
tv   Health Care Cybersecurity Discussion  CSPAN  August 9, 2019 7:59am-9:01am EDT

7:59 am
>> in 1979 a small network with an unusual name rolled out a big idea: let viewers make up their own minds. c-span opened the doors to washington policymaking for all to see, giving you unfiltered coverage in congress and beyond. now the idea is more relevant than ever. on television and online, c-span is your unfiltered view of government so you can make up your own mind, provided by your cable or satellite provider. >> next, a look at cyberthreats facing the healthcare industry. the cyber security caucus heard about risks and possible solutions; topics included insider threats, ransomware attacks on hospitals, hacking of medical devices and privacy challenges with healthcare apps. this is an hour. >> good afternoon, everyone. thanks for joining us today.
8:00 am
i'm greg mathis, policy advisor to senator mark warner. thank you for joining us for the cyber security caucus. as many of you know, senator warner along with senator gardner started the bipartisan task force. ... and so he'll be here to give a presentation to talk about this important topic, as well as we
8:01 am
have the ceo of ehi. without further ado i'll let the first presentation get started. >> i very rarely give talks that are standing room only, so i really appreciate your interest today. as greg mentioned, i'm robert lord, cofounder, president and chief strategy officer of protenus, and also a fellow at the new america cybersecurity policy program. while a lot of the information i'm presenting today comes from research we've done at protenus and some of the work we are currently building at new america, i'm not speaking on behalf of either of those organizations today. i'm just talking from my experience and providing perspective on the challenges that we see in this space. i guess to contextualize this, because sometimes when we talk about cybersecurity it can be a little too much about bits and bytes and
8:02 am
people in hoodies. the first thing i always think about when i think about health care cybersecurity is the patients i had when i was in medical school. i was fortunate to work in a clinic that focused on treating hiv-positive patients in baltimore when i was in med school. one of the things you learn quickly about this population, other than that they are an absolutely wonderful, really complex, rewarding population to work with, is they have extraordinary concerns about the privacy and security of their information. they will go to extreme lengths to make sure people do not find out about their diagnosis or their treatment, because their coworkers or communities and so many others might use this information against them, this extremely vulnerable community. one of the things i began to think about treating these patients was: what are we doing to defend their health data and information, these extremely sensitive records? the more you dig into that question, and this is back in 2013-2014 when i started, the
8:03 am
more horrifying the answers. the reality is the challenges we face in protecting health data are extraordinarily difficult. today i'll try to give a taste not only of the important stories but also the data behind all of them. i think it makes sense to start with the anthem breach back in 2015. this was really, for many people, and i'll ask for a show of hands, who here got one of those anthem notification letters? i did, too. this was about half of the u.s. population, more or less, about a third or half, 140 million medical records breached. we'll never know the exact number. but for many this was a massive wake-up call to the fact that health data was highly centralized in many cases, highly vulnerable and highly valuable to certain parties as well. unfortunately, this story did not end with the breach in 2015. the hits keep on coming. we just had a very recent
8:04 am
breach, the labcorp amca breach, with about 20 million medical records or patient data, individual data pieces that were identified, and we'll see what the final numbers are. back in 2016 we had a major ransomware attack that reduced an entire hospital system to pencil and paper. so imagine all the electronic health records, all the electronic systems that you use in a health system, and now you're using pencil and paper. pretty scary. this isn't just a couple of anecdotes either. if you look and really scale it out, a report from not too long ago showed 70% of health systems reported experiencing a major data breach and a third experienced one in the last year. if you think about this entire picture together, we are in a pretty terrifying state right now, and it's one where we are not always talking about what i can tell you health systems are
8:05 am
very aware of all the time. so i'm not a big person on speculation, but it also makes sense to think proactively. there's also the significant possibility, raised recently in the bloomberg article, of the ability of, whether it's state actors or individuals or other types of criminals, to engage in medical blackmail. typically these types of incidents are highly behind the scenes. there are some reports that this does happen, but most of the time it is not reported if it is the case. these are the anecdotes, but i don't want to focus on what could be. i want to show you the data for the rest of my presentation that shows you what we're facing right now and what the trends are. i think for some of you in the audience you will know everything i'm talking about really clearly, but for others i do want to contextualize why health data is so valuable. so by some reports, and i think these are exaggerated but they give you a sense of what these records can be worth, a
8:06 am
