tv   Health Care Cybersecurity Discussion  CSPAN  August 14, 2019 4:55pm-5:56pm EDT

4:55 pm
>> bi request facing the healthcare industry. cybersecurity experts talk about risks and possible solutions. topics included insider threats, ransomware attacks on hospitals, medical devices and privacy challenges in healthcare. this is an hour. >> good
4:56 pm
afternoon everyone, thanks for joining us. my name is greg mathis, i felt policy advisor to senator mark warner and again for joining us for this cyber security office briefing today, is company on cyber security and healthcare area as many of you may know, underwater along with cory gardner the bipartisan adversary task force in 2016, this goal of shedding light on some of the most pressing issues are kind when it comes to cyber security threats and how they impact our nation. for today's briefing i think specifically we've seen a number of very high profile extensive and quite frankly potentially dangerous cyber security attacks in our nation's health care sector. we brought in two individuals today that have a wealth of knowledge in this area will robert lord who is chief strategy officer at protenus. protenus, i'm sorry about that and so you'll be here to give a presentation talk about this important topic as well as we have an who is ceo
4:57 pm
of dhi and so without further, i'll let the first presentation get started. >> thanks so much greg and thanks to everyone. i rarely thought that our standing room only so i really appreciate your guide today. as greg mentioned i'm robert lord, cofounder and president and chief strategy officer of protenus and a fellow at new america's security policy program. while a lot of information today comes from research that we got protenus and some of the work that we are currently a new america, i'm not speaking on behalf of either of those organizations today. i'm just talking from experience and a little bit of perspective on the challenges we see in the space. >> i just want to contextualize this a little bit because
4:58 pm
when we talk about cybersecurity it can be a little too much and by and people inputs. the first thing that i would not when you think about healthcare cybersecurity is the patient that i had when i was at school. i was fortunate to work in a clinic that focused on treating hiv-positive patients in baltimore when i was in school and one of the things you learn quickly about this population, other than they're an absolutely wonderful, complex, rewarding population to work with, is they have extraordinary concern around the privacy and security of their information. they will go to extremely make sure that people do not find out about their diagnosis, treatment or that their coworkers, their community and so many others that might use this information against them, this extremely vulnerable community and one of the things that i began to think about treating the patients was what are we doing to defend their health data and information, these workers. and the more that you think that question, this is back
4:59 pm
in 2013 and 2014 when i started, more hard the answer is. the reality is the challenges that we face in health data are extraordinarily cool and say i'll try and give you a case not only of the important" and stories the color the salad and also the data behind all of that. >> so i think makes sense to start with the average back in 2015. this was really for many people and i show of hands, who got one of those at the notification letter from our idea to. this was about half of the us population more or less, a third area on the 40 million medical records free, will never know the exact number but for many, this was a massive wake up call the fact that health data was centralized in many cases, i vulnerable and highly valuable certain parties as well. unfortunately, the story did not end with the average.
5:00 pm
we keep on coming. so we just had a brief, a lab or an mca breach. with about 20 million medical records or patient data, individual patient data is identified, not sure what the final numbers are. back in 2016 we had a major ransomware attack that reduced the entire hospital system to pencil and paper. so imagine all the electronic health records, all electronic systems, i can't think back to my days, and now you're using pencil and paper and one does not connect electronic system, it's scary. and this isn't just a couple of active either. if you look scale it out, recent report really back not too long ago showed that 70 percent of health systems reported experiencing a major breach and a third of those experienced one in the last year. so if you think about this
5:01 pm
entire picture together, we are in a terrifying statement now and one not necessarily always talking about but i can tell you health systems are aware of it all the time. so i'm not a person on speculation but also always makes sense proactively. there's also the significant possibility raised recently in a bloomberg article on the ability of whether state actors or individual or other types of criminals to engage in medical blackmail. typically these incidents are highly behind-the-scenes. there are some great area reports but most of the time these are not reported if it is the case tracking. >> ..
