the campaign 2016 bus

continues its travels to honor winners from this you're's student camp competition. the bus stopped in new jersey to recognize madeline balm for her second prize video on when the house becomes a home. she was honored in front of her classmates and family and before having a chance to visit the bus. bus travelled to west scranton intermediate school in pennsylvania to honor other students for national immigration issues. they donated $500 of the $1,500 to the local charity of scranton. the bus drove to clinton township middle school to celebrate a second prize winning video, the next big problem. over 250 classmates and teachers and family members and elected officials, including congressman leonard lance joined in the ceremony for zachary. a special thanks to comcast for helping to coordinate the community visits. and view all of the winning documentaries at student

cam.org. c-span washington journal live every day with news and policy issues that impact you. coming up on thursday morning, washington post national political reporter robert costa will join us to preview the meetings tomorrow between donald trump and congressional public leadership. and darrell issa will discuss civil asset forfeiture laws that allow police to seize property as long as they believe the assets are connected to criminal activity. and democrat congressman joe cord knee is talking about addressing the opioid crisis including a bill he sponsored which would provide $600 million in emergency funding. also dom defrank, editor for national journal will talk about his coverage of the presidency of george h.w. bush and george w. bush. and he'll discuss the bush family's strong dislike of donald trump. watch the c-span washington

journal. join the discussion. the importance of cyber security in medical facilities around the country was the focus of an event hosted by politico yesterday. this is about an hour and 15 minutes. ladies and gentlemen, please welcome executive editor for health care, girard cannon. [ applause ] >> good afternoon, everyone. i'm joann canyon, one of the executive editor for health care and i would like to thank you all for joining us and those of you on the live stream, too. outside in is our event series focusing on health care and technology and being political we look at health care through politics and policy. outside in was a way to conceived in a way to bring out

outsiders with washington insiders. this is the first event this year. we've taken the idea one step further this year and created a forum of health care tech industry insiders who have a list of their names on your seat. and we've been doing surveys and interviews and events and this group is helping us better understand the new opportunities and challenges that technology innovation is bringing to the health care policy world. today some of the panelists will have -- we'll have two panels. and some of the advisers will help us dig into medical privacy in the age of cyber attacks and ask questions like is greater health care information exchange going to lead to more dangerous and increased hacks. can health care providers afford security? what kind of congressional or regulatory action, if any, is needed to keep medical records safe. we'll have the conversation in two parts. first e-health editor allen and i will talk to the policymakers and policy experts about medical cyber security and the second panel, dan diamond, a new colleague is writing pulse for

us now and he's just begun the pulse check podcast that all you have to subscribe to as soon as this is over and he is also helped us create and moderate this advisory panel, this forum and he will continue the conversation with experts who were on the forum. and you'll find stories from today, the story written based on what these outside people are telling us, and this theme of that story shows how health care cyber security is getting worse and how the government's role is a mixed blessing. and we have a bar, for those of you who are here noticed. so stick around because the conversation could continue afterwards those of you in the live stream, could just start right now. before i introduce the panel to the stage, i want to take a minute to thank our partner phillips for their support of this event and the entire outside event series this year and all three years. here to say a few words is artie arthur, vice president of health care government solutions group for phyllis. >> thank you. [ applause ]

>> thanks, everyone, for coming to this event. we're really excited to be here. thank you to politico for sponsoring the first installment of outside-in. this is phillips third year here. and just to give you a little bit of an understanding of what we did last year and how it is really going to integrate into how health care and technology meet each other for this series. last year, we focused on areas such as digital medicine, aging and a technology world and also population health. why does that matter today? well, you know what? health care transformation is continuing on, right. and what we need to do is ensure that that data is meaningful and actionable. but the worse part about it, and the reason why we're here today, is because we don't always know if it is safe, right. you don't know what you're going to get. and you guys have that sheet of paper, i just read it real

briefly on how expensive health data is. so we're here today to talk about how important it is to ensure that our health data is secure. hackers don't care. they don't discriminate at all, amongst health data. if you think about what is happening today, you have seen a lot of articles on the health care eco-system. large health care systems, as well as insurance companies, have had their data attacked. whether it is by a hacker or any type of outside threat. and that is important. and it is scary. i think the really cool thing about working for phillips and why i'm so proud to be here tonight is that we take this very seriously. in fact, my group in the health care space for the federal market, we've done a lot of work with d.o.d. in fact, most of our products today are -- have been certified by the department of defense for cyber security and we're really

proud of that. we have more cyber security certifications than any other entity today. additionally, we get to be an adviser on the task force for hhs. and so this is really empowering what we do in health care today. i can't -- i can't tell you how excited and thankful i am for the panel that we have tonight and for politico to partner with us in this forward-thinking, thought-provoking series of 2016. and with that, i think i'd like to introduce your panel. >> okay. thank you. and thank you phillips for your partnership. for those of you in the room and on live cast, our conversation on twitter, we use th the #outsidein. that is one word. i have a tablet on stage and will take questions from those of you who tweet them in. our events are live streamed and all on the record and they are recorded so people could watch them later on through our

website. without any further delay, i would like to welcome our panelists and my comoderator to the stage. first we have representative will hurd from texas. he is the chairman of the i.t. sub-committee for oversight and government reform and a former cia undercover officer. and then in the private sector he was a cyber security expert. he came to congress in 2015 and he swiftly has emerged as an important voice on this topic on privacy and security and looking at where the government is not doing a good just snob. leslie cigstein from affairs at crime which is a management executive. she brings the concern of health care ceo's to the hill and to the agencies. devin mcgraw is from the health information privacy from the hhs office of civil rights and the point person for concerns about privacy and she helps inform hippa -- enforce hippa so you all have to behave.

clinton michael, from the e-health interest group at the american bar association health law section. and he is one of the top national experts in legal issues that barely existed a couple of years ago. and we hope he can help us understand what is still needed in the legislative and regulatory framework to protect health care privacy because every day we are reminded that it is a problem. and of course, arthur allen, and my friend and colleague and e-health editor and they call him big data, and i'm little data. [ laughter ] thank you arthur. you are going to start it. >> so, welcome, everyone. so i represent -- i'm the ceo of a small hospital chain. and i've been busy taking care of meaningful youth and dealing with macro and a million other things and somebody just came to me and said there is some issue called cyber security. like a -- a problem with people

attacking the health care system. and i'm going to just ask our distinguished guests here to explain some of these things. congressman hurd, who is attacking the health care system and what are they after? >> the majority of it is going to be organized crime. a lot of it is russian organized crime. they are the ones that are trying to leverage the data they are collecting for monetary gain. a health care record gets more on the black market on the digital black market than a financial record. and some estimate that medicare record is in the couple of hundreds of dollars per record. so it's lucrative financially. to give some context, in 2012, alone, fbi had data there was $414 million worth of thefts in the united states. and the estimates in the cyber realm, it was over $100 billion. right. so impact to our economy. so it is a big issue. >> it is a good field to be in,

obviously. leslie, tell me about the experience that hospitals, cios are having dealing with this problem. are you spending -- are hospitals systems spending a lot more money and what are they doing to adjust to this new reality? >> and you're right, it is the reality. there is only so many fingers to plug the holes and the reality is we can find every possible vulnerability and try to block it and they only have to find one. and so when you are looking at hedge it as a fraction of the budget, something like 3.5% to 4%, a subset is security. so it is something that you are not necessarily getting reimbursed for but it is absolutely necessary for the public good. but it is tough. resources are hard to come by. whether it be financial or even

personnel. and you're only as strong as your weakest link and in this day and age, we're sharing data with more and more partners, we're sharing data directly with patients and you're just opening up the door. and so it is incumbent to train your work force and work with your boards. but it is definitely a tough fight that the odds are stacked against us. >> deven, so you are the cop on this beat in a way. how much do you blame -- how do you figure out how much or how does the legal structure share the blame -- decide who is going to be punished, how much you punish people who are really in a way the victims of the crime? because hospital health care systems, to be sure, they are the custodians of the record but also the ones who are directly being attacked.