single individual medical record can go for upwards of $1000 on the black market. these have been deflated as more medical records come onto the black market. but there's a lot of value to them, and there's a lot of value to them for a lot of reasons. they can be used for insurance fraud, fraudulent claims. you can steal someone's id and you can do it very comprehensively when you think about the information in a medical record. it's pretty much the entire history of someone's past illnesses, their family members, their location, financial information. it's all in there. the only thing that has more information on individuals is probably like a comprehensive top-secret clearance document. you can use it to open financial accounts because of the richness of the data, so insurance or banking accounts; medical blackmail that could be criminal or state-based. unfortunately people also use it for mundane personal attacks or courtroom litigation in messy divorce cases. we've seen it all. you can run fraudulent medicare,
8:07 am
medicaid billing mills as well. a lot of terrible -- terrible crimes that have impacts that can go on for years and years. actually, recently there was a cbs this morning report that featured some of the data i'm going to show today. it showcased an individual who, while he was in the service, had his medical identity stolen, and he was resolving those challenges 15 years after and still suffers from challenges. a wonderful guy, and he's been dealt quite a hard blow. what i'm going to show you next is specifically the data we collect on a regular basis. protenus is the world's leading health care compliance analytics platform focusing on detecting dangerous activities in health care, but i'm not here to talk about my company on that side. we have research that works with third parties to identify trends in health data breaches and
8:08 am
health cybersecurity in general. so one thing to start out with is that since 2010, and i don't show all the way back, but since 2010 there's been a systematic increase in the number of data breaches that occur every single year, without fail. without exception. we've seen this since we've been tracking the data specifically, we've seen it every year, and already we are projected to have another record year. this number that you see here is just a half year estimate from a recent analysis. if it were to continue, we will beat out 2018 for certain. this is the number of incidents. you want to look at the number of records breached. we're excluding the 2015 anthem breach; if you added that in it would go up to about 170 million records that year or something in 2015. in 2016 we had a banner year
8:09 am
with some big, big breaches, almost 30 million. for 2017 some of us started to think that we were normalizing. maybe it was just a couple of big breaches and it will get better. that of course tripled in 2018, and in 2019 that estimate you see up there of almost 32 million is just the half year estimate. that is not yet annualized to the full year. we are once again on track to break yet another record when it comes to the number of records breached. importantly, you may want to know how all this breaching is occurring. of course hacking is a major concern. it's what people think about when they think about these types of challenges. and that breaks down, and i can go into more detail, but that's a mix of what we've seen from a phishing perspective, certainly some malware, some malicious links, miscellaneous threats, and i won't go into all the deep details but we provide a breakdown of this in the breach barometer, which you can download and subscribe to and is
8:10 am
totally free, just google protenus. a huge proportion, between 25-40% of breaches, are due to insiders. that is individuals with some legitimate level of access to the electronic health record who have used that access. so for instance, when i was the lowest of the low medical student with my dorky little white coat, i could access any medical record of any individual who ever passed through the walls of my institution. that was not because my institution was unique in this respect. that is true of basically every single health system in the world. and the reason is because for emergency access you need to be able to get access in the er quickly. you also have extremely complex environments where proactive access control, as i'm sure some of you may be thinking about, is a failed paradigm. it's simply too complex to tackle that type of threat with. and so this insider threat surface, one we often underappreciate, is the one that
8:11 am
leads to a huge proportion of the breaches we see all the time. as far as who's most vulnerable, this may come as no surprise, but obviously the lion's share is hospitals themselves. i want to note, this is not because hospitals are lazy or do not care about this problem. quite the contrary. they care an extraordinary amount, but keep in mind hospitals are often running on razor thin margins, their technology investment in this space is not always what they want it to be and they have to take care of patients. when you look at their list of priorities there's a lot going on that has to be thought of and, of course, they are on the front lines, so the most people have access to this. a large health system can have 30,000 employees. how do you make sure all of those individuals are not committing privacy violations? a major, major challenge. if you have a 99.9% rate of preventing phishing attacks at your institution and you have 100,000 employees, you will still have a lot of breaches,
8:12 am
and that's a big problem. question? [inaudible] >> it's hard for me to comment, as i'm in the private sector, on a lot of the state-based activity that occurs in these spaces. i'm not really the person to necessarily talk about specifics just because that information is not readily available to me. what we see is the lion's share here is people who are not some sort of foreign espionage type of situation; it's just the hospital's own employees that might be using it for criminal gain, for abusing their access maybe to attack a colleague, to look up a vip. i've even seen people look up local sports stars for a fantasy football edge.
