When it comes to cyber security threats and the way they affect our nation, we have seen high-profile hacks in our health care sector, and we've brought in two individuals: Robert Lord, chief at Protenus, who'll give a presentation to us and talk about this important topic, as well as Jen, the CEO of eHI. Without further ado, I'll let the first presentation get started.

Thanks, Greg, and thanks so much to everyone. I rarely give talks that are standing room only, so I really appreciate your guys' interest today. As Greg mentioned, I'm Robert Lord, cofounder and president and chief officer of Protenus. A lot of the information is from Protenus, and I'm not speaking on behalf of organizations today. I worked in a clinic that focused on treating HIV-positive patients in Baltimore when I was in med school. One of the things you quickly notice about this population, other than that they're an absolutely wonderful, really complex, rewarding population to work with, is they have extraordinary concerns about the privacy and security of their information. They will go to extreme lengths to make sure people do not find out about their diagnosis or their treatment, whether that's their coworkers or their communities or many others that might use this information against them; this is an extremely vulnerable community. One of the things I began to think about while treating these patients was: what are we doing to defend their health data and information, these extremely sensitive records? The more you dig into that question, this is back in 2013, 2014 when I started, the more horrifying the answer is. The reality is the challenges that we face in protecting health data are extraordinarily difficult. Today I'll try to give you a taste not only of the important anecdotal stories but the data behind all of them. I think it makes sense to start with the Anthem breach back in 2015. This was real for many people; I won't ask for a show of hands. Who here got one of those Anthem notification letters? I did, too.
This was about half of the U.S. population, more or less, a third or half: 149 million records breached. We will never know the exact number of patients affected. For many of us this was a massive wake-up call to the fact that healthcare data was highly centralized, highly vulnerable and highly valuable to certain parties as well. Unfortunately this story did not end with the Anthem breach in 2015. The hits keep on coming. We just saw a recent breach, LabCorp and AMCA, a breach of about 20 million medical records or patient data, individual pieces of patient data that were identified, and we'll see what the final numbers are. Of course back in 2016 there was a major ransomware attack that reduced an entire hospital system to pencil and paper. Imagine all the electronic health records, all the electronic systems that you use, I can think back to my days, and now you're on pencil and paper and what is conducted is not connected to an electronic system. Pretty scary. This isn't just a couple of anecdotes either. If you look and scale out, a recent report from not too long ago showed 70 percent of health systems reported experiencing a major data breach, and a third experienced one in the last year. So if you think about this entire picture together, we are in a pretty terrifying state right now, and it's one we are not necessarily talking about, but health systems are very aware of it all the time. I'm not a big person on speculation, but it always makes sense to think proactively. There's also the significant possibility, raised recently in a Bloomberg article, of the ability of state actors or individuals or other types of criminals to engage in medical blackmail. Typically these types of incidents are highly behind the scenes. There are some great reports that this does happen, but most of the time these are not reported, if it is the case. These are the stories, the anecdotes, but I don't want to focus on what could be.
I want to show you the data for the rest of my presentation that shows you what we're facing right now and what the trends are. For some of you in the audience, you're going to know everything I'm talking about really clearly. For others I do want to contextualize why health data is so valuable. So, some reports, and you might think these are exaggerated but they give you a sense of what these records can be worth, say a single individual medical record can go for upwards of $1,000 on the black market. These prices have come down as more medical records have come onto the black market. There's a lot of value to them, and a lot of value to them for a lot of reasons. They can be used for insurance fraud, fraudulent claims. You can steal someone's ID, and you can do it very comprehensively when you think about the information in the medical record. It's pretty much the entire history of someone's past illnesses, their family members, their location, financial information; it's all in there. The only thing that has more information on an individual is probably a comprehensive top-secret clearance document in the United States. You could use it to open financial accounts because of the richness of that data. Insurance or bank accounts, medical blackmail that could be criminal or state-based. You can also, unfortunately, see people use it for personal attacks or courtroom litigation in messy divorce cases; we've seen it all. You can run fraudulent Medicare and Medicaid billing mills as well; we've seen that, basically opening up, creating synthetic patients and billing for those patients. A lot of, unfortunately, really terrible and really deeply devastating crimes can be committed with medical records, with impacts that can go on for years and years.
