tv   Politics Public Policy Today  CSPAN  October 13, 2014 9:00am-11:01am EDT

9:00 am
i remember the days when we had the first evidence of the aids epidemic and the people that brought home the reform in fda to get some of these therapies out quickly were the groups of the gay community. they studied the law of the fda and argued you don't need to take so long. you don't have to wait until the end result to show that a therapy is safe and effective. you can have markets and you can get these products out more quickly. i think the collaboration between the private sector where the market forces were pushed to move forward and we want government not to stand in their way by undermining them with less stability for their work. the private sector and the disease groups and most
9:01 am
representatives of disease groups know more about the diseases than anybody else. they have worked so hard to try to understand what's at stake. pressing the government to be as flexible as possible. i think it's important for the infrastructure for the 21st century cures. i want to say i would be a little cautious about thinking we can solve big problems with legislation with all the unforeseen consequences that can sit in at a panel here ten years from now and bemoan. i guess that's not a question, but comments. i thank the witnesses and particularly, my good friend and constituent mike milken for all that he has done. >> thank you, mr. chairman for convening this roundtable and thank you to the expert witnesses for your insights.
9:02 am
every time we have one of these hearings or roundtables, we learn a lot. we had an excellent roundtable with dr. collins, dr. hamburg, our chairman, dr. burgess, frank blum were there. it was very important and meaningful. dr. collins, you've forcefully made the case that it's imperative for congress to prioritize funding for nih. while i understand the importance of ensuring that funding for nih remains stable and predictable, congress is at a crossroads where federal dollars are already committed, particularly as they relate to federal entitlement and safety net programs. if we are going to find resources to stabilize and or potentially increase nih funding, congress is going to have to work hard at prioritizing resources that are
9:03 am
focused on advancing science and research to spur the next generation of cures. this is the question -- are there existing sources of research funding? that congress should examine as it attempts to find federal dollars to help advance the next generation of cures. your thoughts? >> i don't envy the position all of you members of congress are in with our nation in a very difficult fiscal deficit circumstance trying to figure out how to balance the needs to support important government activities and i would submit that medical research is a very important government activity which, if not supported by the u.s. government, the basic science that nih does simply won't get done. at the same time i know you have to figure out how not to have a circumstance where we bury our
9:04 am
heads in the sand as the deficit grows, so you're faced with many difficult choices. one of the things we have been trying to do, and it has helped a bit, is to try to identify other ways to support medical research and other than the traditional nih appropriation. one that got started about six months ago is a partnership between nih and ten large pharmaceutical companies called the accelerating medicines partnership which is really unprecedented in its scope. the goal here is to try to identify that next generation of drug therapies that we know is waiting to be discovered given all of the breakthroughs that have happened in fields like genomics. by putting they will together, academic researchers and companies could be pretty exciting. the companies recognizing that, and much to their credit, are
9:05 am
willing to engage in a partnership with nih where all of the data is immediately made accessible. it is not one of those where it is hid behind a curtain and we would have a hard time participating if it were. this partnership which is being equally supported financially by both the companies and the nih, 50-50 split in an unprecedented way is moving forward on diabetes, on alzheimer's disease and on rheumatoid arthritis and lupus. my colleagues in big pharma and i watching personally over this closely wanting to be sure this doesn't run off the rails i think are quite gratified by seeing how far it's come in six months. that's an example of creative ways to try to do things. we are working in every way we can to identify partnerships in other parts of the governments. we have a number of very exciting initiatives including some that aim to put cells on a chip to allow you to investigate their behavior. i have a kidney here on the chip, by the way.
9:06 am
i got a lung over here. these are basically amazing technologies, bringing together the engineering skills with the biology skills of our nih investigators to move things forward in a fashion that could be great for identifying drug toxicities as well as effectiveness. you're asking about other places to go and look. i'm probably not in a great position to be able to say of all the various parts of government support of where are there opportunities. the board of governor includes the nih director. the patient-centered outcomes research institute is what that is. they are working hard to try to identify in a research/evidence based way what are the actual interventions that work and which ones don't work for patients in the real world. obviously issues that we really do need to know about. it is a hard working organization that's only been around for two or three years. i don't know how to balance those particular kinds of decisions that people are struggling to make.
9:07 am
i want to promise the group that we are not just at nih saying give us money and we will keep doing things the way we have. i get it. we have to be creative and make reforms in the way in which we administer our own funds that we through the public give to us. we are looking at every nook and cranny to come up with ways to be more efficient. i promise you this is not just researchers with their hands out saying leave us alone. we understand the obligation to be incredibly efficient and creative about what we do. and productive. we are willing to put ourselves under the microscope. >> mr. chairman, can i suggest a couple? one, i would say scoring. when we look at how things are scored, we need to totally re-evaluate that. i will quickly cite one example. fellow board member of mine and close friend for many years,
9:08 am
ward tripp cosells, was identified 13 years ago with advanced cancer and given a short period of time to live. he engaged in every known clinical trial, in this case for prostate cancer. he recovered and over 11 years, i would say ten extremely productive. he led two tours of duty to iraq where he led our medical efforts in iraq. one in afghanistan while he was taking chemotherapy. became the assistant secretary of defense in charge of the health of everyone in the dod. when we had issues at walter reed, he was called on to solve the problems at walter reed. founded two bioscience companies. was previously the doctor for both president bush as a cardiologist, and hired 2,000 employees. in the scoring, everything he
9:09 am
accomplished in the 11 years, not the least of which was 11 years more that his young children had with him who were very young -- 3, 4, 6 at the time. all of them will remember their father and their lives will be different and children's lives will be different. his score was zero. of any benefits of those treatments that he got. so we just count the cost, we don't count the benefits of this great american patriot. in the 11 additional years, he got every person and cancer dies approximately 16 years before their life span. i would say scoring. two international lives. the first gulf war supported by henry kissinger and others' efforts, the united states put up 20% of the money. other countries put up 80% of the money and the u.s. managed 100% of the money.
9:10 am
there is an enormous opportunity to drive research if we focus as part of the state department and other international efforts. other countries on a per capita basis are far wealthier than the united states today. norway, for example, many years ago set up a fund for the north sea. it's kind of a rainy day fund. their goal -- $500 million u.s. that fund today approaches $900 billion. they overshot that fund. in the united states, that would be like if you had a fund of $60 trillion sitting there. they can play as many other nations can an active role in activities if we had the structure here to get financial support from them today. third is the young scientists. many things have been created to encourage young people to work
9:11 am
in the field of teaching. and if you go and you get teaching degrees from universities, if you work in inner cities or difficult areas, we forgive their student loans that they've had. almost all nobel prizes have been issued for ideas within five years of school. you might have been 60 years old when you received the nobel prize, but the idea was generated when you are 25 and 30. today the average age i'm assuming is in the low 40s. 42, 43. of the first time an individual has received a grant. how discouraging can that be for a person with new ideas? today all of us who had children grow up and go to college and leave are intellectually challenged when our teenagers leave the house and go away to college as to how something works. this is the same technology
9:12 am
that's available in science today, but we haven't found a way to encourage people to stay in science, to stay in research, to stay with the nih. one of them might be easily to forgive their student loans that they've accrued being a doctor, a scientist, et cetera, if they work in these fields. there is benefit the same as a teacher in the inner cities. lastly matching to challenge the american public. challenge philanthropies. we have funded over 500 young scientists. it's amazing how little the money. 1 hub you 100 young scientists for the fda. 100 young scientists for the nih and others around the country. let's challenge the american public where you need matching grants for those young scientists and i think we could accrue billions of dollars in matching grants here to keep
9:13 am
young people and further their careers. >> thank you. i have seven people on my list. >> thank you all again for those of us who serve on the step committee, it's easy to have these exchanges. for those of us who serve on the health subcommittee, it is easy for us to have these kind of exchanges. doctor, thank you what you've done with our gain act that we passed last session. we have a follow-up -- the adapt act -- that would give some more authority and for the future of antibiotics and hopefully we'll do that. my main question, july 30th and 31st joint nih/fda meeting, you mentioned that the u.s.
