Caveat 7.11.24
Ep 224 | 7.11.24

The cybersecurity prescription healthcare needs.

Transcript

Errol Weiss: In the case of Change Healthcare, we saw literally hospitals across the U.S. being impacted, patients going to pharmacies not being able to get prescriptions filled. The impact was just incredibly broad and widespread just from that incident in and of itself, and so as you can imagine, there's already a lot of activity happening, trying to figure out how we can avoid that from ever happening again.

Dave Bittner: Hello, everyone, and welcome to Caveat, N2K CyberWire's privacy, surveillance, law, and policy podcast. I'm Dave Bittner, and joining me is my co-host Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hey, Ben.

Ben Yelin: Hello, Dave.

Dave Bittner: On today's show, we cover the latest rulings from the U.S. Supreme Court, and later in the show, Errol Weiss, CSO of the Health-ISAC, joins us to discuss the current threat landscape in health care and their contributions to the Cyberspace Solarium Commission's healthcare report. While this show covers legal topics, and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. [ Music ] All right, Ben, we are going to jump right in here and talk about some of the latest rulings from the U.S. Supreme Court. Of course, this has been dominating the news. I think a lot of folks are distressed, some surprised, some not surprised. Where do we begin here, Ben?

Ben Yelin: So I think the most important case for our purposes is the Loper Bright Enterprises case, and so I'll start there. That is the case that overturned Chevron USA v. Natural Resources Defense Council from 1984, and it is boring to most people because it concerns administrative law and deference to federal agencies, and I can tell people are already falling asleep. So my job is to help people understand why this is going to be very important to the world of cybersecurity.

Dave Bittner: And this is the Chevron deference issue, right?

Ben Yelin: Exactly. So Chevron deference did develop from that Chevron case in 1984. The way Chevron deference worked, until two weeks ago, is that if the statute was clear on a particular subject, then the agency was bound by the language of that statute, but if there was any ambiguity, courts would give deference to that agency's interpretation of that statute. So in essence, it took power away from our federal courts and put them into the agencies themselves, and these agencies have expertise, they have institutional knowledge. It gave the agencies leeway to interpret statutes in a way that was still permissible, that was still a permissible reading of the statute, but could kind of do its own thing, to put it colloquially, and that has all changed. In this Loper Bright Enterprises decision, a 6-3 majority, which is divided neatly upon ideological lines, the court overruled Chevron after 40 years. I was not expecting this result necessarily. I know there are a lot of critics of Chevron on the court. I thought they might go about it a little more methodically and kind of chip away at Chevron deference without doing away with it entirely. So that element of it is at least somewhat surprising to me. I think this all sounds very pie-in-the-sky, nobody really understands kind of the on-the-ground impact of this decision, and there's been some really good literature out since the decision came out on how the overturning of Chevron is going to affect, in particular, cybersecurity regulations. So I thought that would be a good place for us to kind of dive in, and the most interesting to me is SEC rules regarding cybersecurity disclosures. There's a really good piece from the Center for Cybersecurity Policy and Law that has a really good discussion of what this might mean for disclosures of cybersecurity breaches. 
So as probably most of our listeners know, in 2023, the SEC established requirements that public companies, the ones over which the SEC has jurisdiction, report, quote, material cyber incidents within four days of determining materiality, and there's other elements to those requirements. If you look at the security, securities and Securities Exchange Act, that statute and all of its revisions over the years do not directly reference cybersecurity at all.

Dave Bittner: It probably didn't exist when --

Ben Yelin: It certainly did not exist when the bill was first enacted into law. I believe it's been in existence since the post-New Deal era, so yeah, it's long before it was even a gleam in our eye.

Dave Bittner: Right, right. The men shall use their adding machines in a responsible way.

Ben Yelin: Yeah, that actually is a very impressive old-time video voice.

Dave Bittner: Thank you, thank you.

Ben Yelin: Yeah, that could be a good skill for you. We can get one of those newsreel music tracks.

Dave Bittner: Right.

Ben Yelin: So in a world with Chevron deference, this wouldn't be that much of a problem because the SEC is concerned generally with managing risk from these public companies and preventing what happens in the corporate world from filtering down and causing financial distress, and if you were to take a reasonable definition of "risk management" in the current climate, I think that obviously would include the risk of cybersecurity attacks, but in a post-Chevron world, that's not necessarily the case because there is nothing in the statute referencing cybersecurity. So anybody who is affected detrimentally by this regulation that was enacted in 2023 now would have standing to sue the SEC for these regulations. So let's say somebody doesn't comply with the breach requirements, they're fined by the SEC, now they would have grounds to challenge that fine and basically challenge head-on these regulations. They could go to court and say, "You are no longer required to give the agency deference in how it interprets these statutes. All you can do is look at the plain language of the statute, and by looking at the plain language of the statute, there is nothing within the SEC's jurisdiction that deals with cybersecurity." There are going to be millions of these lawsuits, not just in the cybersecurity field, but really in every sphere of federal policymaking.

