You have everyone's bio, I don't think I need to reintroduce the panel, but it is a way to look at the year in a context of cyber and healthcare and give us a different way to look at the efforts to get the vaccine to the public. Have news that we will get to later, the New York Times reported cyberattacks related to cold storage of the vaccine have been going on since August and it is unclear whether this is about ransomware or something more sinister but we will get to that in a minute. What I thought we would do is divide the discussion into three parts, going to look at the broader issue, attacks on the healthcare sector as we wrestle through a pandemic, look at the security and protection of intellectual property related to the vaccine and finally is related to news about hacking the cold chain we will talk about security protection and defense of the supply chain for the vaccine. What I would like to do if you have questions I will field those as we go along and we may have questions at the end as well, if there's a Q and A function, the team at Aspen will explain how we put those questions in. With that I want to start with Meredith. At Eli Lilly, having to deal with all we are dealing with in a laboratory setting with laboratory people being paused or working remotely are you dealing with more attack surfaces than you ever have before? People using the same network and all spread out?
The answer is yes. We do have an increased footprint as it relates to that because we made a decision early in the pandemic from the March 8th timeframe, to send our team members globally home to work. There was a subset of those individuals that needed to touch specific equipment in our lab or places like that, and to protect their safety while they were interacting with the specific lab equipment we take to someone's home so we did have an opportunity to have a small portion of our team going into physical location but it was few and far between, 16, 17,000 team members deciding to work from home.
The attack surface now is incrementally grown over that period of time and we continuously as an organization ensure that when our team was at home working, there are security principle and practice even sitting in their home offices. We can get a little lax at home and think the same way in our physical work locations but you've done a great job with robust education awareness program how to protect spaces in your home environment. We've seen an increase in that surface and attacks as well. It goes beyond don't double-click on that weird phishing email. May have to do with authentication records. All of that. We put together a packet to give our team members. Here are the technical controls we recommend you have in place to operate and carry out the business, we have a VPN to connect that offer, that it is still active, the data you need to perform your role without putting that information on your local device or things of that nature. The questions you may be asking, here's the recommendation how to deal with that and work through those things together to make sure we are not seeing increased exposure. One of the other things we talked about that we initially didn't think through at the beginning was around the idea of printing, we get so comfortable printing and physical locations at work but now you are starting to print things that may be confidential at home. How do you secure printouts or destroy them appropriately, we try to think what a coworker needs to know to make sure they fit themselves, their devices and data and things they print are protected.
You were sending out shredders and things.
We didn't do that, we gave them an opportunity, a home shredder, here are the ones we recommend.
One of the other things we did which I really appreciated our leadership going down, people work in these home environments and gave each team member the opportunity to say I need to outfit my workspace differently now that I'm working 100 from home but that gets a recommended shredder so you destroy documentation appropriately. If you even need to get a new chair, especially comfortable you work every day there was an allowance offered to every team member who needed to take adjustments so we offer recommendations, gave them options and you chose what you needed to bring to your workspace to make it comfortable.
And pr ga us chairs so that is clearly different. I will get to the other panelists as well but have your concerns changed since March? Are you seeing things, we think about ransomware, phishing attacks. Are you seeing things, is this progressing or even evolving?
We had these conversations before. Some of the activity, the mo activity we see a standard for us, what we typically see in terms of exposure attacks, interest in our organization, those things are happening every day. What I have found, the use of social engineering, footholds into an organization by way of credential stealing of things of that nature. We've seen more of those types of attacks, a little more sophisticated than we have seen in the past, but that doesn't mean the volume of what we are seeing is shocking to us, but there is this turn up on the sophistication of it all. We are now training team members to look for those indications what doesn't look quite right with the message we can find ourselves in a world of hurt, we focus on the training and awareness of team members during this time and as it relates to development and research base because we know they are a target, the ones who are working on our response to COVID-19 so from that perspective using training awareness on those attacks.
Do you think the social engineering is working better now because people are lonely or by themselves?
Don't know if it is loneliness that makes them 6 up double susceptible to it. I suspect I am working more now that I am at home being able to disconnect a little harder, I am sitting in my office and get things done but because we are moving back, to pick those things off of our list, we can move a little too quick and expose the organization that way. I do believe we are moving quicker in some instances which creates more exposure for us.
Journalists get lonely. Let me ask you, let me move to you. One of the things we know from a public report is there were a number of different medical or healthcare companies including Johnson & Johnson but North Korea and these reports came earlier this month, trying to steal allegedly sensitive COVID-19 information from Johnson & Johnson and others, walk us through what that experience is like?
