Skip to main content

tv   Politics and Public Policy Today  CSPAN  May 13, 2016 9:00am-11:01am EDT

9:00 am
. thank you chairman speaker for holding this hearing. please accept my deep gratitude and to all the staff members who have made this possible. i really appreciate all of your caring and support throughout this very difficult time for myself, my husband and my family. i would like to know as a request whether mr. chairman together with other members of congress could write a letter to president obama asking for his response, first to the hearing and also to other requests have been put in my statement previously, thank you. >> thank you. we'll be more than happy to send your statement and a letter encouraging the president in appeal to the president to raise your husband's case and that of other prisoners of conscience in
9:01 am
a specific fashion, not in oblique mention in wind up statement or some generality. there needs to be specific requests made so that we can engage whether or not vietnam is about to move in the right direction or continue its deterioration when it comes to human rights. there are a number of areas where human rights violations are worsening, human trafficking, religious freedom and administration could, today, designate vietnam as a cpc country, country of particular concern, the facts are warranted and they also could be known as a tier three country when it comes to egregious violations of sex and labor trafficking, especially labor trafficking in vietnam. so the president has tools in his tool box, the president of the united states, we hope that hef us
9:02 am
he uses them. we'll send per your request and your testimony your strong appeal backed up by our strong appeal, we'll do it immediately. i hope it's specific some general statement about human rights. it hasn't in any other country around the world. it hasn't in vietnam and it needs to be specific. so i want to thank you, again, for your very brave testimony and thank you four your husband's tremendous sacrifice for the cause of vietnam human rights and religious freedom. he is a truly remarkable man, as are others who are fighting this battle with nonviolence and with faith, know that our prayers are with you and with him. they are in solidarity with them, i assure you and i would like to note, for the record, that we will be having a follow up hearing to this hearing in
9:03 am
mid june, latter part of june 23rd or so and we'll be assessing the president's trip. >> you can watch this hearing on our web site. we're going to leave it at this point to go live to capitol hill to testimony on why social media information is not used in conducting background checks. chief information officer tony scott will be testifying this morning before two house oversight subcommittees. he is also expected to update members of why it's not used in federal background checks and result of pilot program. this is live coverage on cspan 3. it should start in just a moment.
9:04 am
we'll come to order without objection the chair is authorized to declare a recess at any time. we're here today to discuss incorporating social media into the federal security clearance and background investigations. having a security clearance means by definition you have access to information that would hurt our national security if it got out and that is why we perform background investigations on individuals who want a security clearance. all of our background investigations must be to find out if an individual is trustworthy. back in the 1950s, that meant talking to neighbors and family. today with more than a billion individuals on facebook, what a person says and does on social media can often give a better insight on who they really are. since 2008, various federal agencies have conducted studies
9:05 am
on using social media data in investigations and they all find the same thing, that there is a wealth of important information on social media. this issue now facing the federal government is how to use social media information while respecting the legitimate privacy concerns that are often brought forth. the good news is that using social media checks in security clearance investigation does not have to be a binary situation. there are several options to use social media data in a responsible way. it is encouraging to see that odni announced this morning in advance of today's hearing, a new policy that will follow -- will allow federal agencies to review publicly available social
9:06 am
media information as part of the clearance investigation process. we will continue to work with the agencies to ensure that the social media data of people with security clearances is used in a safe and responsible way. i'd like to thank the witnesses for coming here today and i look forward to their testimony. with that, i would recognize ranking member of subcommittee on government operations my good friend, mr. connolly. >> i thank my friend, the chairman, for holding this hearing to examine the youthfulness of social media and other crucial enhancements to federal background investigations process. on january 22nd, the administration announced to former entity of opm would transfer its functions to new national background investigation bureau. the department of defense assumed responsibility of designing and operating all information technology for the new. i think it's abundant sense to task the experts with protecting
9:07 am
the sensitive personal information of millions of clearance holders. today, we're discussing another enhancement, the inclusion of social media in the background investigation process. the army has a pilot program which used publicly available data from social media sites to enhance information available to investigators during background check processes. currently the department of defense is also connecting a pilot program that looks at all publicly available information online, such as news articles and commercial web sites. i'm interested in learning the major findings and lessons learned from these pilot programs. while social media is a promising valuable source, potentially of information, i remain concerned that the government should not retain social media data of third parties who happen to engage with the applicant but would not consent to waving privacy rights. we must not forget other ways to
9:08 am
enhance security processes. the performance accountability council is establishing ali yason office that will communicate with local governments to request that's a major enhancement. we must remember that on september 16th, 2013, aaron alexis, a federal subcontractor with the secret level clearance entered the washington navy yard tragically killed 12 people and injured four others. he had a security clearance. the background investigation failed to identify that mr. alexis had a history of gun violence. the local police record of mr. alex ix's 2004 firearm arrest had not been provided to federal investigators. improvements in communication between local law enforcement and federal background investigators could prevent and could perhaps have prevented a tragedy like that. i welcome you to the witness's back from the full committee
9:09 am
february hearing and look forward to hearing about their progress on the administration's plan to reform the security clearance and background investigation process while preserving privacy rights. thank you, mr. chairman. >> i think the gentleman chair now recognizes the chairman and subcommittee on national security, mr. santos for his opening statement. >> i thank you mr. chairman meadow. i think this is an important issue and it looks like we just got a directive late last night where this is now going to be implemented policy. so i'm interested in hearing how that it's going to be implemented i'm sure that's partly as a result of your oversight. thank you for doing that and i look forward to hearing the witness testimony. i now recognize the ranking member on subcommittee on national security. the gentleman from massachusetts, mr. lynch. >> thank you.
9:10 am
mr. chairman and i'd like to thank you chairman and my friend mr. connolly for holding this hearing. it's important for a number of reasons which you both have touched on already. when an individual applies to receive an initial or renewed security clearance, the federal government conducts a background investigation to determine whether he or she may be eligible to access classified national security information. every security clearance candidate is required to complete a standard form 86. i've got one right here, likely goes into a number of very personal aspects of each person's life, this 127 page form already requests a variety of personal applicant information such as criminal history and any history of alcohol use or illegal drug use, any mental health counseling. it does not currently request social media information. but as chairman noted last night
9:11 am
at about 11:00, we got copies of this policy. i want to say thank you, you know, we have now always had information forthcoming in a timely manner, even 11:00 at night. it's timely around here. you know, a few hours before the hearing, but i appreciate you sending it. i thought it might be a mistake, actually, that you sent the policy over. i did have a chance to read it a couple of times last night. i raises some questions, i think it's a very good first effort and we appreciate it. in december 2015 congress passed and president obama signed a bipartisan funding revelation to enhance the security process. the appropriations act also requires the director to direct federal agencies to use social media and other publicly available government and commercial data when conducting periodic reviews of clearance
9:12 am
holders. the law provides guidance on the types of information that can be obtained from social media and other sources and may improve relevant to determination of whether an individual should be granted clearance at all. this includes information suggested a change in etiology or ill intent or vulnerability to black male in allegiance to another company. the main impotence, as mr. connolly noted, was the terrible situation that the washington and also i would add that there has been exploitation of twitter, facebook, intel gram by the islamic state and also at one point we had everyone who filled out a standard form 86 hacked by the chinese as well. so they have a list of everybody who filled out an 86 requesting security clearance, which is
9:13 am
very troubling. there's a lot that needs to be talked about here. we're going to gather all this information on individuals in one place. in light of what has happened with the chinese hack, i'm concerned about putting medical information, all of this about people who apply in one place where it might be accessed by hostile nefarious actors. so we'll talk about a little bit about that this morning. as i said, i appreciate the security executive agent directive number five and, you know, i think it's a very good first effort and i appreciate your transparency with us, thank you, i yield back. >> i thank the gentleman and i would hold legislation open we'll now recognize our panel of witnesses, pleased to welcome mr. william, director of the
9:14 am
national counter intelligence and security system in the office of the director of national intelligence, ms. beth cobare acting director of the u.s. office of personnel management, i might add, in her new role working incredibly well and bipartisan and very transparent way that is recognized by this committee, so thank you so much. mr. tony scott, the u.s. chief information officer at the u.s. office of management budget, welcome to y'all pursuant to committee rules, all witnesses will be sworn in before they ef. so if you please rise and raise your right hand. do you solemnly swear or affirm that the testimony you're about to give will be the truth, the whole truth and nothing but the truth. please be seated. let the record reflect all witnesses answered in the affirmative in order to allow time for discussion, please limit your testimony to five
9:15 am
minutes. you're very familiar with the process. your entire written statement will be made part of the record and so you're now recognized for five minutes. >> thank you very much. and ranking member lynch, members of the subcommittee part of this team, participating in today's hearing. as national counter intelligence executive and director of national counter intelligence security center, i'm responsible for leading the security activities for the united states government which includes entire u.s. government in the private sector throughout the intelligence community. in addition, i'm responsible for providing out reach to u.s. private sector entities who are at risk for becoming a target of intelligence collection, penetration or attack by other adversaries. i also support the director of national intelligence responsibilities as a security executive agent. the role in which the social
9:16 am
media directive was developed. and i work close in partnership with the office of management and budget and the office of personnel management and my colleagues to my left. the department of defense also partners in this effort as well as part of the pack. agencies across the executive branch are also part of today's process and successes we have achieved with this policy. when i last appeared before this committee on february 25th, we discussed information on national background investigations bureau and security clearance reforms. today i've been asked to discuss the administration's policy on the use of social media as part of the personnel security background investigation and as adjudication process. mr. chairman, we've been steadfastly at work on directive that dresses the collection in use of publicly available social media and information during personal security, background investigations and adjudications. i want to acknowledge the important contributions to this
9:17 am
