Transcripts For CSPAN2 Health Care Cybersecurity Discussion 20240714

...when it comes to cybersecurity threats and the way it affects our nation. And we have seen high-profile hacks in our health care sector, and we've brought in two individuals: Robert Lord, chief at Protenus, and he'll give a presentation to us and talk about this important topic, as well as Jen, the CEO of eHI. Without further ado, I'll let the first presentation get started.

>> Thanks, Greg, and thanks so much to everyone. I rarely give talks that are standing room only, so I really appreciate your guys' interest today. As Greg mentioned, I'm Robert Lord, co-founder and president and chief officer of Protenus. A lot of the information is from Protenus, and I'm not speaking on behalf of organizations today. ... to work in a clinic that focused on treating HIV-positive patients in Baltimore when I was in med school. One of the things you and click the about this population, other than that they're an absolutely wonderful, really complex, rewarding population to work with, is they have extraordinary concerns about the privacy and security of their information. They will go to extreme lengths to make sure people do not find out about their diagnosis, the treatment, or that their coworkers or their communities or many others might use this information against them, this extremely vulnerable community. One of the things I began to think about treating these patients was, what are we doing to defend their health data and information, these extremely sensitive records? The more you dig into that question, this is back in 2013, 2014 when I started, the more horrifying the answer is. The reality is the challenges that we face in protecting health data are extraordinarily difficult. Today I'll try to give you a taste not only of the important anecdotal stories but the data behind all of them. I think it makes sense to start with the Anthem breach back in 2015. This was really, for many people, I don't ask for a show of hands. Who here got one of those Anthem notification letters?
I did, too. This was about half of the U.S. population, more or less, a third or half, 149 million records breached. We will never know the exact number of patients affected. For many of us this was a massive wake-up call to the fact that healthcare data was highly centralized, highly vulnerable, and highly valuable to certain parties as well. Unfortunately this story did not end with the Anthem breach in 2015. The hits keep on coming. We saw a recent breach, LabCorp, AMCA, a breach of about 20 million medical records or individual patient data pieces that were identified, and we'll see what the final numbers are. Of course back in 2016 there was a major ransomware attack that reduced an entire hospital system to pencil and paper. Imagine all the electronic health records, all the electronic systems that you use, I can think back to my days, and now you're on pencil and paper and what is not connected to an electronic system. Pretty scary. This isn't just a couple of anecdotes either. If you look and scale out, a recent report not too long ago showed 70% of health systems reported experiencing a major data breach, and a third experienced one in the last year. So if you think about this entire picture together, we are in a pretty terrifying state right now, and it's one where we are not necessarily talking about it, but health systems are very aware of it all the time. I'm not a big person on speculation, but it always makes sense to think proactively. There's also this significant possibility raised recently in a Bloomberg article of the ability of, whether it's state actors or individuals or other types of criminals, to engage in medical blackmail. Typically these types of incidents are highly behind the scenes. There are some great area reports that this does happen, but most of the time these are not reported if it isn't the case. These are the stories, the anecdotes, but I don't want to focus on what could be.
I want to show you the data for the rest of my presentation that shows you what we're facing right now and what the trends are. For some of you in the audience, you're going to know everything I'm talking about really clearly. For others, I do want to contextualize why health data is so valuable. So some reports, and you may think these are exaggerated, but to give you a sense of what these records can be worth, a single individual medical record can go for upwards of $1,000 on the black market. These have been devalued as more medical records have come onto the black market. There's a lot of value to them, and a lot of value to them for a lot of reasons. They can be used for insurance fraud, fraudulent claims. You can steal someone's ID, and you can do it very comprehensively when you think about the information in the medical record. It's pretty much the entire history of someone's past illnesses, their family members, their location, financial information, it's all in there. The only thing that has more information on an individual is probably a comprehensive top-secret clearance document in the United States. You could use it to open financial accounts because of the richness of that data. Insurance or bank accounts, medical blackmail that could be criminal or state-based. You can also, unfortunately, people use it for mundane personal attacks or courtroom litigation in messy divorce cases, we've seen it all. You can run fraudulent Medicare, Medicaid billing mills as well; we've seen that, basically open up, create synthetic patients and bill for those patients. A lot of, unfortunately, really terrible and really deeply devastating crimes can be committed with medical records that have impacts that can go on for years and years.
Recently there was a CBS This Morning report that echoed some of the data I'm going to show today, that showcased an individual who basically, while he was in the service, had his medical identity stolen, and he was resolving those challenges for 15 or so afterwards and still suffers from challenges. Wonderful guy, and he's been dealt quite a hard blow. What I'm going to show you next is specifically from data that we collect on a regular basis. So Protenus is a world-leading healthcare platform focused on detecting dangerous activity in health care, but I won't talk about my company on that side. We also have a research group that works with third parties to identify trends in health data breaches and health cybersecurity. What I'm going to show is information we collected both from public sources as well as, at the end, some interesting proprietary data that I think you won't otherwise see in this space. So one thing to start out is that since 2010, I don't go all the way back, but since 2010 there has been a systematic increase in the number of data breaches that occur every single year without fail. Without exception. Since we've been tracking the data specifically, we've seen it every year, and already we're projected to have another record year. This number you see here, 285, is a half-year estimate from a recent analysis, and if it continues along this trend we will beat 2018, unfortunately. This is the number of incidents. You want to look at the number of records breached. We are excluding the 2015 Anthem breach; if you added that column, it would go up to about 170 million records that year or something in 2015. In 2016 we had a banner year with big, big breaches, so that was almost 30,000,000. In 2017 some of us started to think maybe it's normalized a little bit. Maybe that was just a couple of big breaches and it would get better. Then of course it tripled in 2018.
And in 2019 that estimate of almost 32 million is just a half-year estimate. That is not yet annualized to the full year. We're once again on trend to break yet another record when it comes to the number of records breached. Importantly, you may want to know how all of these breaches are occurring. Of course hacking is a major concern. It's what people usually think about when you think of these challenges. That breaks down, and I could go into more detail, but that's a mix of what we've seen from a phishing perspective, malware, miscellaneous threats, and I won't go into all that deep detail, but we provide a breakdown of this in the Breach Barometer, which you can download and subscribe to, and it's totally free. Just Google Protenus and you can find it. But a huge proportion, this is relatively consistent, between 25-40% of breaches are due to insiders. That is individuals with some legitimate level of access to the electronic health record who abuse that access. I, for instance, when I was the lowest of the low, a medical student in a dorky little white coat, I could access any medical record of any individual who ever passed through the walls of my institution. That was not because the institution was unique in this respect. That is true of basically every health system in the world. The reason is because for emergency access you need to be able to get access in the ER quickly. You have extremely complex environments where proactively using access control, as I'm sure some of you in the audience may be thinking about, is really a failed paradigm. Too complex to tackle. This insider threat surface is one we often underappreciate but one we see all the time. As far as who is most vulnerable, this may come as no surprise, but obviously the lion's share is hospitals themselves. I want to note this is not because hospitals are lazy or do not care about this problem.
Quite the contrary, they care, but hospitals are running on razor-thin margins, their technology investment in the space is not what they would want it to be, and they have to take care of patients. When you look at priorities, there's a lot going on they have to be thoughtful of, and of course they're on the front lines. In terms of access to this information, a large health system will have 30,000 employees who have access to medical records. How do you make sure all those individuals are not committing privacy violations? A giant threat surface for phishing attacks. If you had a 99.9% rate of preventing phishing attacks at your institution and you had 100,000 employees in one of these mega-systems, you will still get a lot of breaches, and that's a big problem. Question? [inaudible]