Recently there was a CBS This Morning report that used some of the data I'm going to show today and showcased an individual who basically, while he was in the service, had his medical identity stolen, and he was resolving those challenges for 15 or so afterwards and still suffers from challenges. Wonderful guy, and he's been dealt quite a hard blow. What I'm going to show you next is specifically from data that we collect on a regular basis. So Protenus is a world-leading healthcare platform focused on detecting dangerous activity in health care, but I'll leave talking about my company on that side. We also have a research group that works with third parties to identify trends in health data breaches and healthcare cybersecurity. What I'm going to show is information we collected both from public sources as well as, at the end, some interesting proprietary data I think we'll add that you won't otherwise see in this space. So one thing to start out is that since 2010, and I didn't go all the way back, but since 2010 there has been a systematic increase in the number of data breaches that occur every single year without fail. Without exception. Since we've been tracking the data specifically we've seen it every year, and already we are projected to have another record year. This number you see here, 285, is a half-year estimate from a recent analysis, and if it continues along this trend we will be above 2018, unfortunately. This is the number of incidents. You want to look at the number of records breached. We are excluding the 2015 Anthem breach; if you added that column, it would go up to about 170 million records that year or something in 2015. In 2016 we had a banner year with big, big breaches, so that was almost 30,000,000. In 2017 some of us started to think now it's normalized a little bit. Maybe that was just a couple of big breaches and it would get better. Then of course it tripled in 2018.
And in 2019 that estimate of almost 32 million is just a half-year estimate. That is not yet annualized to the full year. We're once again on trend to break yet another record when it comes to the number of records breached. Importantly, you may want to know how all of these breaches are occurring. Of course hacking is a major concern. It's what people usually think about when they think of these challenges. That breaks down, and I could go into more detail, but that's a mix of what we've seen from a phishing perspective, malware, miscellaneous threats, and I won't go into all that deep detail, but we provide a breakdown of this in the Breach Barometer, which you can download and subscribe to, and it's totally free. Just Google Protenus and you can find it. But a huge proportion, and this is relatively consistent, between 25 and 40 percent of breaches are due to insiders. That is, individuals with some legitimate level of access to the electronic health record who abuse that access. I, for instance, when I was at the lowest of the low, a medical student in a dorky little white coat, could access any medical record of any individual who ever passed through the walls of my institution. That was not because the institution was unique in this respect. That is basically every health system in the world. The reason is that for emergency access you need to be able to get access in the ER quickly. You've got extremely complex environments where proactive access control, as I'm sure some of you in the audience may be thinking about, is really a failed paradigm. Too complex to tackle. This insider threat surface is one we often underappreciate but one we see all the time. As far as who is most vulnerable, this may come as no surprise, but obviously the lion's share is hospitals themselves. I want to note this is not because hospitals are lazy or do not care about this problem.
Quite the contrary, they care and expend effort on it, but hospitals are running on razor-thin margins, their technology investment in the space is not what they would want it to be, and they have to take care of patients. When you look at priorities there's a lot going on they have to be thoughtful of, and, of course, they're on the front lines. Also, the most people have access to this information: a large health system will have 30,000 employees who have access to medical records. How do you make sure all those individuals are not committing privacy violations? That is a giant threat surface for phishing attacks. If you had a 99.9 percent rate of preventing phishing attacks at your institution and you've got 100,000 employees in one of these megasystems, you will still have a lot of breaches, and that's a big problem.

