
Key Capitol Hill Hearings, C-SPAN, May 17, 2016, 3:46am-5:46am EDT

3:46 am
extent is the issue actually, when Senator Blumenthal was speaking, that the operational and transparency concerns can go hand in glove, so that the operation of this is more consistent with the Constitution? >> I think it's both of those, for the American public to have confidence this program is abiding by the Constitution. Knowing how many Americans are being collected on, it also would eliminate the question of clearing that information. The report has also been helpful for Europeans as well. I was involved recently in the Privacy Shield negotiations.
3:47 am
As the report pointed out, it is a targeted program. There are a lot of people out there with valuable information, and I think that was helpful to ultimately resolve the negotiations with the European Union, to understand that it does have a legal structure, it does have oversight, and there is a targeting process. Senator Franken: My time is up. I am way over. >> I more or less agree with everything that they said. I have one question, and then Senator Feinstein has some questions that she would like to ask. When I am done with my one question, I will go, and Senator Feinstein or Senator Franken will finish the meeting. I want to thank all of you for participating. I'm sure you will continue to be
3:48 am
resources for us as we get around to working on reauthorization. I hope you will not do like a lot of people and wait for us to call you. If you have something we need to know, I hope you will talk to me or other members of the committee. Thank you all for participating in this hearing. I always believe that transparency in the government leads to increased accountability. I noticed that one of the Privacy and Civil Liberties Oversight Board recommendations was to provide additional transparency surrounding the frequency of incidental collection of U.S. persons' communications. I also understand that in February 2016, the board described this recommendation as being implemented. The question is, can you walk through the specifics of what the board recommended and provide us with more detail
3:49 am
regarding the status of the implementation by the executive branch? >> Thank you. This was one of the important recommendations that the PCLOB made in terms of amending the way the program was operated. I agree with what some of my fellow witnesses just said about the importance of transparency in the program. It is hard to judge without knowing the extent to which communications are collected. The board has had an ongoing dialogue with the administration about how to get more information in the public about this. It is difficult if not impossible to come up with an exact number, because when a foreign target is communicating with other people, the government does not necessarily know the nationality of the people with whom they are communicating, and to investigate that would be potentially more privacy intrusive than not investigating. We did think that there were
3:50 am
some aspects of the program that could be measured, so we recommended five. The number of telephone communications in which one caller is located in the U.S.; the number of internet communications collected upstream; the number of internet collections in which the NSA positively identifies a U.S. person as being a party to the communications; and the number of instances in which the NSA disseminates a report with U.S. person information in it. The last two measures are the ones the government has published some information on. Saturday last, they issued their transparency report, which they were required to do, where previously some of that information was provided only to Congress and now is public. We are in an ongoing dialogue with the administration about how it can release information in response to our other three
3:51 am
recommendations. They are trying very hard to do that. We were just in contact with the NSA last week. We are going to continue to press on that, and we expect them to make more progress. >> Thank you very much, Mr. Chairman. Because of some of the discussions, I wanted to bring to everybody's attention two documents. The first is a joint unclassified statement of Bob Litt, the general counsel for the Office of the Director of National Intelligence; Stuart Evans, the deputy assistant attorney general; and Mike Steinbach, the assistant director for the counterterrorism division of the FBI. They discussed targeting procedures. I would just like to read a short part. To ensure compliance with these
3:52 am
provisions, they set up a number of steps in the preceding paragraph. Section 702 requires targeting procedures, minimization procedures, and acquisition guidelines. These are designed to ensure that the government targets non-U.S. persons outside the United States, and also that it does not intentionally acquire domestic communications. Moreover, the targeting procedures ensure that collection is not indiscriminate. Instead, it is targeted at non-U.S. persons outside the United States who are assessed to possess, are expected to receive, or are likely to communicate foreign intelligence information. Because Congress understood when it enacted the FAA that a targeted non-U.S. person may communicate
3:53 am
with or discuss information concerning a U.S. person, Congress required that all collection be governed by minimization procedures that would restrict how the intelligence community treats any such person's information. To the best of my knowledge, the FISA court has reviewed these minimization procedures annually and approved them along with the recertification of the program. This is page three of that. It's interesting for everybody to read. The second thing that I wanted to cite was the Director of National Intelligence's April 30 letter with an addendum that is a response to the PCLOB recommendations. I want to read that because there are some interesting figures, and it is the first time I have seen these figures. This is from page six of that. The NSA's minimization procedures expressly prohibit
3:54 am
dissemination of information about U.S. persons in any NSA report unless that information is necessary to understand foreign intelligence information or assess its importance, contains evidence of a crime, or indicates a threat of death or serious bodily injury. Even if one of these conditions applies, NSA will often mask the information, including no more than the minimum amount of U.S. person information necessary to understand the foreign intelligence or to describe the crime or threat. In certain instances, the NSA makes a determination prior to releasing the original report that the U.S. person's identity is appropriate to disseminate in the first instance, using the
3:55 am
same standards mentioned above. Here are the numbers. NSA disseminated 4,290 FAA Section 702 intelligence reports that included U.S. person information. Of those 4,290 reports, the U.S. person information was masked in 3,180 reports and unmasked in 1,122 reports. I know that this went to the PCLOB, and it seems to me this is very responsive to the concern.
3:56 am
Would anyone like to comment on her comments? I would appreciate a response. >> The board hasn't addressed it as a board, but it is exactly the kind of information the board was seeking in terms of greater transparency on how many U.S. person identities were disseminated. A lot of times that information is masked and ultimately unmasked down the road. You said the focus of the program is on non-Americans. There was a misconception after the leaks about what this program was about, and some people even thought you only had to be 51% sure it was not an American to conduct surveillance, which would have meant a lot of American surveillance was intentionally captured. The board concluded it is about
3:57 am
a 99% chance that the target is a non-American, because it's a rigorous process to determine who is or isn't an American. The other thing we looked at was whether the target was suspected of having foreign intelligence value. We did feel there was a need for improvement, because the government had not documented sufficiently why they were looking at this information, and we thought it was important to put that down on paper. That's the recommendation they accepted and implemented, to make sure there was a greater rationale. >> I would like you to know that I was on this committee when the wall was discussed, in whatever year it was. There was tremendous concern that the wall was really preventing the kind of communications necessary. I made the amendment on the definition at the time that resulted in the reduction of the wall. To this day I think it's a very important change that was made
3:58 am
that enables information to be communicated. We often had concern, because, I guess I can see it, you get a sense that there is plotting and conspiracy going on. And the FBI is investigating ongoing cases; we've even had unclassified numbers, 1,000 investigations going on today in this country. So we shouldn't let down our guard, because to do so is to invite disaster. I actually believe, from the time we began looking at this, with their help and the information you have provided and the response to it, that there is renewed transparency going on and there is discussion that is helpful.