8:13 am
so it happens, yeah. there are some pretty scary situations out there. so i'm going to tell you a nice story as well. this is like the one good piece of data you will see here, and what this is, it is the average time for an individual health system to report a breach to health and human services, which they are required to do within 60 days. they are really good about this. hospitals are extremely responsible and thoughtful: once they know about something they do report it. we have seen a bit of a trend outwards lately on reporting, but most of the time everyone is falling inside these lines, which is good. however, the time to detect a breach is not so good. so oftentimes malicious actors will be inside health systems for weeks, for months, for years. we have seen ten year plus bad
8:14 am
actors occur inside health systems and they just keep on going. the problem is not in the reporting rapidly but it is in the detecting rapidly. here's a number you will not necessarily see a lot, but it's a really important one. we've done some analysis at protenus to understand how many privacy violations typically occur in a given month based on the size of an institution. what we've seen is that for every 300 individuals you can expect about one privacy violation to a patient's data per month. that means if you have 30,000 employees at a health system you are talking about 100 privacy violations a month, and 1200 per year. if you think about what is being reported, you can really only get this once you get comprehensive analysis of the system and understand how many violations are happening, but it gives you a sense of the size and scope of these threats across the whole spectrum. in addition, there's a great opportunity to focus on education and remediation. another thing we see is the
8:15 am
majority of events that we are detecting are repeat offenses, which means someone has already violated patient privacy in some way and we haven't caught them and educated them, so they'll do it again and again and again. we see this pattern over and over again. it means we can reduce by half the number of violations that occur if we're proactively detecting these threats and ensuring that individual is educated or appropriately sanctioned for that activity. to me this looks bad, but it is a hopeful stat because it means we can predict and prevent these threats through really thoughtful workforce management. so i want to be brief in this next section and just note very briefly that my work at new america is focusing on a white paper which will be released next month that addresses three core areas of challenge in this space, and i will be thoughtful of the time because i'm running over, but the areas are essentially culture, workforce, and technology. when we look at culture it's all
8:16 am
about how do we re-create accountability from the board level on down? how do we appropriately fund hospitals so they can make sure they're getting the job done? how do we work with existing regulatory structures to be more effective and more forward thinking? our workforce area is how do we build a workforce in the future that is effective and retain the valuable workforce we have, and how do we prevent workforce burnout by making sure we're not having people do continuous or repetitive low value tasks and that they're focusing on what is strategically important. finally, from a technology perspective it's about getting a lot of legacy junk out of the system. we know there's a lot of legacy technology. it needs to be remediated. there are areas we can clarify when it comes to guidance. and then finally it's about baking in, whether it's devices or software, security in the development lifecycle when it comes to creating the software and devices that again are ultimately treating and serving patients. at the end of the day it's all about patient safety. we do all these things to the
8:17 am
end of protecting patients, to defend them from these threats and to make sure we're keeping them safe. that's what the hippocratic oath is all about, and in a way that's what we've got to do here from a cybersecurity and privacy perspective. and so i will now wrap things up. hopefully you can take a look at this in september, and now there will be a much more interesting speaker talking to you. thanks so much, everyone. [applause] >> well, it's true. i think the last time this room was this crowded, it's been a while. good afternoon guys. my name is jen bordenick. robert just did a really nice primer for us. he kind of gave you a basic overview in terms of what the data is on breaches and where we're going.
8:18 am
i'm going to spend a few minutes talking a little bit about some of the misperceptions around hipaa policy and cyber policy and talk about current policies and practices -- how we are evolving into what could be a national security threat around cybersecurity and health. cybersecurity has nothing to do with elections, just with health care. the ehealth initiative has been around about 19 years, and we're a group of influential executives from across the spectrum of health care. we bring together leaders from all different groups, payers, providers, vendors, pharmacy, et cetera to work on really tough issues. our belief is you can't just talk to hospitals about health care. you can't just talk to providers and clinicians. health care is a continuum, so we need to join with pharmacies, patients, consumers, vendors. it's an interconnected problem. it's a network problem.
8:19 am
we need to work on that together to figure out how to solve it. we've done a lot of research, education and policy work on cybersecurity. we passed out here today a new white paper we have out on risky business. we have some fact sheets on myths surrounding hipaa which are available, and many more on our website. we really need to stop looking at cyber and privacy policy, and stop thinking about health care data, in terms of what building it belongs in, or what office it should be in. health care data doesn't stop at the door. your hospital data shouldn't only be within the hospital. you should be able to access it from home, from your phone. it's all over the place. in terms of thinking about rules around cybersecurity and health care data, it doesn't make sense to always think about it within an institution. you need to think about it in terms
8:20 am
of the greater spectrum. now, i just want to be frank with you here. we have done a horrendous job in health care and technology talking about privacy policy -- talking about hipaa, privacy policy. people think about the elections and fixing whatever life story is on the news right now. they are not thinking about their health care data. part of the issue is we have made it so technical and confusing, with so many acronyms thrown at you, that some people just don't understand it. it sounds really overwhelming, and i'll be honest with you, when i started in health care two decades ago, i felt silly asking questions about hipaa. i felt i had to be a lawyer or legal analyst to ask questions because it was so complicated and technical at that point.