effort made by our entire branch colleagues, particularly at the office of management budget and opm. and i'm pleased, as you referenced, to announce that the director of national intelligence has recently approved this directive which is being publicly released. we've gathered social media will enhance our ability to determine initial and continued eligibility access to national security information and eligibility for sensitive positions. in the course of personal security background investigation adjudication raises some civil liberties and privacy concern. let me be clear, strong liviu that being able to collect and social media and other information available to the public is an important and valuable capability to ensure that those individuals with access to secrets continue to
9:18 am
protect them. and as capability can be aligned with the appropriate civil liberties and privacy protections. i would note to the committee that by the term publicly available social media information, we mean, social media information that has been published or broadcast with public consumption is available is accessible on line to the public and by subscription of a person where as otherwise lauffully accessible to the public. i believe the new director strikes this important balance, under think new directive social information pertaining to the information under investigation will be intentionally collected. absent national security concern or criminal reporting requirement information pertaining to the individuals other than the individual being investigated will not be investigated or pursued. in addition, u.s. government may not request or require individuals subject to the
9:19 am
background investigation to provide passwords or log in into private accounts or to take any action that would disclose nonpublicly available social media information. the complexity of these issues has led to lengthy and thorough review by the departments and agencies that would be effected by the policy. as well as coordination with different members of civil liberties and privacy offices, privacy back offices and office of general council. mr. chairman, the new guidelines approved by the director of national intelligence of collection in use social media information in security clearance investigations ensure this valuable avenue investigation can be pursued consistent with subjects, civil liberties and privacy rights. the use of social media has been integral and very public part of fabric and most americans daily lives. it is critical that we use this important source information to help protect our nation's security. many chairman i welcome any questions of you and your colleagues have regarding this
9:20 am
directive. >> thank you for your testimony, you're recognized for five minutes. >> thank you for the opportunity to testify today on the use of social immediate yand process. opm plays an important role in in conducting background investigates for the vast majority of the federal government currently, the federal investigative services, fiz, annually conducts approximately 1 million investigations for over 100 federal agencies approximately 95% of the total background government wide. these background investigations include more than 600,000 national security investigations and as we discussed in february we're in the process of
9:21 am
processing which will absorb fiz and its mission to become the government wide service provider for background investigations. the department of defense with its unique national security perspective will design, build, secure and operate the investigative it systems in coordination with the nbib. to provide some context for our discussion today, i would like to take a few minutes to review how the current security process operates in most cases. first an executive branch agency will make requirement as to sensitivity and risk level of the position. if an agency determines that a position requires and submits fingerprints. both of which are sent along with investigation request. opm through fiz now and mbib in the future the clearance
9:22 am
decision is made from the information in the investigation report in conformance with the guidelines that are the pursue of the office of the director of national intelligence. the requesting make using a whole person approach, meaning that available reliable information about the person past and present favorable and unfavorable should be considered by adjudicators in reaching a determination. one component of that approach in the 21st century is the topic of today's hearing, social media. obmi and role of security executive agent has developed social media policy that has undergone extensive coordination with relevant departments and agency officials. opm looks forward to
9:23 am
implementing the policy as part of its on going efforts to strengthen investigative process sees. in april, opm issued a request for information seeking to better understand the market and the types of products vendors can provide to meet social media requirements. the rfi in preparation for pilot that opm is planning to conduct this year that will incorporate automatic searches of publicly available social media into the background investigation process. this planned pilot will be conducted by opm in coordination of publicly available electronic information, including public post on social media for a population of security clearance investigation using investigative and it is distinct in that it will assess the practical aspects of incorporating searches into the operational end to end process.
9:24 am
the mechanics of adding this type of report to background investigation and the effects on quality, costs and timeliness. in addition traditional sources. supporting the implenation of the mbib and aiding success in all areas will kobt to be a core focus for opm as well as the performance accountability council, the pack. our goal is to have the mbib initial operating capability officially establish with new organizational design and leader in place by october 2016, though implementation work will remain to be done after that date. on behalf of opm, i am proud to be part of this most recent effort by the administration and i look forward to working with my colleagues on this panel and with this committee in a bipartisan manner on this important issue. i'm happy to answer any questions you may have.
9:25 am
>> thank you for your testimony. mr. scott, you're recognized for five minutes. appreciate the opportunity to appear before you today the administration recognizes the importance of gathering accurate up to date and relevant information in its background investigation to determine federal employment and security clearance eligibility. as a government we must continue to improve and modernize the methods by which we obtain relevant information for these background investigations as a part of the background investigations process. those pilots have informed the
9:26 am
development of new social media policy fairness to individuals seeking security of that individual. the resources required to process the collection adjudication and retention of the relevant data collected. as the policy is implemented the
9:27 am
administration will continue to assess the effectiveness and efficiency of the policy. to do so the government must keep pace with advancements and technology to anticipate, detect and counter external and internal threats to the federal government's personnel i'm confident this new policy will strike the correct balance between all of these considerations. i thank the committee for holding this hearing and for your commitment to improving this process. we look forward to working with congress and i'm pleadsed to answer any questions you may
9:28 am
have. >> personal information. >> congressman, in the process of the investigations, we do work with commercial vendors of publicly available vetted information, that is sort of our core element we use that in other methods to gather the information in the investigative process. >> that the federal government will use in other instances and i just wanted to ask if there is any type of prohibition on doing that or do you guys aren't doing that or are you trying to use all the tools that are potentially at your disposal. >> we use a variety of tools to gather information from public sources from both governmental and nongovernmental, so there's a variety of tools we use to do that. those are used to, you know,
9:29 am
gather some of the information, whether there's national, you know, law enforcement database from which we get information, we do, for example, use electronic methods to gather -- appropriately gather information about financial issue. i'll be happy to get back with you with bmore of the specifics if that will be helpful. >> thank you. >> i'll concur. i think we encouraged the most robust and effective efficient tools that are processed for ensuring a speedy effective background investigation that's going to different -- this process will be different pending which agencies doing background investigation, the tools they're capable of, the expense and number of volume of people that are apply r for clearance, we could encourage the most effective and efficient off the shelf capability as long as it's within the rules, regulations, policies so forth. >> in the years leading up to edward snowden's theft of
9:30 am
classified info. he used user name complaining about government surveillance in these posts may have alerted authorities that he could be an insider threat. have any of the social media pilot program evaluated have they been capable of detecting that sort of post where it's posting on an online identity that's not the individual's name. >> i'm not specific to the exact nature of granularity of the pilots. those particular posts would not have been caught in social media because it's not public facing and it was private chats beyond the password protected. >> so if if they're using anonymous names to the extent that there are public forums would requiring a disclose sure of any alternative online identities on the fa 86 form be something that would be helpful.
9:31 am
>> we're currently not asking anyone to provide any other alternative passwords or e-mail accounts or individual reference to their online persona. >> so, basically, if -- so we'll look at social media if they're posting -- if john smith applies for security clearance and you'll look for john smith, but if he goes by, you know, jack -- jack scott, then you're just not require that so they can post whatever there and that's not going to be something that would be considered? >> not currently, unless they're willing to consent to provide that information. >> okay. what reason could allow extensive questioning of friends -- i mean, the fs 86 is a very intensive investigation. i mean, you'll call up people's college roommates. you'll call up people's neighbors when -- if they've lived in a place for a short period of time. so there's a lot of extensive
9:32 am
investigation, so why would you want to do that and i'm not saying you shouldn't do that. why would you want to do that but then not want to get the whole, i guess, picture of their online identities. >> well, i think if -- if the additional information is obtained that the individual has a pseudonym or has off line persona that's different in his name that can be pursued. that's not something we're going to ask or that's not a way for us to identify fox smith dave jones online without someone telling us that. >> what would be the reason, since there's so much information required, what would be the negative of asking, hey, do you post online under any type of pseudonym? >> i think when you get to -- pass the public facing interface of social media. you get to the, i think, the border of privacy and similarities in terms of what are your practices beyond what
9:33 am
you would do in the course of daily lives. that analogy would be we don't look at their e-mails and telephone conversations part of background investigation as well. >> my time is up. i'll recognize the gentleman from virginia for five minutes. >> thank you mr. chairman, and welcome. help me understand how this works, because it's one thing for a private individual to be sort of trolling facebook, it's another for the government to be doing it. and so how does this work? i mean, somebody in government gets on the internet and looks up your facebook history, your subject, your harry hue deanny, applied for security clearance and we're looking at, you know, two social media, anything that you use, twitter, facebook, youtube, hue lou, whatever it might be. and so we just go online and
9:34 am
look at whatever we can find under his name; is that right? >> i'll start. -- if you could pull the mic closer, thank you. >> congressman, i think when we set forth this policy we looked at it and tried to provide the most flexibility for investigative agencies and service providers to do what they feel is most practical and reasonable for their individual agency. for instance, some of the bigger agencies may provide data service provider to aggregate this data for multiple people to go out and do the search. we are clearly acknowledging that the effort will be exhaustive initially to identify people's social media footprint that's out there. >> okay. what are the red lights, though, that flag for us kind of follow up on this. so, you know, my facebook posting, you know, we're talking about the block party for july cul-de-sac, you know, talking
9:35 am
about maybe a family reunion and with all of that, oh, by the way, the president needs to die. how do we flag the serious from the trivial and how do we make sure that if it's all trivial, that's the end of it. it's deleted, it's not retained because there may be other names in that facebook. it may be pictures of other people that are not the subject of an investigation unless that association is suspect. how do we make sure that we don't just have some enormous government depository of personal information of american citizens that's really not at all relevant or parts of it may be -- how do we do. >> that's a great question, congressman. let me put this in context. this is just one tool of many that we're currently using in background investigations and the collection and retention of that data will be parallel to any other data that we collect as an individual.
