Transcripts For CSPAN Health Care Cybersecurity Discussion 20240714

... shedding light on some of the most pressing issues of our time when it comes to threats that impact our nation. For today's briefing: we have seen a number of very high-profile, expensive, and potentially dangerous cybersecurity attacks in our nation's health care sector. We brought in two individuals who have a wealth of knowledge in this area. Robert Lord, who is the Chief Strategy Officer at Protenus, will be here to give a presentation and talk about this topic. We also have the CEO of eHI.

I am not speaking on behalf of either of those organizations. I am really just talking from my experience and providing a little perspective on the challenges we see in this space. To contextualize this: sometimes when we talk about cybersecurity, it can be a little bit too much. The first thing I think about when I think about health care cybersecurity is the patients I had in medical school. One of the things you learn about HIV patients, other than that they are a complex and rewarding population, is that they have serious concerns around the privacy and security of their information. They will go to extreme lengths to make sure people do not find out about their diagnosis, because their coworkers and communities might use this information against them. One of the things I began to think about was: what are we actually doing to defend their information? The more you dig into the question (this is back in 2013 and 2014), the more horrifying the answer is. The reality is, the challenges we face in protecting health data are extraordinarily difficult. I will try to give you a taste of not only the important anecdotes and stories but also the data behind them. I think it makes sense to start with the breach in 2015. For many people, and I will ask for a show of hands, who got one of the Anthem letters? I did too. This was about half of the U.S. population. About 140 million medical records breached. We will never know the exact number.
For many, this was a massive wake-up call to the fact that health data was centralized, highly vulnerable, and highly valued. The story did not end with the Anthem breach in 2015. The hits keep on coming. Then a breach with about 20 million medical records, individual patient data, that were identified. In 2016, we had a major ransomware attack that reduced an entire hospital system to pencil and paper. All of the electronic records are unavailable, and now you are using pencil and paper. Pretty scary. This is not just a couple of anecdotes. If you scale it out, a recent report shows that 70 percent of health systems reported experiencing a major data breach, and one third of them experienced one in the last year. If you think about this entire picture, we are in a terrifying state. It is one we are not necessarily talking about. Health systems are aware of it all the time. I am not a big person on speculation, but it makes sense to think proactively. There is also the possibility, raised in a Bloomberg article, of state actors or individuals or other types of criminals engaging in types of blackmail. There are some gray-area reports that this does happen. Most of the time, these are not reported. These are the anecdotes. I do not want to focus on what could be. For the rest of my presentation, I want to show you the data that shows what we are facing right now. For some of you in the audience, you are going to know everything I am talking about. For others, I want to contextualize why health data is so valuable. By some reports, and I think these are a little exaggerated, a single individual medical record can go for upwards of $1,000 on the black market. There is a lot of value to them for a lot of reasons. They can be used for insurance fraud and fraudulent claims. You can steal someone's ID. You can do it comprehensively when you think about the information in a medical record.
Illnesses, past financial information, it is all in there. The only thing that has more information on an individual is a comprehensive security document. Medical blackmail, that can be state-based. People use it for courtroom litigation. We have seen it all. You can run fraudulent Medicare and Medicaid billing; we have seen that. You can create synthetic patients and bill to those patients. A lot of really terrible and devastating crimes can be committed with medical records, with impacts that can go on for years and years. Recently, there was a CBS This Morning report that featured some of the data I am going to show you today. It showcased an individual who, while he was in the service, had his medical identity stolen. He was resolving those challenges for 15 years. He has been dealt quite a hard blow. We are a leading health care analytics platform. I am not here to talk about my company on that side. We also have a research group that works with a third-party group that helps to identify trends. I'm going to show you some interesting proprietary data that will add some color you do not normally see in this space. One thing to start out with is that since 2010 (and I do not show all the way back here), there has been a significant increase in the number of data breaches that occur, without fail. We have seen this since we have been tracking the data. We have seen it every year. We are predicted to have another record year. This number, the 285, is just a half-year estimate. We are going to be down in 2018, unfortunately. If you want to look at the number of records breached, we are excluding the 2015 Anthem breach; if you added that column, it would go up to 170 million records in 2015. In 2016, we had a banner year with some big breaches. That was almost 30 million. Then it tripled in 2018.
In 2019, the estimate you see of 32 million is just a half-year estimate. I can go into a little more detail, but that is a mix of what we have seen from a phishing perspective. We provide a breakdown of this in the Breach Barometer, which you can download and subscribe to. Google "Protenus Breach Barometer". Between [indiscernible] 5 and 40 percent of breaches are due to insiders. That is individuals who have some legitimate level of access to the electronic health record and abuse it. When I was a medical student with my white coat, I could access any medical record of any individual who passed through the walls of my institution. That is not because my institution was unique. That is true of basically any health system in the world. For emergency access, you need to be able to get access very quickly. You also have complex environments where proactively using role-based access control is a failed paradigm. It is too complex to tackle with that kind of a threat. This insider threat is one we often underappreciate, but it is one that leads to a huge proportion of the breaches. Who is most vulnerable? Hospitals themselves, by a large share. This is not because hospitals are lazy or do not care about the problem. They care an extraordinary amount. Hospitals are often running on razor-thin margins. Their technology investment is not always what they want it to be. They have to take care of patients. When they look at their list of priorities, there is a lot going on they have to be thoughtful of. A large health system is going to have 30,000 employees who all have access to the medical records. How do you ensure they are not committing privacy violations? If you had a 99.9 percent rate of preventing phishing attacks, you are still going to have a lot of breaches.