9:14 am
government should launch a public-private partnership. that would be to facilitate antibiotic representment that would work to establish a master clinical trial and protocol for antibiotics. they indicated that they have new drugs for bad bugs. in europe they like acronyms there, too. nd4bb were crucial to bringing together key stakeholders from the government, academia, industry to tackle the significant scientific challenges facing antibiotic development. ther they feel more about the u.s. public-private partnerships and the master trial protocol. >> certainly can and thank you for the question, congressman. the fda and nih and industry all
9:15 am
got together at that meeting july 31-31, peggy hamburg and i worked closely through our joint leadership council to plan for this. it's a very important issue, because when you see the way in which increasingly infections, particularly in hospitals, particularly in patients who are very sick in icus turn out to be from organisms that resist all known antibiotics, we are on a trajectory that's really quite frightening. the delivery of new antibiotics through the pipeline has been quite slow, for mostly financial reasons. that is the development of new antibiotic is not seen by most pharmaceutical companies as necessarily something that's going to be very profitable. you may have a small market, a short time the drug is delivered. a lot of liability concerns. here we are in a circumstance where the bacteria are increasingly through evolutionary processes after being exposed to way too much
9:16 am
drug prescribing which is going on both in hospitals and in agriculture, are developing these resistances and we don't have at the present time a fully effective strategy. one of the things that we need as part of that strategy -- this was the main topic of that meeting -- was to have a pre-existing network of clinical trial sites so that if a company says we now have a promising new antibiotic, you want to use that on people who are infected with these highly resistant organisms but you have to find them. fortunately, right now you don't find them everywhere. they tend to happen in outbreaks. when you don't have already a pre-existing network with staff on the ground, with consent forms, with irb approvals, then the company has their drug but there is no way to check it out and see if it works in less than many, many months. the idea is to have a master clinical protocol. nih, through our national institute of allergy and infectious disease is already invested already in making this
9:17 am
happen in order to provide industry with that kind of a platform. it is a great example of a partnership where we all have a lot in common, a lot of needs here. there will be, by the way, in the relatively near future a lot more information about plans that we've been cooking up over many months now about how to take a systematic look at this problem of antimicrobial resistance, perhaps even in the next week or two, there's going to be more about this coming from the president's council advisors and from a bunch of the rest of us. >> we hear a lot about ebola and the only two doctors who were able to get something. but mrsa is in every hospital in the country. hopefully we can move forward. >> 30 seconds.
9:18 am
>> i had the opportunity to go through your wonderful facility a number of times this last year and see the advances of what you have done as it relates to animal testing that can help the drug industry. tell us a little bit about -- as we think about trains traveling at the same speed but the tracks are the same, let's talk about what you've been able to do with those tracks and the science to improve the testing and expedite the approvals of what you are able to do. >> you were there, fred, when we launched our molecular imaging capabilities in preclinical work. while imaging is not new, its broad use is gaining momentum daily.
9:19 am
in many cases on a regulatory basis, the regulations haven't kept up with this science. that's not a criticism. believe me. it's not a criticism at . no, but this isn't one. for example, there's no fda imaging approved for biomarkers for early stage. and yet when our clients and our sponsors go for approval, the fda in a great way talks about the old archaic ways of working through toxicology and whatnot and even some efficacy work. and then says we know that are you not required to do imaging, but do you have? of course we do. what that says to me it's our fault that we're not keeping pace with changing technology. and so i think in the case of the regulatory environment within which we live, that it's so hard for regulations to keep track -- keep pace. it's so hard for regulations to really help allow for if you
9:20 am
innovative methods to be tested and used that maybe there's some way to have an emerging issues task force or something along those lines. i'm sure you've thought of this before where when new technologies are available or being used, perhaps not in the mainstream of regulatory approval but are being used to supplement insight into drugs and imaging in particular for clinical trials. it's incredible what kind of insight has been achieved as a result of looking again at biomarkers and absorption, et cetera. so if there were emerging issues task force where in this case in a very collaborative way the sponsors in this case, researchers, innovators, could work with the regulators, could work with academia, the specialists, the subject matter experts, so that we could quickly allow some of this to happen. i know this is a litigious world that we live in but we're breaking new science and risk is part of it.
9:21 am
you saw what you saw there is what is -- it's not -- there's a lot more advanced technology and science than just imaging but it is coming of age today. it can clearly add significant insight, reduce costs, improve speed, as you saw and you know. and i would encourage that part of your legislation would allow us in a collaborative way to be able to work together to be able to allow to experiment and allow to work -- let these new technologies help us meet the goals and objectives that you define. >> just a quick comment about it. very important point. it raises sort of two different issues in my mind. one really speaks to i think a broader opportunity that built on this notion of the importance of public/private partnership and collaborative research in critical areas. there are things, biomarkers, various kinds of computer models or simulations, or other kinds
9:22 am
of approaches where no one company is necessarily going to want to take the risk of trying to develop it and characterize it and get it validated because there is a lot of risk and a lot of cost. but if these activities could be undertaken and we could identify these new research and regulatory review tools, whole classes of products would benefit and many companies would benefit and so we really need to be able to find ways to take some of those research dollars and make sure that they are targeted to these critical areas that are gaps in current research funding that require some of the kinds of new public-private partnership models as well so you get the best minds around the table working on these projects that often are really complicated and involve emerging technologies and how best to use them.
9:23 am
we've seen the benefit already in the biomarkers area, for example, and the biomarkers consortium. these are really underdeveloped models for public-private partnership and so-called precompetitive collaborative research and they're really underresourced in terms of research funding at present time. so i think there is a critical need and it is one where we know that if we develop it, it will make a huge difference. the other thing is that the regulatory process is really cumbersome and congressman waxman noted that congress recently gave us some new strategies and authorities to be more nimble and flexible. but putting regulations into place takes years and the notice and comments process is an important one for getting input. but it's lengthy, et cetera. so thinking about what are some
9:24 am
of the models for how to work in more responsive, more collaborative and more flexible ways in these kinds of situations where an emerging technology and an emerging opportunity is there i think is a challenge. i don't know if it could be fixed by legislation per se at the present time but i think it is an area that we need to delve more deeply into because it really matters. >> and in the end i know in my early years in the pharmaceutical industry that one of the major concerns was we have to do everything ourselves. it's our proprietary information. we're not going to share it with others. you don't see that anymore. there's not a drug that gets developed today that hasn't been developed by somebody, cross licensed with somebody else. there is that collaboration. so i think the movement is under foot. we just have to provide the framework that encourages it to happen so that we can indeed get these 21st century cures to the
9:25 am
public much sooner than we currently do. i think it is all there, but collaboration is clearly the key. >> thank you. good morning. thank you congressman upton and all my colleagues focused on 21st century cures efforts. and to our expert panel, thank you for taking the time to be here. since this effort was launched, i've been hearing a great deal from academic research institutes across the state of florida, our great researchers at the moffitt cancer center, the robust and growing biomedical field in florida. and their top issue is congress provides sustained funding to the nih. that is the number one. when you begin to talk about what the congress should be doing. that is number one. it is followed closely on the shortage of physician residents and these young scientists. i've heard some great ideas here
9:26 am
today but we have this issue, as well, with how medicare pays for physician residents and there is a shortage in a number of states. we were supposed to go and look at nationwide the health workforce and we haven't done that yet. i think hopefully it could be incorporated into what we're doing. i'd like to follow on the last exchange on the biomarkers. because what i'm hearing at home after mapping of the human genome is that, boy, here comes some very cost-effective tests through biomarkers and others that would be -- they would give folks quicker information that they need on their health, they would be a substitute for a very expensive invasive type of test, and the folks want to know, well, why when we get these
9:27 am
approved do i have to go back to cms and start all over again to get something approved for medicare to pay for or, is this a problem that you all are hearing about? maybe you can talk about that. there seems to be these emerging cost-effective tests out there that would help us save money down the road and give patients quicker answers. >> well, thank you very much for that question. i think it is a really important issue and i think we're in the middle of three revolutions. when the genomics revolution, et cetera, when the big data revolution and then we're in the middle of a health care revolution. so i think i like to answer your question with two sort of two
9:28 am
answers. one is that i think in terms of public and private partnerships, i think we need to enhance the richness and the potential and the attractiveness of the data that the federal government provides to pharmaceutical partnerships by providing a coalesce data set of all clinical trials that are federally supported. that will make mining that data set by companies and in the examples that dr. collins made would make the cooperation with the federal government a lot more attractive. that's how we can enhance things in terms of basically biomarker work, as well as industry government partnerships. the other issue that would facilitate these biomarkers is, as i was saying earlier, is to support often the smaller companies that cannot really afford to do clinical trials with biomarkers by expanding the
9:29 am
coverage with evidence developed by the cd program and hhs. that's a good way to potentially cover some of these biomarkers as we're gaining the knowledge through registries to see if they're effective. and also, as you probably know, moffitt has the concept total cancer care. we are about to launch a joint venture with them. so the concept that moving those kind of biomarkers through the orion system or the total cancer care where there is these large consortium that we'll all push together for the discovery markers, then the validation of that in these large data set. it comes down to really managing and leveraging big data across multiple institutions to not only develop new biomarkers but also to validate them.