9:36 am
to your example of facebook, an example, as you gave, the only relevant information that were there for processes would be if to the president. all the other stuff would not be retained. we'll collect and retain the presidential. >> let me interrupt. >> god forbid, should there be such a reference, well the other stuff not being retained actually i might not want to take a fresh look at your associations. because maybe they're involved or, i mean, wouldn't we want to check that out. >> sir, so -- >> if for no other reason talk to neighbors to say is harry talk this way. so social media application, like many other tools that are provide investigative lead, so that in particular posts on your web site would lead to an investigative lead before -- with your colleague, family, friends, neighbors as just another lead, no different than we would find in an financial
9:37 am
disclose sure. >> mr. scott, in the time i have left, on behalf of my constituents but in return to the opm security breach and if you can take some time to bring us up to date. this is identified have they been addressed so they can't be recurrence and how are we coming in trying to make people whole again in terms of the come propliez pr promiez of their personal information. >> let me respond in terms of that. in terms of improving the security systems, we have made significant strides in our on going efforts and we will continue to do so working cloeszly with dhs, dod as part of the mbib stand up. we have staff from dod on-site working with us as well as on going working sessions. we've installed the latest version of eistien. we've got whole series improvements that we've made to firewalls. we have the ability to much -- >> eistien three.
9:38 am
>> we're one of the first agencies to put that in place. >> it was in place at the time of the breach, right. >> excuse me. >> we continue to work to fry and put in place a whole series of tools and we've seen real improvements in that. as well as strengthening with a security officer, i could go on and on, we still will continue to work at that issue. in terms of the individuals whose information was taken, we have the identity theft, identity monitoring contracts in place, we continue to monitor those in terms of the quality of their customer service, we are also actively working to put in place the provisions to extend the identity theft insurance to $5 million as well as being in the process of figuring out how to extend those to the ten years that was also approved by congress. we continue to work at these quite closely, including with tony and the team from omb. >> and i will just add, i'm seeing almost as much about this
9:39 am
as i did when she was at omb as we work on this project. beth and i and dod cio meet regularly to review the process that the teams are making in both the transition but also ensuring that security and integrity of existing system. so i'm pleased with the progress. >> thank you. thank you mr. chairman. >> chair now recognizes the gentleman from georgia, mr. heist, for five minutes. >> thank you mr. chairman. let me begin with you as we all know in 2008 the commission to in regard to the benefits of examining certain aspects of social media. why has it taken eight years to implement this and get it started? >> congressman, i can't really
9:40 am
answer the eight year issue. but i can tell you to get to where we are it took a lot of extensive effort and inner agency coordination to be able to strike the right bounds to what we need to obtain or should obtain reasonable social media and the ever growing internet age. and balance that with civil liberties but u.s. citizens so that process, not only was exhausted but it was the right thing to do. also, i think, with the pilots that have started and continue to move on. we haven't really identified the correct value or weighted measure for what the efforts of social media, collection will be or has been. we're still is the effort resource allocation worthy of collecting other social media and using it as part of the background investigative process. number one, number two, if it is, where do we allocate within the investigative process, in the beginning, middle and end.
9:41 am
it will be resource intensive. >> it seems like eight years is an awfully long time to try to find a balance between privacy and, you know, that which is public information. i mean, this is not highly private information that people are publicizing out on social media like this and i understand that we want to be very careful with that. we all do. but -- let me ask you this, from the -- it seems that the new policy that we saw this morning, that within there and correct me if i'm wrong. it seems like finding information on an individual's background appears ton largely at the discretion of individual agencies. can you tell me why odni decided to leave that decision to individual agencies rather than
9:42 am
opening this up for all departments of our federal government. >> it's a great question, congressman. i will say that there's only 22 agencies who have the authority to conduct background investigations so -- and they do that on behalf of federal organizations or agency departments who require that. so those individual it is ones that were covered under this policy. it was perfectly made flexible because i will proffer from 2008 until two years ago the social media definition has changed dramatically and will continue to change, so in order to provide the agency who is conducted the investigations maximum flexibility to go about utilizing social media as part of this process was paramount in this effort because i'm pretty sure a year from now the social definition may change and we wanted to make sure that each agency had the flexibility from resource perspective to identify the most efficient way to implement this policy. >> do you believe those other 22
9:43 am
agencies will begin utilizing this. >> i do. >> okay. can you explain how opm plans to implement this policy? >> thank you, congressman. as i mentioned in my testimony, we are working through this pilot process to figure out the best way to utilize social media as a standard consistent part of the process. as was described, we are committed to its value, it's a question of how. we need a way to make sure that when we gather information on social media, it's accurate. it's not always accurate. what you find is not always the reality. we need to find a way to make sure as we do this, we're -- the resources to follow up on whatever information is revealed, how do we get those resources to follow up on those things. that is the goal of this is to embed it into the operational process. are there places whereby using social media or other tools we can replace some steps that exist today, take those
9:44 am
resources and deploy them to something else. are there other cases where the value of the information will merit adding additional resources. that's the issue we're working through in the pilot process will be starting that pilot before the end of this fiscal year. we also will continue through the pack and other forums working with dod and other agencies as they start to implement this, so we all can learn from each other. we've got to figure out how to do this right and to do it in scale and we want to move expeditiously but cautiously as we do that. >> thank you. can you provide committee with a time frame for implementation besides just by the end of the year more specific time frame. >> we'll get back to the -- the first piece is the pilot and then we'll take that and happy to provide you more information what we're doing. >> thank you very much. >> i yield. gentleman's time expired tf chair recognizes mr. lynch from massachusetts for five minutes. >> thank you mr. chairman. i want to thank everybody for holding the hearing and thank
9:45 am
the witnesses for. every once in a while my happy talk alarm goes off. sometimes i think i'm hearing happy talk and i think i just heard some. look, i appreciate the idea that, you know, we've got this eight year continuum of improvement we're trying to improve our systems. you know, there's this kaurns progress of protecting and balancing, you know, private information versus, you know, doing these background checks. but the reality on this committee is ten months ago -- sat there and told me that ten months ago we were not even encrypting the social security numbers of the 4 million people who were hacked at opm that's the reality, ten months ago we
9:46 am
were r weren't even encrypting social security number. we painfully had to admit that and they confirmed that fact. i'm very concerned about what's happening. i am very encouraged that dod is going to take over cyber security in your shop and you're going to help them with that. how is that going and what steps have you taken, be specific, that should give me some level of reassurance that we don't have another problem like that. >> thank you, congressman. let me start with how we're working with dod in the stand up of the mbib and then i can come back to some things we have underway and that we will be doing in that context. we are working very closely with dod, as mr. scott described, in a process -- >> let me just cut you off. i don't want to go on this long
9:47 am
diatrit. >> there are still elements of the opm systems that are difficult to encrypt. we have a multi layer defense. >> and you've got all these different systems. i've been at this a while, okay. and we've tried to get ahold of this and i've been here for years working on this problem and it's been very difficult. there's no shame in admitting how difficult that is. what i don't want is happy talk that it's all going well, that's the problem, we'll have another hearing and there will be gnashing of teeth and criticism and there will be somebody else in your spot. what i'm trying the to get at is what are we getting done and where are the obstacles, if there are obstacles here in terms of what you're trying to do? i believe you're all trying to do the right thing, mr. scott as well. you can get in on this, you're part of this. you know, what are we actually doing to try to protect the information that we do gather?
