Transcripts For CSPAN2 Health Care Cybersecurity Discussion

CSPAN2 Health Care Cybersecurity Discussion July 14, 2024

I'm Greg Mathis, policy advisor to Senator Mark Warner. Thank you for joining us for the Cybersecurity Caucus. As many of you know, Senator Warner along with Senator Gardner started the bipartisan task force. And so he'll be here to give a presentation to talk about this important topic, as well as we have the CEO of eHI. Without further ado, I'll let the first presentation get started.

I very rarely give talks that are standing room only, so I really appreciate your interest today. As Greg mentioned, I'm Robert Lord, cofounder, president and chief strategy officer of Protenus, and also a fellow at New America's cybersecurity policy program. While a lot of the information I'm presenting today comes from research we've done at Protenus and some of the work we are currently building at New America, I'm not speaking on behalf of either of those organizations today. I'm just talking from my experience and providing perspective on the challenges that we see in this space. I guess to contextualize this, because sometimes when we talk about cybersecurity it can be a little too much about bits and bytes and people in hoodies. The first thing I always think about when I think about health care cybersecurity is the patients I had when I was in medical school. I was fortunate to work in a clinic that focused on treating HIV-positive patients in Baltimore when I was in med school. One of the things you learn quickly about this population, other than that they are an absolutely wonderful, really complex, rewarding population to work with, is they have extraordinary concerns about the privacy and security of their information. They will go to extreme lengths to make sure people do not find out about their diagnosis, their treatment, or that their coworkers or communities and so many others might use this information against them, this extremely vulnerable community.
One of the things I began to think about while treating these patients was: what are we doing to defend their health data and information, these extremely sensitive records? The more you dig into that question, this is back in 2013-2014 when I started, the more horrifying the answers. The reality is the challenges we face in protecting health data are extraordinarily difficult. Today I'll try to give a taste not only of the important stories but also the data behind all of them. It makes sense to start with the Anthem breach back in 2015. This was really, for many people, and I'll ask for a show of hands, who here got one of those Anthem notification letters? I did, too. This was about half of the U.S. population, more or less, about a third or half, 140 million medical records breached. We'll never know the exact number. But for many this was a massive wake-up call to the fact that health data was highly centralized in many cases, highly vulnerable and highly valuable to certain parties as well. Unfortunately, this story did not end with the breach in 2015. The hits keep on coming. We just had a very recent breach, a LabCorp/AMCA breach with about 20 million medical records, patient data, individual data pieces that were identified, and we'll see what the final numbers are. Back in 2016 we had a major ransomware attack that reduced an entire hospital system to pencil and paper. So imagine all the electronic health records, all the electronic systems that you use in a health system, and now you're using pencil and paper. Pretty scary. This isn't just a couple of anecdotes either. If you look and really scale it out, a recent report not too long ago showed 70% of health systems reported experiencing a major data breach, and a third experienced one in the last year.
If you think about this entire picture together, we are in a pretty terrifying state right now, and it's one where we are not always talking about what I can tell you health systems are very aware of all the time. So I'm not a big person on speculation, but it also makes sense to think proactively. There's also the significant possibility, raised recently in the Bloomberg article, of the ability of, whether it's state actors, individuals or other types of criminals, to engage in medical blackmail. Typically these types of incidents are highly behind the scenes. There are some great reports that this does happen, but most of the time it is not reported if it is the case. These are the anecdotes, but I don't want to focus on what could be. I want to show you the data for the rest of my presentation that shows you what we're facing right now and what the trends are. I think for some of you in the audience you will know everything I'm talking about really clearly, but for others I do want to contextualize why health data is so valuable. So by some reports, and I think these are exaggerated, but they give you a sense of what these records can be worth, a single individual medical record can go for upwards of $1,000 on the black market. These have been deflated as more medical records come on the black market. But there's a lot of value to them, and there's a lot of value to them for a lot of reasons. They can be used for insurance fraud, fraudulent claims. You can steal someone's ID, and you can do it very comprehensively given the information in a medical record. It's pretty much the entire history of someone's past illnesses, their family members, their location, financial information. It's all in there. The only thing that has more information on individuals is probably something like a comprehensive top-secret clearance document in the country.
