[House Hearing, 115 Congress]
[From the U.S. Government Publishing Office]
CYBERSECURITY IN THE HEALTHCARE SECTOR: STRENGTHENING PUBLIC-PRIVATE
PARTNERSHIPS
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED FIFTEENTH CONGRESS
FIRST SESSION
__________
APRIL 4, 2017
__________
Serial No. 115-24
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
25-828 PDF WASHINGTON : 2017
----------------------------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
COMMITTEE ON ENERGY AND COMMERCE
GREG WALDEN, Oregon
Chairman
JOE BARTON, Texas FRANK PALLONE, Jr., New Jersey
Vice Chairman Ranking Member
FRED UPTON, Michigan BOBBY L. RUSH, Illinois
JOHN SHIMKUS, Illinois ANNA G. ESHOO, California
TIM MURPHY, Pennsylvania ELIOT L. ENGEL, New York
MICHAEL C. BURGESS, Texas GENE GREEN, Texas
MARSHA BLACKBURN, Tennessee DIANA DeGETTE, Colorado
STEVE SCALISE, Louisiana MICHAEL F. DOYLE, Pennsylvania
ROBERT E. LATTA, Ohio JANICE D. SCHAKOWSKY, Illinois
CATHY McMORRIS RODGERS, Washington G.K. BUTTERFIELD, North Carolina
GREGG HARPER, Mississippi DORIS O. MATSUI, California
LEONARD LANCE, New Jersey KATHY CASTOR, Florida
BRETT GUTHRIE, Kentucky JOHN P. SARBANES, Maryland
PETE OLSON, Texas JERRY McNERNEY, California
DAVID B. McKINLEY, West Virginia PETER WELCH, Vermont
ADAM KINZINGER, Illinois BEN RAY LUJAN, New Mexico
H. MORGAN GRIFFITH, Virginia PAUL TONKO, New York
GUS M. BILIRAKIS, Florida YVETTE D. CLARKE, New York
BILL JOHNSON, Ohio DAVID LOEBSACK, Iowa
BILLY LONG, Missouri KURT SCHRADER, Oregon
LARRY BUCSHON, Indiana JOSEPH P. KENNEDY, III,
BILL FLORES, Texas Massachusetts
SUSAN W. BROOKS, Indiana TONY CARDENAS, California
MARKWAYNE MULLIN, Oklahoma RAUL RUIZ, California
RICHARD HUDSON, North Carolina SCOTT H. PETERS, California
CHRIS COLLINS, New York DEBBIE DINGELL, Michigan
KEVIN CRAMER, North Dakota
TIM WALBERG, Michigan
MIMI WALTERS, California
RYAN A. COSTELLO, Pennsylvania
EARL L. ``BUDDY'' CARTER, Georgia
7_____
Subcommittee on Oversight and Investigations
TIM MURPHY, Pennsylvania
Chairman
H. MORGAN GRIFFITH, Virginia DIANA DeGETTE, Colorado
Vice Chairman Ranking Member
JOE BARTON, Texas JANICE D. SCHAKOWSKY, Illinois
MICHAEL C. BURGESS, Texas KATHY CASTOR, Florida
SUSAN W. BROOKS, Indiana PAUL TONKO, New York
CHRIS COLLINS, New York YVETTE D. CLARKE, New York
TIM WALBERG, Michigan RAUL RUIZ, California
MIMI WALTERS, California SCOTT H. PETERS, California
RYAN A. COSTELLO, Pennsylvania FRANK PALLONE, Jr., New Jersey (ex
EARL L. ``BUDDY'' CARTER, Georgia officio)
GREG WALDEN, Oregon (ex officio)
(ii)
C O N T E N T S
----------
Page
Hon. Tim Murphy, a Representative in Congress from the
Commonwealth of Pennsylvania, opening statement................ 1
Prepared statement........................................... 3
Hon. Diana DeGette, a Representative in Congress from the State
of Colorado, opening statement................................. 4
Hon. Greg Walden, a Representative in Congress from the State of
Oregon, opening statement...................................... 6
Prepared statement........................................... 7
Hon. Frank Pallone, Jr., a Representative in Congress from the
State of New Jersey, opening statement......................... 7
Prepared statement........................................... 8
Witnesses
Denise Anderson, President, National Health Information Sharing
and Analysis Center............................................ 10
Prepared statement........................................... 13
Answers to submitted questions............................... 81
Michael C. McNeil, Global Product Security and Services Officer,
Philips Healthcare, and Chairman, Cybersecurity Working Group,
AdvaMed........................................................ 28
Prepared statement........................................... 30
Answers to submitted questions............................... 90
Terence M. Rice, Vice President and Chief Information Security
Officer, Merck & Company, Inc.................................. 34
Prepared statement........................................... 36
Answers to submitted questions............................... 109
Submitted Material
Subcommittee memorandum.......................................... 74
Letter of November 3, 2016, from Ms. DeGette and Mrs. Brooks to
Robert M. Califf, Commissioner, Food and Drug Administration,
and Jeffrey Shuren, Director, Center for Devices and
Radiological Health, Food and Drug Administration, submitted by
Mrs. Brooks.................................................... 79
CYBERSECURITY IN THE HEALTHCARE SECTOR: STRENGTHENING PUBLIC-PRIVATE
PARTNERSHIPS
----------
TUESDAY, APRIL 4, 2017
House of Representatives,
Subcommittee on Oversight and Investigations,
Committee on Energy and Commerce,
Washington, DC.
The subcommittee met, pursuant to call, at 10:17 a.m., in
Room 2322 Rayburn House Office Building, Hon. Tim Murphy
(chairman of the subcommittee) presiding.
Members present: Representatives Murphy, Griffith, Burgess,
Brooks, Collins, Walberg, Walters, Costello, Carter, Walden (ex
officio), DeGette, Schakowsky, Clarke, Ruiz, and Pallone (ex
officio).
Staff present: Jennifer Barblan, Chief Counsel, Oversight
and Investigations; Elena Brennan, Legislative Clerk, Oversight
and Investigations; David DeMarco, Deputy Information
Technology Director; Blair Ellis, Press Secretary/Digital
Coordinator; Adam Fromm, Director of Outreach and Coalitions;
John Ohly, Professional Staff Member, Oversight and
Investigations; Jennifer Sherman, Press Secretary; Hamlin Wade,
Special Advisor for External Affairs; Jessica Wilkerson,
Professional Staff Member, Oversight and Investigations; Jeff
Carroll, Minority Staff Director; Christopher Knauer, Minority
Oversight Staff Director; Miles Lichtman, Minority Staff
Assistant; Kevin McAloon, Minority Professional Staff Member;
Jon Monger, Minority Counsel; Dino Papanastasiou, Minority GAO
Detailee; and C.J. Young, Minority Press Secretary.
OPENING STATEMENT OF HON. TIM MURPHY, A REPRESENTATIVE IN
CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA
Mr. Murphy. Good morning, and welcome to our Oversight and
Investigations hearing on Cybersecurity in the Healthcare
Sector: Strengthening Public-Private Partnerships. We are here
today to talk about cybersecurity in the healthcare sector.
Strong cybersecurity practices are essential in this industry.
This isn't just about protecting data or information, this is
about patient safety.
For nearly two decades, a cornerstone of the Nation's
efforts to combat cyber threats have been public-private
partnerships designed to facilitate engagement and
collaboration between the Government and private sector. Over
time, this model has evolved, but the objective remains the
same, the unity of effort between those responsible for
protecting the Nation and those who own and operate the
infrastructure that is critical to that mission.
The focal point of these efforts are 16 critical
infrastructure sectors, one of which is the healthcare sector.
Each sector is organized around several key institutions: a
Sector-Specific Agency, that is SSA; Government Coordinating
Council, GCC; Sector Coordinating Council, SCC; and Information
Sharing and Analysis Center. I hope you all have that. Each of
these institutions plays an important role in ensuring
participation, collaboration, and unity of effort of the
Government and private-sector participants within each sector.
Despite a number of efforts to improve this model over the
years, it has achieved mixed results across the various
sectors. Some sectors have succeeded in developing robust
support and engagement with both Government and industry
participants. The gold standard to date has been the financial
sector. This sector enjoys a strong collaborative relationship
with our Government partner, the Department of the Treasury,
which is noteworthy because Treasury is also the regulator.
In addition, despite having a very diverse sector, they
have succeeded in encouraging support and participation from a
wide variety of institutions from small community banks to
large multinational financial institutions. This extensive
membership has helped the sector to establish the Nation's most
sophisticated and well-resourced ISAC, which improves its value
to the entire sector.
Another more recent success story has been the electricity
sector. This sector of energy has improved collaboration and
engagement both with Government partners at the Department of
Energy and across private industry through senior executive
participation on the Sector Coordinating Council. In addition
to elevating the priority for industry partners, it has
improved coordination and unity of effort with the Government.
Despite the relative success of these and several others,
every sector has unique characteristics and challenges that
influence the pace of adoption and engagement in these
institutions. What works for one sector may not work for
others, and as each sector figures out what works best for
their participants, however, the lessons from others should not
be overlooked or ignored especially for those sectors that
continue to evolve.
What brings us to today's hearing, the healthcare sector
focus--this sector has long struggled to coalesce around the
public-private partnership model especially with respect to
cybersecurity. This may be partially attributable to the fact
that cybersecurity is a relatively new challenge for much of
this sector. However, as health care becomes increasingly
digitized, the need to improve cybersecurity must be a
priority.
Gaining the acceptance and support necessary to overcome
historical obstacles will not be easy for this sector. To
start, health care is an incredibly diverse and complex sector,
with a wide range of industries and institutions of various
sizes, technological sophistication, and resources. It is also
a sector where cybersecurity often becomes conflated with
privacy or compliance, complicating the discussion. This, in
turn, is exacerbated by the fact that a successful public-
private partnership depends on collaboration and trust with
HHS, an understandable challenge given the many participants in
this sector who are regulated by various entities within the
Department.
These and other challenges are understandable and daunting.
If I am a small, rural healthcare institution where
cybersecurity falls to one employee who is also responsible for
managing IT systems and, well, fixing copiers among other
duties, what value do I get for the cost of joining the ISAC or
listening to guidance from the Sector Coordinating Council? At
present, it is hard to answer that question, especially for
those institutions already operating on negative margins.
These challenges, however, must be overcome. The cost of
failure for patients, as well as healthcare institutions, is
too great. Cybersecurity incidents can result in life or death
situations if a medical device is hacked or an attack shuts
down a hospital's computer systems. And cybersecurity is a
collective responsibility and that is why it is imperative that
this sector find a way to come together to find a sustainable
path forward.
I look forward to hearing more from our witnesses today
about the challenges of this sector and what is needed to bring
unity and commitment from all participants. These are the folks
working in the trenches, and while the sector has shown signs
of progress, what we will find out today is that much work
needs to be done.
[The statement of Mr. Murphy follows:]
Prepared statement of Hon. Tim Murphy
We are here today to talk about cybersecurity in the
healthcare sector. Strong cybersecurity practices are essential
in this industry. This isn't just about protecting patient data
or information--this is about patient safety.
For nearly two decades, a cornerstone of the Nation's
efforts to combat cyber threats have been public-private
partnerships designed to facilitate engagement and
collaboration between the Government and private sector. Over
time this model has evolved, but the objective remains the
same--unity of effort between those responsible for protecting
the Nation and those who own and operate the infrastructure
that is critical to that mission.
The focal point of these efforts are 16 critical
infrastructure sectors--one of which is the healthcare sector.
Each sector is organized around several key institutions--a
Sector-Specific Agency, Government Coordinating Council, Sector
Coordinating Council, and Information Sharing and Analysis
Center. Each of these institutions plays an important role in
ensuring participation, collaboration, and unity of effort of
the Government and private-sector participants within each
sector.
Despite a number of efforts to improve this model over the
years, it has achieved mixed results across the various
sectors. Some sectors have succeeded in developing robust
support and engagement with both Government and industry
participants.