>> So it's hard for me to comment, as I'm a member of the private sector, on the state-based activity that occurs in these spaces. I'm not really the person to necessarily talk about specifics just because that information is not normally available to me. What we see is the lion's share is people who are not some sort of foreign espionage type of situation. It's just a hospital's own employees that might be using it for criminal gain, for abusing their access to maybe attack a colleague, to look up a VIP. I've even seen people look up local sports stars for a fantasy football edge. So it happens. Yeah, yeah. There are some pretty scary situations out there. I'm going to tell you a nice story as well. This is like the one good piece of data you will see here, and what this is, it is the average time for an individual health system to report a breach to Health and Human Services, which they are required to do within 60 days. They're really good about this. Hospitals are extremely responsible and thoughtful about one thing: once they know about something, they get it reported. They're doing a pretty good job.
We see a bit of a trend outward in reporting, but most of the time everyone is falling inside these lines, which is good. However, the time to detect a breach is not so good. Oftentimes malicious actors will be inside health systems for weeks, months, years. We've seen ten-year-plus bad actors occur inside health systems, and they just keep on going. The problem is not in the reporting rapidly; it is in the detecting rapidly. Here's a number you will not necessarily see a lot, but an important one. We've done analysis at Protenus to understand how many privacy violations typically occur in a given month based on the size of an institution. What we see is that for every 300 individuals you can expect about one privacy violation to a patient's data per month. If you have 30,000 employees at a health system, you're talking about 100 privacy violations a month, and 1,200 per year. If you think about what is being reported, you can only get this once you get comprehensive analysis of the system and understand how many violations are happening, but it gives you a sense of the size and scope of these threats we are seeing across the whole spectrum. In addition, there's a great opportunity to focus on education and remediation. Another thing we see is that the majority of events that we are detecting are repeat offenses, which means someone has already violated patient privacy in some way and we haven't caught them and educated them. They will do it again and again and again. We see this pattern over and over again. It means we could reduce by half the number of violations that occur if we were proactively taking these threats seriously and that individual is educated on appropriate sanctions for that activity. This looks bad, but it's somewhat hopeful, because it means we can predict and prevent these threats through just really thoughtful workforce management.
I want to be brief in this next section and just note briefly that my work at New America is now focusing on a white paper, which should be released next month, that addresses three core areas of challenge in this space, and I will be thoughtful of the time because I'm running over, but the areas are essentially culture, workforce, and technology. When we look at culture, it's all about how to re-create accountability from the board level on down. How do we fund hospitals so they can make sure they're getting the job done? And how do we work with existing regulatory structures to be more effective and more forward-thinking? Our workforce is how do we build a future workforce that's effective. It's how do we retain the valuable workforce we have, and how do we prevent workforce burnout through making sure we are not having people do continuous, repetitive, low-value tasks and are focusing on what is strategically important. Finally, from a technology perspective, it's about getting a lot of legacy junk out of the system. We know there's a lot of legacy technology. It needs to be remediated. There are areas we can clarify when it comes to guidance. And finally it's about baking in, end to end, whether devices or software, a secure development lifecycle when it comes to creating these software devices that ultimately treat and serve patients. At the end of the day it's all about patient safety. We do all these things to the end of protecting patients, to defend them from these threats and to make sure we're keeping them safe. That's what the Hippocratic oath is all about, and in a way it's what we've got to do from a cybersecurity and privacy perspective. I will now wrap things up. Hopefully you can take a look at this in September, and now there will be a much more interesting speaker talking to you. Thanks so much, everyone. [applause]