so how do you -- at the same time punish and at the same time try to improve the system to make it more secure. >> well, so we have a set of expectations with respect to security and health care and they are absolutely critical. it is a cost of doing business. if you are going to be out there collecting health data, it is valuable, not only is it valuable to criminals and to you. it is one of the most critical business assets. so protecting the data from the threats out there is really sort of -- it should be expected and frankly from a public policy perspective, it is important for patients to be able to trust their data is safeguarded. not necessarily perfectly safeguarded, but safeguarded. we do not expect perfection. if you take a look at the cases that we have pursued, those entities in our view, based on our investigations, had significant deficiencies in their security policies,

processes. they were not doing enterprise-wide risk assessments or maybe they did one ten years ago and hadn't been updated. the adoption of basic security safeguards is -- is slow. so i'm not suggesting that we have a right to demand perfection in terms of accountability, but we do expect entities to devote resources to security. we do expect them to be aware of security resources. and you as the ceo of that hospital, if they are coming to you and you don't know what cyber security is, that's a big problem. >> okay. clinton, what do you think? are they exercising their role appropriately or being too harsh or too lenient and do you think that the regulatory and legal framework needs to change in order to deal with this problem that's rather quickly kind of arisen in health care. >> no, i think ocr is doing a

really good job. >> you are not in a good seat, are you? >> no, i'm not. [ laughter ] >> so as a client, deven, i think ocr is doing a great job. and one of the stated purposes they have is to essentially teach. and they have a really strained budget for their teaching. but you will see them issuing technical assistance as opposed to being punitive. we have a lot of agencies in the government that are punitive in the health care sector. ocr is not one of them, thankfully. and they've done a good job, i think, with splashing out their enforcement actions and pursuing big dollars so people in the industry see it as a deterrent effect and they have hit socials, hospitals, laboratories and physician practices. so i think they've done a great job. as far as the regulatory

framework, i've really only seen one truly bipartisan proposal so far. and i think it is workable. so we take the servers and we put them in the bathroom closet and build a wall around them and we make the hackers pay for it. >> i see. >> very good. >> we're looking for solutions, so i'm glad -- >> but to pile on there -- if you are the ceo of a hospital and you're looking to ocr for guidance, you are already behind the curve, right. >> absolutely. >> you need to be -- and no offense to ocr. you need to be following the best practices in good digital system hygiene. and if you are not doing that, the regulatory environment is not going to save you. and the fact that the ceo should know about these things, because this is an integral part of your business and you need to make sure you have a cio that knows what they are doing in order to protect that infrastructure. because that is your responsibility to protect the

information of the people that you have in your systems. >> right. >> how -- when there is a rand somewhere and a headline that makes news -- five or six years ago when there was a breach, it was a breach that the public heard about and it was somebody spying on a movie star in hollywood. and i'm not sharon and i'm not having plastic surgery so i don't have to worry. but i think that is how a lot of us came across it. it was nosiness and internal -- lack of in ternal controls. and now we have organized crime and cyber kricrime because the health data is on so many sources. but the things in the paper, with the bit cones and the hacks, is it occasional or happening all of the time and we don't know with b -- about it? >> to pipe up in it talking to cios, a small hospital in a

rural area was a victim or attempted 3500 attacks on sunday, on mother's day. they faced 90% of them internal from the u.s. 10% were external from countries from china to costa rica. >> do we know they are internal. >> from the u.s., i should say. >> were they able -- >> they are able to track where the threats are coming from. but that is a 300-bed hospital in rural america and if they are facing it, think about a academy medical center with ip and as we are starting to exchange and the number of opportunities for intrusion. so you may have -- or to give you another example, there is a large health system on the east coast, $10 billion health system. they faced -- they turned away a million ran some ware e-mails in the month of march. so the attempts are regular.

they are happening to providers large and small across the country and it is a matter of making sure that you've trained your staff properly to say no to them. but there is also times where, as long as you've got your incident response plan in place, you should have those systems backed up. and so if they hit one computer, that is useless and you have your systems back up. there is no need to even consider the ransom. >> and how common is it they have the best practices in place. >> it is a work in progress. it is very definitely a learning curve. >> she is shaking her head. >> sorry. they are trying, is the reality. our understand is rapidly becoming more digital. and we are trying to keep pace with the progression that everyone is making, while meeting patient expectations. but the reality is, the threats are real. they are regular. and it is a matter of being up to snuff and working with ocr and looking at the cyber security framework and sharing threat indicators across the

industry. which to modern -- to date it is not as regular as it could be as other industries. and so i think we've seen some very significant progress, particularly in what the hill did last year in setting up the cyber task force. and setting up the framework to share threat intelligence. because that is the only way that the small critical access hospital in rural america is going to be able to leverage their lessoned learned from their colleagues. >> and ceos -- >> what are you hearing as a lawmaker that has access to information. >> well, there are more attacks than what we're aware of and more people are paying the ransom than what it out there for public consumption. >> widespread more or a little bitty more. >> more than -- it is more than a little bitty. >> and a lot of bitty. >> somewhere in between. all right. and so folks need to recognize that and understand that the threat is real, that everybody is potentially a target. and if you don't have -- and as

an attacker, you are looking for the person in the lowest hanging fruit. the person that hasn't had their information backed up, that are using out-of-date software for their infrastructure. and that is who you are going after. and you think you are the right one, you are the person that will probably get targeted. >> i'm comfortable giving it a widespread. and it is widespread and underreported and a lot of folks are paying the ransom. >> and are these ransom attacks, from the looks of it, some of them are random. in other words, somebody is sending out bugs and they happen to land in a hospital. are any of them -- are people -- have the ransom ware-ists figure out how to target a hospital. because they must realize the hospital is kind of -- got to pay if they want to -- >> well, if you look at the studies an the reports out there, 2016 is really predicted to be the tipping point for

ransom ware becoming mainstream in the health care industry. because folks are seeing that, yes, the hospitals will pay good money, more so than your individual, or a law firm that gets hit with it. and a lot of it is random. but i think it will become more targeted. and it is not just our organized crime. there was a hospital in flint, michigan, that was hit somewhat related to the water crisis. and it was a hacked type scenario. >> i see. >> did -- the way this appears to be playing out is very much a crime of opportunity. and so the health care industry, there is clearly vulnerabilities that the hackers have perceived and they are going for it. and i think that leslie put her finger right on it when she said, the lack of contingency planning and data back-up, has always been part of the hippa security rule but to the extent

people didn't realize how important that was, they sure should know that now. >> but so deven, are you saying that if people are reading a few rules and they are reading your guidelines and looked at hippa security guidelines, that some person in the middle of nebraska with 300 beds is as ready to deal with this threat as partners -- a loaded question. >> the lawyer is advising you. >> can you really defend yourself if you are a small player and you don't have a lot of resources? >> well look, we've also put out there that entities need to do contingency planning and disaster planning. in fact, if you are in the middle of rural america, your systems could be hit by a tornado and disabled. so already we have an expectation out there and haulz have is there is -- and always have is there is contingency planning. hippa is scaleable and doesn't have the expectations for larger

facilities that are larger and larger resourced. but this is a threat now that everyone should be aware of. and if you don't have the contingency planning in place, you're a target if you are not already being targeted and having that in place will arm you so much better to be able to resist something like this. you are either going to pay for security, or you might be paying for ransom. but you don't get out of this without put something resources at this problem. >> and is this security something -- a lot of the small rural hospitals, they've had a lot of demands on them. >> yes. >> and it is not -- not blamed on obama care. there is real issues -- many complicated issues facing rural hospitals and the health i.t. is one -- i don't want to use the word burden, financially it is a burden, it is hard. is the security so expensive that they are going to go under, they are going to have to consolidate and lose their independence? is it sort of a straw that broke

the camels back for the smaller pra hospitals or -- or the category that has a lot of trouble. can do you this and fix this if you are not a giant? >> no, i don't think it is limited to the small rural hospitals or the small hospitals. hospitals are financially taxed. and i.t. security is hard. and it is ever-evolving. like leslie said, they only have to find one hole and we have -- we have a world to deal with. so i think absolutely hospitals are under a great financial strain these days. and there is not really good money allocated towards securing this. so, so i think if you peer into the dark minds of a lot of hospital executives, they're rolling the dice with where they allocate their budget.