Question: [inaudible]

So it's hard for me to comment, as I'm a member of the private sector, on the state-based activity that occurs in these spaces. I'm not really the person to necessarily talk about specifics, just because that information is not normally available to me. What we see is that the lion's share is people who are not in some sort of foreign espionage type of situation. It's just a hospital's own employees that might be using it for criminal gain, abusing their access to maybe attack a colleague or to look up a VIP. I've even seen people look up local sports stars for a fantasy football edge. So it happens. Yeah, yeah. There are some pretty scary situations out there. I'm going to show you a nice story as well. This is like the one good piece of data you will see here, and what this is, it is the average time for an individual health system to report a breach to Health and Human Services, which they are required to do within 60 days. They're really good about this. Hospitals are extremely responsible and thoughtful about one thing: once they know about something, they get it reported. They're doing a pretty good job.
We've seen a bit of a trend outward in reporting, but most of the time everyone is falling inside these lines, which is good. However, the time to detect a breach is not so good. Oftentimes malicious actors will be inside health systems for weeks, months, years. We've seen ten-year-plus bad actors inside health systems, and they just keep on going. The problem is not in reporting rapidly; it is in detecting rapidly. Here's a number you will not necessarily see a lot, but an important one. We've done analysis at Protenus to understand how many privacy violations typically occur in a given month based on the size of an institution. What we see is that for every 300 individuals you can expect about one privacy violation of a patient's data per month. If you have 30,000 employees at a health system, you're talking about 100 privacy violations a month, and 1,200 per year. If you think about what is being reported, you can only get this once you have comprehensive analysis of the system and understand how many violations are happening, but it gives you a sense of the size and scope of these threats we are seeing across the whole spectrum. In addition, there's a great opportunity to focus on education and remediation. Another thing we see is that the majority of events that we are detecting are repeat offenses, which means someone has already violated patient privacy in some way and we haven't caught them and educated them. They will do it again and again and again. We see this pattern over and over again. It means we could reduce by half the number of violations that occur if we were proactively taking these threats seriously so that the individual is educated or given the appropriate sanction for that activity. This looks bad, but it's somewhat hopeful, because it means we can predict and prevent these threats through just really thoughtful workforce management.
I want to be brief in this next section and just note briefly that my work at New America is now focusing on a white paper, which should be released next month, that addresses three core areas of challenge in this space, and I will be thoughtful of the time because I'm running over, but the areas are essentially culture, workforce, and technology. When we look at culture, it's all about how to recreate accountability from the board level on down. How do we fund hospitals so they can make sure they're getting the job done? And how do we work with existing regulatory structures to be more effective and more forward-thinking? Workforce is how do we build a future workforce that is effective. It's how do we retain the valuable workforce we have and how do we prevent workforce burnout by making sure we are not having people do continuous, repetitive, low-value tasks and instead focusing on what is strategically important. Finally, from a technology perspective, it's about getting a lot of legacy junk out of the system. We know there's a lot of legacy technology. It needs to be remediated. There are areas we can clarify when it comes to guidance. And finally it's about baking in, end to end, whether for devices or software, a secure development lifecycle when it comes to creating the software and devices that are ultimately treating and serving patients. At the end of the day it's all about patient safety. We do all these things to the end of protecting patients, to defend them from these threats and to make sure we're keeping them safe. That's what the Hippocratic oath is all about, and in a way it's what we've got to do from a cybersecurity and privacy perspective. I will now wrap things up. Hopefully you can take a look at this in September, and now there will be a much more interesting speaker talking to you. Thanks so much, everyone.

[applause]