3:59 am
I think the 702 program is really important, and it would be most unfortunate, and it would expose this country, if that program were made ineffective. Our job is to do what we can, and I think the FAA has done that, to provide the masking and the unmasking, and now everybody has numbers with respect to that for the year 2015. I wanted to make those comments. If anybody has a comment... >> I want to respond to one thing you said. The proposal is not a call to rebuild the
4:00 am
wall. The search is in unminimized form. The NSA and FBI get raw data. That is what I am referring to as backdoor searches. Trying to address U.S. person queries is not calling to rebuild the wall. Any agency that comes across threat information should share that information. They should work together to address the threat. What the Fourth Amendment is concerned with is mining information for use in criminal cases against Americans. Senator Feinstein: I think all of the data is collected lawfully. I do not believe it is collected unlawfully. If you have a case where the
4:01 am
data is collected unlawfully, I would sure like to see it. >> Unfortunately, it is not that simple. Collection and how the data is used are both parts of the same scheme. What makes the collection at the front end lawful, what makes it lawful to collect without a warrant, is in part restrictions on how the data can be used on the back end. Senator Feinstein: Let's have somebody respond. >> May I respond? I think you are on to something important when you say that there are limitations. There are important rules. For NSA, for example, the PCLOB went to extensive trouble to say how they may conduct what Ms. Goitein refers to as a backdoor search. The board recommended improvements, which the agencies
4:02 am
are implementing, and there is extensive oversight after the fact. As to the FBI, the FBI does not track U.S. person queries separately from non-U.S. person queries. The person conducting them is documented. Where the protections come in is in any use of the information. So in the extremely unlikely event that 702 information was responsive in a regular criminal investigation, the information could not be viewed by the analyst who conducts the query unless they are trained on handling FISA information, and it would have to be approved to use that information, which would include something like a wiretap, if I understand it correctly. And if 702 is used to get them in a criminal proceeding, they have to be advised. We know that happens, because there was a case
4:03 am
in Colorado where a defendant filed a motion to suppress information collected under 702 after the government notified him it had been collected. I would say the policy change was late in coming, but it is now happening. So it is important to keep that in mind. Mr. Olsen: If I could make a broader point, which is, the targeting procedures you identified in the first document, the transparency figures in the report, I think really highlight, along with Ms. Brand's comments and most of the discussion today, the success that the FISA Amendments Act and 702 represent. This is a law which reflected a careful balance, and there has been an effort to tweak that in careful ways. The PCLOB report was unprecedented in terms of its openness, and that report led to the changes. We have a very carefully calibrated law that has been a
4:04 am
major success from an intelligence standpoint. And on backdoor searches, it is a misnomer to call searches of lawfully collected information a backdoor. Judges have upheld it when having a chance to review; that is how it was meant to be used, under the careful limitations of the minimization procedures. I think this is a very good news story at the end of the day. Senator Feinstein: We have looked at this, and there are a number of opinions from some of your colleagues on the subject that have been studied, and I think it is lawful and well-balanced and, you know, I hate to say it, but very necessary. It is only intelligence, lawfully collected, that has enabled us to prevent another attack in
4:05 am
this country, and I hope there will be more declassified examples before the year turns and we are in 2017 and faced with the reauthorization. So thank you. Senator Franken, would you take over and ask your questions and adjourn the meeting, please. Senator Franken: I would be delighted. Thank you to the senator from California, whose work on intelligence is so important, and for her thoughtful questions. I am going to adjourn in a second. What is interesting, I thought about this line of questioning. This is sort of the core of it: that we have had some very important information from 702 that has thwarted
4:06 am
terrorist attacks, and so this is absolutely crucial. And by and large, with exceptions, the intelligence community has acted in good faith. The question here really is going back to the framers, and back to their fear about what happens when a government is not acting in good faith, as I think our intelligence community, by and large, has. The use of information that we get from 702 can be misused. It was mentioned, parallel
4:07 am
construction, which is, and again, this is, the framers wrote the Constitution because they did not like the British at the time. I think everyone knows that, right? I don't have to go through that history? So, they were worried about some people running the executive branch of the government that were not as trustworthy as others, and so that is the reason we look at how 702 information, which is collected about people who are not targets and who are Americans, how that information, what the
4:08 am
rules are, so that it is not misused. That is my understanding of this. I saw you reach for the button. >> I have to tame this finger a little bit, because I keep reaching for the button. I do think situations that have rules and policies, all of those things, there are cases where that is absolutely vital. When we are talking about a warrant and the basic requirements of getting a warrant to access Americans' communications, you cannot substitute procedures. In the Riley case, which required a warrant to search phones, government protocols were not accepted as a substitute for a warrant. >> Can we end on that? I am a little late.
4:09 am
I volunteered to do this and I am going to now. We are going to keep the record open for another seven days. Is that right? And we are now adjourned. [laughter] [background conversation]
4:10 am
4:11 am
Announcer: Coming up, security experts on efforts to protect health care data, and legislation on campaign fundraising by members of Congress. C-SPAN's Washington Journal, live every day with news
4:12 am
and policy issues that impact you. A congressman from Colorado joins us to discuss the latest move by the Obama administration to stop bathroom laws like the one signed in North Carolina, as well as efforts to elect more LGBT people to Congress. And we will discuss the elements of Mr. Trump's tax plan as well as those of other candidates. Be sure to watch Washington Journal, coming up at 7:00 this morning. Join the discussion. The U.S. House takes up programs and policy bills starting today. The $610 billion authorization bill passed out of committee. Legislative business begins at 12:00
4:13 am
p.m. Eastern. The nuclear deal and the White House messaging strategy on the agreement are the focus of a House Oversight Committee hearing today. Live coverage begins at 10:00 a.m. Eastern on C-SPAN3. >> C-SPAN.org is a video-rich complement to your C-SPAN viewing. Most of our government-related programs, like the House, Senate, and congressional hearings, stream live on the site. You can watch on your desktop, laptop, phone, or tablet. If you miss an episode of Book TV, Washington Journal, or any program, you can find it online and watch it at your convenience. The video library contains more than 3,000 hours of programs, and
4:14 am
its powerful search engine helps you find and watch programs going back many years. C-SPAN publishes its on-air schedule online. C-SPAN.org is a public service of your cable or satellite provider. If you are a C-SPAN watcher, check it out. It is on the web at C-SPAN.org. >> With the current Supreme Court ruling today, moving forward on the health care contraceptive mandate, we are joined by Washington Post Supreme Court correspondent Robert Barnes. What did they say? Robert: The court said it appears there is a compromise that is possible, in which these groups would not be offended by what the administration was trying to do in providing contraceptive care to the female
4:15 am
employees, and that there was sort of a workaround that was in play. But the court said that all of that should be accomplished in the lower courts, not at the Supreme Court. So it sent all of these cases back with hopes that a compromise could be reached. >> Remind our viewers and listeners what the underlying issue was that the plaintiffs took to the court. Robert: The issue was that the Affordable Care Act, commonly called Obamacare, required that employees be provided with contraceptive coverage. Churches and places of worship are exempted from that, but religious groups such as universities or charities or hospitals are not exempted. The administration made an accommodation for them and said
4:16 am
if they objected to providing the coverage and told the government that, then the government would make other arrangements to have the insurance company pay for it without any kind of involvement by the groups. But the groups said that was not enough, that even notifying their insurance companies or the federal government of such an objection sort of set in motion the fact that these women would still get the contraceptive coverage the groups disagreed with. So it was a bit of a standoff. All but one appeals court around the country ruled for the Obama administration and said the accommodation was enough. The Supreme Court today, though, threw out all of those decisions and basically said to start over. >> If they had decided to leave the current decisions alone, those decisions would have stood, and you would have different rulings in different parts of the country, correct? Robert: That is right.
4:17 am
There is only one appeals court so far that had ruled the accommodation was not enough, but it would still have meant the law was interpreted differently in different parts of the country. >> A tweet about this says, a shorthanded Supreme Court sends Obamacare contraceptive case to lower courts in hopes of compromise. What does this say about the current status of missing one justice? Robert: You can sense there was clearly not a majority on either side in this case, and the court was looking for a way out of it. The opinion was only three pages, and it was unanimous, and the court went out of its way to say it was not deciding anything on the merits of the case; it was just sending it back. Had it split four-four, as you say, all of the rulings would have stood and the rule would have been interpreted differently across the country.
4:18 am
So the court is doing some very unusual things to try to avoid those 4-4 ties. In this case, it floated its own idea of a compromise in March, then asked both sides to respond to it, and that is what today's ruling is based upon. >> In the headline on washingtonpost.com, it says it sent it back to lower courts. Any idea of the road forward, in terms of what the plaintiffs can do and what the courts may do in the coming months or year? Robert: It is unclear, I have to tell you, and I think it is unclear to the groups, too. The court seems to think there will be some kind of negotiation between the parties, the administration and these groups that have been objecting to this. At the same time, the court made it clear it expected the law to be fulfilled so that women got this coverage, and in effect said that with the
4:19 am
parties in this case, which range from, you know, the Diocese of Pittsburgh to small colleges across the country to a group of nuns called the Little Sisters of the Poor, it says the government can go ahead and take this as notification that these groups object to providing this coverage, and the government can go ahead and try to find a way to provide it on their own. >> Robert Barnes covers the Supreme Court and writes about it for The Washington Post. You can read more about it at washingtonpost.com and read more about it on Twitter at @scotusreporter. >> Next, a conversation about health care, talking to health care data security experts about protecting information from cyberattacks, including the recent ransoming of files and computer systems at hospitals and medical facilities. This is one hour and 15 minutes.
4:20 am
♪ >> Ladies and gentlemen, please welcome Politico's executive editor for health care, Joanne Kenen. [applause] Ms. Kenen: Good afternoon, everyone. I am one of the executive editors for health care, and I would like to thank you all for joining us, and those of you on the live stream, too. Outside In is our event series focusing on health care and technology, and being Politico, we look at health care through politics and policy. Outside In was conceived as a way to bring outsiders together with Washington insiders.
4:21 am
This is the first event this year. We've taken the idea one step further this year and created a forum of health care tech industry insiders; you have a list of their names on your seat. We've been doing surveys and interviews and events, and this group is helping us better understand the new opportunities and challenges that technology innovation is bringing to the health care policy world. Today we'll have two panels, and some of the advisers will help us dig into medical privacy in the age of cyberattacks. We are going to ask questions like: is greater health care information exchange going to lead to more dangerous and more frequent hacks? Can health care providers afford security? What kind of congressional or regulatory action, if any, is needed to keep medical records safe? We'll have the conversation in two parts. First, Politico's eHealth editor Arthur Allen and I will talk to
4:22 am
the policymakers and policy experts about medical cybersecurity. In the second panel, Dan Diamond, a new colleague who is writing Pulse for us now and has just begun the Pulse Check podcast, which all of you have to subscribe to as soon as this is over, and who also helped us create and moderate this advisory forum, will continue the conversation with experts who were on the forum. You'll find stories from today, written based on what these outside people are telling us, and the theme of that story shows how health care cybersecurity is getting worse and how the government's role is a mixed blessing. And we have a bar, as those of you who are here noticed, so stick around, because the conversation could continue afterwards. Those of you on the live stream, you can just start right now. [laughter] Ms. Kenen: Before I introduce the panel to the stage, I want to take this time to say thank you
4:23 am
to our partner Philips for their support of this event and the entire Outside In event series, this year and all three years. Here to say a few words is Artie Arthur, vice president of the health care government solutions group for Philips. Ms. Arthur: Thank you. Thanks, everyone, for coming to this event. We're really excited to be here. Thank you to Politico for sponsoring the first installment of Outside In. This is Philips' third year here. Just to give you a little bit of an understanding of what we did last year and how it is really going to integrate into how health care and technology meet each other for this series: last year, we focused on areas such as digital medicine, aging in a technology world, and also population health. Why does that matter today? Well, you know what? Health care transformation is continuing on, right? And what we need to do is ensure that that data is meaningful and actionable. But the worst part about it, and the reason why we're here today, is because we don't always know if it is safe, right? You don't know what you're going to get. And you guys have that sheet of paper; I just read it real briefly, on how expensive health data is.
