
tv   Washington Journal Greg Garcia  CSPAN  March 9, 2024 11:55pm-12:43am EST

11:55 pm
11:56 pm
host: welcome. i'm joined by greg garcia, the director for the health care sector coordinating council. welcome to the program. guest: thank you. host: can you tell us me what your organization does? guest: it's an organized ing to the government and rest of the sector. to identify and mitigate systemic threats to the health sector and in this case cyber can you tell us what's happening in the news that makes this discussion so relevant guest: this one is a and exis i may say, cyber attack on the
11:57 pm
health system. it's exposed a major choke point in the infrastructure of health care that is how we get our prescriptions fil he get prior authorizations from our insurance companies. how hospitals and doctors get reimbursed. that has all been cut off by what is known as a ransom ware attack where attackers are able to get in and shut down major systems, the network, software, data, until the victim pays a ransom to the criminal group. and this is rampant now across the health sector because it's easy money for the criminals. host: a bit more information. here's a story in the "washington post". health care hack spread pain across hospitals and doctors nationwide.
11:58 pm
can you talk about who exactly is affected by this and how it's showing up in the industry? guest: any health care system that uses the change health care
11:59 pm
system is going to be ades the o are receiving requests for claims and reimbursement cital submitting those claims and to the patients who are waiting for their prescriptions. but that article brought up somethingid this didn't affect direct patient care but ransom ware attacks do affect, stories in the past where patients are actually affected, where a major health system in san diego, for example, wasttd suchc that their data was locked up, their scheduling systems, their reimbursement, all of this was shut down. so ambulances on the way to the hospital had to be diverted to another hospital down the street and there's aiehospital. so this is, when i say
12:00 am
existential, that's not hyperbole. attacks like this can affect patient safety. it is a threat to life. host: the "washington post" has a little bit more.
12:01 am
so united health care group said earlier this week that a well-known russian-backed ransom ware group black cat was responsible for this. i want to play a audio from the biden administration's deputy national security adviser for cyber who spoke at an event here washington last fall and was asked about efforts to combat ransom ware attacks. here is a clip of that. >> what's actually working? is it arrests, disruption, crypto currency? how are we doing now this is the third year numbers are still going up or going down? give us a sense of how we're doing on ransomware. >> by the numbers, the numbers are going up. i referenced a couple of statistics in the opening
12:02 am
remarks. that is despite concerted effort. we kicked off the international counter ransom initiative to get the energy flowing with success stories, soe the department of justice, f.b.i., and the dutch and german colleagues brief on a number of takedowns, specifically the hyde, the genesis marketplace take down. lots of related arrests. there have been focused efforts to infrastructure, arrest the attackers. and efforts to improve resilience. one of the key takeaways is in the u.s. system, the leader of the office of director of national convened a discussion with key ransom ware negotiators. and one of the things we learned had good back-ups were able to recover more quickly in days versus the weeks for companies
12:03 am
that paid a ransom. so the resilience efforts are paying fruit as well. however, the data shows the number of attacks are going up and frankly the disruptive impact. in any given month i'll get a late-night call about a hospital system prospect th, sl hospitals across four states still working to recover from a disruptive attack. we saw the impact of color ox manufacturing process. certainly we saw the impact on other companies, two major casinos operations as well although some would talk about that. in any event, and i think the core reason is because of the reason david referenced as well which is it pays when in the united states we paid in a one year's time 1.3 billion in ransom, with everyone's efforts on disruption and improvements made on resilience it still remains a problem. host: what's your reaction to that?