5:02 pm
can go for a on the black market. they suspended latest more medical records of come on the black market in these numbers have come way down but there's a lot of value in there's a lot of value for a lot of reasons. they can be used for insurance fraud, fraudulent claim. you can steal someone's idea and you can do it very confidential anything about the information that medical record. pretty much the entire medical history of someone's past illnesses, their family members that location their financial information is all in there the only thing that has more information on an individual is a comprehensive. -- copy. the insurance or bank accounts as you mentioned medical blackmail. you can also unfortunately people use it for monday in personal attacks for courtroom litigation and messy divorce cases. we have seen it all in there and of course you can run false
5:03 pm
fraudulent medicaid billing mills as well. so a lot of unfortunately really terrible and really deeply devastating crimes can be committed with medical records that obviously have impact that can go on for years and years. recently there was a cbs this morning report that featured some debate i'm going to show you today that showcased an individual who basically while he was in the service yet his medical identity stolen and he was resolving those challenges for 15 years afterwards. a wonderful guy and he's been dealt quite a hard blow. so what i'm going to show you next is physically the data we collect on a regular basis. protenus data focuses on health care but i'm not here to talk about my company. we also have a research group that works with third parties to identify trends and identified
5:04 pm
data breaches and help cybersecurity in general. what i'm going to show you uses the information collected from public sources as well as in the end interest in proprietary data that will add color you won't normally see in this kind of thing. one thing to start out is that in 2010 and i don't show up away back here but in 2010 there is the systematic increase in the number of data breaches that occur every single year without fail, without exception. we see this since we have been tracking the data specifically. we have seen it every year and already we are projected to have another record year. this number you see here the 285 is just a half year estimate from a recent analysis so we will continue along this trend and we both beat out 2018 unfortunately. we also want to look at the number of records breached so including the 2015. where if you go to 170 million records that year and 2015.
5:05 pm
in 2016 we had a banner year with big big breaches so that was almost 30 million. in 2017 we thought it would normalize a little bit. i was just a couple of the breaches and we will get better and of course it tripled in 2018 and in 2019. that estimate means 32 million. that's just a half year estimate that is not a full year but we are once again on track to break another record when it comes to another record breached. importantly you may want to know where this breaching is occurring. of course hacking information concerns what people think about when they think about these types of challenges and that breaks down and i can go into more detail but that's a mix of what we have seen from a phishing perspective with malware and miscellaneous threats and i won't go into all the details that we provide a breakdown of this which by the way you can download.
5:06 pm
it's totally free. just google protenus data and you can find it. this is relatively consistent. between 25 and 40% of breaches are due to insiders. that's an individual thread of some legit mall -- legitimate access entities that. when i was the lowest of the low medical student in my white coat that could access any medical record of any individual who ever passed through my institution and that was not because my institution was unique in this respect. that is true of virtually every single health institute in the world. the reason emergency access you need to be able to get access very quickly. you also have to have extremely complex of armed with where practically using access control as i'm sure somebody in the audience have been thinking about is too complex to tackle with that type of threat.
5:07 pm
this insider threat serves as one we underappreciate that leads to a huge proportion of the breaches we see all the time. as far as who is the most vulnerable this may come as no surprise but obviously the lion's share is hospitals themselves. this is not because hospitals do not care about this problem. quite the contrary. they care an extraordinary amount but keep in mind hospitals are often running on a laser-thin margin and their technology is not always what they want to be. when they look at their list of priorities there's a lot going on that they have to be thoughtful of and of course they have to make sure that the most people have access to these records. how can you make sure that all of those individuals are not committing a violation. so major challenge in a giant threat do the phishing problem. if you have a 99 .973 of
5:08 pm
attacking systems there will be a lot of breaches and that's a big problem. questions. [inaudible] it's hard for me to comment as a member of the earth on a lot of the state-based activities that occurs in these places. i'm not the person to necessarily talk about it because that information is not our money available to me however what we see as the lion's share people who are not some sort of espionage type of situation. just a hospital employee that might be using it for criminal gangs for abusing their access for a pack of colleagues to look up the vip. it seemed people look up local
5:09 pm