and it is a matter of surviving as a hospital. >> leslie, what is your take on that? >> you're right. it is something that your budget is finite and you will get incentive payments or take penalties from the federal government for any number of reasons. that is your market basket, how you will dictate getting paid. and security is not a line item on there. but the reality is, we don't have a choice. we're going to scrape together every penny. it might mean you don't get a new mri system, it might mean you don't hire as many nurses or doctors. the fines that you will take or -- it is not -- you are not willing to risk your reputation or your business. because as arthur, you asked, are they targeting health systems? yes, they are. first it was just the data but now they recognized, if we disrupt their operations, we could put them out of business. they have to turn away patients.

and then their name is all over the headlines. and so there really is inevitability you have to address this, regardless of what your budget looks like. so it is working with the board and creating security teams. fur a small practice, you are scraping together with your colleagues and hiring consultants to help. it is just the world we're living in today. >> what are you hearing as a government official? you want to just scream? >> if you have a network that could be attacked, then you need to allay your network properly. if you take the financial incentive away from the attackers, or where your data is not all in one place, that can be captured and held to pay the ransom, then you take the financial motivation away from the tacker -- the attackers to go after it. there is a building this nice somewhere in moscow that has hundreds of hackers developing the next software and they are learning from the attacks that they've done and they look for targets of opportunities. they get a pretty good payoff.

so they are going to learn more and be how many other people fit that mold and then they are going to be more targeted and instead of doing phishing, they will do spear fishing which is targeting an individual. and so if you have the network, make sure you are doing the very basics to protect yourself. and -- and sometimes it will cost more. but if you are relying on the government to defend yourself, you have a much larger problem. >> can't we expect the government to do more to defend us? we can't defend against, you know, nuclear attack by ourselves. >> fair. >> sorry. terrible comparison. but is there -- is there more than the pentagon could do to interfere with some of this stuff. >> one of the things that the federal government could do is sharing techniques and procedures with entities or with the information sharing groups that could get that out to the rest of the community. and that is an area where, if

you know what the attack over the horizon is or other industries are being focused, understanding what that is so you could array your limited resources against the most immediate threats. and so i think that can happen. >> we're all in the health care world and that is what we focus on but if we were a bunch of bankers would we be having this conversation or have they solved it. >> it is the same problem. >> is health care worse or those of us in the room are paying more attention to it. >> we talked about this before. there is a perceived vulnerability out there. and the haerks are go -- the hackers are going for it. and we know this now, if we didn't know it before. i suspect emily has been hearing about it for a long time. the vulnerability of the health care system is not necessarily news to us either. so there is work to do to shore up what is an important national asset, which is this data that really is critical to the health care system. we have a role to play with respect to hippa. we are -- we put out guidance

for a small provider to help them with the basic security expectations. we're currently working on some additional guidance on ransom ware to help entities to get ahead of this. it is going to focus on the contingency planning issue that leslie raised but also some of the tips that have come out about how you might be able to detect it before it happens. but nevertheless, it is -- it is absolutely not an issue that we can ignore. we don't deal with punishing criminal behavior. so we're doing what -- what we can to try to help the entities who we regulate to try to meet this threat and creating a set of expectations with respect to how they meet the threat. but i do think there could be more that we could be doing on a national level on the criminal aspect of all of this. easy for me to say because i don't do that work. but this is criminal behavior with respect to the hacking

piece. >> and is that on the agenda adequately with law enforcement? >> is it on the agenda adequately. so law enforcement is looking into everything it can to help the private sector, no matter what the industry is, to defend themselves. does law enforcement, whether it is a department of homeland security or fbi or secret service have enough resources to help everybody across these industries? no. but that is why the important of the isacs, where you have industries come together to share and the legislation we passed last year is going to help facilitate that but we have to make sure the federal government is passing and sharing information. one thing that i hear a lot from health care providers is that there is a bunch of -- of old and antiquated rules and regulations that is confusing and they don't know what they are supposed to do and what is meaningful use men and all of this kind of stuff. so these are -- these are some

issues that need to be streamlined as well so that health care providers know exactly what they should be protecting. >> and i think there was an element as well, in this part -- this is part of sisa, we heard from members in terms of looking at hhs and not just law enforcement, but just within hhs, there are so many different entities that have different responsibilities in this space. so the fda approved medical devices. are they clear. ocr covers hippa. how does hippa intervene with the interagency coordination and you are looking at onc and they are certified electronic health certifies, are they certified with enough security from the beginning? and so as we're looking kind of even within hhs and something that we asked and we're really pleased that ended up being included was a directive for hhs to line up who is running point on this issue. and how can we look to the agency and get a singular answer?

and i would say more than that, we've noticed this shift traditionally -- we were looking at privacy and security and unfortunately as two separate things in health care and i think until we recognize that the privacy of the data absolutely is an element of security and patients have the right to know their data is secure. that is going to be a game-changer, i think. >> so do you think we need to appoint a -- like a health cyber security czar who runs the whole -- no. >> i think hhs was given a year to put forth this interagency plan and i think that when we see the results of that, i think it will really help in terms of knowing who to go to within the agency. but i think that was a great addition that i'm not sure if the rest of the world caught. but it was -- it was in the range of things that were health care specific that passed with sissa. >> we're all thinking about this in terms of our personal information and the threat to -- many of us in this room have had our information hacked, whether

we know it or not. maybe everybody. but this is a big data question. but i'll -- we're also at the brink of -- we're talking about using data in lots of really interesting potentially really helpful ways, right. we're talking about patient generated data. all of the things that we've been talking about after two years there are cool things happening. the patients, the way we participate in clinical trials and patient engagement and pushing data and arthur could talk about the cohort from precision medicine. there is so much going on that requires use of health care i.t., way more than just turning your paper chart on to a computer chart. >> so how are we going to let that data sort of -- how will it flow. >> when we can't protect it, yeah. >> well, getting away from the data flow part -- >> which doesn't flow all that well right now. >> and deven will have something to say about that.

or not. >> there is interoperability issue. but there is also the -- say we have the magic wand and we get everything interoperable tomorrow and there is lock issues and we have in the next few years we are supposed to be able to exchange and produce data in ways that we couldn't do before and it has an amazing amount of potential but is the private or the security thing, since you just said they are two different things, how much in the way is that going to be. >> i think this illustrates why health care is actually a much scarier place to be in than the financial industry. which is much further ahead than hospitals, health systems, anyone in the health care industry. because when we're talking about ransom ware, we're talking about data. we're talking about patient safety. what keeps a lot of us up at night, especially on the i.t.

subcommittee is not necessarily the known quantity of stealing patient data, but it is all of the other inputs that go into that. it's the network medical devices. it is the network anesthesia machine. it is the temperature and the air saturation in the o.r. >> so the dick cheney scenario. >> absolutely. he got widely mocked for that, but he was on to something. >> has it happened already? >> i don't think it has. >> not that we've heard. >> somebody's actual pacemaker hasn't been hacked but there have been many demonstrations of how to hack a pacemaker. some people talked about the attack on our -- on the utility grid was philosophical, but that happened recently, the russians attacking the grid in the ukraine. and it is possible. outside of the theoretical. but those fears shouldn't prevent us from moving toward

interoperability. i own that data. and that is my data. and i want to pull it up on a dashboard and figure out what happened in the last couple of doctor visits and i want to make sure my future doctor has access to this stuff. and let's say -- we can anonymous that data and protect privacy to make sure that we have truin operability to detect zika faster and make sure that medicine is being developed on a quicker basis. and when we do, we increase the surface area of attack. >> and that is one of the reasons why the hippa rules are not just about security. it is also about availability and data integrity. because always those regulations have presumed that the data has no value until it is used. appropriately. and as often as necessary and needed. and that is why the rules are built the way they are. so it is never -- it is never going to be, well, we can have this or have that. it is, we have to figure out how

to have both. >> if you are a provider, don't you think the instinct is going to be to shut down and not send your information through a health information exchange because you are not sure that they -- that all of the players there are -- have good security. >> so something, if you are talking to a cio or chief security officer, there is no set rules of the road. in terms of security. so the framework is a great starting point and we've heard there is a health care-specific guidance coming which we're excited about, but in reality it is optional. we are not saying we want more man dates but the reality is if there is an industry-led effort or someplace to look for standards, it is really valuable to know that if you are engaging with another provider or with the health care information exchange, that they've got a set level of security that then you could deem, okay, they follow this or they've done that. so i know that i can share with them and i should be okay.

