When it comes to cybersecurity threats and the way it affects our nation. And we have seen high-profile hacks in our health care sector and we've brought in two individuals, Robert Lord, chief at Protenus. And he'll give a presentation to us and talk about this important topic, as well as Jen, the CEO of eHI. Without further ado I'll let the first presentation get started.
Thanks, Greg, and thanks so much to everyone. I rarely give talks that are standing room only, so I really appreciate you guys' interest today. As Greg mentioned, I'm Robert Lord, cofounder and president and chief officer of Protenus. A lot of the information is from Protenus and I'm not speaking on behalf of organizations today. To work in a clinic that focused on treating HIV-positive patients in Baltimore when I was in med school. One of the things you and click the about this population, other than they're an absolutely wonderful, really complex, rewarding population to work with, is they have extraordinary concerns about the privacy and security of their information. They will go to extreme lengths to make sure people do not find out about their diagnosis, the treatment, or that their coworkers or team, communities or many others that might use this information against them, this extremely vulnerable community. One of the things I began to think about treating these patients was: what are we doing to defend their health of data and information, these extremely sensitive records? The more you dig into that question, this is back in 2013, 2014 when I started, the more horrifying the answer is. The reality is the challenges that we face in protecting health data are extraordinarily difficult. Today I'll try to give you a taste not only of the important anecdote stories but the data behind all of them. I think it makes sense to start with the Anthem breach back in 2015. This was really are many people, I don't ask for a show of hands. Who here got one of those Anthem notification letters? I did, too.
This was about half of the U.S. population more or less, a third or half, 149 million records breached. We will never know the exact number of patients affected. For many of us this was a massive wake-up call to the fact healthcare data was highly centralized, highly vulnerable and highly valuable to certain parties as well. Unfortunately this story did not end with the Anthem breach in 2015. The hits keep on coming. We decided a recent breach, the LabCorp AMCA breach, about 20 million medical records or patient data, individual patient data pieces that were identified, and we'll see what the final numbers are. Of course back in 2016 with a major ransomware attack the reduced and without hospital system to pencil and paper. Imagine all the electronic health records, all the electronic systems that use, I can thinking back to my days, and now you're pencil and paper and what is conducted not connected to an electronic system. Pretty scary. This isn't just a couple of anecdotes either. If you look and scale out, a recent report back not too long ago showed 70% of health systems reported experiencing a major data breach, and a third experienced one in the last year. So if you think about this entire picture together we are in a pretty terrifying state right now, and it's one where we are not necessarily talking about but health systems are very aware of it all the time. I'm not a big person on speculation but also it always makes sense to think proactively. There's also this significant possibility raised recently in a Bloomberg article of the ability of, whether it's state actors or individuals or other types of criminals, to engage in medical blackmail. Typically these types of incidents are highly behind the scenes. There are some great area reports that this does happen but most of the time these are not reported if it isn't the case. These are the stories, the anecdotes, but I don't want to focus about what could be.
I want to show you the data for the rest of my presentation that shows you what we're facing right now and what the trends are. For some of you in the audience you're going to do everything I'm talking about really clearly. For others I do want to contextualize why health data is so valuable. So why some reports, and you think these are exaggerated but they give you a sense of what these records can be worth, a single individual medical record can go for upwards of 1000 on the black market. These event appointed as more medical records have come on the black market. There's a lot of value to them and a lot of value to them for a lot of reasons. They can be used for insurance fraud, roger claims. You can steal someone's ID and you can do it very comprehensively when you think about the information in the medical record. It's pretty much the entire history of someone's past illnesses, their family members, their location, financial information, it's all ended. The only thing that has more information on an individual is probably like a comprehensive top-secret clearance document in the United States. You could use it to open financial accounts because of the richness of that data. Insurance or bank accounts, medical blackmail that could be criminal or state-based. You can also unfortunately people use for monday personal attacks or courtroom litigation a messy divorce cases, we stand at all. You can run fraudulent Medicare, Medicaid billing mills as well be seen that basically open up, create synthetic patients and built of his patients. A lot of unfortunately really terrible and really deeply devastating crimes that can be committed with medical records that have impacts that can go on for years and years.