Question: [indiscernible] being breached versus more people-based operations, with foreign actors compromising someone in some way.

It is hard for me to comment, as a member of the private sector, on a lot of the state-based activity.
I am not the person to talk about specifics because the information is not normally available to me. What we see as the lion's share is people who are not in some foreign espionage situation. It is the hospital's own employees who might be using it for criminal gain, or to attack a colleague. I have seen people look up local stars for a fantasy football edge. It happens. Yeah. There are some pretty scary situations out there. I am going to tell you a nice story as well. This is the one good piece of data you will see. This is the average time for an individual health system to report a breach to Health and Human Services, which they are required to do within 60 days. Hospitals are extremely responsible and thoughtful. Once they know about something, they report it. Most of the time, everyone has fallen inside these lines, which is good. However, the time to detect a breach is not good. Oftentimes, malicious actors will be inside health systems for months, years. We have seen 10 years plus. The problem is not in the reporting; it is in the detecting. Here is a number you will not see a lot. We have done some analysis to understand how many privacy violations typically occur in a given month based on the size of an institution. For every 300 individuals, you can expect one privacy violation to a patient's data per month. You are talking about 100 privacy violations per month and 1,200 per year. You can really only get this once you get comprehensive analysis of these events. In addition, there is a great opportunity to focus on education and remediation. Another thing we see is that the majority of events we are detecting are repeat offenses. They are going to do it again and again. We see this pattern over and over.
It means we can reduce by half the number of violations if we are proactively detecting these threats and making sure that individual is appropriately sanctioned. To me, that is somewhat of a hopeful stat, because it means we can prevent these threats through thoughtful workforce management. Next, I want to be brief in this section and note that my work is now focusing on a paper that addresses three core areas of challenges in this space. I will be thoughtful of the time because I'm running over. The areas are culture, workforce, and technology. When we look at culture: how do we create accountability from the board level down? How do we find out whether hospitals are getting the job done? Workforce: how do we build a future workforce that is effective? How do we retain the valuable workforce we have? How do we prevent workforce burnout by making sure we are not having people do repetitive, low-value tasks, and that they are focusing on what is strategically important? From a technology perspective, it is about getting a lot of legacy junk out of the system. That needs to be remediated. There are some areas we can clarify when it comes to guidance. It is about baking it in, end to end, across the lifecycle when it comes to creating these software devices that are ultimately treating and serving patients. At the end of the day, it is all about patient safety. We do all of these things to protect patients and make sure we are keeping them safe. That is what we have to do from a cybersecurity and privacy perspective. I will now wrap things up. Hopefully you can take a look at this in September. There will be a much more interesting speaker talking to you. Thank you so much, everyone. [applause]