4:24 am
So we're here today to talk about how important it is to ensure that our health data is secure. Hackers don't care. They don't discriminate at all amongst health data. If you think about what is happening today, you have seen a lot of articles on the health care ecosystem. Large health care systems, as well as insurance companies, have had their data attacked, whether it is by a hacker or any type of outside threat. And that is important. And it is scary. I think the really cool thing about working for Philips, and why I'm so proud to be here tonight, is that we take this very seriously. In fact, my group in the health care space for the federal market, we've done a lot of work with DoD. In fact, most of our products today have been certified by the Department of Defense for cybersecurity, and we're really proud of that. We have more cybersecurity
4:25 am
certifications than any other entity today. Additionally, we get to be an adviser on the task force for HHS. And so this is really empowering what we do in health care today. I can't tell you how excited and thankful I am for the panel that we have tonight and for Politico to partner with us in this forward-thinking, thought-provoking series of 2016. And with that, I think I'd like to introduce your panel. Ms. Kenen: OK. Thank you. And thank you, Philips, for your partnership. For those of you in the room and on the live stream, for our conversation on Twitter we use the hashtag #OutsideIn. That is one word. I have a tablet on stage and will take questions from those of you who tweet them in. A reminder: our events are live streamed and all on the record, and they are recorded so people can watch them later on through our website. Without any further delay, I would like to welcome our panelists and my co-moderator to
4:26 am
the stage. First, we have Representative Will Hurd from Texas. He is the chairman of the IT Subcommittee of the Oversight and Government Reform Committee and a former CIA undercover officer, and then in the private sector he was a cybersecurity expert. He came to Congress in 2015 and has swiftly emerged as an important voice on this topic of privacy and security, looking at where the government is not doing a good enough job. Leslie Krigstein is from congressional affairs at CHIME, the College of Healthcare Information Management Executives. She brings the concerns of health care CIOs to the Hill and to the agencies. Deven McGraw is the deputy director for health information privacy at the HHS Office for Civil Rights and the point person for concerns about privacy; she helps enforce HIPAA, so you all have to behave. Clinton Mikel is from the eHealth interest group at the American Bar Association Health Law Section.
4:27 am
And he is one of the top national experts in legal issues that barely existed a couple of years ago. We hope he can help us understand what is still needed in the legislative and regulatory framework to protect health care privacy, because every day we are reminded that it is a problem. And of course, Arthur Allen, my friend and colleague and eHealth editor. They call him Big Data, and I'm Little Data. [laughter] Ms. Kenen: Thank you. Arthur, you are going to start it. Mr. Allen: So, welcome, everyone. So I represent, I'm the CEO of a small hospital chain, and I've been busy taking care of meaningful use and dealing with MACRA and a million other things, and somebody just came to me and said there is some issue called cybersecurity, like a problem with people attacking the health care system. And I'm going to just ask our
4:28 am
distinguished guests here to explain some of these things. Congressman Hurd, who is attacking the health care system, and what are they after? Mr. Hurd: The majority of it is going to be organized crime. A lot of it is Russian organized crime. They are the ones that are trying to leverage the data they are collecting for monetary gain. A health care record gets more on the digital black market than a financial record, and some estimate that a medical record is in the couple of hundreds of dollars per record. So it's lucrative financially. To give some context, in 2012 alone, the FBI had data that there was $414 million worth of thefts in the United States, and the estimates in the cyber realm, it was over $100 billion, right, in impact to our economy. So it is a big issue.
4:29 am
Mr. Allen: It is a good field to be in, obviously. Leslie, tell me about the experience that hospitals and CIOs are having dealing with this problem. Are hospital systems spending a lot more money, and what are they doing to adjust to this new reality? Ms. Krigstein: And you're right, it is the reality. There are only so many fingers to plug the holes, and the reality is we can find every possible vulnerability and try to block it, and they only have to find one. And so when you are looking at IT as a fraction of the budget, something like 3.5% to 4%, security is a subset of that. So it is something that you are not necessarily getting reimbursed for, but it is absolutely necessary for the public good. But it is tough. Resources are hard to come by, whether it be financial or even personnel.
4:30 am
And you're only as strong as your weakest link, and in this day and age, we're sharing data with more and more partners, we're sharing data directly with patients, and you're just opening up the door. And so it is incumbent to train your workforce and work with your boards. But it is definitely a tough fight, and the odds are stacked against us. Mr. Allen: So you are the cop on this beat, in a way. How do you figure out how much blame to assign, or how does the legal structure share the blame, decide who is going to be punished, and how much you punish people who are really, in a way, the victims of the crime? Because hospitals and health care systems, to be sure, they are
4:31 am
the custodians of the record but also the ones who are directly being attacked. So how do you, at the same time, punish and also try to improve the system to make it more secure? Ms. McGraw: Well, so we have a set of expectations with respect to security in health care, and they are absolutely critical. It is a cost of doing business. If you are going to be out there collecting health data, it is valuable; not only is it valuable to criminals, it should be valuable to you. It is one of the most critical business assets. So protecting the data from the threats out there is really sort of, it should be expected, and frankly, from a public policy perspective, it is important for patients to be able to trust their data is safeguarded. Not necessarily perfectly safeguarded, but safeguarded. We do not expect perfection. If you take a look at the cases that we have pursued, those entities, in our view, based on our investigations, had significant deficiencies in their security policies and processes. They were not doing enterprise-wide risk assessments,
4:32 am
or maybe they did one like, 10 years ago and they have not been updated. the adoption of basic security safeguards is, is slow. so i'm not suggesting that we have a right to demand perfection in terms of accountability, but we do expect entities to devote resources to security. we do expect them to be aware of security resources. and you as the ceo of that hospital, if they are coming to you and you don't know what cyber security is, that is a big problem. mr. allen: clinton, what do you think? are they exercising their role appropriately or being too harsh or too lenient and do you think that the regulatory and legal framework needs to change in order to deal with this problem that's rather quickly kind of arisen in health care? mr. mikel: no, i think ocr is
4:33 am
doing a really good job. >> you are not in a good seat, are you? mr. mikel: no, i'm not. [laughter] mr. mikel: so as a client, i think ocr is doing a great job. and one of the stated purposes they have is to essentially teach. and they have a really strained budget for their teaching. but you will see them issuing technical assistance as opposed to being punitive. we have a lot of agencies in the government that are punitive in the health care sector. ocr is not one of them, thankfully. and they've done a good job, i think, with splashing out their enforcement actions and pursuing
4:34 am
big dollars so people in the industry see it as a deterrent effect and they have hit business associates, hospitals, laboratories and physician practices. so i think they've done a great job. as far as the regulatory framework, i've really only seen one truly bipartisan proposal so far. and i think it is workable. so we take the servers and we put them in the bathroom closet and build a wall around them and we make the hackers pay for it. [laughter] mr. mikel: so. mr. allen: very good. >> we're looking for solutions, so i'm glad. but to pile on there, if you are the ceo of a hospital and you're looking to ocr for guidance, you are already behind the curve, right. >> absolutely.
4:35 am
>> you need to be, and no offense to ocr. you need to be following the best practices in good digital system hygiene. and if you are not doing that, the regulatory environment is not going to save you. and the fact that the ceo should know about these things, because this is an integral part of your business and you need to make sure you have a cio that knows what they are doing in order to protect that infrastructure. because that is your responsibility to protect the information of the people that you have in your systems, right. ms. kenan: how, when there is ransomware and a headline that makes news, five or six years ago when there was a breach, it was a breach that the public heard about and it was somebody spying on a movie star in hollywood. and i'm not sharon and i'm not having plastic surgery so i don't have to worry. but i think that is how a lot of us came across it. it was nosiness and internal, lack of internal controls. and now we have organized crime and cybercrime because the health data is on so many sources. but the things in the paper, with the bitcoins and the hacks, is it occasional or happening all of the time and we don't know with it, about it? >> to pipe up in it talking to cios, a small hospital in a rural area was the victim of 3500 attempted attacks on sunday, on mother's day.