Dave Bittner: Let me pause there for a second. You mean that literally, "millions"?

Ben Yelin: Yes, I do.

Dave Bittner: Okay.

Ben Yelin: There's already been probably hundreds if not thousands of lawsuits filed that directly reference the Loper Bright decision, and as we're recording this, it was released less than two weeks ago, so I do not think that that's an exaggeration. I think organizations or companies or whomever who were previously affected by these regulations thought, you know, maybe this regulation was a bit of a stretch in terms of agency authority, but because of Chevron deference, the court will probably hold that the agency was able to take this action, and that's just no longer the case, and now lower courts will have to go through the process of making the decision themselves as to what these statutes mean, and they have tools for statutory interpretation that we have throughout our legal system, and they can do that, but what they don't have is subject matter expertise. Federal courts have a couple -- or federal district courts have a couple of clerks each to do research. These clerks are law school grads from, you know, very prestigious law schools, but they're certainly not experts necessarily in cybersecurity unless they came through the University of Maryland Cybersecurity Program. Free advertisement there. So just to give a couple other examples that I thought the Center for Cybersecurity and Policy document provided that I think are valuable. The Gramm-Leach-Bliley Act from the late 1990s charges agency regulators with creating standards relating to the security and confidentiality of customer records. Under Gramm-Leach-Bliley in 2022, there are new rules that require cyber incident reporting for these financial institutions. Just like the SEC regulations, the Gramm-Leach-Bliley Act doesn't make a direct reference to cybersecurity. The risk of some type of financial crisis that emerges from cybersecurity which would necessitate the need for cyber incident reporting, that might be written out of that statute entirely.
They mentioned the TSA, so our favorite airport security agents. They issued cybersecurity requirements for airport and aircraft operators as well as passenger and freight railroad carriers. These regulations were promulgated, as I said, in 2022. They include cybersecurity measures in the TSA authorizing statute from the Homeland Security Act back in the early 2000s. Cybersecurity was not mentioned. So this is just an enormous risk for people who believe in effective federal regulation, and I think the question, of course, is what happens now.

Dave Bittner: Does it ultimately then have to go back to the legislators to clarify all this stuff?

Ben Yelin: Yes, and that's part of the problem. So critics of Chevron have always said, "We don't need Chevron because Congress can just do its job. If there is an unclear interpretation of the statute, Congress can just come in and clarify." I think that sounds very good in theory, but to me, it represents a naive view of the capabilities of our Congress.

Dave Bittner: Our highly effective, well-oiled machine that is the U.S. Congress.

Ben Yelin: Yeah, I mean, they can barely pass must-pass budget measures. They always do it at the last possible minute before we go into a government shutdown. We're constantly on the precipice of self-imposed deadlines for things like the debt ceiling. The idea that Congress has the institutional expertise to go line by line through these extraordinarily obscure regulations and try to provide some level of clarity for all of them and then turn that into legislation, which is subject to the filibuster and all sorts of time delays, I think it's extremely naive. So I think what's going to happen is that federal courts are going to interpret these statutes and they're going to start interpreting them far more narrowly than they did in the Chevron era, and that's going to make it much harder for federal agencies to anticipate future threats or to promulgate regulations on threats that did not exist when the statute was enacted, and I just think that's a really significant risk. I think that's going to be something that's, if you're a CISO out there, this is going to be part of what you're going to have to deal with in the legal landscape over the next several years. So I can't really overstate the significance of this decision and how it's going to impact really every aspect of federal rulemaking, but specifically for our purposes, cybersecurity and things like data privacy.

Dave Bittner: What was the world like before 1984 when Chevron deference became a thing?

