comparemela.com

Host: Welcome. I'm joined by Greg Garcia, the director for the Health Care Sector Coordinating Council. Welcome to the program.

Guest: Thank you.

Host: Can you tell us what your organization does?

Guest: It's an organized ing to the government and rest of the sector. To identify and mitigate systemic threats to the health sector and in this case cyber

Host: Can you tell us what's happening in the news that makes this discussion so relevant?

Guest: This one is a and exis I may say, cyber attack on the health system. It's exposed a major choke point in the infrastructure of health care that is how we get our prescriptions fil he get prior authorizations from our insurance companies. How hospitals and doctors get reimbursed. That has all been cut off by what is known as a ransomware attack, where attackers are able to get in and shut down major systems, the network, software, data, until the victim pays a ransom to the criminal group. And this is rampant now across the health sector because it's easy money for the criminals.

Host: A bit more information. Here's a story in the Washington Post. Health care hack spread pain across hospitals and doctors nationwide. Can you talk about who exactly is affected by this and how it's showing up in the industry?

Guest: Any health care system that uses the Change Health Care system is going to be ades the o are receiving requests for claims and reimbursement cital submitting those claims and to the patients who are waiting for their prescriptions. But that article brought up somethingid this didn't affect direct patient care but ransomware attacks do affect, stories in the past where patients are actually affected, where a major health system in San Diego, for example, wasttd suchc that their data was locked up, their scheduling systems, their reimbursement, all of this was shut down. So ambulances on the way to the hospital had to be diverted to another hospital down the street and there's aiehospital.
So this is, when I say existential, that's not hyperbole. Attacks like this can affect patient safety. It is a threat to life.

Host: The Washington Post has a little bit more. So United Health Care group said earlier this week that a well-known Russian-backed ransomware group, Black Cat, was responsible for this. I want to play audio from the Biden administration's deputy national security adviser for cyber, who spoke at an event here in Washington last fall and was asked about efforts to combat ransomware attacks. Here is a clip of that.

What's actually working? Is it arrests, disruption, cryptocurrency? How are we doing? Now this is the third year; numbers are still going up or going down? Give us a sense of how we're doing on ransomware.

By the numbers, the numbers are going up. I referenced a couple of statistics in the opening remarks. That is despite concerted effort. We kicked off the International Counter Ransom Initiative to get the energy flowing with success stories, so the Department of Justice, FBI, and the Dutch and German colleagues brief on a number of takedowns, specifically the Hive, the Genesis marketplace takedown. Lots of related arrests. There have been focused efforts to infrastructure, arrest the attackers. And efforts to improve resilience. One of the key takeaways is in the U.S. system, the leader of the office of director of national convened a discussion with key ransomware negotiators. And one of the things we learned had good backups were able to recover more quickly, in days versus the weeks for companies that paid a ransom. So the resilience efforts are paying fruit as well. However, the data shows the number of attacks are going up and frankly the disruptive impact. In any given month I'll get a late-night call about a hospital system prospect th, sl hospitals across four states still working to recover from a disruptive attack. We saw the impact of Clorox manufacturing process.
Certainly we saw the impact on other companies, two major casinos operations as well, although some would talk about that. In any event, and I think the core reason is because of the reason David referenced as well, which is it pays. When in the United States we paid in a one year's time 1.3 billion in ransom, with everyone's efforts on disruption and improvements made on resilience, it still remains a problem.

Host: What's your reaction to that?

Guest: The Sector Coordinating Council has been working with the White House, with the U.S. Department of Health and Human Services, with the Department of Homeland Security's Cyber Security and Infrastructure Security Agency. And this is a public-private partnership. We need to exchange that kind of information as to what are the best ways that we can first prepare ourselves against those, and then secondly, she mentioned resiliency. How do operational continuity? So that is a collaborative effort between industry and government and law enforcement as to what the best way to protect ourselves and how do we respond when it happens? And that's a matter of operational cooperation but also policy. So HHS and the White House and others are of basic fundame cyber security controls ought minimum mandatory types of controls? And we're talking with them about that now.

