We will hear from data security and health care officials, just getting started, live coverage on C-SPAN2.

Shedding light on some of the pressing issues of our time when it comes to cybersecurity threats and how they impact our nation. For today's briefing, I think specifically of seeing a number of very high-profile, expensive and quite likely potentially dangerous cybersecurity attacks on our nation's health care sector. We brought in two individuals today with a wealth of knowledge in this area. Robert Lord is chief strategy officer at Protenus and will be here to give a presentation to us on this important topic, and we also have Jen Covich, who is the CEO of eHI. Without further ado, I will let the first presentation get started.

Thanks so much, great. I very rarely give talks that are standing room only, so I really appreciate you guys' interest today. As was mentioned, I'm Robert Lord, cofounder and president and chief strategy officer of Protenus, and also I'm a fellow at New America's cybersecurity policy program. While a lot of the information I'm presenting today comes from research that we've done at Protenus and some of the work we are currently building at New America, I'm not speaking on behalf of either of those organizations today. I'm really just talking from my experience and providing perspective on the challenges that we see in this space. I guess I'll contextualize this, because sometimes when we talk about cybersecurity it can be a little bit too much bits and bytes and people in hoodies. The first thing I always think about when I think about health care cybersecurity is the patient I had when I was in medical school. I was fortunate to work in a clinic that focused on treating HIV-positive patients in Baltimore when I was in med school.
One of the things you learn quickly about this population, other than that they're a wonderful, really complex, rewarding population to work with, is that they have extraordinary concerns around the privacy and security of their information. They will go to extreme lengths to make sure people do not find out about their diagnosis or their treatment, whether coworkers, their communities or so many others that might use this information against this extremely vulnerable community. One of the things I began to think about while treating these patients was: what are we doing to defend their health data and information, these sensitive records? The more you dig into that question, and this was back in 2013 and 2014 when I started, the more horrifying the answer is. The reality is that the challenges we face in protecting health data are extraordinarily difficult. And today I will really try to give you a taste of some of the important anecdotes and stories that come out of this, and also the data behind that. I think it makes sense to start with the Anthem breach back in 2015. This was really, for many people, a shorthand. Who here got one of those Anthem notification letters? I did, too. This was about half of the U.S. population, or about a third of us; about 149 medical records breached. We will never know the exact number of patients affected. But for me this was a massive wake-up call to the fact that health data was highly centralized in many cases, highly vulnerable and highly valuable to certain parties as well. Unfortunately this story did not end with the breach in 2015. The hits keep on coming. We just had a very recent breach, the LabCorp breach, with about 29 medical records, individual data pieces, that were identified. We'll see what the numbers are. Of course, back in 2016 we had a major ransomware attack that reduced an entire hospital system to pencil and paper.
Imagine all the electronic health records, all the electronic systems; I think back to my time on the wards, and now you're using pencil and paper. Pretty scary. This isn't just a couple of anecdotes either. If you look at scale, a recent report from not too long ago showed 70% of health systems report experiencing a major data breach, and one-third experienced one in the last year. If you think about this entire picture together, we are in a pretty terrifying state right now, and it's one we're not always talking about, but I can assure you health systems are very aware of it all the time. I'm not a big person on speculation, but it also makes sense to think proactively. The possibility was raised recently in a Bloomberg article of the ability of, whether it's state actors or individuals or other types of criminals, to engage in medical blackmail. Typically these types of incidents are highly behind the scenes. There are some reports that this does happen, but most of the time these are not reported if it is the case. These are the anecdotes, but I don't want to focus only on what could be. I want to show you the data for the rest of the presentation, show you what we're facing right now and what the trends are. For some of you in this space, you will know everything I'm talking about really clearly. For others, I do want to contextualize why health data is so valuable. So, some reports, and I tend to think these are exaggerated, but they give you a sense of what these records can be worth. A single individual medical record can go for upwards of 1,000 on the black market. These have been deflated as more records hit the black market, but there's a lot of value to them, and there's a lot of value to them for a lot of reasons. They can be used for insurance fraud, fraudulent claims. You can steal someone's identity, and you can do it very comprehensively when you think about the information in a medical record.