You can use it to open financial accounts because of the richness of the data, so insurance or banking accounts, medical blackmail that could be criminal or state-based. You can also, unfortunately, and people do, use it for personal attacks or courtroom litigation in messy divorce cases. We've seen it all. You can run fraudulent Medicare, Medicaid billing mills as well. A lot of terrible, terrible crimes that have impacts that can go on for years and years. Actually, recently there was a CBS This Morning report that featured some of the data I'm going to show today. It showcased an individual who basically, while he was in the service, had his medical identity stolen, and he was resolving those challenges 15 years after and still suffers from challenges. A wonderful guy, and he's been dealt quite a hard blow. What I'm going to show you next is specifically the data we collect on a regular basis. Protenus is the world's leading health care compliance analytics platform focusing on detecting dangerous activities in health care, but I'm not here to talk about my company on that side. We have research that works with third parties to identify trends in health data breaches and health cybersecurity in general. So one thing to start out is that since 2010, and I don't show all the way back, but since 2010 there's been a systematic increase in the number of data breaches that occur every single year, without fail. Without exception. We've seen this since we've been tracking the data specifically; we've seen it every year, and already we are projected to have another record year. This number that you see here is just a half-year estimate from a recent analysis. If it were to continue, we will beat out 2018 for sure. This is the number of incidents. You want to look at the number of records breached. We're excluding the 2015 Anthem breach, where if you added that column it would go up to about 170 million records or something in 2015.
In 2016 we had a banner year with some big, big breaches, almost 30 million. For 2017 some of us started to think that we were normalizing. Maybe it was just a couple of big breaches and it will get better. That of course tripled in 2018, and in 2019 that estimate you see up there of almost 32 million is just the half-year estimate. That is not yet annualized to the full year. We are once again on track to break yet another record when it comes to the number of records breached. Importantly, you may want to know how all this breaching is occurring. Of course hacking is a major concern. It's what people think about when they think about these types of challenges. And that breaks down, and I can go into more detail, but that's a mix of what we've seen from a phishing perspective, ransomware, malicious links, miscellaneous threats. I won't go into all the deep details, but we provide a breakdown of this in the Breach Barometer, which you can download and subscribe to and is totally free; just Google Protenus. A huge proportion, between 25-40% of breaches, are due to insiders. That is, individuals with some legitimate level of access to the electronic health record who have misused that access. So for instance, when I was the lowest of the low medical student with my dorky little white coat, I could access any medical record of any individual who ever passed through the walls of my institution. That was not because my institution was unique in this respect. That is true of basically every single health system in the world. And the reason is because for emergency access you need to be able to get access in the ER quickly. You also have extremely complex environments where proactive access control, as I'm sure some of you may be thinking about, is a failed paradigm. It's simply too complex to tackle that type of threat with. And so this insider threat surface is one we often underappreciate, and one that leads to a huge proportion of the breaches we see all the time.
As far as who's most vulnerable, this may come as no surprise, but obviously the lion's share is hospitals themselves. I want to note, this is not because hospitals are lazy or do not care about this problem. Quite the contrary. They care an extraordinary amount, but keep in mind hospitals are often running on razor-thin margins, their technology investment in this space is not always what they want it to be, and they have to take care of patients. When you look at their list of priorities there's a lot going on that has to be thought of, and, of course, they are on the front lines, so the most people have access to this. A large health system can have 30,000 employees. How do you make sure all of those individuals are not committing privacy violations? A major, major challenge. If you have a 99.9% rate of preventing phishing attacks at your institution and you have 100,000 employees, you will still have a lot of breaches, and that's a big problem.