>> Well, it's true, the last time I was in a room this crowded, it's been a while. Good afternoon, guys.
My name is Jen Covich Bordenick, and I'm with the eHealth Initiative's foundation in Washington. Robert set it up nicely for me, to get a basic overview in terms of where the data is on breaches and where we are. I'm going to spend a few minutes talking about some of the misperceptions around federal privacy policy and cyber policy, and talk about current policies and practices, HIPAA, and how we're evolving into what could be a national security threat around cybersecurity and health. And cybersecurity that has nothing to do with elections, just healthcare. The eHealth Initiative has been around about 19 years, and we are a group of influential executives from across the spectrum of health care. We bring together leaders from all different groups, payers, providers, pharmacies, et cetera, to work on really tough issues. Our belief is that you can't just talk to hospitals about health care. You can't talk to providers and clinicians about health care, because healthcare is a continuum. We need to join with pharmacies, patients, consumers, thinkers. This is a problem, an interconnected problem, a network problem. We need to sit down together to figure out how to solve it. We've done a lot of research, education and policy work around cybersecurity. I think we passed it out to you today; we've got a new white paper out on risky business. We have fact sheets on myths surrounding HIPAA, which are available for you, and many more on our website. We really need to stop looking at cyber and privacy policy, and stop thinking about healthcare data in terms of what building it belongs in, or what office it should be in. Healthcare data doesn't stop at the door. The hospital data shouldn't only be within the hospital. You need to be able to access it from home, from your phone. It's all over the place. In terms of thinking about rules around cybersecurity and healthcare data, it doesn't make sense to think about it within an institution's walls.
We need to think about it in terms of a greater spectrum. I just want to be frank with you here. We have done a tremendous job in healthcare and technology, talking about HIPAA, privacy policy, what healthcare data is, where it lives, why it's important, all of those things. When people think about cybersecurity, they generally think about elections and banks, whatever the latest story on the news is right now. They are not thinking about the healthcare data. Part of the issue is that we have made it so technical and confusing and throw these acronyms at you. So people just don't understand it. It sounds really overwhelming, and I'll be honest with you, when I started in healthcare two decades ago, I felt silly asking questions about HIPAA. I felt I had to be a lawyer or a legal analyst to ask questions, because it was so complicated and technical at that point. How many of you have been in a doctor's office, you are filling out a form, and you said, why do I need to do this again? And they said to you, because of HIPAA. Right? HIPAA is the big bad wolf of healthcare, okay? Whenever you can't get something done, a lot of times the excuse that will be given to you is it's because of HIPAA. So your doctor can't talk to your loved one about your condition because of HIPAA. That's a myth. Your doctor needs a written authorization, or they can't share your health information. That's another myth. Doctors are not allowed to e-mail patients. That's another myth. HIPAA protects all of your healthcare data. Another myth. And I'm going to go into these last two because these really drive me nuts. If an organization is HIPAA certified, it's okay to share information with them. There is no such thing as a HIPAA certified organization. I'll say that again. There is no such thing as a HIPAA certified organization. HHS does not go around and certify organizations and say, you are completely in compliance. They don't do that for every single healthcare organization.
So what often happens, an organization will say they're HIPAA certified, but that basically means they believe they are complying with HIPAA the way that they interpret it. Another myth out there: if the consumer uploads their medical record into a health app, that information is protected by HIPAA. Wrong. There's no such thing as a health certified or a HIPAA certified health app. It's not out there. If the company offers it direct to consumer, you could download an app directly from an organization, and if it's not provided by a covered entity, it's not subject to HIPAA. I just threw in a word that might confuse you, covered entity. This is where it gets a little bit confusing and people start to, their eyes glaze over a little bit and they get a little bit, start to fall asleep a little. Let's talk about what that means. There are a couple of key questions around apps and whether or not they fall underneath HIPAA. It all depends how an app is branded. It depends how the consumer gets to the app. It depends how the data flows between the app and maybe the hospital or a doctor's office. It depends whether or not it's coming from there. These are all a lot of little things that can really determine whether or not a health app is covered underneath HIPAA and has to follow HIPAA regulation. Generally, HIPAA covers data that's in health plans, with healthcare providers that are conducting transactions like claims transactions, billing, clearinghouses and business associates. Another term that's probably a little bit confusing, which we'll talk about. So who counts as a business associate? I'm not going to make you read this. I'm going to tell you. Let me give you guys an example. Say we've got Sally, okay? Sally goes to her doctor. Her doctor says, you know what, you have diabetes, I've got this really great app that would help you manage your condition, and you get some counseling along with it. I heard about it from this great app company. So her physician gives her the app.
She goes home and she uses the app. That app is covered by HIPAA, because it came from the provider. The provider recommended it. The provider's name might be on it. So it is in effect coming from the provider. That app is now supposed to comply with HIPAA, which means it should protect all of your healthcare data in there. Now, this is where it gets a little bit tricky. Say we have Sally, the same Sally. Sally picks up a newspaper or picks up her phone and reads about this really new cool health app that Apple has. She downloads the same exact app directly, puts the same kind of data in it. That app is not covered by HIPAA because it was direct to the consumer. So you see, you can have the same app with information in it that is supposed to comply with HIPAA, and then you can have one that's not, even though it's the same information from the same company. This is what makes HIPAA a little bit tricky to figure out. It doesn't quite make sense, and that's just one of the reasons we have to really think about where this is all going. There's also kind of this healthy-ish type of data, I like to call it, that's not covered under HIPAA. Things like you joined a disease network to talk about your cancer care, or a counseling network online, you purchase pregnancy tests, you purchase information about a sexually transmitted disease, you joined an HIV group. GPS data that shows you go to your psychiatrist every Thursday. GPS data that shows you were in a rehab center for six months. All of that information is healthy-ish kind of data. It says a lot about your current condition and could reveal a lot about you. That's not covered as well. A lot of people would be a lot more concerned about all the items they purchase at Walgreens or CVS or on Amazon going public than they might about their medical record. Everybody is using these third-party apps, or third parties as they call them.