It's pretty much the entire history of someone's past illnesses, their family members, their location, financial information. The only thing that has more information on an individual is probably something like a comprehensive top-secret document in the United States. You can use it to open financial accounts, because there are riches of data there, so banking; medical blackmail, which could be criminal or state-based; and unfortunately people also use it for mundane personal attacks, for courtroom litigation and messy divorce cases. We've seen it all. You can run fraudulent Medicare and Medicaid billing mills as well, where as soon as we open up, we create patients and bill those patients. A lot of truly terrible and really deeply devastating crimes can be committed with medical records, with impacts that can go on for years and years. Actually, recently there was a CBS morning report that featured some of the data I'm going to show today, and that showcased an individual who basically, while he was in the service, got his medical identity stolen, and he was resolving those challenges for 15 years afterwards and still suffers from challenges. A wonderful guy, and he's been dealt quite a hard blow. What I'm going to show you next is specifically the data that we collect on a regular basis. So Protenus is a world-leading platform focused on detecting dangerous activities in health care, but I'm not here to talk about my company on that side. We also have a research group that works with third parties to identify trends in health data breaches and health cybersecurity in general. What I'm going to show is information we've collected both from public sources as well as, at the end, some interesting proprietary data that will add some color you're not normally going to see in this space. One thing to start out with is that since 2010, and I don't show all the way back, since 2010 there's been a systematic increase in the number of data breaches that occur every single year, without fail. Without exception.
We've seen this since we've been tracking the data specifically, a record every year, and already we're projected to have another record year. This number that you see here is just a half-year estimate from our recent analysis, and so if it were to continue along this trend we'll beat out 2018, unfortunately. This is the number of incidents. You also want to look at the number of records breached. We are excluding the 2015 Anthem breach; if we added that column, it would go to about 170 million records that year, something like that in 2015. In 2016 we had a banner year with some big, big breaches, almost 30 million. In 2017 some of us started to think that it was going to normalize. Maybe that was just a couple of big breaches and it will get better. Of course it tripled in 2018, and in 2019 that estimate that you see of almost 13 million is just a half-year estimate. That is not yet annualized to the full year. We are once again on track to break yet another record where it concerns records breached. Importantly, you may want to know where all this breaching is occurring. Of course hacking is a major concern. It's what people usually think about when they think about these types of challenges. That breaks out into more detail, but that's a mix of what we've seen from a phishing perspective, malware, miscellaneous threats, and I won't go into all the deep details, but we provide a breakout of this in the Breach Barometer, which you can download and subscribe to and is totally free; Google Protenus and you can find it. A huge proportion, and this is consistent, between 25 and 40 percent of breaches are due to insiders. That is individuals with some legitimate level of access to the electronic health record who abuse that access. So for instance, when I was the most lowly medical student and they gave me a white coat, I could access any medical record of any individual who ever passed through the walls of my institution. That was not because my institution was unique; I suspect that's the case in basically every single health system in the world. And the reason is because for emergency access you need to be able to get access to the EHR quickly. You have complex environments where proactive access control, as some of you in the audience know, is really a failed paradigm. It's too complex to tackle that type of threat with. This insider threat is one we often underappreciate, but one that accounts for a huge proportion of the breaches we see all the time. As far as who is most vulnerable, this may come as no surprise, but obviously the lion's share here is hospitals themselves being most vulnerable. This is not because hospitals are lazy or do not care. Quite the contrary, they care an extraordinary amount, but given that hospitals are often running on razor-thin margins, their technology investment in the space is not always what they want it to be in order to take care of their patients. When you look at the list of priorities, there's a lot going on that they have to be thoughtful of, and of course they're on the front lines, so they must have access to this information. In a large health system, 30,000 people all have access to medical records. How do you make sure all those individuals are not committing privacy violations? It's a giant threat from a phishing attack too. If you have a 99.9 percent rate of preventing phishing attacks at your institution, yet you have 100,000 employees at one of these mega systems, there would be a lot of breaches, and that's a big problem.