8:21 am
how many of you have been in the doctor's office, filling out a form, and you said like, i need to do this again? they said to you, because of hipaa, right? hipaa is the big bad wolf of health care, okay? whenever you can't get something done, a lot of times the excuse is because of hipaa. your doctor can't talk to your loved one about your condition because of hipaa. that's a myth. your doctor needs a written authorization or they can't share your health information; that's another myth. doctors are not allowed to e-mail patients. that's another myth. hipaa protects all of your health care data. another myth. i'm going to go into these last two because these really drive me nuts. if an organization is hipaa certified it's okay to share information with them.
8:22 am
there is no such thing as a hipaa certified organization. i'll say that again. there is no such thing as a hipaa certified organization. it just does not -- hhs does not go around and certify organizations. so what often happens, an organization will say they are hipaa certified, but that basically means they are complying with hipaa the way they interpret it. another myth out there: if a consumer uploads their medical records into a health app, that information is then protected by hipaa. wrong. there's no such thing as a hipaa certified health app. it's not out there. if a company offers a direct to consumer app, so you could download an app directly from an
8:23 am
organization and it's not provided by a covered entity, it's not subject to hipaa. i just threw in a word that might confuse you: covered entity. this is where it gets confusing and people start to, their eyes glaze over and they start to fall asleep a little. let's talk about what that means. there are a couple of key questions around apps and whether or not they fall underneath hipaa. it all depends how an app is branded. it depends how the consumer gets the app. it depends how the data flows between the app and maybe the hospital or the doctor's office. it depends whether or not it is coming from there. these are all a lot of the things that can really determine whether or not a health app is covered underneath hipaa and has to follow hipaa regulation.
8:24 am
generally, hipaa covers data in health plans, with health care providers that are conducting claims transactions, billing, clearinghouses, and business associates. another term that's probably a little bit confusing, which we will talk about. so who counts as a business associate? i'm not going to make you read this. i'm going to tell you. let me give you guys an example. say we have sally, okay? sally goes to her doctor. her doctor says, you know what? you have diabetes. i've got this really great app that can help you manage your condition and you get some counseling along with it. i heard about it from this great app company, so her physician gives her the app. she goes home and she uses the app. that is covered by hipaa because
8:25 am
it came from the provider. the provider recommended it. the provider's name might be on it, so it is coming directly from the provider. so that app is now supposed to comply with hipaa, which means it should protect all of your health care data. now this is where it gets a little tricky. say we've got sally, same sally. sally picks up the newspaper or picks up her phone and reads about this really new cool health app that apple has. she downloads the same exact app directly, puts the same kind of data in it. that app is not covered by hipaa because it was direct to the consumer. so you see, you could have the same app with information in it that is supposed to comply with
8:26 am
hipaa, and then you can have one that's not, even though it's the same information from the same company. this is what makes hipaa a little bit tricky to figure out. it doesn't quite make sense, and that's just one of the reasons we have to really think about where this is all going. there's also kind of this healthy-ish type data, i like to call it, that's not covered under hipaa. things like you join a disease network to talk about your cancer care, or a counseling network online. you purchased a pregnancy test, or you purchased information about a sexually transmitted disease. you join an hiv group. gps data that shows that you go to your psychiatrist every thursday. gps data that shows you were in a rehab center for six months. all of that information is healthy-ish kind of data. it says a lot about your current condition and could reveal a lot about you. that's not covered as well.