The gold standard, to date, has been the financial sector.
This sector enjoys a strong, collaborative relationship with
their Government partner--the Department of the Treasury--which
is noteworthy because Treasury is also their regulator. In
addition, despite having a very diverse sector, they have
succeeded in encouraging support and participation from a wide
variety of institutions--from small community banks to large
multinational financial institutions. This extensive membership
has helped the sector to establish the Nation's most
sophisticated and well-resourced ISAC, which improves its value
to the entire sector.
Another, more recent, success story has been the
electricity sector. This sector has improved collaboration and
engagement--both with Government partners at the Department of
Energy and across private industry--through senior executive
participation on the Sector Coordinating Council. In addition
to elevating the priority for industry partners, it has
improved coordination and unity of effort with the Government.
Despite the relative success of these and several others,
every sector has unique characteristics and challenges that
influence the pace of adoption and engagement in these
institutions. What works for one sector may not work for
others. As each sector figures out what works best for their
participants, however, the lessons from others should not be
overlooked or ignored--especially for those sectors that
continue to evolve.
Which brings us to the focus of today's hearing--the
healthcare sector. This sector has long struggled to coalesce
around the public-private partnership model, especially with
respect to cybersecurity. This may be partially attributable to
the fact that cybersecurity is a relatively new challenge for
much of this sector. However, as health care becomes
increasingly digitized, the need to improve cybersecurity must
be a priority.
Gaining the acceptance and support necessary to overcome
historical obstacles will not be easy for this sector. To
start, health care is an incredibly diverse and complex sector,
with a wide range of industries and institutions of varying
sizes, technological sophistication, and resources. It is also
a sector where cybersecurity often becomes conflated with
privacy or compliance, complicating the discussion. This, in
turn, is exacerbated by the fact that a successful
publicprivate partnership depends on collaboration and trust
with HHS--an understandable challenge given the many
participants in the sector who are regulated by various
entities within the Department.
These and other challenges are understandable and daunting.
If I am a small, rural healthcare institution--where
cybersecurity falls to one employee who is also responsible for
managing IT systems and fixing copiers, among other duties--
what value do I get for the cost of joining the ISAC or
listening to guidance from the Sector Coordinating Council? At
present, it is hard to answer that question, especially for
those institutions already operating on negative margins.
These challenges, however, must be overcome. The cost of
failure--for patients, as well as healthcare institutions--is
too great. Cybersecurity incidents can result in life or death
situations if a medical device is hacked, or an attack shuts
down a hospital's computer systems. Cybersecurity is a
collective responsibility and that is why it is imperative that
this sector find a way to come together to find a sustainable
path forward.
I look forward to hearing more from our witnesses about the
challenges of this sector and what is needed to bring unity and
commitment from all participants. These are the folks working
in the trenches and while the sector has shown signs of
progress, much work remains to be done.
Mr. Murphy. Now I would like to recognize for 5 minutes Ms.
DeGette of Colorado.
OPENING STATEMENT OF HON. DIANA DEGETTE, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF COLORADO
Ms. DeGette. Thank you very much, Mr. Chairman. Every day,
our infrastructure is under attack by those with malicious
intent. We are constantly seeing new headlines about
vulnerabilities and cyber attacks against our systems which are
becoming more frequent and more sophisticated. Cyber threats
are a reality we must face. Information systems connected to
the internet are integral to the operation of our economy and
our Government.
While this interconnection is essential, it also brings
vulnerabilities that bring serious challenges. They have
affected companies from various industries like retail and
banking, and now, as the chairman said, we are seeing
increasing vulnerability in the health sector. For example, in
2015, more than 113 million medical records were reportedly
compromised in cyber attacks. In one wildly publicized case, a
cybersecurity breach at Anthem compromised the personal
information of nearly 79 million people.
These attacks are a stark reminder that all industries are
vulnerable and neither the private sector nor the Government is
safe from cyber attacks. I am particularly concerned about
these vulnerabilities faced by the healthcare sector as more
and more Americans suffer the loss of personally identifiable
information and private medical records.
Defending our Nation's healthcare sector against a wide
range of cyber threats will require a coordinated effort
involving many players and approaches. I am very interested to
hear today about the information sharing and analysis center,
or ISAC. Several industries have established ISACs to encourage
private companies to share information about cyber
vulnerabilities and attacks. These ISACs have provided valuable
assistance to industry in their efforts to bolster
cybersecurity.
Federal agencies also collaborate with these ISACs to
facilitate the sharing of important information about cyber
threats and incidents. I am so happy to have before us today
the new head of the National Health ISAC, which is the ISAC
that coordinates information sharing among our Nation's
healthcare industry. The National Health ISAC shares
information on vulnerabilities relating to healthcare
providers, health IT companies, insurers, medical device
manufacturers, and pharmaceutical organizations.
I should note though that the National Health ISAC is a
relatively new player. I am still interested though in learning
about how it can leverage the experience of ISACs in other
industries to assist us in the healthcare sector. I am also
interested to hear how the National Health ISAC is helping its
members in the healthcare sector prevent the kind of breaches
that we have been seeing.
I look forward to hearing the witnesses' perspectives on
what challenges and vulnerabilities we face, and what is being
done, and how we can improve. Alongside that is the question of
the appropriate role of Government in encouraging and
supporting these efforts. Because this is such an important
area, I also hope in general we can continue to look for ways
to strengthen our cybersecurity systems. Particularly as it
relates to health care, I hope we can have more hearings about
solutions to the threats that we face, including ransomware,
hospital cyber attacks, and the theft of millions of Americans'
medical information.
Finally, Mr. Chairman, I want to remind the committee that
I along with my fellow committee member Susan Brooks, sitting
right over there, sent a letter to the FDA last year asking
about cyber vulnerabilities in medical devices. As these
devices become more advanced and integrated into our networks,
they are increasingly vulnerable to dangerous cyber attacks.
Because of the urgency of this issue, Mr. Chairman, I hope that
we can expand in future hearings how the FDA will address
emerging threats to medical devices.
While there is certainly no silver bullet when it comes to
solving cybersecurity threats, I am looking forward to hearing
from our witnesses about the role that the National Health ISAC
can play. I would like to see us take any steps we can to
improve healthcare cybersecurity and this may be a valuable
piece of that approach.
Thanks again, Mr. Chairman, for having this hearing. I
think this is another bipartisan issue that we can all agree
that we need to work together to address and to strengthen the
integrity of our medical records. I yield back.
Mr. Murphy. The gentlewoman yields back, and now the
chairman of the full committee, Mr. Walden.
OPENING STATEMENT OF HON. GREG WALDEN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF OREGON
Mr. Walden. I thank the gentleman, and I thank our
witnesses for your testimony.
We are well aware of the threats posed by our increasingly
connected society, but nowhere do these risks hit closer to
home than on the very technology we rely upon for our own
health care. The threats range from ransomware, breaches of
patient data at healthcare organizations, to the
vulnerabilities of pacemakers and other medical devices. Taken
in isolation, these and other threats pose serious challenges
to healthcare organizations. Collectively, they demonstrate the
breadth, complexity, and unavoidable nature of cyber threats in
modern society both now and for the foreseeable future.
You know, as technology becomes increasingly integrated
with all levels of our health care, cyber threats pose a
challenge to the entire sector. Everyone from the smallest
rural hospitals to large providers and device manufacturers
face some level of exposure and risk. Breaches, exploits, and
vulnerabilities are inevitable realities of modern society even
for the most well-resourced and sophisticated organizations.
But this does not mean doom and gloom for everyone with an
internet connection. It simply is reality and must serve as the
baseline for any discussion about cybersecurity. We may not be
able to stop every attack, but as the threats continue to
escalate, we must do more to minimize the risk. Improving
security is a collective responsibility. When we work together,
Government and private sector, large companies and small, we
can do more to improve security than if we attempt to solve it
on our own.
An attack on one organization may be prevented elsewhere if
we have the infrastructure and mechanisms necessary to
communicate effectively with others across the sector. Further,
if an event has widespread or national implications, we need to
coordinate an effective and efficient response with unity of
effort not confusion over roles and responsibilities. That is
why for almost two decades the United States has worked to
establish public-private partnerships to coordinate security
planning and information sharing within and across our 16
critical infrastructure sectors which include health care.
Effective collaboration between Government and the private
sector is vital to elevating our security posture. These
partnerships provide a vital link between those responsible for
the safety and security of the Nation and those who own and
operate the infrastructure critical to those objectives.
To date, these public-private partnerships have experienced
mixed results. Some sectors have been more successful than
others in coming together both with private-sector and
Government partners. The healthcare sector in particular has
struggled to coalesce around these public-private partnerships
for cybersecurity. It is this shared goal and that brings us
together today.
This hearing marks the important opportunity to hear from
our distinguished panelists about what is necessary to bring
the healthcare sector together and continue building momentum
in the right direction. Simply put, the cost of inaction is too
great. As the threats continue to escalate, so do our
cybersecurity challenges. We have seen the headlines, we know
the attacks will continue, but today is about what improvements
can be made so we can be better prepared for the inevitable.
With that Mr. Chairman, unless anybody wants the remainder
of my time I would yield it back.
Prepared statement of Hon. Greg Walden
We are well aware of the threats posed by our increasingly
connected society, but nowhere do these risks hit closer to
home than on the very technology we rely on for our own health
care. The threats range from ransomware, breaches of patient
data at heath care organizations, to the vulnerabilities in
pacemakers and other medical devices. Taken in isolation, these
and other threats pose serious challenges to healthcare
organizations. Collectively, they demonstrate the breadth,
complexity, and unavoidable nature of cyber threats in modern
society--both now and for the foreseeable future.
As technology becomes increasingly integrated with all
levels of our health care, cyber threats pose a challenge to
the entire sector. Everyone--from the smallest rural hospitals,
to large providers and device manufacturers--faces some level
of exposure and risk.
Breaches, exploits, and vulnerabilities are inevitable
realities of modern society, even for the most well-resourced
and sophisticated organizations. But this does not mean doom-
and-gloom for everyone with an internet connection. It is
simply reality and must serve as the baseline for any
discussion about cybersecurity. We may not be able to stop
every attack, but as the threats continue to escalate, we must
do more to minimize the risk.
Improving security is a collective responsibility. When we
work together--Government and private sector, large companies
and small--we can do more to improve security than if we
attempt to solve it on our own.
An attack on one organization may be prevented elsewhere if
we have the infrastructure and mechanisms necessary to
communicate effectively with others across the sector. Further,
if an event has widespread or national implications, we need to
coordinate an effective and efficient response--with unity of
effort, not confusion over roles and responsibilities.
That is why, for almost two decades, the U.S. has worked to
establish public-private partnerships to coordinate security
planning and information sharing within and across our 16
critical infrastructure sectors, which includes health care.
Effective collaboration between Government and the private
sector is vital to elevating our security posture,. These
partnerships provide a vital link between those responsible for
the safety and security of the Nation with those who own and
operate the infrastructure critical to those objectives.
To date, these public private partnerships have experienced
mixed results. Some sectors have been more successful than
others in coming together--both with private-sector and
Government partners. The healthcare sector, in particular, has
struggled to coalesce around these publicprivate partnerships
for cybersecurity. It is this shared, goal that brings us
together today.
This hearing marks an important opportunity to hear from
our distinguished panelists about what is necessary to bring
the healthcare sector together and continue building momentum
in the right direction. Simply put, the cost of inaction is too
great. As the threats continue to escalate, so too do our
cybersecurity challenges. We've seen the headlines--we know the
attacks will continue. But today is about what improvements can
be made so we can be prepared for the inevitable.
Mr. Murphy. The Chairman yields back. I now recognize the
ranking member of the full committee, the gentleman from New
Jersey, for 5 minutes.
OPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE
IN CONGRESS FROM THE STATE OF NEW JERSEY
Mr. Pallone. Thank you, Mr. Chairman, for convening this
hearing today.