Question? [inaudible] [inaudible]

So it's hard for me to comment, as a member of the private sector, on a lot of the state-based activity that occurs in this space. I'm not really the person to necessarily talk about specifics there, just because that information is not normally available to me. What we see is that the lion's share here is people who are not in some sort of foreign espionage type of situation. It's just the hospital's own employees who might be using it for criminal gain, abusing the access to maybe attack a colleague, to look up a VIP.
I've seen people look up local sports stars for a fantasy football edge. It happens. Yeah, yeah. There are some pretty scary situations out there. So I'm going to tell you a nice story as well. This is like the one good piece of data you will see here, and what this is, it is the average time for an individual health system to report a breach to Health and Human Services, which they are required to do within 60 days. They are really good about this. Hospitals are extremely responsible and thoughtful about, once they know about something, getting it reported. They're doing a pretty good job; we've seen a bit of a trend upward lately on reporting time, but most of the time everyone is falling inside these lines, which is good. However, the time to detect the breach is not so good. So oftentimes malicious actors are inside a health system for weeks, for months, for years. We've seen ten-year-plus bad actors inside health systems, and they just keep on going. The problem is not in the reporting rapidly but in the detecting rapidly. Here's a number you will not necessarily see a lot, but an important one. We've done analysis at Protenus to understand how many privacy violations typically occur in a given month based on the size of the institution. What we've seen is that for every 300 individuals you can expect about one privacy violation to a patient's data per month. If you have 30,000 employees at a whole system, you're talking about 100 privacy violations a month, and 1,200 per year. If you think about what is being reported, you can only get this once you get a comprehensive analysis of the system to understand how many violations are happening, but it gives you a sense of the size and scope of these threats we're seeing across the whole spectrum. In addition, there's a great opportunity here to focus on education and remediation.
Another thing we see is that the majority of events that we detect are repeat offenses, which means someone has already violated patient privacy in some way, and we haven't caught and educated them. They would do it again and again and again. We see this pattern over and over again. It means we could reduce by half the number of violations that occur if we were proactively detecting these threats and ensuring that individual is educated or appropriately sanctioned for the activity. This looks bad, but it's somewhat of a hopeful step, because it means we can predict and prevent these threats through just really thoughtful workforce management. I want to be brief in this next session and note briefly that my work at New America is focusing on a white paper, which should be released next month, that really addresses three core areas of challenge in this space, and I will be thoughtful of the time because I'm running over, but the areas are essentially culture, workforce and technology. When we look at culture, it's all about how do we create accountability from the board level on down. How do we fund hospitals so they can make sure they're getting the job done? How do we work with existing regulatory structures to be more effective and more forward-thinking? Workforce is how do we build a future workforce that's effective. It's how do we retain the valuable workforce we have, and it's how do we prevent workforce burnout by making sure we are not having people do continuous or repetitive low-value tasks, and focus on what is strategically important. Finally, from a technology perspective, it's about getting a lot of legacy junk out of the system. We know there's a lot of legacy technology that needs to be remediated. There are areas we can clarify when it comes to guidance. Finally, it's about making it, whether it's a device or software, a secure-by-default lifecycle when it comes to creating these software devices, but again ultimately treating and serving patients right.
It's all about patient safety. We do all these things in the end to protect patients, to defend them from these threats, and in addition to keep them safe. That's what the Hippocratic oath is all about, and in a way that's what we've got to do from a cybersecurity and privacy perspective. And so I will now wrap things up; hopefully you can take a look at this in September, and now there will be a much more interesting speaker talking to you. Thanks so much, everyone. [applause]