Well, it's true, the last time I was in a room this crowded, it's been a while. Good afternoon, guys.
My name is Jen Covich Bordenick and I'm with the eHealth Initiative and Foundation in Washington. Robert set up a nice segue for me, to get a basic overview in terms of where the data is on breaches and what we are recording. I'm going to spend a few minutes talking about some of the misperceptions around federal privacy policy and cyber policy and talk about current policies and practices, HIPAA, and how we're evolving into what could be a national security threat around cybersecurity and health. And this cybersecurity has nothing to do with elections; this is just healthcare. The eHealth Initiative has been around about 19 years, and we are a group of influential executives from across the spectrum of health care. We bring together leaders from all different groups, payers, providers, pharmacies, et cetera, to work on really tough issues. Our belief is that you can't just talk to hospitals about health care. You can't talk only to providers and clinicians about health care; healthcare is a continuum. We need to join with pharmacies, patients, consumers, thinkers. This is a problem, an interconnected problem, a network problem. We need to sit down together to figure out how to solve it. We've done a lot of research, education and policy work around cybersecurity. I think we passed it out to you today; we've got a new white paper out on risky business. We have fact sheets on myths surrounding HIPAA which are available for you, and many more on our website. We really need to stop looking at cyber and privacy policy, and stop thinking about healthcare data, in terms of what building it belongs in, or what office it should be in. Healthcare data doesn't stop at the door. The hospital's data shouldn't only be within the hospital. You need to be able to access it from home, from your phone. It's all over the place. In terms of thinking about rules around cybersecurity and healthcare data, it doesn't make sense to always think about it within an institution.
We need to think about it in terms of a greater spectrum. I just want to be frank with you here. We have done a tremendous job in healthcare and technology talking about HIPAA, privacy policy, what healthcare data is, where it lives, why it's important, all of those things. When people think about cybersecurity they generally think about elections and banks, whatever the latest story on the news is right now. They are not thinking about the healthcare data. Part of the issue is that we have made it so technical and confusing, and we throw these acronyms out at you. So people just don't understand it. It sounds really overwhelming, and I'll be honest with you, when I started in healthcare two decades ago, I felt silly asking questions about HIPAA. I felt I had to be a lawyer or a legal analyst to ask questions because it was so complicated and technical at that point. How many of you have been in a doctor's office, you are filling out a form and you said, why do I need to do this again? And they said to you, because of HIPAA. Right? HIPAA is the big bad wolf of healthcare, okay? Whenever you can't get something done, a lot of times the excuse that will be given to you is it's because of HIPAA. So your doctor can't talk to your loved one about your condition because of HIPAA. That's a myth. Your doctor needs a written authorization, or they can't share your health information. That's another myth. Doctors are not allowed to email patients. That's another myth. HIPAA protects all of your healthcare data. Another myth. And I'm going to go into these last two because these really drive me nuts. If an organization is HIPAA certified, it's okay to share information with them. There is no such thing as a HIPAA certified organization. I'll say that again. There is no such thing as a HIPAA certified organization. HHS does not go around and certify organizations and say, you are completely in compliance. They don't do that for every single healthcare organization.
So what often happens is an organization will say they're HIPAA certified, but that basically means they believe they are complying with HIPAA the way that they interpret it. Another myth out there: if the consumer uploads their medical record into a health app, that information isn't protected by HIPAA. Wrong. There's no such thing as a health-certified or a HIPAA-certified health app. It's not out there. If the company offers a direct-to-consumer app, so you download an app directly from an organization and it's not provided by a covered entity, it's not subject to HIPAA. I just threw in a word that might confuse you: covered entity. This is where it gets a little bit confusing and people start to, their eyes glaze over a little bit and they start to fall asleep a little. Let's talk about what that means. There are a couple of key questions around apps and whether or not they fall underneath HIPAA. It all depends how an app is branded. It depends how the consumer gets to the app. It depends how the data flows between the app and maybe the hospital or doctor's office. It depends whether or not it's coming from there. These are a lot of little things that can really determine whether or not a health app is covered underneath HIPAA and has to follow HIPAA regulation. Generally, HIPAA covers data that's in health plans, with healthcare providers that are conducting transactions like claims transactions, billing, clearinghouses and business associates. Another term that's probably a little bit confusing, which we'll talk about. So who counts as a business associate? I'm not going to make you read this. I'm going to tell you. Let me give you guys an example. Say we've got Sally, okay? Sally goes to her doctor. Her doctor says, you know what, you have diabetes, I've got this really great app that would help you manage your condition and you get some counseling along with it. I heard about it from this great app company. So her physician gives her the app.
She goes home and she uses the app. That app is covered by HIPAA, because it came from the provider. The provider recommended it. The provider's name might be on it. So it is in effect coming from the provider. That app is now supposed to comply with HIPAA, which means it should protect all of your healthcare data in there. Now, this is where it gets a little bit tricky. Say we have Sally, the same Sally. Sally picks up a newspaper or picks up her phone and reads about this really cool new health app that Apple has. She downloads the same exact app directly, puts the same kind of data in it. That app is not covered by HIPAA because it was direct to the consumer. So you see, you can have the same app with information in it that is supposed to comply with HIPAA, and then you can have one that's not, even though it's the same information from the same company. This is what makes HIPAA a little bit tricky to figure out. It doesn't quite make sense, and that's just one of the reasons we have to really think about where this is all going. There's also kind of this healthy-ish type of data, as I like to call it, that's not covered under HIPAA. Things like you joined a disease network to talk about your cancer care, or a counseling network online, you purchased pregnancy tests, you purchased information about a sexually transmitted disease, you joined an HIV group. GPS data that shows you go to your psychiatrist every Thursday. GPS data that shows you were in a rehab center for six months. All of that information is healthy-ish kind of data. It says a lot about your current condition and could reveal a lot about you. That's not covered as well. A lot of people would be a lot more concerned about all the items they purchase at Walgreens or CVS or on Amazon going public than they might about their medical record. Everybody is using these third-party apps, or third parties as they call them.