12:04 am
the sector coordinating council has been working with the white house, with the u.s. department of health and human services, with the department of homeland security's cyber security and infrastructure security agency. and this is a public/private partnership. we need to exchange that kind of information as to what are the best ways that we can first prepare ourselves against those and then secondly she mentioned resiliency. how do operational continuity? so that is a collaborative effort between industry and government and law enforcement as to what the best way to protect ourselves and how do we respond when it happens? and that's a matter of operational cooperation but also policy. so h.h.s. and the white house and others are of basic fundame
12:05 am
cyber security controls ought minimum mandatory types of controls? and we're talking with them about that now. >> host: if you have questions or have a story to share if you think you might have been affected by a cyber attack you can give us a call. the numbers are on the bottom we are also on media. it feels like these health care systems are stuck when it comes to these attacks, they can be completely immobilized at the same time there's a risk to paying off hackers, right? what is the impact when they do that? guest: it varies. sometimes most of the things when they do pay
12:06 am
the hackers are business people. if they impose a ransom and the the information back, they don't unlock the systems, that's bad business. they do it because it pays and they want that pay spigot to keep flowing. so impose theand give the data back. but there are sometimes where it's worse, where once they pay they give the data back but they keep it and they use that data. our personal health data for example to restore the individual now if you'll just pay me this i will release the data back to you or i will not blackmail where they extend the reach of their hacking activities. host: is there any indication
12:07 am
affects patients' individual data? guest: absolutely. they can steal the data and they can sell -- what is your data? your data is your name, your address, your social security number, your credit card, your email. all of this stuff can then be used for identity theft. and that's, that's a horrible state of affairs for individuals who have tho to get their identity back when it has been used to open new cred to buy lu and that is the downstream effect of these hack attacks. host: i want to read a statement from the american hospital association related to. it says:
12:08 am
what should congress or other rt federal government be doing about this? guest: well i would start on the incident response side. if you think you have been affected by this, i would first go to hhs.gov to und what's go.
12:09 am
h.h.s. is building its capability and its organizational struc industry a cyber threats, both on the what we call left of boom the preparedness side and the right of boom when happened how do we collectively respond? so that is the principal responsibility of h.h.s. to the primary partner to the can being industry. congress can support by making sure that they have the resources to do that, the resources to support, financial support to some of those small rural hospitals who are operating at zero to negative margins. how are they going to be able to actually prepare themselves against this and to respond after it happened? so h.h.s. is in the role of ss needs to give them the resources to do so. host: we have a comment here.
12:10 am
what can businesses and people do when the scale and the sophistication of these attacks is so great? guest: there's a saying we have in cyber security that to play defense, which is what we are doing in the industry against hackers, you've got to get it right 100% of the time. to play offense, that is the hacks, you just once to get into a network to wreak havoc. so it's sort of the question when are we going to stop crime? well, when are we going to stop hacking? so the defense mechanisms can be very basic to
12:11 am
very sophisticated and costly. so for every critical infrastructure organization which is what health care is, we need to measure the risk and the threat and to develop and build a cybermal. so it's hard to do and that's why we need to have this partnership with the government. they've got a lot of classified intelligence about where some of these attacks are coming from and what their techniques and tactics are. we areand operators that are on the hook for making sure that our systems stay working, so it's a chess game that never ends. there is no checkmate. host: let's go to a couple of allen in hawaii on our independent line. go ahead. caller: hi there.
12:12 am
ok, well, a few things. i discovered recently that an insurance company that's very large in hawaii, that their subsidiary or whatever they were, and i think that was a ransomware and it's ve many frit parts of the u.s. who have been affected in different ways. i would be interested in knowing the line for a follow-up about the concept, what they call ransomware as a service and the fact that this business structure which has a hot line, 800 number, and customer support on how people can pay bitcoins and stuff. they also have possibly a mechanism that they pay bribes or, they pay commissions to people to go even do social network to get into these things where if they can't get in through hacking they bribe
12:13 am
them these. host: let's get the response. guest: it's a great question. you're exactly right. this is organized crime. and criminals are resourceful. if there's a money-making opportunity, they're going to do it. either directly by hacking into asome or they're going to sell the capability. and it isn't just ransom ware, it'sng as a service. there's all kinds of different methods. ransom ware is simply one manifestation of what can happen when a hacker is able to get into a network. so there's all kinds of ways that you can hack into sell tha. it's like selling anything else, any other service. host: what was caller: csia apparently was also hit and i don't think it was a ransomware but they discl.