Host: If you have questions or have a story to share, if you think you might have been affected by a cyber attack, you can give us a call. The numbers are on the bottom we are also on media. It feels like these health care systems are stuck when it comes to these attacks. They can be completely immobilized; at the same time there's a risk to paying off hackers, right? What is the impact when they do that?

Guest: It varies. Sometimes most of the things when they do pay the hackers are business people. If they impose a ransom and the the information back, they don't unlock the systems, that's bad business. They do it because it pays and they want that pay spigot to keep flowing.
So impose theand give the data back. But there are sometimes where it's worse, where once they pay they give the data back but they keep it and they use that data. Our personal health data, for example, to restore the individual now if you'll just pay me this I will release the data back to you or I will not blackmail where they extend the reach of their hacking activities.

Host: Is there any indication affects patients' individual data?

Guest: Absolutely. They can steal the data and they can sell. What is your data? Your data is your name, your address, your Social Security number, your credit card, your email. All of this stuff can then be used for identity theft. And that's, that's a horrible state of affairs for individuals who have tho to get their identity back when it has been used to open new cred to buy lu and that is the downstream effect of these hack attacks.

Host: I want to read a statement from the American Hospital Association related to. It says . What should Congress or other rt federal government be doing about this?

Guest: Well, I would start on the incident response side. If you think you have been affected by this, I would first go to hhs.gov to und what's go. HHS is building its capability and its organizational struc industry a cyber threats, both on the what we call left of boom, the preparedness side, and the right of boom, when happened how do we collectively respond? So that is the principal responsibility of HHS to the primary partner to the can being industry. Congress can support by making sure that they have the resources to do that, the resources to support, financial support to some of those small rural hospitals who are operating at zero to negative margins. How are they going to be able to actually prepare themselves against this and to respond after it happened? So HHS is in the role of ss needs to give them the resources to do so.

Host: We have a comment here.
What can businesses and people do when the scale and the sophistication of these attacks is so great?

Guest: There's a saying we have in cyber security that to play defense, which is what we are doing in the industry against hackers, you've got to get it right 100% of the time. To play offense, that is the hacks, you just once to get into a network to wreak havoc. So it's sort of the question, when are we going to stop crime? Well, when are we going to stop hacking? So the defense mechanisms can be very basic to very sophisticated and costly. So for every critical infrastructure organization, which is what health care is, we need to measure the risk and the threat and to develop and build a cybermal. So it's hard to do and that's why we need to have this partnership with the government. They've got a lot of classified intelligence about where some of these attacks are coming from and what their techniques and tactics are. We areand operators that are on the hook for making sure that our systems stay working, so it's a chess game that never ends. There is no checkmate.

Host: Let's go to a couple of Allen in Hawaii on our independent line. Go ahead.

Caller: Hi there. OK, well, a few things. I discovered recently that an insurance company that's very large in Hawaii, that their subsidiary or whatever they were, and I think that was a ransomware and its ve many frit parts of the U.S. who have been affected in different ways. I would be interested in knowing the line for a follow-up about the concept, what they call ransomware as a service, and the fact that this business structure which has a hotline, 800 number, and customer support on how people can pay bitcoins and stuff. They also have possibly a mechanism that they pay bribes or, they pay commissions to people to go even do social network to get into these things where if they can't get in through hacking they bribe them these.

Host: Let's get the response.

Guest: It's a great question. You're exactly right.
This is organized crime. And criminals are resourceful. If there's a moneymaking opportunity, they're going to do it. Either directly by hacking into asome or they're going to sell the capability. And it isn't just ransomware, itsng as a service. There's all kinds of different methods. Ransomware is simply one manifestation of what can happen when a hacker is able to get into a network. So there's all kinds of ways that you can hack into sell tha. It's like selling anything else, any other service.

Host: What was

Caller: csia apparently was also hit and I don't think it was a ransomware but they discl. The big problem is that at the level and scale this is occurring right now, what it makes medium business holders realize is that they don't have a chance because they even they're trying to pay insurance fees for these things and the insurance companies are telling them, well, you know, your premiums are going to be high and if you want to use this coverage and it's very limited, you know, so there's a lot of things that need to be addressed and I just don't know if anybody in the U.S. government has understanding of the scale this is going towards right now.