Good afternoon, guys. My name is Jen Covich and I'm the CEO of the eHealth Initiative and Foundation in Washington, D.C. Robert just set a really nice foundation for us, giving a basic overview in terms of where the data is on breaches and where we're going. I'm going to spend a few minutes talking about some of the misperceptions about HIPAA policy and insider policy, and talk about current policies and practices and how we are evolving into what could be a national security threat around cybersecurity and health. Cybersecurity has nothing to do with elections, just health care. eHealth Initiative has been around about 19 years, and we're a group of influential executives from across the spectrum of health care. We bring together leaders from all different groups, payers, providers, vendors, pharmacy, et cetera, to work on really tough issues. Our belief is you can't just talk to hospitals about health care. You can't just talk to providers and clinicians about health care. Health care is a continuum. We need to join with pharmacies, patients, consumers, vendors. This is a problem, an interconnected problem, a network problem. We need to come together to figure out how to solve it. We've done a lot of research, education and policy work around cybersecurity. I think we passed it out today: we have a new white paper out on risky business. We have some fact sheets on myths surrounding HIPAA, and many more on our website.
We really need to stop looking at cyber and privacy policy, and stop thinking about health care data in terms of what building it belongs in, or what office it should be in. Health care data doesn't stop at the door to your hospital; data shouldn't only be within the hospital. You should be able to access it from home, from your phone. It's all over the place. So in terms of thinking about rules around cybersecurity and health care data, it doesn't make sense to think about it within an institution always. We need to think about it in terms of the greater spectrum. I just want to be frank with you here. We have done a horrendous job in health care and technology talking about privacy policy, what health care data is, where it lives, why it's important, all of those things. When people think about cybersecurity they generally think about elections and banks, whatever the latest story on the news is right now; they're not thinking about their health care data. Part of the issue is that we have made it so technical and confusing and we throw these acronyms out at you, so people just don't understand it. It sounds really overwhelming, and I'll be honest with you, when I started in health care two decades ago, I felt silly asking questions about HIPAA. I felt I had to be a lawyer or legal analyst to ask questions, because it was so complicated and technical at that point. How many of you have been in a doctor's office, filling out a form, and you said, why do I need to do this again? They said to you, because of HIPAA, right? HIPAA is the big bad wolf of health care, okay? Whenever you can't get something done, a lot of times the excuse is, we can't do it because of HIPAA. Your doctor can't talk to your loved one about your condition because of HIPAA. That's a myth. Your doctor needs a written authorization before they can show your health information. That's another myth. Doctors are not allowed to email patients. That's another myth. HIPAA protects all of your health care data, another myth.
I'm going to go into these last two because these really drive me nuts. If an organization is HIPAA certified, it's okay to share information with them. There is no such thing as a HIPAA certified organization. I'll say that again. There is no such thing as a HIPAA certified organization. HHS does not go out and certify organizations and say, you are completely in compliance. They don't do that for every single health care organization. So what also happens is an organization says they are HIPAA certified, but that basically means they are complying with HIPAA the way that they interpret it. Another myth out there is that if a consumer uploads their medical records into a health app, that information is protected by HIPAA. Wrong. There's no such thing as a health certified or a HIPAA certified health app. It's not out there. If a company offers a direct-to-consumer app, so you could download an app from an organization, and it's not provided by a covered entity, it's not subject to HIPAA. I just used a word that might confuse you: covered entity. This is where we get a little bit confusing and people's eyes start to glaze over a little bit and they start to fall asleep a little. Let's talk about what that means. There are a couple of key questions around apps and whether or not they fall underneath HIPAA. It all depends on how an app is branded. It depends on how the consumer gets to the app. It depends on how the data flows between the app and maybe the hospital or the doctor's office. It depends on whether or not it is coming from there. These are all a lot of little things that can really determine whether or not a health app is covered under HIPAA and has to follow HIPAA regulations. Generally, HIPAA covers data that is in health plans, with health care providers that are conducting transactions like claims transactions, billing, clearinghouses, and business associates. Another term that's probably a little bit confusing, which we will talk about.
So who counts as a business associate? I'm not going to make you read this. I'm going to tell you. Let me give you guys an example. Say we have Sally, okay? Sally goes to her doctor. Her doctor says, you know what, you have diabetes, I've got this really great app that can help you manage your condition and you'll get some counseling along with it; I heard about it from this great app company. So her physician gives her the app. She goes out and she uses the app. That app is covered by HIPAA because it came from the provider. The provider recommended it. The provider's name might be on it, so it is in effect coming directly from the provider. So that app is now supposed to comply with HIPAA, which means it should protect all of your health care data in there. Now, this is where it gets a little bit tricky. Say we have Sally, same Sally. Sally picks up the newspaper or picks up her phone and reads about this really cool new health app that Apple has. She downloads the same exact app directly, puts the same kind of data in it. That app is not covered by HIPAA, because it was direct to the consumer. So you see, you can have the same app with information in it that is supposed to comply with HIPAA, and you can have one that's not, even though it's the same information from the same company. This is what makes HIPAA a little tricky to figure out. It doesn't quite make sense, and that's just one of the reasons we need to really think about where this is all going. There's also kind of this healthy-ish type of data, I like to call it, that's not covered under HIPAA. Things like: you join a disease network to talk about your cancer care, or a counseling network online; you purchase a genetic test; you purchase information about a sexually transmitted disease. You join an HIV group. GPS data that shows you go to your psychiatrist every Thursday. GPS data that shows you are in a rehab center for six months. All of that information is healthy-ish kind of data.