9:48 am
>> well, i would say as best, there's been all kind of work done in this area, penetration testing, new tools deployed, multiple examinations and on going help from dod, dhs, and so on. so i think opm, actually, is leading federal agencies right now in terms of, you know, their efforts and the amount of progress that they've made. they've applied tools to the limits that they can within the limits of current technology, but as best said, there's some things that just can't be encrypted because the technology doesn't -- >> dod is funding in this area is much better than opm and some of the other departments, so we use in there personnel and now -- have they come over and taken over this. >> they've been in their side by side with the team at opm helping not only review but look
9:49 am
at architecture and also build out the plans for the future and bib technology. i'm pleased with where it's going. i don't think there's anybody who will say our job is done or that we're not interested in pursuing what else we can do. >> the cost estimate, you know, we've had some pilot programs that tell us it's somewhere between $10,5100 to $500 per pe. is that pretty close to what the -- in practice, what we're finding? >> yeah, i would say some of the pilots that have run the estimates have been in that range. clearly, one of the things that we'll -- that will have to happen and i think the pilots will inform this, is some greater level of automation. as you can probably appreciate when you do a search, you get a ton of data that has to be
9:50 am
sifted through and adjudicated. i happen to be a person who has a name that's shared with, you know, a professional baseball player, professional musician, a movie director and a bunch of other things. and just a simple search would turn up a bunch of crazy stuff that wouldn't be relevant. so some degree of automation ultimately is going to have to help bring the cost down of that. >> all right. i see my time has expired. mr. chairman, thank you for your indulgence and i yield back. >> i thank the gentleman. the chair recognizes the gentleman from kentucky, mr. massey, for five minutes. >> thank you, mr. chairman. this is a great hearing. thank you for conducting it. i have a friend who suggests that the government should outsource this background research to the consultants that do opposition research on us, on the politicians, because they seem to find anything, all the way back to junior high. on a serious note, though, you
9:51 am
know, i see edward snowden as an example here in our notes as somebody who maybe you would have known something about if you'd done social media research. that may or may not be true, but one thing that does stand out is that political contributions are available online. and i suppose even before social media and the online availability of this they were available. so you already have an analog or probably a way of considering whether you should consider or not consider political contributions when doing background research. but now that you have social media available to you, there's another layer of transparency or layer of opaqueness that's been remo removed. you can see where somebody supports a political candidate or not. by the way, edward snowden and i have similar contribution histori histories, so. and my colleague here suggested
9:52 am
that you should be suspect to anybody that contributes to me as well. but my question is this, do you take into account political support when you're doing background research in social media? >> we do not. i mean, i think it's important for the committee to understand that the investigators who conduct background investigations are very well trained and they follow the federal investigative standards, and there are plenty of policies that they put forth in their rigorous background investigation, and they conduct investigations on information obtained that's relevant to whether or not you are capable of obtaining and holding a security clearance. so a political contribution would not be one of those. >> so if they encountered somebody who in their social media supported a candidate who was strong on the fourth amendment and believed very strongly in the right to priva privacy. and there are different interpretations of the fourth amendment.
9:53 am
i'm not saying everybody doesn't feel strongly about the fourth amendment. that would wouldn't be a consideration? >> absolutely not. that wouldn't have anything to do with whether you could hold or maintain security clearance. >> thank you very much. i'll yield back my time. >> i thank the gentleman. the chair recognizes the gentle woman from illinois, ms. kelly, for five minutes. >> thank you, mr. chair. many of us have become so accustomed to using technology in our day-to-day lives that it seems second nature to examine the social media accounts of individuals applying for a security clearance. however, it's important to note that when incorporating social media into the federal background check process, a number of steps must be taken that go far beyond those we view as a friend's facebook profile. dr. cobert, opm conducts approximately 95% of background checks governmentwide. that's in our notes. the initial data collection portion of these investigations is completed by federal contractors in part because you must comply with the various
9:54 am
laws governing what information can be collected, used and stored by federal government. is that accurate? >> congresswoman, we work with federal contractors in the investigative process to enhance our capacity to conduct background investigations. they have to follow the same federal investigative standards that mr. evenina referenced. the individuals from those contractors who work on investigations also have to undergo through training against those standards, and we work to ensure that that is the appropriate training. >> okay. the incorporation of social media data's not as simple as it may sound to many people, so i'd like to delve a little deeper into how we get to a vendor running query for publicly available information to the point at which we have variable, verified information for use in the adjudication process. again, to begin with, contractors must conduct social media checks on clearance applicants based on guidance from you about the kind of information relevant to
9:55 am
clearance investigations, correct? >> we are going to start with the social media thing -- the social media efforts with the pilot i mentioned. that will help us understand what kind of guidance we should be putting in place when individuals are conducting social media searches to verify that information to ensure we're focused on the pieces that are relevant to a security clearance, not the other issues that are not part of the process. that's why we're going to work this through in a pilot, so we can create standards and processes that will get us relevant information, reliable information and protect privacy. >> and then your current contractors will need proper training and proper guidance to do all of that. >> they will need training. yes, they will. >> okay. once the data has been collected, a human being is necessary to make a judgment and verify that it does, in fact, belong to the individual in question. >> we are working to find the processes that will enable us to
9:56 am
actually match individuals. as mr. scott described, there are multiple tony scotts. so we are working through the pilots, and i think this will be an ongoing process to see where are the places where we need human intervention, where are the places where technology can help with that resolution. >> mr. ebenina, can you speak to some of the challenges associated with verifying identities and social media data? >> yes, congresswoman. i think challenges cannot be understated in where we're headed in terms of, number one, identity resolution. as my colleagues have mentioned, the ability to identify bob from -- or mr. scott from mr. scott and all that goes with it, the resources that it will take to make sure we are firmly in agreement that mr. scott is mr. scott. then what we found out about mr. scott, is it investigatively and adjudicatively relevant? does it make sense to be put forward? and if so, it's put in the same box all the investigative data would be to make sure it follows
9:57 am
the policies and investigative guidelines. i want to reiterate, the social media identification of information is in the same box of all other tools and techniques investigators have. >> and even after we have verified individuals account, additional manual processing is needed in order to analyze, interpret and contextualize information, particularly photographs. is there any way to fully automate the analysis of photographs? >> i want to refer back to my colleague, ms. cobert, in terms of the ability to maximize any type of automation we can to facilitate not only effectiveness of this tool, but at the end game. but i want to inform the committee that at the end of the day, no matter what we identify, the adjudicator is a fundamentally government role, so the adjudicator will make the ultimate decision if the individual is mr. scott, if the information obtained is relevant and it should be a value add to whether or not he gets a clearance or not. >> thank you. i yield back the balance of my time. >> thank you. the chair recognizes the
9:58 am
gentleman from south carolina, mr. mulvaney, for five minutes. >> i thank the chairman for the opportunity. thank you all for coming here. i just have a couple random questions. you said something during your open statement which i wanted to go back to, and a couple of you used the same terminology. and maybe i just don't understand the issue. and full disclosure, mr. massie and i are sort of in the libertarian-leaning wing of the party, so we take civil liberties very seriously. and you mentioned that there were civil liberties concerns, i think in doing this research in the first place. i don't get that. what civil liberty of mine could be at risk from you doing research on me? >> well, may i correct -- i don't think in terms of the previous pilots and this particular policy -- >> right. >> in order to get to where we went, we had to negotiate strongly to ensure that each individual who applies for the security clearance, we are going to protect their privacy and civil liberties, at the same
9:59 am
time collect the information we deem necessary to ensure they can get a clearance. >> and again, i'm not trying to split hairs with you, but if i'm coming to you -- and we've had a very similar discussion, mr. chairman, when it comes to folks who want to come into the country on various visas. the lady who shot the people in san bernardino came on a fiancee visa, and we didn't do any social media on her. and one of the arguments we got from customs enforcement was it would violate her civil liberties to do that. if i come to you and i'm asking for a job or i'm asking in my current job to get a security clearance, can't you just ask permission to look at everything? >> yes. the first thing you can do is consent to the government searching you, not only with regard to social media, but all your other financial, medical records. you content to do that on the fs-86. >> okay, so there's no privacy concerns. i have the right to waive that and i do, correct? >> correct. >> so there is no privacy issue on the front end when you're doing your background research
10:00 am
on me, correct? >> as long as you consent to it -- >> right. okay, good, then we're all on the same page. because the real privacy concerns comes with what mr. lynch mentioned, which is what do you do with the information on me after you had it? because while i consent to let you go and get it, i certainly don't consent with you giving it to other people. so i think that's why the focus, i think for many of us who are interested in our civil liberties, is what are you doing after you have it. and i want to go deeper than just the social security numbers, which i think mr. lynch properly pointed out. what are you doing with mr. massie's medical records when you're doing the research on him? how are we -- yeah, especially on massie, right? and his mental health records. no. >> actually, i've got it right here. page 17's kind of interesting. >> so, tell me about that, because again, we all know about the risks -- everyone in the country now has gotten hardwired to sort of thing, well, my social security thing is really important. i hope they're protecting that. but what about the stuff that
10:01 am
doesn't on its face look like it could be damaging to us? you know, maybe mr. scott went to marriage counseling, okay? not illegal, and i don't even know if that's true and i'm not suggesting it is. i'm using it as an example. it's not illegal. it's certainly not the type of thing, though, that you want to have public. what are you doing to protect that kind of information? not just the number data, not just the social security numbers, but the detail, the meat of the stuff that you might find on anybody that you're looking at? >> i'll start and pass to my colleague. but i want to ensure that the only collection and retention of data will be what is investigatively relevant to completing and authorizing a background investigation. if it's not relevant to you obtaining a clearance, it won't be retained. >> okay, let's focus on the one word, then, because it's an open-ended question. let's narrow it down.
10:02 am
nothing is retained right now. once you have it, it's someplace. even if you hit "erase" on your hard drive, it's someplace. what do you do to make sure the stuff that you don't retain really isn't retained? >> congressman, when we get the records of your background investigati investigation, we have a set of rules and guidelines that govern those, that govern the sharing of those. so it is used for the investigative decision, but there are very specific guidelines about how that information is used. we have specific guidelines about records retention consistent with nara and their policies. and a core element in the cyber security design of our systems, particularly as we're thinking about as we go forward, is how do we make sure we've got the appropriate protections in place for all of that information, not just social security numbers. but there are very explicit policies around records retention, around record-sharing, both externally but within the government, right? this government was gathered for a specific purpose. that's what it was used for, and there are guidelines around that
10:03 am
in place. >> just a quick question, and i honestly don't know the answer. but when the data was hacked that mr. lynch mentioned before, was it just social security numbers that were lost or was it other information as well? >> the information that was lost was data in people's backgrounds investigations, so it included a range of information, not exclusively social security numbers. >> thank you. thank you, mr. chairman. >> i thank the gentleman. the chair recognizes the gentleman from california, mr. lou, for five minutes. >> thank you, mr. chair. my questions are from mr. evenina. first of all, thank you for your service and i support incorporating social media into federal background investigations. i have a broader concern, which is whether race or ethnicity play a role in security clearance denial or granting. and let me give you some context for this. recently, four american citizens were arrested and indicted for espionage. and then all charges were dropped. these were in different cases.