and so i think we're coming together as an industry and starting those conversations. but if you ask, there is a desire for a minimum set of requirements that you could build on top of. but the expectation, hopefully, some day we'll all be at one point, that we have some level of confidence to embark on that sharing. >> we are going to be able to take a couple of questions before we go to the other panel. and want to start -- darious is -- where are you? we have a reporter. darious is in the room and probably standing -- where are you? okay. he is one of our reporters and he shouldn't -- >> oh, dear. >> so what we always hear in the cyber security discussions is how valuable the stolen records are. i was wondering if there are any efforts to track what these records are being used for and how extensively they might be used for being leveraged for financial gain? >> anybody want to take that on.

>> well, i think, the only thing i will say, it isn't part of our purview to track where it goes after -- after we get a breach report. for example, in our investigation, we'll take a look at what happened during the breach and do we have some significant issues of lack of compliance with the rules that we have to pay attention to. but one of the things that i've definitely seen is a connection between -- between medical identity theft and fraud. and the increase in health care fraud that is out there and the ties between security and strengthening health care security and helping to combat fraud. >> so we've been able to track this record was stolen in this anthem hack and later that same number that was stolen on that record ended up in this fraud case. has that been done? because it -- that is -- that is

the cause and effect would be -- >> you need to put a tracer on data so we could figure out where it goes, right. >> well the fraud units that -- that are involved in whether it is -- a big insurance company or the government are the ones that would see the impact that it is having and they should be keeping track of that data. and think that is something that would be interesting to see, within the health sector isac on the kinds of things they are seeing where that data is going. >> there was a question over here. could we bring -- >> should i wait for the mike. >> over here in the front row. >> i could project, that is fine. >> no. >> okay. steve luckin. i work and study in the city. at the outset, thank you to the politico team. alexis, mike and rodney shooting photographs here in the city. i guess first to the congressman, three quick ones. how do you deem your efforts or the efforts by your colleagues

in bringing forth a cyber security protocol? the second is have you received either from capital police or fbi any of the other organizations notice about having your own or your peer's medical information hacked? and the elephant in the room is casualty. so what about the insurance companies that -- to the extent that a lot of their patients get hacked could face a serious, massive class-action suit. and thanks. >> the first -- the first question -- look, the oversight rule of congress to make sure we are providing performance standards rather than trying to bake something in, into a law, is important. because the reality is as soon as we say this is a best practice, it will change in six months. and so we have to create legislation that is flexible and grows with the times. and that is when you talk about performance.

what should -- what should the outcomes be. i'm not aware of anything dealing with individual members being -- their health information being targeted. and the last one? >> liability of in surers. >> oh, absolutely. i think this is something that everybody is looking at. this is a question that insurance companies are looking at, at major breaches, whether at retailers or banks, what is the insurance aspect to a major breach and when it comes to -- when could t comes to the -- when it comes to the health industry, it is huge and i don't think there is any answers on how to deal with that yet. >> and when we planned this panel and we thought, maybe the american bar association has somebody looking at this. so we went to the website and we found not only do they have somebody looking at it, they have an entire new section on e-health and data and all of this. and you tell me there are what -- 1800 or 1400 -- >> 14 -- >> 1400 lawyers already in

something that didn't exist -- when did you start this? >> about six or seven years ago. >> so that is -- i think that sort of tells you something about the magnitude and the growing magnitude. a couple of quick takeawaysba we need to get -- because we need to get through with this panel to start the other one. dan will be out here in a minute. before we wrap up, arthur and i will think of a quick takeaway. this is a bigger problem than most people realize and a bigger problem than i realize coming in, that it is massive and pervasive and that we're not going to have -- none of us as individuals can protect ourselves. and -- it is not solved within the next year. arthur? >> yeah. and i think that it is also -- it is just another -- i think we've heard here that this is just going to be sort of another pressure on the health care sector, which parts of which have a lot of financial and other strains. and unfortunately this was an

unforeseen consequence of i think -- unforeseen by most of the meaningful use program and the effort to get the -- the needed effort to get computers into medical offices. and so -- >> and it was such a push to get the adoption of the electronic health record that there wasn't enough -- >> i think most people didn't foresee that suddenly they were going to be -- it was going to make the health care system vulnerable in a new way. >> a whole new bag of cards. >> i think there were probably some who did. but any other closing thoughts? >> i think one thing that -- one thing that bears repeating is we hear a lot about how you need the board to get involved. and you need senior leadership on this. one important thing to remember about health care and specifically hospitals in our country, is the board of even a

large hospital is not necessarily the type of board that you would think would exist for an entity of that size. about 59% of the hospitals in this country are nonprofits. so you have donors. you have political influence. 23% of them are state and local entities. so, it's hard sometimes just with the dynamics of the board leadership. >> interesting. >> a different industry. >> i don't want to say that hacking isn't -- and cyber crime isn't worth singularly paying attention to. it absolutely is. but i think we're -- we risk getting attracted to the shiny object when good, basic security should be the platform upon which all of this gets built and we're not even really there yet, for many ebtsintities. and we have to figure out a way to get there. >> i need to wrap up a conversation.

>> a quick point. >> yeah, yeah, you have to talk as fast as me. >> don't click on links in suspicious e-mails. >> there you go. [ applause ] >> that is why my husband doesn't answer mine. it is time to wrap up the conversation. thank you for being here and sharing your insights and i'm going to welcome andiamond from pulse who will -- he's helped us put together the forum and the next panel will take over. and then stay afterwards and continue talking and drink. [ applause ] >> welcome, everyone. thank you for coming. thank you. i'm excited to join the team. my role here, in addition to writing pulse and doing the pulse check podcast is moderating the outside-in forum. and you see on your seats, the first story we published as part of the forum. i have it here if you haven't seen. polling insiders on what they are the biggest cyber security challenges an the role that government can and should play.

i do want to welcome our three panelists, as i sit on this high chair. first, a man who needs no introduction, i'm going to give him one any, anice chopra, co-founder of hunch analytics and spent years providing leadership on i.t. issues in the white house and worked on the advisory board company. and nick dawson, executive director of sibley hospital innovation hub, better known as the innovation czar. as long as i've known nick, which is ten years, he's the most thoughtful thinks of sharing health care information on line. and last but not least, neo more augy. he studied this issue very closely and it is timely to have you, because you just did a report thursday -- last week -- >> uh-huh. >> on cyber security and some of the biggest issues plaguing the sector. i have questions for the three of you but i wanted to start by take the temperature of the

room. simple question. show of hands. is cyber security getting worse in health care? show of hands. okay. only about half of the room. is he getting better? is cyber security safer than it was? i'm going to turn you guys. aneesh, is cyber security worse than it used to be? >> so i'm going to answer this question with the typical caveat, which is yes, in the following context. we were in manila folders five years ago, eight years ago. and so when you've increased the -- the spread of digital records, by definition, you've created more of an attack vector on which there could be more -- more risk. so relative to manila federoldei would say the cyber security risk is higher. on flip side, if you take a look at the preponderance of the data on where the cyber security risks have come from the non-certified