sports stars for fantasy football edge so it happens. it is a pretty scary situation out there. so i'm going to tell you a nice story as well. this is like the one good use of data you will see here. what this is is the average time for an individual health system to report a breach to health and human services which they are required to do within 60 days. they are really good about this. hospitals are extremely responsible and thoughtful. they want to know something they do report it so they are doing a pretty good job. we've seen a little bit of a trend lately on reporting but most of the time everyone falls in line which is good however this time to detect a breach is not so good it's oftentimes we will be inside health systems for weeks, for months, for years. we have seen 10 years plus of bad actors inside of health
5:10 pm
systems and they just keep on going. the problem is not reporting it rapidly but it certainly is in detecting it rapidly. here's a number you won't necessarily see a lot. we have done some analysis at protenus to understand how many violations physically occur in a given month based on institution we have seen for every branded individuals you can expect about one privacy violation to the patient's data per month. that means if you have 30,000 employees in the health system you are talking about 100 or visit violations and 1200 per year. if you think about what's being reported you can only get this want to get a conference of analysis in the system to understand how many violations are happening. it's the scope of the threat we are seeing got the whole system. in addition is a great
5:11 pm
opportunity here to focus on education and remediation because another thing we see is the majority of the offenses we are detecting are repeat offenses which means someone has already violated patient privacy and we haven't educated them so we are going to do it again and again we see this pattern over and over. often we can reduce by half the number of violations that occur if we are proactively protecting these threats and ensuring the individuals are appropriately sanctioned for that activity. this is somewhat of a whole because it means to a certain extent we can predict and prevent these offenses through thoughtful workforce management. so i want to be brief in this next section and note very briefly that my work at new america is on a white paper which should be released next month that addresses three core areas of challenge and i will be thoughtful of the time because i'm running over here but the areas are essentially culture, workforce and technology. when we look at culture is all
5:12 pm
about how do we create accountability quest that we appropriately fund hospital so they can make sure they are getting the job done and how to work with existing regulatory structures to be more effective and more forward-thinking? our workforce is how we build the future workforce and how do we retain the available workforce that we have and how do we prevent burnout or making sure we are not having people do continuous repetitive low value attacks. finally from a technology perspective it's about getting a lot of legacy junk out of the system. we know there's a lot of legacy technology. there are areas where we can clarify when it comes to guidance and then finally it's about whether its devices or software lifecycle when comes to creating these abusive software devices that are ultimately treated. at the end of the day it's all
5:13 pm
about patient safety. we do all of these things in the end to protect patients and defend them from these threats and make sure we do. it's with the hippocratic oath in a way and that's what we do here for privacy and security. i will now wrap things up and hopefully we can take a look at this in september and there'll be a much more interesting speaker talking to you then. thank you very much everyone. [applause] >> it's true. i haven't been affirmed as crowded. it's been a while. my name is jennifer bordenick and robert set up a really nice framework for us. he kind of gave you a basic overview in terms of where the
5:14 pm
data is on breaches and where we are going. i'm going to spend a few minutes talking a little bit about some of the misperceptions around hipaa policy and cyber policy and talk about current policies and practices and how we are actually evolving into what could be a national security threat around cybersecurity and health. cybersecurity has nothing to do with health care. e-health initiative has been around for about 19 years and we are group of influential executives from across a spectrum of health care. we bring together leaders from all different groups, payers providers vendors pharmacies etc. to work on really tough issues and our belief is that you can't just talk to hospitals about health care. you can't just talk to providers and clinicians about health care. health care is a continuum so we need to join with pharmacies, patients and vendors. this is a problem, an
5:15 pm
interconnected network problem that we need to sit down together to figure out how to solve it. we have done a lot of research, education and policy work around cybersecurity. we have a new white paper out. we have some fact sheets surrounded but which are available for you and many more on our web site. we really need to stop looking at cyber and privacy policies and stop thinking about health care data in terms of what building it belongs to or what about the should it be and great health care data doesn't stop at the door. your hospital data shouldn't only be within the hospital. you should be able to access it from your home, from your phone. it's all over the place so in terms of thinking about rolls around cybersecurity and secure data doesn't make sense to think about it within an institution
5:16 pm
