Afternoon everyone, thanks for joining us. My name is Greg Mathis, I felt policy advisor to Senator Mark Warner and again for joining us for this cybersecurity office briefing today, is company on cybersecurity and healthcare area as many of you may know, underwater along with Cory Gardner the bipartisan adversary task force in 2016, this goal of shedding light on some of the most pressing issues are kind when it comes to cybersecurity threats and how they impact our nation. For today's briefing I think specifically we've seen a number of very high-profile, extensive and quite frankly potentially dangerous cybersecurity attacks in our nation's health care sector. We brought in two individuals today that have a wealth of knowledge in this area will Robert Lord who is Chief Strategy Officer at Protenus. Protenus, I'm sorry about that and so you'll be here to give a presentation talk about this important topic as well as we have an who is CEO of dhi and so without further, I'll let the first presentation get started.
Thanks so much Greg and thanks to everyone. I rarely thought that our standing room only so I really appreciate your guide today. As Greg mentioned, I'm Robert Lord, cofounder and president and chief he officer of Protenus and a fellow at New America's security policy program. While a lot of information today comes from research that we got Protenus and some of the work that we are currently a New America, I'm not speaking on behalf of either of those organizations today. I'm just talking from experience and a little bit of perspective on the challenges we see in the space. I just to contextualize this a little bit because when we talk about cybersecurity it can be a little too much and by and people inputs. The first thing that I would note when you think about healthcare cyber story is the patient that I had when I was at school.
I was fortunate to work in a clinic that focused on treating HIV-positive patients in Baltimore when I was in school, and one of the things you learn quickly about this population, other than they're an absolutely wonderful, complex, rewarding population to work with, is they have extraordinary concern around the privacy and security of their information. They will go to extremes to make sure that people do not find out about their diagnosis, treatment or that their coworkers, their community and so many others that might use this information against them, this extremely vulnerable community, and one of the things that I began to think about treating the patients was what are we doing to defend their health data and information, these workers. And the more that you think that question, this is back in 2013 and 2014 when I started, more hard the answer is. The reality is the challenges that we face in health data are extraordinarily cool and say I'll try and give you a case not only of the important and stories the color the salad and also the data behind all of that. So I think makes sense to start with the average back in 2015. This was really for many people and I show of hands, who got one of those at the notification letter from our idea to. This was about half of the US population more or less, a third area on the 40 million medical records free, will never know the exact number but for many, this was a massive wake-up call the fact that health data was centralized in many cases, i vulnerable and highly valuable certain parties as well. Unfortunately, the story did not end with the average. We keep on coming. So we just had a brief, a lab or an mca breach. With about 20 million medical records or patient data, individual patient data is identified, not sure what the final numbers are. Back in 2016 we had a major ransomware that reduced the entire hospital system to pencil and paper.
So imagine all the electronic health records, all electronic systems, I can't think back to my days, and now you're using pencil and paper and one does not connect electronic system, it's scary. And this isn't just a couple of active either. If you look scale it out, recent report really back not too long ago showed that 70 percent of health systems reported experiencing a major breach and a third of those experienced one in the last year. So if you think about this entire picture together, we are in a terrifying statement now and one not necessarily always talking about but I can tell you health systems are aware of it all the time. So I'm not a person on speculation but also always makes sense proactively. There's also the significant possibility raised recently in a Bloomberg article on the ability of whether state actors or individual or other types of criminals to engage in medical blackmail. Typically these incidents are highly behind-the-scenes. There are some great area reports but most of the time these are not reported if it is the case tracking. Can go for a on the black market. They suspended latest more medical records of come on the black market in these numbers have come way down but there's a lot of value in there's a lot of value for a lot of reasons. They can be used for insurance fraud, fraudulent claim. You can steal someone's idea and you can do it very confidential anything about the information that medical record. Pretty much the entire medical history of someone's past illnesses, their family members that location their financial information is all in there. The only thing that has more information on an individual is a comprehensive. Copy. The insurance or bank accounts as you mentioned medical blackmail. You can also unfortunately people use it for monday in personal attacks for courtroom litigation and messy divorce cases. We have seen it all in there and of course you can run false fraudulent Medicaid billing mills as well.