It says a lot about your current condition and could reveal a lot about you. That's not covered either. A lot of people would be a lot more concerned about all the items they purchased at Walgreens or CVS or on Amazon going public than they might be about their medical record. Everybody is using these third-party apps, as they're called, even CVS. I went on last night; it has a list of third-party apps it uses. If you go to the site you can see all of the different organizations that CVS is sharing information with, and you can link to them. In some cases you can opt out. It's that so much of this data that we are trying to protect so carefully, we're actually giving it away. So how are we giving this data away? Has anybody read the fine print? I mean, I just pulled this down from my own personal health plan and some of the doctors' offices that I go to. It's my personal information. But if you actually read that, and I encourage all of you to read the fine print, you will see in many cases the policy says they don't have to agree to do what it says they're going to do. In many cases it says that they will share this information with contractors and authorized partners, but they don't tell you who those people are. It says they will use it for normal routine health care operations; I'm not sure what a normal routine health care operation is. Does that mean a web developer who happens to be in the office today gets to look at my health record? Maybe. Or the guy that's working on the Xerox machine, I don't know, but it's important to understand what it is you're signing away. And then a lot of these will say we can change the terms. We reserve the right to change the terms of this policy at any time we want. And if you want to learn about that, you can pick up a copy of the changes. So a lot of the fine print is really just giving a lot of information away. So we've heard a lot about health care data and how valuable it is.
I think everyone in this room can probably attest to the fact that we need this data to find cures for cancer, to discover new drugs, to save lives. It's valuable data, and we're finding that actors want this data as well. So guess who else wants your data as well? I was pretty naive when I started in cybersecurity. I thought the reason everybody wanted this data was because they wanted to break into medical records and find out about Britney Spears or Helena, somebody in rehab, or what their medical condition was. Was someone pregnant, all the celebrity things you hear about, or they wanted to bribe people. Don't fool yourself. It's naive to think this is just about bribery or understanding celebrities or someone even trying to steal your credit card. This is happening right now. There is a new space race, and it's around health care data. This is the fastest-growing business globally. Chinese investors right now are pouring in: in the first nine months of 2018, 23 percent of all their investments went into biotech. Companies globally are involved in economic espionage. And companies that handle patient data are really at particularly great risk. They are taking this data. This is really a space race. Whoever has the most data wins. Think about it. Think about the amount of profit that can be made by the next influenza vaccine. The Ebola vaccine. Think about the potential of bioterrorism that would take place if you discovered a certain population was susceptible to a certain germ or drug. I'm really grateful to the supervisory special agent from the FBI; I don't know if anybody has heard him talk before. He's from the Weapons of Mass Destruction Directorate here. And that's all he does: he looks at the different countries that are basically not just having our information but taking our information, when we give it to them. And that's what's generally happening. The data that they're taking can be used to exploit us; they can discriminate against certain groups.
They can create bioweapons, target us, and most importantly they can get economic advantage. Look in the news. All of these companies are working with Chinese companies in this case. It's not just China, but there are many examples from China where U.S. corporations are sharing their data with Chinese-owned organizations. So basically, our information is in many cases being given to the Chinese. There is clearance from CMS, the Centers for Medicare and Medicaid Services, that allows you to work with organizations outside of the U.S. and share data with them. Imagine your health plan in the U.S. directs all your labs, all your DNA testing, whatever it might be, to be handled by a Chinese company that doesn't have our best interest at heart. If you look in the news, sometimes you hear that the Chinese are hacking data, but more often than not, we're giving them the data. There was a report released this year, February 2019, by the OIG and the FBI that identified national security risks related to sharing genomic data, this is happening right now, and that identified China as a primary source of those risks. There are concerns right now because NIH has given access to U.S. genomic data to companies in China. And these companies have ties to the Chinese government. Now, this is not reciprocal. So in health care we like to think everybody's sharing data for the greater good. And that's how I believed things were. But that's not the case. In fact, in China they have a law. Data doesn't go outside their boundaries; they don't share any of their data. Our data, yes, but they don't share any data. In fact, there's a new law there: you can't even use any biomaterial from China unless there's a Chinese collaborator or organization involved. So it's really important to understand what the national security risks are of sharing health data with China and other countries. It's important to understand what regulations we have in place for sharing our U.S. human data.
It's important for us to understand what payments we are making through CMS, what payments our federal government and CMS are making to other countries to hold and handle our data. And it's really important for CMS and for private companies to consider what the national security risks are that we should think about before we do business with these companies. These are things we had worried about before. I mean, we've been worrying about people hacking in to take celebrities' information or blackmail individual persons. But that's not what's happening. We are actually at a different point right now. Senators Grassley and Rubio drafted a letter just a couple of months ago, is anybody here from those offices?, asking for CMS to put a plan together, and asking to understand better NIH and how they're sharing that, and to be clear about what payments are going there. And what the rules are going to be; it's the beginning of exploration around this, but this is something I think is important for people to keep asking about. Because this is going to sneak up on us very quickly. Once that data is gone, it's not coming back. So in summary, this health care data is valuable. And I want to emphasize that. It is important to share this data, de-identified, so that we can do the research we need to do to find cures and better treatments. To find appropriate treatments for Alzheimer's or ALS you need vast amounts of data to do that, so we don't want to stifle that. But we need to make some really tough decisions about how much data we want to share and in what form. Who we want to share it with. And today, I haven't seen a lot of discussion about that. But the time to have that discussion is now, before it's too late. So with that, I want to thank you for listening, and I'm happy to take any questions.