This committee has a long history of examining
cybersecurity and, while we have made progress, it is clear
that we still have a lot of work to do. We continue to see
increasingly frequent and severe cyber attacks in both the
public and private sectors, and yet our dependence on the
internet and interconnected information systems only continues
to grow. Faced with these realities we must find ways to
bolster our defenses.
And this is especially true in the critical sector of
health care. Reports of cyber breaches such as the Anthem case
highlight the need for all industry members to come together
and find solutions. With the interconnection of health records
and now with network-connected medical devices, this problem is
becoming more urgent.
While there is no single solution to guarantee that
sensitive data will not be compromised, it appears that the
Information Sharing and Analysis Centers, ISACs, may play an
important role in our overall cyber defense strategy. Other
industries have used the ISAC model to encourage private
companies to share information about cyber threats, and today
we will hear about similar efforts at the National Health ISAC.
Personal information and medical records are increasingly
at risk of cyber attack and therefore it is crucial for members
of the healthcare sector to have access to information about
threats and vulnerabilities. If the National Health ISAC can
leverage and share that information, it may be able to help
strengthen the cybersecurity of the healthcare community.
I am also interested in hearing about what capabilities the
National Health ISAC can offer the health industry and what
challenges it faces. I am pleased to welcome Merck, which has a
major presence in my district and in New Jersey, at the hearing
today, represented by Mr. Terry Rice, who is vice president for
IT Risk Management at Merck. An effective national strategy for
security depends on a close partnership between Government and
the private sector, so I look forward to hearing the
perspectives of Merck, Philips and other companies in the
health sector.
We are faced with increasing threats in the healthcare
sector and that requires us to continue to identify effective
ways to strengthen our cybersecurity. And Mr. Chairman, these
problems do not have easy solutions. In order to prevent and
defend against a growing number of cyber attacks, we will need
long-term commitments from many players, and I look forward to
hearing from our witnesses about how the National Health ISAC
can enhance our cybersecurity and how this committee can
support those efforts.
And unless somebody else wants my time I yield back.
[The statement of Mr. Pallone follows:]
Prepared statement of Hon. Frank Pallone, Jr.
Mr. Chairman, thank you for convening this hearing today.
This committee has a long history of examining cybersecurity,
and while we have made progress, it is clear we still have work
to do.
We continue to see increasingly frequent and severe
cyberattacks in both the public and private sectors. And yet,
our dependence on the Internet and interconnected information
systems only continues to grow. Faced with these realities, we
must find ways to bolster our defenses.
This is especially true in the critical sector of health
care. Reports of cyber breaches such as the Anthem case
highlight the need for all industry members to come together
and find solutions. With the interconnection of health records-
and now with network-connected medical devices-this problem is
becoming more urgent.
While there is no single solution to guarantee that
sensitive data will not be compromised, it appears that the
Information Sharing and Analysis Centers (ISAC) may play an
important role in our overall cyber-defense strategy.
Other industries have used the ISAC model to encourage
private companies to share information about cyber threats, and
today we will hear about similar efforts at the National Health
ISAC.
Personal information and medical records are increasingly
at risk of cyberattack, and therefore it is crucial for members
of the healthcare sector to have access to information about
threats and vulnerabilities. If the National Health ISAC can
leverage and share that information, it may be able to help
strengthen the cybersecurity of the healthcare community.
I am interested in hearing about what capabilities the
National Health ISAC can offer the health industry, and what
challenges it faces.
I am also pleased to welcome Merck to the hearing today,
represented by Mr. Terry Rice, Vice President for IT Risk
Management at Merck. An effective national strategy for
cybersecurity depends on a close partnership between Government
and the private sector, so I look forward to hearing the
perspectives of Merck, Philips, and other companies in the
health sector.
We are faced with increasing threats in the healthcare
sector, and that requires us to continue to identify effective
ways to strengthen our cybersecurity.
These problems do not have easy solutions. In order to
prevent and defend against a growing number of cyberattacks, we
will need long-term commitments from many players. I look
forward to hearing from our witnesses about how the National
Health ISAC can enhance our cybersecurity, and how this
committee can support those efforts.
Thank you, and I yield back.
Mr. Murphy. All right, the gentleman yields back, and so
now let's begin here. I ask unanimous consent that the Members'
written opening statements be introduced into the record and,
without objection, the documents will be entered into the
record.
So now I would like to introduce our panelists of security
and privacy experts for today's hearing. First, we welcome Ms.
Denise Anderson, who serves as president of the National Health
Information Sharing and Analysis Center, NH-ISAC, as well as
chair of the National Council of Information Sharing and
Analysis Centers. Prior to this appointment, Ms. Anderson
served as vice president of the Financial Services ISAC.
Next, we welcome Mr. Michael McNeil, who serves as the
global product security and services officer for Philips. In
this role, Mr. McNeil is responsible for leading the global
product security program for the company and ensuring
consistent, repeatable processes that are deployed throughout
their products and services in the healthcare market. Mr.
McNeil is also here today representing AdvaMed, the Advanced
Medical Technology Association, as chair of AdvaMed's
cybersecurity working group. Welcome.
And lastly, we would like to welcome Mr. Terry Rice, vice
president of IT risk management and chief information security
officer at Merck. Mr. Rice is also a member of the board of
directors for the National Health ISAC.
I want to thank all of our witnesses for providing
testimony today and sharing your insights on the current state
of public-private partnerships and coordinating with
cybersecurity in the healthcare arena. Now you are all aware
that the committee is holding an investigative hearing and when
doing so has the practice of taking testimony under oath. Do
any of you have any objection to taking testimony under an
oath?
Seeing none, the Chair then advises you that, under the
rules of the House and rules of the committee, you are entitled
to be advised by counsel. Do any of you desire to be advised by
counsel during today's hearing? And seeing none, in that case
will you all please rise, raise your right hand, and I will
swear you in.
[Witnesses sworn.]
Mr. Murphy. Thank you. You are now duly sworn in and are
under oath and subject to the penalties set forth in Title 18
Section 1001 of the United States Code. Let's have you each
begin with a 5-minute summary of your written statement, and we
will begin with you, Ms. Anderson. Make sure your microphone is
on and pulled close to you.
STATEMENT OF DENISE ANDERSON, PRESIDENT, NATIONAL HEALTH
INFORMATION SHARING AND ANALYSIS CENTER; MICHAEL C. McNEIL,
GLOBAL PRODUCT SECURITY AND SERVICES OFFICER, PHILIPS
HEALTHCARE, AND CHAIRMAN, CYBERSECURITY WORKING GROUP, ADVAMED;
AND TERENCE M. RICE, VICE PRESIDENT AND CHIEF INFORMATION
SECURITY OFFICER, MERCK & COMPANY, INC.
STATEMENT OF DENISE ANDERSON
Ms. Anderson. Good morning, Chairman Murphy and members of
the subcommittee. I want to thank you for this opportunity to
address this subcommittee.
ISACs are primarily all-hazard, trusted communities that
promote the sharing of timely, actionable, and relevant
information and provide forums for sharing around threats,
incidents, vulnerabilities, best practices, and mitigation
strategies. ISACs gather and disseminate information quickly
and efficiently. Numerous incidents have shown that effective
information sharing works.
The ISACs collaborate and coordinate on a daily basis
through the National Council of ISACs and work with the Sector
Coordinating Councils. ISACs also work very closely with
various Government agencies. In partnership with DHS, several
ISACs participate in the National Cybersecurity and
Communications Integration Center, the NCCIC, as well as the
National Infrastructure Coordinating Center, the NICC, where
they play a vital role in incident response and collaboration.
The NH-ISAC is a global, nonprofit organization and its
members represent approximately one-third of the U.S. health
and public health GDP. In addition to its many services, the
NH-ISAC has a representative on the NCCIC floor and fosters a
robust machine-to-machine or automated sharing environment. The
NH-ISAC is also engaged in two groundbreaking initiatives. The
first is the CyberFit suite of services that allows members to
leverage the NH-ISAC community to realize cost savings and
efficiencies. The second is the Medical Device Security
Information Sharing Council, a forum for manufacturers and
hospitals to interact and collaborate in order to advance
medical device security and safety.
Under an MOU between the NH-ISAC, the Medical Device
Innovation, Safety and Security Consortium, MDISS, and the FDA,
a number of initiatives are underway including a program for
coordinated medical device vulnerability disclosure and a
program for medical device assessments. The highly collaborated
partnership with FDA, NH-ISAC, and MDISS, is a great example of
how industry and Government can come together to address
cybersecurity issues.
Today, because of advances in technology and the
efficiencies of connecting devices by the internet, the cyber
threat surface in health care has ballooned and the threat
actors have followed. The stakes are very high. The focus has
traditionally been on data and privacy, but if organizations
cannot deliver services, as was seen in ransomware attacks
recently, or data is manipulated or destroyed, patient lives
are at risk.
Congress can help meet this challenge by focusing on four
key areas: Education and facilitation of the importance of
information sharing. One of the great challenges for the ISAC
and all ISACs is the lack of awareness among the owners and
operators that the ISACs exist and are a valuable tool.
Government should regularly and consistently encourage owner-
operators especially at the board and CEO level to join their
respective ISACs.
A policy statement that provides explicit guidance to SSAs
and their sector constituents to integrate into their cyber
risk management and preparedness programs their participation
in and collaboration in ISACs is key. Another way to facilitate
sharing is providing financial incentives through tax breaks or
other means to organizations that join their respective ISACs.
Two, protect information sharing. Recently, the Automotive
ISAC was served a subpoena to furnish all documentation related
to communications between the ISAC and one of its members.
While the subpoena was quashed, the concern is that if courts
were to allow broad sweeps for information and using ISACs as
one-stop shops to accomplish it, such actions would effectively
kill information sharing. The confidential information shared
amongst the members of an ISAC should be protected and not
subject to disclosure.
Three, eliminate the confusion with the terms ISAC and
ISAO. The February 15th, 2015 executive order called on the
formation of Information Sharing and Analysis Organizations, or
ISAOs. ISACs were the original ISAOs. However, ISACs are much
more than ISAOs. It is absolutely essential that the successful
efforts ISACs have established over the years not be disrupted.
The EO and prominent coverage of ISAOs has led to much
confusion within industry regarding ISACs.
We have seen this clearly in the health sector. When FDA
announced the need for manufacturers to participate in an ISAO,
confusion ensued. The NH-ISAC is effectively serving as the
ISAO, but the FDA guidance by using the term ISAO resulted in a
lot of confusion that is still being sorted out. Government
needs to call out, recognize, and support the unique role ISACs
play and not apply ISAO as a blanket term for information
sharing.
Four, establish cybersecurity professionals as SSA
liaisons. It has become increasingly apparent that industry
needs an experienced Government representative at the SSA level
who understands cybersecurity issues, threats, vulnerabilities,
and impacts, as well as the blended threats between physical
and cybersecurity. Having an established, clear go-to lead in
this area is imperative.
Thank you. This concludes my testimony and I thank you for
the opportunity and I look forward to your questions.
[The prepared statement of Ms. Anderson follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Murphy. Thank you. Mr. McNeil, you are recognized for 5
minutes.
STATEMENT OF MICHAEL C. McNEIL
Mr. McNeil. Thank you, Chairman Murphy, Ranking Member
DeGette, and members of the committee for the opportunity to
testify today.
It is critical to both patient well-being and the medical
technology industry that medical devices are safe and that
risk, including cybersecurity threats, are appropriately
managed. AdvaMed, the world's largest trade association
representing medical technology manufacturers and its member
companies, including Philips, are committed to a robust
cybersecurity framework as part of the development and
postmarket management of medical technologies.
Our strategies include not just staying on top of emerging
software-based vulnerabilities and potential external threats
while anticipating how they might affect our products and
solutions, it also includes collaborating with regulatory
agencies, industry partners, and healthcare providers to close
security loopholes. This includes participation in the
Healthcare Industry Cybersecurity Task Force sponsored by
Health and Human Services, HHS.