Ben Yelin: That's a really good question, and this is, I think, part of the rationale of the majority's decision is that Chevron has only existed since 1984. Prior to that, we had the Administrative Procedure Act, which didn't say anything about deference to federal agencies, and we basically got along just fine. I think there are a couple of things to say in response to that. The first is that our administrative state has vastly expanded in the last 40 years. Now, part of that is probably due to Chevron deference. Fact is that we rely on our federal agencies to promulgate policy on areas where there's a lack of clarity in a way that we did not do prior to Chevron. It's impacted the way Congress has drafted legislation over the past 40 years, so oftentimes Congress doesn't want to make difficult decisions itself, so they'll say the Secretary of Health and Human Services or his or her designee shall decide what counts as a data breach for hospital systems. Now, Congress can still do that, but they're just going to have to be far more specific on the parameters of those types of regulations. So I think the big difference is volume, that we have a much larger federal regulatory system. Now, for some people who hate federal regulations, and that probably includes a lot of our listeners, this comes as great news. It's bad in their view that we have this unelected bureaucracy making all of these rules, and I certainly understand that, and I think that's kind of the ideological position of the justices and the majority here and their ideological brethren, but I just think it's kind of one of those laws of unintended consequences where we aren't going to be able to be forward-looking about developing federal policy.

Dave Bittner: Wow. All right, well, in the interest of time, let's move on. What else do we have to cover here from the court?

Ben Yelin: So there are two other decisions that we talked about when they went up for oral arguments, so I feel like we would be remiss to not mention them. The first is what are called the "NetChoice cases." These were two cases that were consolidated in an opinion and they dealt with a Texas law and a Florida law that sought to regulate content moderation on the part of big tech companies. So really most of the briefing on this case, and we'll get to why this is important in a second, was about Facebook news feed and YouTube. Florida and Texas enacted these statutes. The Texas law was upheld by the Fifth Circuit Court of Appeals. The Florida law was -- there was an injunction put on the Florida law by the Eleventh Circuit Court of Appeals. So we had conflicting circuit court opinions on this case, which made it ripe for Supreme Court review. The Supreme Court vacated both the Fifth Circuit decision and the Eleventh Circuit decision because, in their words, the lower courts did not conduct a proper analysis of facial First Amendment challenges to these laws. Remember how we talked about the difference between a facial challenge and an as-applied challenge?

Dave Bittner: Remind me.

Ben Yelin: Yeah, I figured you were going to say that. So a facial challenge basically says that the law in almost all of its applications, and I'm oversimplifying here, but the law in almost all of its applications is on its face unconstitutional. There is no or very few permissible applications of this law. An as-applied challenge would say, as this law applies specifically to the Facebook news feed or to the YouTube algorithm, it's unconstitutional, but we're not challenging the general constitutionality of this law in all of its applications.

Dave Bittner: Okay, yeah.

Ben Yelin: What happened was, and I think this is kind of the fault of NetChoice and its attorneys, they made the entire case at the lower court levels about Facebook and YouTube. That's what they briefed on. That was kind of the nature of their oral arguments, and so they kind of approached this case as if it were an as-applied challenge when it wasn't. This was a facial challenge. So I think what the Supreme Court here is saying is you need to do a thorough analysis, probably at the district court level, to figure out what is every possible application of this law? Not just Facebook and YouTube, but how would it apply to Etsy? How would it apply to Uber? How would it apply to some of these smaller, more obscure social media companies where the government is going to try and regulate to prevent this type of viewpoint bias, which is the allegation that led to the enactment of these laws, is that these big tech companies were biased, basically, against conservative viewpoints.

Dave Bittner: Right. I mean, this was all during COVID, right, or a lot of it was prompted by COVID where the federal government was saying, hey, we want you to try to tamp down on COVID misinformation, and one person's COVID misinformation is another person's patriotic free speech.

Ben Yelin: I think that's absolutely correct. That was one element of it, and then there's a lot about, like, the Hunter Biden laptop stuff that I think is probably less important. I mean, they acknowledge that there were certainly some instances where these tech companies were probably overbroad in regulating content. The court here, and this was a decision written by Justice Kagan, so one of the liberal justices, acknowledges that the interests of Florida and Texas are pure here. They want to use the government to foster a forum for free speech. They just might not be doing so in a way that is constitutionally permissible. So long story short, these facial challenges will now be heard in the district court that will be appealable up to the Court of Appeals for the Eleventh Circuit and the Fifth Circuit, and that means that this litigation could be going on for a long time. There was an interesting sub-element to this case. Justice Kagan did not have to do this, but she did. She could have just said NetChoice treated this as an as-applied challenge. It was a facial challenge. They didn't go through the analysis of a facial challenge, end of story. Instead, she criticized the Fifth Circuit's decision on the Texas law where they upheld the law on the merits. Kind of her money quote -- she has a money quote that kind of describes her problems with the Texas law. So she says, first, the First Amendment offers protection when an entity engaged in compiling and curating other's speech into an expressive product of its own is directed to accommodate messages it would prefer to exclude. So in other words, these big tech companies, including the ones directly challenged here, have their own First Amendment rights to regulate content.