Thank you again to Jen and Robert for those presentations.
They were able to cover what I would consider an enormous amount of information condensed into those slides, but I'm sure there are tons of questions, and I want to drill down a bit deeper on certain subjects. The first question. I think we definitely got a good understanding of the risk of our data being out there, and how it is shared, and how we don't know it is being shared, and some of the inherent risks with that. One question I'd like to start with is: is there a concern, or should there be a greater concern, that beyond the inherent risks and the jeopardy to patient safety with the data being shared, is there a direct patient safety threat from malicious actors? Are there other avenues we might want to be worried about? If we can talk about that for a bit as well.

You guys can probably hear me. So we certainly see this; you've got just one? Okay. That works. So one of the things that I mentioned was the potential ransomware attacks. This is when essentially you have a form of malware that encrypts all of the data in a health system and makes it inaccessible to anyone using those systems, effectively shutting down anything that runs on any of that data, so basically everything. Well, there are still some hospitals that probably should, but they don't. That means the patient safety effects can be huge, because suddenly you've lost access to critical systems. And another big concern that has been proven time and again, at least in the theoretical research, and we don't know if it's been done in the wild yet, is potential device-related things. So you can imagine an insulin pump, an implant, or the like. These could readily be compromised, and then the function of those devices could be used to kill patients or seriously injure them. So those are just a few examples, but they are very serious and they are very possible, and they either actually exist out there or have been proven to be completely possible and deployable.
So right now, there is malicious software attacking Microsoft and other widely used software, and a lot of the medical devices run on top of that software. So it could be that they're not necessarily attacking the medical device itself but the software connected to it; that is happening right now. And a lot of people don't recognize when their machines, or the device, or hospitals don't know that their device is connected to something that has been affected maliciously. That is happening right now, just not in the way that you think about. Everybody knows the Homeland episode with the pacemaker getting hacked, and we're not seeing that so much right now. But definitely we are seeing a lot of attacks on general software connected to those things. And we don't have a good way right now to notify people and reach out there, because if you think about medical devices, once they're out there we would need to know exactly where the manufacturer sold them, to what provider, and often which patient they were given to. Think about the chain of events in terms of where medical devices go. It's a pretty long chain. Though in terms of the notification, there are specific guidelines about how notification is supposed to take place, it's a real concern; the more this happens, I think, the more dangerous it gets.

[inaudible] you mentioned where the sources were coming from, whether attackers or outsiders, based on instances or the proportion or number of patients, does that make sense?

The incident numbers, those percentages, yes. The number of incidents. So you have a different view toward hacking when you look at the percentage of records compromised, because those will tend to be the biggest types of breach events. That being said, what sometimes can be the most damaging to health systems are the one-off types of attacks, because they can be very public.
They might be personal, they might be one-on-one, and then there are legal actions. So when you look at the total risk to the system, you can make an argument that it can be either way, but your point is a good one: by total number of records compromised, you get more hacks. It just depends; sometimes it's an insider type of error that leads to that, and I can get into insider events. Good question. We're going to go to the back there.

[inaudible] We see impact to patient safety in ransomware attacks, typically. Because the end effect is surgeries are canceled, ambulances possibly diverted, and we've seen that among our members. So the adversary, after the Mueller hospitals most recently, is increasing the ransom attacks and using an attack that goes into the backups first, to encrypt the backups. That is troubling because that's the normal sense of ransomware; I'm very concerned about that and I'm going to change your comments there. Then on your data point too, I think the majority of the records, as you say, are compromised by external hackers; would you agree with that? The number of records compromised.

We see that from a number of records, but sometimes we need to be thoughtful about incidents versus records as our measure of risk, since sometimes those incidents end up being some of the greatest vulnerabilities, versus the bulk records that may or may not be exploited in these large web sales, things that might have less of an impact on the institution and their patients. It does depend, but it's a good point, and I would applaud also AHA for a lot of great work they've been doing in this space, bringing it to light, and specifically I know some of the work you've been doing.