I'd like to emphasize, one, medical device development and
security risk management. Medical device manufacturers must
address cybersecurity throughout the product lifecycle. This
includes the design, development, production, distribution,
deployment, maintenance, and disposal of devices and associated
data. Second, system level security. AdvaMed member companies
have developed foundational principles for the management of
medical device cybersecurity and believe that medical
technology cybersecurity is a shared responsibility among all
stakeholders within the healthcare community including
manufacturers, hospitals, physicians, and our patients.
Third, we need to have coordinated disclosure. Medical
device manufacturers should deploy a coordinated disclosure
process that provides a pathway for researchers and others to
submit information including potential vulnerabilities.
Coordinated disclosure processes should define the
responsibilities of both the manufacturers and researchers.
Whenever potential vulnerabilities involving a medical device
are discovered, findings should first be brought to the
attention of the manufacturer and/or the FDA for review,
analysis, and possible remediation.
Third, information sharing. The industry should share
threat and vulnerability information to assist manufacturers in
continuously managing their devices' cybersecurity throughout
the product's lifecycle. And then fourth, a consensus around
our standards, regulatory requirements, and education. The
development of cybersecurity-related consensus standards and
regulations should be accomplished collaboratively among the
regulators, medical device manufacturers, independent security
experts, academia, and healthcare delivery organizations.
The U.S. Food and Drug Administration, the FDA, should be
commended for leadership in medical device cybersecurity. The
FDA and its cybersecurity staff have worked closely with the
medical technology industry and the broader healthcare
ecosystem to ensure medical device cybersecurity is considered
and addressed throughout all stages of the product design and
use.
AdvaMed and Philips are among the organizations that look
forward to continuing to work with Congress and the
administration to ensure that the medical technology industry
maintains a forward-leaning approach to cybersecurity and the
devices that they produce are safe for our patients.
Thank you very much for this opportunity.
[The prepared statement of Mr. McNeil follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Murphy. Thank you, Mr. McNeil. Mr. Rice, you are
recognized for 5 minutes.
STATEMENT OF TERENCE M. RICE
Mr. Rice. Thank you. Chairman Murphy, Ranking Member
DeGette, and members of the subcommittee, my name is Terry Rice
and I have been involved in healthcare cybersecurity for 15
years. I also participate in a number of public-private
partnerships that are working diligently to improve the
cybersecurity across the healthcare sector and I appreciate the
opportunity to testify on this important matter.
Nowhere is the cybersecurity challenge more acute today
than in the healthcare industry. In just the last few years, as
has already been mentioned, we've seen more than a hundred
million health records of American citizens in a couple of
well-publicized incidents. We have seen how software
vulnerabilities in insulin pumps and pacemakers can be
exploited to cause potentially lethal attacks. And we have
witnessed entire hospitals in the United States and the U.K.
shutting down for multiple days to combat ransomware infections
in critical systems.
Unfortunately, I believe these incidents underrepresent the
risk we are facing in the industry and I make this statement
based on five observations. First, the total number of
cybersecurity incidents is significantly underreported due to
current disclosure laws. Number two, electronic evidence
gathered through normal security monitoring suggests there are
a lot more breaches and incidents than what is currently
reported. Three, the healthcare industry consists of many small
to midsized businesses that lack the capital and personnel to
deal effectively with all but the most basic cybersecurity
issues.
Fourth, in our industry, the need for portability of health
information to adequately care for patients increases the risk
unlike many other sectors. Five, recent advances in healthcare
technology along with the proliferation of electronic health
records and healthcare applications has opened up a much wider
array of cybersecurity risks and exposures. The combination of
these observations leads me and many of my peers to believe
that the cybersecurity situation in the healthcare industry is
far worse than what current reporting indicates.
Neither the private sector nor the Government can solve
this problem alone. We must work collaboratively and
transparently to reduce this risk. As a participant and user of
services provided through multiple public-private partnerships
identified in my written submission, I feel each provides
tremendous value and has become an integral and essential part
of the defense of my organization.
We consume intelligence from the NH-ISAC on a 24 by 7 basis
to update our defenses, we utilize digital identities from the
SAFE BioPharma Association to protect sensitive data, and we
participate in the Sector Coordinating Council meetings to
discuss emerging topics in the cybersecurity area.
But I think there's a lot of opportunity to do more and
I'll cover five of the observations, or five of the items that
I hit in my written testimony.
First, HHS should appoint a senior cybersecurity
professional with healthcare-sector experience as the primary
liaison to industry. Today, there are multiple offices within
the Department that have some responsibility for cybersecurity
outreach, but none of them have it as their primary task.
Furthermore, few organizations have the detailed cybersecurity
knowledge and experience to engage with their private industry
peers. This new role would be the focal point for all
cybersecurity interactions with the private sector and would
serve as the Government lead on the rest of the opportunities.
Number two, HHS should work with the Sector Coordinating
Council and private sector to develop a more comprehensive
cybersecurity protection plan for the industry. While the high-
level cybersecurity plans were captured in the latest iteration
of the Healthcare and Public Health Sector Specific Plan dated
May 2016, a more thorough and detailed plan should be
developed. The current plan is only two pages. Third, HHS and
the NH-ISAC should work with DHS, law enforcement, and the
intelligence community to increase the quality of intelligence
and the speed with which it is shared to the private industry.
Fourth, HHS and the Sector Coordinating Council, the NH-
ISAC, should work with the private sector to schedule and
execute tabletop exercises and other simulations to assess the
effectiveness of the cybersecurity plan within the healthcare
environment. These events would be similar to the Hamilton
series of exercises conducted by the Department of Treasury and
the financial services sector that led to the creation of
capabilities such as the Sheltered Harbor concept that is
scheduled to go operational this year.
Fifth and finally, HHS, DHS, and the Sector Coordinating
Council should collaborate with global agencies and
institutions to share intelligence best practices and emerging
concerns. This is a global problem. Thank you.
[The prepared statement of Mr. Rice follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Murphy. Thank you. I will now recognize myself for 5
minutes of questions. So let's start off in identifying what
this is, because this gets into a lot of weeds and pretty
technical for us.
So what is the worst-case scenario? What happens if these
problems aren't fixed? What happens in the healthcare sector
with everything from medical devices to medical records to
pharmaceuticals, all these things, what problems? I mean what
is the problem that emerges here, Ms. Anderson?
Ms. Anderson. I think one of the big problems would be if
manipulation of data. So if, for example, if a threat actor
went in and said I'm going to, if you have a hundred medical
records I'm only going to change two or three of them and you
have to figure out which ones were manipulated that could
actually have a huge impact on patient care and safety, because
if someone were a diabetic, for example, and that was taken
from their record, or allergic to a particular medicine that
could be, you know, very detrimental.
Mr. Murphy. So that would be someone who just for malicious
intent, they just wanted to cause problems or they would want
to----
Ms. Anderson. Maybe to----
Mr. Murphy. Ransom.
Ms. Anderson [continuing]. Ransomware as well, yes. So we
have seen that as, you know, where people have held things for
a ransom, ransomware attacks obviously, or even access to their
Web sites or access to information. So that would be a criminal
motivation as well.
Mr. Murphy. Mr. McNeil?
Mr. McNeil. So I would build upon the information that
Denise just stated and elaborate that, if you do manipulate
some of the information, at least as it pertains to the medical
devices, that could lead to patient safety directly with the
patient's health in terms of either misinformation that is used
in diagnosis and treatment as well as the manipulation of how
those devices can function.
Mr. Murphy. So real life-and-death harm, or certainly
causing complications in the hospital. Expensive difficulties
emerge from this if we don't fix this.
Mr. McNeil. Correct.
Mr. Murphy. Mr. Rice, do you have anything to add to that?
Mr. Rice. Sure. The patient safety issue is top of mind,
but that also would further break down trust and potentially
the adoption of new medical technology which could have
ramifications on healthcare delivery. There's also the issue of
continuity of service as we've seen with the ransomware issues
that have come up in hospitals and not able to provide critical
care. And then, finally, the loss of intellectual property and
trade secret information, which could have long lasting
economic impacts.
Mr. Murphy. Thank you. We will see if we can take care of
the technical problems of our sound system. I apologize for
that.
So, Ms. Anderson, I understand that NH-ISAC and--it is
being held ransom--has historically struggled to be effective
and a reliable resource for the sector. So, based upon your
previous experience with the financial-sector ISAC, which is
often considered to be the gold standard among these
organizations, what is necessary for NH-ISAC to succeed and are
there any unique aspects of the healthcare sector that are
particular challenges for you and your organization?
Ms. Anderson. Absolutely. So, you know, with health care,
for example, the smaller--there are many, many smaller
organizations that--you know, your small physician practices.
If you go down the street, you'll see a chiropractor's
practice, a dentist's office, these are all very vulnerable to
cyber attacks or incidents, and they are probably the lowest-
hanging fruit and don't have the cybersecurity practices in
place.
So being able to encourage those smaller practices, being
able make them cyber savvy, being able to educate them on their
staff and why it's important to be aware of cybersecurity and
things that they can do to protect themselves against it is
important. With the Financial Services ISAC, we're actually now
with the National Health ISAC delivering many of the services
if not more that the Financial Services ISAC has been able to
do for their members. But they have been able to grow over time
and they have a successful community of sharing and that's
something that we need to build within the NH-ISAC.
Mr. Murphy. Well, let me ask that maybe Mr. McNeil and Mr.
Rice can weigh in this. So, when we talk about the membership
involved, that information flows two ways. It flows down to the
members, the doctor's office, the medical supply companies, the
hospital, but it also flows upwards, and does that help? Does a
membership size affect this?
Mr. Rice. It actually flows also a third direction, which
is laterally, and that actually is the greatest volume today.
So, when one member of the 200-plus companies that are in the
ISAC today sees something that is hitting their network, they
take the information and rapidly pass it to other individual
companies that are members of the ISAC. That allows us to take
that information, update our defenses before that same actor is
able to attack us, almost like a neighborhood watch program.
Mr. Murphy. But with this, and we saw this in the
financial sector, many banks were hesitant to share information
laterally because it made them look more vulnerable, it affects
their stock, et cetera, et cetera. So is this lateral sharing
working out OK, Mr. McNeil?
Mr. McNeil. I believe that the lateral sharing will
continue to grow. I think it's still in its infancy, to be
quite honest, for our particular industry. I think that we're
putting in the appropriate mechanisms, one being the postmarket
guidance from the medical device sector with the FDA, so that
it affords us much more ability for that sharing as a part of
the process of us reporting our vulnerabilities to the
Government and to our constituents.
Mr. Murphy. Thank you. My time has expired. I recognize Ms.
DeGette for 5 minutes.
Ms. DeGette. I have several questions, but I want to ask
something that I have been wondering about. We keep talking
about vulnerabilities of medical devices, and I am the co-chair
of the Diabetes Caucus in Congress so that kind of worries me
about the insulin pumps, but there is lots of other kinds of
medical devices that can be vulnerable too. And I know that
Johnson & Johnson warned customers about a security bug in one
of its insulin pumps last fall, and then St. Jude dealt with
some vulnerabilities in defibrillators, pacemakers, other
medical electronics.
I don't know, Mr. Rice, maybe Mr. McNeil, have we actually
had examples of these pumps being, or these various medical
devices actually people taking them over or is it just an
identification of a threat? Have we actually had attacks?
Mr. McNeil. So I'll speak first.
Ms. DeGette. Yes.
Mr. McNeil. There has not been a direct communicated
reportable hack of a device. It has been in demonstration that
those activities could be taking place. At this point in time
we don't----
Ms. DeGette. And is the risk of these attacks an individual
or is it a whole class of devices?
Mr. McNeil. So the actual devices and what has been
communicated are individual in terms of those attacks that have
been demonstrated. But ideally, as you can know, if you have
multiple devices that have the same types of vulnerabilities
and defects then potentially those same issues would take
place.
Ms. DeGette. That is why it is so urgent that we try to----
Mr. McNeil. Correct.