9:30 am
part of that is the coverage with evidence development. if that could be expanded, that would help a lot. as well as supporting a central repository for all federally funded clinical trials. that would also be a boon to industry partnerships and making those very attractive. thank you. >> bill cassidy. >> first, let me just thank you all for your good work. i am struck though, i think it is a little ironic because i think congress has created a lot of problems that we have here, at least the federal government has. i'm struck, the 3% tax you speak of is obviously part of the affordable care act. an example. now i guess i have two questions. but along that theme. i'm a fellow that formerly did clinical research. i have gone through those 40-page documents. we wrote ours at 6th grade, not 8th grade. i was always told it was the
9:31 am
office of human research protection which is part of hhs that required this. whenever i asked about centralized irb, i was always told, no, wait a second, we're required to have a local representative. although i know there is a central irb in denver, for whatever reason, my institution did not allow that because they felt like the federal government required. i'm looking at you, dr. hamburg, even though it is not under your office, fda is still involved with that. the first question, that 40-page document i've always been told is because washington, d.c. said you had to have it. secondly, dr. collins, you and i have spoken about this in committee but there is a report coming out of -- we've spoken out about nih needs more funding but there is an article out of ucsf, claire born jospeaking ab is a very poor correlation in nih funding between disease burden, however defined, and
9:32 am
where nih puts its money. now this fellow wrote -- and he said ten years ago this was a critique but as he reviewed data ten years after that, there had been no change. i think your interpretation has a little bit of wiggle room in terms of moving dollars around but what i'm most familiar with at cdc, at one point they were spending a billion on hiv and like $60,000 on hepatitis. even though the number of deaths related to liver disease was at least as great as that of hiv and disease burden was even greater. so there seems to be a really lousy correlation between where we're spending our dollar and disease burden. so two questions. one, have we met the enemy and he is us when it comes to the complexity of getting clinical trials approved. and secondly, to what degree is our federal agencies not taking this scarce dollar we have and moving it to things like
9:33 am
alzheimer's dementia, neurologic diseases when that is our balloon note, if you will, away from things that, frankly, we've had a lot of success with. >> first, i think that you have raised a set of really important issues that we're all working on and certainly frances and i have spent a lot of time discussing the value of central irbs and, more broadly, the importance of reducing the time, cost and cumbersomeness of doing clinical trials in this country. anything we can do to reduce that and make clinical trials more accessible to patients -- because that is another barrier to advancing clinical trials and ultimately the delivery of opportunity in science into a real world product. so i think that this is a really important issue. i think it is one that ultimately this effort, the 21st century cures, will likely take on in some way or another.
9:34 am
i applaud that. i think that it is an area where it has to be done right but where there are things that congress can do to actually make the situation better, not worse. big picture. there are many others than fda that need to be engaged in that discussion and you're right that there is a critical office in hhs that's involved in this. but work has been done. work needs to continue to be done but i think we're ready to do some things that will make a difference. on a much smaller scale with respect to fda, there's something that congress could do very quickly that i think would enable clinical trials in the device area to be more efficient and effective, and that is that the food, drug and cosmetic act actually has a requirement in it right now that mandates review of a clinical trial on a device by a local irb.
9:35 am
and we think that if that could be amended and i think it is a pretty simple fix, we could do some good. >> done. done. >> congressman, appreciate both of those questions. about what peggy said about human subjects review, there has been an effort under way now for about five years to revise the common rule and particularly to emphasize the need for central irbs instead of having every institution in a multi-site trial have their own irb tinkering with the consent form, adding another paragraph, changing the tense of the verb and all of that stuff that ends up costing you oftentimes a year of time and a lot of pages that get generated along the way. it is irrational. we need to stop in whole approach. actually nci, the cancer institute, for their large-scale cancer clinical trials is now using central irbs. there were some objections to that from institutions who were
9:36 am
afraid they would be liable if their irb hadn't approved it, but those had been largely overcome. we can do this and i appreciate you raising the issue. in terms of the correlation between funding support and specific diseases, we look at that a lot. that's certainly one of the jobs that i and the 27 institute and center directors at nih talk about almost every week when we gather around the table. actually, if you look at the current plot -- i'd be glad to send it to you -- it is not that wildly out of whack from what you might think. if you look at various measures of disease, whether you're talking about deaths or whether you're talking about such things as dalys and qalys, quality of life and disability, actually that curve is a reasonable approximation to what you might think would make sense from a
9:37 am
public health perspective with a couple of outliers like aids. [ inaudible ] >> i'm saying aids is an outlier in that graph. but i think there's scientific reasons why that has been the case, namely that this is not just a disease of this country, it is a threat to the entire global circumstance. [ inaudible ] >> thank you. your relative funding of alzheimer's relative to that is miniscule. again, my dad dies of it. we all have a parent. i got to say, when i look at your funding for alzheimer's, it seems miniscule relative to the disease burden and the future expense, the near future expense to medicare, medicaid, et cetera. >> i'm deeply concerned about alzheimer's, congressman. actually i spent some of my own personal efforts in an
9:38 am
adjustment in the way our current portfolio supports that research because this is clearly a major threat to the future of our nation and the world and an enormous burden upon individuals and their families who are stricken with this disease. there's probably nobody in this room that has not been touched by that. i take your point that we need to see that as a particularly high priority right now and that has been in fact what we have been trying to do at nih over the last two or three years. the other thing that i want to say without taking up too much more time, we have to be careful with the way in which science has developed over the last four or five years, particularly coming from the insights from the genome. we discover there are connections between diseases that we never knew about. it would not surprise me if the next breakthrough we are really waiting for in alzheimer's disease came from a researcher who at present time we would not say is working on that disease but is working on some other area. these connections between pathways continually surprise us so i think we do have to be careful not to be so targeted that we miss out on the unexpected where somebody working in one field actually
9:39 am
comes up with -- >> except the billion dollars spent on aids has paid great dividends. targeted research cannot be replaced with serendipity. some of us were hoping for serendipity. >> i think targeted research is critical when we can see a pathway toward finding a cure for a disease. but serendipity is one of the reasons america has been so successful for past 50 years. >> i want to thank all the members of the panel. you've done a fantastic job. i do apologize for coming in a little bit late and missing an important aspect of it. this 21st century cures
9:40 am
initiative and these roundtable discussions i think have been absolutely invaluable. there are a number of physicians of course on our committee. there are a number of people on our committee that have knowledge far beyond my limited medical knowledge, but it has been a great effort as we go forward in the 21st century. dr. hamburg, i'm going to address my question to you. representative green, my colleague on the committee from texas, and the co-author of the gain act, we are now, of course, as you know, working on the adapt act to take that a step further for limited population and antibacterial drugs. he diverted his question back to dr. collins so you didn't get a chance to discuss that but i would like you to spend a little bit of time talking about the
9:41 am
adapt act and what that model maybe can be an example for other efforts in bringing other drugs to market and medical devices in these highly specialized need areas, resistant antibiotics, limited populations. >> well, thank you for the question and thank you for your leadership on the critical issue of how can we ensure an adequate pipeline in terms of new drug development in the antibiotic arena which is ever more important as we are seeing resistance spread. i think dr. collins did address a significant part of why the gain act was important in terms of needing to create new focus and incentives for drug development in this area. it has been a hard area in terms of companies wanting to really
9:42 am
invest because market forces don't make it just irresistible in terms of return on investment, especially when you have to take risks. i have to be honest and say that fda didn't make it irresistible either because we were really asking for very elaborate, large clinical trials that were timely, costly, and hard to recruit patients for all the reasons that we talk -- that dr. collins mentioned in terms of the complexity of doing these studies and being able to have the clinical trial ready to go when the patient appears sometimes deathly ill with an infection that needs to be treated. so i think what we're trying to think about now is how especially in the context of antimicrobial resistance which is such an urgent problem. how can we really design regulatory pathways that enable
9:43 am