Guest: We certainly understand the scale both in industry and in government. Marshaling all of those differing resources. You mentioned can be a market influencer in terms of our behavior as businesses. But because of the scale and the cost of ransomware these days, cyber security insurance is starting to become a less attractive way to manage risk because they are increasing the premiums and reducing the coverage because it's becoming so costly. So it matter of how collectively organizations in the health care industry or any other criticalre working together to create a collective defense.

Host: There's also potential legal ramifications. I'm looking here at a story. What is your assessment thus far of what kind of economic impact this cyber attack is having?
Guest: It is a cascading impac be paid, their rather low salary in a hospital as a nurse or orderly, or what have you. You know, on the legal question, the legal ramifications, that continues, that needs to be a greater concern to class action lawsuits, for example. And the need to determine what due diligence did an organization that was hacked, did they do everything they could do and still got hacked or did they genuinely not do and that needs to be assessed. You asked earlier about what the Congress can do. They did something good a few years ago as an incentive. They told HHS that, which enforces HIPAA, thhirule, that Insurance Portability and Accountability Act. If a hospital gets breached and I talked about a short time ago, HHS should look at the extent to which that hospital has done the right thing in cyber security. They've implemented generally recognized cyber security controls. If they did, maybe take it easy on them a little bit because there's going to be fines and audits. But if they've done the right thing and still got victimized, how can you punish the victim? But if you haven't done enough they should suffer the consequences because they know that there are right things to do in cyber security and they should be shielded

Host: Michelle in our independent line. Good morning.

Caller: Good morning. I issue. I wanted to suggest that to address this issue that we start looking at theon from Russia and Eastern Europe in ou coming over and getting jobs as IT contractors on federal contracts. I work for a federal agency and one day was in the office and there was a Russian contractor working on an IT contract at a fede he and I were in the office and I started engaging him in conversation and he basically laid out a Putin agenda, very definitely pro-Putin. And I'm an African American woman, ou know, a white person will feel free to speak to me about these issues. And I was just shocked that he would have a position at a federal agency on an IT contract.
And I've had that experience before, and so that's an entry way into the our systems, through our protocol and firewall.

Host: I wan a chance to respond to the point. The plan noted a shortage of se professionals. I wonder if you can talk about what the industry looks like in response to the points Michelle was raising.

Guest: That's the workforce, we continue not just in health care but across the board and in government to face a shortage of good cyber security skills and talents. Not just the technical people but you and I as users of IT in a large organization, do we know the right things towrong things not to do when we are interacting with our laptops and other technologies. So getting the five-year strategic referenced, tries to drive towards the next five years, how do we build that l workforce capacity both as the user and the cyber security experts, and that takes more training in the workplace, it takes more education post grad in universities for the STEM disciplines, science, technology, engineering, and math, and to make cyber security cool. And it's more cool now than it has been in a long time. To the caller's point, one thing we noted is insidious about and beneficial about the internet is it respects no borders. I think we heard that in the clip with Ann, that you don't need to be in the United States to be waging cyber attack on the United States and on United States critical infrastructure. If you are an immigrant working in the United States, presumably through the appropriate vetting process through the visa program to ensure that you are not malicious in any way, and of course that system is not foolproof. But that's where you have you he concerned.

Host: To be clear, are most of these ransomware attacks coming from outside the United States?

Guest: I think most of them are. Criminal gangs from China, from Iran, from Russia and elsewhere, who do not have the same network of laws enforced about the use of internet for malicious purposes.
Host: We have a question from Connie in Parker, Colorado. Mr. Garcia, would you have any sense of what kind of entities these are, for example, if they are financing terrorist groups, interference from foreign countries or e money. Click on this site and we've got you. We computer and we have your data. So, there are any number of ways that the internet can be used to exploit people, their beliefs, and their greed and theirr. The internet has great promise and it has great peril.

Host: Jeff is on the internet line.