12:14 am
the big problem is that at the level and scale this is occurring right now, what it makes medium business holders realize is that they don't have a chance because they -- even they're trying to pay insurance fees for these things and the insurance companies are telling them well you know your premiums are going to be high and if you want to use this coverage and it's very limited, you know, so there's a lot of things that need to be addressed and i just don't know if anybody in the u.s. government has understanding of the scale this is going towards right now. guest: we certainly understand the scale both in industry and in government. marshaling all of those differing resources. you mentioned can be a market influencer in terms of our behavior as businesses. but because of the scale and the
12:15 am
cost of ransom ware these days, cyber security insurance is starting to become a less attractive way to manage risk because they are increasing the premiums and reducing the coverage because it's becoming so costly. so it matter of how collectively organizations in the health care industry or any other criticalre working together to create a collective defense. host: there's also potential legal ramifications. i'm looking here at a story.
12:16 am
what is your assessment thus far of what kind of economic impact this cyber attack is having? guest: it is a cascading impac be paid, their rather low salary in a hospital as a nurse or orderly, or what have you. you know, on the legal question,
12:17 am
the legal ramifications, that continues, that needs to be a greater concern to class action lawsuits for example. and the need to determine what due diligence did in organization that was hacked, did they do everything they could do and still got hacked or did they genuinely not do and that needs to be assessed. you asked earlier about what the congress can do. they did something good a few years ago as an incentive. they told h.h.s. that, which enforces hipaa, thhirule, that' insurance portability and accountability act. if a hospital gets breached and i talked about a short time ago, h.h.s. should look at the extent to which that hospital has done the right thing in cyber security. they've implemented generally
12:18 am
recognized cyber security controls. if they did maybe take it easy on them a little bit because there's going to be fines and audits. but if they've done the right thing and still got victimized how can you punish the victim? but if you haven't done enough they should suffer the consequences because they know that there are right things to do in cyber security and they should be shielded michelle in our independent line. good morning. caller: good morning. i issue. i wanted to suggest that to address this issue that we start looking at theon from russia and eastern europe in ou coming over and getting jobs as it contractors on federal contracts. i work for a federal agency and one day was in the office and
12:19 am
there was a russian contractor working on an it contract at a fede he and i were in the office and i started engaging him in conversation and he basically laid out a putin agenda very definitely pro putin. and i'm an african american woman, you know, a white person will feel free to speak to me about these issues. and i was just shocked that he would have a position at a federal agency on an it contract. and i've had that experience before, and so that's an entry way into the our systems, through our protocol and firewall. host: i wan a chance to respond to the point. the plan noted a shortage of se professionals. i wonder if you can talk about
12:20 am
what the industry looks like in response to the points michelle was raising. guest: that's the workforce, we continue not just in health care but across the board and in government to face a shortage of good cyber security skills and talents. not just the technical people but you and i as users of it in a large organization do we know the right things towrong things not to do when we are interacting with our laptops and other technologies. so getting the five-year strategic referenced, tries to drive towards the next five years how do we build that workforce capacity both as the user and the cyber security experts, and that takes more training in the workplace, it takes more education post grad in
12:21 am
universities for the stem disciplines, science, technology, engineering, and math, and to make cyber security cool. and it's more cool now than it has been in a long time. to the caller's point, one thing we noted is insidious about and beneficial about the internet is it respects no borders. i think we heard that in the clip with ann that you don't need to be in the united states to be waging cyber attack on the united states and on united states critical infrastructure. if you are an immigrant working in the united states presumably through the appropriate vetting process through the visa program to ensure that you are not malicious in any way, and course that system is not fool-proof. but that's where you have you he concerned. -- host: to be clear, are most of
12:22 am
these ransomware attacks coming from outside the united states? guest: i think most of them are. criminal gangs from china, from iran, from russia and elsewhere, who do not have the same network of laws enforced about the use of internet for malicious purposes. host: we have a question from connie in parker, colorado. mr. garcia, would you have any sense of what kind of entities these are, for example, if they are financing terrorist groups, interference from foreign countries or e
12:23 am
money. click on this site and we've got you. we computer and we have your data. so, there are any number of ways that the internet can be used to exploit people, their beliefs, and their greed and theirr. the internet has great promise and it has great peril. host: jeff is on the internet line. caller: you guys must bemy mind. i was going to ask about foreign actors and what/if we can do anything about it. it seems like we don't really have police that can go there and arrest them and, effectively, the local co. stabbed larry has to do that.