10:04 am
and it turned out that the government just got it wrong. and the one fact that was the same among all these cases is the defendants looked like me. they happened to be asian americans. cases of sherry chen and shu yu li. their lives were turned upside down because of what our government did. "the new york times" has asked our government to apologize. i wrote a letter signed by over 40 members of congress asking the department of justice to investigate. since i wrote that letter, our office has been contacted by federal employees who happen to be asian american, alleging that their security clearance was denied because of their race or ethnicity. and so, my question to you is does race or ethnicity play a role in federal background investigations? >> sir, absolutely not. and it unequivocally not. i don't think there's ever been a situation where an investigator has used race or ethnicity for determination of
10:05 am
clearance for a u.s. citizen, number one. number two, the situation you referenced, i could say that with 19 years in the fbi, i can assure you that the fbi does not conduct investigations relative to whether your race or ethnicity comes to play. >> thank you. let me ask you a question about how this policy would be implemented in terms of social media. let's say a japanese american federal employee has a facebook page and friends of this federal employee living in japan or relatives post on that facebook page. does this federal employee become more suspicious because of that? >> absolutely not. and the only issue would be if on that public-facing facebook page there is derogatory or negative information that's relevant to an adjudication investigation will result in a follow-up lead. but otherwise, it would not. >> thank you. the u.s. government under the obama administration runs something called the insider
10:06 am
threat program, where federal employees are asked to report on other federal employees who may be suspicious. is race or ethnicity allowed to be taken into account under that program? >> sir, first of all, the national threat task force is housed within the national securities center. and again, race or eiththnicitys no part in the insider threat process or the criticality we have across the government. >> are federal employees when they're given training on the insider threat program and how to report, are they given that training about race and ethnicity playing no part? >> well, i think the race -- any fundamental training regarding race and ethnicity crosses all boundaries, not just investigative. that's part of the federal workforce and our fabric as americans, number one. but in terms of the insider threat task force, race, ethnicity or any other type of genre of covered classes is never a part of the task force. our number one mission is to identify potential insiders,
10:07 am
spies, espionage matters or those who seek to do harm to others. >> could you provide my office with guidance on how you train federal employees? >> absolutely, sir. >> great. thank you. i have gone to a number of national security events and briefin briefings. i think it's not a secret that the management looks very nondiverse. there's been articles about the state department having trouble recruiting people who are minorities. and i'm wondering if that has anything to do with security clearances and the inability of some folks or minorities who might not be able to get them. could you provide my office with some data or statistics on who gets security clearances based on race and ethnicity? >> i'm sure we can, sir. >> great, thank you. and with that, i yield back. >> i thank the gentleman. the chair recognizes himself for a series of questions. and i'll be very brief. let me follow up on a couple of
10:08 am
clarifying things. you've obviously put out this new policy, and we applaud that. we thank you for that. is there any particular legal reason or practical reason why we would not be asking them for their online identities? >> well, sir, i think as part of the sf-86 application, and when you write your name, it's asked, do i have any other names or aliases that i go by. so that's the first -- >> yeah, but i'm talking about online identity. so twitter, facebook, you know, because i'm not going to give it in a public forum, but i have actually twitter accounts that don't actually have my name associated with them, and yet, i would tweet out things based on that. so, is there any reason why we wouldn't ask for those types of things? practical or legal? >> i don't believe it's a legal issue. i think it's a policy issue. and i think we have to have some clear differentiation between what is investigatively relevant. and we can get to those areas -- >> but if we're talking about
10:09 am
social media, that would be relevant. i mean, there's no expectation of privacy, other than, well, you know, you could perhaps make the case, if i'm wanting to be private about it. i'm not putting my name. but if you just ask for those online identities, would that online identities be synonymous with an alias? >> they could be, sir. they absolutely could be. >> so i guess if there's no legal or practical reason why we wouldn't do it, why would it not be part of your new policy? >> again, i will say that the policy is a start, where we're going right now to get where we are -- >> so, are you willing to look at that particular component, about asking for other online identities and maybe report back in your philosophy here within the next 60 days to this committee? >> sir, i think we're willing to look at all aspects of social media and how it pertains to background investigations -- >> but specifically with regards to that question. are you willing to look at it and just report back? i'm not asking you to give me a
10:10 am
definitive answer, just that you get back to this committee on what your opinion is on -- >> yes, sir. >> -- why you should or should not do that? >> yes, sir. >> thank you. ms. cobert, i'm going to finish with you, and it's really something from in the past. i would just like to ask you, with regards to the cio and ig relationship, how would you characterize that from where it has been and where it is today? if you could speak to that. >> let me turn that on. thank you, congressman. we have been working across the agency to strengthen our effectiveness of our dialogue with the cio, and i believe we've made real progress in a number of different areas. we've set up a cadence of regular communications at my level with the inspector general, currently acting inspector general, on a bi-weekly basis we meet and get an overview of the issues. we have specific working teams that meet on a periodic basis as well. both around the cio, around
10:11 am
procurement. we've set up that same kind of mechanism around the stand-up of the mbib, given the oversight issues and making sure we get those right. so, i think we've made considerable progress in terms of the dialogue, the clarity of the communications. we welcome their input on what we could be doing as better, as we welcome input from our colleagues here and elsewhere. >> so you would characterize it as much improved under your leadership? >> i would characterize it as much improved, yes, sir. >> all right, thank you. the chair recognizes mr. lynch for a closing question or statement. >> thank you, mr. chairman. and again, i want to thank you for being here. i want to ask a question sort of off the grid here. i appreciate that you're making progress, and that's a good thing. and we're working together with dod to secure our systems. there's another issue. you know, these hackers have become so proficient. you know, this morning we got
10:12 am
news that the swift commercial bank system -- i think it's 11,000 banks and companies that handle international banking transactions. they were hacked again. they were just hacked through bangladesh and the new york fed, which is troubling, to the tune of about $81 million. now we find out there's another hack going on similar to that one. so, they're being breached. the fdic, chinese hackers, news again this morning that the fdic has been hacked. and these are entities that have fairly robust, you know, protections. and we're about to enter into this -- well, we're about to debate the trans-pacific partnership. and one of the provisions in that trans-pacific partnership requires u.s. companies to
10:13 am
establish databases in foreign countries. there's about 12 countries, but one of them's vietnam, a communist country. so we would have to -- the u.s. companies would have to establish physically databases in those countries -- malaysia, vietnam. and a lot of the banks and companies involved here are very concerned about the security aspect of this overseas. and i just wonder, especially mr. ebenina, i know you worry about this stuff all the time, as well, ms. cobert, you're dealing with, mr. scott, you as well. what about that dimension of this? i know you weren't prepared this morning to address this question, and i appreciate it if you want to take a pass, but i'm just worried about that, about it's tough enough to protect the data when it's in the united states. and now we're being asked to force our companies that are
10:14 am
dealing in international trade to actually deposit their data in these foreign countries that don't have the security protections that even we have. mr. ebenina. >> sir, i concur with your concern for cyber security and the need for us to be prepared to at least meet where we are in the global economy. i'm not particularly familiar with requirements contained within this policy, so i can't speak to that, but from the purview of national security, the cyber threat is real and i think we have to take that into consideration for anything we do moving forward, whether here domestically in the united states or any of our businesses and government operations overseas. >> okay, thank you. ms. cobert, mr. scott, do you want to take a bite at that or are you all set? >> i would just say one of the lessons learned i think worldwide has been that cyber security knows no national boundaries. and concerns about cyber security are, you know, global.
10:15 am
physical location is one element, but probably in the case of cyber security not the most dispositive in terms of concerns i would have. it's more about the secure by design sort of notion, you know, what have you put in place and how well is it implemented and so on. so those would be more my primary concerns. >> yeah, my -- >> in some cases the physical location. >> right. my concern is obviously the communist government in vietnam is going to require access. so that was my concern. you've suffered enough. i want to yield back. thank you. >> i thank you. and i want to thank all the witnesses for being here today. and if there's no further business before the subcommittees, the subcommittees stand adjourned.
10:16 am
10:17 am
10:18 am
the importance of cyber security at medical facilities around the country was the focus of an event hosted by politico yesterday. this is about an hour and 15 minutes. >> ladies and gentlemen, please welcome politico's executive
10:19 am
editor for health care. >> good afternoon, everyone. i'm politico's executive editor for health care and i'd like to thank you all for joining us for our outside-in event and those of you on the live stream, too. outside-in is our event series that focuses on the intersection of health care and technology. and being politico, we look at health care and technology through the lens of politics and policy. outside-in was conceived as a way to bring together outside experts and washington insiders. this is our third year on this series, although our first event of this year. we have taken the idea one step further this year. we've created a forum of health tech industry insiders. you have a list of their names on your seat. and we're doing surveys, interviews and events. and this group is helping us better understand the new opportunities and challenges that technological innovation is bringing to the health care policy world. today some of these panelists -- we'll have two panels. some of these advisers are going to help us as we dig into the issue of medical privacy in an age of cyber attacks.