Dave Bittner: They're private companies.

Ben Yelin: Exactly. Second, none of that changes just because a compiler includes most items and includes just a few. I think one of the arguments was, you know, Facebook includes pornography and smut and hate speech, but they're really going to reject misinformation on COVID-19. From Justice Kagan's perspective, that doesn't matter. It is enough for the compiler to exclude the handful of messages it most disfavors. And third, she says, the government cannot get its way just by asserting an interest in better balancing the marketplace of ideas. In previous cases, the Supreme Court has barred the government from forcing a private speaker to present views it wished to spurn in order to rejigger the expressive realm. In other words, it's not the state's job, and the state doesn't have the ability to dictate to a private party how it regulates speech. So this was a warning to the Fifth Circuit to say, yes, we're remanding this because of the issues with the facial challenge. That's the main holding of this decision, and by the way, all nine justices agreed with that holding, but you screwed up, Fifth Circuit.

Dave Bittner: Knock it off, you knuckleheads.

Ben Yelin: Exactly. That's exactly what she's saying. Don't come back to us with a decision like your last one or else you are going to be in a lot of trouble.

Dave Bittner: Right. I shall humiliate you a second time.

Ben Yelin: Right, exactly. So Kagan is joined by her liberal colleagues here, Justices Sotomayor and Jackson, as well as what I would call kind of the "center-right" bloc of the court, Chief Justice Roberts, Justice Barrett, and Justice Kavanaugh. Justices Alito, Thomas, and Gorsuch concurred that the cases should be sent back, but they heavily criticized Justice Kagan's opinion because of the fact that she was so critical of the Fifth Circuit. So it wasn't --

Dave Bittner: That tracks.

Ben Yelin: Yeah, it was, in effect, a 6-3 decision.

Dave Bittner: Yeah.

Ben Yelin: So those were the NetChoice cases. We got years more of litigation on that. The last one I wanted to discuss was Murthy v. Missouri, and we talked about this one when it went in front of oral arguments. Basically, a bunch of U.S. states led by Missouri and a bunch of private parties sued a bunch of government officials saying that their contact with big tech companies was inhibiting their free speech rights. In other words, this was a First Amendment challenge saying that the government was colluding with private companies to suppress First Amendment speech, and the same things kind of motivated this lawsuit that motivated the NetChoice case. It was posts being taken down at, they say, the direction of agents of the government for misinformation on COVID-19. So the named party here is Vivek Murthy, who is the Surgeon General. So that allegation was that the Surgeon General's office was coercing big tech companies to take down information. Therefore, even though these companies are private parties, it was the government that was suppressing speech, if that makes sense.

Dave Bittner: Yeah. It was the government's hand --

Ben Yelin: Exactly.

Dave Bittner: That caused them to suppress speech.

Ben Yelin: The hidden hand of coercion.

Dave Bittner: Sure, sure. Okay.

Ben Yelin: So this case went in front of, you guessed it, the Fifth Circuit, and in another decision where a majority of justices are telling the Fifth Circuit to knock it off, they say that this lawsuit does not confer standing and, therefore, it is thrown out. So "standing" means that at least one plaintiff who's part of the lawsuit has to have suffered some type of injury. There's also a future-looking element of it, so there has to be a substantial likelihood that they'll suffer a similar injury if it is not redressed in this case, and then what I really think is the key factor here is traceability, so the injury has to be traceable to the government's action. There has to be some evidence that but for the government's involvement, their speech or their Twitter posts or their Facebook posts would not have been suppressed, and that's kind of what's lacking in this case. Facebook and Twitter and YouTube regulate speech all the time. They take down content all the time. They did so as it related to COVID-19 misinformation before President Biden took office in 2021, and allegedly officials within his administrations were coercing these federal agencies. So there's just no proof among any of these plaintiffs that you could directly trace their posts being taken down to the government through private conversations coercing these companies. There's just not enough evidence in the record.

Dave Bittner: So, I mean, is it sort of the situation where if you're Facebook, you say, "Hey, look, you know, we get opinions from lots of different people. We have lots of different experts, lots of people who are talking to us and telling us we should do this or shouldn't do that. One of those happens to be people with the federal government, but it's not a direct line."

Ben Yelin: Exactly, and there's no evidence where you could say, "Well, if all of those other people contacted us, we wouldn't have taken down this post," but the fact that the government did it, that put it over the line.

Dave Bittner: I see.

