Now a forum on the cost of keeping health care safe. This is hosted by Politico. It is one hour and 15 minutes.

Ladies and gentlemen, please welcome executive editor for health care, Joanne Kenen.

Ms. Kenen: Good afternoon, everyone. I am one of the executive editors for health care, and I would like to thank you all for joining us, and those of you on the live stream, too. Outside In is our event series focusing on health care and technology, and being Politico, we look at health care through politics and policy. Outside In was conceived as a way to bring outsiders together with Washington insiders. This is the first event this year. We've taken the idea one step further this year and created a forum of health care tech industry insiders; you have a list of their names on your seat. And we've been doing surveys and interviews and events, and this group is helping us better understand the new opportunities and challenges that technology innovation is bringing to the health care policy world. Today some of the panelists will... we'll have two panels. And some of the advisers will help us dig into medical privacy in the age of cyber attacks, and we are going to ask questions like: is greater health care information exchange going to lead to more dangerous and increased hacks? Can health care providers afford security? What kind of congressional or regulatory action, if any, is needed to keep medical records safe? We'll have the conversation in two parts. eHealth editor Arthur Allen and I will first talk to the policymakers and policy experts about medical cyber security, and in the second panel, Dan Diamond, a new colleague, who is writing Pulse for us now and has just begun the Pulse Check podcast that all of you have to subscribe to as soon as this is over.
And he has also helped us create and moderate this advisory panel, this forum, and he will continue the conversation with experts who were on the forum. And you'll find stories from today, the story written based on what these outside people are telling us, and the theme of that story shows how health care cyber security is getting worse and how the government's role is a mixed blessing. And we have a bar, for those of you who are here, as you noticed. So stick around, because the conversation can continue afterwards. Those of you on the live stream, you can just start right now. [laughter]

Ms. Kenen: Before I introduce the panel to the stage, I want to take this time to say thank you to our partner Philips for their support of this event and the entire Outside In event series this year and all three years. Here to say a few words is Artie Arthur, Vice President of the Health Care Government Solutions Group for Philips.

Ms. Arthur: Thank you. Thanks, everyone, for coming to this event. We're really excited to be here. Thank you to Politico for sponsoring the first installment of Outside In. This is Philips' third year here. And just to give you a little bit of an understanding of what we did last year and how it is really going to integrate into how health care and technology meet each other for this series: last year, we focused on areas such as digital medicine, aging in a technology world, and also population health. Why does that matter today? Well, you know what? Health care transformation is continuing on, right? And what we need to do is ensure that that data is meaningful and actionable. But the worst part about it, and the reason why we're here today, is because we don't always know if it is safe, right? You don't know what you're going to get. And you guys have that sheet of paper; I just read it real briefly, on how expensive health data is. So we're here today to talk about how important it is to ensure that our health data is secure. Hackers don't care.
They don't discriminate at all amongst health data. If you think about what is happening today, you have seen a lot of articles on the health care ecosystem. Large health care systems, as well as insurance companies, have had their data attacked, whether it is by a hacker or any type of outside threat. And that is important. And it is scary. I think the really cool thing about working for Philips, and why I'm so proud to be here tonight, is that we take this very seriously. In fact, my group in the health care space for the federal market, we've done a lot of work with D.O.D. In fact, most of our products today have been certified by the Department of Defense for cyber security, and we're really proud of that. We have more cyber security certifications than any other entity today. Additionally, we get to be an adviser on the task force for HHS. And so this is really empowering what we do in health care today. I can't tell you how excited and thankful I am for the panel that we have tonight and for Politico to partner with us in this forward-thinking, thought-provoking series of 2016. And with that, I think I'd like to introduce your panel.

Ms. Kenen: OK. Thank you. And thank you, Philips, for your partnership. For those of you in the room and on the live cast, for our conversation on Twitter we use the hashtag OutsideIn. That is one word. I have a tablet on stage and will take questions from those of you who tweet them in. A reminder: our events are live streamed and all on the record, and they are recorded so people can watch them later on through our website. Without any further delay, I would like to welcome our panelists and my co-moderator to the stage. First, we have Representative Will Hurd from Texas. He is the chairman of the I.T. Subcommittee for Oversight and Government Reform and a former CIA undercover officer. And then in the private sector he was a cyber security expert.
He came to Congress in 2015 and he swiftly emerged as an important voice on this topic of privacy and security, and on looking at where the government is not doing a good enough job. Leslie Krigstein, from affairs at CHIME, the health care information management executives' group. She brings the concerns of health care CEOs to the Hill and to the agencies. Deven McGraw is from health information privacy at the HHS Office for Civil Rights and the point person for concerns about privacy, and she helps enforce HIPAA, so you all have to behave. Clinton Mikel, from the eHealth Interest Group at the American Bar Association Health Law Section. And he is one of the top national experts in legal issues that barely existed a couple of years ago. And we hope he can help us understand what is still needed in the legislative and regulatory framework to protect health care privacy, because every day we are reminded that it is a problem. And of course, Arthur Allen, my friend and colleague and eHealth editor; they call him Big Data, and I'm Little Data. [laughter] Thank you. Arthur, you are going to start it.

Mr. Allen: So, welcome, everyone. So I represent... I'm the CEO of a small hospital chain. And I've been busy taking care of meaningful use and dealing with MACRA and a million other things, and somebody just came to me and said there is some issue called cyber security, like a problem with people attacking the health care system. And I'm going to just ask our distinguished guests here to explain some of these things. Congressman Hurd, who is attacking the health care system and what are they after?

Mr. Hurd: The majority of it is going to be organized crime. A lot of it is Russian organized crime. They are the ones that are trying to leverage the data they are collecting for monetary gain. A health care record gets more on the digital black market than a financial record.
And some estimate that a Medicare record is in the couple of hundreds of dollars per record. So it's lucrative financially. To give some context, in 2012 alone, the FBI had data that there was 414 million dollars' worth of thefts in the United States. And the estimates in the cyber realm, it was over 100 billion. Right? So in impact to our economy. So it is a big issue.

Mr. Allen: It is a good field to be in, obviously. Leslie, tell me about the experience that hospitals, CIOs, are having dealing with this problem. Are hospital systems spending a lot more money, and what are they doing to adjust to this new reality?