always. need to think about it in terms of the greater spectrum. i just want to be frank with you here. we have done a horrendous job in health care and technology talking about hipaa. privacy policies, what health care data is, where it lives, why it's important all of those things. when people think about cybersecurity they generally think about elections whatever the latest story on the news is right now. they are not thinking about their health care data. part of the issue is we have made it so technical and confusing and we throw these acronyms that use of people just understand it and it sounds really overwhelming and i will be honest with you when i started in health care two decades ago i felt silly asking questions. i felt like i had to be a lawyer or legal analyst to ask questions they were so
5:17 pm
complicated and technical. how many of you have been in the doctor's office filling out a form and you say why do i need to do this again and they said to you because of hipaa, right? hipaa is the big bad wolf of health care, okay? whenever you can't get something done a lot of times and the excuse given to you will be because of hipaa so your doctor can't talk to your loved one about your condition because of hipaa. that's a myth. your doctor needs a written authorization or they can't share your health information. that's another myth. doctors aren't allowed to e-mail patients. that's another myth. hipaa protects all of your health care data, another myth. i'm going to go into these last few because these really drive me nuts. it's an organization is dubosar
5:18 pm
right it's okay to share information with them. there is no such thing as a hipaa certified organization. i will say that again. there is no such thing as a hipaa certified organization. hhs does not go around and certify organizations and say you are completely in compliance. they don't do that to every single health care organization. what often happens is that organizations will say they're hipaa certified. that typically means they believe they are compliant with hipaa the way that they interpret it. another myth out there if the consumer uploads her medical record into a health app that bad information by hipaa. wrong. there is no such thing as a health certified or hipaa certified health app. it's not out there. if the company offers a direct consumer app or if you download
5:19 pm
an app directly from an organization and its not provided on the behalf of a covered entity it's not covered by hipaa. it is through in a word there. this is where we get a little bit confused and people's eyes glaze over little bit and make it a little bit confused. let's talk about what that means there a couple of key questions around apps and whether or not they fall underneath hipaa. it all depends how an app is branded. it depends how the consumer gets the app. depends how the data flows between the app and the hospital or the doctor's office. depends whether or not it's coming from there. these are a lot of little things that can determine whether or not the health app is covered underneath it then has to follow that the regulations.
5:20 pm
generally hipaa covers data that in health plans with health to providers conducting transactions like billing, clearinghouses and business associates. another term that's probably a little bit confusing which we'll talk about. who counts as a business associate? i'm not going to make you read this. let's give you an example. say we have got sally. sally goes to her doctor. her doctor says you have diabetes and i have this really great app that will help you manage your condition you'll get some counseling along with fred eckhard about a third rate app company so sally's physician gives her the app. she goes, she uses the app. that app is covered by hipaa
5:21 pm
because it came from the provider. the provider recommended it, and the provider's name might be on it so it is in effect coming directly from the provider so that app is now supposed to comply with hipaa which means it should protect all of your health care data in there. this is where it gets a little bit tricky. say we have got sally, the same sally. sally picks up a newspaper or picks phone and reads about this really new cool health app that apple has. she downloads the same exact app directly and put the same kind of data in it. that app is not covered by hipaa because it was direct to the consumer. so you see you can have the same apps with information and it that is supposed to comply with
5:22 pm
hipaa and then you can have one that's not even with the same information from the same company and this is what makes hipaa a little bit tricky to figure out. it doesn't quite make sense and that's just one of the reasons we have to really think about where this is all going. there's also this healthy type of data. your concert care or network on line or were just a pregnancy test. you purchase information about a sexually-transmitted disease. you join an hiv group. gps data shows you go to a psychiatrist every thursday. gps data shows you are in rehab center for six months. all that information is healthy-ish data. it says a lot about your current
5:23 pm
condition and reveals a lot about you. that's not covered as well. a lot of people would be concerned about the items they purchase at walgreens or cvs or amazon going public than their medical record. everybody is using these third-party apps for third parties to call them. even same as the one on last night has a list of third-party apps that they use. if you go to the site you can see all of the different organizations that cms is sharing your information with. you can link to them and in some cases you can opt out. this isn't just happening in the private sector but this is happening in the government as well so it's important to know that when you are thinking about hipaa. so we spend all this time and effort learning about our health care data and making sure it's protected under hipaa or not protected under hipaa.