8:27 am
a lot of people would be a lot more concerned about all the items they purchase at walgreens or cvs or on amazon going public than they might be about the medical record. everybody is using these third-party apps, even cms. i went online last night; cms has a list of third-party apps to use. if you go to the site you can see all of the different organizations that cms is sharing your information with. you can link to them. in some cases you can opt out. but this isn't just happening in the private sector. this is happening in the government as well. it's important to know that when you're thinking about hipaa. so we spend all this time and effort worried about our health care data and making sure it is protected underneath hipaa, or learning it's not protected underneath hipaa. we don't want to reveal it, but
8:28 am
what's so amazing to me is that so much of this data that we're trying to protect, so carefully, we're actually giving away. so you ask, how are we giving this data away? has anybody read the fine print? i mean, i just pulled this down from my own personal health plan and some of the doctors' offices that i go to. this is my personal information here. but if you actually read that, and i encourage all of you to actually read the fine print, you will see in many cases the policy says that they don't have to agree to do what it says they are going to do. in many cases it says that they will share this information with contractors and authorized partners, but they don't tell you who those people are. it says they will use it for normal routine health care operations, but i'm not sure what a normal routine health care operation is. does that mean the web developer
8:29 am
who happens to be in the office gets to look at my medical record? maybe. or the guy who's working on the xerox machine? i don't know. but it's important to understand what it is you are signing away. and then a lot of these will say we can change the rights, you know, we reserve the right to change the terms of this policy at any time we want. and if you want to learn about that, you can come pick up a copy of the changes. so through a lot of the fine print, we are really just giving a lot of this information away. so we've heard a lot about health care data and how valuable it is. i think everyone in this room can probably attest to the fact that we need this data to find cures for cancer, to discover new drugs, to save lives. it's valuable data, but we're finding bad actors want this
8:30 am
data as well. so guess who else wants your data. i was pretty naïve when i started in cybersecurity. i thought the reason everybody wanted this data was because they wanted to break into medical records and find out about britney spears or selena or somebody in rehab or -- what was the medical condition? was someone pregnant? all the celebrity things you hear about. or that they wanted to bribe people. don't fool yourself. it's naïve to think this is just about bribery or understanding celebrities, or someone even trying to steal your credit card. this is happening right now. there is a new space race, and it's around health care data. this is the fastest growing
8:31 am
business globally. chinese investors right now are pouring in; in the first nine months of 2018, 23% -- 43% of all the investments went into biotech. in 2018. companies globally are involved in economic espionage, and companies that handle patient data are really particularly at a greater risk. they are taking this data. this is really a space race. whoever has the most data wins. think about it. think about the amount of profit that can be made by the next
8:32 am
influenza vaccine, the next ebola vaccine. and think about the potential bioterrorism that could take place if you discovered a certain population was susceptible to a certain germ or drug. i'm really grateful to a supervisory special agent at the fbi. i don't know if anybody has heard him talk before. he's from the weapons of mass destruction directorate here, and all he does is study these different countries that are basically not just hacking our information, but taking our information when we give it to them. and that's what's generally happening. the data they are taking can be used to exploit us. they can discriminate against certain groups. they can create bio weapons. they can target us. but most important, they can get economic advantage. look in the news. all of these companies are
8:33 am
working with chinese companies, in this case. it's not just china, but many examples are from china, where u.s. corporations are sharing their data with chinese owned organizations. so basically our information is in many cases being given to the chinese. there is a clear certification that allows you to work with organizations outside of the u.s. and share data with them. so imagine you are a health plan here in the u.s. and you direct all your labs, all your dna testing, whatever it might be, to be handled by a chinese company that doesn't have our best interests at heart. if you look in the news,
8:34 am
sometimes you hear about the chinese hacking data, but more often than not we are actually giving them the data. there was a report released this year, february 2019, by oig here and the fbi that identified national security risks related to sharing genomic data. this is happening right now. it identified china as a primary source of those risks. there are concerns right now because nih has given access to for-profit companies in china, and these companies have ties to the chinese government. now, this is not reciprocal. in health care we would like to think anybody is sharing data for the greater good. that's how i always believed things were, but that's not the case. in fact, in china they have a
8:35 am
law. their data doesn't go outside of their boundary. we don't get any of their data. they get our data but they don't share any data. in fact, there's a new law there that you can't even use their biometric data sometimes unless there's a chinese collaborator or an organization involved. so it's really important to understand what the national security risks are for sharing health data with china and other countries. it's important to understand what regulations we have in place for sharing u.s. genomic data. it's important for us to understand what payments we are making through cms, what payments our federal government and cms are making to other countries to hold and handle our data. and it's really important for cms and for private companies to
8:36 am
consider what other national security risks we need to think about before we do business with these companies. these are things we haven't really worried about before, right? i mean, we've been worrying about people hacking in to take celebrities' information, blackmail an individual person, but that's not what's happening. we are actually at a different point right now. senators grassley and rubio actually drafted a letter just a couple months ago -- is anyone here from their offices? -- asking cms to put a plan together and asking to kind of understand better nih and how they're sharing that, and to be clear about what payments are going there and what the rules are going to be. that's just the beginning of exploration around that. this is something i think is really important for people to keep asking about.
8:37 am
because this is going to sneak up on us very quickly. once that data is gone, it's not coming back. you can't get it back. so in summary, you know, this health care data is valuable. it saves lives, and i really want to emphasize that. it is important to share this data, de-identified, so we can do the research we need to do to find cures and better treatments, find appropriate treatment for alzheimer's or als. we need vast amounts of data to do that, so we don't want to siphon that off. but we need to make some -- we need to make tough decisions about what data we want to share and in what form, who we want to share it with. and to date i have seen a lot of discussion about that. but the time to have that discussion is now, before it's too late.