Ms. McGraw: And you're right, it is the reality. There are only so many fingers to plug the holes, and the reality is we can find every possible vulnerability and try to block it, and they only have to find one. And so when you are looking at this as a fraction of the budget, something like 3.5 to 4 percent, a subset is security. So it is something that you are not necessarily getting reimbursed for, but it is absolutely necessary for the public good. But it is tough. Resources are hard to come by, whether it be financial or even personnel. And you're only as strong as your weakest link, and in this day and age, we're sharing data with more and more partners, we're sharing data directly with patients, and you're just opening up the door. And so it is incumbent to train your workforce and work with your boards. But it is definitely a tough fight where the odds are stacked against us.

Mr. Allen: So you are the cop on this beat, in a way. How much do you blame... how do you figure out how much, or how does the legal structure share the blame, decide who is going to be punished, how much you punish people who are really, in a way, the victims of the crime? Because hospital health care systems, to be sure, they are the custodians of the record, but also the ones who are directly being attacked.
So how do you, at the same time, punish and at the same time try to improve the system to make it more secure?

Ms. McGraw: Well, so we have a set of expectations with respect to security in health care, and they are absolutely critical. It is a cost of doing business. If you are going to be out there collecting health data, it is valuable; not only is it valuable to criminals, it should be valuable to you. It is one of the most critical business assets. So protecting the data from the threats out there is really sort of... it should be expected, and frankly, from a public policy perspective, it is important for patients to be able to trust their data is safeguarded. Not necessarily perfectly safeguarded, but safeguarded. We do not expect perfection. If you take a look at the cases that we have pursued, those entities, in our view, based on our investigations, had significant deficiencies in their security policies and processes. They were not doing enterprise-wide risk assessments, or maybe they did one like 10 years ago and they have not updated it. The adoption of basic security safeguards is slow. So I'm not suggesting that we have a right to demand perfection in terms of accountability, but we do expect entities to devote resources to security. We do expect them to be aware of security resources. And you, as the CEO of that hospital, if they are coming to you and you don't know what cyber security is, that is a big problem.

Mr. Allen: Clinton, what do you think? Are they exercising their role appropriately, or being too harsh or too lenient, and do you think that the regulatory and legal framework needs to change in order to deal with this problem that's rather quickly kind of arisen in health care?

Mr. Mikel: No, I think OCR is doing a really good job.

You are not in a good seat, are you?

Mr. Mikel: No, I'm not. [laughter] So as a client, I think OCR is doing a great job. And one of the stated purposes they have is to essentially teach.
And they have a really strained budget for their teaching. But you will see them issuing technical assistance as opposed to being punitive. We have a lot of agencies in the government that are punitive in the health care sector. OCR is not one of them, thankfully. And they've done a good job, I think, with splashing out their enforcement actions and pursuing big dollars so people in the industry see it as a deterrent effect, and they have hit business associates, hospitals, laboratories and physician practices. So I think they've done a great job. As far as the regulatory framework, I've really only seen one truly bipartisan proposal so far. And I think it is workable. So we take the servers and we put them in the bathroom closet and build a wall around them and we make the hackers pay for it. [laughter] So.

Very good. We're looking for solutions, so I'm glad.

But to pile on there, if you are the CEO of a hospital and you're looking to OCR for guidance, you are already behind the curve, right?

Absolutely.

You need to be, and no offense to OCR, you need to be following the best practices in good digital system hygiene. And if you are not doing that, the regulatory environment is not going to save you. And the fact is the CEO should know about these things, because this is an integral part of your business, and you need to make sure you have a CIO that knows what they are doing in order to protect that infrastructure. Because that is your responsibility, to protect the information of the people that you have in your systems, right?

Ms. Kenen: How... when there is ransomware and a headline that makes news... Five or six years ago when there was a breach, it was a breach that the public heard about, and it was somebody spying on a movie star in Hollywood. And I'm not Sharon and I'm not having plastic surgery, so I don't have to worry. But I think that is how a lot of us came across it. It was nosiness and internal, a lack of internal controls.
And now we have organized crime and cyber crime, because the health data is in so many sources. But the things in the paper, with the bitcoins and the hacks, is it occasional, or is it happening all of the time and we don't know about it?

To pipe up on it, in talking to CIOs, a small hospital in a rural area was a victim of, or there were, 3,500 attempted attacks on Sunday, on Mother's Day. They faced 90 percent of them internal, from the U.S.; 10 percent were external, from countries from China to Costa Rica.

Do we know they are internal? From the U.S., I should say.

Ms. Kenen: Were they able...

They are able to track where the threats are coming from. But that is a 300-bed hospital in rural America, and if they are facing it, think about an academic medical center with IP, and as we are starting to exchange, the number of opportunities for intrusion. Or to give you another example, there is a large health system on the East Coast, a 10 billion dollar health system. They turned away a million ransomware emails in the month of March. So the attempts are regular. They are happening to providers large and small across the country, and it is a matter of making sure that you've trained your staff properly to say no to them. But there are also times where, as long as you've got your incident response plan in place, you should have those systems backed up. And so if they hit one computer, hopefully that computer is useless and you have your systems backed up. There is no need to even consider the ransom. So it is a matter of having best practices.

Ms. Kenen: And how common is it that they have the best practices in place?

It is a work in progress. It is very definitely a learning curve.

Ms. Kenen: She is shaking her head. Sorry.

They are trying, is the reality. Our industry is rapidly becoming more digital. And we are trying to keep pace with the progression that everyone is making, while meeting patient expectations. But the reality is, the threats are real. They are regular.
And it is a matter of being up to snuff and working with OCR and looking at the cyber security framework and sharing threat indicators across the industry. Today, it is not as regular as it could be, as in other industries. And so I think we've seen some very significant progress, particularly in what the Hill did last year in setting up the cyber task force, and setting up the framework to share threat intelligence. Because that is the only way that the small critical access hospital in rural America is going to be able to leverage the lessons learned from their colleagues.

Ms. Kenen: What are you hearing as a lawmaker who has access to information?

Mr. Hurd: Well, there are more attacks than what we're aware of, and more people are paying the ransom than what is out there for public consumption.

Ms. Kenen: Widespread more, or a little more?

Mr. Hurd: More than... it is more than a little bitty.

Ms. Kenen: And a lot of bitty.

Mr. Hurd: Somewhere in between. All right. And so folks need to recognize that and understand that the threat is real, that everybody is potentially a target. And if you don't have... as an attacker, you are looking for the lowest-hanging fruit: the person that hasn't had their information backed up, that is using out-of-date software for their infrastructure. And that is who you are going after. And if you think you are the right one, you are the person that will probably get targeted.

