His visit to capitol hill and how it is being interpreted. Of then the director National Museum of American History will discuss his book. Be sure to watch cspans washington journal on sunday. Join the discussion. Now a form forum on the cost of keeping health care safe. This is hosted by politico. It is one hour and 15 minutes. Ladies and gentlemen, please welcome executive editor for kenan. Care, joann ms. Kenan good afternoon, everyone. I am one of the executive editor for health care and i would like to thank you all for joining us and those of you on the live stream, too. Outside in is our event series focusing on health care and technology and being political we look at health care through politics and policy. Outside in was a way to conceived in a way to bring out outsiders with washington insiders. This is the first event this year. Weve taken the idea one step further this year and created a forum of Health Care Tech industry insiders who have a list of their names on your seat. And weve been doing surveys and interviews and events and this group is helping us better understand the new opportunities and challenges that Technology Innovation is bringing to the Health Care Policy world. Today some of the panelists will have, well have two panels. And some of the advisers will help us dig into medical privacy in the age of Cyber Attacks and we are going to ask questions like is Greater Health care , Information Exchange going to lead to more dangerous and increased hacks . Can Health Care Providers afford security . What kind of congressional or regulatory action, if any, is needed to keep medical records safe . Well have the conversation in two parts. Ehealth editor allen and i will first, talk to the policymakers and policy experts about medical Cyber Security and the second panel, dan diamond, a new colleague is writing pulse for us now and hes just begun the pulse check podcast that all you have to subscribe to as soon as this is over. And he is also helped us create and moderate this advisory panel, this forum and he will continue the conversation with experts who were on the forum. And youll find stories from today, the story written based on what these outside people are telling us, and this theme of that story shows how health care Cyber Security is getting worse and how the governments role is a mixed blessing. And we have a bar, for those of you who are here noticed. So stick around because the conversation could continue afterwards. Those of you in the live stream, you can just start right now. [laughter] ms. Kenan before i introduce the panel to the stage, i want take this time to say thank you to our partner phillips for their support of this event and the entire outside event series this year and all 3 years. Here to say a few words is artie arthur, Vice President of Health Care GovernmentSolutions Group for phyllis. Ms. Arthur thank you. Thanks, everyone, for coming to this event. Were really excited to be here. Thank you to politico for sponsoring the first installment of outsidein. This is phillips third year here. And just to give you a little bit of an understanding of what we did last year and how it is really going to integrate into how health care and Technology Meet each other for this series. Last year, we focused on areas such as digital medicine, aging and a Technology World and also population health. Why does that matter today . Well, you know what . Health care transformation is continuing on, right. And what we need to do is ensure that that data is meaningful and actionable. But the worst part about it, and the reason why were here today, is because we dont always know if it is safe, right. You dont know what youre going to get. And you guys have that sheet of paper, i just read it real briefly on how Expensive Health data is. So were here today to talk about how important it is to ensure that our health data is secure. Hackers dont care. They dont discriminate at all, amongst health data. If you think about what is happening today, you have seen a lot of articles on the health care ecosystem. Large Health Care Systems, as well as Insurance Companies, have had their data attacked. Whether it is by a hacker or any type of outside threat. And that is important. And it is scary. I think the really cool thing about working for phillips and why im so proud to be here tonight is that we take this very seriously. In fact, my group in the Health Care Space for the federal market, weve done a lot of work with d. O. D. In fact, most of our products today are, have been certified by the department of defense for Cyber Security and were really proud of that. We have more Cyber Security certifications than any other entity today. Additionally, we get to be an adviser on the task force for hhs. And so this is really empowering what we do in health care today. I cant, i cant tell you how excited and thankful i am for the panel that we have tonight and for politico to partner with us in this forwardthinking, thoughtprovoking series of 2016. And with that, i think id like to introduce your panel. Ms. Kenan ok. Thank you. And thank you phillips for your partnership. For those of you in the room and on live cast, our conversation on twitter, we use the the outsidein. That is one word. I have a tablet on stage and will take questions from those of you who tweet them in. A reminder our events are live , streamed and all on the record and they are recorded so people can watch them later on through our website. Without any further delay, i would like to welcome our panelists and my comoderator to the stage. First, we have representative