Ben Yelin: There was one close case. I think it was a private individual from Texas where she alleged, at least more compellingly than the other plaintiffs, that it really was a conversation with, I believe it was the Surgeon General's office or a representative of that office and Facebook that caused her post to be taken down. I think there was like a time element that was in favor of her argument. Like, it was quite soon after the conversation took place that they discovered through their discovery process that her posts were taken down, but even in that case, there's just no direct traceability. You don't have that evidence that it was the government's action in communicating with these big tech companies that caused these posts to be taken down, and without that traceability, you do not have standing, and therefore, you don't really have to get to the merits of the case. This is another 6-3 decision written by Justice Barrett. So we have our three center-right justices, Barrett, the Chief Justice Roberts, and Kavanaugh, joined by the liberals, Sotomayor, Kagan, and Jackson, and then Justice Alito with Justice Thomas and Justice Gorsuch writing in dissent, basically saying that this is a broader First Amendment case. We should establish -- standing can be established here. Basically, if you use your imagination, you can see that direct connection. He didn't say it in those terms. That's sort of my interpretation of it.

Dave Bittner: Your own editorialization there, Ben?

Ben Yelin: Yeah. And we should be very concerned about the government communicating with these giant tech companies to take down content, and I think that is certainly a valid concern.

Dave Bittner: Sure.

Ben Yelin: It probably rubs a lot of people the wrong way, myself included, that the government is having these back-channel discussions with big tech companies who are so powerful and can potentially suppress people's speech, but there is just not enough evidence in this case to establish that direct traceability. So therefore, all of the named government agents in this case are still able to communicate with these big tech companies. So in case we have another pandemic, the Surgeon General could go to Facebook and browbeat them and say, "You're going to be responsible for thousands of deaths if you don't take down this post," and that would still be constitutional because this case was thrown out.

Dave Bittner: All right, before we move on with the show and with our guest this week, there's a couple of broader questions about this year and the Supreme Court that I want to talk to you about.

Ben Yelin: Absolutely.

Dave Bittner: So one of the things that caught my eye in seeing discussion over the rulings that came through this session of the Supreme Court, I saw someone say that, as a law professor, that they felt like some of these decisions threw them into chaos. Like, they weren't sure how to teach some things these days. And you're a law professor. I was curious what your take is on that. I mean, are some of these rulings just that -- I don't know, do they go off in a different direction that as a law professor you're thinking to yourself, whoa, okay, how are we going to cover this?

Ben Yelin: Yes, 100%.

Dave Bittner: Okay.

Ben Yelin: I teach an intro course for Master's students called "U.S. Law and the Legal System," which is basically a crash course in all the subjects one would learn about in their first year of law school, and I do a session on administrative law. About 50% of that session was on Chevron deference. So throw that in the shredder. I'm going to have to develop a whole new hour and a half worth of content that reflects this Loper Bright decision.

Dave Bittner: Right.

Ben Yelin: Which gives me more work for the next several months.

Dave Bittner: Yeah.

Ben Yelin: And I have to say there's kind of a less tangible impact in how I will teach that class because so much of it is teaching students what our body of law is and recognizing now that that body of law is subject to change based on the makeup of the Supreme Court. That was always the case, but I think it's important for me to emphasize. I can tell the students Roe v. Wade was overturned and Chevron was overturned, but I think I'm going to have to be more mindful of saying these are our precedent cases. They have yet to be overturned, but we've seen a Supreme Court that is willing to overturn long-held precedents and I think we have to take account of that, that the law as we teach it now is not etched into stone. I think it is going to be subject to change. Now, granted, in the past, there were a lot of decisions that discarded previous decisions that I think all of us thought were good. Brown v. Board of Education overturned Plessy v. Ferguson which held that separate but equal was constitutional under our 14th Amendment, and all of us agreed that that was a bad decision, but I think now more broadly, we're just going to have to discuss the fact that our current court seems more willing in a greater number of cases to go against established judicial precedents.

Dave Bittner: The other thing that caught my eye was I saw someone talking about how the court itself, and correct me here because I'm outside of certainly my range of expertise, but they were saying that of the three branches of government, that the court has no enforcement mechanism.

Ben Yelin: That is correct.

Dave Bittner: And so if --

Ben Yelin: Doesn't have an army.

Dave Bittner: Right. So if a state wanted to say, "Yeah, we're not going to do that," then the court's legitimacy is based on people's willingness to go by what it says, and I believe they were using an example from where Hawaii was responding to some gun legislation, and I might be -- I might have this completely wrong, so forgive me, but I believe it was something having to do with allowing domestic violence abusers access to firearms, and Hawaii said, "Yeah, we're not going to do that, sorry." So I just thought that was really fascinating, this whole notion that what happens if the Supreme Court in its makeup swings so politically and so obviously so that its legitimacy is harmed potentially to the point where states just discount the rulings, and then where are we?