Ms. DeGette. OK. Ms. Anderson, I wanted to ask you a little
bit about the ISACs. The purpose of an ISAC is to help private-
sector entities share cyber-related threat information with one
another; is that right?
Ms. Anderson. That's correct.
Ms. DeGette. And the private sector can get this
information from the Federal Government, often from the
Department of Homeland Security; is that right?
Ms. Anderson. That's correct.
Ms. DeGette. And the Financial Service ISAC where you used
to work it was quite successful in allowing that sector to
share threat information involving the banking sector.
Ms. Anderson. Correct.
Ms. DeGette. So, turning to the healthcare sector, the
risks as we have heard today are getting greater which includes
risks on insurance companies, hospitals, medical devices, et
cetera. That is what you are looking at right now.
Ms. Anderson. Absolutely.
Ms. DeGette. And so, you know, the National Health ISAC has
not been around as long as these other ISACs like the financial
services or energy sectors, so I guess given your expertise
with financial services what more do you think needs to be done
to make the National Health ISAC meet its full potential to
serve its members effectively?
Ms. Anderson. So I think that being able to make the
constituents within the sector aware of the fact that the ISAC
exists and that----
Ms. DeGette. That is usually a fundamental----
Ms. Anderson. Yes, that's----
Ms. DeGette [continuing]. Tenet.
Ms. Anderson [continuing]. Key, right. You know, and to
make sure that they know it's a valuable tool that they can use
to help protect them, because, as Terry mentioned, one person's
defense is everybody else's offense, and that's kind of the
concept behind the ISACs. So that is key.
You know, mentioning what I mentioned in my oral testimony
and written testimony about maybe tax breaks or incentives to
get organizations to join, or any other means by through the
SSA or others to encourage those constituents to join the ISAC
is a best practice.
Ms. DeGette. Now HHS has provided some funding through
cooperative agreements to the National Health ISAC, so it looks
like they support the concept of importance. What else can HHS,
or what can we do to help achieve these goals that you are
talking about?
Ms. Anderson. I think again, you know, being able to build
into the NIST Cybersecurity Framework that one of the best
practices would be to participate in an information-sharing
organization, or ISAC if it's critical infrastructure, is
something that should be built into those standards, I believe,
and then also being able to encourage those players especially
at the CEO level.
I was recently at a conference of rural hospitals and
cybersecurity wasn't even spoken about or even on the radar. So
there needs to be a huge education made at the CEO and board
level that this is important.
Ms. DeGette. Mr. McNeil, maybe Mr. Rice and then Mr.
McNeil, you both sit on the board. Do you have any suggestions
what can be done?
Mr. Rice. Definitely. I believe as Denise was saying
getting somebody in as the sector coordinating liaison to
address at the board level. We have 200 members, which is a
pretty decent start, but the FS-ISAC has 6,000 members.
Ms. DeGette. Wow.
Mr. Rice. And so we need to reach out a lot more to get all
of those entities sharing information. And even if only a small
percentage are active sharers, if you've got a base of 6,000
that's a lot more data about attacks that are occurring across
the ecosystem than even a small percentage of 200.
One of the other challenges is as more and more attacks
take place and more information is shared, you need to have the
mechanisms to consume the data in an automated way. Humans
cannot process that data. Larger entities have the capital and
the wherewithal to be able to put in systems and capabilities
to consume and immediately respond. The small rural hospitals
are doing it manually. And so there needs to be a way where we
can put in the automated capabilities to allow this sharing to
occur more effectively.
Ms. DeGette. Thank you. I am out of time, so I don't know
if you want to let Mr. McNeil----
Mr. McNeil. The only addition would be tenfold the growth
and the education and the communication. That's what we really
need to have at this point.
Ms. DeGette. Thank you.
Mr. Murphy. Thank you. I now turn towards the vice chair of
the committee, Mr. Griffith, for 5 minutes.
Mr. Griffith. Thank you very much, Mr. Chair, and I
appreciate it. I have got to tell you, I really like these
hearings where we are learning all kinds of interesting
information and where we have to figure out how do we make the
system better from our positions in Congress.
So, Ms. Anderson, let me ask you. In your testimony you
described how the Auto ISAC was recently subpoenaed by an
entity looking for all communications between the Auto ISAC and
one of its members. While the subpoena was ultimately rejected,
you say that the incident itself was troubling.
Why was this situation problematic, and if you know can you
tell me, because I know the judge ruled that it was just a
phishing expedition, but what were they looking for?
Ms. Anderson. They were looking for any communications
between that member and the ISAC, which there were a lot of
nuances behind it because actually the ISAC didn't exist when
the alleged incident occurred, so they were just kind of
throwing spaghetti against the wall. But the concern as I
mentioned is that if there is a trend for going after ISACs for
a one-stop shop shopping for information that could be
detrimental to information sharing.
Mr. Griffith. And I do understand that. What specific
protections exist or may be necessary to limit the negative
consequences of this type of incident or subpoena?
Ms. Anderson. If there were some way that, you know,
Congress could help protect that information that gets shared
confidentially amongst the members, because as we were talking
a little bit earlier with the lateral sharing, trust is a key
factor in that. And that's the beauty of the ISACs, they are
trusted communities. So being able to protect that trust is
absolutely key.
Mr. Griffith. And I tend to agree that there ought to be
some level of protection, but then I have also heard testimony
and discussions today that make me think that maybe we ought to
put some limitation on that. So, if we have that communication
limited, but we said if there is clear or convincing evidence
that would indicate that there may have been malfeasance or
intentional tortious action, would you agree with that?
Let me explain that so folks--I know you all get it. But if
we have got a fear that insulin pumps or pacemakers or
something else may be vulnerable and researchers share that
with the ISAC and ISAC notifies the medical device production
company or the company that has made it and they take no action
and then there comes harm to some individual, obviously there
you have, you know, a knowing and understanding that they are
risking people's lives by not taking preventive actions. And I
would want that information to be able to be shared after a
judge ruled that there was some pretty good evidence that
something like that happened. Would you not agree with that?
Ms. Anderson. I would agree with it, definitely, to some
extent. I think the information that gets shared within the
ISAC probably would not even fall along those lines----
Mr. Griffith. OK.
Ms. Anderson [continuing]. Because we're sharing malicious
IP addresses and we're sharing malware and we're sharing
phishing emails and subject lines and things like that. So I
believe personally that product liability issues probably will
not be a factor in something that would want to be collected.
Mr. Griffith. I guess I was thinking in that direction
because there was an indication that some of the information
that I saw indicated that there was a device that researchers
found a vulnerability and, instead of going to the company,
they went to a hedge fund.
Ms. Anderson. Yes.
Mr. Griffith. I would want them to share that through some
mechanism with the company so the company could fix it.
Ms. Anderson. Correct.
Mr. Griffith. And then I would want to protect it up to
that point, but then if the company shows in a total disregard
for safety chose to ignore that information then I would want
that information to be available.
Ms. Anderson. Yes, I would agree with you.
Mr. Griffith. OK. And if we craft something like that you
would be all right with that, but you do think there needs to
be something that makes it clear they can't just go on phishing
expeditions every day because it makes it expensive for the
ISAC and makes it troublesome for the companies who are trying
to share info.
Ms. Anderson. Absolutely.
Mr. Griffith. All right, I appreciate that. Mr. McNeil and
Mr. Rice, on those situations that I put forward do you all
have any suggestions, comments, advice?
Mr. McNeil. Well, I think the first one is at least with
the manufacturers and the researchers with the example you
gave, if we are following the postmarket guidance which the FDA
has issued, it would allow us to have more of that coordinated
disclosure. And in the event that that coordinated disclosure
does not take the fruit that it should bear, then yes, I would
be supportive of what you've stated in terms of appropriate
requirements from the Government associated with that.
Mr. Griffith. All right. And I should note before Mr. Rice
speaks that I believe it was your testimony that said some nice
things about the FDA. And oftentimes we are only dealing with
problems in this committee so it is nice to hear some good
things too.
Mr. McNeil. Thank you.
Mr. Griffith. Mr. Rice?
Mr. Rice. The only other point I would add is that after
the computer information sharing act of 2015 that was passed we
actually did see an uptick because there was some rudimentary
liability protections that were put into that act. So I do
believe Congress has a role in helping to foster these sharing
communities.
Mr. Griffith. I appreciate that very much and with that Mr.
Chairman, I yield back.
Mr. Murphy. The gentleman yields back. I now recognize Ms.
Schakowsky for 5 minutes.
Ms. Schakowsky. Thank you, Mr. Chairman. Seems to me that
not only are we faced with cybersecurity threats targeting
hospitals, insurance companies, and providers, but also the
medical devices we use. And I wanted to quote from a 2017
article in Wired magazine that said, quote, Johnson & Johnson
warned customers about a security bug in one of its insulin
pumps last fall, and St. Jude has spent months dealing with the
fallout of vulnerabilities in some of the company's
defibrillators, pacemakers, and other medical electronics. You
would think by now medical device companies would have learned
something about security reform. Experts warn they haven't,
unquote.
The cybersecurity warning pertaining to defibrillators
manufactured by St. Jude Medical are particularly concerning to
me. Right before these concerns were made public, St. Jude
Medical and the FDA issued a voluntary recall for these devices
due to premature battery depletion. Many patients including one
of my staff were required to undergo surgery to replace the
defective device.
And I can't imagine going through that ordeal only to find
out that the new device, the new device could be vulnerable to
a cybersecurity attack. Just to say this is a young woman on my
staff that has a congenital heart condition and it is a really
big deal to have to go through an additional surgery, which by
the way St. Jude won't pay for all of it. That is another
matter.
So, Mr. McNeil, what actions are medical device
manufacturers taking to make sure medical devices are secure
from cybersecurity threats both before and after they reach the
market?
Mr. McNeil. So one of the very first areas that a medical
device manufacturer needs to maintain and be the mantra that
they think about is patient safety. And when you look at the
development and the programs that we put in place, we cannot
look at the lifecycle of the development of the solutions as we
did in the past and years before when you did not have
connected environments and you did not have the access that
currently exists with these types of products and solutions
that are in our patients and in the marketplace.
So, first and foremost, you need to make sure that through
your development lifecycle that you are doing the appropriate
testing and the risk assessments aligned to that clinical
environment and the setting that those products and the
solutions would be offered. And you have the continuous rigor
within your cybersecurity program around the monitoring and the
surveillance to ensure that those particular products are free
and as much can be of any types of vulnerabilities.
Ms. Schakowsky. Well, obviously that is what they should
do. But, you know, how do we make sure they do that? And also,
Mr. McNeil, how do medical device manufacturers alert customers
of a potential security risk to their medical device? What
policies and procedures do device manufacturers have in place
to ensure consumers' notification is timely and effective?
Mr. McNeil. So, again, I think, number one, you need to be
able to do the appropriate security program and initiatives
that are stated. Secondly, as a part of that program,
communications is one of those utmost areas of focus,
communications not only with the actual patients or consumers,
but also through the Federal drug administration, with the FDA,
because of their direct oversight and guidance over these
manufacturers in terms of the development of their products and
solutions.
And I think that if you align within those particular
frameworks, it affords us the ability to get that effective
communication in a timely manner, you know, throughout the
system both with the regulation and with directly to the
consumer.
Ms. Schakowsky. Well, I understand the U.S. Food and Drug
Administration entered into a Memorandum of Understanding with
the National Health ISAC and Medical Device Innovation, Safety
and Security Consortium to promote cybersecurity information
sharing for medical devices. In December of 2016, the FDA
released final guidance on the postmarket management of
cybersecurity and medical devices.
And further, a medical device-specific information sharing
and analysis organization, the Medical Device Vulnerability
Intelligence for Evaluation and Response, has launched a
streamlining effort to share the information regarding
cybersecurity issues. I wondered if anyone wanted to respond to
that. Mr. McNeil?