will hurd from texas. He is the chairman of the i. T. Subcommittee for oversight and government reform and a former cia undercover officer. And then in the private sector he was a Cyber Security expert. He came to congress in 2015 and he swiftly has emerged as an important voice on this topic on privacy and security and looking at where the government is not doing a good enough job. Leslie krigstein from affairs at crime which is a management executive. She brings the concern of Health Care Ceos to the hill and to the agencies. Devin mcgraw is from the Health Information privacy from the hhs office of civil rights and the point person for concerns about privacy and she helps inform hippa, enforce hippa so you all have to behave. Clinton michael, from the ehealth Interest Group at the American Bar Association health law section. And he is one of the top National Experts in legal issues that barely existed a couple of years ago. And we hope he can help us understand what is still needed in the legislative and Regulatory Framework to protect Health Care Privacy because every day we are reminded that it is a problem. And of course, arthur allen, and my friend and colleague and ehealth editor and they call him big data, and im little data. [laughter] thank you. Arthur, you are going to start it. Mr. Allen so, welcome, everyone. So i represent, im the ceo of a small hospital chain. And ive been busy taking care of meaningful youth and dealing use and dealing with macro and a million other things and Somebody Just came to me and said there is some issue called Cyber Security. Like a, a problem with people attacking the Health Care System. And im going to just ask our distinguished guests here to explain some of these things. Congressman hurd, who is attacking the Health Care System and what are they after . The majority of it is going to be organized crime. A lot of it is russian organized crime. They are the ones that are trying to leverage the data they are collecting for monetary gain. A health care record gets more on the black market on the Digital Black market than a financial record. And some estimate that medicare record is in the couple of hundreds of dollars per record. So its lucrative financially. To give some context, in 2012, alone, fbi had data there was 414 million worth of thefts in the united states. And the estimates in the cyber realm, it was over 100 billion. Right. So in impact to our economy. So it is a big issue. Mr. Allen it is a good field to be in, obviously. Leslie, tell me about the experience that hospitals, cios are having dealing with this problem. Are you spending, are hospitals systems spending a lot more money and what are they doing to adjust to this new reality . Ms. Mcgraw and youre right, it is the reality. There is only so many fingers to plug the holes and the reality is we can find every possible vulnerability and try to block it and they only have to find one. And so when you are looking at this as a fraction of the budget, Something Like 3. 5 to 4 , a subset is security. So it is something that you are not necessarily getting reimbursed for but it is absolutely necessary for the public good. But it is tough. Resources are hard to come by. Whether it be financial or even personnel. And youre only as strong as your weakest link and in this day and age, were sharing data with more and more partners, were sharing data directly with patients and youre just opening up the door. And so it is incumbent to train your work force and work with your boards. But it is definitely a tough fight that the odds are stacked against us. Mr. Allen so you are the cop on this beat in a way. How much do you blame, how do you figure out how much or how does the legal structure share the blame, decide who is going to be punished, how much you punish people who are really in a way the victims of the show crime . Because hospital Health Care Systems, to be sure, they are the custodians of the record but also the ones who are directly being attacked. So how do you, at the same time punish and at the same time try to improve the system to make it more secure . Well, so we have a set of expectations with respect to security and health care and they are absolutely critical. It is a cost of doing business. If you are going to be out there collecting health data, it is valuable, not only is it valuable to criminal, it should be valuable to you. It is one of the most critical business assets. So protecting the data from the threats out there is really sort of, it should be expected and frankly from a Public Policy perspective, it is important for patients to be able to trust their data is safeguarded. Not necessarily perfectly safeguarded, but safeguarded. We do not expect perfection. If you take a look at the cases that we have pursued, those entities in our view, based on our investigations, had significant deficiencies in their security policies, processes. They were not doing enterprisewide risk assessments or maybe they did one like, 10 years ago and they have not been updated. The adoption of basic security safeguards is, is slow. So im not suggesting that we have a right to demand perfection in terms of accountability, but we do expect entities to devote resources to security. We do expect them to be aware of security resources. And you as the ceo of that hospital, if they are coming to you and you dont know what several security is, that is a big problem. Mr. Allen clinton, what do you think . Are they exercising their role appropriately or being too harsh or too lenient and do you think that the regulatory and Legal Framework needs