Reinforcing your point, we launched an initiative to help our members become aware of these strategic threats posed by nation-states targeting medical research and innovation. Thanks for bringing that up.

Just to piggyback as well, I think these attacks are the most common, so that is external, but you can address that with training.
A lot of companies have trained their employees on phishing attacks, so they will send an email and see the people that click on it after the training. You can address that, but that is the number one way that people get in. We show that breakdown in our data, if you want to look at the report; we've confirmed over time that phishing is by far the largest portion of the hacking section of those events.

Right there in the back, if you don't mind, this gentleman will find you with a microphone, and if you could introduce yourself.

What policy has been recommended, or should be recommended, to address this issue?

Which part?

Mainly hospitals leaking information, and protecting against companies outsourcing the data to foreign nations.

We generally haven't seen that. What we've seen in terms of hospitals is the phishing scams, so it's a training and education issue. A lot of the larger hospital organizations and large corporations are launching large-scale efforts to train their employees to not click on things, because that's the number one way that people get into your organization. Is that how some externally and from other nations get in? Yes, but it is kind of all around; for the most part, they get in from the inside door.

The only thing I'd add is I think you bring up a really broad set of challenges that are faced. Even if you look at any one discrete piece, the challenges are across many different dimensions, and a lot of what we're working on at New America in particular is to understand how we change the culture of these organizations, to your point around education.
How do we look at the technology, are we using artificial intelligence, looking at the development life cycle and using everything we can, and ultimately workforce. At the end of the day it's human beings that are defending these systems as well as serving up the vulnerabilities, and the training and pipelines we create there, to have a strong, diverse and well-trained workforce in the future, are just incredibly important. There are a lot of specific policy recommendations in this paper that will be released soon, and I'm hoping it can help empower this and make more concrete recommendations.

I think it's important that organizations like AHA and the other associations and societies get out there and do what AHA is doing: educate people. People don't even know this is a problem or that it is happening. And you know, the more you can talk about it and your offices work with your constituents on it, it's important, and bring up real-life examples with them.

I've been seeing a lot in the academic literature pushing the idea of the internet of things that will save us from human error when we're talking about IV transfusion. But I kind of always have this fear in the back of my mind of how these things are handled. Most of the literature I've seen lately dealing with security is focused on either the [inaudible] of data collection. Do you think that there's not really as much direct risk there, or is that something that could be forthcoming as more of these devices become mainstream?

A lot of the systems are very smart. And there is always human error, and we're finding that medical records are in many cases more secure than they were when they were paper records, in many cases, but everything's going to be hackable eventually. There's always going to be a way in. There's no one hundred percent guarantee something can be safe, so if anyone's looking for that, they're not going to find it.
For me, just from my perspective, when I was a medical researcher in school, I focused almost entirely on patient safety as the topic I worked on, and I can tell you absolutely there is a really important role for the internet of things in improving patient safety. One thing that gets lost: you can't lock everything down and say there's no system, let's go back to a scalpel and a pencil; that's not going to work. We have real gains we can make by leveraging data and modern technology and leveraging conceptual frameworks like the internet of things, but I think sometimes we frame it as an either/or. It's not an either/or. We need to use these advanced technologies to help patients and deploy advanced technology to protect this data, so until we start thinking about it as an "and" instead of an "or", we're not going to fundamentally shift this, but it's an absolutely possible thing, and we see health systems doing it all the time.

Hi Jennifer, I had a question. I'm not sure how familiar you are with MIT; it's obviously a big center for medical innovation, but one thing left out of the conversation, Robert briefly was talking about it in his research, is that universities are a giant hole for a lot of this hacking, but also particularly from foreign influences, because most universities want to partner with other universities, especially in China. You're right, we should be encouraging that. We should want collaboration because that's the nature of academia and the sciences, but I would argue that especially with some of the research that comes out of MIT, and how we know that it leads to actively monitoring leaders, especially with the genome stuff you were talking about earlier, they're tracking people's DNA and identifying them based on their ethnic heritage, and I feel like to an extent it brings up the question of should we ban Chinese investments and investors from the US tech industry?
It's an extreme option, but it's ridiculous considering we always have American science being at least somewhat culpable in what's currently going on at the moment.