Mr. Mikel: I'm comfortable giving it a "widespread." It is widespread and underreported, and a lot of folks are paying the ransom.

Mr. Allen: And are these ransom attacks, from the looks of it, some of them random? In other words, somebody is sending out bugs and they happen to land in a hospital. Are any of them targeted? Have the ransomware-ists figured out how to target a hospital? Because they must realize the hospital has kind of got to pay if they want to.

Mr. Mikel: Well, if you look at the studies and the reports out there, 2016 is really predicted to be the tipping point for ransomware becoming mainstream in the health care industry. Because folks are seeing that, yes, the hospitals will pay good money, more so than your individual, or a law firm that gets hit with it. And a lot of it is random. But I think it will become more targeted. And it is not just organized crime. There was a hospital in Flint, Michigan, that was hit, somewhat related to the water crisis. And it was a hacktivist type scenario.

Mr. Allen: I see.

Ms. McGraw: The way this appears to be playing out is very much a crime of opportunity. And so in the health care industry, there are clearly vulnerabilities that the hackers have perceived and they are going for it. And I think that Leslie put her finger right on it when she said the lack of contingency planning and data backup... That has always been part of the HIPAA Security Rule, but to the extent people didn't realize how important that was, they sure should know that now.

Mr. Allen: Are you saying that if people are reading a few rules and they are reading your guidelines and looked at HIPAA security guidelines, that some person in the middle of Nebraska with 300 beds is as ready to deal with this threat as Partners?

Mr. Mikel: A loaded question. The lawyer is advising you.

Mr. Allen: Can you really defend yourself if you are a small player and you don't have a lot of resources?

Ms. McGraw: Well, look, we've also put out there that entities need to do contingency planning and disaster planning. In fact, if you are in the middle of rural America, your systems could be hit by a tornado and disabled. So already we have an expectation out there, and always have, that there is contingency planning. HIPAA is scalable and doesn't have the same expectations as for facilities that are larger and larger-resourced. But this is a threat now that everyone should be aware of.
And if you don't have the contingency planning in place, you're a target, if you are not already being targeted, and having that in place will arm you so much better to be able to resist something like this. You are either going to pay for security, or you might be paying for ransom. But you don't get out of this without putting resources at this problem.

Ms. Kenen: And is this security something... a lot of the small rural hospitals, they've had a lot of demands on them.

Ms. McGraw: Yes.

Ms. Kenen: And it is not... not blamed on Obamacare. There are real issues, many complicated issues, facing rural hospitals, and health I.T. is one. I don't want to use the word burden; financially it is a burden, it is hard. Is the security so expensive that they are going to go under, they are going to have to consolidate and lose their independence? Is it sort of the straw that broke the camel's back for the smaller hospitals, or the category that has a lot of trouble? Can you do this and fix this if you are not a giant?

Mr. Mikel: No, I don't think it is limited to the small rural hospitals or the small hospitals. Hospitals are financially taxed. And I.T. security is hard. And it is ever-evolving. Like Leslie said, they only have to find one hole, and we have a world to deal with. So I think absolutely hospitals are under a great financial strain these days. And there is not really good money allocated towards securing this. So I think if you peer into the dark minds of a lot of hospital executives, they're rolling the dice with where they allocate their budget. And it is a matter of surviving as a hospital.

Mr. Allen: Leslie, what is your take on that?

Ms. Krigstein: You're right. It is something that... your budget is finite, and you will get incentive payments or take penalties from the federal government for any number of reasons. That is your market basket, how you will dictate getting paid. And security is not a line item on there. But the reality is, we don't have a choice.
We're going to scrape together every penny. It might mean you don't get a new MRI system; it might mean you don't hire as many nurses or doctors. The reality is the fines that you will take, or... it is not... you are not willing to risk your reputation or your business. Because, Arthur, as you asked, are they targeting health systems? Yes, they are. First it was just the data, but now they've recognized, if we disrupt their operations, we could put them out of business. They have to turn away patients. And then their name is all over the headlines. And so there really is an inevitability that you have to address this, regardless of what your budget looks like. So it is working with the board and creating security teams. If you are a small practice, you are scraping together with your colleagues and hiring consultants to help. It is just the world we're living in today.

Ms. Kenen: What are you hearing as a government official? You want to just scream?

Ms. Arthur: If you have a...

Mr. Hurd: If you have a network that could be attacked, then you need to array your network properly. If you take the financial incentive away from the attackers, or where your data is not all in one place that can be captured and held to pay the ransom, then you take the financial motivation away from the attackers to go after it. There is a building, a nice building, somewhere in Moscow that has hundreds of hackers developing the next software, and they are learning from the attacks that they've done and they look for targets of opportunity. They get a pretty good payoff. So they are going to learn more about how many other people fit that mold, and then they are going to be more targeted, and instead of doing phishing, they will do spear phishing, which is targeting an individual. And so if you have the network, make sure that you are doing the very basics to protect yourself. And sometimes it will cost more.
But if you are relying on the government to defend you, you have a much larger problem.

Mr. Allen: Can't we expect the government to do more to defend us? We can't defend against, you know, nuclear attack by ourselves. Sorry. Terrible comparison. But is there more that the Pentagon could do to interfere with some of this stuff?

Mr. Hurd: One of the things that the federal government could do is sharing techniques and procedures with entities, or with the information sharing groups that could get that out to the rest of the community. And that is an area where, if you know what the attack over the horizon is, or which other industries are being focused on, understanding what that is so you can array your limited resources against the most immediate threats. And so I think that can happen.

Ms. Kenen: We're all in the health care world and that is what we focus on, but if we were a bunch of bankers, would we be having this conversation, or have they solved it?

It is the same problem.

Ms. Kenen: Is health care worse, or are those of us in the room paying more attention to it?

Ms. McGraw: We talked about this before. There is a perceived vulnerability out there. And the hackers are going for it. And we know this now, if we didn't know it before. I suspect Emily has been hearing about it for a long time. The vulnerability of the health care system is not necessarily news to us either. So there is work to do to shore up what is an important national asset, which is this data that really is critical to the health care system. We have a role to play with respect to HIPAA. We put out guidance for small providers to help them with the basic security expectations. We're currently working on some additional guidance on ransomware to help entities get ahead of this. It is going to focus on the contingency planning issue that Leslie raised, but also some of the tips that have come out about how you might be able to detect it before it happens.
But nevertheless, it is absolutely not an issue that we can ignore. We don't deal with punishing criminal behavior. So we're doing what we can to try to help the entities who we regulate to try to meet this threat, and creating a set of expectations with respect to how they meet the threat. But I do think there could be some more that we could be doing on a national level on the criminal aspect of all of this. Easy for me to say, because I don't do that work. But this is criminal behavior, with respect to the hacking piece.