10:20 am
and we're going to ask questions like is greater health care information exchange going to lead to even more dangerous and increased hacks? can health care providers afford security? what kind of congressional or regulatory action, if any, is needed to keep medical records safe? we'll have the conversation in two parts. first, politico's ehealth editor and i will talk to the first panel of experts about medical cyber security. in the second panel, dan diamond, a new colleague, he's writing pulse for us now and he's just begun the pulse check podcast that all of you have to subscribe to as soon as this is over. and he's also helped us create and moderate this outside-in advisory panel, this forum, and he will continue a conversation with experts who are on that forum. and you'll find dan's stories from today, first story he's written based on what these outside people are telling us. and the theme of that story shows how health care cyber security's getting worse and how
10:21 am
the government's role is a mixed blessing. and we have a bar, as those of you here noticed. so stick around, because the conversation can continue afterwards. those of you in the live stream can just start right now. before i introduce the panel to the stage, i want to take a minute to thank our partner, phillips, for their support of this event and the entire outside event series this year and all three years. here to say a few words is artie arthur, vice president health care government solutions group. >> thank you. >> thanks to everyone for coming to this event. we're really excited to be here. thank you to politico for spons sponsoring the first installment of outside-in. this is phillips' third year here. and just to give you a little bit of an understanding of what we did last year and how it's really going to integrate into how health care and technology meet each other for this series. last year we focused on areas such as digital medicine, aging
10:22 am
in a technology world, and also population health. why does that matter today? well, you know what, health care transformation is continuing on, right? and what we need to do is ensure that that data is meaningful and actionable. but the worst part about it and the reason why we're here today is because we don't always know if it's safe, right? i mean, you don't know what you're going to get. and you guys have that sheet of paper. i just read it real briefly, on how expensive health data is. so, we're here tonight to really talk about how important it is to ensure that our health data is secure. hackers don't care. they don't discriminate at all. amongst health data. if you think about what's happening today, you've seen a lot of articles on the health care ecosystem, large health care systems as well as insurance companies have had their data attacked, whether
10:23 am
it's by a hacker or any type of outside threat. and that's important and it's scary. i think the really cool thing about working for phillips and why i'm so proud to be here tonight is that we take this very seriously. in fact, my group in the health care space for the federal market, we've done a lot of work with dod. in fact, most of our products today have been certified by the department of defense for cyber security, and we're really proud of that. we have more cyber security certifications than any other entity today. additionally, we get to be an adviser on the newly formed cyber security task force for hhs. and so, this is really empowering what we do in health care today. i can't tell you how excited and thankful i am for the panel that we have tonight and for politico to partner with us in this forward-thinking,
10:24 am
thought-provoking series of 2016. and with that, i think i'd like to introduce your panel. >> thank you, artie. and thank you to phillips for your partnership. for those of you in the room and those of you on live cast, our conversation on twitter, we use #outsidein. that's one word, outsidein. i have a tablet on stage. i'll take some questions from those of you who tweet them in. a reminder, our events are live-streamed. they are all on the record and they are recorded so people can watch them later on through our website. without any further delay, i would like to welcome our panelists and my co-moderator at the stage. first, we have representative will heard from texas, chairman of the i.t. subcommittee for oversight and government reform, and he is a former cia undercover officer. and then in the private sector he was a cyber security expert. he came to congress in 2015 and he swiftly has emerged as a really important voice on this topic on privacy and security and looking at where the
10:25 am
government is not doing a good enough job. lesl leslie krigstein is head of government affairs at c.h.i.m.e., bringing the concerns of health care ceos and health i.t. leaders to the hill and to the agencies. devon mcgraw is the deputy director for health information privacy at the hhs office of civil rights, and she is the point person hhs for concerns about privacy, and she helps inform hipaa -- she helps enforce hipaa, so you all have to behave. clinton michael is a partner at the health law partners, chairman of ehealth privacy and security interest group at the american bar association health law section. and he is one of the top national experts in legal issues that barely existed a couple of years ago. and we hope he can help us understand what's still needed in the legislative or regulatory framework to protect health care privacy, because every day we are reminded that it is a problem. and of course, arthur allen, my friend, colleague and ehealth editor in the office.
10:26 am
they call him big data, and i'm little data. [ laughter ] thank you. arthur, you're going to take it. you're going to start it. >> well, welcome, everyone. so, i represent -- i'm the ceo of a small hospital chain, and i've been busy taking care of meaningful youths and dealing with mack area and a million other things. and somebody just came to me and said that there's this issue called cyber security, like problems with people attacking the health care system? and i'm just going to ask our distinguished guests here to explain some of these things. congressman, who is attacking the health care system and what are they after? >> the majority of it is going to be organized crime, and a lot of it is russian organized crime. they're the ones that are trying to leverage the data they're collecting for monetary gain. a health record gets more on the black market, on the digital black market than a financial
10:27 am
record. and some even estimate that a medicare record is in the couple of hundreds of dollars per record. so it's lucrative financially. to give some context, in 2012 alone, fbi had some data that there was $414 million worth of thefts in the united states, and the estimates in the cyber realm, it was over $100 billion impact to our economy. so it's a big issue. >> so it's a good field to be in, obviously. leslie, tell me about the experience that hospital cios are having dealing with this probl problem. are hospital systems spending a lot more money? what are they doing to adjust to this new reality? >> and you're right, it is the reality. there's only, you know, so many fingers to plug the holes, and the reality is we can find every
10:28 am
possible vulnerability and try to block it, and they only have to find one. so, when you're looking at health i.t. as a small fraction of the overall health system budget, something like 3.5% to 4%, a subset of that is i.t. security. so you know, it's something that you're not necessarily getting reimbursed for, but it's absolutely necessary for the public good, but it's tough. you know, resources are hard to come by, whether it be financial or even personnel, and you're only as strong as your weakest link. and in this day in age, we're sharing data with more and more partners. we're sharing data directly with patients. and you're just opening up the doors. and so, it's incumbent to train your workforce and work with your board, but it's definitely a tough fight that the odds are stacked against us. >> devon, so you're sort of the cop on this beat, in a way.
10:29 am
how much do you blame -- you know, how do you figure out how much, or how does the legal structure share the blame, decide who's going to be punished, how much you punish people who are really in a way the victims of the crime? i mean, because hospital health care systems, to be sure they're the custodians of the records, but they're also the ones who are directly being attacked. so how do you, you know, at the same time punish and at the same time, you know, try to improve the system to make it more secure? >> well, so we have a set of expectations with regard to security and health care, and they're absolutely critical. i mean, it is a sunk cost of doing business. if you're going to be out there collecting health data, it's valuable. not only is it valuable to criminals, but it should be valuable to you. it's probably one of your most critical business assets. so protecting that data from the threats that are out there is
10:30 am
really sort of -- it should be expected, and frankly, from a public policy perspective, it's important for patients to be able to trust that their data is safeguarded, not necessarily perfectly safeguarded, but safeguarded. we do not expect perfection. if you take a look at the cases that we have pursued, those entities in our view based on our investigations had significant deficiencies in their security policies, processes. they were not doing enterprisewide risk assessments, or maybe they did one like ten years ago and it hadn't been updated. the adoption of basic security safeguards is slow. so i'm not suggesting that we have a right to demand perfection in terms of accountability, but we do expect entities to devote resources to security. we do expect them to be aware of
10:31 am
security resources. you as the ceo of that hospital, if they're coming to you and you don't know what cyber security is, that's a big problem. >> okay. clinton, what do you think is -- i mean, are they exercising their role appropriately, are they being too harsh, too lenient? and do you think that the regulatory and legal framework needs to change in order to deal with this problem that's rather quickly kind of arisen in health care? >> no. i think ocr is doing a really good job -- >> you're not in a good seat, are you? >> no, i'm not. so, i am a client of devon. no, i think ocr's doing a good job. and one of the stated purposes they have is to essentially teach. and they have a really strained budget for their teaching. but you will see them issuing technical assistance as opposed to being punitive. now, we have a lot of agencies in the government that are
10:32 am
punitive in the health care sector. ocr is not one of them, thankfully. and they've done a good job, i think, with splashing out their enforcement actions, pursuing some big dollars so that people in the industry see it as a deterrent effect and will also take it seriously. and they've hit business associates, they've hit covered entities, laboratories, hospitals, physician practices. so i think they've done a great job. now, as far as the regulatory framework, i've really only seen one truly bipartisan proposal so far, and i think it's workable. so we take the servers and we put them in the bathroom closet, and then we build a wall around them and we make the hackers pay for it. >> good. >> we're looking for solutions, so i'm glad you -- >> but to pile on there, if you're the ceo of a hospital and
10:33 am
you're looking to ocr for guidance, you're already behind the curve, right? >> absolutely. >> you need to be -- and no offense to ocr. you need to be following the best practices and good digital system hygiene. and if you're not doing that, the regulatory environment is not going to save you. and the fact that the ceos should know about these things because this is an integral part of your business and you need to make sure that you have a cio that knows what they're doing in order to protect that infrastructure because that's your responsibility to protect the information of the people that you have in your systems. >> right. >> when there's a ransomware and there's a headline and it makes news, i mean, five or six years ago when there was a breach, it was always the breach that at least the public heard about, it was always somebody spying on a movie star in hollywood, right? that's what we thought. and i thought, i'm not sharing, i'm not having plastic surgery, i don't have to worry. but that sort of -- that's how i think a lot of us sort of came
10:34 am
across it. it was nosiness and internal -- lack of internal controls. now we really have some kind of organized crime, cyber crime going after health because the health data is valuable on so many different levels. but are these occasional things we read about in the newspaper with the bitcoins and the ransom, is that occasional or is it happening all the time and we don't know about it? >> i mean, to pipe up in talking to cios. a small hospital in rural america, 300-bed community hospital, was victim, or attempted 3,500 attacks on sunday, on mother's day. they faced 90% of them were internal from the u.s., 10% of them were external from countries from china to costa rica. >> the internal ones actually -- do we know they're internal or -- >> from the u.s. >> but do we know that's where -- >> yeah, they're able to track where the threats are coming from, but that's a 300-bed hospital in rural america. and so, if they're facing it,
10:35 am
think about like an academic medical center that has ip. or think about as we're starting to exchange and the number of opportunities for intrusion. so you may have -- or to give you another example, there is a large health system on the east coast, $10 billion health system. they faced -- they turned away a million ransomware e-mails in the month of march. so the attempts are regular. they're happening to providers large and small across the country, and it's a matter of making sure that you've trained your staff properly to say no to them. but there's also times where as long as you've got your, you know, incident response plan in place, you should have those systems backed up. and so, if they hit one computer, hopefully, that computer's useless, you've got your systems back up. there's absolutely no need to even consider the ransom. so it's a matter of having your best practices. so -- >> how common is it that they have those best practices in