health i.t. services are where the predond rance of the attacks seem to be. so if you kind of take the practical nature of this, data in many databases that have been sold in the commercial sector, banking sector, health care sector, databases that people can log into and have access to that someone that does convince me to click on a malicious link might expose, but the system that's are regulated the certified system that's were subsidized under the meaningful use program, for some reason have been less prevalent among the list of sites -- that doesn't mean they're perfect and they're safe. just if you look at the evidence, the overwhelming share of attacks have been in the uncertified area. worse but in context. >> let's come back to the certified point but maybe move down the line. nick, seibel cyber security, th have gotten better or worse? >> i was ready to take a contrarian view. i was given a beer and shown a

comfortable chair in the back, if i take that view means i can't come back, i can adjust my point of view. >> how much alcohol have you had? we were hoping you would go full throat throttle. >> it's a bell curve. i would virtue those sentiments. we've become digital very quickly, it increases the attack surface. there's also the pragmatic reality that threats have been there for networks for years an years and years and this is a hot topic and a timely one for our industry for some well-known examples. things we just heard of i don't necessarily think that means the sky is falling per se. i think from a provider organization standpoint we're wrestling with a reality of is this really the business we want to be in and know how to be in? do we know how to staff for it do we know how to fight these kinds of things? we've kind of convinced ourself that's we have to be all things to all people, we have to be a

food service delivery and an ak teshg tur firm and a leasing organization and research organization and provider organization. but this may be an area that we're significantly focused on so we think it's a hot pressing topic but we might want to reexamine that. >> nian? >> i think i agree with the panel. the frequency of these cyber attacks are becoming lower primarily because health care is becoming more secure in i.t., just like any other industry. when you're younger you're more likely to have accidents while driving. a oolz you get used to it and you lesch how to life, the accidents are less important. >> you think we actually might be trending in the right direction as health care matures. things are getting safer. >> correct. and the other thing is, i think the recent ransom attacks are the best thing that could happen for health care security because

they now let people know about the importance of cyber security in the medical domain. for the hospital managers, it has now become an integral part of their services. now, they have realized if they don't investigate enough on cyber security and i.t. it's going to hurt their main core operational businesses. so i think now that these recent attacks have created this awareness, health care providers would have much more business incentives to invest on a cyber security and insuring patient privacy just like other businesses do. >> so one of those ransom ware attacks we heard about it on the first panel. probably everyone in the room knows the medstar attack where hackers held hostage asking for

bitcoins to release the information back. hospital executives basically had to cancel patient visits. nick, you are not at medstar, but you are at a med stair rival. i'm curious, as an executive of a hospital watching this happen, what were the meetings like in the boardrooms to make sure that you are not the next medstar? >> i don't know if it's a direct quote, i think it was probably a conversation that started with, what's a bitcoin? and that's not -- i think that's probably a conversation anyone would have. my point there is, the notion is really esoteric. there's a whole set of education we need to have. what is the threat versus reality? that's the case where there was actual reality, not just a threat. so the first part of it starts with unpacking what's really happening, what's our real risk what's the mitigation of that risk meaning like time to figure

it tout ourselves to restore from backup if it's a possibility to come up with a different solution versus the cost of just paying it. sometimes that cost of paying it is cheaper than waiting to try to figure out another plan if there is another plan. i think that's part of it. i think for us and instead of pontificating on what happened in the boardroom, i've not been privy to to conversation, but i'll tell you what the innovation team starts to talk about, is how do we think about this in a different way so not in the sense that although there was a suggestion we should start mining bitcoin, have a stockpile. >> another business for hospitals. architecture firm and the footd service. >> we made our margin on bitcoin this year. i think instead it's how do we not have a single point of failure? so our team got together and said, what's going on here? we said, well, it seexs like the i.t. infrastructure really the emr because it is the piece that

does the billing and medication delivery and admit and discharge is the operating system of the hospital. how do we not have that become a single point of failure? so we started talking about different types of mitigations. and that was kind of where we took it. >> i feel like that plays into what aneesh was saying initially. >> i'm not suggesting that one is particularly better than the other, but i would say the certified systems have at least embodied a lot more of the best practices into the regulatory framework. so there's actually a fairly basic understanding of how do you encrypt information at rest and in motion and how do you ensure there's a user awe thint occasi thent occasion so dan diamond logs in, i know it's him and not a machine pretending to be dan diamond. so we've got more of these testing capabilities to make sure the software sold to the organizations can meet a certain

bar. and that bar gets better every cycle, whereas the broader system that's are just available that you can buy anywhere really haven't gone through that level of review. so as a consumer protection matter, if you're the head of purchasing, you may not know that this particular outsourced vendor that does your billing and collections that gets the entire patient file to make sure that the co-pays are collected for the $20 that are missed, that that entity has some cyber security best practices and hygiene to the standards that are seen among the certified technology piece that's are made available. so my perspective is we're getting better. it's an interesting point about health care. i'm make this observation about getting better. the whole framework for cyber security was we'd have a learning industry model that is to say there's more disclosure of breaches, which would then inform root cause analysis to say, now we know where the vulnerabilities are.

let's close the loop in the next round and we'd have this much more transparent system, collaborative system. health care is actually further ahead than the rest of the industry verticals because part of the high tech act was to create a framework that required that breach notification abdz that disclosure. so we're actually -- wow, a lot of attacks in health care. it's one of the few that requires reports of breaches. not all sectors do. so we're benefitting in many ways because we're bringing to light, we're shining light on these holes, which leads to a loop where we get better and better over time. that's at least my perspective on how the systems evolve. >> i like that learning system per se. i want to go back to one quick point and get kind of nerdy about it for a second. i think what i'm hearing and i'm -- >> this is a good crowd by the way to get nerdy. >> cool. >> i give you the blessing. >> this is a marginally informed comment. i want to preface it with that. what i'm hearing is that the specific attack vectors are often unpatched microsoft ser r

servers. that's i well-known huge vendor. that's not a small -- >> i'm sorry, nick. i probably know the least on this panel so help me understand. are we talking about microsoft office? like what specifically in microsoft? >> i'll get out of my depth really quickly, too. but microsoft has a server platform that at love the infrastructure sits on. it might be the part of the application layer that runs part of the mr. it could be part of the database layer though increasingly they sit on a unix platform. imagine we all have xp or windows 10 on our laptop. there's -- that has to be kept up to date pretty regularly. so that underlying operating system is what seems to have a lot of the vulnerability. >> aneesh just said we see many more attacks in health care only because health care is required to report them as opposed to other industries that are not required to report them.

and it's zpiened like this in order to let people learn about the sflurfailures whaxt happense only learn about the incidents not the root causes of the incidents much you go to ocr's wall of shame, so many attacks that happened. i haven't learned anything from this. i don't know if you have learned anything from the failure of medstar. i think to use the potential of that learning curve and industry informing itself, both ocr and also the health care organizations and other entities in the health care system which are not limited to health care organizations and their emrs, there are business associates and insurance companies who have many times access to much larger volumes of patient data and are not using certified or uncertified emrs to learn from

these breaches, to learn the lessons they learn from these breaches. but the other end unfortunately it is not happening at the moment. >> one thing i was struck by on that first panel, congressman herd says the hackers are learning from each other, russian hackers. the victims in the united states, they don't have the same information sharing. how do we fix that? >> well, we're getting -- let me be precise about this. we do have a framework under the commerce department agency that is really the switzerland for a lot of this information flow to establish these industry vertical that's are sharing. one of the big problems is, are y what are you sharing? are you going to release personally identifiable information to share? hey, i got this e-mail from dan diamond, man, he sent me some crazy things. >> you keep saying my name. is someone sharing my information with you? >> i get this stuff, hey, ane h

aneesh, i'm preparing for the panel today. i click the link. that was an infected -- that e-mail contained a link that had malicious -- installed malicious software on my computer. how do i share that e-mail with others without violating your privacy in order to learn, how did that particular piece of malware get onto your spoofed e mayhle? so getting the privacy right has been the central debate in information sharing which congress now has moved forward on this framework for the goal is to minimize pii while maximizes the sharing and learning across many industry verticals. so we're not perfect in health care, but we have at least a model to say, how do we ensure that these threat factors are shared? now, in the first term we were at a cloud first policy in part because patching is a human failure, right? it's not microsoft's fault you