12:24 am
whether they are interested is another story prayed i don't know if you can shed a light on what's being -- story. i don't know if you can shed a light on what's being done. guest: that is a good question. there neutral recognition agreements among countries, the united states and any other countries, that criminals or criminal groups that are culpable for attacks on the u.s. infrastructure. that can be deported, can be prosecuted as a cooperative arrangement between countries. there have been efforts a broader, multilateral scale, to develop norms of internet behavior. tr get some uniformity and coherence among internet laws. it doesn't work across all countries because there are different forms of government. you know, one thing that the u.s. has been working on and
12:25 am
very much so on the classified level, is developing principles of deterrence. so, if cyber attacks from a nationstate, cyber attacks on critical infrastructure are e action will have a connecticut effect, such as an attack on the electric grid, which actually causes athf war. we don'that has been determined by the government. but, it is a consideration. so, at what point does a cyberattack equal dropping a bomb on the united states? host: this was brought up with nato couple of years ago. guest: yes. nato and other cybersecurity
12:26 am
specific multilateral agreements. enforcement is difficult and being able to actually identify who did it. because, sophisticated cyber actors, nationstates can cover their tracks. and you can't necessarily pin country, one group, if they have successfully covered their tracks. host: bernie is on our line for democrats. go ahead -- ernie is on ou on's go ahead. caller: every two or three years, i get a notice that we've been hacked. because we have been hacked and your personal identity information has been stolen, we will give you 2-3 years of identity protection. i'm asking about united health care, which i'm not a big fan
12:27 am
of, it's a company that strips of care dollars out of the country. the ceo makes $450 million a year. what is their obligation to the subscribers, that they should print -- provide a protection plan for each and every subscriber. let's recognize that united has one of the biggest lobbyists in the country. any penalties coming from hhs are probably going to be offset by their industrious work with the lobbies. guest: accountability is increasingly an issue that we need to be looking at. both from the industry side, as a collective, and from the government. as a health insurer, united health group hascybersecurity ul services regulations and also
12:28 am
because they are handling protected health, that they are responsible for complying with the hipaa privacy and hipaa security rules. whether the penalties that come from the impact of a cyber incident are persuasive for any organization to invest more, that is not something we have visibility as to what thek appetite is. but, we also have to note that, again, as i saidprogram, to defu have to get it right 100% of the time. they have to get it right wants to get in. -- the hacker has to get it right once to get in. you can do everything right and still getr times, you can be negligent and not be doing enough.
12:29 am
that is when penalties should prevail and ac should be held. host: there's a question from barbara in whiting, vermont, who says i remember when you could go to a doctor and they would have your paper file, prescriptions were written out and handed to a pharmacy. any records needed to be sent to a hospital could be fax over or hand-delivered by the individual. s the change to computerized systems which cost a fortune created just to make money for certain industries? let's go back to privatizing information and papers. guest: what a great question. we talk about digital and going electronic and it's going to save all of this paper. it doesn't always do that, does it? i think a systems will say that the emergence of health information technology and medical record technology and software has made the transmission of health care data quicker.
12:30 am
more easily distributed. we have not yet gotten to that nerve ana of total inte nirvana of interoperability untry. it is a mixed bag. we see the doctor looking at the computer and not looking at us and they are looking at the data that they are entering. when we no longer have that data because it has been ransomed out of commission, hospitals have to go to a paper-based system. and many young doctors coming out of medical school never actually learned how to write a prescription with a pen and a pad of paper. it's all on the computer. moving to a paper-based system , i think that cat is out of the bag. it might be very difficultback .