It's a good question. And I don't think there's an easy answer to it. Of course not. First of all, there were these two Chinese scientists who I believe were just indicted for doing exactly that, what you're talking about, and it's going to happen again, but we need to share this data openly. We need more data; without it we're not going to find these, we're not going to discover the diseases. It's a really complex question. It could be a matter of how we share the data and in what format. It needs to be reciprocal. The other issue is one of money. Chinese investors are putting a lot of money into biotech in this country. So there's a financial question as well as an ethical one. It's a conversation that has to be had. One of the things I don't think we've asked at all of the general public, and we don't know about consumers, is what do consumers think? How open do people actually think their data should be? Are the people in this room willing to share their data, but only de-identified? I don't think we have a good sense of which way the general public is going as well, and it's hard to make policy without even knowing that. So there are no easy answers, but they are all questions that need to be discussed, and we need to find out what the public perception is as well. Sorry I didn't answer your questions.
That's a frustration that a lot of us in the national security community have when it comes to China, is that frankly, when it comes to trade, when it comes to science, when it comes to the South China Sea, it seems like China gets the benefit of this with any other system but not the responsibility or the burden of having to follow any rules. So even if we do set up a line, you can have access to American health data but you can only do it through CMS and they have to be monitoring it, the reality is many of these investors will have the choice as to whether or not they want to do that, because many of these companies are owned by the Chinese government. And in most companies, I believe, a member of the Chinese Communist Party has to sit on the board of that company. We've seen this with several other companies, and I guess the question is, it's true, we should be having a conversation as the general public and asking what the general public thinks about issues like this, but the issue I have is the same issue a lot of people have when dealing with China: how do you deal with an actor that isn't going to deal with you on even terms? Should we try to push them a little bit and make them understand that while the relationship is one of symbiosis, we rely on them for trade and investment and other things, at what point do we have to stand up and say no, not today?

We are starting to do that. The administration put a halt to the 23andMe investment that was going to take place from the Chinese company recently. This is already happening. So their money is already here in many places, so it's a real comment, yes. I'm not sure what putting a stop to it would mean right now, what that would look like, but maybe that is a decision that policymakers have to figure out, what that looks like, but at the same time, NIH has gotten a lot of important data from other nations. We really have to balance what's important. Right here.
Good afternoon, I'm from the Management Office and I want to take the time to thank you all for taking the time to come to Capitol Hill and speak on this issue. I come from West Virginia, and while our state has incredible community health networks such as in Huntington, Morgantown and Charleston, so much of our work is done at the local level in small rural clinics, and the relative information that they're able to retain on patients is incredible. And obviously, as we talked about earlier, resources are scarce, especially money. Margins are so small within healthcare, but particularly in rural areas the resources are even more scarce, and as we see advancements in things such as telemedicine, what advice or recommendation could you all offer to make sure that even though the resources are scarce, we are still utilizing technology at the local level and still have the best protection in place?

I can speak briefly to that; we have a recommendation in the space that relates to rural settings. As you may know, some of the barriers to protecting these facilities are related to the existing anti-kickback and Stark laws associated with larger organizations providing elective funding to these smaller affiliated clinics that represent major weak links. So you could put them under the security umbrella of a larger hospital, and a larger hospital may want to do that to protect them, but they're not allowed to because of current legislation and regulation, so reforms there would be an easy move.
I think in the longer-term sense, to hopefully scale, using technology, the types of automation and the types of insight and the types of proactive detection of threats that can reach out into all of these communities, that can reach out to networks of different providers, and not necessarily have an individual at every one of these sites but overall technologically enabled oversight of these organizations that are connected back to central hubs. This is all possible, and I think there's relatively low-hanging fruit that we could modify to transform the landscape and improve the care that we're delivering to our patients at rural clinics.

It's reflective of the inequity we have right now between smaller, rural, less-resourced providers and these larger corporate companies that have all the resources they need to do the technology updates and have a full breadth of security. It's going to be really hard for some of these smaller places to be completely secure, so it's not going to be equitable. I think that's a real problem and we're seeing that across the country. I do think ASA and other organizations are doing a good job, and the Rural Hospital Association is doing a great job of trying to share some of the resources they have, but it's tough.

We have come up on the end of our time here; it looks like perfect timing, no more questions remaining. Thank you both again, you've been generous with your time, and thank you to everyone that came out today. I would like to say, as you can tell from the context of our conversation, that there's a lot of work to be done in this area, there's a lot we need to focus on moving forward and explore to a greater extent. This is something that the Cyber Security Caucus will be committed to exploring in the future, so we definitely invite all of your bosses to join the caucus, and we thank you once again on behalf of Senator Warner for coming today. [applause]

If anyone would like to reach me directly it's robert. The benefit of having a single name.