4:36 am
they faced 90% of them internal from the u.s. 10% were external from countries from china to costa rica. ms. kenan: do we know they are internal? >> from the u.s., i should say. ms. kenan: were they able, they are able to track where the threats are coming from.
4:37 am
>> but that is a 300-bed hospital in rural america and if they are facing it, think about an academic medical center with ip and as we are starting to exchange and the number of opportunities for intrusion. so you may have, or to give you another example, there is a large health system on the east coast, $10 billion health system. they faced, they turned away a million ransomware e-mails in the month of march. so the attempts are regular. they are happening to providers large and small across the country and it is a matter of making sure that you've trained your staff properly to say no to them. but there are also times where, as long as you've got your incident response plan in place, you should have those systems backed up. and so if they hit one computer, hopefully, that computer is useless and you have your systems backed up. there is no need to even consider the ransom. so it is a matter of having best practices. ms. kenan: and how common is it they have the best practices in place? >> it is a work in progress. it is very definitely a learning curve. ms. kenan: she is shaking her head. >> sorry. they are trying, is the reality. our industry is rapidly becoming more digital. and we are trying to keep pace with the progression that everyone is making, while meeting patient expectations. but the reality is, the threats
4:38 am
are real. they are regular. and it is a matter of being up to snuff and working with ocr and looking at the cyber security framework and sharing threat indicators across the industry. which in modern, today, it is not as regular as it could be as in other industries. and so i think we've seen some very significant progress, particularly in what the hill did last year in setting up the cyber task force. and setting up the framework to share threat intelligence. because that is the only way that the small critical access hospital in rural america is going to be able to leverage their lessons learned from their colleagues. ms. kenan: what are you hearing as a lawmaker that has access to information? mr. hurd: well, there are more attacks than what we're aware of and more people are paying the ransom than what is out there for public consumption. ms. kenan: widespread more or a little more? mr. hurd: more than, it is more than a little bitty. ms. kenan: and a lot of bitty. mr. hurd: somewhere in between. all right. and so folks need to recognize that and understand that the threat is real, that everybody is potentially a target. and if you don't have, and as an attacker, you are looking for the person in the lowest hanging fruit.
4:39 am
the person that hasn't had their information backed up, that is using out-of-date software for their infrastructure. and that is who you are going after. and you think you are the right one, you are the person that will probably get targeted. mr. mikel: i'm comfortable giving it a widespread. and it is widespread and underreported and a lot of folks are paying the ransom. mr. allen: and are these ransom attacks, from the looks of it, some of them are random. in other words, somebody is sending out bugs and they happen to land in a hospital. are any of them, are people, have the ransomware-ists figured out how to target a hospital? because they must realize the hospital is kind of, got to pay if they want to. mr. mikel: well, if you look at the studies and the reports out there, 2016 is really predicted to be the tipping point for ransomware becoming mainstream in the health care industry. because folks are seeing that,
4:40 am
yes, the hospitals will pay good money, more so than your individual, or a law firm that gets hit with it. and a lot of it is random. but i think it will become more targeted. and it is not just our organized crime. there was a hospital in flint, michigan, that was hit somewhat related to the water crisis. and it was a hacked type scenario. mr. allen: i see. ms. mcgraw: the way this appears to be playing out is very much a crime of opportunity. and so the health care industry, there are clearly vulnerabilities that the hackers have perceived and they are going for it. and i think that leslie put her finger right on it when she said, the lack of contingency planning and data back-up, has always been part of the hipaa security rule but to the extent people didn't realize how important that was, they sure should know that now. mr. allen: are you saying that if people are reading a few rules and they are reading your guidelines and looked at hipaa
4:41 am
security guidelines, that some person in the middle of nebraska with 300 beds is as ready to deal with this threat as partners? mr. mikel: a loaded question. >> the lawyer is advising you. mr. allen: can you really defend yourself if you are a small player and you don't have a lot of resources? ms. mcgraw: well look, we've also put out there that entities need to do contingency planning and disaster planning. in fact, if you are in the middle of rural america, your systems could be hit by a tornado and disabled. so already we have an expectation out there, and always have, that there is contingency planning. hipaa is scalable and doesn't have the expectations for larger facilities that are larger and larger resourced. but this is a threat now that
4:42 am
everyone should be aware of. and if you don't have the contingency planning in place, you're a target if you are not already being targeted and having that in place will arm you so much better to be able to resist something like this. you are either going to pay for security, or you might be paying for ransom. but you don't get out of this without putting resources at this problem. ms. kenan: and is this security something, a lot of the small rural hospitals, they've had a lot of demands on them. ms. mcgraw: yes. ms. kenan: and it is not, not blamed on obama care. there are real issues, many complicated issues facing rural hospitals and health i.t. is one. i don't want to use the word burden, financially it is a burden, it is hard. is the security so expensive that they are going to go under, they are going to have to consolidate and lose their independence? is it sort of a straw that broke the camel possible -- camel's back for the smaller hospitals or, or the category that has a
4:43 am
lot of trouble. can do you this and fix this if you are not a giant? mr. mikel: no, i don't think it is limited to the small rural hospitals or the small hospitals. hospitals are financially taxed. and i.t. security is hard. and it is ever-evolving. like leslie said, they only have to find one hole and we have, we have a world to deal with. so i think absolutely hospitals are under a great financial strain these days. and there is not really good money allocated towards securing this. so, so i think if you peer into the dark minds of a lot of hospital executives, they're rolling the dice with where they allocate their budget. and it is a matter of surviving as a hospital.
4:44 am
mr. allen: leslie, what is your take on that? ms. krigstein: you're right. it is something that your budget is finite and you will get incentive payments or take penalties from the federal government for any number of reasons. that is your market basket, how you will dictate getting paid. and security is not a line item on there. but the reality is, we don't have a choice. we're going to scrape together every penny. it might mean you don't get a new mri system, it might mean you don't hire as many nurses or doctors. the reality is, the fines that you will take or, it is not, you are not willing to risk your reputation or your business. because as arthur, you asked, are they targeting health systems? yes, they are. first it was just the data but now they recognized, if we disrupt their operations, we could put them out of business. they have to turn away patients. and then their name is all over the headlines.
4:45 am
and so there really is inevitability you have to address this, regardless of what your budget looks like. so it is working with the board and creating security teams. if you are a small practice, you are scraping together with your colleagues and hiring consultants to help. it is just the world we're living in today. ms. kenan: what are you hearing as a government official? you want to just scream? ms. arthur: if you have a -- mr. hurd: if you have a network that could be attacked, then you need to array your network properly. if you take the financial incentive away from the attackers, or where your data is not all in one place, that can be captured and held to pay the ransom, then you take the financial motivation away from the attacker, the attackers to go after it. there is a building this nice -- building, that is somewhere in moscow that has hundreds of hackers developing the next software and they are learning from the attacks that they've done and they look for targets of opportunities. they get a pretty good payoff. so they are going to learn more and how many other people fit
4:46 am
that mold and then they are going to be more targeted and instead of doing phishing, they will do spear phishing which is targeting an individual. and so if you have the network, make sure that you are doing the very basics to protect yourself. and, and sometimes it will cost more. but if you are relying on the government to defend yourself, you have a much larger problem. mr. allen: can't we expect the government to do more to defend us? we can't defend against, you know, nuclear attack by ourselves. sorry. terrible comparison. but is there, is there more that the pentagon could do to interfere with some of this stuff? mr. hurd: one of the things that the federal government could do is sharing techniques and procedures with entities or with the information sharing groups that could get that out to the rest of the community. and that is an area where, if you know what the attack over the horizon is or other industries are being focused, understanding what that is so you can array your limited resources against the most immediate threats. and so i think that can happen.
4:47 am
ms. kenan: we're all in the health care world and that is what we focus on but if we were a bunch of bankers would we be having this conversation or have they solved it? >> it is the same problem. ms. kenan: is health care worse or those of us in the room are paying more attention to it. ms. mcgraw: we talked about this before. there is a perceived vulnerability out there. and the hackers are going for it. and we know this now, if we didn't know it before. i suspect emily has been hearing about it for a long time. the vulnerability of the health care system is not necessarily news to us either. so there is work to do to shore up what is an important national asset, which is this data that really is critical to the health care system. we have a role to play with respect to hipaa. we are, we put out guidance for small providers to help them with the basic security expectations.