Even CVS, I went on last night and it has a list of the third-party apps it uses; if you go to the site you can see all of the different organizations that CMS is sharing your information with. You can link to them. In some cases you can opt out. This isn't just happening in the private sector. This is happening in the government as well. It's important to know that when you're thinking about HIPAA. So we spent all this time and effort worried about our healthcare data and making sure it's protected underneath HIPAA, but maybe what we're learning is that it's not protected underneath HIPAA. We don't want to reveal it, but what's so amazing to me is that so much of this data that we're trying to protect so carefully, we are actually giving away. You ask, how are we giving this data away? Has anybody read the fine print? I mean, I just pulled this down from my own personal health plan and some of the doctors' offices that I go to. This is my personal information. But if you actually read that, and I encourage all of you to actually read the fine print, you will see in many cases the policy says that they don't have to agree to do what it says they're going to do. In many cases it says that they will share this information with contractors and authorized partners, but they don't tell you who those people are. It says they'll use it for normal routine health care operations. I'm not sure what a normal routine healthcare operation is. Does it mean a web developer who happens to be in the office could still look at my medical records? Maybe. Or the guy who's working on the Xerox machine? I don't know. It's important to understand what it is you are signing away. And a lot of these will say we can change the rights, you know, we reserve the right to change the terms of this policy at any time we want. And if you want to learn about that, you can come pick up a copy of the changes. So in a lot of the fine print we are really just giving a lot of this information away.
So we've heard a lot about healthcare data and how valuable it is. I think everyone in this room can probably attest to the fact that we need this data to find cures for cancer, to discover new drugs, to save lives. It's valuable data, but we're finding bad actors want this data as well. We are finding, guess who else wants your data. I was pretty naive when I started in cyberspace. I thought the reason everybody wanted this data was because they wanted to break into medical records and find out about Britney Spears or Selena or somebody in rehab, or what was the medical condition, was somebody pregnant? All the celebrity things you hear about. Or that they wanted to bribe people. Don't fool yourself. It's naive to think this is just about bribery or understanding celebrities, or someone even trying to steal your credit card. This is happening right now. There is a new space race, and it's around healthcare data. This is the fastest-growing business globally. Chinese investors right now are pouring in; just in the first nine months of 2018, 43 percent of all their investments went into biotech, in 2018. Companies globally are involved in economic espionage, and companies that handle patient data are particularly at greater risk. They are taking this data. This is really a space race. Whoever has the most data wins. Think about it. Think about the amount of profit that could be made by the next influenza vaccine, the Ebola vaccine. Think about the potential bioterrorism that could take place if you discover a certain population is susceptible to a certain germ or a drug. I'm really grateful to a supervisory special agent at the FBI; I don't know if anyone has heard him talk before. He's from the Weapons of Mass Destruction Directorate here, and all he does is study these different countries that are basically not just hacking our information, but taking our information when we give it to them. And that's what's generally happening. The data that they're taking can be used to exploit us.
They can discriminate against certain groups. They can create bioweapons. They can target it. But most important, they can get economic advantage. Look in the news. All of these companies are working with Chinese companies in this case. It's not just China, but I put many examples here from China, where U.S. corporations are sharing their data with Chinese-owned organizations. So basically our information is in many cases being given to the Chinese. There is a clear certification, in that CMS, the Centers for Medicare and Medicaid Services, allows you to work with organizations outside of the U.S. and share data with them. So imagine you're a health plan in the U.S. and you direct all your labs, all your DNA testing, whatever it might be, to be handled by a Chinese company. That doesn't have our best interests at heart. If you look in the news, sometimes you hear about the Chinese hacking data, but more often than not we are actually giving them the data. There was a report released this year, February 2019, by OIG and the FBI that identified national security risks related to sharing genomic data. This is happening right now. It identified China as the primary source of those risks. There are concerns right now because NIH has given access to U.S. genomic data to for-profit companies in China. And these companies have ties to the Chinese government. Now, this is not reciprocal. So in healthcare we like to think everybody is sharing data for the greater good, and that's how I always believed things were. But that's not the case. In fact, in China they have a law that their data doesn't go outside of their boundaries. They don't share any of their data. They get our data, but they don't share any data. In fact, there's a new law there. You can't even use any biomaterials from China unless there's a Chinese collaborator or organization involved. So it's really important to understand what the national security risks are for sharing health data with China and other countries.
It's important to understand what regulations we have in place for sharing our U.S. genomic data. It's important for us to understand what payments we are making through CMS, what payments our federal government and CMS are making to other countries to hold and handle our data. And it's really important for CMS and for private companies to consider what the national security risks are that we need to think about before we do business with these companies. These are things we haven't really worried about before, right? I mean, we've been worrying about people hacking in to take celebrities' information or blackmail an individual person, but that's not what's happening. We are actually at a different point right now. Senators Grassley and Rubio actually drafted a letter just a couple of months ago (is anyone here from their offices?) asking CMS to put a plan together, asking to better understand NIH and other sharing, and to be clear about what payments are going there and what the rules are going to be. That's just the beginning of the exploration around that, but this is something I think is really important for people to keep asking about. Because this is going to sneak up on us very quickly. Once that data is gone, it's not coming back. You can't get it back. So in summary, you know, this healthcare data is valuable. It saves lives. I do want to emphasize that. It is important to share this data, de-identified, so we can do the research we need to do to find cures and better treatments, find appropriate treatment for Alzheimer's, ALS. We need vast amounts of data to do that. So we don't want to stifle that, but we need to make some decisions about how much we want to share and in what form, who we want to share it with, and to date I have seen a lot of discussion about that. But the time to have that discussion is now, before it's too late. That's it. I want to thank you for listening, and I'm happy to take any questions.
[applause]