Mr. McNeil. So, as a participant, I participate directly
from a Philips perspective. We have been directly communicating
and working with the NH-ISAC and the MDISS as well as the
collaboration with the FDA, and we also have been working with
external researchers within our products and solutions to make
sure that we're communicating any identified activities from a
vulnerability perspective through that particular initiative
with NH-ISAC.
Ms. Schakowsky. I thank you. I yield back.
Mr. Murphy. The gentlelady yields back. I now recognize Dr.
Burgess for 5 minutes.
Mr. Burgess. Thank you, Mr. Chairman, and I thank you for
having this hearing. This is a timely topic and one that is, I
think, important to every member of this subcommittee. In fact,
on another subcommittee in the last Congress, I was chair of
the Commerce, Manufacturing, and Trade Subcommittee. We did a
lot of work on the ransomware issue, and it is one that
continues to trouble me as a physician in my former life.
Ms. Anderson, let me just ask you, and Chairman Murphy
asked you about the Financial Services Information Sharing and
Analysis Center. Are there lessons from the financial side that
we could incorporate into the healthcare side? And one of the
things that strikes me as you all were talking, on the
financial side, if someone uses my credit card I will
oftentimes get a call even if I give it to my staff member and
say, ``Go get us a hundred Chick-Fil-A's for lunch,'' I will
get a call that says, ``Is this really a legitimate purchase?''
So that is not necessarily a bad thing. They see unusual
activity on a financial transaction online and will call it to
your attention. Do we have anything that is analogous in the
healthcare sector where anyone is doing any kind of looking at
a predictive modeling way of notifying a physician or a patient
that there is unusual activity regarding their healthcare
transaction?
Ms. Anderson. Well, certainly, there are security vendors
that offer that service, so they're, you know, what we call
managed service providers and they're able to monitor the
network traffic that you know, if they are employing those
services they're monitoring that traffic and then alerting them
on that.
And we're also looking at some initiatives within NH-ISAC
where we'll be able to handle traffic that, network traffic for
various members as they participate and be able to alert them
on things, anomalies that we may be seeing in their
environment.
Mr. Burgess. And yet when we do hearings and we talk about
problems in the Medicaid system and the Medicare system, the
GAO will report back to us that these are high-risk entities
that are at high risk for inappropriate payments. We won't call
them fraudulent, but let's just put it in the inappropriate
payments category. And is there any way we can improve upon
what the GAO has told us for years are high-risk activities,
can we improve on those with copying the lessons say from the
financial sector?
Ms. Anderson. Oh, I would say so, yes. I mean the banks are
able, they've, over time they've been able to develop complex
algorithms where they're able to monitor traffic and behavior,
you know, so payment behavior and pattern behavior of
purchasing. So they've absolutely been able to do that, and I
think it's applicable to the Medicare and Medicaid systems.
Mr. Burgess. Do you know why we haven't done that yet?
Ms. Anderson. I'm sorry. I do not.
Mr. Burgess. OK, Mr. Chairman, there is the subject of
another hearing. Really, this is for anyone. I guess, Mr.
McNeil, it was in your testimony where you talked about the--
no, I am sorry. Mr. Rice, it was your testimony. Anecdotal
evidence suggests there is a lot more cybersecurity incidents
than what are currently reported.
You know, I have a newspaper article from a few days ago
back home in Texas, where a practice in Austin was struck with
a ransomware attack. They looked to me like they had done the
right things. They didn't pay any money. They had a back-up
system. They wiped their servers. Patient care was perhaps
interrupted briefly, but only for a period of 24 hours and they
were able to be back up and running pretty quickly.
So it almost sounds like a success story, but then further
in the article it talks about now they are on the wall of shame
from the Office of Civil Rights in Department of Health and
Human Services. And you go to the Office of Civil Rights,
Department of Health and Human Rights and look at the wall of
shame and there are indeed almost 2,000 entities, I think
1,827.
So--and I realize this was set up by a congressional
directive in the HITECH Act, and we told them to open this
portal and it goes back to 2009. But is this really serving a
good purpose, to be punitive to people who--again, you read the
first part of the article, it looks like they did everything
correctly?
And I identify another practice actually in my district in
Denton, Texas that apparently they had some computer equipment
stolen so that theft has now placed them on the wall of shame I
guess in perpetuity. Is that the best way we can go about
handling this?
Mr. Rice. I think we need to look at each case based on its
own merits. In some cases, there may be incidents that were
well handled as the example that you pointed out. I think the
Defense Industrial Base recently has moved to mandatory
disclosure, nonpublicly, where there can be incident analysis
done to determine what the threat actors were, what actions
were taken, were the actions appropriate, much in the manner
that the NTSB today investigates airline and other types of
traffic safety issues.
I think that would be a way to better understand and get a
better baseline of the incidents that are actually happening
across the board.
Mr. Burgess. But you can say we have got a problem with
people underreporting and yet we clobber them when they do
report and we put them on this list that is in perpetuity. I
just think, Mr. Chairman, I know I am way over time, but I
think probably reasonable for us to re-look.
In fairness, I did not vote for the HITECH Act. It was part
of the stimulus bill in 2009, so it would be easy for me to say
it is not my problem. But it is all of our problems and I do
think that is something that needs to be fixed. Thank you, Mr.
Chairman. I will yield back.
Mr. Murphy. Indeed, yes, good point.
Ms. Clarke, you are recognized for 5 minutes.
Ms. Clarke. I thank you, Mr. Chairman, and I thank our
ranking member. I thank our panelists for the expert testimony
here this morning.
Mr. Chairman, cybersecurity incidents continue to threaten
our critical infrastructure including the healthcare sector. A
2015 Financial Times report on health cybersecurity discussed
the Anthem breach that resulted in over 78 million people
having personal and medical information compromised. This was a
truly troubling revelation.
The report said, quote, ``Anthem's breach sent a wave of
panic through the healthcare industry. It exposed clients' most
sensitive and valuable personal information and revealed just
how unprepared the health industry was to threats from
increasingly sophisticated cyber criminals and from nation-
states,'' end quote.
It is now 2017, and I would hope that we have made strides
in preventing this type of breach from occurring at Anthem or
any other health-sector company. So, Mr. McNeil, what actions
do private-sector companies take to prevent breaches like the
one that impacted Anthem?
Mr. McNeil. I think very often companies need to make sure
that they're exercising within their own environment. As Mr.
Rice, Terry, just stated earlier in his testimony, doing
tabletop exercises so that you are exercising the rigors of
incidents and activities and measurements. That you also, as I
would do in our organization--for example, we have a group of
actually security we call the ninjas, and my team of testers
actually go out and test within our environment.
So, if you're not doing and exercising internally what
potentially could be happening to your organizations from an
external perspective, it's hard to always be able to combat
that activity.
Ms. Clarke. So to you, Mr. McNeil, and also Mr. Rice, is
there significant variation in the cyber capabilities of
companies in the healthcare sector?
Mr. McNeil. Yes, there definitely is a variation of
capabilities. Because you have very small to very large
organizations, and even within the large organizations that
doesn't mean that they have the most adequate and up-to-date
cybersecurity hygiene and discipline, it's identifying the fact
that you need to have a governance program from the top of
whatever size that the organization is down to and throughout
the organization.
Based upon that governance you put in the appropriate
acumen around doing the testing, developing your products from
a secure perspective, understanding how you are developing the
solutions, and then making sure that you're testing and
monitoring the threats within your entire environment. But yes,
I would say that there's work that needs to be done and
attention throughout the ecosystem of the organizations in
health care.
Mr. Rice. I would add that one of the things that has
helped tremendously in the last couple of years is the
publication of the NIST Cybersecurity Framework. That framework
identifies a layered defense concept in which first you
identify what are your most critical assets, then you try to
prevent bad things from happening. But we realize that even the
best protected organizations may have issues. So then you need
to detect, respond, and ultimately recover if something really
goes bad.
Inside of that cybersecurity framework, there are maturity
levels that allow organizations to start to assess themselves
against those controls, and the latest HIMSS study showed that
61 percent of healthcare companies were in the process of
adopting the NIST CSF.
One of the things that Denise mentioned that we're doing
within the ISAC is this capability called CyberFit and we are
creating a benchmarking capability to allow members to rate
themselves across the sector as well as within the subsector.
So a small healthcare provider compared to other healthcare
providers versus a large pharmaceutical company, they get a
good benchmark as to where they stand.
Ms. Clarke. So let me ask the panel, how can the National
Health ISAC help some smaller companies bolster their defenses?
Ms. Anderson. I think, you know, being able to bring them
into the fold and share information with them make them aware
of even why it's important to engage in cybersecurity
practices. I was just talking to someone that ran a medical
practice and they were not aware, you know, they were told
repeatedly by HR do these things, do these things, but they
didn't understand the consequences of the fact of when they
didn't do it. And so making people aware of the impacts and
potential consequences I think is very important especially in
these smaller organizations.
Mr. McNeil. I would agree. As a board member, that's one of
our major focus areas within NH-ISAC is looking at how we can
expand the growth and the breadth of the organizations that are
participating. And so we are looking at different tiers in
order to make sure that that outreach and that awareness, you
know, increases. And again I would say our goal is looking at
that tenfold growth which has to happen immediately.
Mr. Rice. Under Denise's leadership, we have greatly
expanded the capabilities that the ISAC brings to the table.
And one of the most recent initiatives just started was to
divide up and have each member of the ISAC create portions of a
security incident response plan or a security operations plan,
and then when that is done to donate that into the public
domain or at least into the healthcare sector.
So the small entities that don't have a security officer,
they can take that document and start to use it at least as a
bare-bones capability to deal with any incidents that they
face.
Ms. Clarke. Thank you, Mr. Chairman. I yield back.
Mr. Murphy. Mrs. Brooks, you are recognized for 5 minutes.
Mrs. Brooks. Thank you, Mr. Chairman. I do applaud the work
that the industry and Federal Government have done together to
ensure that all potential vulnerabilities for individual
medical devices and large cyber threats are addressed.
As my friend and colleague, the ranking member, Congressman
DeGette, mentioned earlier, I am the vice chair of the Diabetes
Caucus, and we did write a letter to the FDA outlining several
questions about how the agency is working with the industry to
mitigate existing vulnerabilities and prevent emerging threats.
However, we are still waiting on a response. We sent the FDA,
in November, two of the questions that we posed. At this point
I would ask unanimous consent to enter our letter into the
record.
Mr. Murphy. Without objection, so ordered.
[The information appears at the conclusion of the hearing.]
Mrs. Brooks. And with that I would like to ask your
experience with respect specifically to the FDA, and so Mr.
McNeil and Mr. Rice, how has the FDA specifically been working
with medical device manufacturers and other stakeholders to
assist them regarding potential vulnerabilities and cyber
threats in both premarket and postmarket context? Mr. McNeil?
Mr. McNeil. Yes. I would state that approximately maybe 2
1A\1/2\ years ago the fragmented system that we currently have
from medical device manufacturers specifically, also looking at
health delivery organizations that consume a lot of the product
as well as the patients, the researchers' organizations, it was
extremely fragmented.
I think that over the past 2 1A\1/2\ years, the FDA
specifically has conducted workshops and specific outreach in
order to make sure that they brought the ecosystem, as we call
it, of the stakeholders together. It was the first time that
that type of activity has truly taken place where you had all
of the participants at the same table and exercising around one
common goal.
I think also in addition to that the passing of both the
premarket guidance as well as the postmarket guidance also
helped accelerate and consolidate direction around activities
that need to take place from a medical device manufacturer in
the development of our solutions and the type of requirements
that should be included in our submissions in our 510(k) and
other documentation also was very helpful, as well as how to
manage and communicate from a postmarket perspective
specifically around the coordinated disclosure.
There was only a few of us from a company perspective over
2 years ago, Philips being one that exercised the coordinated
vulnerability disclosure to work with external researchers, now
it is something that we look at as a requirement due to the
postmarket guidance. So those are direct examples that I would
look at and have appreciated by working with the FDA.