4:48 am
we're currently working on some additional guidance on ransomware to help entities to get ahead of this. it is going to focus on the contingency planning issue that leslie raised, but also some of the tips that have come out about how you might be able to detect it before it happens. but nevertheless, it is, it is absolutely not an issue that we can ignore. we don't deal with punishing criminal behavior. so we're doing what, what we can to try to help the entities who we regulate to try to meet this threat and creating a set of expectations with respect to how they meet the threat. but i do think there could be some more that we could be doing on a national level on the criminal aspect of all of this. easy for me to say because i don't do that work. but, this is criminal behavior with respect to the hacking piece. ms. kenan: and is that on the agenda adequately with law enforcement? mr. hurd: is it on the agenda adequately? so law enforcement is looking into everything it can to help the private sector, no matter
4:49 am
what the industry is, to defend themselves. does law enforcement, whether it is the department of homeland security or fbi or secret service have enough resources to help everybody across these industries? no. but that is why the important of -- importance of the isacs, where you have industries come together to share and the legislation we passed last year is going to help facilitate that, but we have to make sure the federal government is passing and sharing information. one thing that i hear a lot from health care providers is that there is a bunch of, of old and antiquated rules and regulations that is confusing and they don't know what they are supposed to do and what this means, and that kind of stuff.
4:50 am
so these are, these are some issues that need to be streamlined as well so that health care providers know exactly what they should be protecting. ms. krigstein: and i think there was an element as well, in this part, this is part of cisa, we heard from members in terms of looking at hhs and not just law enforcement, but just within hhs, there are so many different entities that have different responsibilities in this space. so the fda approved medical devices. are they secure? ocr covers hipaa. how does hipaa intervene with the nist framework, that requires interagency coordination. and you are looking at onc and they are certified electronic health records, are they certified with enough security from the beginning? and so as we're looking kind of even within hhs and something that we asked and we're really pleased that ended up being included, was a directive for hhs to line up who is running point on this issue. and how can we look to the agency and get a singular answer? and i would say more than that,
4:51 am
we've noticed this shift traditionally, we were looking at privacy and security and unfortunately as two separate things in health care and i think until we recognize that the privacy of the data absolutely is an element of security and patients have the right to know their data is secure, that is going to be a game-changer, i think. mr. allen: so, you think we need to appoint a, like a health cyber security czar who runs the whole thing, no? ms. krigstein: i think hhs was given a year to put forth this interagency plan and i think that when we see the results of that, i think it will really help in terms of knowing who to go to within the agency. but i think that was a great addition that i'm not sure if the rest of the world caught. but it was, it was in the range of things that were health care specific that passed with cisa. ms. kenan: we're all thinking about this in terms of our personal information and the threat to, many of us in this
4:52 am
room have had our information hacked, whether we know it or not. maybe everybody. but this is a big data question. but i'll, we're also at the brink of, we're talking about using data in lots of really interesting potentially really helpful ways, right. we're talking about patient generated data. all of the things that we've been talking about after two years, there are cool things happening. the patients, the way we participate in clinical trials and patient engagement and pushing data and arthur could talk about the cohort from precision medicine. there is so much going on that requires use of health care i.t., way more than just turning your paper chart on to a computer chart. mr. allen: so how are we going to let that data sort of, how will it flow? ms. kenan: when we can't protect it, yeah. mr. mikel: well, getting away from the data flow, which does not flow at all. and deven will have something to say about that. or not. ms. kenan: there is
4:53 am
interoperability issue. but there is also the, say we have the magic wand and we get everything interoperable tomorrow and there are lock issues and we have in the next few years we are supposed to be able to exchange and produce data in ways that we couldn't do before and it has an amazing amount of potential but is the privacy or the security thing, since you just said they are two different things, how much in the way is that going to be. mr. mikel: i think this illustrates why health care is actually a much scarier place to be in than the financial industry. which is much further ahead than hospitals, health systems, anyone in the health care industry. because when we're talking about ransomware, we're talking about data. we're talking about patient safety. what keeps a lot of us up at night, especially on the i.t. subcommittee, is not necessarily the known quantity of stealing patient data, but it is all of the other inputs that go into that.
4:54 am
it's the networked medical devices. it is the networked anesthesia machine. it is the temperature and the air saturation in the o.r. mr. allen: so the dick cheney scenario. mr. mikel: absolutely. he got widely mocked for that, but he was on to something. ms. kenan: has it happened already? mr. allen: i don't think it has. not that we've heard. mr. hurd: somebody's actual pacemaker hasn't been hacked but there have been many demonstrations of how to hack a pacemaker. some people talked about the attack on our, on the utility grid as philosophical, but that happened recently, the russians attacking the grid in the ukraine. and it is possible. outside of the theoretical. but those fears shouldn't prevent us from moving toward interoperability. i own that data. and that is my data.
4:55 am
and i want to pull it up on a dashboard and figure out what happened in the last couple of doctor visits and i want to make sure my future doctor has access to this stuff. and let's say, we can anonymous -- make that anonymous, that data and protect privacy to make sure that we have true interoperability to detect zika faster and make sure that medicine is being developed on a quicker basis. and when we do, we increase the surface area of attack. ms. mcgraw: and that is one of the reasons why the hipaa rules are not just about security. it is also about availability and data integrity. right? because always those regulations have presumed that the data has no value until it is used. appropriately. and as often as necessary and that is why the rules are built the way they are. so it is never, it is never going to be, well, we can have
4:56 am
this or have that. it is, we have to figure out how to have both. mr. allen: you are a provider, don't you think the instinct is going to be to shut down and not send your information through a health information exchange because you are not sure that they, that all of the players there have good security? ms. krigstein: so something, if you are talking to a cio or chief security officer, there is no set rules of the road. in terms of security. so the framework is a great starting point and we've heard there is a health care-specific guidance coming which we're excited about, but in reality it is optional. we are not saying we want more mandates, but the reality is if there is an industry-led effort or someplace to look for standards, it is really valuable to know that if you are engaging with another provider or with the health care information exchange, that they've got a set level of security that then you can deem, ok, they follow this or they've done that. so i know that i can share with them and i should be ok.
4:57 am
and so i think we're coming together as an industry and starting those conversations. but if you ask, there is a desire for a minimum set of requirements that you could build on top of. but the expectation, hopefully, someday that we will all be at one point, that we have some level of confidence to embark on that sharing. ms. kenan: we are going to be able to take a couple of questions before we go to the other panel. and want to start, darious is, where are you? we have a reporter. darious is in the room and probably standing, where are you? ok. he is one of our reporters and should not -- >> so what we always hear in the cyber security discussions is how valuable the stolen records are. i was wondering if there are any efforts to track what these records are being used for and how extensively they might be used for being leveraged for financial gain? >> anybody want to take that on? ms. mcgraw: well i, i think, the
4:58 am
only thing i will say, it isn't part of our purview to track where it goes after, after we get a breach report. for example, in our investigation, we'll take a look at what happened during the breach and do we have some significant issues of lack of compliance with the rules that we have to pay attention to. but one of the things that i've definitely seen is a connection between medical identity theft and fraud. and the increase in health care fraud that is out there and the ties between security and strengthening health care security and helping to combat fraud. mr. allen: so we've been able to track this record was stolen in this anthem hack, and later that same number that was stolen on that record ended up in this fraud case. has that been done? because it, that is, that is the cause and effect would be --
4:59 am
mr. hurd: you need to put a tracer on data so we could figure out where it goes, right. the fraud units that, that are involved in whether it is, a big insurance company or the government are the ones that, something that would be interesting to see, within the health sector isac on the kinds of things they are seeing where that data is going. ms. kenan: there was a question over here. >> steve ck i s t herotocol?
5:00 am
the second is, have you received either from capitol police or fbi any of the other organizations, notice about having your own or your peer's medical information hacked? and the elephant in the room is casualty. so what about the insurance companies that, to the extent that a lot of their patients get hacked could face a serious, massive class-action suit? and thanks. mr. hurd: the first, the first question, look, the oversight role of congress to make sure we are providing performance standards rather than trying to bake something in, into a law, is important. because the reality is as soon as we say this is a best practice, it will change in six months. and so we have to create
5:01 am
legislation that is flexible and grows with the times. and that is when you talk about performance. what should, what should the outcomes be. i'm not aware of anything dealing with individual members being, their health information being targeted. and the last one? >> liability of ensure -- insurers. ms. kenan: oh, absolutely. i think this is something that everybody is looking at. this is a question that insurance companies are looking at, at major breaches, whether at retailers or banks, what is the insurance aspect to a major breach and when it comes to, when it comes to the health industry, it is huge and i don't think there is any answers on how to deal with that yet.