Even CVS, I went on last night, and it has a list of third-party apps it uses; if you go to the site you can see all of the different organizations that CVS is sharing your information with. You can link to them. In some cases you can opt out. This isn't just happening in the private sector. This is happening in the government as well. It's important to know that when you're thinking about HIPAA. So we spend all this time and effort worried about our healthcare data and making sure it's protected underneath HIPAA, and maybe a lot of it is not protected underneath HIPAA. We don't want to reveal it, but what's so amazing to me is that so much of this data that we're trying to protect so carefully, we are actually giving it away. You ask, how are we giving this data away? Has anybody read the fine print? I mean, I just pulled this down from my own personal health plan and some of the doctors' offices that I go to. This is my personal information. But if you actually read that, and I encourage all of you to actually read the fine print, you will see in many cases the policy says that they don't have to agree to do what it says they're going to do. In many cases it says that they will share this information with contractors and authorized partners, but they don't tell you who those people are. It says they can use it for normal routine health care operations. I'm not sure what a normal routine healthcare operation is. Does it mean a web developer who happens to be in the office, that they could still look at my medical records? Maybe. Or the guy who's working on the Xerox machine? I don't know. It's important to understand what it is you are signing away. And a lot of these will say we can change the rights, you know, we reserve the right to change the terms of this policy at any time we want. And if you want to learn about that, you can come pick up a copy of the changes. So in a lot of the fine print we are really just giving a lot of this information away.
So we've heard a lot about healthcare data and how valuable it is. I think everyone in this room can probably attest to the fact that we need this data to find cures, to discover new drugs, to save lives. It's valuable data, but we are finding bad actors want this data as well. Guess who else wants your data. I was pretty naive when I started in cyber. I thought the reason everybody wanted this data was because they wanted to break into medical records and find out about Britney Spears or Selena or somebody in rehab, or what was the medical condition, was somebody pregnant? All the celebrity things you hear about. Or that they wanted to bribe people. Don't fool yourself. It's naive to think this is just about bribery or understanding celebrities, or someone even trying to steal your credit card. This is happening right now. There is a new space race, and it's around healthcare data. This is the fastest growing business globally. Chinese investors right now are pouring in; just in the first nine months of 2018, 43% of all their investments went into biotech, in 2018. Companies globally are involved in economic espionage, and companies that handle patient data are really particularly at greater risk. They are taking this data. This is really a space race. Whoever has the most data wins. Think about it. Think about the amount of profit that could be made by the next influenza vaccine, the Ebola vaccine. Think about the potential bioterrorism that could take place if you discover a certain population is susceptible to a certain germ or a drug. I'm really grateful to a supervisory special agent at the FBI, I don't know if anyone has heard him talk before. He's from the Weapons of Mass Destruction Directorate here, and that's all he does, is study these different countries that are basically not just hacking our information, but taking our information when we give it to them. And that's what's generally happening.
The data that they're taking can be used to exploit us. They can discriminate against certain groups. They can create bioweapons. They can target it. But most important, they can get economic advantage. Look in the news. All of these companies are working with Chinese companies in this case. It's not just China, but I put many examples here from China, where U.S. corporations are sharing their data with Chinese-owned organizations. So basically our information is in many cases being given to the Chinese. CMS, the Centers for Medicare and Medicaid Services, allows you to work with organizations outside of the U.S. and share data with them. So imagine you're a health plan in the U.S. and you direct all your labs, all your DNA testing, whatever it might be, to be handled by a Chinese company that doesn't have our best interests at heart. If you look in the news, sometimes you hear about the Chinese hacking data, but more often than not we are actually giving them the data. There was a report released this year, February 2019, by OIG and the FBI that identified national security risks related to sharing genomic data. This is happening right now. It identified China as the primary source of those risks. There are concerns right now because NIH has given access to U.S. genomic data to for-profit companies in China. And these companies have ties to the Chinese government. Now, this is not reciprocal. So in healthcare we like to think everybody is sharing data for the greater good, and that's how I always believed that things were. But that's not the case. In fact, in China they have laws that their data doesn't go outside of their boundaries. They don't share any of their data. They get our data, but they don't share any data. In fact, there's a new law there. You can't even use any biomaterials from China unless there's a Chinese collaborator or an organization involved.
So it's really important to understand what the national security risks are for sharing health data with China and other countries. It's important to understand what regulations we have in place for sharing our U.S. genomic data. It's important for us to understand what payments we are making through CMS, what payments our federal government and CMS are making to other countries to hold and handle our data. And it's really important for CMS and for private companies to consider what are the national security risks that we need to think about before we do business with these companies. These are things we haven't really worried about before, right? I mean, we've been worrying about people hacking in to take celebrities' information or blackmail an individual person, but that's not what's happening. We are actually at a different point right now. Senators Grassley and Rubio actually drafted a letter just a couple of months ago, is anyone here from their offices?, asking for CMS to put a plan together, and asking to kind of understand better NIH and other sharing, and to be clear about what payments are going there and what the rules are going to be. That's just the beginning exploration around that, but this is something I think is really important for people to keep asking about. Because this is going to sneak up on us very quickly. Once that data is gone, it's not coming back. You can't get it back. So in summary, you know, this healthcare data is valuable. It saves lives. I do want to emphasize that. It is important to share this data, de-identified, so we can do the research we need to do to find cures and better treatments, find appropriate treatment for Alzheimer's, ALS. We need vast amounts of data to do that. So we don't want to stifle that, but we need to make some decisions about how much we want to share, in what form, who we want to share it with, and to date I haven't seen a lot of discussion about that.
But the time to have that discussion is now, before it's too late. That's it. I want to thank you for listening, and I'm happy to take any questions. [applause]

