threat from a phishing attack: even at a 99.9% rate of preventing phishing attacks at your institution, with 100,000 employees at one of these mega systems, there would be a lot of breaches and that's a big problem. Question? [inaudible] [inaudible] So it's hard for me to comment, as a member of the private sector, on a lot of the state-based activity that occurs in these spaces. I'm not really the person to necessarily talk about specifics there, just because that information is not normally available to me. What we see is the lion's share here is people who are not some sort of foreign-espionage type of situation. It's just the hospitals' own employees that might be using it for criminal gain, abusing their access to maybe attack a colleague, to look up a VIP.
I've seen people look up local sports stars for a fantasy football edge. It happens. Yeah, yeah. There are some pretty scary situations out there. So I'm going to tell you a nice story as well. This is like the one good piece of data you will see here, and what this is, it is the average time for an individual health system to report a breach to Health and Human Services, which they are required to do within 60 days. They are really good about this. Hospitals are extremely responsible and thoughtful about, once they know that something has happened, getting it reported. They're doing a pretty good job. We've seen a bit of a trend upward lately on reporting, but most of the time everyone is falling inside these lines, which is good. However, the time to detect the breach is not so good. So oftentimes malicious actors are inside a health system for weeks, for months, for years. We've seen ten-year-plus bad actors inside health systems and they just keep on going. The problem is not in the reporting rapidly, but it is in the detecting rapidly. Here's a number you will not necessarily see a lot, but an important one. We've done analysis at Protenus to understand how many privacy violations typically occur in a given month based on the size of the institution. What we've seen is that for every 300 individuals you can expect about one privacy violation to a patient's data per month. If you have 30,000 employees at a whole system, you're talking about 100 privacy violations a month, and 1,200 per year. If you think about what is being reported, you can only get this once you get comprehensive analysis of the system to understand how many violations are happening, but it gives you a sense of the size and scope of these threats we're seeing across the whole spectrum. In addition, there's a great opportunity here to focus on education and remediation.
Another thing we see is the majority of events that we're detecting are repeat offenses, which means someone has already violated patient privacy in some way, and we have caught and educated them. They would do it again and again and again. We see this pattern over and over again. It means we could reduce by half the number of violations that occur if we were proactively detecting these threats and ensuring that individual is educated or appropriately sanctioned for the activity. This looks bad, but it's somewhat of a hopeful step because it means we can predict and prevent these threats through just really thoughtful workforce management. I want to be brief in this next section and note briefly that my work at New America is focusing on a white paper which should be released next month that really addresses three core areas of challenge in this space, and I will be thoughtful of the time because I'm running over, but the areas are essentially culture, workforce, and technology. When we look at culture it's all about how do we create accountability from the board level on down. How do we fund hospitals so they can make sure they're getting the job done? How do we work with existing regulatory structures to be more effective and more forward thinking? Our workforce is how to build a future workforce that's effective. It's how do we retain the valuable workforce we have, and it's how do we prevent workforce burnout through making sure we are not having people do continuous or repetitive low-value tasks and focus on what is strategically important. Finally, from a technology perspective, it's about getting a lot of legacy junk out of the system. We know there's a lot of legacy technology that needs to be remediated. There are areas we can clarify when it comes to guidance. Finally it's about making IT end to end, whether it's device or software, a security-by-default lifecycle when it comes to creating these software devices, but again ultimately treating and serving patients right.
It's all about patient safety. We do all these things in the end to protect patients, defend them from these threats, and in addition keep them safe. That's what the Hippocratic oath is all about, and in a way that's what we've got to do from a cybersecurity and privacy perspective. And so I will now wrap things up; hopefully you can take a look at this in September, and now there will be a much more interesting speaker talking to you. Thanks so much, everyone. [applause]

Good afternoon, guys. My name is Jen Covich and I'm the CEO of the eHealth Initiative and Foundation in Washington, D.C. Robert just gave us a really nice setup, a basic overview in terms of where the data is on breaches and where we're going. I'm going to spend a few minutes talking about some of the misperceptions about HIPAA policy and insider policy, and talk about current policies and practices and how we are evolving into what could be a national security threat around cybersecurity and health. Cybersecurity has nothing to do with elections, just health care. eHealth Initiative has been around about 19 years, and we're a group of influential executives from across the spectrum of health care. We bring together leaders from all different groups, payers, providers, vendors, pharmacy, et cetera, to work on really tough issues. Our belief is you can't just talk to the hospitals about health care. You can't just talk to providers and clinicians about health care. Health care is a continuum. We need to join with pharmacies, patients, consumers, vendors. This is a problem, an interconnected problem, a network problem. We need to all come together to figure out how to solve it. We've done a lot of research, education and policy work around cybersecurity. I think we passed out today, we have a new white paper out on risky business. We had some fact sheets on myths surrounding HIPAA, and many more on our website.
We really need to stop looking at cyber and privacy policy, and stop thinking about health care data in terms of what building it belongs in, or what office it should be in. Health care data doesn't stop at the door to your hospital; data shouldn't only be within the hospital. You should be able to access it from home, from your phone. It's all over the place. So in terms of thinking about rules around cybersecurity and health care data, it doesn't make sense to always think about it within an institution. We need to think about it in terms of a greater spectrum. I just want to be frank with you here. We have done a horrendous job in health care and technology talking about privacy policy, what health care data is, where it lives, why it's important, all of those th