Ben Yelin: That would be really bad. I mean, our entire system relies on adherence to Supreme Court decisions. Now, nothing in the Constitution itself gives the Supreme Court the ultimate authority over what the law says. They gave it to themselves in Marbury v. Madison, but we've held that as precedent for more than 200 years, that the Supreme Court is the final arbiter of what the law is, and that has been tested. It was tested in the 1950s after Brown v. Board of Education. A lot of Southern school districts refused to integrate, and the Supreme Court had to come in with additional rulings saying you cannot disregard an opinion by this court. We're going to bring in the National Guard to enforce it.

Dave Bittner: Okay.

Ben Yelin: It happened in the 1970s with President Nixon where the Supreme Court knew that if they required President Nixon to release the Watergate tapes that he would probably be impeached and convicted or would end up resigning, and they forced him to do that anyway. It was a real recognition of their power, even though Nixon was president at the time. I certainly don't think that would happen today, by the way, but that was a 9-0 decision. So their power has been tested and it has endured, but it is fleeting, and if people and states and whomever start to lose confidence in the Supreme Court, that's what could end up causing a constitutional crisis. I think that the Supreme Court is mindful of that, and the center-right bloc of Kavanaugh, Chief Justice Roberts, and Barrett have played the role of making sure the court can go in a very conservative direction without completely undermining its own legitimacy.

Dave Bittner: Okay.

Ben Yelin: I think if it were up to Alito, Gorsuch, and Thomas, this is just my personal opinion, I think they would light the whole place on fire, figuratively, figuratively. I think that they disagree with a lot of long-held Supreme Court precedents that are even more highly regarded than Roe v. Wade or Chevron and they would have no reluctance to go against that precedent. I think Barrett, Kavanaugh, and Roberts are concerned about the court's reputation, its standing, and I think that has found its way into their decisions, including two of the ones we talked about today, the NetChoice case and Murthy v. Missouri where they said to the Fifth Circuit, "Knock it off, and I realize that you are furthering conservative policy aims, but this is not the way to do it. We have an established standing, etc., etc." So I think there is that bloc on the court right now that is trying to protect the institution. Who knows if that's going to hold in the future, especially given kind of what's happening in the presidential election right now and if President Trump comes back into office and has the chance to nominate more justices.

Dave Bittner: So to what degree do you think these kinds of concerns are legitimate, and to what degree do you think that they're kind of breathless and overstated?

Ben Yelin: It's a little bit of both. You know, a lot of the overheated rhetoric about how we should disregard the Supreme Court, I believe in institutions, I believe in Marbury v. Madison, I do think the Supreme Court is the best arbiter of what the law is. That is its proper constitutional role that's been long established, and so I think any calls to kind of revolutionize the system are both not wise and also not likely to go anywhere, but I do think there is a very valid concern that the Supreme Court has taken back power for itself. That's one of my main concerns in the case overturning Chevron, is that they've taken power away from federal agencies who have that institutional expertise and they've given it to the federal court system which doesn't, and I just think, from my perspective, that's a bad thing. But I think there's a way to criticize them without questioning our entire system of government. I get that some people disagree with that and want to put the whole system under review, but that's not where I am, at this point, at least.

Dave Bittner: Yeah. All right, well, interesting discussion for sure. Thank you, Ben, for sharing your expertise here. It certainly is a lot to think about, and, of course, we would love to hear from you. If there's something you'd like us to consider for our show, you can email us. It's caveat@n2k.com. [ Music ] Ben, I recently had the pleasure of speaking with Errol Weiss. He is the Chief Security Officer of the Health-ISAC, and we are discussing the current threat landscape in health care and the Health-ISAC's contributions to the recent Cyberspace Solarium Commission's healthcare report. Here's my conversation with Errol Weiss. [ Music ]