Ms. Kenen: And is that on the agenda adequately with law enforcement?

Mr. Hurd: Is it on the agenda adequately? So law enforcement is looking into everything it can to help the private sector, no matter what the industry is, to defend themselves. Does law enforcement, whether it is the Department of Homeland Security or FBI or Secret Service, have enough resources to help everybody across these industries? No. But that is why the importance of the ISACs, where you have industries come together to share, and the legislation we passed last year is going to help facilitate that, but we have to make sure the federal government is passing and sharing information. One thing that I hear a lot from health care providers is that there is a bunch of old and antiquated rules and regulations that are confusing, and they don't know what they are supposed to mean, and that kind of stuff. So these are some issues that need to be streamlined as well, so that health care providers know exactly what they should be protecting.

Ms. Krigstein: And I think there was an element as well in this... this is part of CISA; we heard from members in terms of looking at HHS, and not just law enforcement, but just within HHS, there are so many different entities that have different responsibilities in this space. So the FDA approves medical devices. Are they secure? OCR covers HIPAA.
How does HIPAA interface with the NIST framework? That requires interagency coordination. And you are looking at ONC, and they certify electronic health records; are they certified with enough security from the beginning? And so as we're looking, kind of, even within HHS, something that we asked for, and were really pleased ended up being included, was a directive for HHS to line up who is running point on this issue. And how can we look to the agency and get a singular answer? And I would say more than that, we've noticed a shift: traditionally, we were looking at privacy and security, unfortunately, as two separate things in health care, and I think until we recognize that the privacy of the data absolutely is an element of security, and patients have the right to know their data is secure, that is going to be a game-changer, I think.

Mr. Allen: So you think we need to appoint, like, a health cyber security czar who runs the whole thing, no?

I think HHS was given a year to put forth this interagency plan, and I think that when we see the results of that, it will really help in terms of knowing who to go to within the agency. But I think that was a great addition that I'm not sure the rest of the world caught. But it was in the range of things that were health care specific that passed with CISA.

Ms. Kenen: We're all thinking about this in terms of our personal information and the threat to... many of us in this room have had our information hacked, whether we know it or not. Maybe everybody. But this is a big data question. But we're also at the brink of... we're talking about using data in lots of really interesting, potentially really helpful ways, right? We're talking about patient-generated data. All of the things that we've been talking about after two years; there are cool things happening.
The patients, the way we participate in clinical trials and patient engagement and pushing data, and Arthur could talk about the cohort from precision medicine. There is so much going on that requires use of health care I.T., way more than just turning your paper chart into a computer chart.

Mr. Allen: So how are we going to let that data sort of... how will it flow? When we can't protect it, yeah.

Mr. Mikel: Well, getting away from the data flow, which does not flow at all. And Deven will have something to say about that. Or not.

Ms. Kenen: There is the interoperability issue. But there is also... say we have the magic wand and we get everything interoperable tomorrow, and there are blocking issues, and in the next few years we are supposed to be able to exchange and produce data in ways that we couldn't do before, and it has an amazing amount of potential, but is the privacy or the security thing, since you just said they are two different things, how much in the way is that going to be?

Mr. Mikel: I think this illustrates why health care is actually a much scarier place to be in than the financial industry, which is much further ahead than hospitals, health systems, anyone in the health care industry. Because when we're talking about ransomware, we're talking about data. We're talking about patient safety. What keeps a lot of us up at night, especially on the I.T. Subcommittee, is not necessarily the known quantity of stealing patient data, but it is all of the other inputs that go into that. It's the networked medical devices. It is the networked anesthesia machine. It is the temperature and the air saturation in the OR.

Mr. Allen: So the Dick Cheney scenario.

Mr. Mikel: Absolutely. He got widely mocked for that, but he was on to something.

Ms. Kenen: Has it happened already?

Mr. Allen: I don't think it has. Not that we've heard.

Mr. Hurd: Somebody's actual pacemaker hasn't been hacked, but there have been many demonstrations of how to hack a pacemaker.
Some people talked about the attack on the utility grid as philosophical, but that happened recently: the Russians attacking the grid in Ukraine. And it is possible, outside of the theoretical. But those fears shouldn't prevent us from moving toward interoperability. I own that data. And that is my data. And I want to pull it up on a dashboard and figure out what happened in the last couple of doctor visits, and I want to make sure my future doctor has access to this stuff. And let's say we can make that data anonymous and protect privacy, so as to make sure that we have true interoperability to detect Zika faster and make sure that medicine is being developed on a quicker basis. And when we do, we increase the surface area of attack.

Ms. McGraw: And that is one of the reasons why the HIPAA rules are not just about security. It is also about availability and data integrity. Because those regulations have always presumed that the data has no value until it is used, appropriately and as often as necessary, and that is why the rules are built the way they are. So it is never going to be, well, we can have this or have that. It is, we have to figure out how to have both.

Mr. Allen: If you are a provider, don't you think the instinct is going to be to shut down and not send your information through a health information exchange, because you are not sure that all of the players there have good security?

So if you are talking to a CIO or chief security officer, there are no set rules of the road in terms of security. So the framework is a great starting point, and we've heard there is health care-specific guidance coming, which we're excited about, but in reality it is optional.
We are not saying we want more mandates, but the reality is, if there is an industry-led effort or someplace to look for standards, it is really valuable to know that if you are engaging with another provider or with the health care information exchange, they've got a set level of security that then you can deem, OK, they follow this or they've done that. So I know that I can share with them and I should be OK. And so I think we're coming together as an industry and starting those conversations. But if you ask, there is a desire for a minimum set of requirements that you could build on top of. But the expectation, hopefully, someday, is that we will all be at one point where we have some level of confidence to embark on that sharing.

Ms. Kenan: We are going to be able to take a couple of questions before we go to the other panel. And I want to start, Darius, where are you? We have a reporter. Darius is in the room and probably standing, where are you? OK. He is one of our reporters.