us to get meaningful answers as quickly as possible and reduce the risk for developers. a sort of special population approach enables us to sort of look at the highest risk end of a spectrum of patients that might be treated and really narrow the focus so that we can ask and answer questions where the risk/benefit falls out as quickly as possible and enables us to move forward more clearly, more swiftly. i think that's what we're really thinking about there. it applies in antimicrobial resistance in new microbial -- antimicrobial development. it applies in other areas that are important to public health as well, including a very heterogeneous disease category like obesity where if you can sort of narrow the indication, the development process can
9:44 am
actually be sped. >> i didn't think we had enough firepower here with the head of nih and hhs and one of the billionaires who's put a lot of money into medical research. so i brought my own -- this is my volunteer staff assistant. dr. yamamoto, vice chancellor for research at university of california san francisco who calls dr. hamburg peggy. he said oh, peggy's down there. i want to go say hi to peggy. we were meeting -- >> you can call me peggy, too. >> but i am very impressed, mr. chairman, with the panel you've put together today. obviously to have these eminences here is just amazing. my question is going to be very
9:45 am
similar to mr. pitts' but with a little different twist. we brought the deficit down from $1.5 trillion to $.5 trillion, but it is still $.5 trillion. with all the good intentions in the world -- i've introduced nih reform bills and doubled the funding of nih back in the gingrich era. i introduced authorization bill that increased funding for nih every year. but the reality is that you're going to get what you get, plus a little bit. that's just -- so given that, i want to ask mr. milken, is there anything we can do to incentivize the private sector to spend on research or perhaps a government match if the private sector puts up so much,
9:46 am
government will match it a dollar for a dollar, maybe one for two. we obviously -- i think the chairman is with me on this. in a perfect world, we'd want an increase across the board. but in the real world, we're going to have to find ways to do better with what we have right now. so are there some things we could do next year in terms of giving incentives to the private sector that might actually result in measurable increases in private funding in these areas? >> thank you. i want to thank you for your work that you do. i'm excited to see my good friend, keith yamamoto with you today. as he is aware, there are a number of efforts right now on the potential for match. where you would go to private citizens, foundations, corporations, and the government
9:47 am
would challenge them by offering to put up a dollar if they were matched for a dollar in the philanthropy standpoint. one of the things, there are other countries in the world that allow you to have a higher deduction if you give money to medical research or bioscience. in the united states today, you are limited on your deductions to 30%. you can use 30% of your income for public foundations and 20% for private. in some countries they allow you to have a tax deduction of 50% if it is for medical research, science, et cetera. so i think as we saw in the efforts in acid rain and so2, that you can create incentives that would direct funds accordingly. one of the risks we run, i think we're all aware of, is that a number of the people who have
9:48 am
accumulated great wealth are not as focused on inheritance taxes because they're planning to give their money when they pass away to foundations. and the opportunity to accelerate that. one example i might give you is, iras and 401(k)s, but particularly iras today when you're 70 1/2 you begin to draw money out of those iras and are potentially taxed. i think many people, if afforded the opportunity to give money to charity now, instead of wasting 20 years or 10 years, would give the money in their iras and 401(k)s. there was an experiment that was tried a few years ago where you could give up to $100,000 without tax out of your iras. it ran for two years and i think $140 million was given. but if you took the limit of
9:49 am
$100,000 off and tried it for a couple years, you might be surprised how much of private sector money is willing to go. and if you decided it needed to go into a medical philanthropy or whatever the decisions were, i think you could tap that. third, i think today the issue of young scientists. i think if we had a formal program initiated, you would have a lot of funding from individuals, whether it's through their own academic institutions that they felt loyalty or they went to, to support these young scientists. we have spoken to dr. collins and also commissioner hamburg about the possibility through their private foundations could we help augment the funding. many years ago, i was touring
9:50 am
the nih and saw a young scientist. there wasn't going to be funding for the scientist and sent a collection to the nih to cover the funding for that scientist. nine months later, they figured out how to cash the check but told us not to ever do that again. and i told them there was another agency, the irs, that -- >> it's no good, it bounced. >> but they're getting better as dr. collins said. but i think we have not appealed to the american public enough to incentivize them. we see initiatives such as recently with als, and putting an ice bucket on your head, they raised $100 million and they used to raise two. in the area of men's cancers, the growing of a mustache in november, called movember worldwide now raises $150 million a year. so how do you communicate?
9:51 am
and one of the challenges has been how do you get small amounts of money from large numbers of people? and this has been a challenge and companies like safeway through their checkout program probably have raised a half a billion dollars for different diseases, breast cancer, prostate cancer, muscular dystrophy and others. average donation, $2. if you sent a check in to a medical research foundation, it probably costs us $15 to process it. notify it, et cetera. and so these other mechanisms which safeway did at the check out counter, rounding up, allow you to get millions of people involved with small contributions. and i think you can through some policy changes, run some tests here and maybe run them for a year or two and see what happens. i think the risk is in an area i
9:52 am
spoke of early, scoring. they're going to tell you that it's going to cost, you know, billions of dollars in future taxes in the next 40 years. but i come back to the statement that 50% of all economic growth has come from advances in extension of life and increasing the quality of life. and i think by accelerating the giving, we have young people in our country today that are in their 20s, that are worth $30 billion. should they wait until they're 70 or 80 years old? or should we try to tap in to both their intellect and their funds today by incentivizing it on a present value basis to support it today. so i think there's a number of areas that we could test. there's trillions of dollars in these iras.
9:53 am
should we wait, if you wait until you pass away, you can give it to your foundation tax free. no estate tax. why don't we encourage them today to participate? so i think there's a number of things we can do with private industry. i think there's another factor. we have surveyed cancer patients, we have set up so many regulations, and collection of data and accessing of data. we are protecting people that don't want to be protected. 600 million people on this planet go to facebook every day. they put information and secrets up online that anyone in the world can access that you can't even believe that they're saying that or putting it up on their website. more than 70% of all cancer survivors would be willing to make all their data public, all their tests public, so that any graduate, ph.d. m.d. student,
9:54 am
could access that data. how do you waive hipaa? how do you give up these rights to protect information you don't want to protect? i think there's a lot of work that could be done in data collection. when i was at berkeley in the 1960s and was focused on how do we access capital for small and medium businesses, as a student with little to no money, i was able to access free, the crsp tapes which summarized financial transactions and markets, under the guidance of the university of chicago covering the previous 50 years at no cost. to try to create these data sets sometimes could cost $100 million. who has access to this data? we could provide enormous data, but i do think one of the elements is, how do you waive your privacy rights if you don't want that privacy?
9:55 am
>> that buzzer means that's 12:00. we're going to have a hard stop at 12:00 so we are. i want to really thank, you know, it's really thank everybody here that was involved in the thoughtful discussion. not only today, but in recent months as well. your ideas have in fact triggered us to move. i want to commend our staff. that's really -- [ applause ] but we're not done. this is the last formal meeting, you know, this month. we have another session, i think, next week, but during the next couple of weeks, i know this weekend i'm going to oregon and washington state and we're going to have an event in kalamazoo. i think there's going to be an event or two in texas and florida and other states. i encourage our members to reach
9:56 am
out and to continue to listen because when we do come back, we're going to start writing, we're going to try to do our best to do it right. as i said at the beginning, our goal is to move this early next year. have a draft proposal done early next year, and in all likelihood it won't be done this year. i don't want to set that. so we'll miss you dr. gingrey, because he's retiring from the congress. and some others, mr. waxman and others, but the ideas need to come in because we really do want to do this right. and lots of shoulders, we're going to be leaning on to make sure that it happens and we're most grateful for the administration's support too. peggy, you've done a good job, you realize constructively where we need to go. sylvia burwell today, again, confirmed that the administration's support for this, reaching out to the
9:57 am
senate, dr. collins has been a superstar not only in this room but traveling in different parts of the country, as well. and michael, your work again, we stole a lot from you over the last couple of years and just outstanding work that you have done and committed in the foundation and the organization that you have has truly helped us. great entrepreneurs bill parfitt and dean cameron, thank you for your work and two weeks ago in colorado, but now, we're very grateful for that assistance and we're going to turn the green light on in this green room. thank you.