Thank you again to Jen and Robert for those presentations. They were able to cover what I would consider an enormous amount of information and condense it into those slides, but I'm sure there are tons of questions, and we want to drill down a bit deeper on certain subjects. I'll kick us off with maybe a first question. I think we definitely now have a good understanding of the risk of our data being out there, how it can be shared, and that we don't know it is being shared. And some of the inherent risk with that. One question I would like to start with is: is there a concern, or should there be a greater concern, that beyond the inherent risk and the jeopardy to patient safety with the data being shared, there is a direct threat to patient safety from malicious actors? Are there other avenues we might want to be worried about? And if we could talk about that for a bit as well.

Anyway, you guys could probably hear. We certainly see this all the time. This one? Does it work? So one of the things that I mentioned was the potential ransomware attack. This is where essentially you have a form of malware that encrypts all of the data in a health system and makes it inaccessible to anyone using the systems, effectively shutting down anything that runs on any form of data. That's everything. Well, there are still some things in hospitals that probably should, but the door. That means the patient safety effect can be huge, because suddenly you've lost access to critical systems. Another big concern that has been proven time and time again, at least in the theoretical research, and we don't know if it's happened in the wild yet, is the potential for device hacking. You can imagine an insulin pump or an implanted defibrillator could readily be compromised and then could be used easily, given the function of those devices, to kill a patient or seriously injure them.
Those are just two really present examples. They are very serious, very possible, and they are either actually out there or have been proven to be completely plausible and deployable.

Let me piggyback on that a little bit. Right now there is malicious software that is attacking Microsoft and other widely used software. A lot of the medical devices sit on top of software. It could be that they are not necessarily attacking the medical device itself, but the software it's connected to, and that's happening right now. A lot of people don't recognize it when their machine or the device is affected, or hospitals don't know that the device is connected to something that's been attacked maliciously. It is happening right now, just not in the way you think about. I think of the Homeland episode with the pacemaker getting attacked. We haven't seen that so much right now, but definitely we are seeing a lot of attacks on general software that's connected to those things. We don't have a good way right now to notify people and reach out there, because if you think about medical devices, once they are out there, we would need to know exactly where the manufacturer sold them, what providers [inaudible], which patients they were given to. Think about the chain of events in terms of where medical devices come from; it's a pretty long chain. So in terms of the notification, there are specific guidelines about how the notification is supposed to take place, but it's a real concern. The more that this happens, I think the more dangerous it is going to get.

Could you remind me where the sources of these attacks are coming from, hacking versus insiders? Was that based on incidents or the proportion of the number of patients attacked?

That is based on incident number, those percentages. It's number of incidents. Obviously you have a bit of a skew towards hacking when you look at it from the number of records compromised, because those will tend to be the biggest types of breach events.
That being said, what sometimes can be the most damaging to health systems are the one-off types of attacks, because they can be very public, very personal, and they involve one-on-one vendettas or legal action. When you look at the total risk to the system, you could make an argument either way, but your point is a good one. If you look at the total number of records compromised, you would probably get more hacks, whereas sometimes it is an insider type of error. Good question. We are going to go to the blue tie back there.

I appreciate the comments. I want to echo what you said earlier. We see, getting back to patient safety in ransomware attacks specifically, that the net effect is surgeries canceled, ambulances possibly diverted, and we have seen that from our members. We've seen adversaries go after smaller hospitals most recently, increasing the ransom in attacks, and using the tactic of going into the backups first, which is very troubling because that's the normal defense against ransomware. We're very concerned about that and appreciate your comments there. Again, on your data, the majority of the records, as you say, is compromised by external actors; would you agree with that, the majority of breaches?

I would say sometimes we need to be thoughtful about incidents versus records as our measure of risk, because sometimes those incidents actually end up being some of the greatest vulnerabilities, versus these bulk records, which may or may not be exploited in these large dark web sales, things that might have less of an actual impact on the institution or patients. It does depend, but it's a good point. I would also applaud AHA for a lot of great work they are doing in this space, bringing it to light.

Again, reinforcing your point, a lot of our members have become aware of the strategic threat posed by nation-states targeting medical research and innovation, so thanks for bringing that up.