Darius: So what we always hear in the cyber security discussions is how valuable the stolen records are. I was wondering if there are any efforts to track what these records are being used for and how extensively they might be leveraged for financial gain?

Anybody want to take that on?

Well, I think the only thing I will say is, it isn't part of our purview to track where it goes after we get a breach report. For example, in our investigation, we'll take a look at what happened during the breach and whether we have some significant issues of lack of compliance with the rules that we have to pay attention to. But one of the things that I've definitely seen is a connection between medical identity theft and fraud, and the increase in health care fraud that is out there, and the ties between security and strengthening health care security and helping to combat fraud.

Mr. Allen: So we've been able to track, this record was stolen, and later that same number that was stolen on that record ended up in this fraud case. Has that been done? Because that is the cause and effect that would be...

Mr. Hurd: You need to put a tracer on data so we could figure out where it goes, right. The fraud units that are involved, whether it is a big insurance company or the government, are the ones that would see the impact that it is having, and they should be keeping track of that data. And I think that is something that would be interesting to see, within the health sector ISAC, on the kinds of things they are seeing, where that data is going.

Ms. Kenan: There was a question over here. Could we bring, wait for the mike. Over here in the front row.

Steve Luckin: I work and study in the city. At the outset, thank you to the Politico team, Alexis, Mike and Rodney, shooting photographs here in the city. I guess first to the congressman, three quick ones. How do you deem your efforts or the efforts by your colleagues in bringing forth a cyber security protocol? The second is, have you received, either from Capitol Police or FBI or any of the other organizations, notice about having your own or your peers' medical information hacked? And the elephant in the room is casualty. So what about the insurance companies that, to the extent that a lot of their patients get hacked, could face a serious, massive class-action suit? And thanks.

Mr. Hurd: The first question, look, the oversight role of Congress, to make sure we are providing performance standards rather than trying to bake something into a law, is important. Because the reality is, as soon as we say this is a best practice, it will change in six months. And so we have to create legislation that is flexible and grows with the times. And that is when you talk about performance. What should the outcomes be?
I'm not aware of anything dealing with individual members' health information being targeted. And the last one?

Insurers.

Ms. Kenan: Oh, absolutely. I think this is something that everybody is looking at. This is a question that insurance companies are looking at, at major breaches, whether at retailers or banks: what is the insurance aspect to a major breach? And when it comes to the health industry, it is huge, and I don't think there are any answers on how to deal with that yet.

Ms. Kenan: And when we planned this panel, we thought, maybe the American Bar Association has somebody looking at this. So we went to the website and we found not only do they have somebody looking at it, they have an entire new section on e-health and data and all of this. And you tell me there are, what, 1800 or 1400?

Mr. Mikel: 1400.

Ms. Kenan: 1400 lawyers already in something that didn't exist. When did you start this?

Mr. Mikel: About six or seven years ago.

Ms. Kenan: So that is, I think that sort of tells you something about the magnitude and the growing magnitude. A couple of quick takeaways. We need to get through this panel to start the other one. Dan will be out here in a minute. Before we wrap up, Arthur and I will each think of a quick takeaway. This is a bigger problem than most people realize, and a bigger problem than I realized coming in. It is massive and pervasive, and we're not going to have, none of us as individuals can protect ourselves. And it is not solved within the next year. Arthur?

Mr. Allen: Yeah. And I think that it is also, it is just another, I think we've heard here that this is just going to be sort of another pressure on the health care sector, parts of which have a lot of financial and other strains. And unfortunately this was an unforeseen consequence, I think unforeseen by most, of the meaningful use program and the needed effort to get computers into medical offices. And so. That is it.

Ms. Kenan: And it was such a push to get the adoption of the electronic health record that there was not enough.

Mr. Allen: I think most people didn't foresee that it was going to make the health care system vulnerable in a new way.

Ms. Kenan: A whole new bag of cards.

Mr. Allen: I think there were probably some who did. But any other closing thoughts?

Mr. Mikel: I think one thing that bears repeating is we hear a lot about how you need the board to get involved, and you need senior leadership on this. One important thing to remember about health care, and specifically hospitals in our country, is the board of even a large hospital is not necessarily the type of board that you would think would exist for an entity of that size. About 59% of the hospitals in this country are nonprofits. So you have donors. You have political influence. 22% of them are state and local entities. So it's hard sometimes just with the dynamics of the board leadership.

Mr. Allen: Interesting.

Mr. Mikel: A different industry.

Ms. McGraw: I don't want to say that hacking and cyber crime isn't worth singularly paying attention to. It absolutely is. But I think we risk getting attracted to the shiny object when good, basic security should be the platform upon which all of this gets built, and we're not even really there yet, for many entities. And we have to figure out a way to get there.

Ms. Kenan: I need to wrap up the conversation.

Mr. Hurd: A quick point.

Ms. Kenan: Yeah, yeah, you have to talk as fast as me.

Mr. Hurd: Don't click on links in suspicious emails.

Ms. Kenan: There you go. It is time to wrap up the conversation. Thank you for being here and sharing your insights, and I'm going to welcome Dan Diamond from Pulse who, he's helped us put together the forum, and the next panel will take over. And then stay afterwards and continue talking and drink. [applause]

Dan Diamond: Welcome, everyone. Thank you for coming. I'm excited to join the team.
My role here, in addition to writing Pulse and doing the Pulse Check podcast, is moderating the Outside-In forum. And you see on your seats the first story we published as part of the forum. I even have it here, if you haven't seen it. Polling insiders on what our biggest cyber security challenges are and the role that government can and should play. I do want to welcome our 3 panelists, as I sit on this high chair. First, a man who needs no introduction; I'm going to give him one anyway. Aneesh Chopra, co-founder of Hunch Analytics, spent years providing leadership on IT issues in the White House and worked at the Advisory Board Company. And Nick Dawson, executive director of the Sibley hospital innovation hub, better known as the innovation czar. As long as I've known Nick, which is 10 years, he's the most thoughtful thinker on sharing health care information online. And our last panelist. He studied this issue very closely, and it is timely to have you, because you just did a report Thursday, last week. It was on cyber security and some of the biggest issues plaguing the sector. I have questions for the 3 of you, but I wanted to start by taking the temperature of the room. Simple question. Show of hands. Is cyber security getting worse in health care? Show of hands. OK. Only about half of the room. Is it getting better? Is cyber security safer than it was? I'm going to turn to you guys. Aneesh, is cyber security worse than it used to be?