5:02 am
ms. kenan: and when we planned this panel and we thought, maybe the american bar association has somebody looking at this. so we went to the website and we found not only do they have somebody looking at it, they have an entire new section on e-health and data and all of this. and you tell me there are what, 1800 or 1400. mr. mikel: 1400. ms. kenan: 1400 lawyers already in something that didn't exist, when did you start this? mr. mikel: about six or seven years ago. ms. kenan: so that is, i think that sort of tells you something about the magnitude and the
5:03 am
growing magnitude. a couple of quick takeaways. we need to get through this panel to start the other one. dan will be out here in a minute. before we wrap up, arthur and i will think of a quick takeaway. this is a bigger problem than most people realize and a bigger problem than i realize coming in, that it is a massive and pervasive and that we're not going to have, none of us as individuals can protect ourselves. and, it is not solved within the next year. arthur? mr. allen: yeah. and i think that it is also, it is just another, i think we've heard here that this is just going to be sort of another pressure on the health care sector, which parts of which have a lot of financial and other strains. and unfortunately this was an unforeseen consequence of i think, unforeseen by most of the meaningful use program and the effort to get the, the needed effort to get computers into medical offices. and so. that is it. ms. kenan: and it was such a push to get the adoption of the electronic health record that there was not enough. mr. allen: i think most people did not foresee that suddenly they were going to be, it was going to make the health care system vulnerable in a new way. ms. kenan: a whole new bag of cards. mr. allen: i think there were probably some who did. but any other closing thoughts? mr. mikel: i think one thing that, one thing that bears repeating is we hear a lot about how you need the board to get involved. and you need senior leadership on this. one important thing to remember about health care and specifically hospitals in our country, is the board of even a large hospital is not necessarily the type of board
5:04 am
that you would think would exist for an entity of that size. about 59% of the hospitals in this country are nonprofits. so you have donors. you have political influence. 22% of them are state and local entities. so, it's hard sometimes just with the dynamics of the board leadership. mr. allen: interesting. mr. mikel: a different industry. ms. mcgraw: i don't want to say that hacking isn't, and cyber crime isn't worth singularly paying attention to. it absolutely is. but i think we're, we risk getting attracted to the shiny object when good, basic security should be the platform upon which all of this gets built and we're not even really there yet, for many entities. and we have to figure out a way to get there. ms. kenan: i need to wrap up a conversation.
5:05 am
mr. hurd: a quick point. ms. kenan: yeah, yeah, you have to talk as fast as me. mr. hurd: don't click on links in suspicious e-mails. ms. kenan: there you go. it is time to wrap up the conversation. thank you for being here and sharing your insights and i'm going to welcome andiamond from -- dan diamond from pulse who will, he's helped us put together the forum and the next panel will take over. and then stay afterwards and continue talking and drink. [applause] mr. diamond: welcome, everyone. thank you for coming. i'm excited to join the team. my role here, in addition to writing pulse and doing the pulse check podcast is moderating the outside-in forum. and you see on your seats, the first story we published as part of the forum. i even have it here, if you haven't seen. polling insiders on what they -- on what are the biggest cyber security challenges and the role that government can and should play. i do want to welcome our 3
5:06 am
panelists, as i sit on this high chair. first, a man who needs no introduction, i'm going to give him one anyway. aneesh chopra, co-founder of hunch analytics and spent years providing leadership on i.t. issues in the white house and worked on the advisory board company. and nick dawson, executive director of sibley hospital innovation hub, better known as the innovation czar. as long as i've known nick, which is 10 years, he's the most thoughtful thinker on sharing health care information on line. and our last panelist. he studied this issue very closely and it is timely to have you, because you just did a report thursday, last week. it was on cyber security and some of the biggest issues plaguing the sector. i have questions for the 3 of you but i wanted to start by taking the temperature of the room.
simple question. show of hands. is cyber security getting worse in health care? show of hands. ok. only about half of the room. is it getting better? is cyber security safer than it was? i'm going to turn to you guys. aneesh, is cyber security worse than it used to be? >> so i'm going to answer this question with the typical caveat, which is yes, in the following context. we were in manila folders five years ago, eight years ago. and so when you've increased the spread of digital records, by definition you've created more of an attack vector on which there could be more risk. so relative to manila folders, i would say the cyber security risk is higher. on the flip side, if you take a look at the preponderance of the data on where the cyber security risks have come from, the noncertified health i.t. services are where the attacks seem to be. so if you kind of take the practical nature of this, data in many databases that have been sold in the commercial sector, banking sector, health care sector, databases that people can log into and have access to, that someone who does convince me to click on a malicious link might expose, but the systems that are regulated, the certified systems that were subsidized under the meaningful use program, for some reason have been less prevalent among the list of sites. that does not mean that they are perfect or that they are safe. just, if you look at the evidence, the overwhelming share of attacks have been in the uncertified area. worse, but in context. mr. diamond: let's come back to the certified point but maybe move down the line. nick, on the security side, have things gotten better or worse? >> i was ready to take a contrarian view. i was given a beer and shown a comfortable chair in the back.
if i take that view it means i can't come back, i can adjust my point of view. >> how much alcohol have you had? we were hoping you would go full throttle. >> it's a bell curve. i would echo those sentiments. we've become digital very quickly, it increases the attack surface. there's also the pragmatic reality that threats have been there for networks for years and years and years, and this is a hot topic and a timely one for our industry for some well-known examples, things we have just heard of. i do not think it necessarily means that the sky is falling per se. i think from a provider organization standpoint we're wrestling with a reality of, is this really the business we want to be in and know how to be in? do we know how to staff for it, do we know how to fight these kinds of things? we've kind of convinced ourselves that we need to be all things to all people, we have to be a food service delivery, and we need to be a leasing organization and a research organization and provider organization. but this may be an area that we're significantly focused on, so we think it's a hot pressing topic but we might want to reexamine that. >> niam? >> i think i agree with the panel. the frequency of these cyber attacks is becoming lower, primarily because health care is becoming more secure in i.t., just like any other industry. when you're younger you're more likely to have accidents while driving. as you get used to it, and you learn how to drive, the accidents are less important. host: you think we actually might be trending in the right direction as health care matures. things are getting safer. >> correct. and the other thing is, i think the recent ransom attacks are the best thing that could happen for health care security because they now let people know about the importance of cyber security in the medical domain. so cyber security and health i.t.
are no longer an overhead for the hospital managers; it has now become an integral part of their services. now they realize that if they do not invest enough in cyber security and i.t., it is going to hurt their main core operational businesses. so i think now that these recent attacks have created this awareness, health care providers will have much more business incentive to invest in cyber security and ensuring patient privacy, just like other businesses do. host: so one of those ransomware attacks we heard about on the first panel. probably everyone in the room knows the medstar attack, where hackers held the information hostage, asking for bitcoins to release the information back. hospital executives basically had to cancel patient visits. nick, you are not at medstar, but you are at a medstar rival. i'm curious, as an executive of a hospital watching this happen, what were the meetings like in the boardrooms to make sure that you are not the next medstar? >> i don't know if it's a direct quote, i think it was probably a conversation that started with, what's a bitcoin? [laughter] >> and that's not, i think that's probably a conversation anyone would have. my point there is, the notion is really esoteric. the notion of being held crypto ransom. there's a whole set of education we need to have. what is the threat versus reality? that's the case where there was actual reality, not just a threat. so the first part of it starts with unpacking what's really happening, what's our real risk, what's the mitigation of that risk, meaning like time to figure it out for ourselves, to restore from backup if it's a possibility, to come up with a different solution versus the
cost of just paying it. sometimes that cost of paying it is cheaper than waiting to try to figure out another plan, if there is another plan. i think that's part of it. i think for us, and instead of pontificating on what happened in the boardroom, i've not been privy to the conversation, but i'll tell you what the innovation team starts to talk about, is how do we think about this in a different way, so not in the sense that, although there was a suggestion we should start mining bitcoin, have a stockpile. but the -- >> another business for hospitals. architecture firm. >> we made our margin on bitcoin this year. i think instead it's, how do we not have a single point of failure? so our team got together and said, what's going on here? we said, it seems like the i.t. infrastructure, really the emr, because it is the piece that does the billing and medication delivery and admit and discharge, is the operating system of the hospital. and how do we not have that become a single point of failure? so we started talking about different types of mitigations. and that was kind of where we took it. host: i feel like that plays into what aneesh was saying initially. which is more vulnerable? >> i'm not suggesting that one is particularly better than the other, but i would say the certified systems have at least embodied a lot more of the best practices into the regulatory framework. so there's actually a fairly basic understanding of how do you encrypt information at rest and in motion and how do you ensure there's a user authentication process, so when dan diamond logs in, i know it's him and not a machine pretending to be dan diamond. so we've got more of these testing capabilities to make
sure the software sold to the organizations can meet a certain bar. and that bar gets better every cycle. whereas the broader systems that are available everywhere, they really have not gone through that level of review. so as a consumer protection matter, if you're the head of purchasing, you may not know that this particular outsourced vendor that does your billing and collections, that gets the entire patient file to make sure that the co-pays are collected for the $20 that are missed, that that entity has some cyber security best practices and hygiene to the standards that are seen among the certified technology that is made available. so my perspective is we're getting better. it's an interesting point about health care. i'll make this observation about getting better. the whole framework for cyber security was we'd have a learning industry model, that is to say there's more disclosure of breaches, which would then inform root cause analysis to say, now we know where the vulnerabilities are. let's close the loop in the next round. and that we would have this much more transparent system, collaborative system. health care is actually further ahead than the rest of the industry verticals, because part of the hitech act was to create a framework that required that breach notification and that disclosure. so we're actually, wow, a lot of attacks in health care. it's one of the few that requires reports. not all sectors do. so we're benefitting in many ways because we're bringing to light, we're shining light on these holes, which leads to a loop where we get better and better over time. that's at least my perspective on how the systems evolve. host: i like that learning system per se. i want to go back to one quick point and get kind of nerdy about it for a second. i think what i'm hearing and -- >> this is a good crowd by the way to get nerdy. host: cool. >> i give you the blessing. host: this is a marginally informed comment. i want to preface it with that.