>> Thank you again to Jen and Robert for those presentations. They were able to cover what I would consider an enormous amount of information and condense it into those slides, but I'm sure there are tons of questions, and we want to drill down a bit deeper on certain subjects. I'll kick us off with maybe a first question. I think we definitely now have a good understanding of the risk of our data being out there and how it can be shared, and that we don't know it is being shared, and some of the inherent risk with that. One question I would like to start with is, is there a concern, or should there be a greater concern, that beyond the inherent risk and the jeopardy of patient safety with the data being shared, is there a direct threat to patient safety from malicious actors? Are there other avenues we might want to be worried about? And if we could talk about that for a bit as well.

>> Anyway, you guys could probably hear. We certainly see this all the time. This one? Does it work? So one of the things that I mentioned was the potential ransomware attack. This is where essentially you have a form of malware that encrypts all of the data in a health system and makes it inaccessible to anyone using the systems, effectively shutting down anything that runs on any form of data. That's everything. Well, there are still some things in hospitals that probably should but the door. That means the patient safety effect can be huge, because suddenly you've lost access to critical systems. Another big concern that has been proven time and time again, at least in the theoretical research, and we don't know if it's happened in the wild yet, is the potential for medical device hacking.
you can imagine an insulin pump or an implanted defibrillator could readily be compromised and then, given the function of those devices, be used easily to kill a patient or seriously injure them. those are just two really present examples that are very serious, very possible, and they are either actually out there or have been proven to be completely plausible and deployable.