Recently there was a CBS This Morning report that he could some of the data I'm going to show today that showcased an individual who basically, while he was in the service, he had his medical identity stolen and he was resolving those challenges for 15 or so afterwards and still suffers from challenges. Wonderful guy and he's been dealt quite a hard blow. What I'm going to show you next is specifically for data that we collect on a regular basis. So Protenus as a world healthcare leading platform folks at detecting dangerous activity and health care but I'll let you to talk about my company on that side. We also had a research group that works with third parties to identify trends and health data breaches and help cybersecurity june. What I'm going to show, this information we collected both from public sources as well as at the end some interesting proprietary data I think we'll add, you're not, can see in this space. So one thing to start out is that since 2010, at item to all the way back, but since 2010 there has been a systematic increase in the number of data breaches that occur every single year without fail. Without exception data breaches. We see the sense we been tracking the data specifically we seen every year and already we projected to have another record you come this number you see here, 285, as a half-year have to estimate from a recent analysis and so it will continue along this trend we will be at 2018 unfortunately. This is the number of incidents. You want to look at the number of records breached. We are excluding the 2015 Anthem breach or if you added that column, who up to about 170 million records that year or something and 2015. In 2016 we had a banner year with big, big breaches so that was almost 30,000,000. 2017 some of the start to think now it's what denormalized a little bit. Maybe that was just a couple of big breaches and it would get better. Then of course it tripled in 2018.
And in 2019 that estimate of almost 32 million is just a half-year estimate. That is not yet annualized to the full year. We're once again on trend to break yet another record when it comes to the number of records breached. Importantly you may want to know all while the region is occurring. Of course hacking is a major concern. It's what people usually think about when you think of these challenges. That breaks down, and I could go into more detail, but that's a mix of what we've seen of a phishing perspective, malware, miscellaneous threats, and I won't go into all that deep details that we provide a breakdown of this in the Breach Barometer which you can download and subscribe to and it's totally free. Just google Protenus and you can find it. But huge proportion, this is relatively consistent, between 25 and 40% of breaches are due to insiders. That is individuals with some legitimate level of access to electronic health record and abuse that access. I for instance, when I was at the lowest of the low, medical student, like dorky little white coat, I could access any medical record of any individual who ever passed through the walls of my institution. That was not because the institution was unique in this respect. That is to basically every health system in the world. The reason is because for emergency access you need to be able to get access to the ER quickly. You've extremely complex environments where proactively using access control, as I'm sure some of you in the audience may be thinking about, is really a failed paradigm. Too complex to tackle. This insider threat surface one we often underappreciated but one we see all the time. As far as who is most vulnerable, this may come as no surprise, but obviously the lion's share is hospitals themselves. I want to note this is not because hospitals are lazy or do not care about this problem.
Quite the contrary they care and exploit export them at the house was a running on razor-thin margins, their technology investment in the space is not what the others wanted to be and have to take your patience. When you look at priorities there's a lot going on they have to be thoughtful of and, of course, be on the front lines. The most beloved access to this information, a large health system will have 30,000 employees who have access to medical records. How do you make sure all those individuals are not committing privacy violations? A giant threat surface for phishing attack. If you had 99.9% rate of preventing phishing attacks at your institution injured 100,000 employees in one of these megasystems you will stop a lot of the breaches and that's a big problem.
Question? [inaudible]
So it's hard for me to comment, as I'm a member of the private sector, on about that the state-based activity that occurs in these spaces. I'm not really a person to necessarily talk about specifics just because that information is not normally available to me. What we see is the lion's share is people who are not some sort of foreign espionage type of situation. It's just a hospital's own employees that might be using it for criminal gain, for abusing their access to maybe attack a call to come to look up a VIP. I've even seen people look up local sports stars for fantasy football edge. So it happens. Yeah, yeah. It is some pretty scary situations out there. I'm going to tell you a nice story as well. This is like the one good piece of data you will see here, and what this is, it is the average time for an individual health system to report a breach to Health and Human Services, which they are required to do within 60 days. They're really good about this. Hospitals are extremely responsible and thoughtful about one thing once they know about something figure reported. They're doing a pretty good job.