9:58 am
in 2012, democrat cheri
9:59 am
bustos defeated incumbent republican congressman bobby schilling in the 17th district of illinois. this year he's challenging her to win the seat back. the two debated last week. here's a few minutes. >> congress as we start to close this debate we're starting with you cheri bustos. congress is to face more fiscal cliffs in the coming months. do you support an increase in the debt limit? and should sequestration cuts be permanent? >> my very first act in congress, my very first bill that i introduced is -- attacks government waste and abuse. and not in a small way. it identified $200 billion in wasteful government spending. i think that's the place we need to start before we do anything. my opponent voted not once, but twice, to end the medicare guarantee. that -- so that's looking at balancing the budget on the backs of seniors in my opinion. where would cost seniors each
10:00 am
$6,000 in out-of-pocket expenses. that's not the way we need to attack the budget problems that we have. on top of that, sequestration is a very, very dangerous place to go. my opponent voted for that. here's why. that impacted this economy right here in this area by $100 million. we had workers out at our arsenal who had to take paychecks home that were less than they're used to taking home. who their take-home pay was worse, they had to take time off, forced time off. and that's the vote that he cast for our number one employer in this area. >> mr. schilling? >> i find this very interesting because, the congresswoman went to washington, d.c. said that she was going to end the gridlock, dysfunction, and the very first opportunity that she got she voted no on all six budgets. and you know, when you go to congress, you've got to be able to compromise. our congress never had a government shutdown. and the thing is that the big difference between the two of us is when i make promises to the
10:01 am
people of the district, i kept every single one of them. the incoming congresswoman had promised to forego her pay during the government shutdown. we did some research and found out that she didn't do that. i think the key thing what we have to do at all costs is to try to avoid sequestration. there is so much waste out there that we could go and capture and we don't need to go in and start cutting our military so far back to where we can't defend our freedom as the united states of america. >> c-span's campaign 2014 is bringing you more than 100 debates for the control of congress. stay in touch with our coverage and engage, follow us on twitter @c-span and like us @facebook.com/cspan. the house oversight committee last month looked at security and privacy on the online exchanges americans used to buy health insurance under the affordable care act. the administrator for medicare and medicaid developed that
10:02 am
almost 7.5 million people have used the exchanges to sign up for insurance. >> the committee will come to order. without objection the chair is authorized to declare a recess of the committee at any time. the oversight committee exists to secure two fundamental principles. first, americans have a right to know that the money washington takes from them is well spent. second, americans deserve an efficient, effective government that works for them. our duty on the oversight and government reform committee is to protect the rights. our solemn responsibility is to hold government accountable to taxpayers, because taxpayers have a right to know what they get from their government. it's our job to work tirelessly in partnership with citizen watchdogs to deliver the facts to the american people, and bring genuine reform to the federal bureaucracy. over the past four years, the oversight and government reform
10:03 am
committee conducted vigorous oversight of the implementation of the affordable care act called obamacare including the design and launch of healthcare.gov. today the committee focuses on the interconnected issues of security of the website and accountability within the administration and most of all transparency to the american people. the government accountability office released a report this week on security of healthcare.gov. the gao found the administration failed to take appropriate and sufficient steps to protect healthcare.gov and associated systems against security and privacy risks. more importantly the gao reported strong -- report strongly asserts that security testing is not complete and security weaknesses continue to
10:04 am
plague the website. one of the principal authors of the gao report will testify before us today. the committee released a report detailing several breakdowns in both accountability within the administration and transparency to the american people during the design and implementation of healthcare.gov. it is important to understand that with private sector high profile losses of information due to hackers, there are huge repercussions to the companies and the government often comes in and further victimizes the companies who have in fact been victimized by hackers. when the government fails to protect involuntarily taken personally identifiable information, there is nobody but
10:05 am
people on this dais to try to hold government accountable. documents obtained show factions developed within the agency in charge of implementing obamacare, the center for medicare and medicaid services or cms, these factions fought over several issues including over website security. cms officials fought to keep information from their colleagues within the larger department of health and human services and additionally the administration endeavored to keep the truth and the true nature of the website's problems out of the public eye. following the collapse of healthcare.gov, administration officials refused to admit to the public that the website was not on track to launch without significant functionality problems and substantial security risks. last month, cms denied the associated press access to security documents requested under the freedom of information act. even more recently, cms refused
10:06 am
to provide the government accountability office documents related to the 13 incidents that we are going to hear about in vague detail here today. i want to make something very clear. refusal to cooperate with the gao, a nonpartisan government created entity, refusal to allow access by the whistle-blowers under freedom of information act, and refusal to cooperate with even the inspectors general, something we saw here just a few days ago, with 47 inspector generals out of 73 complaining with a lack of access, even within the executive branch, this is not the most transparent administration in history, and certainly the transparency we see here today was only done under subpoena. we will probably hear today that cms has offered to reach out on
10:07 am
these 13 incidents. it is not acceptable after the public scrutiny reveals that they exist, and they've been denied, on the eve of a hearing, and only after an audit is completed, to then say we'd be glad to brief you. that's unacceptable. and quite frankly, one of the most disingenuous things i've ever seen. there were five months during the audit to comply with a reasonable request by the general accountability office and it wasn't done. questions of security can no longer be easily dismissed by the administration. in late july healthcare.gov suffered a malicious attack from a hacker and it took nearly two months for cms to identify the intrusion. cms administrator marilyn tavenner who is with us today will testify and we will discuss that in addition to the gao report. i'm sure we will hear that there was no loss of data that this was not the main site and so on.
10:08 am
that doesn't change the fact that security risk exists whenever you fail to secure, not just the main site, but back doors. too often back doors have been what we've discovered. in the case of another investigation to this committee, we discovered that the back doors were something as simple in one case as a stolen laptop on which those who stole it later added peer-to-peer software, which then made information on that database available to the public, potentially. the federal trade commission opened an investigation and a plaintiff's trial lawyer sued and won money on behalf of people whose information was never actually released, but in fact both the government and plaintiff's bars thoroughly enjoyed going after a nonprofit aids clinic.
10:09 am
i cannot and will not allow the government to put itself at a different standard of accountability. last month the center for medicare and medicaid services informed the committee that once again there were lost e-mails in response to the committee's subpoena and documents relative to healthcare.gov. this is not an uncommon pattern. this is a pattern of predictability. this administration has not complied with nor caused their key executives, including political appointees, to comply with the federal records act. administrator tavenner admitted to deleting her own e-mails during the time period of obamacare implementation. madam, your actions hinder congress' investigation, and also prevent the public from accessing information under the freedom of information act. it appears as though this administration holds itself to a different level of compliance
10:10 am
with historic federal documents and the last administration or any administration since the passage. we are also today joined by the department of homeland security u.s. computer emergency readiness team or cert. the committee has concerns about the team's transparency reported earlier this month. the administration has already spent a billion dollars on a website that is still not fully operational, and fully not secure. the same government officials responsible for the lack of transparency and accountability a year ago remain in the position of authority. questions of security, accountability and transparency go beyond whether or not you support the president's health care law. many of these issues are not limited to health care and mirror the transparency and accountability concerns raised again by 47 out of 73 inspector generals in an unprecedented
10:11 am
letter to this and other committees of congress in august. minutes before hhs announced publicly on september 4th that healthcare.gov had experienced a malicious attack in july of this year, an hhs official contacted my office to give them limited details of the successful hack. during the brief call hhs gave my staff the name and phone number of a contact at the department of homeland security, and suggested my staff contact dhs for more information about the hack itself and the government's response to the hack. my staff reached out to hhs's suggested contact at dhs on monday of last week. followed up on tuesday, and were told that dhs was running, parentheses, the request, back with hhs to see if we can all
10:12 am
jointly get on the phone, seeing if -- seeing if tomorrow will work. however my staff followed up on wednesday and friday and then on monday and tuesday with no response from dhs. i would like to note that despite a week of persistent e-mails from my staff, dhs was unable to make time to brief our committee even by phone. however, two days ago, the minority staff notified me that they were asking for our witness today to appear as a witness at today's hearing. i accepted it even though clearly this is a witness from an organization that has refused to answer questions or cooperate with the investigation. the minority staff reached out to see if dhs would appear as a witness.
10:13 am
they were able to prepare in detail testimony before this hearing today. however dhs has still not arranged to properly brief our staff or to answer questions that we will be asking here today. i would like to introduce into the record at this time the correspondence between the staff and dhs as an example of what appears to be a very different treatment from this administration to a request from the majority staff, versus a request from the minority staff. without objection it will be placed in the record. let's cut to the chase. i have with me three witnesses. two very clearly are not part of transparency in government. i have no doubt that your organizations have worked diligently with the minority to try to make this hearing good for you. it is not our job to try to make
10:14 am
the hearing bad for you, but the american people deserve the truth, not a cozy relationship between the people of your president's party in covering up the ongoing failure to secure a website that cost over a billion dollars. with that i'm pleased to recognize the ranking member for his opening statement. >> thank you very much. first of all i want to apologize for running late. the speaker asked us to be at a joint session of congress to hear the president of the ukraine. and many of us were there. one of our most important jobs in congress is to help protect the interests of the american people. they demand a government and private companies safeguard their personal information. safeguard their social security numbers. their credit cards, and their health information. nobody wants to get a call from a credit card company saying
10:15 am
your personal information has been compromised. it can upend your entire life and it can cause serious financial problems for years. i believe they have the potential to perform a valuable function in the area. with our extremely broad jurisdiction over multiple federal agencies and entities, you can promote robust standards across the entire government and private sector. to date, however, we have not fulfilled this potential. today's hearing is our 29th on the affordable care act, and our sixth on healthcare.gov. i completely agree that the aca website must be secure. that is why i'm so heartened that
10:16 am
despite all of the challenges with the roll out last year, nobody's personal information has been compromised to date as a result of a malicious attack. nobody's. now, that could change. so we have to remain vigilant after all, this is our watch. so far no attacks have been successful in that regard. there certainly have been attempts. last week the centers for medicare and medicaid services reported that hackers uploaded malware onto a server. there are several key facts to know about the attack. first, it was not directed at healthcare.gov alone. but a much wider universe of targets. second, the server that was
10:17 am
attacked was a test server and had no personal information on it. third, the most important, nobody's personal information was compromised as a result. that incident was investigated by the united states computer emergency readiness team into the department of homeland security. the rest of that team entered written testimony for today and reports and i quote, there is no indication that any data was compromised as a result of this intrusion, end of quote. although our committee has spent a tremendous amount of time focusing on the affordable care act and its website, no cyber attacks have compromised anyone's personal information to date, we've been disregarding much more serious attacks that have actually compromised a massive amount of personal information. of our constituents. we are talking about hundreds of millions of people.