what i'm hearing is that the specific attack vectors are often unpatched microsoft servers. that's a well-known, huge vendor. that is not small. >> i'm sorry, nick. i probably know the least on this panel, so help me understand. are we talking about microsoft office? like what specifically in microsoft? >> i'll get out of my depth really quickly, too. but microsoft has a server platform that a lot of the infrastructure sits on. it might be the part of the application layer that runs part of the emr. it could be part of the database layer, though increasingly they sit on a unix platform. imagine we all have windows xp or windows 10 on our laptop. that has to be kept up to date pretty regularly. so that underlying operating system is what seems to have a lot of the vulnerability. >> aneesh just said we see many more attacks in health care only because health care is required to report them, as opposed to other industries that are not required to report them. and it is designed like that in order to let people learn about the failures, but what is happening is we only learn about the incidents, not the root causes of the incidents. if you go to ocr's wall of shame, so many attacks have happened. i haven't learned anything from this. i don't know if you have learned anything from the failure of medstar. i think to use the potential of that learning curve and industry informing itself, both ocr and also the health care organizations and other entities in the health care system, which are not limited to health care organizations and their emrs, there are business associates and insurance companies who many times have access to much larger volumes of patient data and are not using certified or uncertified emrs, need to learn from these breaches, to learn the lessons from these breaches. and unfortunately, it is not
happening at the moment. host: one thing i was struck by on the first panel, the congressman says the hackers are learning from each other, russian hackers. the victims in the united states, they don't have the same information sharing. how do we fix that? >> well, we're getting, let me be precise about this. we do have a framework under the commerce department agency that is really the switzerland for a lot of this information flow, to establish these industry verticals that are sharing. one of the big problems is, what are you sharing? are you going to release personally identifiable information to share? hey, i got this e-mail from dan diamond, man, he sent me some crazy things. host: you keep saying my name. is someone sharing my information with you? >> i get this stuff, hey, aneesh, i'm preparing for the panel today. i click the link. that e-mail contained a link that installed malicious software on my computer. how do i share that e-mail with others without violating your privacy in order to learn? how did that particular piece of malware get onto your spoofed e-mail? so getting the privacy right has been the central debate in information sharing, which congress has now moved forward on; this framework's goal is to minimize pii while maximizing the sharing and learning across many industry verticals. so we're not perfect in health care, but we have at least a model to say, how do we ensure that these threat vectors are shared? now, in the first term we were at a cloud first policy in part because patching is a human failure, right?
it's not microsoft's fault you didn't patch. you've got to push the button and patch. so the staff -- i mean, maybe have some burden, but the premise is, part of the reason i was enamored with the idea of cloud is, in many ways, you auto patch in bulk, so you get the threat vector at 3:00 p.m. on a monday afternoon. you learn a new signature. you figure it came from this domain, from this apparatus. you sort of incorporate that into the feedback list. next time it shows up in the same cloud environment, you stop it before it's presented to him to click. so this learning, real-time learning, i think it is the opportunity that's coming. and we know, we're stuck in the must-have servers on premises. but then you have to bear the responsibility. if you're going to do the infrastructure, you have to do it all the way. i think it is going to, it might lead to a further acceleration to the cloud. dan diamond: just want to open this back up. #outsidein is the hashtag. if you have questions, submit them. they'll get passed to me. i want to build off something you just said, aneesh. we're at this balance of protecting information but also the need to share this. this is your point. how do we make sure we strike that balance in a world where we're going to benefit from sharing health data for outcome insight, for making it easier for patients, but someone on the first panel, i think it was clinton, said the way to protect data is to put it all in a server in a bathtub and not let anyone see it. what is the right answer moving forward to strike the right balance? >> between -- i want to make sure i get the right question, so between sharing and -- dan diamond: opening it up. nick dawson: i would say, back to what i said at the beginning. we built this incredible infrastructure around i.t. security. in fact, any community that i know of where the community hospital is the largest employer, it's also
the most advanced i.t. shop. they tend to be an anchor for people who want careers in i.t. that is an amazing thing. we continue to build in the infrastructure. so do we keep investing more locally or do we start looking for cloud-based services? and we look where we left the door open, put a guard in front of that door, where we realize we've left our backside totally uncovered and people are kind of flanking us that way. i think that's the question. i think the other way of looking at it is, do we take the same amount of money and resources and put it into building something completely different? and my version of this is maybe where i'm a little bit contrary, and i started and went before this conversation to a bunch of patient groups and said, what's your view on this? what would you want? and almost universally what i hear is, i want to own my own data. i want to decide who gets access to it. i have a gmail account. as far as i know, google does not get hacked. but sometimes i sign up for a website and say to the website, use gmail or google as my user name and password, so there's a mechanism for that. i'm adding a couple of layers of sophistication on top of the comments i heard. but my version of that is, if we want to start sharing things, what if we took the money and resources and built something entirely different, and the thing different would be putting the data back in the hands of the patients and letting them be the ones to share it and having an authorization mechanism for doing that. >> right now, it's so hard for some patients they may as well just hack the system if they want to get the data. >> anyone could get the records faster. >> we're not endorsing that. >> especially because it's too easy to hack into the software systems. >> your report touched on this, all the different hackers that are out there, niam. and some of them are malicious, and some of them are the misfit youth who are doing it on a dare or for fun. what are some of the commonalities
around who is doing the hacking and what can we learn from the patterns of hacking behavior? >> well, i interviewed 22 victims, and out of those 22, only two or three of them were real victims of hacking attacks. the rest were just goofy people who happened to, you know, lose a laptop or a thumb drive or something like that. i really don't think hacking happens that much in health care. it happens more than it should, but not as much as we think it is happening. because i still cannot believe the stories that i read in different news outlets claiming that medical data is $500 per record, because if that was true and the community hospital has easily 1 million records, if i could hack into them and sell that data at $500 per record, that is $500 million, i would quit my job at brookings right now and go learn to hack into these systems. >> i'm sensing a theme in our panel. we are not endorsing this bad behavior. but point taken. it's a little overhyped. niam yaraghi: yeah. but ransomware makes all the sense because -- again, please pay attention that these ransomware attacks, they're not touching your data. it's like somebody changing the lock of your front door and not letting you get in. they do not touch the things in your home. they're not stealing anything. they just tell you, hey, give us $15,000, maybe $20,000, to let you get into your home. that's it. because the hackers themselves know that it's really difficult to monetize medical data. i mean, who cares about my blood test? nobody. the only things that they are after are my social security number and home address, date of birth, my personal information, the part of those health records that is not the medical records. and they use that in order to create a fake identity or submit insurance claims and everything.
and it is very difficult to scale that up. you know, from a hacker's perspective, he may pay you $500 for one record, but he's not going to pay you $500 million for 1 million records. it's very difficult for them to monetize. dan diamond: let me jump in. i see aneesh is nodding along. you agree with this assessment that it's not all about the medical information, it's the social security numbers and -- aneesh chopra: well, so here is -- it's hard to get in the mind because this is not well reported. but let's just take it -- in 2010, the president said, i'm going to provide basically online access to patients in the v.a. to access their health records via blue button. loads up the blue button and a million veterans push the button and access their data. not a lot of widespread reports yet of people faking they're a veteran in order to get another veteran's blue button file, not yet. cms follows suit. maybe a million people have downloaded the blue button file. not a lot of evidence, or at least reported evidence, of people faking. and on and on. now we expanded the concept of buttons into different colors, green button for energy, red button -- i thought it was red -- then my data for education. then consumer financial data became the irs get transcript. all of a sudden, the irs get transcript, which now does have, in his point, the kind of stuff you would reuse for economic gain, 23 million americans downloaded their get transcript file. 200,000+ have been publicly reported as having been spoofed, hacker-like attempts. so it provides some evidence that the attack vector is for the data that has economic reuse, and not so much the clinical values. and my perspective on that is the following hole in our current systems. the current hospital or doctor does not know whether a machine is logging into the portal or a human.