Thank you for the question but I would say attempted hack is not a hack. In the cybersecurity organization in that arena those are clearly different items, healthcare companies have seen an onslaught since March of 2010, that is the day the Chinese started a hard knock of most of the healthcare in the United States and there was a lot of talk at the time, those who knew they had seen attacks or and scenes that stand by a nation-state and there was outreach and figuring out working with groups like the FBI and Homeland Security from what this was all about, discussions in healthcare, what was needed. Meredith and I are seeing attempted penetration by nation-state actors, not just North Korea every single minute of every single day. We have four primary threats in healthcare, just one of them is nation-states. The other is a criminal element looking for anything to monetize. People who are trying through social media attempt to sway pharma companies on what the pricing should be a writer that other items that occur as well as insider threat. With the vaccine in development and therapeutics what we have seen is we are on a grander stage, people e wait a minute.
That is a company, what can I do there. We've seen that rise. What we don't know, many different attempts at assertion, just one is going to try to put it on the network, things like email, social media and to get someone in my company to click on it and bring it into my house, my boots coming in the door. In the healthcare industry the Department of Homeland Security we work close together so that we provide information. I don't have the resources to know where it came from or what they are going after and working with our federal agencies, government agencies we provide that information which tells us that came from North Korea and warnings are going out. They have the skills and cybersecurity organization to detect the code and protect against it. Unfortunately not everyone has that in the healthcare industry.
Any indication there is a focus on getting something COVID-19 related because everybody wants it right now? Is there bigger appetite for it?
There are only so many people who get information and turn it into a vaccine. Then we will have a group of people who just decide I don't want the world to have a vaccine. Not much of a difference so we have the protection capabilities we have built and in this instance looking at vaccine production, there was a plant in China, we were able to see what was happening all along. With the virus, 30 health pick in criminal type activity trying to monetize anything they could. Some people were out of work, decided they would be hackers on the side and try to come in and see what they could monetize. Large companies have defenses against the but again in general, 30 was specific. Most of it wasn't going for a virus or it would be hard to tell because people come and on one side and move across the company, the ability to detect it is what helped us. We took a concerted effort, anyone working on vaccine production or intellectual property, to lock them down, provide minimum necessary access.
The term we use in the security industry, then we did that and the social media, the June timeframe we saw one of the other companies that we talked about at the board meeting and one of the things that happened, informed our people to be aware of it. Shut off social media, don't click on anything on LinkedIn and give some guidelines to make sure they are secure.
You have a little cybersecurity mode or is it everything?
We have we create most. It sounds like we close ourselves off. In reality what reality is is we provide ability for the business to operate in an insecure environment.
That was excellent but one of the things we found on our end was our third party we partner with in order to do that we see an increase in terms of third parties being impacted, ransomware or things of that nature so when our third parties who are close in the development research arm of the work when it becomes a problem for Lilly and we spring into action to assist those third parties to ensure our value chain is protected and we are able to deliver those in the lifesaving medicines we see an increase in that, this year we have done way more than I've seen in the last couple years.
They are coming in through some other vector. That is why I asked you about routers. I don't forget they are here. I know you are there somewhere. I wanted to bring you in, nice to see you and talk a little bit about the security components of Operation Warp Speed and Eli Lilly and Johnson & Johnson are among the players and that and don't know much about the cybersecurity side of for peace, what it looks like because people ask those questions, how that works.
As you alluded to, across the federal government, industry and healthcare sectors made it so strong.
From the FBI perspective we have the unique role of being domestic law enforcement so what that helps us to do protecting the vaccine research on these threats, having access to classified intelligence to understand what adversary plans and intentions they are, to see the threats as performing, to use broad domestic presence, hundreds of other satellite agencies, really embedded in communities and have these enduring partnerships with research institutions, universities, at a level we can share ideally before something occurs and as an operational agency we can act on what we see, the direct engagement with these organizations is so important, at the university sees this type of threatening cyber activity, not only to investigate but to share that information with the intelligence community with network defenders to help everyone strengthen the network. It is most effective when operated at different levels.
Are you getting more back and forth than you were in the past? Some were more reticent. They may have been compromised.
Extremely proactive outreach with a combined network and maturation in the federal government over the past few years. Some of that was in response, the well-deserved feedback, multiple federal agencies with threat information, increasingly that is a partnership exemplified by Warp Speed and months before Warp Speed started.