Aneesh Chopra: So I'm going to answer this question with the typical caveat, which is yes, in the following context. We were in manila folders five years ago, eight years ago. And so when you've increased the spread of digital records, by definition you've created more of an attack vector on which there could be more risk. So relative to manila folders I would say the cyber security risk is higher.
On the flip side, if you take a look at the preponderance of the data on where the cyber security risks have come from, the non-certified health IT services are where the attacks seem to be. So if you take the practical nature of this, data in many databases that have been sold in the commercial sector, banking sector, health care sector, databases that people can log into and have access to, that someone who does convince me to click on a malicious link might expose; but the systems that are regulated, the certified systems that were subsidized under the meaningful use program, for some reason have been less prevalent among the list of sites. That does not mean that they are perfect or that they are safe. Just, if you look at the evidence, the overwhelming share of attacks have been in the uncertified area. Worse, but in context.

Dan Diamond: Let's come back to the certified point, but maybe move down the line. Nick, on the security question, have things gotten better or worse?

Nick Dawson: I was ready to take a contrarian view. I was given a beer and shown a comfortable chair in the back; if I take that view it means I can't come back, so I can adjust my point of view.

How much alcohol have you had? We were hoping you would go full throttle.

Nick Dawson: It's a bell curve. I would echo those sentiments. We've become digital very quickly; it increases the attack surface. There's also the pragmatic reality that threats have been there for networks for years and years and years, and this is a hot topic and a timely one for our industry for some well-known examples, things we have just heard of. I do not think it necessarily means that the sky is falling per se. I think from a provider organization standpoint we're wrestling with the reality of, is this really the business we want to be in and know how to be in? Do we know how to staff for it? Do we know how to fight these kinds of things?
We've kind of convinced ourselves that we need to be all things to all people: we have to do service delivery, and we need to be a leasing organization and a research organization and a provider organization. But this may be an area that we're significantly focused on, so we think it's a hot, pressing topic, but we might want to reexamine that.

Dan Diamond: Niam?

Niam Yaraghi: I think I agree with the panel. The frequency of these cyber attacks is becoming lower, primarily because health care is becoming more secure in IT, just like any other industry. When you're younger you're more likely to have accidents while driving. And as you get used to it and learn how to drive, the accidents are less important.

Dan Diamond: You think we actually might be trending in the right direction as health care matures. Things are getting safer.

Niam Yaraghi: Correct. And the other thing is, I think the recent ransom attacks are the best thing that could happen for health care security, because they now let people know about the importance of cyber security in the medical domain. Cyber security and health IT are no longer an overhead for the hospital managers; it has now become an integral part of their services. Now they realize that if they do not invest enough in cyber security and IT, it is going to hurt their main core operational businesses. So I think now that these recent attacks have created this awareness, health care providers will have much more business incentive to invest in cyber security and ensuring patient privacy, just like other businesses do.

Dan Diamond: So one of those ransomware attacks, we heard about it on the first panel. Probably everyone in the room knows the MedStar attack, where hackers held hostage, asking for bitcoins to release the information back. Hospital executives basically had to cancel patient visits. Nick, you are not at MedStar, but you are at a MedStar rival.
I'm curious, as an executive of a hospital watching this happen, what were the meetings like in the boardrooms to make sure that you are not the next MedStar?

Nick Dawson: I don't know if it's a direct quote; I think it was probably a conversation that started with, what's a bitcoin? [laughter] And that's not, I think that's probably a conversation anyone would have. My point there is, the notion is really esoteric. The notion of being held crypto-ransom. There's a whole set of education we need to have. What is the threat versus reality? That's the case where there was actual reality, not just a threat. So the first part of it starts with unpacking what's really happening, what's our real risk, what's the mitigation of that risk, meaning like time to figure it out for ourselves, to restore from backup if it's a possibility, to come up with a different solution, versus the cost of just paying it. Sometimes that cost of paying it is cheaper than waiting to try to figure out another plan, if there is another plan. I think that's part of it. I think for us, and instead of pontificating on what happened in the boardroom, I've not been privy to that conversation, but I'll tell you what the innovation team starts to talk about, is how do we think about this in a different way. So not in the sense that, although there was a suggestion we should start mining bitcoin, have a stockpile.

But that's another business for hospitals. Architecture firm. We made our margin on bitcoin this year.

Nick Dawson: I think instead it's, how do we not have a single point of failure? So our team got together and said, what's going on here? We said, it seems like the IT infrastructure, really the EMR, because it is the piece that does the billing and medication delivery and admit and discharge, is the operating system of the hospital. And how did we have that become a single point of failure? So we started talking about different types of mitigations. And that was kind of where we took it.
Dan Diamond: I feel like that plays into what Aneesh was saying initially. Which is more vulnerable?

Aneesh Chopra: I'm not suggesting that one is particularly better than the other, but I would say the certified systems have at least embodied a lot more of the best practices into the regulatory framework. So there's actually a fairly basic understanding of how do you encrypt information at rest and in motion, and how do you ensure there's a user authentication process, so when Dan Diamond logs in, I know it's him and not a machine pretending to be Dan Diamond. So we've got more of these testing capabilities to make sure the software sold to the organizations can meet a certain bar. And that bar gets better every cycle. Whereas the broader systems that are available everywhere really have not gone through that level of review. So as a consumer protection matter, if you're the head of purchasing, you may not know that this particular outsourced vendor that does your billing and collections, that gets the entire patient file to make sure that the copays are collected for the 20% that are missed, that that entity has some cyber security best practices and hygiene to the standards that are seen among the certified technology that is made available. So my perspective is we're getting better. It's an interesting point about health care. I'll make this observation about getting better. The whole framework for cyber security was we'd have a learning industry model, that is to say there's more disclosure of breaches, which would then inform root cause analysis to say, now we know where the vulnerabilities are, let's close the loop in the next round. And that we would have this much more transparent system, collaborative system. Health care is actually further ahead than the rest of the industry verticals, because part of the HITECH Act was to create a framework that required that breach notification and that disclosure. So we're actually, wow, a lot of attacks in health care.
It's one of the few that requires reports. Not all sectors do. So we're benefiting in many ways, because we're shining light on these holes, which leads to a loop where we get better and better over time. That's at least my perspective on how the systems evolve.

Dan Diamond: I like that learning system per se.