>> let me piggyback on that a little bit. right now there is malicious software that is attacking microsoft and other widely used software. a lot of the medical devices sit on top of software. it could be that they are not necessarily attacking the medical device itself, but the software it's connected to, and that's happening right now. a lot of people don't recognize when their machine or the device is affected, or hospitals don't know that the device is connected to something that's been attacked maliciously. it is happening right now, just not in the way you think about. i think of that homeland episode with the pacemaker getting attacked. we haven't seen that so much right now, but definitely we are seeing a lot of attacks on general software that's connected to those things. we don't have a good way right now to notify people and reach out there, because if you think about medical devices, once they are out there, we would need to know exactly where the manufacturer sold them, what providers bought them, which patients they were given to. think about the chain of events in terms of where medical devices come from; it's a pretty long chain. so in terms of the notification, there are specific guidelines about how the notification is supposed to take place, but it's a real concern. the more that this happens, i think the more dangerous it is going to get.

>> could you remind me where the sources are coming from of these attacks, hacking or insiders? was that based on instances or the proportion of the number of patients attacked?

>> that is based on incident number, those percentages.
it's number of incidents. obviously you have a bit of a skew towards hacking when you look at it from percent of records compromised, because those will tend to be the biggest types of breach events. that being said, what can sometimes be the most damaging to health systems are the one-off types of attacks, because they can be very public, very personal, and they may be one-on-one vendettas or legal action. when you look at the total risk to the system, you could make an argument either way, but your point is a good one. if you look at the total number of records compromised you would probably get more hacks, but sometimes it is an insider type of event. good question.

>> we are going to go to the blue tie back there.

>> i appreciate the comments. i want to echo what you said earlier. so we see, going back to patient safety, in ransomware attacks specifically, the net effect: surgeries canceled, ambulances possibly diverted, and we've seen that from our members, and we've seen adversaries go after smaller hospitals most recently, increasing the rate of attacks, and using the tactic of going into the backups first, which is very troubling because that's the normal defense against ransomware. very concerned about that and appreciate your comments there. again, on your data, the majority of the records, as you say, is compromised by external actors; would you agree with that?

>> the majority, yes. i would say sometimes we need to be thoughtful about incidents versus records as our measure of risk, because sometimes those incidents actually end up being some of the greatest vulnerabilities versus these bulk records, which may or may not be exploited in these large dark web sales, things that might have less of an actual impact on the institution or patients. it does depend, but it's a good point. i would applaud also aha for a lot of great work they're doing in this space bringing it to light.
>> again, reinforcing your point, a lot of our members have become aware of the strategic threat posed by nation-states targeting medical research and innovation, so thanks for bringing that up.