12:31 am
host: a couple more calls before we have to let you go. rachel is in houston, texas on our independent line. go ahead. caller: good morning. i was wondering when hackers return the data, how do we know that that data is accurate? are they able to alter that information? guest: yes. that's a great question, rachel. they are able to. it is not necessarily in their interest to do so. their main interest is in the money. there have been hacker groups who have said we are not going to do anng patient care. they present themselves as morally and to return data, that changes my blood type
12:32 am
or removes somebody's warning that they are allergic to penicillin, that, of course, is malicious. that would more likely be for the purpose of a direct attack on somebody. somebody prominent that you could get into a major public figures health data and change it so thatrgency, they would be administered a drug or something that would actually cause harm. we don't have any instances, y data that shows that that is happened. host: harriet is in maryland on our puine. go ahead, harriet. caller: good morning, mr. garcia. my concern is the amount of information required at the doctor's offices and medical places we go to.
12:33 am
i've actually been asked for my mother's maiden name, my social security number, then they want to scan my drivers license. my whole identity is required. i mean, i would show them my license and let them know who i am this is sounding like it's an open book and they assure me -- it sounds to, they tell me the federal government requires it. it sounds like it's an open book you are exactly right. it seems like you had to give themll oyo doctor's office. didn't i just give this to you last time? yes, we do need to find better ways to have a national identitd specifically on your social security number.
12:34 am
in most c, think it is not legal for organizations to ask for your social security number as identification. perhaps in some financial services settings. but yes, we do need to think of more creative ways that we can manage identities on a national scale expose individuals to so much risk. host: we have a question from text message. good morning, c-span. i'm a patient at a major n.y.c. health care system. i have united health care insurance. how do i find out if my personal data has been compromised? united health care tells me i'm fine. the half spi -- hospital tells me my information wasn't compromised. what can people do if they are worried? guest: there are laws in
12:35 am
pretty much every state of the nation that requires an entity that is doing business in that state, the caller, the text s as an example, that if they get breached, if they have been hacked to the popersonal data hs likely to have been exposed, exploited, they have to inform everybody. we've all gotten those letters, haven't we? that says your data may have been cases, it was exposed. we advise that you change your passwords, do this and do that and you are going to get free credit rating protection. so, they are under obligation by law to inform their as to the possibility of breach. otherwise, you can go to the
12:36 am
website and they are required to report as we barbara is in bronw york on our line for democrats. go ahead, barbara. caller: yes, the first question i had when i heard this story is why does one company have such power? control all this information to get it hacked? and i think one of your callers gave me an answer. that is the lobbying. i guess we don't have anti-trusts anymore. one company keeps gobbling up every other company and we end up with just -- we make it so easy for the hackers. can anything be done about that? money and politics, we know is hopeless. anything be done about it? guest: you raise an interesting point. for me, less about the question
12:37 am
that has been -- could occupy thousands of hours of airtime. but, about that mentioned. this is something that the health industry needs to do. what we found in this changed health care company, the software program, it serves one third of the market. that is a concentration risk. as an industry, the health care center needs to look at what are all of those chokepoints? what are those critical services that are provided to the health care system that a certain part of the plumbing, that if that one service, maybe there is only two or three of those services that do business in the united states, that facilitates the function of the health system. one of those 1, 2 or three services were hacked and brought down? that shuts down the whole health
12:38 am
know what companies, what services, what software, what technology is indispensable to the health-care industry. and to any critical infrastructure, whether it is transportation, this is why we have this partnership with the government, to be able to collectively assess the risk about concentration, threats and risks. host: ken in richmond, virginia on our independent line. caller: yes, greg. i've been listening to the commentary and it is quite ne say. i'd like to know if you have some examples of the federal apprehending, prosecuting, convicting and punishing individuals who have engaged in
12:39 am
what's disrupting the health care system. i see you smiling right now. but it doesn't sound -- i want to hear some deterrence and some retribution. what can you say? guest: there is plenty of that. the fbi in particular for domestic crimes in the united states has extensive and sophisticated cyber security division. when an organizations hacked from any sector, it's fairly typical that they go to the fbi. one of the first because they are going to make is to the regional field office of the fbi, where they start an investigation. they will bring in the company. the hacked company will bring in a cyber down where did this
12:40 am
come from? where are the footprints and the fingerprints? the fbi is involved in that process as well. there where prosecution of the criminals is brought to bear. but, when are we going to stop crime? it's overwhelming. any local police department will tell you that. the fbi will tell that. i think they do the best they can. host:
12:41 am
12:42 am