didn't patch. you've got to push the button and patch. so the staff -- i mean, maybe they have sunburn, but the premise is part of the reason i was enamored with the idea of cloud is, in many ways, you auto patch in bulk so you get the threat vector at 3:00 p.m. monday afternoon. you learn a new signature. you figure it came from this domain from this apparatus. next time it shows up in the same cloud environment you stop it before it's presented to him to click. so this learning, real-time learning, i think it is the opportunity that's coming. we're going -- we're stuck in the must-have servers on premise. but then you have to bury the responsibility. if you're going to do the infrastructure, you have to do it all the way. i think it might lead to a further acceleration to the cloud. >> just want to open this back up. outside in is the hash tag. if you have questions, submit them. they'll get passed to me. i want to build off something

you just said, aneesh. we're at this balance of protecting information but also the need to share this. this is your point. how do you make sure we strike that balance in a world where we're going to benefit from sharing health data for making it easier for patients but someone on the first panel i think it was cool they said, the way to protect data is to put it all in a server in a bathtub and not let anyone see it. what is the right answer moving forward to strike the right balance? >> between i want to make sure i get the right question sharing and -- >> opening it up. >> transportability and -- so i think my answer to that is a little bit of a different tack, dan. i would say that back to what i maybe teed up at the beginning. we're going to have to invest even more than we've invested today. we've built this incredible infrastructure around i.t. security. we have -- in fact, any community that i know where

they -- where the community hospital is the largest employer it's also the most advanced i.t. shop. they tend to be an anchor for people who want careers in i.t. i think to your point, aheesh near, do we keep building if it locally, i would say we're at the pivotal juncture where we decide, do we keep investing more and starting loosh being for places where we left the door open, guard the goor door, where we realize we've left our back side totally uncovered and people are kind of flanking us that way. i think what's a question. i think the other way of looking at it is, do with we take the same amount of money and resorgss and put it into building something completely different? my version of this is maybe where i'm a little bit contrarian and i started and went before this conversation to a bunch of patient groups and said, what's your view on this? what would you want? and almost universally what i hear is i want to own my own data. i want to decide who gets access to it. i have a gmail account.

sometimes i sign up for a website and say to the website, use gmail or google as my user name and password so there's a mechanism for that. i'm adding a couple of layers of sophistication on top of the comments i heard. my version of that is, if we wanted to start share things, what if we took the money and voerss and fit something entirely different and the thing different would be putting the data back in the hands of the patients and let them be the ones to share if and having an authorize aigsz mechanism for doing that. >> right now it's so hard for some patients they may as well just hack the system if they want to get the data. anyone with a misfit youth could probably get medical records faster than way. >> we're not endorsing that. >> especially because it's too easy to hack into the software systems. >> your report touched on this, all the different hackers that are out there, liam. some of them are malicious and some are the misfit youth who are doing it on a dare or for fun. what are some of the commonal

commonalties around who is doing the hacking and what can we learn from the patterns of hacking behavior? >> well, i interviewed 22 victims, and out of those 22, only 2 railroador 3 of them wer victims of hacking attacks. the rest were just goofy people who just happened to lose a laptop or a thumb drive or something like that. so i really don't think hacking happens that much in the health care. it happens more than it should, but not jchs we think it is happening because i still cannot believe that the stories that i read in different news outlets claiming that medical data is $500 per record because if that with were true and a community hospital has easily 1 million records, if i could hack into them and sell that data 5$500 pr

record, that is $500 million, i would quit my job right now and go learn how to hack into these systems. >> i'm sensing a theme in our panel. we are not endorsing this bad behavior. but point taken. it's a little overhyped. >> yeah. but ransomwear makes all the sense because -- again, please pay attention that these ransom ware attacks they're not touching your data. it's like somebody changing the lock of your front door and doesn't let you get in. they do not touch the things this your home. they're not stealing anything. they just tell you, hey, give us $15,000, maybe $20,000 to let us get into your home. that's it. because the hackers themselves know that it's really difficult to monetize medical data. who cares about my blood test? nobody. i mean, the only thing that they are after are my social security number and home address, date of birth, my personal information part of the health record, not the medical records. and they use that in order to

create a fake identity or submit insurance claims and everything. and it is very difficult to scale that up. you know, from a hacker's perspective, he may pay you $500 for one record, but he's not going to pay you $500 million for 1 million records. it's very difficult for them to monetize. >> let me jump in. i see aneesh is nodding along. you agree with this assessment that it's not all about the medical information, it's the social security numbers and -- >> so here's the -- it's hard to get in the mind because this is not well reported. but let's just take it -- in 2010, the president said, i'm going to provide basically online access to patients in the v.a. to access their health records via blue button, loads up the blue button and a million veterans push the button and access their data. not a lot of widespread reports yet of faking they're a veteran in order to get another veteran's blue button file. not yet. cms follows suit. maybe a million people have

downloaded the blue button file. not a lot of evidence of people faking. and on and on. now we expanded the concept of buttons into different colors, green button for energy, red button i thought it was red then my data for education. then consumer financial data became the irs get transcript. all of a sudden the irs get transcript which now does have in his point the kind of stuff you would reuse for economic gain, 23 million americans downloaded their get transcript file. 200,000-plus have been publicly reported as having been spoofed hacker-like attempts. so it provides some evidence that the attack vector is for the data that has economic reuse and not so much the clinical values, and my perspective on that is following hole in our

current systems. the current hospital or doctor does not know whether a machine is logging into the portal or a human. the internet economy has figured this thing out. there's a door for the machines and a door for the humans. and you have security that's commensurate with the request if you want to get the machine door, you have to authorize it. you have one more step than if a human just logs in. the great news about where we are in health care, the obama administration in november finalize the meaningful use -- which is now part of all the other acronyms. we have a very clear view that there will now be a machine front door, a front door for machines, that will be secure and would allow for a more thoughtful way of registering. so no one has to hack the account in order to pull their health record into something that nick is describing that could make them make better decisions in the health care but rather a thoughtful front door they don't have to hack in to

get their own data. the race is on, protect the old patch willing of the old servers and the painful headache while turning on the systems that we're going to need to be successful in a value based health care world. that's the opening up while locking down conundrum which i think the opening up is going to wish. >> we have a few minutes left. if you have a question, please raise your hand and we'll try to get a mike tocrophone to you. i have a question first. we just heard from aneesh a potential solution from government on way forward. nick, niam, what is the government intervention or lack of intervention you'd like to see? the government may not always be helpful when getting into this space. >> i want to be thoughtful about that because so many of the

thought leaders and the leaders i learn from are part of our government leaders. i think from our legislative standpoint i would want to not act too quickly because my -- i don't know. i think my numbers could be wrong here. but i think very, very few people in congress identify as coming from a math and science background. this is pretty heavy in the math and science background. >> congressman herd may disagree with you. >> i think it's a fine percentage. i look at a bill that does not understand cripping to raphy at all. it would effectively ban a web browser. soo i would not want to rush down that path and found ourselves ham strung by something. this is just ad hocking on the spot. and build on your idea of a learning network and we don't understand the root cause of these things. i'm sitting here saying i think it's microsoft servers that are unpat

unpatched. >> lower case "g" convener. nist is the lower case "g" in government that convenes the industry to solve and learn in varying forms. so it was my favorite industry for collaboration because it didn't have the heavy hand of regulation nor with was it free-for-all don't do anything. it had a thoughtful method by which we could orchestrate the right answer which really is at the heart of what our government was founded on, this notion of community and commonwealth. >> i think the best of government can do is convening and bringing people together and inviting them to talk with hooech each other and work on a problem. but expecting government to help with innovation and information technology is really foolish. we have seen the results of government intervengs in health

care information technology through meaningful use programs, and with we have seen it through hipaa regulation. it has been a miserable failure in both areas so i think we should not expect government to be able -- capable of solving this information technology problem. it has not been successful. 155 million americans had their records out there that have been victims of privacy breaches and that is the lowest estimate because ocr only reports the breaches of more than 500 people for each of those large breaches there are hup hundreds of small breach that's are not even reported. so i can comfortably say that all of our records have been out there. we all have been a victim of privacy breaches. and, you know, if government couldn't help one of us protect our privacy, then i personally do not expect it to be able to do anything better.