So a lot of unfortunately really terrible and really deeply devastating crimes can be committed with medical records that obviously have impact that can go on for years and years. Recently there was a CBS This Morning report that featured some debate I'm going to show you today that showcased an individual who basically while he was in the service yet his medical identity stolen and he was resolving those challenges for 15 years afterwards. A wonderful guy and he's been dealt quite a hard blow. So what I'm going to show you next is physically the data we collect on a regular basis. Protenus data focuses on health care but I'm not here to talk about my company. We also have a research group that works with third parties to identify trends and identified data breaches and help cybersecurity in general. What I'm going to show use to show used use the information collected from public sources as well as in the end interest in proprietary data that will add color you won't normally see in this kind of thing. One thing to start out is that in 2010 and I don't show up away back here but in 2010 there is the systematic increase in the number of data breaches that occur every single year without fail, without exception. We see this since we have been tracking the data specifically. We have seen it every year and already we are projected to have another record year. This number you see here the 285 is just a half year estimate from a recent analysis so we will continue along this trend and we both beat out 2018 unfortunately. We also want to look at the number of records breached so including the 2015. Where if you go to 170 million records that year and 2015. In 2016 we had a banner year with big big breaches so that was almost 30 million. In 2017 we thought it would normalize a little bit. I was just a couple of the breaches and we will get better and of course it tripled in 2018 and in 2019. That estimate means 32 million.
That's just a half year estimate that is not a full year but we are once again on track to break another record when it comes to another record breached. Importantly you may want to know where this reaching is occurring. Of course hacking information concerns what people think about when they think about these types of challenges and that breaks down and I can go into more detail but that's a mix of what we have seen from a phishing perspective with malware and miscellaneous threats and I won't go into all the details that we provide a break down of the switch by the way you can download. It's totally free. Just Google Protenus data and you can find it. This is relatively consistent. Between 25 and 40 of breaches are due to insiders. That's an individual thread of some legit mall legitimate access entities that. When I was the lowest of the low medical student in my white coat that could access any medical record of any individual who ever passed through my institution and that was not because my institution was unique in this respect. That is true of virtually every single health institute in the world. The reason emergency access you need to be able to get access very quickly. You also have to have extremely complex of armed with where practically using access control as I'm sure somebody in the audience have been thinking about is too complex to tackle with that type of threat. This insider threats served as one week underappreciate that leads to a huge proportion of the breaches we see all the time. As far as who is the most vulnerable this may come as no surprise but obviously the lion's share is hospitals themselves. This is not because hospitals do not care about this problem. Quite the contrary. They care an extraordinary amount but keep in mind hospitals are often running on and let laser-thin margin and their technology is not always what they want to be.
When they look at their list of priorities there's a lot going on that they have to be thoughtful of and of course they have to make sure that the most people have access to these records. How can you make sure that all of those individuals are not committing a violation. So major challenge in a giant threat do the phishing problem. If you have a 99. 973 of attacking systems there will be a lot of breaches and that's a big problem. Questions.
[inaudible]
It's hard for me to comment as a member of the earth on a lot of the state-based activities that occurs in these places. I'm not the person to necessarily talk about it because that information is not our money available to me however what we see as the lion's share people who are not some sort of espionage type of situation. Just a hospital employee that might be using it for criminal gangs for abusing their access for a pack of colleagues to look up the VIP. It seemed people look up local sports stars for fantasy football edge so it happens. It is a pretty scary situation out there. So I'm going to tell you a nice story as well. This is like the one good use of data you will see here. What this is is the average time for an individual health system to report a breach to Health and Human Services which they are required to do within 60 days. They are really good about this. Hospitals are extremely responsible and thoughtful. They want to know something they do report it so they are doing a pretty good job. We've seen a little bit of a trend lately on reporting but most of the time everyone falls in line which is good. However, this time to detect a breach is not so good. It's oftentimes we will be inside health systems for weeks, for months, for years. We have seen 10 years plus of bad actors inside of health systems and they just keep on going. The problem is not reporting it rapidly but it certainly is in detecting it rapidly. Here's a number you won't necessarily see a lot.