Question: [inaudible]

It's hard for me to comment, as I'm in the private sector, on a lot of the state-based activity that occurs in these spaces. I'm not really the person to necessarily talk about specifics, just because that information is not readily available to me. What we see is the lion's share here is people who are not some sort of foreign espionage type of situation; it's just the hospital's own employees that might be using it for criminal gain, for abusing their access to attack a colleague, to look up a VIP. I've even seen people look up local sports stars for a fantasy football edge. So it happens, yeah. There are some pretty scary situations out there. So I'm going to tell you a nice story as well. This is like the one good piece of data you will see here, and what this is, it is the average time for an individual health system to report a breach to Health and Human Services, which they are required to do within 60 days. They are really good about this.
Hospitals are extremely responsible and thoughtful about this: once they know about something, they do report it. We have seen a bit of a trend outwards lately on reporting, but most of the time everyone is falling inside these lines, which is good. However, the time to detect a breach is not so good. So oftentimes malicious actors will be inside health systems for weeks, for months, for years. We have seen ten-year-plus bad actors occur inside health systems, and they just keep on going. The problem is not in the reporting rapidly, but it is in the detecting rapidly. Here's a number you will not necessarily see a lot, but it's a really important one. We've done some analysis at Protenus to understand how many privacy violations typically occur in a given month based on the size of an institution. What we've seen is that for every 300 individuals you can expect about one privacy violation to a patient's data per month. That means if you have 30,000 employees at a health system you are talking about 100 privacy violations a month, and 1,200 per year. If you think about what is being reported, you can really only get this once you get comprehensive analysis of the system and understand how many violations are happening, but it gives you a sense of the size and scope of these threats whizzing across the whole spectrum. In addition, there's a great opportunity to focus on education and remediation. Another thing we see is the majority of events that we are detecting are repeat offenses, which means someone has already violated patient privacy in some way and we haven't caught them and educated them, so they'll do it again and again and again. We see this pattern over and over again. It means we can reduce by half the number of violations that occur if we're proactively detecting these threats and ensuring that individual is educated or appropriately sanctioned for that activity.
To me this looks bad, but it is a hopeful stat because it means we can predict and prevent these threats through really thoughtful workforce management. So I want to be brief in this next section and just note very briefly that my work at New America is focusing on a white paper, which will be released next month, that addresses three core areas of challenge in this space, and I will be thoughtful of the time because I'm running over, but the areas are essentially culture, workforce, and technology. When we look at culture, it's all about how to create accountability from the board level on down. How do we appropriately fund hospitals so they can make sure they're getting the job done? How do we work with existing regulatory structures to be more effective and more forward-thinking? For workforce, it's how do we build a workforce in the future that is effective and retain the valuable workforce we have, and how do we prevent workforce burnout by making sure we're not having people do continuous or repetitive low-value tasks, and that they're focusing on what is strategically important. Finally, from a technology perspective, it's about getting a lot of the legacy junk out of the system. We know there's a lot of legacy technology. It needs to be remediated. There are areas we can clarify when it comes to guidance. And then finally it's about baking in, whether it's devices or software, a security development lifecycle when it comes to creating the software and devices that again are ultimately treating and serving patients. At the end of the day it's all about patient safety. We do all these things to the end of protecting patients, to defend them from these threats and to make sure we're keeping them safe. That's what the Hippocratic oath is all about, and in a way that's what we've got to do here from a cybersecurity and privacy perspective. And so I will now wrap things up. Hopefully you can take a look at this in September, and now there will be a much more interesting speaker talking to you.
Thanks so much, everyone. [applause]

Well, it's true. I think the last time this room was this crowded, it's been a while. Good afternoon, guys. My name is Jen Bordenick. Robert just laid some really nice groundwork for us. He kind of gave you a basic overview in terms of what the data is on breaches and where we're going. I'm going to spend a few minutes talking a little bit about some of the misperceptions around HIPAA policy and cyber policy, and talk about current policies and practices, how we are evolving into what could be a national security threat around cybersecurity and health. Cybersecurity here has nothing to do with elections, just with health care. eHealth Initiative has been around about 19 years, and we're a group of influential executives from across the spectrum of health care. We bring together leaders from all different groups, payers, providers, vendors, pharmacy, et cetera, to work on really tough issues. Our belief is you can't just talk to hospitals about health care. You can't just talk to providers and clinicians. Health care is a continuum, so we need to join with pharmacies, patients, consumers, vendors. It's an interconnected problem. It's a network problem. We need to address that together to figure out how to solve it. We've done a lot of research, education and policy work on cybersecurity. We passed out here today a new white paper on risky business. We have some fact sheets on myths surrounding HIPAA, which are available here, and many more on our website. We really need to stop looking at cyber and privacy policy, and stop thinking about health care data, in terms of what building it belongs in, or what office it should be in. Health care data doesn't stop at the door. Your hospital data shouldn't only be within the hospital. You should be able to access it from home, from your phone. It's all over the place. In terms of thinking about rules around cybersecurity and health care data, it doesn't make sense to always think about it within an institution.
You need to think about it in terms of the greater spectrum. Now, I just want to be frank with you here. We have done a horrendous job in health care and technology talking about privacy policy. People are talking about the Federal Aviation Administration, talking about the elections and fixing whatever the lead story on the news is right now. They are not thinking about their health care data. Part of the issue is we have made it so technical and confusing, with all these acronyms thrown out at you, that some people just don't understand it. It sounds really overwhelming, and I'll be honest with you, I started in health care two decad