I just want to piggyback as well. I think phishing attacks are the most common.
That is external, but you can address that with training. A lot of companies have trained their employees on phishing attacks. They will send an email, and the people that click it have to go to training. You can address that, but that is the number one way people get in.

We show that breakdown in the data if you want to look at the actual report. We have confirmed over time that phishing is by far the largest portion of the hacking section of that event. Right there in the back. If you don't mind, this gentleman will find you with the mic.

What kind of policy has been recommended, or should be recommended, to address this issue?

Which part of the issue?

Mainly the hospitals, or insiders in the hospital leaking information, and protecting against companies outsourcing the data to foreign nations like China.

We generally have seen that. What we've seen in terms of hospitals is these phishing scams. It's really training and education. These larger hospital organizations and health plans, large corporations, are launching large-scale efforts to train their employees to not click on things, because that's the number one way people get into your organization.

Is that how some folks externally and from other nations get in?

Yes, but it is all kind of random. For the most part they get in from an inside door.

One thing I would add is, I think you bring up a pretty broad set of challenges that are faced. Even if you look at any one discrete piece, the challenges are across many different dimensions, and that's a lot of what we're working on in the paper in particular, which is: how do we change the culture of these organizations? How do we look at the technology? Are we using the most modern technology, artificial intelligence? Look at the development lifecycle we use, and ultimately the workforce. At the end of the day it's human beings that are both defending these systems as well as serving as the vulnerabilities, and [inaudible].
Creating a strong, diverse and well-trained workforce in the future is just incredibly important. There are a lot of specific policy recommendations in this paper that will be released soon that I'm hoping can help empower this and make more concrete recommendations. It's important that organizations like [inaudible] and other societies, as AHA is doing, educate people. People just don't know that this is a problem or that it's happening. The more that you can talk about it in your offices or with your constituents, the better; it's really important, and bring up real-life examples with them.

I've been seeing in a lot of academic literature a real push toward the idea of the internet of things, because it will save us from human error when we're talking about, say, an IV infusion pump. But I always have this in the back of my mind, that these things are hackable, but most of the literature I'm seeing lately dealing with security is focused on the passive data collection. Do you think that there's not really as much direct risk there, or is that something that could be forthcoming as more of these devices become mainstream?

A lot of these systems are very smart, and there is always human error. We're finding that medical records are in many cases more secure than they were when they were paper records. But everything is going to be hackable eventually. There's always going to be a weakness. There is no 100 percent guarantee that something is going to be safe. If anyone is looking for that, they are not going to find it.

For me, just from my perspective, when I was in medical research in school, I focused almost entirely on patient safety as the topic that I worked on. I can tell you, absolutely there is a really important role for the internet of things in improving patient safety. One thing that gets lost in cybersecurity and privacy is you can't just lock everything down and say there are no systems, let's go back to using a scalpel and a pencil. That's not going to work.
We have real gains we can make by leveraging data, leveraging modern technology and leveraging conceptual frameworks like the internet of things. But I think sometimes we frame it as an either/or, and it's not. We both need to use these advanced technologies to help patients, and we need to deploy advanced technology to protect these data and systems. Until we start thinking about it as an "and" instead of an "or," we are not going to shift this curve, but it's an absolutely possible thing, and we see top health systems doing it all the time.

I'm not sure how familiar you are with MIT. It has been, obviously, a big center for medical innovation, but one thing left out of this conversation, and Robert was talking about it when you started with his research, is that universities are a giant hole for a lot of this hacking, but also particularly for foreign influence, especially because most universities maybe want to partner with other universities, especially in China. And you're right, we should be encouraging that; we should want collaboration, because that's the nature of academia, particularly in the sciences. But I would argue that, especially among some of the research that's come out of MIT, we now know it leads to actively monitoring leaders, especially with the genome stuff, tracking people's DNA and identifying them based on ethnic heritage. To an extent it brings up the question of, should we just ban Chinese investment and investors in the U.S. tech industry? It's an extreme option, but is it really ridiculous considering we already have American scientists being at least somewhat culpable in what's really going on at the moment?

A really good question, and I don't think there's an easy answer to it. Because, of course not. First of all, I mean, there were these two Chinese scientists who were just indicted for doing exactly that, what you're talking about. And it's going to happen again. We need to share this data openly.
We need more data or we're not going to find these cures, not going to discover the diseases we need to. It's a really complex question. It could be a matter of how we share the data and in what format, and it could be that it needs to be reciprocal. The other issue is one of money. Chinese investors are putting a lot of money into biotech in this country. So there's a financial question as well as an ethical one. I think it's a conversation that has to be had. One of the things I don't think we've asked at all of the general public, and we don't know about consumers, is what the consumers think. How open do people think their data should be? I mean, are people in this room going to share their data, but only de-identified? I don't think we have a really good sense of which way the general public is going as well, and I think it will be hard to make policy without even knowing that. There are no easy answers, but they are all questions that need to be discussed, and we need to find out what the public perception and perspective is as well. Sorry I didn't answer your question.