We have done some analysis at Protenus to understand how many violations physically occur in a given month based on institution. We have seen for every branded individuals you can expect about one privacy violation to the patient's data per month. That means if you have 30,000 employees in the health system you are talking about 100 or visit violations and 1200 per year. If you think about what's being reported you can only get this want to get a conference of analysis in the system to understand how many violations are happening. It's the scope of the threat we are seeing got the whole system. In addition is a great opportunity here to focus on education and remediation because another thing we see is the majority of the offenses we are detecting are repeat offenses, which means someone has already violated patient privacy and we haven't educated them so we are going to do it again and again. We see this pattern over and over. Often we can reduce by half the number of violations that occur if we are proactively protecting these threats and ensuring the individuals appropriately sanctioned for that activity. This is somewhat of a whole because it means to a certain extent we can predict and prevent these offenses through thoughtful workforce management. So I want to be brief in this next section and note very briefly that my work at New America is on a white paper which should be released next month that addresses three core areas of challenge and I will be thoughtful of the time because I'm running over here but the areas are essentially culture, workforce and technology. When we look at culture is all about how do we create accountability quest that we appropriately fund hospital so they can make sure they are getting the job done and how to work with existing regulatory structures to be more effective and more forward-thinking.
Our workforce is how we build the future workforce and had we retained the available workforce that we haven't had we prevent burnout or making sure we are not having people do continuous repetitive low value attacks. Finally from a technology perspective it's about getting a lot of legacy junk out of the system. We know there's a lot of legacy technology. There are areas where we can clarify when it comes to guidance and then finally it's about whether it's devices or software lifecycle when it comes to creating these abusive software devices that are ultimately treated. At the end of the day it's all about patient safety. We do all of these things in the end to protect patients and defend them from these threats and make sure we do. It's with the Hippocratic oath in a way and that's what we do here for privacy and security. I will now wrap things up and hopefully we can take a look at this in September and there'll be a much more interesting speaker talking to you then. Thank you very much everyone.
[applause]
It's true. I haven't been affirmed as crowded. It's been a while. My name is Jennifer Bordenick and Robert to set up a really nice framework for us. A kind of give you basic overview in terms of where the data is on breaches and where we are going. I'm going to spend a few minutes talking a little bit about some of the misperceptions around HIPAA policy and cyber policy and talk about current policies and practices and how we are actually evolving into what could be a national security threat around cybersecurity and health. Cybersecurity has nothing to do with health care. eHealth Initiative has been around for about 19 years and we are a group of influential executives from across a spectrum of health care. We bring together leaders from all different groups, payers, providers, vendors, pharmacies, etc., to work on really tough issues and our belief is that you can't just talk to hospitals about health care. You can't just talk to providers and clinicians about health care.
Health care is a continuum so we need to join with pharmacies, patients and vendors. This is a problem, an interconnected network problem that we need to sit down together to figure out how to solve it. We have done a lot of research, education and policy work around cybersecurity. We have a new white paper out. We have some fact sheets surrounded but which are available for you and many more on our web site. We really need to stop looking at cyber and privacy policies and stop thinking about health care data in terms of what building it belongs to or what about the should it be and great health care data doesn't stop at the door. Your hospital data shouldn't only be within the hospital. You should be able to access it from your home, from your phone. It's all over the place so in terms of thinking about rolls around cybersecurity and secure data doesn't make sense to think about it within an institution always. Need to think about it in terms of the greater spectrum. I just want to be frank with you here. We have done a horrendous job in health care and technology talking about HIPAA. Privacy policies, what health care data is, where it lives, why it's important, all of those things. When people think about cybersecurity they generally think about elections whatever the latest story on the news is right now. They are not thinking about their health care data. Part of the issue is we have made it so technical and confusing and we throw these acronyms that use of people just understand it and it sounds really overwhelming and I will be honest with you when I started in health care two decades ago I felt silly asking questions. I felt like I had to be a lawyer or legal analyst to ask questions they were so complicated and technical. How many of you have been in the doctor's office filling out a form and you say why do I need to do this again and they said to you because of HIPAA, right? HIPAA is the big bad wolf of health care, okay?
Whenever you can't get something done a lot of times and the excuse given to you will be because of HIPAA, so your doctor can't talk to your loved one about your condition because of HIPAA. That's a myth. Your doctor needs a written authorization or they can't share your health information. That's another myth. Doctors aren't allowed to email patients are that's another myth p