It is true. I think the last time I was in a room this crowded, it has been a while. Good afternoon. I am the CEO of eHealth Initiative and Foundation in Washington, D.C. Robert set up a nice springboard for us. He gave you a basic overview of where the breaches are and where we are going.
I'm going to talk about the misperceptions around HIPAA policy and cyber policy, talk about the current policies and practices, and how we are evolving into what could be a national security threat. Cybersecurity has nothing to do with elections, just health care. eHealth Initiative has been around about 19 years. We are a group of influential executives across the spectrum of health care. We bring together leaders from different groups, payers, providers, pharmacies, et cetera, to work on tough issues. Our belief is you cannot just talk to hospitals about health care. You cannot just talk to providers and clinicians about health care. We need to join with pharmacies, patients, consumers, vendors. This is an interconnected problem. It is a network problem. We need to sit down together to figure out how to solve it. We have done a lot of research, education, and policy work around cybersecurity. We have a new white paper out about risky business. We have some fact sheets about some myths surrounding HIPAA. We need to stop looking at cyber and privacy policy and stop thinking about health care data in terms of what building it belongs to or what office it should be in. Health care data does not stop at the door. Your hospital data should not only be in the hospital. You should be able to access it from your phone. It is all over the place. In terms of thinking about rules and health care data, it does not make sense to think about it within the institution. We need to think about it within the greater spectrum. I want to be frank with you. We have done a horrendous job in health care and technology of talking about HIPAA, the privacy policy, what health care is, why it is important, all of these things. When people think about cybersecurity, they think about elections and banks.
Part of the issue is, we have made it so technical and confusing. We throw these acronyms out at you. People do not understand it. It sounds overwhelming. When I started in health care two decades ago, I felt silly asking questions about HIPAA. It was so complicated and technical at that point. How many of you have been in the doctor's office, you are filling out a form, and you say, why do I need to do this again? They say to you, because HIPAA. It is the big bad wolf of health care. Whenever you cannot get something done, the excuse they will give to you is, it is HIPAA. Doctors are not allowed to email patients. That is another myth. HIPAA protects all of your health care data. Another myth. These last two drive me nuts. If an organization is HIPAA certified, it is OK to share information with them. There is no such thing as a HIPAA-certified organization. HHS does not go around and certify organizations and say, you are completely in compliance. They do not do that for every single health care organization. An organization will say they are certified. That means they believe they are complying with HIPAA. Another myth: if a consumer uploads their information to a health app, if a company offers a direct-to-consumer app, if you download an app from an organization and it is not provided on behalf of a covered entity, it is not subject to HIPAA. I just threw a word in that might have confused you. This is where people's eyes glaze over a little bit and they start to fall asleep. Let's talk about what that means. There are a couple of key questions around apps and whether or not they fall underneath HIPAA. It all depends on whether an app is branded, and it depends on how a consumer gets to the app. These are a lot of little things that can determine whether or not a health app is covered underneath HIPAA and has to follow regulations. HIPAA covers data in health plans, clearinghouses, and business associates.

Business associate is another term that is probably confusing, which we will talk about. Who counts as a business associate? I'm not going to make you read this. [laughter] I'm going to tell you. Let me give you an example. Say we have Sally. OK? Sally goes to her doctor. Her doctor says, you have diabetes. I have this great app that is going to help you manage your condition. You will get some counseling with it. I heard about it from this great app company. Her physician gives her this app. She goes home and uses the app. That app is covered by HIPAA because it came from the provider. That app is supposed to comply with HIPAA, which means it should protect all of your health care data. This is where it gets tricky. Say we have Sally. Same Sally. Sally picks up the newspaper or her phone and reads about this new health app Apple has. She downloads the same exact app directly and puts the same kind of data in it. That app is not covered by HIPAA because it was direct to consumer. You can have the same app with information that is supposed to comply with HIPAA, and then you can have one that is not, even though it is the same information from the same company. This is what makes HIPAA a little tricky to figure out. That is one of the reasons we have to think about where this is going. There is also this healthy-ish type of data, as I like to call it. That is not covered. Like you join a disease network to talk about your cancer care, or a counseling network online. You purchase pregnancy tests. You purchase information about a sexually transmitted disease. You join an HIV group. GPS data that shows you go to your psychiatrist every Thursday. GPS data that shows you were in a rehab center. All of that data is healthy-ish kind of data. It says a lot about your current situation. That is not covered as well.
A lot of people would be more concerned about the items they purchased at Walgreens and CVS going public than they would be about their medical record. Using these third-party apps. Even CMS. They have a list of third-party apps they use. If you go to the site, you can see all of the different organizations CMS is sharing your informat