Mrs. Brooks. And Mr. Rice, anything additional you would
like to add or could you share with us any further explanation
about the postmarket guidance on vulnerabilities that need to
be shared with patients and consumers?
Mr. Rice. Since we're not a medical device manufacturer,
it's probably beyond my ability to be able to really provide
any additional comment.
Mrs. Brooks. Can you share though with respect to how the
FDA has worked with your sector?
Mr. Rice. Yes. And the outreach that's been done through
the NH-ISAC particularly, we conduct semiannual summits to
attract members. We generally have somewhere in the
neighborhood of 400 or 500 people, cybersecurity professionals
from across the industry attend. The FDA, I believe, has been
at every single one of those presenting, updating, listening,
and participating actively in the dialogues and discussions.
Mrs. Brooks. Can you both share--there seem to be multiple
agencies within HHS and I was a bit disturbed quite frankly,
Mr. Rice, when you mentioned a two-page strategy. Can you
please expand on that? Where did that two-page plan come from,
and can you both talk a little bit about the various agencies
that you work with within HHS? Mr. Rice?
Mr. Rice. Each of the 16 critical infrastructures in the
United States are asked to develop sector-specific plans. The
Sector-Specific Agencies, Government agencies, are the
coordinating point for that. So, every couple of years, the
sector will develop and update its plan. Currently, the sector-
specific plan, which covers everything from pandemic flu to
healthcare delivery and natural disasters and a wide array of
other risks--it's about a 50-page document--there are 2 pages
that are devoted to cybersecurity.
I believe that while the material that's in there is
helpful, it needs to be significantly expanded particularly for
those small entities that don't have large security teams or
security professionals even in their organizations.
Mrs. Brooks. Thank you, my time is up. I yield back.
Mr. Murphy. Thanks. Now Mr. Collins, you are recognized for
5 minutes.
Mr. Collins. Thank you, Mr. Chairman. I want to thank the
witnesses today. This is certainly a timely topic. It is one
that we are going to continue to have for as long we are here.
And so I guess the question I have as an entrepreneur
myself, the problem with a lot of what is going on today it is
in the entrepreneurial world that most new medical devices are
coming, most changes when kind of electronic medical records,
these are startup companies spinning off of a university,
spinning off of some research institutions, one- and two-man
operations. Their total focus is getting their product funded,
getting their product to the market. It is not, they are in
total denial of anything related to what we are talking about
here today, data breaches, or even in the case of a device
somebody being able to access it.
So I guess it begs the question on how to--you know, this
is a start, education as you said. Is there a cost to join ISAC
and if so, is there any thought--any time an entrepreneur has
cost they are going to look at it and they are probably going
to say no versus getting in early, so just kind of curious on
that.
Ms. Anderson. So, with the medical device manufacturers we
actually, through the FDA and the partnership with MDISS as
well, have created MD-VIPER which is a community where we can
share responsibly disclosure around medical device security and
vulnerabilities, and we'll also be providing that situation
awareness around the various threats that are out there. That's
still in development; we've just launched it this year. It will
be free to people that sign up to participate.
The ISAC membership is a little bit different, but we've
gone a long way. As Michael mentioned earlier, we see it as our
mission to help everyone within the sector because a rising
tide floats all boats. And so, you know, we've reduced our
member fees, so our lowest tier right now is $1,200, which is
less than a cup of coffee a day. And----
Mr. Collins. No, it is $1,200.
Ms. Anderson. Twelve hundred dollars per year.
Mr. Collins. Entrepreneur, it is $1,200.
Ms. Anderson. Yes. But we are also working collaboratively.
We share with many organizations, other ISACs as well as
Government organizations at what we call the TLP white and
green levels, so those threats that are possible we get those
out there as broadly as we can.
One of the things that we did was, actually a great public-
private partnership story, is we worked together with two other
ISACs, the Multi-State ISAC and Financial Services ISAC as well
as FBI, Secret Service, and two providers, Symantec and Palo
Alto, and we did a series of ransomware road shows across the
country in 14 different cities, free to anybody that showed up,
where they could learn about ransomware, why it was important
to protect against it, and how they could do that.
Mr. Collins. Well, again what I would say is the earlier
you get someone in the better. If it costs anything, that is
going to be a problem especially for these entrepreneurial
companies. And clearly, some of the bigger corporations
understand it and at some point you just do your civic duty and
bring those folks alone.
When I was the subcommittee chair on Technology on small
business, we had a hearing, and part of the hearing came out if
a small company has a significant data breach, 67 percent of
the companies are bankrupt within 12 months. That piece of data
alone was eye-opening enough to a lot of small businesses
because we pushed it out, it is like, you know, that is an oh-
my-God moment.
And I just acknowledge that a lot of the products being
developed, a lot of the software being developed, the
developers would acknowledge that cybersecurity is an issue and
then they are doing absolutely nothing about it. That is the
reality. Wouldn't you agree, Mr. Rice?
Mr. Rice. Absolutely, and I think education is definitely
one of the areas that needs work. It was just a couple of years
ago that there was only one academic institution in the United
States that required people graduating with a bachelor of
science in computer science to take a course, a single course
on cybersecurity. And those stats have improved significantly
in the last couple years, but you have lots of individuals that
learn how to program and want to go off and join a startup
company and have not had any experience or exposure to security
education. And that's an area where there's plenty of
opportunity for improvements.
Mr. McNeil. Again, the education piece is definitely
critical, and as you just stated the earlier in the process
that we can bring them to the table obviously the better for
all of us.
Mr. Collins. Well, it is going to be a continued issue that
we all face and it would be naive to think we can put an end to
it. And I certainly agree with Representative Griffith that you
can't. If you continue just to punish people on a wall of shame
there ought to be some due process to get them off because the
next person might not disclose; they might look at that as the
death of their company. I wasn't even aware of that. That is
thinking in the past. That is not forward-thinking, so maybe
that is something Congress could work on.
Thank you, Mr. Chairman. I yield back.
Mr. Murphy. The gentleman yields back. I now recognize Dr.
Ruiz for 5 minutes.
Mr. Ruiz. Thank you very much, Mr. Chairman. Our Nation's
healthcare system has been classified as a critical industry
for almost 20 years, but still today we see cybersecurity
breaches that expose millions of patient medical records to the
highest bidder. The fact is our healthcare system is only just
entering the digital age, but we must be able to learn from
cyber attacks on other industries and implement the best
practices developed to respond to them.
It is critical that the healthcare sector take advantage of
the expertise developed in these other sectors to safeguard
patient data and the integrity of a hospital system. Imagine if
there was a cyber attack during a terrorist attack that took
down the 911 system. Imagine during that time they also took
down our system to communicate in a wireless form with other
members.
Imagine if they go into a large hospital network and change
the drug allergy information, which leaves doctors blind and
nurses blind to administer certain medications that may
actually hurt and kill the patient. Imagine if they change the
dosages of medications that patients say that they need for the
illness that is under their medical record. Imagine if they
made little tweaks here and there which can actually cause harm
and kill patients.
So my first question is for Denise. What metric are you
using to define success for the National Health ISAC, Ms.
Anderson?
Ms. Anderson. So I think one of the key metrics is the
membership renewals, so people join the ISAC because they find
value in it and so that our renewal level is a hundred percent.
We've not had anybody drop in the last year since I've come on
board, and we're growing. So, you know, the fact that people
are finding value in what we're doing is important.
Also, we see it in the comments. We just had some threads
shared yesterday, actually, where members were saying, ``This
ISAC is great, I'm seeing this as an extended arm to my threat
intelligence team.'' You know, so it's like they're almost
seeing it as part of their organization in helping them do what
they do.
Mr. Ruiz. How about in terms of its effectiveness, and have
there been any data that you are measuring in terms of attempts
to enter the system and a decrease more that you have
identified and those that you have prevented?
Ms. Anderson. Not at this point in time because a lot of
that comes from the members themselves. But we are doing some
initiatives where we're looking at deploying sensors onto
member networks where that network flow will come into the ISAC
and we'll be able to do some analysis on it.
Mr. Ruiz. OK.
Ms. Anderson. But we do have case studies where we're
seeing information sharing where there have been successes, one
recently where we shared with the Multi-State ISAC some stuff
that we were seeing in National Health. It was an email that
was compromised, an account in a utility in actually California
and we were able to stop that attack because of what was shared
in the National Health ISAC and then working with our partner
in the Multi-State ISAC.
Mr. Ruiz. Thank you. Mr. McNeil, I have heard that there is
a healthcare cybersecurity task force and that you are
participating in it. Can you explain what it is, how it came to
be, and what the task force is working on?
Mr. McNeil. Yes. The task force started approximately 1
year ago with the auspice of an executive order, and based upon
that executive order to be able to make recommendations around
some of the critical areas within the healthcare industry. One
of the communications was for us to take a look at other
industries and understand the roads that they have traveled and
to be able to leverage that activity in regards to the
healthcare industry.
We are right now in the process of finalizing that
particular recommendation and it will be submitted. Our
anticipated time frame here is the end of April, beginning of
May, to the Government.
Mr. Ruiz. That is great. So what is your utopian
collaborative model between industry, private, public, and just
getting everybody together to work on this? What does that
vision look like?
Mr. McNeil. I think that particular vision is for us to
make sure that there's the collaboration across the different
agencies. I think we made the comment that I am governed as a
medical device manufacturer by the FDA, which is a part of HHS.
We have the OCR which also has privacy and other implications.
The hospital organizations are also a, you know, participating
stakeholder.
Mr. Ruiz. So basically bringing everybody together.
Mr. McNeil. Right.
Mr. Ruiz. This last question is for you, Ms. Anderson. We
have a severe cybersecurity expert shortage in this country. It
is absolutely horrendous the need versus the supply that we
have. There is a program at Cal State University San Bernardino
that is training in cybersecurity. What educational pipelines
do we need to meet the high demand in our Nation for
cybersecurity?
Ms. Anderson. Absolutely I think that education system is
key to developing staff within the cyber skills area. As Mr.
Rice mentioned, you know, being able to build cybersecurity
into actual computer science programs is key. I know there's a
number of universities and educational institutions that are
starting to work on that and certainly we have ISACs that--we
have a REN-ISAC which is the Research and Education Network
devoted to universities, and they also are working with it
across the college and university level.
Mr. Ruiz. Thank you very much.
Mr. Murphy. The gentleman's time has expired. Now Mrs.
Walters, you are recognized for 5 minutes.
Mrs. Walters. I would like to thank Chairman Murphy for
holding this hearing, and the witnesses for their testimony.
We are well aware of the growing cyber threats this Nation
is facing. No industry is immune to the threat of a cyber
attack which is why it is important we examine the ways that
public and private sectors can work together to maximize our
efforts to combat these attacks. There is no question health
records contain an individual's most personal and sensitive
information. We can all agree that safeguarding confidential
health records is critical.
I would like to get some thoughts on how these efforts
might be improved. The first question I have is for the entire
panel. HHS is obviously a big organization with a diverse set
of responsibilities and cybersecurity is just one of them. That
said, I think we can all agree that cybersecurity in health
care is immensely important and should be a priority for all
stakeholders.
Are there additional actions or initiatives regarding
cybersecurity that HHS could take that you think would benefit
the sector? And we will start with you, Ms. Anderson.
Ms. Anderson. In my testimony, one of the things I pointed
to was having the SSA recognize the ISAC as a best practice for
organizations to join and to share information with each other
around the incidents and vulnerabilities and mitigation
strategies that they have in their environments, so I think
that's definitely one way. Another way is to have a clear go-to
person who is a cybersecurity professional with experience in
cybersecurity and understands the unique nuances of health care
and cyber and the blended threats between physical and cyber.
Mrs. Walters. OK. Mr. McNeil?
Mr. McNeil. It think also in addition there's an
opportunity to improve transparency from medical device
manufacturer and some of the processes that are used for the
development of our solutions. One would be an example of a
software bill of materials, which allows the manufacturers to
describe what the components are, whether or not that's open
source code or material. But if we can increase that
transparency that would also force us to have a greater
visibility around what might be potential vulnerabilities in
our solutions.