10:18 am
hundreds of millions. for example on january 14th, more than eight months ago, i sent a letter requesting a bipartisan hearing with senior officials from target. as i wrote, up to 110 million americans were subjected to one of the most massive information technology breaches in history when their credit, debit and other personal information reportedly was compromised, end of quote. on september 9th, i sent a letter requesting a bipartisan hearing on a major data security breach at community health systems, the nation's largest for-profit hospital chain. i explained that, quote, hackers broke in to its computers and stole data on 4.5 million patients, end of quote. as i noted, this was, quote, the
10:19 am
largest hacking-related health information breach ever reported. end of quote. on september 11th i sent a letter requesting a bipartisan hearing to examine the recent security breach at home depot, where our constituents shop. i explained that home depot, quote, has more stores in the united states and a higher total annual sales volume than target. end of quote. and, quote, it appears to have experienced a data security breach for a longer period of time than the data security breach that occurred at target. end of quote. and just this monday i sent a letter requesting a deposition with the ceo of usis, the company that conducts more background checks for the government than any other contractor, and which had its
10:20 am
own breach this summer. and i wrote, and i quote, although press accounts have reported that the attack may have compromised the personal information of up to 27,000 federal employees, government cybersecurity experts now believe this number is a floor, not a ceiling. end of quote. i'm talking about the people who work on capitol hill. i'm talking about the people who work for the federal government. up to possibly 27,000. in response i received a letter back from the chairman yesterday, thanking me for my request over the past year, and acknowledging, and i quote, these serious incidents merit further review. end of quote. chairman, i thank you for that. i hope we can start on this right away. after all, these are our constituents. let me close by highlighting that this is much broader than healthcare.gov. much broader.
10:21 am
represented here today warn that the number of cyber attacks is increasing against target, across the federal government. obviously the same is true of the private sector. so oversight is certainly called for and i hope our committee seizes the opportunity and rises to the challenge. with that i yield back. >> i thank the gentlemen. at this time we would like to place on the record examples of state attorneys general's prosecution and relief on private sector and even public sector entities, and the history of their going after entities for financial damages that allowed breaches. without objection, so ordered. >> mr. chairman, can i get a copy of that? >> we'll make copies available to all of you. it's all public information. and we did both include your massachusetts attorney general, vermont's attorney general, and
10:22 am
maryland attorney general's actions on behalf of your constituents. >> i appreciate that. thank you. >> members may have seven days in which to submit opening statements for the record. we now welcome our witnesses. mr. gregory wilshusen is the director of information security issues at the government accountability office. and the subject obviously of some frustration before he got here today. miss marilyn tavenner is the administrator for the center for medicare and medicaid services at the department of health and human services, hereafter called cms today. miss ann barron-decamillo is the director of the u.s. computer emergency readiness team at the department of homeland security. hereafter called cert. according to committee rules all members are to be sworn. will you rise and raise your right hand. do you solemnly swear or affirm
10:23 am
that the testimony you're about to give today will be the truth, the whole truth, and nothing but the truth? please be seated. let the record reflect that all witnesses answered in the affirmative. in order to allow sufficient time for your panel and what i suspect will be a robust series of questions, i would ask that you limit your opening statement to five minutes although your entire statements including the additional information that you may want to make available will be placed in the record. mr. -- you know what happened, without my talking point it's really hard. mr. wilshusen, please continue. >> thank you, mr. chairman. chairman issa, ranking member cummings and members of the committee. i am pleased to be here as you examine the implementation of the patient protection and affordable care act. as you know the act requires the establishment of a health insurance market place to assist consumers and small businesses in comparing, selecting and enrolling in
10:24 am
health benefit plans offered by participating, private insurers. cms is responsible for creating a federal marketplace for states that do not establish their own. this is supported by an array of systems including healthcare.gov the website that provides the consumer portal to the marketplace. my statement today will summarize the key findings from our recently issued work on the security and privacy protections of the systems supporting healthcare.gov. but before i proceed, mr. chairman, if i may, i would like to recognize several members of my team who were instrumental in protecting and performing this work. with me today is john defer arie, marysol cruz, justin polk and mark kantor. in addition members from e-security lab also participated. lon chen, wes coyle, doug nell and michael stevens. >> could you all please stand so
10:25 am
that we can at least for a moment realize your contribution? thank you. you may continue. >> thank you. healthcare.gov related systems, including the core systems of the federally facilitated marketplace, and federal data services hub, represent a complex system that interconnects a broad range of federal agency systems. state agencies, and their systems, and other entities such as contractors and issuers of health plans. the complexity and interconnectivity inherently introduces risk. assuring the security of such a system poses a significant challenge. to meet that, cms has undertaken a number of activities to enhance the security and privacy of systems supporting healthcare.gov. for example cms has developed document security related policies and procedures. it's developed a process for remediating and identifying security weaknesses. cms also created interconnection security agreements with the federal agencies with which it
10:26 am
exchanges information. and it instituted certain required privacy protections such as notifying the public of the types of information that will be maintained in the system. however cms did not fully or effectively implement key technical security controls to sufficiently safeguard the confidentiality, integrity and availability of the federally facilitated marketplace and its information. for example, cms did not always require or enforce strong password control, did not sufficiently restrict systems from accessing the internet, and did not consistently implement patches in a timely manner. cms also had shortcomings of its information security privacy management programs. for example, system security plans for the federal facilitated marketplace and data hub generally contained most required information. but each plan was missing key security information. cms had also undertaken a series of security-related testing
10:27 am
activities that began in 2012. yet these control assessments did not fully identify and test all relevant controls prior to deploying the systems. in addition, cms did not fully assess privacy risk, and the privacy impact assessments, and had not fully established an alternate processing site for healthcare.gov systems to ensure that they could be recovered in the event of a disruption or disaster. to assist cms we made six recommendations addressing the shortcomings with the information security and privacy program. and 22 recommendations to resolve technical security weaknesses related to access controls and configuration management. cms concurred or partially concurred with all 28 recommendations and noted that it was taking actions to address each of them. in conclusion, while cms has taken important steps to apply security and privacy safeguards to healthcare.gov and
10:28 am
its supporting systems, weaknesses remain that put these systems and the sensitive personal information they contain at an increased and unnecessary risk of compromise. mr. chairman, ranking member cummings, and members of this committee this concludes my opening statement. i'd be happy to answer your questions. >> thank you. mrs. tavenner? thank you. >> mr. chairman issa, ranking member cummings, members of the committee, thank you for the opportunity to be here today and i want to make everyone aware that cms strives to be as responsive as possible. i understand we have provided over 140,000 pages of documents to this committee. transparency is important and that's why i am pleased to be here today and have the opportunity to answer your questions, and we will continue to produce documents. in the almost five years that i've had the privilege to work at cms, my focus has been on how we can best serve our beneficiaries, including seniors
10:29 am
on medicare, adults and children on medicaid, and consumers enrolling in the marketplace. when i come to work each day, i work to expand coverage and competition, reduce cost, improve quality in ways that make a difference in people's lives. we are making real and important progress. as of august 15th this year, we have 7.3 million americans enrolled in the health insurance marketplace coverage. these are individuals who paid their premiums. we are encouraged by the numbers of consumers who've paid their premiums and continue to enroll in the marketplace coverage every day through special enrollment periods. this is the most recent count of people who have coverage throughout the marketplace. each month this number will change slightly as consumers transition in and out of coverage, as their life circumstances change. everything from getting a new job to moving to a new state or
10:30 am
becoming eligible for medicaid or medicare. there's also good news about medicare. spending for medicare beneficiary is growing slower than the overall economy. the medicare trustees recently projected that the trust fund that finances medicare's hospital insurance coverage will remain solvent until 2030. four years beyond what was projected just one year ago. we strive to make health care safer and better. in the last five years we've seen a 9% reduction in harm in hospitals such as decreased health care associated infections. this represents over 500,000 injuries and infections and adverse events avoided. over 15,000 lives saved and approximately $4 billion in avoided costs. this adds up to better health care at a better price, and i know that makes a real difference for real people. consumers also trust us with
10:31 am