8:38 am
so that's it. i want to thank you for listening and i'm happy to take any questions. [applause] >> thank you again to jennifer and robert for those presentations. they were able to cover what i would consider an enormous amount of information and condense it into those slides, and i'm sure there are tons of questions and people want to drill down a bit deeper on certain subjects. i think we definitely got a good understanding of the risk of our data being out there and how it can be shared, and how we don't know what is being shared. i guess one question i would like to start with is, is there, or should there be, greater concern that beyond the inherent risk and the jeopardy of patient safety with the data being shared, is there a
8:39 am
direct threat to patient safety, other avenues we might want to be worried about? to talk about that a bit as well. >> anyway, you guys can probably hear me. we certainly see this all the time -- this one? okay. does that work? so one of the things that were mentioned was the potential ransomware attack. this is when essentially you have a form of malware that encrypts all of the data in the health system and makes it inaccessible to anyone using the systems, effectively shutting down anything that runs on any form of data. that's everything. well, there are still some things that hospitals probably should but they don't. so that means the patient safety effect can be huge because suddenly you've lost access to critical systems. another concern that has been proven time and time again, at least from a theoretical research standpoint, and we don't know if it
8:40 am
has happened in the wild yet, is potential device hacking. you can imagine an insulin pump or an implanted defibrillator could readily be compromised and then could be used easily, given the function of those devices, to kill a patient or seriously injure them. those are just two examples but they are very serious, very possible and they are either actually out there or have been proven to be completely plausible and deployable. >> right now there is malware that's attacking microsoft and other widely used software. a lot of the medical devices sit on top of that software. it could be then that it's not necessarily attacking the medical device itself but the software it's connected to, and that's happening right now. a lot of people don't recognize when their machine or device, or the hospital's other devices, is connected to something that's been attacked maliciously. it is happening right now, it's just not what you think about.
8:41 am
i think everybody saw the homeland episode with a pacemaker getting attacked, and we don't see that so much right now. but definitely we are seeing a lot of attacks on general software that is connected to those things, and we don't have a good way right now to notify people and reach out. if you think about medical devices, once they are out there, we would need to know exactly where the manufacturer sold them, what providers bought them, which patients they were given to. think about the chain of events in terms of where medical devices go. it's a pretty long chain. so in terms of the notification there are specific guidelines of how that notification is to take place but it's a real concern. the more that this happens i think the more dangerous it is going to get. [inaudible] -- about like where the source
8:42 am
of it is coming from, whether hacking or insiders. was that based on instances or the proportion of the number of patients attacked? does that make sense? >> that is based on incident numbers. those percentages, yes, the number of incidents. obviously you have a different view towards hacking when you look at it from the percentage of records compromised, because those look to be the biggest types of breach events. that being said, what sometimes can be the most damaging to health systems are sometimes the one-off types of attacks because they can be very public. they might be personal and they might be one-on-one types of vendettas or legal action. when you look at the total risk to the system, you could make an argument it could be either way, but your point is a very good one. if you look at the total number of records compromised you would probably get more hacks. sometimes it is an insider type of error that leads to that. good question.
8:43 am
>> we are going to go to the blue tie back there. [inaudible] >> appreciate your comments and just want to echo what you said earlier. we see the impact on patient safety and care delivery, ransomware attacks specifically, because the net effect is surgeries are canceled, the ambulances possibly diverted, and we've seen that from our members, and we see the adversaries go after smaller hospitals most recently, and increasing the ransom attacks. and using an attack that goes into the backups first, critical backups, which is very troubling because that's the normal defense against ransomware, so very concerned about that and appreciate your comments there. again, on the data point, i think the majority of records, as you say, that are compromised are by external hackers, would you
8:44 am
agree with that? >> i think from a number of records, but i think sometimes we need to be thoughtful about incidents versus records as our measure of risk. sometimes those incidents, i think, reveal some of the greatest vulnerabilities, which may or may not be exploited in these large dark web sales, things that might have less of an actual impact on the institution or patients. it really does depend but it's a good point and i would applaud also aha for a lot of great work they've been doing in the space. specifically i know some of the work you've been doing, john. >> we have launched an initiative to help our members become aware of the strategic threat posed by nation-states targeting medical research and innovation. so thanks for bringing that up. >> can i just piggyback as well? i think phishing attacks are the most common. that is external, but you can address that with training. a lot of companies have trained
8:45 am