to change in order to deal with this problem thats rather quickly kind of arisen in health care . Mr. Mikel no, i think ocr is doing a really good job. You are not in a good seat, are you . Mr. Mikel no, im not. [laughter] so as a client, i think ocr is doing a great job. And one of the stated purposes they have is to essentially teach. And they have a really strained budget for their teaching. But you will see them issuing Technical Assistance as opposed to being punitive. We have a lot of agencies in the government that are punitive in the health care sector. Ocr is not one of them, thankfully. And theyve done a good job, i think, with splashing out their Enforcement Actions and pursuing big dollars so people in the industry see it as a deterrednt effect and they have hit Business Associates, hospitals, laboratories and physician practices. So i think theyve done a great job. As far as the Regulatory Framework, ive really only seen one truly bipartisan proposal so far. And i think it is workable. So we take the servers and we in the bathroom closet and build a wall around them and we make the hackers pay for it. [laughter] so. Mikel very good. Were looking for solutions, so im glad,. But to pile on there, if you are the ceo of a hospital and youre looking to ocr for guidance, you are already behind the curve, right. Absolutely. You need to be, and no offense to ocr. You need to be following the best practices in good digital system hygiene. And if you are not doing that, the Regulatory Environment is not going to save you. And the fact that the ceo should know about these things, because this is an integral part of your business and you need to make sure you have a cio that knows what they are doing in order to protect that infrastructure. Because that is your responsibility to protect the information of the people that you have in your systems, right. Ms. Kenan how, when there is a rand somewhere and a headline that makes news, five or six years ago when there was a breach, it was a breach that the public heard about and it was somebody spying on a movie star in hollywood. And im not sharon and im not having Plastic Surgery so i dont have to worry. But i think that is how a lot of us came across it. It was nosiness and internal, lack of in ternal controls. And now we have organized crime and cyber kriekcrime because the health data is on so many sources. But the things in the paper, with the bit coins and the hacks, is it occasional or happening all of the time and we dont know with it, about it . To pipe up in it talking to cios, a small hospital in a rural area was a victim or attempted 3500 attacks on sunday, on mothers day. They faced 90 of them internal from the u. S. 10 were external from countries from china to costa rica. Do we know they are internal . From the u. S. , i should say. Ms. Kenan were they able, they are able to track where the threats are coming from. But that is a 300bed hospital in Rural America and if they are facing it, think about a Academy Medical center with ip and as we are starting to exchange and the number of opportunities for intrusion. So you may have, or to give you another example, there is a Large Health System on the east coast, 10 billion health system. They faced, they turned away a million ran some ware emails in the month of march. So the attempts are regular. They are happening to providers large and small across the country and it is a matter of making sure that youve trained your staff properly to say no to them. But there are also times where, as long as youve got your Incident Response plan in place, you should have those systems backed up. And so if they hit one computer, hopefully, that computer is useless and you have your systems back up. There is no need to even consider the ransom. So it is a matter of having best practices. Ms. Kenan and how common is it they have the best practices in place . It is a work in progress. It is very definitely a learning curve. Ms. Kenan she is shaking her head. Sorry. They are trying, is the reality. Our understand is rapidly becoming more digital. And we are trying to keep pace with the progression that everyone is making, while meeting patient expectations. But the reality is, the threats are real. They are regular. And it is a matter of being up to snuff and working with ocr and looking at the Cyber Security framework and sharing threat indicators across the industry. , today, it isn not as regular as it could be as other industries. And so i think weve seen some very significant progress, particularly in what the hill did last year in setting up the cyber task force. And setting up the framework to share threat intelligence. Because that is the only way that the small critical access hospital in Rural America is going to be able to leverage their Lessons Learned from their colleagues. Ms. Kenan what are you hearing as a lawmaker that has access to information . Mr. Hurd well, there are more attacks than what were aware of and more people are paying the ransom than what it out there for public consumption. Ms. Kenan widespread more or a little more . Mr. Hurd more than, it is more than a little bitty. Ms. Kenan and a lot of bitty. Mr. Hurd somewhere in between. All right. And so folks need to recognize that and understand that the threat is real, that everybody is potentially a target. And if you dont have, and as an attacker, you are looking for the person in the lowest hanging fruit. The person that hasnt had their information backed up, that are using outofdate software for their infrastructure. And that is who you are going after. And you think you