Mrs. Walters. OK, thank you. Mr. Rice?
Mr. Rice. I would argue that the NIST CIF which is the
cybersecurity framework that NIST published and has been
adopted by 61 percent of the healthcare industry, if we could
actually develop implementation guidelines, the NIST
cybersecurity framework tells you what you should do. If we
could develop guidelines particularly for those smaller
entities that are tailored to the healthcare specific area, I
think, would go a long way.
And I'd also like to highlight what Mr. McNeil said with
the software bill of materials. My daughter has celiac disease.
When I go shopping for foods I look at the nutrition label on
the package to see if it contains wheat or any type of gluten
and obviously avoid that. Today when I'm purchasing software I
don't know what is inside that software. I don't know what the
components are and I don't have the ability to select or
deselect software based on its ingredients.
Mrs. Walters. OK, thank you. Now that I have asked you what
HHS should be doing I am going to ask the opposite and this is
another question for the entire panel. Are there issues related
to cybersecurity that you believe are better left to industry
to address and if yes, what are they and why are they better
left to industry and if not, why not?
And let's start with Mr. Rice.
Mr. Rice. I think that the understanding of the risks
within the sector requires industry knowledge. We are a very
diverse sector. So, if you look at the payer community, they're
worried about financial criminals. If you look at the
pharmaceuticals, they're worried about patient safety and the
integrity of information and trade secret data. If you look at
the hospitals, they're worried about continuity of service and
the protection of electronic health records.
So industry is probably best at making those risk decisions
as to what is the most effective way to address in each area,
but it has to be done in collaboration with the Government.
Thank you.
Mrs. Walters. OK, thank you.
Mr. McNeil. Again I would just build upon what Terry just
stated in terms of that collaboration. Because of the diverse
and the uniqueness of the healthcare industry, we definitely
would like to see something aligned from a med-cert
perspective. Right now we have a computer, you know, emerging
response plan and a cert where we identify based upon the
severities of the vulnerabilities, but it is not developed
specifically to the healthcare industry based upon how those
devices, products, or solutions are deployed in a clinical
setting.
So, through that collaboration, which has to be both public
and private, I would want to see a reinforcement of that
particular area of focus.
Mrs. Walters. Ms. Anderson, do you have anything to add?
Ms. Anderson. Very quickly, I think that information
sharing should be encouraged but not mandated, and I think it
should come from industry because when you share because you
want to share it's different from sharing because you have to
share.
Mrs. Walters. OK. All right, thank you. I am out of time.
Thank you.
Mr. Murphy. I now recognize Mr. Costello for 5 minutes.
Mr. Costello. Thank you, Mr. Chairman, for holding this
important hearing and thank you to our witnesses today for your
insight.
My home State of Pennsylvania is indeed a hub for life
sciences and medical device manufacturing. AdvaMed companies
alone employ over 22,000 Pennsylvanians with nine member
companies located in my congressional district. These companies
are as diverse as the patients they serve. Zimmer in Exton
which specializes in joint replacements employs approximately
14 individuals, while Teleflex headquartered in nearby Wayne
focuses on vascular solutions and has a team nearly 12,000
strong.
The fact remains that, despite differences in size,
specialty, and scope, these companies and all the others in
between are prime targets for bad actors seeking to cause harm.
We all agree that we must take every reasonable action to
ensure these companies that specialize in the safeguarding of
life have the resources they need to defend themselves and the
patient end users they serve against all kinds of cybersecurity
threats.
Ms. Anderson, I would like to ask you, regarding NH-ISAC
could you describe some of the barriers to entry that do keep
small to midsize companies from becoming members and,
additionally, upon identifying those barriers to entry what can
we do to mitigate them?
Ms. Anderson. So I think first and foremost is the fact
that they don't even know that we exist.
Mr. Costello. Right.
Ms. Anderson. And that we can be a valuable tool, so that's
huge. You know, when we are able to reach out to healthcare
organizations and they see what we offer, we also are offering
now a free trial program where they can be participants within
the ISAC and get access to everything that's done over a 6-
month period. You know, the renewal rate is very high at that
point. We saw that with FS-ISAC when they did that they had a
90 percent success rate in that.
So people need to find, be even aware that it exists, then
they need to see the value so they can join. I think money, you
know, obviously money is always a factor, but the fact that
we've been able to bring it down to less than a cup of coffee a
day and we're also exploring things such as scholarship
programs and those type of things, bringing people to our
conferences, doing free workshops which we do do, as well as,
you know, maybe supplementing membership costs, are something
that I think are very key.
Mr. Costello. Thank you. For Mr. McNeil and Mr. Rice I am
going to run off a string of questions and take them as you
find appropriate. In general, what does your interaction with
NH-ISAC look like on a daily basis? Two, could you please
describe further how NH-ISAC is structured in such a way as to
facilitate information sharing even among industry competitors
who may be otherwise disinclined to share sensitive information
regarding their organization? Three, what more can be done to
help organizations feel confident using NH-ISAC to its full
potential? And the catch-all, any additional comments you would
like to offer?
Mr. McNeil. So, from a daily basis in terms of the
interaction that we have within NH-ISAC, we have, as Denise
stated, there are alerts, so there's direct emails that we
receive on a daily basis. We also have the ability to
participate in different committees and in different activities
that the NH-ISAC provides so that also allows us to have a
direct access.
We have the biannual summits that is stated, so that is
another form of participation. They also have workshops that
they conduct and that they've rotated. Specifically in my
arena, we've had these medical device workshops where myself
and other members have been able to participate. Structurally,
the NH-ISAC allows us to have a constituency of board members
and your board member opportunities go from anywhere from 1-,
2- or 3-year slots that we have in place and as well as just
our overall membership.
From a competitive perspective in terms of my discussions
there, I think the fact that we become, that the word when we
said earlier from a trust perspective when you're able to gain
the trust among the members of the NH-ISAC and the trust is
there, Terry and I will share information just as much as I
will share information with J&J, St. Jude, Medtronic, et cetera
that you'd name it.
But in order for us to get to that point we had to be able
to participate in the initiatives that I've just described in
order to help build that trust among our peer group as an
example.
Mr. Rice. As far as the NH-ISAC daily interaction, for me
it's the dozens, sometimes much more than that of emails that
come in about member companies that are seeing a phishing
attack, seeing a denial of service attack, taking that
information and then updating our own defenses.
We also see questions that come in through our list server
that can be open-ended, like what are you doing about
ransomware? And then member companies will respond back to how
they're working and operating, and the NH-ISAC staff will
collate all that information and publish it into a document
that's easily consumable by the members. And as Mr. McNeil
indicated, it's also picking up the phone and knowing that
somebody on the other side is dealing with the same issues as
you and you can provide advice back and forth on how to handle
a situation.
As far as what more needs to be done, I stressed in my
testimony the need for global engagement. The FS-ISAC is
operating in 38 countries today. Cybersecurity is an
international problem, it doesn't know boundaries. And so we
should be actively addressing and trying to bring in
multinational companies and other entities like Interpol and
the European enforcement organizations to also share
intelligence information about attacks.
Mr. Costello. Thank you.
Mr. Murphy. Thank you. I now recognize Mr. Carter for 5
minutes.
Mr. Carter. Thank you, Mr. Chairman, and thank all of you
for being here today. Gentlemen, in the State of Georgia, where
I am from, earlier this year Governor Nathan Deal, who is a
former member of this committee, as a matter of fact, he
announced $50 million in funding for a Georgia Cyber Innovation
and Training Center at Augusta University in Augusta; very
excited about that. This is something that we see as being very
progressive and very forward-looking and something that I hope
that we are going to be able to bring in private industry and
bring in, you know, Government to work together on these type
of issues.
Do you see this as being the trend to have academia
involved like this?
Mr. McNeil. Yes, I definitely believe this is the trend and
the participation. Number one, I will be at Augusta
University----
Mr. Carter. Yes.
Mr. McNeil [continuing]. To help in the next couple of
weeks meeting with the team and going over strategically some
of the key initiatives. Philips is in a long-term partner and
relationship in order to build that out. We also have worked
very closely with other academia and institutions in regards to
this space, so I believe that it definitely starts there and
you'll see that as much more of a flourishing opportunity.
Mr. Carter. Great, great.
Mr. Rice. I second the comments. We've sponsored an
exercise at NC State recently which brought in universities
from around the Southeast to participate in a series of
exercises that my staff and other cybersecurity professionals
then graded so people would get practical experience in
addition to the academic experience. I definitely think that
this is one of the many opportunities we have to help address
the shortfall in the cybersecurity work force.
Mr. Carter. Great. Mr. McNeil, I want to go back to you.
Philips is obviously a key player in this area and in many
different industries. But can you share with us just some
public/private-sector collaboration that has been most
successful with your company and with some of the private
industry?
Mr. McNeil. I think some of the most successful activities
has been, one, working with the NH-ISAC, also working with the
MDISS organization again getting the word and the education out
there. I think that when you talk about for example NH-ISAC, it
traditionally had a strong influx from the pharmaceutical and
the insurance industries. And due to a number of the
cybersecurity activities that the medical device manufacturers
are seeing, it now provides us with that type of public-private
community in terms of participation.
I think also when I look at the activities specifically
that we're doing, it has afforded us that ability to increase
our ability to grow from an information sharing as well as to
coordinated disclosures around the researchers. I think also
the partnership and the participation with the MDISS
organization has reached out directly with the manufacturers
and the researcher community. So there were researchers that
had not originally been addressed or brought to the table that
now are there.
And then, finally, the work with the FDA. From the FDA's
perspective and their outreach with their post and premarket
guidance as well as a number of the workshops that they've
hosted, they have been the catalyst to truly bring the entire
ecosystem together and work on issues.
Mr. Carter. Great. Mr. Rice, I want to ask you and I would
be remiss if I didn't point out my professional career I have
been a pharmacist so I am particularly interested in the
pharmaceutical industry and how cybersecurity really impacts
you. And I would suspect, you know, in the practice of pharmacy
we have HIPAA regulations so we pay particular attention to
cybersecurity. That is very important to us.
What about in the pharmaceutical industry? I suspect that
with research and development this is critical for your
industry.
Mr. Rice. Yes. That is one area of concern within the
pharmaceutical industry, and as you're probably aware the
healthcare sector outside of DoD is one of the largest, if not
the largest, investor in research and development, and that
includes both the Government as well as the private sector.
So research and development is one aspect. Information
about mergers and acquisitions prior to public disclosure, we
saw in the FIN4 report from FireEye, a security research
company, that there had actually been attacks. Not against the
large companies but the smaller companies that were likely to
be acquired, these actors would get in and they would be able
to get information about which they could potentially trade on.
The second area would be around manufacturing. We run
industrial control systems, SCADA systems that automate the
manufacturing line, so potential disruptions of that equipment
would also cause significant harm. And then finally, being able
to disclose financial statements, the integrity of information,
the integrity of information in the clinical trial processes
that we have, all of those are areas of concern. So it's across
almost every aspect of the industry that we see challenges.
Mr. Carter. Great, thank you. And thank you all again for
being here, and I yield back, Mr. Chairman.
Mr. Murphy. Thank you. Thank you. So, in conclusion, I want
to thank all the witnesses and Members that participated in
today's hearing. This is a pretty difficult subject but
something that we have to continue to pursue, as we heard the
complex testimony. And I am learning quite a bit myself
especially about these acronyms which are your daily breakfast,
but as we go through this certainly what we have to pursue is
ways of simplifying and making sure that all these different
departments work together, especially given what you opened up
with what the threats that are out there for life and functions
within the hospital and healthcare system.
So, again, I thank all the witnesses for participating
today. I will remind all Members they have 10 business days to
submit questions for the record. I ask all witnesses to agree
to respond promptly to the questions. With that, this hearing
is adjourned.
[Whereupon, at 11:57 a.m., the subcommittee was adjourned.]
[Material submitted for inclusion in the record follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
[all]