their employees on phishing attacks. they will send an e-mail and the people that click it have to go to training. >> we can speedy you can address that but that is the number one way people get in. >> we show that break and enter data if you want to look at the actual report. we confirmed that phishing is by far the largest portion of the hacking section of that event. >> right there in the back. if you don't mind, this gentleman will find you with the mic. >> what kind of policy has been recommended or should be recommended to address this issue? >> which part? >> hospitals leaking or insiders in hospitals leaking information, or companies that are outsourcing the data to foreign nations? >> we generally haven't seen that. what we see in terms of hospitals is these phishing scams. it's really a training,
8:46 am
education. large corporations are launching large-scale efforts to train their employees to not click on things. because that's the number one way that people get into your organization. is that how some folks externally and from other nations get in? yes, but it is all around for the most part, they get in from an inside door. >> the only thing i would add is, i think you bring up a pretty broad set of challenges that we face, even if you look at any one discrete piece, the challenges are across many different dimensions and that's a lot of what we're working on at new america in particular, which is to understand how do we change the culture of these organizations, to your point about education. how do we look at the technology. are we using the most modern technology, artificial intelligence, using everything we can, and workforce. at the end of the day it's human beings that are both defending the systems as well as serving as the role of the lease and the
8:47 am
training and pipeline we create there to have a strong, diverse and well-trained workforce in the future is just incredibly important and there's a lot of specific policy recommendations in this paper that will be released soon that i'm hoping can help empower some concrete recommendations. >> it's important organizations like aha and other associations and societies really get out there and do what aha is doing, which is educate people. people don't even know this is a problem or that it's happening. the more that you can talk about it in your offices or with your constituents, it's really important, bring up real-life examples with them. >> i've been seeing a lot in the academic literature and a real push to the idea of the internet of things because it will save us from kind of human error when we're talking about an iv transfusion pump. i kind of always did have this fear in the back of my mind,
8:48 am
these things are hackable but most of the literature i'm seeing lately dealing with security focuses on the passive data collection. do you think that there's not really as much direct risk there, or is it something that could be forthcoming as kind of more of these devices become mainstream? >> a lot of the systems are very smart, and there is always human error. we're finding that medical records are in many cases more secure than they were when they were paper records, in many cases. but everything is going to be hackable eventually. there will always be a way in. there's no 100% guarantee that something can be safe. if anyone is looking for that, they will not find it. >> i mean, for me and just from my perspective, when i was a medical researcher in school, i focused almost entirely on patient safety as the topic that i worked on. i can tell you, absolutely there
8:49 am
is a really important role of the internet of things in improving patient safety. one thing that gets lost in cybersecurity and privacy is you can't just lock everything down and say there's no systems and let's all go back to using the scalpel and the pencil. not going to work. we have real gains we can make by leveraging data and modern technology and leveraging conceptual frameworks like the internet of things. but i think sometimes we frame it as an either/or and it's not an either/or. we both need to use these advanced technologies for our patients and we need to deploy advanced technologies to protect these data and systems. until we start thinking about it as an and instead of an or, we are not going to fundamentally shift this curve, but it's absolutely possible, i think, and we see top health systems doing it all the time. >> jennifer, i just had a question. i'm not sure how familiar you
8:50 am
are with mit, which has been a big center for medical innovation, but one thing that was left out of this conversation, robert was talking about it and when you talk to his research, is that universities are a giant hole for a lot of this hacking, but also particularly from foreign influences, especially because most universities, when you want to partner with other universities, especially in china, i mean, you're right. we should be encouraging that. we should want collaboration because that's the nature of academia, particularly in the sciences, but i would argue especially some of the research that's come out of mit and how we know that at least two actively monitor leaders him, especially with the genome stuff you were talking about earlier, they were tracking people's dna evidence based on ethnic heritage. i feel like to an extent it brings up the question of, should we just ban chinese investment and investors from
8:51 am
the u.s. tech industry? it's an extreme option but is it really ridiculous considering we all have american science being at least somewhat culpable in what's really going on at the moment? >> it's a really good question. i don't think there is an easy answer to it. because -- of course that. first of all, i mean, there were those two meck county scientists who were just indicted for doing exactly that, what you're talking about. it's going to happen again. but you know what? we need to share this data openly. we need more data or we are not going to find these cures, we're not going to discover the diseases we need. it's a real complex question. so it could be a matter of how we share the data, in what format. it could be that it needs to be reciprocal. the other issue is one of money. chinese investors are putting a lot of money into biotech in
8:52 am