5:24 pm
but what's so amazing to me is so much of this data that we are trying to access so carefully we are giving it away. how are we giving this data away? has anybody read the fine print? i just pulled this down for my own personal health plan in the doctor's offices that i go to. this is my personal information but if you actually read that and i encourage all of you to read the fine print you will see in many cases the policy says they don't have to agree to do what it says they are going to do. many cases it says that they will share this information with contractors and authorized partners but they don't tell you who those people are. they use normal routine health care operations. i'm not sure what i was normal
5:25 pm
routine health care freshness. that does mean that help developer will be in the office that day and may access some of my health records may be but it's really important to understand what it is you are signing away. a lot of these will say we can change, we reserve the right to change the terms of this policy anytime we want. if you want to learn about that you can. up a copy of the changes. a lot of the fine print is really giving a lot of this information away. so, we have heard a lot about health care data and how valuable it is. i think everyone in this room can attest to the fact that we need the data to find cures for cancer, to discover new drugs, to save lives. it's valuable data but we are
5:26 pm
finding that bad actors want this data as well. so guess who else wants your data? i was pretty naïve when i started in cybersecurity. i thought the reason everybody wanted this data was because they wanted to break into medical records and find out how britney spears or selena for somebody in rehab or what was the medical condition if someone is pregnant and all the celebrity things you hear about. or that they wanted to bribe people. don't fool yourself. it's naïve to think this is just about bribery or understanding celebrities or someone even trying to steal your credit card this is happening right now. there is a new break and it's
5:27 pm
around health care data this is the fastest growing business globally. chinese investors right now are pouring in the first nine months of 2018, 43% of all their investments went into biotech in 2018. companies globally are involved in economic espionage and companies that handle patient data are particularly greater risk. they are taking this data. this is really a space race. whoever has the most data wins. think about it. think about the amount of profit that could be made by the next
5:28 pm
influenza vaccine, the ebola vaccine. think about the potential bioterrorism that could take place if he discovered a certain population was susceptible to a certain germ or drugs. i am really grateful to supervisory special agent ed hew with the fbi. have any of you heard him talk before? he's from the weapons of mass destruction directorate here and that's all he does is study these different countries that are basically not just hacking our information but taking our information when we give it to them. and that is what is generally happening. the data that they are taking can be used to exploit us. they can discriminate against certain groups. they can create bioweapons and they can target us but most importantly they can get economic advantage. look in the news.
5:29 pm
all of these companies are working with chinese companies in this case, not just china but i have many examples here from china where u.s. corporations are sharing their data with chinese owned organizations. so basically our information is in many cases being given to the chinese. there is assertive biden means cms medicare and medicaid services allow you to work with organizations outside of the u.s. and share data with them. so imagine you are a health plan in the u.s. and you direct all your labs and all your dna tests to be handled via a chinese company. it doesn't have our best interests at heart.
5:30 pm
if you look in the news sometimes you hear about the chinese hacking data but more often than not we are actually giving them the data. there was a report released this year that doria of 2019 by oia cmbs the eye and identified national security risk related to genomics data. this is happening right now. it identifies china as the primary source. there are concerns right now because nih has given access to u.s. data to for-profit companies in china. ..
5:31 pm
5:32 pm
5:33 pm
5:34 pm
5:35 pm
are there other avenues we might want to be worried about and if we could talk about that for a bit as well. >> you guys can probably hear me we certainly see this all the time. does that work? all right. so one of the things that i mentioned was the potential ransomware attack. this is what essentially you have a form of malware that it puts all of the data in the health system and makes it inaccessible to anyone using those systems effectively shutting down anything that runs on any form of data. there are still some things that hospitals probably should but they don't do that means it can be huge because suddenly you've lost access to critical systems. another big concern that has been proven time and time again
5:36 pm
is we have done theoretical research and we don't know if potential device related hacking you can imagine insulin pump certain implanted defibrillator could readily be call provides a good he used the fully given the function of those devices that could kill a patient are certain -- seriously injure them. those are two brief examples but they are very serious and they are very possible and there are incidents out there that have been proven to be positive. >> right now there is malicious software that is attacking microsoft and other widely used software and a lot of the medical devices have on top of that software. so it could be they're not necessarily attacking the medical device itself but the software it is connected to and that's happening right now. a lot of people don't recognize when their machine or the device or hospitals don't know if their device is connected to something that's been attacked
5:37 pm
maliciously. it's happening right now just out of the way you think about it. everyone saw the homeland episode that the pacemaker getting attacked so we are not seeing that so much right now. but definitely we are seeing a lot of attacks on general software that's connected to those things and we don't have a good way right now to notify people and priests out. if you think about medical devices once they are out there we would need to know exactly where the manufacturer sold them, what providers bought them, which patients they were given to. think about the chain of events in terms of where medical devices go so pretty long chain. in terms of the notification there are specific guidelines where notification is supposed to take place but it's a real concern. the more this has happened the more dangerous it's going to get. >> in your mind me where the
5:38 pm
sources are coming from with these attacks whether it's insiders or is that proportionally the number patients attacked? >> this is based on incident number. those percentages so obviously you have a bit of a skew towards hacking when you look at it from a percentage of records compromise. because those tend to be the biggest type of breach event. that being said but sometimes can be the most damaging to health systems are one-off types of attacks because they may be very public. they may be very personal and they may be one-on-one types of vendettas or legal actions. when you look at the total risk to the system you can make an argument either way but to your point is a very good one if you look at total number of records compromised you get more hacks. there is an insider type of fare that happens.