Nick Dawson: I want to go back to one quick point and get kind of nerdy about it for a second. I think what I'm hearing, and this is a good crowd, by the way, to get nerdy.

Dan Diamond: Cool. I give you the blessing.

Nick Dawson: This is a marginally informed comment. I want to preface it with that. What I'm hearing is that the specific attack vectors are often unpatched Microsoft servers. That's a well-known huge vendor. That is not small.

Dan Diamond: I'm sorry, Nick. I probably know the least on this panel, so help me understand. Are we talking about Microsoft Office? Like, what specifically in Microsoft?

Nick Dawson: I'll get out of my depth really quickly, too. But Microsoft has a server platform that a lot of the infrastructure sits on. It might be the part of the application layer that runs part of the EMR. It could be part of the database layer, though increasingly they sit on a Unix platform. We all have Windows 10 on our laptop. That has to be kept up to date pretty regularly. So that underlying operating system is what seems to have a lot of the vulnerability.

Niam Yaraghi: Aneesh just said we see many more attacks in health care only because health care is required to report them, as opposed to other industries that are not required to report them. It is designed like that in order to let people learn about the failures, but what is happening is we only learn about the incidents, not the root causes of the incidents. You go to OCR's wall of shame, so many attacks that happened. I haven't learned anything from this. I don't know if you have learned anything from the failure of MedStar.
I think to use the potential of that learning curve and an industry informing itself, both OCR and also the health care organizations and other entities in the health care system, which are not limited to health care organizations and their EMRs, there are business associates and insurance companies who many times have access to much larger volumes of patient data and are not using certified or uncertified EMRs, to learn from these breaches, to learn the lessons from these breaches. And unfortunately, it is not happening at the moment.

Dan Diamond: One thing I was struck by on the first panel, the congressman said the hackers are learning from each other, Russian hackers. The victims in the United States, they don't have the same information sharing. How do we fix that?

Aneesh Chopra: Well, we're getting, let me be precise about this. We do have a framework under the Commerce Department agency that is really the Switzerland for a lot of this information flow, to establish these industry verticals that are sharing. One of the big problems is, what are you sharing? Are you going to release personally identifiable information to share? Hey, I got this email from Dan Diamond, man, he sent me some crazy things.

Dan Diamond: You keep saying my name. Is someone sharing my information with you?

Aneesh Chopra: I get this stuff, hey, Aneesh, I'm preparing for the panel today. I click the link. That was an infected, that email contained a link that installed malicious software on my computer. How do I share that email with others without violating your privacy in order to learn? How did that particular piece of malware get onto your spoofed email? So getting the privacy right has been the central debate in information sharing, which Congress now has moved forward on. This framework, the goal is to minimize PII while maximizing the sharing and learning across many industry verticals.
So we're not perfect in health care, but we have at least a model to say, how do we ensure, now, in the first term of the Obama administration, we were at a cloud-first policy, in part because patching is a human failure, right? It's not Microsoft's fault you didn't patch. You've got to push the button and patch. So the staff, I mean, maybe have some burden, but the premise, part of the reason I was enamored with the idea of cloud is, in many ways, you auto-patch in bulk, so you get the threat vector at 3:00 p.m. on a Monday afternoon. You learn a new signature. You figure it came from this domain, from this apparatus. You sort of incorporate that into the feedback list. Next time it shows up in the same cloud environment, you stop it before it's presented to him to click. So this learning, real-time learning, I think it is the opportunity that's coming. And we know we're stuck in the must-have-servers-on-premise. But then you have to bear the responsibility. If you're going to do the infrastructure, you have to do it all the way. I think it might lead to a further acceleration to the cloud.

Dan Diamond: Just want to open this back up. Outside In is the hashtag. If you have questions, submit them. They'll get passed to me. I want to build off something you just said, Aneesh. We're at this balance of protecting information but also the need to share this. This is your point. How do we make sure we strike that balance in a world where we're going to benefit from sharing health data for outcome insight, for making it easier for patients, but someone on the first panel, I think it was Clinton, said the way to protect data is to put it all in a server in a bathtub and not let anyone see it. What is the right answer moving forward to strike the right balance?

Nick Dawson: Between, I want to make sure I get the right question, so between sharing and Dan Diamond opening it up. I would say, back to what I said at the beginning, we invest, we built this incredible infrastructure around IT security. In fact, any community that I know where the community hospital is the largest employer, it's also the most advanced IT shop. They tend to be an anchor for people who want careers in IT. That is an amazing thing. We continue to build in the infrastructure. Do we keep investing more locally, or do we start looking for cloud-based services? We look where we left the door open and put a guard in front of that door, while we realize we've left our backside totally uncovered and people are kind of flanking us that way. I think that is a question. I think the other way of looking at it is, do we take the same amount of money and resources and put it into building something completely different? And my version of this, maybe where I'm a little bit contrarian, and I went before this conversation to a bunch of patient groups and said, what's your view on this? What would you want? And almost universally what I hear is, I want to own my own data. I want to decide who gets access to it. I have a Gmail account. As far as I know, Google does not get hacked. But sometimes I sign up for a website and say to the website, use Gmail or Google as my user name and password, so there's a mechanism for that. I'm adding a couple of layers of sophistication on top of the comments I heard. But my version of that is, if we want to start sharing things, what if we took the money and resources and fit something entirely different, and the thing different would be putting the data back in the hands of the patients and letting them be the ones to share it, and having an authorization mechanism for doing that. Right now, it's so hard for some patients they may as well just hack the system if they want to get the data. Anyone could get the records faster.

We're not endorsing that.
Especially because it's too easy to hack into the software systems. Your report touched on this, all the different hackers that are out there, Niam. And some of them are malicious, and some of them are the misfit youth who are doing it on a dare or for fun. What are some of the commonalities around who is doing the hacking, and what can we learn from the patterns of hacking behavior?

Niam Yaraghi: Well, I interviewed 22 victims, and out of those 22, only two or three of them were real victims of hacking attacks. The rest were just goofy people who happened to, you know, lose a laptop or a thumb drive or something like that. I really don't think hacking happens that much in health care. It happens more than it should, but not as much as we think it is happening. Because I still cannot believe the stories that I read in different news outlets claiming that medical data is $500 per record, because if that was true, and the community hospital has easily 1 million records, if I could hack into them and sell that data at $500 per record, that is $500 million; I would quit my job at Brookings right now and go learn to hack into these systems.