We seem a bit of a trend outwardly underreporting but most of the time everyone is falling inside these lines, which is good. However, the time to detect a breach is not so good. Oftentimes malicious actors will be inside health systems for weeks, months, years. We've seen ten-year-plus bad actors occur inside health systems and they just keep on going. The problem is not in the reporting rapidly that it is in the detecting rapidly. Here's a number you will not necessarily see a lot, but an important one. We've done analysis at Protenus to understand how many privacy violations typically occur in a given month based on the size of an institution. What we see is that for every 300 individuals you can expect about one privacy violation to a patient's data per month. If you have 30,000 employees at health system, you're talking about 100 privacy violations a month, and 1200 per year. If you think about what is being reported, you can only get this once you get comprehensive analysis of the system and understand how many violations are happening, but it gives you a sense of the size and scope of these threats we are seeing across the whole spectrum. In addition, there's a great opportunity to focus on education and remediation. Another thing we see is that the majority of events that we are detecting are repeat offenses, which means someone has already violated patient privacy in some way and we haven't caught them and educated them. They will do it again and again and again. We see this pattern over and over again. It means we can reduce by half the number of violations that occur if we were proactively taking these threat century that individual is educated on appropriate sanction for that activity. This looks bad but at some of a hopefuls that because it means we can predict and prevent these threats through just really thoughtful workforce management.
I want to be brief in this next section and just note briefly that my work at New America is now focusing on a white paper which should be released next month that addresses three core areas of challenge in this space, and I will be thoughtful of the type because I'm running over, but the entries are essentially culture, workforce, and technology. When we look at culture it's all about how to recreate accountability from the board level on down. How do we fund hospitals so they can make sure they're getting the job done? And how it would work with existing regulatory structures to be more effective and more forward thinking? Our workforce is how do we build a future workforce at effective. It's how do we retain the valuable workforce we have and how do we prevent workforce burnout through making sure we are not having people to continuous, repetitive low-value task and focusing on what is strategically important. Finally from a technology perspective it's about getting a lot of legacy junk out of the system. We know there's a lot of legacy technology. It needs to be remediated. There's areas we can clarify when it comes to guidance. And finally it's about baking and and two and whether devices were sought for a secure development lifecycle when it comes to creating these software devices that they can ultimately treating and serving patients. At the end of the day it's all about patient safety. We do all these things to the end of protecting patients, to defend them from these threats and to making sure we're keeping them safe. That's what the Hippocratic oath is all about and in a way we've got to do from cybersecurity and privacy perspective. I will now wrap things up. Hopefully you can take a look at this in September and now it would be a much more interesting speaker talking to you. Thanks so much, everyone.
[applause]
Well, it's true, the last time I was in a this crowded it's been a while. Good afternoon, guys.
My name is Jen Covich Bordenick and I'm on the eHealth Initiatives foundation in Washington. Robert set up a Nice Supreme Court for. To get basic overview in terms of where the data is on breaches and we are recording. I'm to spend a few minutes talking about some of the misperceptions around federal Aviation Administration policy and cyber policy and talk about current policies and practices, HIPAA, and how we're evolving into what could be a national security threat around cybersecurity and health. And cybersecurity has nothing to do with elections which is just healthcare. The eHealth Initiative has been around about 19 years and we are a group of influential executives from across a spectrum of health care. We bring together leaders from all different groups, payers, providers compare discount pharmacies, et cetera, to work on really tough issues. Our belief is that you can't just talk to hospitals about health care. You can't talk to providers and clinicians about health give her healthcare is a continuum. We need join with pharmacies, patients, consumers, thinkers. This is a problem, an interconnected problem, and network problem. We need to sit down together to figure out how to solve it. We've done a lot of research, education and policy work around cybersecurity. I think we passed out your today, we've got a new white paper out on risky business. We have fact sheets on myths surrounding HIPAA which are available for you and many more on a website. We really need to stop looking at cyber and privacy policy, and stop thinking about healthcare data in terms of what building it belongs into, or what office should it be in. Healthcare data doesn't stop at the door. The hospital data shouldn't only be within the hospital. You to be able to access it from home, from your phone. It's all over the place. In terms of thinking about rules around cybersecurity and healthcare data it doesn't make sense to think about it with an institution always.
We need to think about in terms of greater spectrum. I just want to be frank with you here. We have done a tremendous job in healthcare and technology, talking about HIPAA, privacy policy, what healthcare data is, where it lives, why it's important, all of those things. When people think about cybersecurity they generally think about elections and banks, whatever the latest story on the news is right now. They are not thinking about the healthcare data. Part of the issue is that we have made it so technical and confusing and restore these acronyms out at you. So people just don't understand it. It sounds really overwhelming, and I'll be honest with you, when I started in healthcare two d