>> i just want to piggyback as well. i think phishing attacks are the most common. that is external, but you can address that with training. a lot of companies have trained their employees on phishing attacks. they will send an e-mail and people that click it have to go to training. you can address that, but that is the number one way people get in.

>> we show that breakdown in the data if you want to look at the actual report. we have confirmed over time phishing is by far the largest portion of the hacking section of that event.

>> right there in the back. if you don't mind, this gentleman will find you with the mic.

>> what kind of policy has been recommended or should be recommended to address this issue?

>> which part of the issue?

>> mainly the hospitals, or insiders in the hospital leaking information, or to protect against companies outsourcing the data to foreign nations, like china?

>> we generally have seen that. what we've seen in terms of hospitals is these phishing scams. it's really a training, education issue, and these larger hospital organizations and health plans, large corporations, are launching large-scale efforts to train their employees to not click on things, because that's the number one way people get into your organization. is that how some folks externally and from other nations get in? yes, but it is all kind of random; for the most part they get in from an inside door.

>> the one thing i would add is, i think you bring up a pretty broad set of challenges that are faced; even if you look at any one discrete piece, the challenges are across many different dimensions, and that's a lot of what we're working on in this paper in particular, which is a question of how to change the culture of these organizations.
how do we look at the technology: are we using the most modern technology, artificial intelligence; look at the development lifecycle; are we using automation wherever we can; and ultimately workforce. at the end of the day it's human beings that are both defending these systems as well as serving as the vulnerabilities and the threat. making sure we have a strong, diverse and well-trained workforce in the future is just incredibly important. there's a lot of specific policy recommendations in this paper that will be released soon that i'm hoping can help empower this and make more concrete recommendations.

>> it's important that organizations like this and other societies get out there, like aha is doing, to educate people. people just don't know that this is a problem or that it's happening. the more that you can talk about it in your offices or with your constituents, it's really important, and bring up real-life examples with them.

>> i've been seeing in a lot of academic literature a real push to the idea of the internet of things because it will save us from human error when we're talking about an iv infusion pump. but i always have this in the back of my mind that these things are hackable, but most of the literature i've been seeing lately dealing with security is focused on the passive data collection. do you think that there's not really as much direct risk there, or is it something that could be forthcoming as more of these devices become mainstream?

>> a lot of these systems are very smart, and there is always human error. we're finding that medical records are in many cases more secure than they were when they were paper records, in many cases. but everything is going to be hackable eventually. there's always going to be a weakness. there is no 100% guarantee something is going to be safe. if anyone is looking for that, they are not going to find it.
>> for me, and just from my perspective, when i was in medical research in school, i focused almost entirely on patient safety as a topic that i worked on. i can tell you, absolutely there is a really important role for the internet of things in improving patient safety. one thing that gets lost in cybersecurity and privacy is you can't just lock everything down and say these are the systems, let's go back to using a scalpel and a pencil. not going to work. we have real gains we can make by leveraging data and leveraging modern technology and leveraging conceptual frameworks like the internet of things. but i think sometimes we frame it as an either/or, and it's not. we both need to use these advanced technologies to help patients and we need to deploy advanced technology to protect these data and systems. until we start thinking about it as an and instead of an or, we are not going to shift this curve, but it's an absolutely possible thing and we see top health systems doing it all the time.

>> i'm not sure how familiar you are with what mit has been doing; obviously it's a big center for medical innovation, but one thing left out of this conversation, robert, you were talking about it when you started, is research; universities are a giant hole for a lot of this hacking, but also particularly for foreign influence, especially because most universities maybe want to partner with other universities, especially in china. and you're right, we should be encouraging that, we should want collaboration, because that's the nature of academia, particularly in the sciences. but i would argue that, especially among some of the research that's come out of mit, we now know it leads to active monitoring, especially with the genome stuff, tracking people's dna and identifying them based on ethnic heritage, and if you take it to an extent it brings up the question of, should we just ban chinese investment and investors in the u.s. tech industry?
it's an extreme option, but is it really ridiculous considering we already have american scientists being at least somewhat culpable in what's really going on at the moment?