so let the market do its job in my last report i lay out how cyber insurance market could potentially solve all of these problems that we have in the patient privacy and cyber security and how those market-based solutions could be a long lasting approach to save the -- to solve the problem fundamentally. >> as you were talking i noticed the first panel nodding their heads or shaking their heads no. just so you know. >> i love to defend the meaningful use program. we've done a great deal. could you imagine before you answer this thing, just a simple question, the average doctor who was caring for a couple thousand patients could not figure out which patients whose background or condition may have a heart attack or hypertension, which of them had elevated blood pressure levels so they need to be managed in a more aggressive way.

we as a country could save a million heart attacks now because of the method by which we've basically built up the program, every certified health i.t. system is capable of running a simple query so nick and his team could say, whoo, who are the 15 patients we didn't know at risk of a heart attack? let's go call them, bring them in, counsel them, let's make it happen. cyber security insurance market, you can't build an insurance market unless there's a standardized data model on which they can insure against. so you need the government to build standards to know what the root causes of the problems are against which they could model the -- there is a yin to the yang. i get the sentiment. i want to correct the record where i can. >> a very provocative way to end the panel. if you disagree or agree with any panelists, find them in the lobby. ununfortunately, no more time for questions. for those of you in the room,

thank you very much. for those of you watching, thank you again. a final thank you for philips. join us for cocktails. drink responsibly. do not share your medical information. thank you to everyone. >> thank you. >> the house oversight and government reform committee holds the second in a series of hearings on alleged misconduct at the transportation security administration. administrator peter nepen jer and general john roth take questions on the agency's personnel management practices. watch live at 9:00 a.m. eastern here on c-span3. >> this sunday night on "q&a," historian adam hoke s.h.i.e.l.d. and his book on the american involvement in the american spanish war in the 1930s. >> this coup attempt happened in

spain when all over the country right-wing army officers tried to seize power and in parts of the country succeeded in seizing power in 1936. it sent a shock waive of alarm throughout the world because here was a major country in europe, the right wing military quickly backed by hitler and mussolini who sent arms, airplanes, pilots, tanks, tank drivers and mussolini eventually sent 80,000 ground troops, here was the spanish reich making a grap for power and many thought it should be resisted. if not here, where? otherwise, we're next. >> sunday night at 8:00 eastern and pacific on c-span's "q&a." fcc chair tom wheeler defended the commission's proposed privacy rules for internet service providers at a senate judiciary subcommittee hearing. he said consumers should have

similar privacy protections on the internet while they do while using telephone networks. this is about an hour and a half. >> we're here today to discuss the federal communications commission proposed privacy rule that's are currently in the notice and comment phase. the fcc under its most recent net neutrality order have created a vacuum in privacy enforcement when reclassified broadband as a common carrier under title 2 of the communications act. previously, the ftc had successfully enforced privacy against broadband providers except for the net neutrality order, the ftc would still be doing that. over the last ten years the ftc has brought a number of

enforcement actions against broadband providers however none were a result of privacy violations. given that, many wonder what justifies the new proposed rules which are a significant deviation from the ftc's approach and more burdensome as well. there are wide pred concerns that the proposed rules are another step in the fcc's attempt to become the policemen of the internet. these rules will also have a number of problematic consequences. first and foremost, they will impose static regulations on a dynamic and innovative echo system. would we have the same internet today if these prescriptive rules were imposed a decade ago? i'm concerned that we would not. additionally, it's likely that these regulations would only confuse consumers and give them a false sense of security. finally, there are serious legal questions surrounding the proposed rules, in particular, are they consistent with the

first amendment? to discuss these issues we've assembled what i believe to be the perfect panel. we have the chairpersons and minority members of both the fcc and ftc to provide their perspective. i thank them for appearing here today. i look forward to the testimony. senator franken will give to th today's hearing on the fcc's proposed rules and the very important issue of consumer' online privacy. chairman wheeler, chairwoman ramirez, commissioners pai and o ol housen, thank you for appearing before the subcommittee. a little over a year ago the fcc voted to preserve a free and open internet. it was a very exciting moment for supporters of net neutrality. and that mean it's was a very exciting moment for a whole lot

of people. nearly 3 million consumers and business owners spoke out and urged the fcc to adopt rule that's would ensure the internet remain the platform of free expression, innovation, and economic growth that it always has been. it was a very exciting moment for me and remains one of the highlights of my career in the united states senate. many of my colleagues and i long fought for strong rules, and we argue that these rules should be be grounded in the fcc's authority under title 2 of the communications act. if they were to survive judicial scrutiny and withstand the toeflt test of time. now that very question is currently before the d.c. circuit and we could see a decision from the court any day now. but as we await that ruling, the fcc has a job to do.

since the open internet order went into effect, the fcc has had a responsibility to implement privacy rules to protect consumers, promote competition, and ensure that broadband providers are given certainty with respect to their obligations under section 222 of the communications act. so i commend the fcc for starting this necessary process. noir pa for my part, i believe americans have a fundamental right to privacy. they deserve both transparency and accountability from companies that have the capacity to trade on the details of their lives. and should they choose to leave personal information in the hands of those companies, they certainly deserve to know that their information is being safe guarded to the greatest degree possible. now, this trance perrin pairnscy and accountability should come from all the company that's have

access to americans' sensitive information. this includes telecommunications providers like comcast and at&t but also edge providers like google facebook and amazon. i have repeatedly pressed website operators and other online service providers to ensure that their customers have more information about the data being collected about them, about how the data are being used, and whether the data are being shared or sold to third parties. here the fcc has an obligation to specifically address broadband providers' collection and use of americans' personal information, and we're talking about a whole lot of personal information, isps have easy access to americans' unencrypted online communications and browsing histories as well as well as internet usage patterns which can provide a lot of

insight into people's daily lives and habits. practically speaking, this means that comcast knows exactly what ails you when you visit web m.d.'s symptom checker or that you recently experienced a major life event when your browsing maternity clothes on target.com. it also means that comcast can tell if your home internet connection which may be silent during the day suddenly starts seeing increased use between the hours of 9:00 and 5:00. combine that information with the browsing history of employment bulletins and comcast can infer that you've recently lost your job. simply put, isps know the most intimate details of our lives and, even worse, americans have no choice but to hand over this information or forgo access to broad broadband, something we have

repeatedly recognized as an essential service in today's world. currently, more than 55% of americans have just one option for broadband service. so subscribers who object to their provider's privacy policy are simply out of luck. this is unfair and unacceptable. i see today's hearing as an opportunity to think carefully about how americans' data are currently being collected and used and what we must do to ensure that consumers receive the you highest standard of protection. i look forward to the testimony of our panel. thank you, mr. chairman, again for holding this important hearinging. >> thank you, senator franken. senator hatch is here now and needs to leave somewhere else pretty soon. glad he's here and we'll allow him to make an opening statement now. >> i'm headed to the white house after this. thank you, mr. chairman, for holding this important hearing. i'm a strong proponent of free

and open internet. i recognize the need to allow the internet to continue to flourish and to drive our economy while also protecting consumers' privacy and data security. consumer privacy is an extremely important issue. however, i have significant concerns about the fc's proposed privacy rules for broadband internet service providers. and like many of my colleagues, i believe the fcc's 2015 open internet order which unilaterally reclassified broadband providers as common carriers under title 2 of the communications act was a serious overstep of the agency's statutory authority. now, this major policy shift with far-reaching implications well beyond the fcc's current jurisdiction should have been made by congress. for deck aidsed ftc has been effective in enforcing and protecting consumers on the internet. now, however, the fcc's

misguided open internet order must put the ftc of -- internet providers. why is the fcc, which has less capability and less expertise in this area, not following the ftc's well-established and effective privacy policy regime? rather, the fcc is proposing privacy rules that apply exclusively to internet service providers creating a potentially confusing and unfair set of rules for both consumers and businesses. now, i am concerned that these proposed rules which do not apply to edge providers will allow competing entities to collect the same consumer data while subjecting some but not all to a completely different system of rules and regulations. second, i am following closely the issues surrounding the so-called set top box rules proposed by the fcc.