the internet economy has figured this thing out. there's a door for the machines and a door for the humans. and you have security that's commensurate with the request. if you want to get the machine door, the patient has got to authorize it, the consumer has to authorize it. you have one more step than if a human just logs in. the great news about where we are in health care is that the obama administration in november finalized the meaningful use -- which is now part of all the other acronyms. we have a very clear view that there will now be a machine front door, a front door for machines, that will be secure and would allow for a more thoughtful way of registering. so no one has to hack the account in order to pull their health record into something that nick is describing that could make them make better decisions in health care, but rather a thoughtful front door that they don't have to hack in to get their own data. and really the race is on: protect the old patching of the old servers and the painful headache, while turning on the systems that we're going to need to be successful in a value based health care world. that's the opening up while locking down conundrum, which i think the opening up is going to win. we will spend a lot more time doing that than this. dan diamond: we have a few minutes left. if you have a question, please raise your hand, and we'll try to get a microphone to you. i have a question first. the -- i don't have a response to that. we just heard from aneesh a potential solution from government on a way forward. nick, niam, what is the government intervention, or maybe lack of intervention, you'd like to see? i understand the government may not always be helpful when getting into this space. nick dawson: i want to be thoughtful about that because so many of the thought leaders and the people i learned from are
government leaders. i think from our legislative standpoint, i would want to not act too quickly because my -- i don't know. i think my numbers could be wrong here. but i think very, very few people in congress identify as coming from a math and science background. and this is pretty heavy in the math and science realm. dan diamond: congressman hurd may disagree with you. nick dawson: i think it's a fine percentage. i look at a bill that does not understand cryptography at all. it would basically ban a web browser. so i would not want to rush down that path and find ourselves hamstrung by something. i want to go back, and this is just ad hocking on the spot. and to go off of your idea of a learning network, we do not understand the root cause of these things. i think it is my server unpatched. what i would like is a government convener for this. dan diamond: lower case "g" convener. i like that. you like that? would you copyright that? this is the lower case "g" in government that convenes the industry to solve and learn in varying forms. so this was my favorite industry for collaboration because it didn't have the heavy hand of regulation, nor was it a free-for-all, don't do anything. but it had a thoughtful method by which we could orchestrate the right answer, which really is at the heart of what our government was founded on, this notion of community and commonwealth. niam yaraghi: i think the best government can do is convening and bringing people together and inviting them to talk with each other and work on a problem. but expecting government to help with innovation and information
technology is really foolish. we have seen the results of government intervention in health care information technology through meaningful use programs, and we have seen it through hipaa regulation. it has been a miserable failure in both areas, so i think we should not expect government to be able -- capable, you know, of solving this information technology problem. it has not been successful. 155 million americans had their records out there, have been victims of privacy breaches, and that is the lowest estimate, because ocr only reports the breaches of more than 500 people; for each of those large breaches there are hundreds of smaller breaches that are not even reported. so i can comfortably say that all of our records have been out there. we all have been a victim of privacy breaches. and, you know, if government couldn't help one of us protect our privacy, then i personally do not expect it to be able to do anything better. so let the market do its job. in my last report, i lay out how a cyber insurance market could potentially solve all of these problems that we have in patient privacy and cyber security and how those market-based solutions could be a long lasting approach to solve the problem fundamentally. dan diamond: as you were talking, i noticed the first panel nodding their heads or shaking their heads no. just so you know. [speaking simultaneously] aneesh chopra: i'd love to defend the meaningful use program. could you imagine, just a simple question, the average doctor who is caring for a couple thousand patients could not figure out which patients, based on background or condition, may have a heart attack or hypertension, which of them had elevated blood pressure levels so they need to be managed in a more aggressive way? we as a country could save a
million heart attacks now because of the method by which we've basically built up the program. every certified health i.t. system is capable of running a simple query, so nick and his team could say, whoa, who are the 15 patients we didn't know are at risk of a heart attack? let's go call them, bring them in, counsel them, let's make it happen. so one final thing. cyber security insurance market: you can't build an insurance market unless there's a standardized data model on which they can insure against. so you needed the government to build standards to know what the root causes of the problems are, on which they could then model this. there is a yin and a yang. i get the sentiment. i want to correct the record where i can. dan diamond: a very provocative way to end the panel. if you disagree or agree with any panelists, find them in the lobby. unfortunately, no more time for questions. for those of you in the room, thank you very much. those watching on the live stream, thank you also. a final thank you to philips. make sure to join us for cocktails. please drink responsibly. do not share your medical information. thank you, everyone. >> thank you. [applause] [captioning performed by the national captioning institute, which is responsible for its caption content and accuracy. visit ncicap.org] >> with the current supreme court term beginning to wind down, the court today is moving forward on the health care law contraception mandate. we are joined by washington post supreme court correspondent robert barnes. what did the court say today? >> they said they will stay out of it. there is a compromise that is possible, in which these groups would not be offended by what the administration is trying to
do in providing contraceptive care to the female employees, and that there was a workaround that was in play. but the government -- the court said that all of that should be accomplished in the lower courts, not at the supreme court. it sends all these cases back, with hopes that a compromise can be reached. >> remind us, for our viewers and listeners, what the underlying issue was that brought the plaintiffs to the court. >> the issue is that the affordable care act requires that employers provide female employees with contraceptive coverage. places of worship are exempted from that. but religious groups such as universities or charities or hospitals are not exempted, and the administration made an accommodation for them, saying that if they objected to providing this coverage, and told the government that, the government would make other arrangements to have the insurance company pay for it without any kind of involvement by the groups. but the groups said that wasn't enough, that even notifying their insurance companies or the federal government of such an objection set in motion the fact that these women would still get the contraceptive coverage that the groups disagreed with. there was a bit of a standoff. all but one appeals court around the country ruled for the obama administration, and said the accommodation was enough. the supreme court today, though, threw out all those decisions and basically said to start over. >> so if they decided to leave the current decisions alone, those decisions would have stood, and you would have different rulings in different parts of the country, correct? >> that's right.
as i said, there was only one u.s. court so far that had ruled the accommodation wasn't enough, but it still would have meant that the law was interpreted differently in different parts of the country. >> your tweet about this issue says a shorthanded supreme court sends obamacare contraception case back to the lower courts, hopes for compromise. on that issue of a shorthanded court, what does this say about the current status of missing one justice? >> i think it says that there clearly wasn't a majority on matters in this case, and the court was looking for a way out of it. today's opinion was only three pages, and it was unanimous, and the court went out of its way to say it wasn't deciding anything on the merits of the case. it was sending it back. had it split 4-4, as you say, then all of those rulings would have stayed and the law would have been interpreted differently across the country. so the court is doing some very unusual things to try and avoid those 4-4 ties. in this case, it floated some idea of the compromise in march, and then asked both sides to respond, and that is what today's ruling is based upon. headline -- supreme court sends obamacare contraception case back to lower courts. what is the road forward in terms of what these plaintiffs can do, and what the courts may do in the coming months and years? >> it's a little unclear, and i think it is unclear to the groups, too. it does seem that there will be some kind of negotiation between the parties, the administration and these groups that have been objecting, but at the same time, the court made it clear that it expected the law to be fulfilled, so that women got this coverage.
in effect it said, with the parties in this case, which range from the diocese of pittsburgh to small colleges across the country to a group of nuns called the little sisters of the poor, it says the government can go ahead and take this as notification that these groups object, and the government can go ahead and try to find a way to provide it on its own. >> robert barnes covers the supreme court and writes about it for "the washington post." you can follow his reporting on twitter. thanks for joining us. >> you are very welcome, thank you. c-span's "washington journal," live every day with news on policy issues that impact you. coming up this morning, a democratic congressman joins us to discuss the move by the obama administration for the bathroom law, as well as efforts to elect more lgbt people to congress. then, economist and author moore, who was reportedly asked by donald trump to review his tax proposal, discussing the elements of his plan, as well as plans offered by the other candidates. be sure to watch "washington journal," coming up at 7:00 a.m. eastern this morning. join the discussion. the house takes up a 2017 defense department programs and policies bill, starting today. the $610 billion authorization bill passed out of committee by a 60-to vote. live coverage begins at noon eastern, here on c-span. >> democratic presidential candidate bernie sanders is in california today for a campaign rally.
ahead of that primary. he's speaking at the campus of dominguez hills. live coverage at 11 p.m. eastern on c-span2. >> this sunday night on "q&a," michael kinsley talks about his new book, "old age: a beginner's guide on living with parkinson's." >> parkinson's is a brain disease, so it's a nonsensical question, but what i really meant, obviously, was thinking. is it going to affect my thinking? thinking is how i live, so that became pretty important, and i asked this neurologist, what's going to happen? and he says -- he's trying to tell me it wasn't a big deal. he said, you may lose your edge, as if that was nothing. i thought, gee, my edge is how i earn a living. it's why i have my friends, why i have my wife. >> sunday night at :00 eastern on "q&a." >> next, a discussion on the stop act, proposed legislation to ban members of congress from personally asking for campaign contributions. congressman david jolly of florida, who introduced the legislation, was joined by the cosponsor. this is an hour and 10 minutes.
>> we all know it takes money to run for political office, in some cases, a lot of money. and that equates to a lot of time politicians spend convincing donors to send cash their way. david jolly was first elected in march 2014, with a reelection bid only six months away, and he said he was shocked to hear from party elders that in the next six months he needed to raise $2 million, and that, he was told, was his first job. in february, he introduced the stop act, which would ban members of congress from personally asking for money. rick nolan was one of the first to cosponsor the legislation. he served three terms in the house in the 1970's and was later elected to congress