10:36 am
place? >> it's a work in progress. it's very definitely a learning curve. >> she's shaking her head, so -- >> sorry. you know, they're trying is the reality. our industry is rapidly becoming more digital, and we are trying to keep pace with the progression that everyone is making while meeting patient expectations. but the reality is the threats are real, they are regular, and it's a matter of being up to snuff in working with ocr and looking at the cyber security framework and sharing threat indicators across the industry, which to modern -- to date is not as regular as it could be as other industries. and so, i think we've seen some very significant progress, particularly in what the hill did last year in setting up the cyber task force and setting up the framework to share threat intelligence, because that's the only way the small critical access hospital in rural america is going to be able to leverage their lessons learned from their colleagues. >> and ceos of hospitals --
10:37 am
>> what are you hearing as a lawmaker that has access to information that i don't have? >> well, there are more attacks than we are aware of and more people are paying the ransom than what is out there for public consumption. >> widespread more or a little bitty more? >> more than -- it's more than little bitty. >> and a lot of bitty? >> somewhere in between, all right? and so, folks need to recognize that and understand that the threat is real, that everybody is potentially a target. and if you don't have -- as an attacker, you're looking for the person in the lowest hanging fruit, all right? the person that hasn't had their information backed up, that are using out-of-date software to defend their infrastructure. so that's who you're going to go after. and if you think you're the right one, then you're the person that's probably going to get targeted. >> i'm comfortable giving it a widespread. and it's widespread and it's underreported. and lots of folks are paying the ransom, and --
10:38 am
>> are these ransom attacks -- from the looks of it, some of them are random. in other words, somebody's sending out bugs and they happen to land on a hospital. are any of them -- are people -- have the ransomwarists figured out specifically how to target a hospital? because they must realize a hospital's kind of got to pay if they want to -- >> well, if you look at the studies and the reports out there, 2016 is really predicted to be the tipping point for ransomware becoming mainstream in the health care industry because folks are seeing that, yes, the hospitals will pay good money, more so than your individual or your law firm that gets hit with it. and a lot of it is random, but i think it will become more targeted. and it's not just our organized crime. i mean, there was a hospital in flint, michigan, that was hit, somewhat related to the water
10:39 am
crisis. and it was a hacktivist-type scenario. >> the way this seems to be playing out is very much a crime of opportunity. and so, the health care industry, they have -- clearly, there's vulnerabilities that the hackers have perceived, and they're going for it. and i think that leslie put her finger right on it when she said, you know, the lack of contingency planning and data backup always has been part of the hipaa security rule, but i think to the extent people didn't realize how important that was. they sure should know that now. >> so, devon, are you saying, then, that if people are reading a few rules and they're reading your guidelines and they've looked at hipaa's, you know, security guidelines, that some person in the middle of nebraska with 300 beds is as ready to deal with this threat as partners -- >> loaded question. >> i mean -- >> my lawyer is advising me. >> i mean, can you really defend yourself if you're a small
10:40 am
player and you don't have a lot of resources? >> look, we've already put out there that entities need to do contingency planning and disaster planning. in fact, if you're in the middle of rural america, your systems could be hit by a tornado and disabled, right? so, already we have an expectation out there and always have that there is to be contingency planning. that hipaa security rule is flexible and scaleable. we do not necessarily have the same expectations of small facilities that we would for larger ones that are larger resourced. but at the same time, this is a threat now that i think everyone should be aware of. and if you don't have the contingency planning in place, you're a target, if you're not already being targeted. and having that in place will arm you so much better to be able to resist something like this. you're either going to pay for security or you might be paying for ransom, but you don't get out of this without putting some resources at this problem. >> is the security something that -- i mean, a lot of the
10:41 am
small, rural hospitals that, you know, they've had a lot of demands on them. >> yes. >> and it's not blame it on obamacare. i mean, there's some real problems. there are issues, many complicated issues facing rural hospitals and health i.t. has been one -- i don't want to use the word burden. financially, it's a burden. it has been hard. is the security so expensive that they're going to go under, they're going to have to consolidate, they're going to lose their independence? i mean, how -- is it sort of the straw that broke the camel's back for the smaller practices and the smaller rural hospitals or the smaller -- don't have to be rural, but that's the category that has a lot of trouble. i mean, can you do this? can you fix it if you're not a giant? >> no, i don't think it's even limited to the small rural hospitals or the small hospitals. hospitals are financially taxed. and i.t. security is hard, and it's ever evolving. like leslie said, they only have to find one hole, and we have a
10:42 am
world to deal with. so i think absolutely hospitals are under a great financial strain these days, and there's not really good money allocated towards securing this. so i think if you peer into the dark minds of a lot of hospital executives, they're rolling the dice with where they allocate their budget. and it's a matter of surviving as a hospital. >> leslie, what's your take on that? >> i mean, you're right, it's something that your budget's finite and you're going to get incentive payments or take penalties from the federal government for any number of reasons. that's your market basket, how you're going to dictate getting paid. and security's not a line item on there. but the reality is we don't have a choice. you know, we're going to scrape
10:43 am
together every penny. it might mean you don't get a new mri system. it might mean you don't hire as many new nurses or doctors. the reality is the fines that you're going to take, or you're not willing to risk your reputation or your business. because as arthur, you asked, are they targeting health systems? yes, they are. first it was just the data, but now they've recognized, hey, if we disrupt their operations, we can put them out of business. they have to turn away patients. and then their name's going to be all over the headlines. and so, there really is an inevitability that you have to address this, regardless of, you know, what your budget looks like. so it's working with the boards, it's creating security teams. if you're a small practice, you're scraping together with your colleagues and hiring consultants to help. it's just the world we're living in today. >> what's the -- what are you hearing as a government official? do you just, like, want to scream? >> look, if you have a network that can be attacked, then you need to array your network properly, right?
10:44 am
if you take the financial incentive away from the attack e ers, or your data is not all in one place that can be captured and held to pay the ransom, then you take the financial motivation away from the attacker to go after it, right? so look, there's a building this nice somewhere in moscow that has hundreds of hackers that are developing the next software, and they're learning from all the attacks that they've done, and they're looking for targets of opportunities. they get a pretty good payoff, so they're going to learn more and be like, hey, how many other people fit that mold? and then they're going to be a little bit more targeted. and instead of doing phishing, they're going to do spear phishing, which is targeting an individual. so, but if you have the network, make sure you're doing the very basics to protect yourself. and sometimes it's going to cost more, but if you're relying on the government to defend yourself, then you know, you have a much larger problem. >> but can't we expect the government to do more to defend us? i mean, we can't defend against,
10:45 am
you know, nuclear attack by ourselves. >> fair. >> i mean, sorry, terrible comparison. but i mean, is there more that the pentagon or somebody like that could be doing to interfere with some of this stuff? >> one of the things that the federal government can be doing is sharing tactics, techniques and procedures more with entities or with the information-sharing groups that can get that out to the rest of the community. and that is an area where if you know what the attack over the horizon is or other industries are being focused, understanding what that is so you can array your limited resources against the most immediate threats, all right? so, i think that can happen. >> we're all in the health care world, and that's was we focus on. but if we were a bunch of bankers, would we be having this conversation or have they solved it? >> no, same problem. >> it's the same problem. >> is health care worse or just those of us are now paying more attention to us? >> we talked about this before. there is a perceived
10:46 am
vulnerability out there, and the hackers are going for it. and we know this now, if we didn't know it before. i suspect leslie's been hearing about it for a long time. this is certainly, you know, the vulnerability of the health care system is not necessarily news to us either. >> right. >> so i mean, there is work to do to shore up what is an important national asset, which is this data that really is critical to the health care system. we have a role to play with respect to hipaa where we put it out for small providers to help them with the basic security expectatio expectations. we're currently working on additional guidance for ransomware to try to help entities get ahead of this. it's going to focus very much on the contingency planning issue that leslie raised, but also some of the tips that have come out about how you might be able to detect it before it happens. but nevertheless, it's absolutely not an issue that we can ignore. we don't deal with punishing
10:47 am
criminal behavior, so you know, we're doing what we can to try to help the entities who we regulate to try to meet this threat and creating a set of expectations with respect to how they meet the threat. but i do think there could be some more that we could be doing on a national level on the criminal aspect of all of this. easy for me to say because i don't do that work, but this is criminal behavior with respect to the hacking piece of it. >> and is that on the agenda adequately with law enforcement? >> is it on the agenda adequately? so, law enforcement is looking to do everything it can to help the private sector, no matter what the industry is, defend themselves. does law enforcement, does you know, whether it's department of homeland security or fbi or secret service have enough resources to help everybody across these industries? no. but that's why the importance of
10:48 am
the isacs, where you have industries come together to share and the legislation we passed last year is going to help facilitate that, but we've got to make sure the federal government is passing and sharing information. one thing that i hear a lot from health care providers is that there's a bunch of old and antiquated rules and regulations that is confusing, and they don't know what they're supposed to do, what is meaningful use mean and all this kind of stuff. so these are some issues that need to be streamlined as well so that health care providers know exactly what they should be protecting. >> and i think there was an element as well in this part -- past this part of sisa. we heard from our members in terms of looking directly at hhs and not just at law enforcement. but just within hhs, there are so many different entities that have so many responsibilities in this space. so, the fda approves medical devices. are those medical devices secure? ocr covers hipaa. how does hipaa intervene with
10:49 am
the nist framework? and that requires some interagency coordination. and you're looking at onc and how they're certifying electronic health records. are they certified with enough security from the beginning? and so, as we're looking kind of even within hhs and something that we asked and we're really pleased that ended up being included was a directive for hhs to kind of line up who's running point on this issue and how can we, you know, look to the agency and get a singular answer. and i would say more than that, we've noticed this shift. traditionally, we were looking at privacy and security, unfortunately, as two separate things in health care. and i think until we recognized that the privacy of the data absolutely is an element of security and patients have the right to know their data is secure, that's going to be a game-changer, i think. >> so do you think we need to appoint like a health cyber security czar who runs the whole -- no. >> no, i think we're waiting.