Dan Diamond: I'm sensing a theme in our panel. We are not endorsing this bad behavior. But point taken. It's a little overhyped.

Niam Yaraghi: Yeah. But ransomware makes all the sense, because again, please pay attention that these ransomware attacks, they're not touching your data. It's like somebody changing the lock of your front door and not letting you get in. They do not touch the things in your home. They're not stealing anything. They just tell you, hey, give us $15,000, maybe $20,000, to let you get into your home. That's it. Because the hackers themselves know that it's really difficult to monetize medical data. I mean, who cares about my blood test? Nobody. The only thing that they are after is my Social Security number and home address, date of birth, my personal information, part of those health records, not the medical records.
And they use that in order to create a fake identity or submit insurance claims and everything. And it is very difficult to scale that up. You know, from a hacker's perspective, he may pay you $500 for one record, but he's not going to pay you $500 million for 1 million records. It's very difficult for them to monetize.

Dan Diamond: Let me jump in. I see Aneesh is nodding along. You agree with this assessment that it's not all about the medical information, it's the Social Security numbers and...

Aneesh Chopra: Well, so here is, it's hard to get in the mind, because this is not well reported. But let's just take it: in 2010, the president said, I'm going to provide basically online access to patients in the VA to access their health records via Blue Button. Loads up the Blue Button, and a million veterans push the button and access their data. Not a lot of widespread reports yet of people faking they're a veteran in order to get another veteran's Blue Button file, not yet. CMS follows suit. Maybe a million people have downloaded the Blue Button file. Not a lot of evidence, or at least reported evidence, of people faking. And on and on. Now we expanded the concept of buttons into different colors: green button for energy, red button, I thought it was red, then My Data for education. Then consumer financial data became the IRS Get Transcript. All of a sudden, the IRS Get Transcript, which now does have, to his point, the kind of stuff you would reuse for economic gain, 23 million Americans downloaded their Get Transcript file. 200,000-plus have been publicly reported as having been spoofed, hacker-like attempts. So it provides some evidence that the attack vector is for the data that has economic reuse and not so much the clinical values. And my perspective on that is the following hole in our current systems. The current hospital or doctor does not know whether a machine is logging into the portal or a human. The internet economy has figured this thing out.
There's a door for the machines and a door for the humans. And you have security that's commensurate with the request. If you want to get the machine door, the patient has got to authorize it, the consumer has to authorize it. You have one more step than if a human just logs in. The great news about where we are in health care is that the Obama administration in November finalized the meaningful use, which is now part of all the other acronyms. We have a very clear view that there will now be a machine front door, a front door for machines, that will be secure and would allow for a more thoughtful way of registering. So no one has to hack the account in order to pull their health record into something that Nick is describing that could make them make better decisions in their health care, but rather a thoughtful front door that they don't have to hack in to get their own data. And really the race is on: protect the old, the patching of the old servers and the painful headache, while turning on the systems that we're going to need to be successful in a value-based health care world. That's the opening-up-while-locking-down conundrum, which I think the opening up is going to win. We will spend a lot more time doing that than this.

Dan Diamond: We have a few minutes left. If you have a question, please raise your hand, and we'll try to get a microphone to you. I have a question first. I don't have a response to that. We just heard from Aneesh a potential solution from government on a way forward. Nick, Niam, what is the government intervention, or maybe lack of intervention, you'd like to see? I understand the government may not always be helpful when getting into this space.

Nick Dawson: I want to be thoughtful about that, because so many of the thought leaders and the people I learned from are government leaders. I think from our legislative standpoint, I would want to not act too quickly, because my, I don't know. I think my numbers could be wrong here.
But I think very, very few people in Congress identify as coming from a math and science background. And this is pretty heavy in the math and science realm.

Dan Diamond: Congressman Hurd may disagree with you.

Nick Dawson: I think it's a fine percentage. I look at a bill that does not understand cryptography at all. It would basically ban a web browser. So I would not want to rush down that path and find ourselves hamstrung by something. I want to go back, and this is just ad-hocking on the spot, and to go off of your idea of a learning network: we do not understand the root cause of these things. I think it is my server unpatched. What I would like is a government convener to connect this.

Dan Diamond: Lowercase g convener. I like that.

You like that? Would you, would you copyright that? This is the lowercase g in government that convenes the industry to solve and learn in varying forms. So it was my favorite industry for collaboration, because it didn't have the heavy hand of regulation, nor was it a free-for-all, don't do anything. But it had a thoughtful method by which we could orchestrate the right answer, which really is at the heart of what our government was founded on, this notion of community and commonwealth.

Niam Yaraghi: I think the best government can do is convening and bringing people together and inviting them to talk with each other and work on a problem. But expecting government to help with innovation and information technology is really foolish. We have seen the results of government intervention in health care information technology through the meaningful use programs, and we have seen it through HIPAA regulation. It has been a miserable failure in both areas, so I think we should not expect government to be capable, you know, of solving this information technology problem. It has not been successful.
155 million americans had their records out there that have been victims of privacy breaches and that is the lowest estimate because ocr only reports the , breaches of more than 500 people for each of those large breaches there are hups there are hundreds of smaller breaches thats are not even reported. So i can comfortably say that all of our records have been out there. We all have been a victim of privacy breaches. And, you know, if government couldnt help one of us protect our privacy, then i personally do not expect it to be able to do anything better. So let the market do its job. In my last report, i lay out how Cyber Insurance market could potentially solve all of these problems that we have in the patient privacy and Cyber Security and how those marketbased solutions could be a long lasting approach to save the to solve the problem fundamentally. Dan diamond as you were talking, i noticed the first panel nodding their heads or shaking their heads no. Just so you know. [speaking simultaneously] i love to defend the Meaningful Use Program. Could you imagine, just a simple question, the average doctor who is caring for a couple thousand patients could not figure out which patients whose background or condition may have a heart attack or hypertension, which of them had elevated Blood Pressure levels so they need to be managed in a more aggressive way . We as a country could save a million heart attacks now because of the method by which weve basically built up the program. Every Certified Health i. T. System is capable of running a simple query, so nick and his team could say, whoo, who are the 15 patients we didnt know at risk of a heart attack . Lets go call them, bring them in, counsel them, lets make it happen. So one final thing. Cyber security Insurance Market, you cant build an Insurance Market unless theres a standardized data model on which they can insure against. 
So you needed the government to build standards to know what the root causes of the problems are onhi