this country. so there's a financial question as well as an ethical one. i think it's a conversation that has to be had. one of the things i don't think we've asked at all of the general public, and we don't know about consumers, is, what do consumers think? how open do people think their data should be? are the people in this room willing to share the data, but only de-identified? i don't think we have a really good sense of which way the general public is going as well, and it's hard to make policy without even knowing that. so there's no easy answers, but they are all questions which need to be discussed and we need to find out what the public perception is as well. sorry i didn't answer your question. [inaudible] >> i guess the frustration a lot of us in the national security community have, especially when it comes to china, is that frankly, when it comes to trade, when
8:53 am
it comes to science, when it comes to stuff like the south china sea, it seems like china gets the benefit of operating within the international system but not the responsibility or the burden of having to follow any rules. even if we do set up like, all right, fine, you can access american data but you can only do it through cms. cms has to be monitoring it. the reality is many of these investors don't have a choice as to whether or not they want to do that because many of the companies are also owned by the chinese government. in most companies, i believe a member of the chinese communist party has to sit on the board of that company. we have seen this with apple, with several other companies. i guess the question is, because it's true, we should be having a conversation about, as a general public, and asking what the general public thinks about issues like this. but the issue i have, the same issue a lot of people have when dealing with china, is how to deal
8:54 am
with an actor that isn't going to deal with you on even terms? should we try to make them hurt a little bit and make them understand that while our relationship is one of symbiosis, we rely on them for trade and investment and other things. at what point do we have to just stand up and say no, not today? >> we are starting to do that. the administration put a halt to the 23 and investment that was going to take place here from the chinese company most recently. this is already happening. their money is already here in many places so it's a real, yes, i'm not sure what putting a stop to it would mean right now, what that would look like. maybe that is a decision that paulson et cetera figure that out, what that looks like. but at the same time china has gotten a lot of important data from other nations. so we really have to balance what's important. >> right here.
8:55 am
>> good afternoon. i'm from senator manchin's office. i want to take the time to thank you all for taking the time to come to the capitol to speak to us on this issue. i come from west virginia, and while our state has incredible community health networks such as in huntington, morgantown, charleston, so much of our work is done at the local level in very small rural clinics. the amount of information they are able to retain on patients is incredible. obviously, as we talked about earlier, resources are scarce, especially money, whenever margins are so small within health care, but particularly in rural appalachian west virginia, the resources are even more scarce. so with the advancements in things such as telemedicine, what advice or recommendations could you offer to make sure
8:56 am
that even though the resources are scarce, that we are still utilizing technology at the local level and still have the best protections in place? >> i can speak briefly to that. we have a recommendation in the space that specifically relates to rural settings. as you may know, some of the barriers to protecting these settings are often related to the existing anti-kickback and stark laws associated with larger organizations providing proactive funding to these small affiliate clinics that represent major weak links. for instance, you could put them under the security umbrella of a larger hospital and that larger hospital may want to do so to protect them but they are not able to because of current legislation and current regulation. thoughtful reforms to that would be an easy move. i think also in the longer term sense, it's how do we thoughtfully scale using technology, the types of automation and the types of insight and the types of proactive detection of threats
8:57 am
that can reach up into all these communities, can reach out through networks of different providers and not necessarily have an individual human at every one of the sites watching it, but overall technologically enabled oversight of these organizations that are connected back to central hubs. this is all very possible and i think there's some relatively low hanging fruit we could modify to transform the landscape and improve the care that we are delivering to our patients in rural clinics and the security of their data. >> it's reflective of the inequity we have right now between smaller, rural, maybe less resourced and these larger corporate companies that have all the resources they need to do the technology updates and have the full breadth of security. it's going to be really hard for some of the smaller places to be completely secure. and it's not going to be equitable. i think that's a real problem and we are seeing that across the country. it's a lot tougher. i do think aha and other
8:58 am
organizations are doing a really good job and the rural hospital association is doing a great job with trying to share some of the resources they have, but it's tough. >> we have come up on the end of our time here, so looks like perfect timing, no more questions remaining. i want to thank you both again. you've been very generous with your time, i thank everyone that came out today. i would like to say, as you can probably tell from the context of the conversation, that there is a lot of work to be done in this area, a lot we need to focus on the effort and explore to a great extent. this is something that the senate cybersecurity caucus will be committed to exploring in the future. we definitely invite all of your bosses to join the caucus, and we thank you once again on behalf of senator warner for coming today. [applause] >> if anyone would like to reach me directly, it's robert at
8:59 am
i get the benefit of having just a single name. >> c-span has live coverage of the 2020 presidential candidates at the iowa state fair. today we are live at 10 a.m. eastern with former hud secretary julian castro. watch anytime online at or listen live from wherever you are on the go using the free c-span radio app.
9:00 am
>> we take you live now to the u.s. senate, in for a short pro forma session. .. they won't