Caller: You guys must bemy mind. I was going to ask about foreign actors and what if we can do anything about it. It seems like we don't really have police that can go there and arrest them and, fectively, the local constabulary has to do that. Whether they are interested is another story. I don't know if you can shed a light on what's being done.

Guest: That is a good question. There are neutral recognition agreements among countries, the United States and any other countries, that criminals or criminal groups that are culpable for attacks on the U.S. infrastructure. That can be deported, can be prosecuted as a cooperative arrangement between countries. There have been efforts a broader, multilateral scale, to develop norms of internet behavior. tr get some uniformity and coherence among internet laws. It doesn't work across all countries because there are different forms of government. You know, one thing that the U.S. has been working on, and very much so on the classified level, is developing principles of deterrence. So, if cyber attacks from a nation-state, cyber attacks on critical infrastructure are e action will have a kinetic effect, such as an attack on the electric grid, which actually causes athf war. We donthat has been determined by the government. But, it is a consideration. So, at what point does a cyberattack equal dropping a bomb on the United States?
Host: This was brought up with NATO a couple of years ago.

Guest: Yes. NATO and other cybersecurity-specific multilateral agreements. Enforcement is difficult and being able to actually identify who did it. Because sophisticated cyber actors, nation-states, can cover their tracks. And you can't necessarily pin country, one group, if they have successfully covered their tracks.

Host: Bernie is on our line for Democrats. Go ahead.

Caller: Every two or three years, I get a notice that we've been hacked. Because we have been hacked and your personal identity information has been stolen, we will give you 23 years of identity protection. I'm asking about United Health Care, which I'm not a big fan of, it's a company that strips of care dollars out of the country. The CEO makes 450 million a year. What is their obligation to the subscribers, that they should provide a protection plan for each and every subscriber. Let's recognize that United has one of the biggest lobbyists in the country. Any penalties coming from HHS are probably going to be offset by their industrious work with the lobbies.

Guest: Accountability is increasingly an issue that we need to be looking at. Both from the industry side, as a collective, and from the government. As a health insurer, United Health Group has cybersecurity ul Services Regulations and also because they are handling protected health, that they are responsible for complying with the HIPAA privacy and HIPAA security rules. Whether the penalties that come from the impact of a cyber incident are persuasive for any organization to invest more, that is not something we have visibility as to what thek appetite is. But, we also have to note that, again, as I saidprogram, to defu have to get it right 100% of the time. The hacker has to get it right once to get in. You can do everything right and still getr times, you can be negligent and not be doing enough.
That is when penalties should prevail and ac should be held.

Host: There's a question from Barbara in Whiting, Vermont, who says: I remember when you could go to a doctor and they would have your paper file, prescriptions were written out and handed to a pharmacy. Any records needed to be sent to a hospital could be faxed over or hand-delivered by the individual. S the change to computerized systems which cost a fortune created just to make money for certain industri? Let's go back to privatizing information and papers.

Guest: What a great question. We talk about digital and going electronic and it's going to save all of this paper. It doesn't always do that, does it? I think a systems will say that the emergence of health information technology and medical record technology and software has made the transmission of health care data quicker. More easily distributed. We have not yet gotten to that nerve ana of total inte nirvana of interoperability untry. It is a mixed bag. We see the doctor looking at the computer and not looking at us and they are looking at the data that they are entering. When we no longer have that data because it has been ransomed out of commission, hospitals have to go to a paper-based system. And many young doctors coming out of medical school never actually learned how to write a prescription with a pen and a pad of paper. It's all on the computer. Moving to a paper-based system, I think that cat is out of the bag. It might be very difficultback.

Host: A couple more calls before we have to let you go. Rachel is in Houston, Texas on our independent line. Go ahead.

Caller: Good morning. I was wondering, when hackers return the data, how do we know that that data is accurate? Are they able to alter that information?