their personal information, and i take that trust very seriously. security and privacy are one of our highest priorities. cms has decades of experience in operating the medicare program and its supporting systems, and we successfully protect the personal information of both beneficiaries and providers. however we must continue to be vigilant and evolve our assessments and actions to keep up with ever changing threats. consumers can use the market place with confidence that the information is safe and take comfort in knowing that no personally identifiable information has been maliciously accessed from the site. our systems are designed with security in mind and our focus on security is ongoing. it did not end when the market place launched. cms conducts continuous monitoring using a 24/7, multilayer professional security team and penetration testing. our systems comply with
10:32 am
standards promulgated by nist and the office of management and budget. there is risk inherent in any system. it is simply sadly a part of the cyber world in which we all live. we appreciate the work done by the gao to suggest additional controls to help us further protect against these risks and are already seeking to improve upon the security protections in place. as we look forward to our second enrollment period our goal is to build upon this progress, and to address outstanding challenges. we're working to make it as seamless as possible for people to re-enroll in coverage, and reinforcing our outreach to help more uninsured consumers enroll in coverage. we are making management improvements with clear accountability and committed to being transparent. this coming year will be one of visible and continued improvement, but not perfection. as problems arise, we will fix them, just as we always have. throughout my career as a
10:33 am
hospital executive, nurse and public servant, my focus has been on providing people with high quality health care. i'm proud of the progress we've made at cms and i hope to continue to work with congress on our efforts. thank you. >> thank you. miss barron-decamillo. is that close? okay i'll try to do better. thank you. start again? chairman issa, ranking member cummings and members of the committee. thank you for the opportunity to appear before you today. we are also making every opportunity and every effort to be transparent at dhs, to be as transparent as possible. my name is ann barron-decamillo. i'm the director of u.s. cert within the national cybersecurity integrations center. we lead the department of homeland security's efforts in cyberspace to respond to major incidents, analyze threats, and share critical cybersecurity
10:34 am
information with trusted partners around the world. u.s. cert is a 24/7 operations center and receives and analyzes hundreds of incidents reports a day. we work with public and private sector partner organizations and are committed to the protection of privacy and civil liberties for all americans. at u.s. cert we strive for safer, stronger internet for all americans. established in 2003 u.s. cert initially focused on securing u.s. federal systems networks. dhs's cybersecurity capabilities have grown immensely since the establishment of u.s. cert and we are working more closely than ever with partners across public and private sectors to develop a comprehensive picture of malicious activity and mitigation options. cybersecurity is a shared responsibility and a continuous process. our focus is helping our partners build a resilient and secure ecosystem in cyberspace. protecting the networks requires coordination across a cyber
10:35 am
community to enhance others' capabilities as we continue to mature our own. while dhs leads the effort, to secure federal civilian networks agency heads are responsible for assessing risk to their systems, and taking appropriate measures to secure their networks. u.s. cert supports agency heads and chief information officers in carrying out these responsibilities. i'm here today in a technical capacity to provide findings from our analysis of the compromised test server at healthcare.gov. u.s. cert was notified of an incident by cms who has the oversight responsibility of healthcare.gov. we conducted analysis of the images provided to us by cms and found evidence of malware on a test server. as stated by the ranking member, our analysis concluded that there was no indication of personally identifiable information, also known as pii, exposure, and no indication of data exfiltration. additionally there's no evidence
10:36 am
of any lateral movement within the network or further infection. we provided cms a report with the findings as well as mitigation recommendations. additionally, we were able to share indicators from our analysis so agencies, partners and stakeholders could better protect their own networks. we are in discussions with hhs to provide further on-site support. dhs remains committed to working with its federal and private sector partners to create a safe, secure and resilient cyberspace. i look forward to answering any questions that you might have. >> thank you. i will start with you then. when did you find out you were going to appear here today? >> i believe i was informed on monday. >> when did you begin preparing for today's hearing? >> when i was informed on monday. >> okay. has cert done a security testing of healthcare.gov?
10:37 am
>> we were provided images from cms of the compromised test servers. we provided analysis -- >> i appreciate that. the question was, has cert conducted any security testing of healthcare.gov's vulnerabilities. >> no. as i stated in my opening remarks -- >> so when miss tavenner says there have been no loss of personally identifiable information, if you don't know the vulnerabilities, how do you know that -- how would she know that to be true? >> i believe that cms conducts their own scanning and testing. but i'm happy -- >> did you verify their scanning and testing to be sufficient? >> we would be happy to provide that information. >> did you? >> i haven't been provided any details. >> you don't know that? >> within the test network? >> yeah, it boils down to, you're here as an expert that i didn't expect from an organization that refused to give my staff any briefing related to it. >> i do apologize for that. i was under the impression that our staff was working with your staff to answer those questions.
10:38 am
>> as of yesterday afternoon, they put people who didn't have technical expertise on who told us they would get back to us. that's after more than a week of information we have put in the record where we were denied that. maybe i'll go on to gao. i'm going to ask first of all your indulgence. when this hearing is over, i would like you to accept -- pardon me? >> i wanted to hear what you had to say. >> that can happen. i would like you to accept a briefing and do a supplemental related to the 13 breaches. >> okay. >> miss tavenner, i'm going to presume you will agree you will have full access to all information related to that so that gao may develop specific additional recommendations based on the actual breaches, the 13 incidents. >> yes, sir. >> okay. that will allow us to get what we don't have here today. i appreciate that. you have gone through an
10:39 am
extensive amount. would you describe for the committee the level of cooperation you believe you got? we have heard what you didn't get. are there good news stories in the cooperation as you did your investigation or your audit? >> there is some good news and some not so good news, mr. chairman. as we began our audit, and generally we do receive good cooperation from the agencies that we audit, as it relates to receiving information requests that we provide. and in this case initially, there were delays in providing certain documents that we had requested. in addition, there were certain -- cms attempted to put certain restrictions on the -- on some of the documents. >> did they cite why they were restricting? are you just not trustworthy? >> i think they indicated they were concerned about the security -- the sensitive security information. >> they don't trust you? >> i wouldn't say that, sir, no.
10:40 am
but we elevated the issue within gao and within the department. we reached an agreement to where we would be able to and they did provide the information for us to look at. >> at the end of it all, there was no reason after it was elevated there was no reason that they should have denied it to begin with? >> in my view, no. they should have provided it earlier. but at the same point, you know, they had a concern about the security of the information. so they tell us. but you know, their motivation would probably be better addressed by the administrator. >> limited time. i want to set the stage for what others on both sides of the aisle may ask here. when you looked at the robustness of how they determined with such certainty that there had been no breaches, no loss of personally identifiable information, were you satisfied that that -- all
10:41 am
those procedures were robust enough with the certainty that miss tavenner said that no losses had occurred, that no losses had occurred? >> well, we did not receive actual security incident reports on these incidents, at least on the 13. we did receive a written response to an interrogatory in which they indicated that -- at least for the 13, that there was certain pii that was compromised or disclosed to an individual. but it was consumer. it was through a technical glitch. >> wait. i want to understand. personally identifiable information was lost or disclosed? >> was disclosed according to their description. >> miss tavenner, others will ask additional questions. but your opening statement said none had been lost. how can we reconcile none has been lost with a sworn statement that some has been lost? >> i think what my statement
10:42 am
said is there were no malicious attacks. >> oh! oh, so if you just screw up and put the public's information out there, it's okay? because it wasn't a malicious attack? >> no, sir. i don't think any time we put consumer information out there it's okay. but i -- >> okay, so my time has expired. and i want the ranking member to have full time. i want to make it clear that wordsmithing of no malicious was done versus accidental just as we discovered at the time of the launch, that if i went to the section above where the url normally is. when that thing was launched, if i simply typed in a different number or a different state code i could have looked at somebody else's record. that was part of what you guys had wrong on the day of the launch. is that you could simply go to somebody else's record by changing that long streak at the top. meaning no code. that wouldn't have been malicious, i guess, except if somebody were doing it to see what they would get, that would be a little bit malicious.
10:43 am
so when you say no personally identifiable information was lost through malicious, what you're saying is you don't know how much was lost, you just believe that the definition of malicious wasn't met. is that right? >> i actually -- i think this relates to the personal incidents and i do think that we want to cooperate with the gao on that and we're happy to review those. >> thank you. your desire to want to cooperate after we bring you here involuntarily for a hearing is most appreciated. but quite frankly you should have cooperated with the gao beforehand. >> sir i think -- i always like to cooperate with the gao and the oig and we've had over 140 open audits under way. i think we have cooperated. i'd also like to say i came here voluntarily. >> thank you. >> danny? lacy. >> the distinguished gentleman from missouri is now recognized for five minutes. >> thank you. thank you mr. chairman.