As early as March when we were starting to see cyber criminals but nation-states targeting COVID-19 research, quickly formed up with the Department of Health and Human Services on a couple different fronts, one, to warn those being directly targeted and 2, to do some research and expand the circle to say we know these types of entities are being targeted who is likely next and try to get ahead of that threat and thirdly, something unusual for us that we issued a public service announcement particularly about the Chinese cyber actors targeting COVID-19 research, one, to warn but also to alert China that we have visibility and understanding of what they were doing and let them know there would be rescanned consequences for that activity. By virtue of that sustained engagement we are seeing great collaboration with the healthcare sector even on issues not specifically related to COVID-19 research for example the recent credible threat we want with ransomware against hospitals and other providers, we've got tremendous feedback from the healthcare sector organizations like the American Healthcare organization in response to that because we very quickly put out those indicators to watch for. We had video calls and ways of engaging directly with those who might be affected to let them know we were taking this seriously and as a result advising they do two and keeping up that contact because we know that is a real resource drain when we are advising a threat like that and it requires a shift in resources and that is only sustainable for so long and that continued communication is important to keep them updated on what we are seeing.
One of the strategies used by DOJ is to bring charges against people. Thinking of hackers who brought charges against them. Did that have an effect? However long it did have a knock on effect, the public service announcement, did that have a knock on effect?
We are aiming at a number of different audiences when we do things like that and many different tools being used by the FBI and federal government and private sector partners when doing efforts like that. That was followed by an indictment shortly thereafter that identifies Chinese cyber actors targeting COVID-19 research but it is part of the new cyber strategy Director Wray announced a few months ago. Not so much about an indictment, that is one means to an end but because of the unique partnerships I described that the FBI has we want to make sure we are sharing the information and relationships with our partners in the federal government overseas in the private sector, to do whatever steps we can whether that is FBI action, treasury sanction, publicly outing more covert action you might not see and to do that in a coordinated way to have maximum impact because we think these adversaries acted with what they think is impunity and we want to change the risk calculus.
Let me talk about intellectual property and how difficult it is to be a healthcare company doing open and cooperative research to protect against hackers. What are you doing in that respect?
Making sure we know our our it sits, we have that network and that area where we could store and how that information, protections we wrapped around where the intellectual property sits. As relates to research, collaborations with resource organizations for our organization we are ensuring we put the security posture of those organizations who are collaborating with us as relates to that research which will create it from there but we have controls wrapped around those repositories to ensure we are monitoring to detect any exposure to that data.
Something to add to that?
The other package we talked about earlier, education of what they are dealing with, once you have been handling something for some time, the importance at J&J we have a credo so we continually talk about the importance of the data to our patients and healthcare and humanity and we look at that. About the third party, one company creates the vaccine or drug by itself, there are multiple third parties, as well as your manufacturer and distribution you are going through. Continually looking at those third parties. One thing on the road to the COVID-19 did show my organization in a quick period of time, look at the data slots so when you look at the data flow for intellectual property for something specific like vaccine production we learned a lot and looking at helping the business in other ways we wouldn't have known existed if we hadn't done it during a short time. It also helped us, we worked with the FBI and special agent Tammy Mccue at the Newark office who came and talked to all our intellectual property attorneys, regulatory attorneys to talk about the threat. That adjudication, using government entities to help us, tremendous resources for people to understand how important intellectual property is and how to affect it.
An example of protection, data at rest being encrypted. That is one but you talk about data, people think about databases and big networks, I need to look at the data on my computer or I need to send it, is that encrypted, what do you do?
There are a lot of elements of how things are in making sure you have appropriate repository and ability to encrypt that data from the beginning to the end.
Reporter: I thought I would save the news for last which is very nonjournalistic of me. For those who have not seen it, but you quickly up to date, there was an article in the New York Times today that reports on cyber hacks on vaccine distributions which seamlessly goes to our next subject which has to do with supply chains.
IBM researchers said the attacks appeared to be intended to steal the network credentials of corporate executives and officials, and these officials who were focused on cold chain which is the refrigeration process necessary to test these vaccines so let me ask this question in terms of fill and finish and supply chain, what is the thing that worries you most about the vulnerability in distribution?
Sometimes there is nonawareness by those organizations that provide a critical part of the value chain and development cycle. They may not have the same level around security of their areas because they think about it, I am not delivering it, I am offering cold storage. Should I be concerned? I am just housing something. That is my biggest concern, them being aware they are targets and providing that service to us to be able to get the vaccines to where they need to be. That is my biggest concern, the awareness of the fact that they are a target and they not have the same control we have in our larger organization because they may not have that so that exposure is real.
As a general matter I assume if you have therapeutics or regulatory flu vaccine you haven't had to think so much about getting it from a to b and making sure it is safe because there's a finite amount of vaccine, it is a hot commodity.