Errol Weiss: I always start the conversation off with saying that the ISAC is probably the world's worst acronym. It's a concept that started in the mid-1990s when the U.S. government completed a study and realized that much of the critical infrastructure was owned and operated by the private sector, and if we can roll ourselves back to that time frame, mid-1990s, and think about what was going on on the Internet at the time, I mean, things were just starting to happen, right? I mean, online banking was just becoming a thing, and with the amount of commerce that was beginning to happen and the amount of other businesses that were starting to be drawn to the Internet and other critical infrastructure functions that were relying on the Internet for service, I think it was good of those, I'll say, founding fathers to realize how important it was to get the private sector motivated to begin to work with each other to better protect that infrastructure. So that first ISAC came together and really, you know, rolling ahead 20-plus years later to this time, they still provide that same basic function. It is about sharing incident information, best practices, threat information with each other, all around the idea of helping each other to better protect themselves from threats and vulnerabilities and other issues, and if I had to say it in 10 seconds, I probably would just use the words "it's a lot like a virtual neighborhood watch program." You know, much like in your own neighborhood, if you see something happening, you want to use that information to protect yourself and your neighbors from that happening to you. It's really what it's all about.

Dave Bittner: Well, tell me about some of the specific challenges and opportunities that the health ISAC has.

Errol Weiss: Yeah, so health care certainly has been top of mind, probably for a lot of people recently, with all of the news about ransomware and some of the big incidents that have already happened here in 2024, speaking specifically about the Change Healthcare incident back in February and then the Ascension Hospital attack that happened here in May, and again, just really large ransomware incidents that had just dramatic impact across the U.S. In the case of Change Healthcare, we saw literally hospitals across the U.S. being impacted, patients going to pharmacies not being able to get prescriptions filled. I mean, the impact was just incredibly broad and widespread just from that incident in and of itself, and so as you can imagine, there's already a lot of activity happening trying to figure out how we can avoid that from ever happening again. But ransomware continues to be a big issue, and we can certainly talk about why that is.

Dave Bittner: Well, I mean, let's dig into that. It seems like ransomware operators really have the healthcare industry set in their sights.

Errol Weiss: Yeah, that's true, and I think one of the things we've done at Health-ISAC is we've actually been tracking ransomware incidents since 2020, and just as an example, in 2023, we saw 5,559 ransomware events across all sectors and only 455 ransomware incidents that were actually involving healthcare sector organizations, so it's just a little bit over 8% when you think about it, but I think everybody would believe that number to be higher based on all the media reporting and other issues that we see happening, and I think it's very understandable, because when ransomware impacts a hospital and they're out, it becomes really a human tragedy. I mean, we see patients being diverted to other hospitals, ambulances having to get sent to other emergency rooms, I mean, you know, and God forbid you're in a small rural location, that other hospital may be hours away, and so this could be very life-impacting, certainly a large inconvenience at the very least for so many people, and so when ransomware hits, it becomes a newsworthy event.

Dave Bittner: Yeah, I think it strikes a lot of folks that it's kind of unconscionable that healthcare organizations aren't off the table here, that there are -- there seem to be no limits, you know, to what these folks will do in their attempts to ransom the money off of you folks.

Errol Weiss: And that's exactly what it's all about, right? Cyber criminals are motivated by money and they literally do not care where that money comes from, and so certainly things like hospitals are directly within their wheelhouse.

Dave Bittner: We reported recently on a healthcare report that was put out by the Cyberspace Solarium Commission. I would love to get your insights. As someone who's really intimate with cybersecurity in the healthcare sector, what was your take on the report from the Solarium Commission?

Errol Weiss: Yeah, I really appreciate the work that the Cyberspace Solarium Commission has been doing, and that report, I think, hit the nail on the head in so many ways. I really appreciated the fact, well, of course, that they did a shout-out to Health-ISAC and talked about information-sharing and collaboration in general. We can definitely talk more about that, but I really appreciate how they went into detail about really putting organizations, I'll say, on notice, right? Like calling on Congress to do their fair share, provide more funding, looking at the rest of the federal government to do their fair share when it comes to providing more resources and more programs around info-sharing and information security in general across the healthcare sector, and then leaning appropriately on the private sector itself to do more to protect themselves. A lot of great recommendations in there, and like with so much of the work that the Solarium Commission is doing, I'm hoping to see some of that get put into law and get appropriately funded as well.

Dave Bittner: Now, it's my understanding that you and your colleagues were significant contributors to that report.

Errol Weiss: Yeah, we did have several of our folks that were interviewed during the preparation of that report, myself included. One thing I'll mention there, too, I'm really glad that they also had in there the notion of a virtual CISO, so the whole idea that it would be great to get funding to support a vCISO program where these small rural underserved communities could tap into that vCISO network and literally borrow an experienced CISO's time and use that virtual CISO to help that organization build an effective information security program. Now, of course, they'll need funding. They'll need resources to help implement all of that, but I really feel that without a strategic plan in place, without that strategy in place from someone who has that experience, school of hard knocks, so to speak, they need that advice. They need an advocate like that to help get that program off the ground, and I think that vCISO program is just the ticket to do that.