>> a really good question, and i don't think there's an easy answer to it. because, of course not, first of all, i mean, there were these two chinese scientists who were just indicted for doing exactly that, what you're talking about. and it's going to happen again. we need to share this data openly. we need more data or we're not going to find these cures, not going to discover the diseases we need to. it's a real complex question. it could be a matter of how we share the data and in what format, and it could be it needs to be reciprocal. the other issue is one of money. chinese investors are putting a lot of money into biotech in this country. so there's a financial question as well as an ethical one. i think it's a conversation that has to be had. one of the things i don't think we've asked at all of the general public, and we don't know about consumers, is what the consumers think. how open do people think their data should be? i mean, are other people in this room going to share their data, but only de-identified? i don't think we have a really good sense of which way the general public is going as well, and i think it will be hard to make policy without even knowing that. there's no easy answers, but they are all questions that need to be discussed, and we need to find out what the public perception and perspective is as well. sorry i didn't answer your question. [inaudible]

>> i guess the frustration a lot of us in the national security community, especially when it comes to china, have is that, frankly, when it comes to trade, when it comes to science, when it comes to stuff like the south china sea, it really seems like china gets the benefits of -- but not the responsibility or the burden of having to follow any rules.
even if we do set up, like, fine, you can have access to american health data but you can only do it through cms, cms has to be monitoring it. the reality is many of these investors don't have a choice as to whether or not they want to do that because many of the companies are also owned by the chinese government. in most companies i believe a member of the chinese communist party has to sit on the board of that company. we have seen this with apple. we've seen this with several other companies. i guess the question is, because it's true, we should be having a conversation about it as a general public and asking what the general public thinks about issues like this. but i guess the issue i have, and it's an issue a lot of people have in dealing with china, is how do you deal with an actor that isn't going to deal with you on even terms? should we try to make them hurt a little bit and make them understand that while the relationship is one of symbiosis, we rely on them for trade and investment and other things here, at what point do we have to just sort of stand up and say no?

>> we're starting to do that. i think the administration put a halt to a 23andme investment that was going to take place here from a chinese company recently. this is already happening. their money is already here in many places, so it's a real -- i'm not sure what putting a stop to it would mean right now, what that would look like. but maybe that is a decision that policymakers have to figure out, what that looks like. but at the same time nih has gotten a lot of really important data from other nations. so we really have to balance what's important.

>> good afternoon. i'm from senator manchin's office and want to take the time to thank you all for taking the time to come to capitol hill and speak to us on this issue.
i come from west virginia, and while our state has incredible community health networks such as in huntington, morgantown, charleston, so much of our work has been at the local level in very small rural clinics. and the amount of information that they're able to retain on patients is incredible. as we talked about earlier, resources are scarce, especially money, when margins are so small within healthcare, but particularly in rural appalachia and west virginia the resources are even more scarce. so with the advancements in things such as telemedicine, what advice or recommendations could you all offer to make sure that, even though the resources are scarce, we're still utilizing technology at the local level and still have the best protections in place?

>> i can speak briefly to that. we have a recommendation in this space that specifically relates to rural settings. as you may know, some of the barriers to protecting these facilities are often related to the existing anti-kickback and stark laws, associated with larger organizations providing proactive funding to these small affiliate clinics that represent major weak links. you could put them under the security umbrella of a larger hospital, and a larger hospital may want to do that and protect them, but they are not allowed to because of current legislation and current regulations. thoughtful reforms to that would be an easy move.
i think also, in the longer-term sense, how do we thoughtfully use technology, the types of automation and the types of insight and proactive detection of threats that can reach out into all these communities, that can reach up through networks of different providers and not necessarily have an individual human at every one of these sites watching it, but overall technologically enabled oversight of these organizations that are connected back to central hubs. this is all very possible, and i think there's relatively low-hanging fruit that we could modify to transform the landscape and improve the care that we are delivering to our patients in rural clinics and secure their data.

>> it's reflective of the inequity we have right now between smaller, rural, maybe less-resourced places and these larger corporate companies that have all the resources they need to do the technology updates and have the full breadth of security. it's going to be really hard for some of the smaller places to be completely secure. and it's not going to be equitable. i think that's a real problem, and enforcing that across the country is a lot tougher. i do think aha and other organizations are doing a really good job, and the rural hospitals association is doing a great job with trying to share some of the resources they have, but it's tough.

>> we have actually come up on the end of our time here, so it looks like perfect timing, no more questions remaining. i want to thank you both again. you've been very generous with your time, and thank everyone that came out today. i would like to say, as you can probably tell from the context of the conversation, that there is a lot of work to be done in this area. there's a lot we need to focus on going forward and look forward to to a greater extent.
this is something the senate cybersecurity caucus will be committed to exploring in the future, so we definitely invite all of your bosses to join the caucus, and we thank you once again on behalf of senator warner for coming today. [applause]

>> if anyone would like to reach me directly, it's just robert at protenus.com. i get the benefit of having a single name.