Guest: Yes. That's a great question, Rachel. They are able to. It is not necessarily in their interest to do so. Their main interest is in the money. There have been hacker groups who have said we are not going to do anng patient care.
They present themselves as morally and to return data, that changes my blood type or removes somebody's warning that they are allergic to penicillin, that, of course, is malicious. That would more likely be for the purpose of a direct attack on somebody. Somebody prominent, that you could get into a major public figure's health data and change it so thatrgency, they would be administered a drug or something that would actually cause harm. We don't have any instances, y data that shows that that is happened.

Host: Harriet is in Maryland on our puine. Go ahead, Harriet.

Caller: Good morning, Mr. Garcia. My concern is the amount of information required at the doctors' offices and medical places we go to. I've actually been asked for my mother's maiden name, my Social Security number, then they want to scan my driver's license. My whole identity is required. I mean, I would show them my license and let them know who I am. This is sounding like it's an open book and they assure me it sounds to, they tell me the federal government requires it. It sounds like it's an open book

Guest: You are exactly right. It seems like you had to give themll oyo doctor's office. Didn't I just give this to you last time? Yes, we do need to find better ways to have a national identitd specifically on your Social Security number. In most c, think it is not legal for organizations to ask for your Social Security number as identification. Perhaps in some financial services settings. But yes, we do need to think of more creative ways that we can manage identities on a national scale expose individuals to so much risk.

Host: We have a question from text message. Good morning, C-SPAN. I'm a patient at a major N.Y.C. health care system. I have United Health Care insurance. How do I find out if my personal data has been compromised? United Health Care tells me I'm fine. The half spi hospital tells me my information wasn't compromised. What can people do if they are worried?
Guest: There are laws in pretty much every state of the nation that requires an entity that is doing business in that state, the caller, the text s as an example, that if they get breached, if they have been hacked to the popersonal data hs likely to have been exposed, exploited, they have to inform everybody. We've all gotten those letters, haven't we? That says your data may have been cases, it was exposed. We advise that you change your passwords, do this and do that and you are going to get free credit rating protection. So, they are under obligation by law to inform their as to the possibility of breach. Otherwise, you can go to the website and they are required to report as we

Host: Barbara is in bronw york on our line for Democrats. Go ahead, Barbara.

Caller: Yes, the first question I had when I heard this story is why does one company have such power? Control all this information to get it hacked? And I think one of your callers gave me an answer. That is the lobbying. I guess we don't have antitrusts anymore. One company keeps gobbling up every other company and we end up with just we make p it so easy for the hackers. Can anything be done about that? Money and politics, we know is hopeless. Anything be done about it?

Guest: You raise an interesting point. For me, less about the question that has been could occupy thousands of hours of airtime. But, about that mentioned. This is something that the health industry needs to do. What we found in this Change Health Care company, the software program, it serves one third of the market. That is a concentration risk. As an industry, the health care center needs to look at what are all of those chokepoints? What are those critical services that are provided to the health care system that a certain part of the plumbing, that if that one service, maybe there is only two or three of those services that do business in the United States, that facilitates the function of the health system.
One of those 1, 2 or three services were hacked and brought down? That shuts down the whole health know what companies, what services, what software, what technology is indispensable to the healthcare industry. And to any critical infrastructure, whether it is transportation, this is why we have this partnership with the government, to be able to collectively assess the risk about concentration, threats and risks.

Host: Ken in Richmond, Virginia on our independent line.

Caller: Yes, Greg. I've been listening to the commentary and it is quite ne say. I'd like to know if you have some examples of the federal apprehending, prosecuting, convicting and punishing individuals who have engaged in what's disrupting the health care system. I see you smiling right now. But it doesn't sound I want to hear some deterrence and some retribution. What can you say?

Guest: There is plenty of that. The FBI in particular, for domestic crimes in the United States, has extensive and sophisticated cyber security division. When an organization's hacked from any sector, it's fairly typical that they go to the FBI. One of the first because they are going to make is to the regional field office of the FBI, where they start an investigation. They will bring in the company. The hacked company will bring in a cyber down where did this come from? Where are the footprints and the fingerprints? The FBI is involved in that process as well. There where prosecution of the criminals is brought to bear. But, when are we going to stop crime? It's overwhelming. Any local police department will tell you that. The FBI will tell that. I think they do the best they can.