technological advancements have provided consumers with almost limitless options to watch pay per content on an array of smart tvs and other devices. now, streaming technologies have freed consumers have costly and cumbersome set top boxes. to date, the fastest growing streaming market has forced cable and internet soevs providers to be more nimble and competitive and -- this committee has exclusive jurisdiction over intellectual property rights protections. as such, i continue to be concerned about how the proposed set top box rules will impact video content. unfortunately, many believe that if it's on the internet it must be free. but producing an distributing video content is not only costly it also requires a legal

framework to license that conte content. approaches that ignore the need for licensing or undercut existing licensing agreements will, in my view, increase costs for consumers, reduce choices and discourage innovation. i strongly urge you to keep this in mind when considering the set top box issue. third, i would like to comment briefly on the charterer time warner merger which the fcc voted to approve last week with conditions. mr. pai, you dissented from the commission's decision on the ground that the conditions the commission imposed have nothing to do with the merits of this transaction. rather, you said the conditions are about the government micromanaging the internet economy. now, this is not the first time you've raised concerns that the commission is improperly used merger conditions to micromanage the internet. last summer, for example, you

dissented from the commission's decision to impose 17 pages of conditions on the at&t/directv merger saying the conditions have nothing to do with the transaction at hand and characterizing them as, quote, the force tribute that the company must offer to munullify the capital, unquote. mr. pai, i want you to know i share your concerns. in fact, i've been troubled recently by a number of commission actions that in my view have sought to extend the commission's authority beyond statutory bounds and to push administration priorities in a one-sided way. now, i'm unfortunately able to stay and ask you questions today, but i'll be submitting some for the record so i will look forward to the responses of all four of you. and i just want to express my gratitude that all of you are willing to be here today and help us to understand these issues better. i hope we can make some headway

together and of course i'm going to do everything in my power to try and make sure that we live within the framework of the laws. thanks, mr. chairman. >> thank you. thank you, senator hatch. it's custom to swear the witnesses in, if you'll stand. do you affirm that the testimony you're about to give before the committee will be the truth, the whole truth and nothing but the truth so help you god? >> i do. >> record will show they all answered in the affirmative. i'll go ahead and introduce all of you together and then turn for opening statements. chairman tom wheeler is the 31st chairman of the fcc, a position he's held since november 4, 2013. for over three deck id as chairman wheeler has been involved with tell me communications networks and services as a policy expert and advocate and businessman. prior to joining the fcc, chairman wheeler was a managing director of core capital partners, a venture capital firm investing in an early stage

internet based companies. he served as president and ceo of shiloh group llc, a strategy development and private investment company specializes in telecommunications services and co-founded smart brief, the internet's largest electronic information service for vertical markets. chairman wheeler is a graduate of the ohio state university and is recipient of its alumni medal. commissioner ajit pai has been a commissioner of the fcc since may 14, 2012, between 2007 and 2011 commissioner pai held several positions in the office of general counsel serving most predominantly as deputy general counsel. prior to being sworn in as commissioner, pai worked in the office of jenner and block where he was a partner in a communications practice. commissioner pai has served in all three branches of the

government, clerking for the u.s. district and the eastern district of louisiana serving in a number of roles in the department of justice as well as working as chief counsel on the senate judiciary committee. commissioner pai received a baxt from harvard university with honors and a j.d. from university of chicago where he was editor of the university of chicago law review. thanks for being here. chairman edith ramirez -- was designated to serve as ftc chairwoman effective march 4, 2013, prior to joining the commission, ramirez was a litigation partner in the los angeles firm of quinn emanuel iraheart and sullivan. before then, ramirez was an associate of gibson dunn and crutcher in los angeles. she clerked for the honorable alfred t. goodman in the united states court of appeals and for the ninth circuit. ramirez graduated from harvard

law school cum laude where she served as editor of the law review. she probably will get along well to the guy to my left here, my far left here. just kidding. joking. harvard jokes. commissioner -- >> i get it. >> commissioner marine olhawsen has served as a commissioner for the federal trade commission sings april 4, 2012, prior to joinings the commission she was partner at wilkinson barker where she focused on ftc issues including cyber security and data protection. she previously served on the commission for 11 years most recently as the director of policy planning from 2004 to 2008 where she led the ftc's internet task force from 1998 to 2001 she was attorney adviser for former ftc commissioner

advising him on competition and consumer protection matters before coming to the ftc, commissioner ole housing spent five years on the u.s. court of appeals for the d.c. circuit, serving as a law clerk for judge david b. seine tal as a staff attorney. commissioner olehousing graduated with distinction from george mason university of law and graduated with honors from the university of virginia. thank you all for being here. with we appreciate it. i know it's an effort to get you all here. chairman wheeler, if you'll start the testimony and if all of you will summarize your testimony to about five minutes, we'll include the longer version for the for the record. chairman wheeler. >> thank you very much, mr. chairman. it's a privilege to be here and to be with our colleagues from the federal trade commission. you know, the ftc in 2012 set forth some key privacy concepts in their report, and the money sentence, if you will, in that

report this. broadband networks are, quote, in a position to develop highly detailed and comprehensive profiles of their customers. and to do so in a manner that may be completely invisible. but this is not the first time that society has had to deal with this kind of a technological challenge to privacy. making a phone call also generates similar information about the consumer. long ago, however, society dealt with the problem through an fcc rule prohibiting nonnetwork exploitation of information created by the consumer's use of the phone network. this policy has been in effect for decades. the issues aren't new nor is the fcc's expertise. here's an example of how that

works. when the consumer picks up the phone and calls, for instance, air france, the phone company is prohibited by fcc rule from selling this information to tour services or hoteliers in france unless the consumer expressly grant s permits. it should be the same thing with the privacy of online information. going to the airline's website should be no different than going to their switchboard. now, of course, the airline may decide to do something with the consumer's information themselves. but there's long been a big difference between the information created by the consumer's transaction with a third party which is a matter of choice and the information the consumer has no choice but to provide in order for the network to connect them with that third party. thus, the proposal on which we

are currently seeking comment welcomes the innovation created by digital networks or retaining the values an the rights that have traditionally applied to network operations. and those values are simple. the information that consumer generates in order for the network to function is the property of the consumer. just because the consumer hires the network to deliver them to a service does not mean that the network can unilaterally take ownership of that information that the consumer provides. and what a trove of information it is. here's what one isp says they collect. quote, a combination of information from wireless and wi-fi locations, tv viewing, calling and text records, website browsing and mobile application usage, and and if that isn't enough, other information we have about you and other customers. now, there are two things that

jump out from that extensive list. one, nothing on that list is the network's information. it's the consumer's information that's been provided to network so the network can operate. and second, there is no choice. this is a, this is what we do, take it or leave it situation for the consumer. >> and the ftc's privacy report specifically called out this issue of take it or leave it for broadband internet access saying, quote, consumers' privacy interests ought not to be put at risk by such one-sided transactions. now, we respect the network's desire for new revenue from selling digital information created by the operation of the network. but they should not be able to redefine the responsibilities of a network simply because the network switched from analog to

digital. our proposal provides that networks can use the consumer's information, but they must first get permission from the party whose information it is, the consumer. they can't sell something that isn't theirs, nor should consumers be forced to waive their privacy to get service. the networks need to seek permission of the party whose information it is. and further adhering to well-established principles, our proposal only applies to network providers. in the air france phone call example, what the airline may do with the consumer's information is a transaction separate from the consumer's transaction with the phone company to deliver the call. we do not regulate those with whom the network terminates in the vernacular of today, the edge providers, and this by the way