5:39 pm
>> we are going to go to the man in the blue tie back there. >> i appreciate your comments and do what you said earlier tblisi impact to ransomware mpac specifically because surgeries are canceled and ambulances diverted and we have seen that from our members and we have seen the adversary go after smaller hospitals. they are increasing their ransom demand and going to backups first. very troubling. so very concerned about that and i appreciate your comments. and on the data point would you
5:40 pm
agree with the majority of the number of records compromised? >> i think sometimes we need to be thoughtful about incidents versus right or it's as a measure of risk because sometimes incidents and the in the greatest vulnerability which may or may not exploited. things that may have less of an impact on the institution and their patient. it's a really good point and i would applaud aha for the great work they have been doing in this space to bring light to it in the work you are doing john. >> reinforcing your point it helps our members become aware of the acute threat posed by nation-states targeting medical research and information. >> thank you and to piggyback as well these attacks are the most common. it is external but it you can address it with training.
5:41 pm
a lot of companies have trained their employees so they will send it in an e-mail and the people that click it have to training. you can address that but that is the number one way that people get it. >> we have a breakdown in our data they want to look at their port. by far it's the largest portion of the hacking events. >> this gentleman will find you with the mic. >> what kind of policy has been recommended or should be recommended to address this issue? >> mainly the hospitals to protect against companies to foreign nations like china. >> we generally haven't seen that but what we have seen are these phishing scams so as to training and education in the
5:42 pm
larger hospital organizations and large corporations are launching a large-scale effort to train their employees to not click on things. that's the number one way the people get into your organization. if that helps externally and some of the nations get a guess but it does all around for the most part they get in from inside door. >> the only thing i would add is i think you bring up a pretty broad set of challenges. even if you look at one discrete challenge usually it's across many different dimensions and that's what we are working on in american particular would just understand happily change the culture of the organization around education? how do we look at the technology and are we using the most modern technology artificial intelligence and looking at the developmental lifecycle and doing everything we can in at the end of the day human beings are defending the systems as
5:43 pm
well as the vulnerabilities in the training of pipelines that we create have strong and diverse well-trained workforce in the future is very important. there's a lot of policy organizations. i'm hoping it can empower poor concrete recommendations. >> organizations like aha and the other associations and societies really get out there and do what aha is doing, educating people because people don't know it's a problem that's happening. the more you can talk about in your offices or your constituents is really important to bring up real-life examples with them. >> i've been seeing a lot of academic literature real push on the internet saying it will save us from human error when we are talking about i.v. transfusion pump but i always did have this
5:44 pm
fear in the back of my mind that these things are hackable but most of the literature i'm seeing lately dealing the securities focused on the path of data collection. there really is not as much direct risk there or is that something that will be forthcoming as more of these crises become mainstream? >> a lot of these systems are very smart and there is always human error. we are finding that medical records are in many cases more secure than they were when they were paper records in many cases but you know everything is going to be hackable eventually but there's always going to be when there's no 100% guarantee that something will be safe so if someone is looking for that they are going to find it. >> for me from my perspective when i was a medical researcher in school i focused on almost entirely patients it is a topic that i worked on.