10:44 am
thank the ranking member for yielding his time. mr. wilshusen, gao found that healthcare.gov had security weaknesses when it was first launched, in part because of a lack of adequate oversight of security contractors. is that right? >> we found that with respect to when it was first deployed -- recognize that our audit occurred subsequent to the initial deployment. we found that based on review of the documents that there were certain vulnerabilities in controls that had not been tested at that time. and that there were a few vulnerabilities that had been identified through testing, through which the cms had accepted in order to give -- provide an authority to operate. >> whose responsibilities were incumbent upon the contractor, correct? >> it -- well, overall responsibility, it rests with
10:45 am
the service -- >> with the contractor? or? >> i believe -- i think in some cases there may be incidents where we did identify weaknesses that were operated on systems operated by a contractor. but that was subsequent. >> okay, okay. >> during the course of our audit that doesn't necessarily pertain to prior to the system. or to the deployment of the system. >> sure. and gao report found that there was not a shared understanding of how security was implemented among all entities involved in the development and security testing of the website, is that correct? >> yes. that's correct. what we found, too, is that in certain instances where cms told us who was responsible, the contractor that was responsible for certain tests, such as assessing the security -- or implementing security on the firewall, it went to that
10:46 am
contractor. the contractor indicated it was not his responsibility, that it was another contractor and that responsibility was not identified in that contract statement of work. >> yeah. but scenarios like this obviously increase the likelihood of security risks, is that correct? >> yes, sir. >> and was there a specific cms official or group that was responsible for overseeing the security testing of healthcare.gov? is there a group? >> well, overall, the cms -- cio and cis -- i'm sorry, chief information officer and chief information security officer has overall responsibility for reviewing and assuring the security over this system. >> now, for a project of this magnitude, shouldn't an agency official with a broad
10:47 am
understanding of i.t. security testing oversee contractors? >> i would say yes. >> and was that the case here? >> i would say that, you know, there is -- the cio, cis would be the individual that would have that responsibility. over all. >> okay. who would the cms official be that would have that kind of understanding of i.t. security? was there a person in place? >> yes. they had the cms ciso. in addition there's several individuals that were responsible for aspects related to security over the healthcare.gov. there is also an information system security officer that has responsibility for assuring that security controls are properly met. >> you know, the issues with i.t. security management did not start with healthcare.gov.
10:48 am
as a matter of fact, this is a broader government problem that needs to be addressed. don't you think? >> gao has been reporting information security and federal information security as a government-wide high risk area since 1997. so sadly, yes, it's a broad government issue. there have been weaknesses -- as an example, for fiscal year 2013, 18 out of the 24 major federal agencies covered by the chief financial officers act reported either a material weakness or significant deficiency in their information security controls for financial reported purposes. 24 out of the 24 igs, that's 21 out of the 24 agencies cited information security as a major management challenge. >> so it would be fair to say that all internet facing systems both in the federal government and the private sector, involve some risk.
10:49 am
is that correct? >> given the nature of the internet and the capabilities and prevalence of hackers who might try to exploit vulnerabilities, yes, the answer is there is risk in conducting online transactions. >> thank you so much for your responses. mr. chairman, i yield back. >> i thank the gentleman. we go to the gentleman from florida for five minutes. >> thank you, mr. chairman. i have a copy of your report dated september 2014. in that, you, in fact state gao found -- first of all i think you found that the testing was not complete, and that the whole program was rolled out with weaknesses in security and protection of privacy. would that be an accurate statement? okay. i also see that you say that gao report strongly asserts that
10:50 am
testing of the website still remains insecure. is that correct? >> i would say that the testing of healthcare.gov and supporting systems has not been comprehensive. >> so even today we have risks, is that correct? >> today we have risks. >> security risks, privacy information risks. okay, thank you. then the rollout, they actually rolled this out, i saw in the report, too. i guess four states had not even taken action to secure privacy. >> i would characterize it as had not met cms security requirements. >> right. security requirements. we'll have those for the record, the states. so it's incomplete testing. then i see, basically a cover-up of the failure that took place. did you see any of that? they were trying -- i went through some of these e-mails and some of the record that the committee has.
10:51 am
i don't know if you saw this. but it looks like quite a cover-up. or they tried to not let the public know the failure of what -- the failure of the rollout and the failure of them to protect this information. is that correct? >> i'm sorry, i could not contact -- comment on that, because i had not seen these. >> i can tell you, it's page after page. i mean, i can't even use some of the language used here, mr. chairman. i'd like to have some of this submitted -- >> without objection. the entire report will be placed in the record. >> okay. it's astounding. again, this is a blanking disaster. i mean, this is one of the hhs people, over -- who saw what was going on at cms. politico has a two-day story that talks about the issues, the most detailed explanation. but it's just stating overwhelming traffic that could have been replicated and tested.
10:52 am
and it's just one point after another. of what the cover-up. and i think, unfortunately, people like miss tavenner, were involved in some of the cover-up. did you ever attempt, ma'am, to -- to have any e-mails or records deleted what was going on in the failure? >> i'm aware of the e-mails. i've not seen the e-mails you're responding to, to answer that. >> uh-huh. and i have one e-mail here, and you had asked that a fact be deleted. and i can supply you with a copy of it. but it says please delete this e-mail. and it goes on. to -- do detail what was going on the failure that was going on. first of all, there's a company
10:53 am
by the name of serco that was retained to employ a contract of $1.2 billion. >> we retained serco, i don't have the amount in front of me. >> again, this e-mail talks about serco and the failure of the proper processing. there were problems with processing the paper applications. congressman, i'm happy to take a look. >> and you had nothing to do with the awarding the $1.2 billion contract, you would tell the committee, too, right? >> i don't understand the question you're asking me. >> the serco contract to process paper. >> i'm actually not part of the process. >> here you're talking about serco and the problems with the paperwork. you're asking for the deleting of the information. then i looked into the serco
10:54 am
candle gross. did you know that serco had been awarded the $1.2 billion contract -- it's a british uk firm, and they were being investigated for some fraudulent activities in the uk as they were being awarded a $1.2 billion contract? >> no, sir, i don't think -- i think i stated that last year in a hearing. >> you weren't aware of any of the background. again, i think we need to put this -- mr. chairman, i'd like to put this e-mail in the record where the witness ask where we delete this particular e-mail and deal with the problems with serco at that point. >> without objection, so ordered. >> finally, are you aware that you violate federal law when you ask to delete information like
10:55 am
this? again, congressman, i would need to see the e-mail. >> okay. if we could -- >> we'll pause quickly, if you'll send it down to her. i think you might as well get it quickly done. i'd ask for unanimous consent to stop the clock and give her an opportunity to read it, thank you. >> just simply is that your e-mail and did you ask at the beginning to have it deleted? states pretty clearly your intention. mr. chairman, i'll defer to you to get a response from the witness. >> this e-mail is from me, yes, sir. that's accurate. and this e-mail was written to
10:56 am
julie vitai who set was involved in the call center. i think this is about the call center information. i think i asked that she delete this e-mail because it involves sensitive information regarding the president's schedule. and i think that's actually the area that's redacted. but, no, it's not normally my custom be asked. sometimes, i'd ask that things be close hold or not forwarded. in this case, it contains the president's schedule. >> mr. chairman, i would also ask -- i want the entire e-mail in the record and the reference farther down to serco. yield back. >> briefly, if we could have indulgence why would the president's schedule after the fact, have any relevance to having to be deleted? i hear you, but the president's schedule becomes realtime in a short period of time.
10:57 am
>> i can't ask why the zegs was ask a decision was made to be redacted. >> you were surmising that it had to do with the president's schedule. the president's schedule is not all that secret and after the fact it has no relevance for production. >> i understand. >> and under the federal records, yours was to be retained. >> and it was retained. >> so deleting it doesn't change the fact that it had to be retained for the federal records act? >> it is retained. and in fact, if you are asking about our response to nara, we did that under an abundance of caution. i didn't necessarily retain e-mails if they related to scheduling changes and this sort of thing. so going back to the issue of transparency and trying to be forthcoming about information,
10:58 am
we decided to notify nara. >> okay. i would hope that the unredacted versions of all of this would be made available to the gao. and i would ask, simply, that unredacted versions be seen by the gao to see if in fact it's consistent with what we're hearing. >> mr. chairman, a unanimous request. the gentlemen -- >> i have articles that serco and people doing nothing to processing serco's checkered past. for obamacare in a forbes article, the unhealthy truth about obamacare, contractors, i'd like these -- >> without objection. so ordered. >> with that, we'll go to the gentleman from pennsylvania for five minutes. >> thank you, mr. chairman. and thank you to the witnesses for joining us here today. >> i'm good with that, i'm good,
10:59 am
yeah. one of the most critical features of the affordable care act is that it expands medicaid eligibility to millions of low-income american adults. prior to the aca, medicaid eligibility was restricted primarily to low-income children, their parents, people with disabilities and seniors. in most states, adults without dependent children were not eligible for medicaid. according to a study issued in april 2014 by the kaiser foundation, only about 30% of poor, noneligible adults had medicaid coverage in 2012. and uninsured rates for poor adults were more than double the national average. under the aca, medicaid eligibility can be expanded to cover all nonelderly adults with incomes below 138% of the
11:00 am
federal poverty level. administrator tavenner, is that correct? >> yes, sir, i believe it is correct. >> all right. so the federal government pays states 100% of the costs for the first three years. and then phases that down -- phases its match down to about 90% in 2020, despite this enormous level of federal assistance. more than 20 states have decided not to participate in the expansion, leaving millions of their own citizens without health care. administrator tavenner, can you comment on the coverage gap that is resulting from these decisions not to expand medicaid in those states? >> yes, sir. i would start, first, by saying with pennsylvania's recent decision, we are now