[inaudible] I guess the frustration a lot of us in the national security community have, especially when it comes to China, is that, frankly, when it comes to trade, when it comes to science, when it comes to stuff like the South China Sea, it really seems like China gets the benefits but not the responsibility or the burden of having to follow any rules. Even if we do set up, like, fine, you can have access to American health data, but you can only do it through CMS, and CMS has to be monitoring it, the reality is many of these investors don't have a choice as to whether or not they want to do that, because many of the companies are also owned by the Chinese government. In most companies I believe a member of the Chinese Communist Party has to sit on the board of that company. We have seen this with Apple. We've seen this with several other companies.
I guess the question is, because it's true, we should be having a conversation about it as a general public and asking what the general public thinks about issues like this. But I guess the issue I have, and it's an issue a lot of people have in dealing with China, is how do you deal with an actor that isn't going to deal with you on even terms? Should we try to make them hurt a little bit and make them understand that, while the relationship is one of symbiosis, we rely on them for trade and investment and other things, at what point do we have to just sort of stand up and say no, not today?

We're starting to do that. I think the administration put a halt to a 23 [inaudible] investment that was going to take place here from a Chinese company recently. This is already happening. Their money is already here in many places, so I'm not sure what putting a stop to it would mean right now, what that would look like. But maybe that is the decision, that policymakers have to figure out what that looks like. But at the same time NIH has gotten a lot of really important data from other nations. So we really have to balance what's important.

Good afternoon. I'm [inaudible] from Senator Manchin's office, and I want to take the time to thank you all for taking the time to come to Capitol Hill and speak to us on this issue. I come from West Virginia, and while our state has incredible community health networks such as in Huntington, Morgantown and Charleston, so much of our work has been at the local level in very small rural clinics. And the amount of information that they're able to retain on patients is incredible. As we talked about earlier, resources are scarce, especially money, when margins are so small within healthcare, but particularly in rural Appalachia and West Virginia, the resources are even more scarce.
With the advancements in things such as telemedicine, what advice or recommendations could you all offer to make sure that, even though the resources are scarce, we're still utilizing technology at the local level and still have the best protections in place?

I can speak briefly to that. We have a recommendation in this space that specifically relates to rural settings. As you may know, some of the barriers to protecting these facilities are often related to the existing anti-kickback and Stark laws associated with a larger organization providing proactive funding to these small affiliate clinics that represent major weak links. You could put them under the security umbrella of a larger hospital, and a larger hospital may want to do that and protect them, but they are not allowed to because of current legislation and current regulations. Thoughtful reforms to that would be an easy move. I think also, in the longer-term sense, how do we thoughtfully still use technology, the types of automation and the types of insight and proactive detection of threats that can reach out into all these communities, that can reach up through networks of different providers, and not necessarily have an individual human at every one of these sites watching it, but overall technologically enabled oversight of these organizations that are connected back to central hubs? This is all very possible, and I think there's relatively low-hanging fruit that we could modify to transform the landscape and improve the care that we are delivering to our patients in rural clinics and the security of their data.

It's reflective of the inequity we have right now between smaller, rural, maybe less-resourced places and these larger corporate companies that have all the resources they need to do the technology updates and have the full breadth of security. It's going to be really hard for some of the smaller places to be completely secure. And it's not going to be equitable.
I think that's a real problem, and we're facing that across the country. It's a lot tougher. I do think AHA and other organizations are doing a really good job, and the rural hospitals association is doing a great job with trying to share some of the resources they have, but it's tough.

We have actually come up on the end of our time here, so it looks like perfect timing, no questions remaining. I want to thank you both again. You've been very generous with your time, and thank everyone that came out today. I would like to say, as you can probably tell from the context of the conversation, that there is a lot of work to be done in this area. There's a lot we need to focus on, vote for and look forward to, to a greater extent. This is something the Senate Cybersecurity Caucus will be committed to exploring in the future, so we definitely invite all of your bosses to join the caucus, and we thank you once again on behalf of Senator Warner for coming today. [applause]

If anyone would like to reach me directly, it's just robert at protenus.com. I get the benefit of having a single name.