5:45 pm
i can tell you absolutely there is a really important role in improving patient safety. one thing that i think gets lost sometimes is you can't lock everything down and let's go back to using a scalpel and a pencil. it's not going to work. we have real gains we can make by leveraging data and leveraging modern technology and frameworks like the internet. i think sometimes we frame it as an either/or it's not an either/or. we need advanced technologies and we need to deploy technologies to protect that data and systems. when we start thinking of medicine and is antanov and/or we fundamentally shift the curve into doing it all the time. >> hi jennifer.
5:46 pm
i'm not sure how familiar you are with a theme apart but mips one thing that is left out of this conversation when you're talking about research universities are a giant, giant hole for a lot of this hacking but also particularly from foreign influence especially because most want to partner with other universities especially in china through. you should want collaboration because the nature of science is what i would argue coming out of m.i.t. and how we know it needs to be actively monitored especially with the genome stuff you are talking about earlier. identifying someone based on their ethnic heritage and it brings up the question of should
5:47 pm
we -- investors in the tech? it's ridiculous considering we are to have american science being somewhat culpable and what's currently going on at the moment. >> it's a really good question. and i don't think there's an easy answer to it because, of course not. first of all there were those few chinese scientists who i believe were just indicted for doing exactly that, what you are talking about it's going to happen again but we need to share this data openly. we need more data or we aren't going to discover the diseases we need to set several complex question. could be a matter of how we share the data and in what format. the other issue is one of money. chinese investors are putting a
5:48 pm
lot of money into biotech in this country. there is a financial question as well as an ethical one. i think it's a conversation that has to be had. one of the things i don't think we have asked at all of the general public and we don't know about consumers is what consumers think. how open do people actually think their data should be? there are people in this room willing to share their data. i don't think we have a good sense of which way the general public is going as well and they think it will be hard to make policy without knowing that. there are no easy answers but they are all questions that need to be discussed and we need to find out what the public perception and perspective is as well. sorry i didn't answer your question. >> i guess the frustration that a lot of us in the national security and especially when it comes to china have is that
5:49 pm
frankly when it comes to trade and when it comes to science, when it comes to the south china sea it really seems like china gets the benefit of operating and within the international system but not the responsibility or the word of having to follow the rules. he even if you decide yeah all right find it in-app access to american health data but you can only do it through cms. cms has to be monitoring it and the reality is maybe investors don't have a choice as to whether or not they want to do that as their companies are owned by the chinese government. most companies i believe a member of the chinese communist party has to sit on the board of that company. i guess the question is because sure we should be having a conversation and asking the general public what they think about issues like this but the issue i have with it is an issue
5:50 pm
that a lot of people have been dealing with china's how do you deal with the neck or that you would do with uneven terms? should we make them understand that while the relationship is one of symbiosis and we rely on them for trade at what point do we have to stand up and say no, not today? >> we are starting to do that. the administration put a halt to the 23andme investment that was going to take place with a chinese company most recently. this is already happening so their money as authority here in many places so it's a real, i'm not sure what putting a stop to it would mean right now and what that would look like but maybe that is a decision that policymakers have to figure out. at the same time nih has gotten a lot of really important data from other nations. you really have to balance what's important.
5:51 pm
>> good afternoon. i'm from senator manchin's office and i want to take the time to thank you all for taking the time to come to capitol hill and deal with this issue. i'm from west virginia and while our state has incredible community health networks such as in huntington, morgantown, charleston so much of our work is done at the local level in small rural clinics. the amount of information that they are able to retain on patients is incredible. obviously as we talked about earlier resources are scarce especially money. whenever margins are so small within health care but particularly in rural appalachian west virginia the resources are even more scarce. as we see advanced instant things such as telemedicine what recommendations could you offer
5:52 pm
to make sure that even though the resources are scarce we are still utilizing technology at the local level and still have the best protections in place? >> i can speak to that. we had to have a recommendation that specifically relates to rural settings. as you may know some of the barriers to protecting these facilities are often related to existing laws with large organizations providing product to funding to the smaller affiliated clinics that represent major weak links. so to put them under the security umbrella at a larger hospital may want to do that but they are not allowed to because of the current legislation. thoughtful reform to that would be in the longer-term sense how do we thoughtfully scale using technology, types of automation and the types of insight in the types of proactive detection
5:53 pm
that can reach out through networks of different providers and not necessarily have an individual human at every one of these sites watching it.