Dave Bittner: Where do you suppose the Health-ISAC stands right now in terms of participation from the community that you hope to interact with? Are you satisfied with where you are, or is there more work to be done?

Errol Weiss: Yeah, we're always looking to grow. We've got just over 900 institutional members globally. We just passed the 900 mark a few weeks ago, still looking to grow. I think some of our big opportunities today are going to be further growth in Europe and Asia Pacific region, even Australia as well. We're doing a lot of work there, too, with partners, hoping to further broaden not only the membership, but the network of people that we have out there that have different experiences and certainly different visibility into threats, vulnerabilities, other networks, other opportunities to learn from others, and so the bigger the network, the better and stronger that will be globally.

Dave Bittner: What do you suppose it's going to take to really move the needle here to make healthcare organizations, to make hospitals an unattractive target for these folks?

Errol Weiss: Yeah, I think there's a lot of reasons why health care is so underfunded when it comes to cybersecurity. We can certainly talk about that, too. I think that's one of the toughest jobs that someone in that CISO position or if they're leading IT security for an organization, it's probably one of the biggest challenges they're going to have, is trying to get the adequate cybersecurity budget that they really need to protect that organization, to be able to buy the equipment, the technology that they need to implement improved security, but I think most importantly, it's also the people, the experienced people that they need to run and operate all of that. It is, as we all know, and through the other podcasts that I know, I've been listening to you talking about it as well, how difficult it is to attract and retain that talent as well. Again, especially I always look to the small rural hospitals and how difficult it must be for them to attract and retain really good cybersecurity talent.

Dave Bittner: Where do you suppose we're headed here? I mean, what is the trajectory as you look towards the horizon? Any predictions here for where we're going to see ourselves in the near future when it comes to being able to protect healthcare organizations?

Errol Weiss: Well, I think the bad guys innovate really quickly and they are incredibly creative, and today, as we have seen multiple times already, they are leveraging tools like artificial intelligence to do their jobs even better than before. So we've got a lot of catching up to do, and we've got to get on top of that and in front of that in order to really defend these organizations from these kinds of threats. I also think that from all of the incidents that we've seen this year in health care specifically, and in prior years in some of the other critical infrastructures, I think the U.S. population, especially those lawmakers in D.C., are getting tired of all of these breaches and incidents that we keep seeing over and over again, and we're probably going to be facing more regulation and probably other mandates from the government when it comes to cybersecurity and health care. My only caution with that is it's got to come with appropriate funding to help these organizations. Like I talked about before, hospitals are running on razor-thin margins as it is today, and so to divert any kind of budget into cybersecurity is literally going to take away from providing health care to individuals. So it's a tough decision. It's a really big problem that these organizations are facing, so we need help to do it the right way. [ Music ]

Dave Bittner: Ben, what do you think?

Ben Yelin: Yeah, it was really highlighted here over the past several months in Maryland, which was greatly affected by the breach on Ascension Health Systems, I think, that piqued interest in the subject. In the past, our concern with attacks on our health systems was about getting people's personal data, which is very serious, but in the Ascension case, it meant we had to divert people from hospitals because their systems were down. So those are very serious consequences, and I'm just glad that hospitals and health systems are taking that seriously.

Dave Bittner: It strikes me in particular, you know, folks who are in parts of our country, rural areas where you don't have multiple hospitals to choose from, you know, there may be one hospital within several hours' distance from you, and so a hospital being shut down or having to divert patients, that can be a real life-or-death situation.

Ben Yelin: I think that's absolutely the case, and it's no longer hypothetical. I mean, that's exactly what happened in this Ascension case, and they did an excellent job of getting their systems back online, but we know that it always could be worse.

Dave Bittner: Yeah. All right, well, again, our thanks to Errol Weiss from the Health-ISAC for joining us. We do appreciate him taking the time and sharing his expertise. [ Music ] And that is Caveat, brought to you by N2K CyberWire. We'd love to know what you think of this podcast. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you like our show, please share a rating and review in your favorite podcast app. Please also fill out the survey in the show notes, or send an email to caveat@n2k.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at n2k.com. This episode is produced by Liz Stokes. Our executive producer is Jennifer Eiben. The show is mixed by Tre Hester. Our executive editor is Brandon Karpf. Peter Kilpe is our publisher. I'm Dave Bittner.

Ben Yelin: And I'm Ben Yelin.

Dave Bittner: Thanks for listening. [ Music ]