Think of the intent behind that when you look at the hackers and the bad guys as relates to that is twofold, what is pure disruption, to disrupt the spike, a different take on that where they may want to damage or expose those vaccines or they would not be, the efficacy is not there with those delivered to the patient so you have multiple instances behind why there's interest in the chain or other supply chain for the development of it.
Are you looking at this a different way because it is COVID-19? The idea of supply chains?
We have a robust supply chain and continuity plan around that.
I'm happy to say it doesn't have the extreme temperature requirements that other vaccines do. Not that it is not a big deal, what I would tell you the overall security of getting a vaccine from the point of manufacturing to someone's box, and in some cases. That is all I want. But what I told one of my good friends at the company that is going to have operational Warp Speed to make sure the vaccines are given out and in pharmaceutical retail what I told her was because I had come from a pharmacy benefit company and we did mail-order delivery of drugs, treat the vaccine like it is two drugs, they have from the very beginning to then when it is dispensed have you have a sign off, security requirements around it, all of those things should be replicated for the vaccine and I talk to the general in charge of security for operational Warp Speed. Don't try to reinvent the wheel. Use what you already have. It all approved what you do, just use it.
For those who are not in the healthcare industry explain what the drug is, what an example of one would be?
Something like codeine or morphine, something highly addictive or highly controlled, a controlled substance so with a controlled substance a whole chain of how they must be dispensed and even organizations like UPS or FedEx we may have those types of drugs in their purview or ownership to be delivered, they have protocols already set up.
When you say the general in charge, general turnoff?
He's in charge of everything but general mc curry. You didn't need to reinvent the wheel, there are systems in place. It is not as hot a commodity as COVID-19 but you could deal with. The pharmaceutical industry itself requiring the extreme temperature or sensitivity of how the drug might be dispensed is not something new. The protocols in healthcare are already there. It is necessary for this instance. I don't have any visibility to what was done or what was going on in that area but that is my recommendation.
Does that mean you feel I don't want to go all the way to the word relaxed, but you don't have huge concerns with the distribution of the vaccine?
No, I don't. I have full confidence in the healthcare organizations in the United States have already created. I was in that industry for over 10 years. Being able to shift a large amount of see 2 drugs in the company, a tractor-trailer went out every day to the warehouse to a distribution center and all protocols, GPS, tracking, monitoring, all those things are already and have been in place, and utilizing those and leveraging them will make the job easier. They are an opportunity to provide better communication but with today's digital technology absolutely. I have a lot of confidence in the US healthcare system.
The idea, sorry to keep harping on this but I think the average person thinks the whole distribution, always been hearing about this distribution is going to be the most enormous and complicated and bound to fail or bound to have problems, you don't think it is as complicated as people are saying, that we've done this in different levels in the past?
Don't get me wrong. The distribution of controlled substances that require low temperature efficacy isn't complicated. It is extremely complicated. It is a problem for the US healthcare industry has already solved and can leverage those learning to be able to do this in a secure manner. Had there been people who tried, absolutely. Will there are likely be some type of attempt, maybe. Then the question is what do you accomplish?
Thank you. Let me get you in as law enforcement. What are you gearing up for in terms of distribution of the vaccine?
Obviously there are motivations for some of these actors who are trying to disrupt the supply chain.
Our biggest concern would be a destructive attack to throw a wrench into that chain, or cyber adversaries moving to target those in order to then move into what they are trying to reach but the motivations go beyond that type of disruptive attack, stealing intellectual property for financial purposes. It could be to undermine confidence in US efforts to provide an effective vaccine. Other countries development. There could be other purposes. The other thing we try to keep in mind, the discussion is focused on related threats. The most determination state adversaries not just relying on one method to target the supply chain but the combined cyber risk using more traditional human sources to penetrate organizations even through diplomatic means to make entreaties and create relationships that might put them in better position to disrupt or influence or steal information so our focus is combining cyber, counterintelligence programs to make sure we are looking across rather than one type of attack vector.
That is something where you about the next phase?
The complexity of it, thinking about it as was said. This was work they do all the time. They have the support of additional entities from the federal government focused on protecting this research so that gives me confidence.
We have come to the end of our time. I try to slip in the questions I saw in the Q and A channel. Thank you for talking about this. I was concerned about the cyber aspect and the distribution aspect and fascinating to know how we get this through. Those of you who are going to stay for the next session please stay tuned. We will be right back with the next session about emerging technologies in tech with fascinating people, my favorite people in this arena. Thank you for being with us for this session and stay safe and healthy.