10:50 am
hhs i believe was given a year to put forth this interagency plan. and so, i think when we see the results of that, i think it will really help in terms of knowing who to go to within the addition that i'm not sure if the rest of the world caught. but it was -- it was in the range of things that were health care specific that passed with sisa. >> we're all thinking about this in terms of our personal information and the threat to -- many of us in this room have had our information hacked, whether we know it or not. maybe everybody. but this is a big data question. but i'll -- we're also at the brink of -- we're talking about using data in lots of really interesting potentially really helpful ways, right. we're talking about patient generated data. all of the things that we've been talking about after two years there are cool things happening. the patients, the way we participate in clinical trials and patient engagement and
10:51 am
pushing data and arthur could talk about the cohort from precision medicine. there is so much going on that requires use of health care i.t., way more than just turning your paper chart on to a computer chart. >> so how are we going to let that data sort of -- how will it flow. >> when we can't protect it, yeah. >> well, getting away from the data flow part -- >> which doesn't flow all that well right now. >> and deven will have something to say about that. or not. >> there is interoperability issue. but there is also the -- say we have the magic wand and we get everything interoperable tomorrow and there is lock issues and we have in the next few years we are supposed to be able to exchange and produce data in ways that we couldn't do before and it has an amazing amount of potential but is the private or the security thing, since you just said they are two different things, how much in the way is that going to be.
10:52 am
>> i think this illustrates why health care is actually a much scarier place to be in than the financial industry. which is much further ahead than hospitals, health systems, anyone in the health care industry. because when we're talking about ransom ware, we're talking about data. we're talking about patient safety. what keeps a lot of us up at night, especially on the i.t. subcommittee is not necessarily the known quantity of stealing patient data, but it is all of the other inputs that go into that. it's the network medical devices. it is the network anesthesia machine. it is the temperature and the air saturation in the o.r. >> so the dick cheney scenario. >> absolutely. he got widely mocked for that, but he was on to something. >> has it happened already?
10:53 am
>> i don't think it has. >> not that we've heard. >> somebody's actual pacemaker hasn't been hacked but there have been many demonstrations of how to hack a pacemaker. some people talked about the attack on our -- on the utility grid was philosophical, but that happened recently, the russians attacking the grid in the ukraine. and it is possible. outside of the theoretical. but those fears shouldn't prevent us from moving toward interoperability. i own that data. and that is my data. and i want to pull it up on a dashboard and figure out what happened in the last couple of doctor visits and i want to make sure my future doctor has access to this stuff. and let's say -- we can anonymize that data and protect privacy to make sure that we
10:54 am
have interoperability to detect zika faster and make sure that medicine is being developed on a quicker basis. and when we do, we increase the surface area of attack. >> and that is one of the reasons why the hippa rules are not just about security. it is also about availability and data integrity. because always those regulations have presumed that the data has no value until it is used. appropriately. and as often as necessary and needed. and that is why the rules are built the way they are. so it is never -- it is never going to be, well, we can have this or have that. it is, we have to figure out how to have both. >> if you are a provider, don't you think the instinct is going to be to shut down and not send your information through a health information exchange because you are not sure that they -- that all of the players there are -- have good security. >> so something, if you are talking to a cio or chief security officer, there is no set rules of the road. in terms of security. so the framework is a great starting point and we've heard there is a health care-specific
10:55 am
guidance coming which we're excited about, but in reality it is optional. we are not saying we want more man dates but the reality is if there is an industry-led effort or someplace to look for standards, it is really valuable to know that if you are engaging with another provider or with the health care information exchange, that they've got a set level of security that then you could deem, okay, they follow this or they've done that. so i know that i can share with them and i should be okay. and so i think we're coming together as an industry and starting those conversations. but if you ask, there is a desire for a minimum set of requirements that you could build on top of. but the expectation, hopefully, some day we'll all be at one point, that we have some level of confidence to embark on that sharing. >> we are going to be able to take a couple of questions before we go to the other panel. and want to start -- darius is -- where are you? we have a reporter.
10:56 am
darius is in the room and probably standing -- where are you? okay. he is one of our reporters and he shouldn't -- >> oh, dear. >> so what we always hear in the cyber security discussions is how valuable the stolen records are. i was wondering if there are any efforts to track what these records are being used for and how extensively they might be used for being leveraged for financial gain? >> anybody want to take that on. >> well, i think, the only thing i will say, it isn't part of our purview to track where it goes after -- after we get a breach report. for example, in our investigation, we'll take a look at what happened during the breach and do we have some significant issues of lack of compliance with the rules that we have to pay attention to. but one of the things that i've definitely seen is a connection between -- between medical identity theft and fraud.
10:57 am
and the increase in health care fraud that is out there and the ties between security and strengthening health care security and helping to combat fraud. >> so we've been able to track this record was stolen in this anthem hack and later that same number that was stolen on that record ended up in this fraud case. has that been done? because it -- that is -- that is the cause and effect would be -- >> you need to put a tracer on data so we could figure out where it goes, right. >> well the fraud units that -- that are involved in whether it is -- a big insurance company or the government are the ones that would see the impact that it is having and they should be keeping track of that data. i think that is something that would be interesting to see, within the health sector isac on the kinds of things they are seeing where that data is going. >> there was a question over here. could we bring --
10:58 am
>> should i wait for the mike. >> over here in the front row. >> i could project, that is fine. >> no. >> okay. steve luckin. i work and study in the city. at the outset, thank you to the politico team. alexis, mike and rodney shooting photographs here in the city. i guess first to the congressman, three quick ones. how do you deem your efforts or the efforts by your colleagues in bringing forth a cyber security protocol? the second is have you received either from capital police or fbi any of the other organizations notice about having your own or your peer's medical information hacked? and the elephant in the room is casualty. so what about the insurance companies that -- to the extent that a lot of their patients get hacked could face a serious, massive class-action suit. and thanks.
10:59 am
>> the first -- the first question -- look, the oversight rule of congress to make sure we are providing performance standards rather than trying to bake something in, into a law, is important. because the reality is as soon as we say this is a best practice, it will change in six months. and so we have to create legislation that is flexible and grows with the times. and that is when you talk about performance. what should -- what should the outcomes be. i'm not aware of anything dealing with individual members being -- their health information being targeted. and the last one? >> liability of insurers. >> oh, absolutely. i think this is something that everybody is looking at. this is a question that insurance companies are looking at, at major breaches, whether at retailers or banks, what is the insurance aspect to a major breach and when it comes to --
11:00 am
when it comes to the health industry, it is huge and i don't think there is any answers on how to deal with that yet. >> and when we planned this panel and we thought, maybe the american bar association has somebody looking at this. so we went to the website and we found not only do they have somebody looking at it, they have an entire new section on e-health and data and all of this. and you tell me there are what -- 1800 or 1400 -- >> 14 -- >> 1400 lawyers already in something that didn't exist -- when did you start this? >> about six or seven years ago. >> so that is -- i think that sort of tells you something about the magnitude and the growing magnitude. a couple of quick takeaways we need to get -- because we need to get through with this panel to start the other one. dan will be out here in a minute. before we wrap up, arthur and i will think of a quick takeaway. this is a bigger problem than most people realize and a bigger problem than i realize coming in, that it is massive and rv

12 Views

info Stream Only

Uploaded by TV Archive on