Health-E Law Podcast Ep. 12

Healthcare Needs More Hackers with Ilona Cohen of HackerOne

Thank you for downloading this transcript.

Listen to the podcast released September 26, 2024, here:

https://www.sheppardmullin.com/multimedia-590

Welcome to Health-e Law, Sheppard Mullin's podcast exploring the fascinating HealthTech topics and trends of the day. In this episode, Sheppard Mullin’s Phil Kim, Sara Shanti and Michael D. Sutton are joined by Ilona Cohen, Chief Legal Officer and Chief Policy Officer of HackerOne, to discuss creative and inspiring solutions for addressing the surge of data breaches in healthcare.

About Ilona Cohen

Ilona Cohen was formerly a senior lawyer to President Obama and served as General Counsel of the White House Office of Management and Budget (OMB). Highly experienced with cybersecurity and ethical hacking solutions, she was part of a core group in the White House responsible for the development of President Obama’s long-term strategy to enhance cybersecurity awareness and protection in the public and private sectors. These efforts resulted in the launch of the first U.S. government bug bounty program, Hack The Pentagon, run by HackerOne.

Prior to joining HackerOne in July 2022, Ilona served as Chief Legal and Compliance Officer at Aledade, another venture-backed tech company, where she successfully built and scaled the company’s legal and compliance teams. At HackerOne, she’s leveraging her extensive experience to build out the public policy team, mature the legal function to support expanded growth and provide strategic leadership to the rest of the company.

About Sara Shanti

A partner in the Corporate Practice Group in Sheppard Mullin's Chicago office and co-lead of its Digital Health Team, Sara Shanti's practice sits at the forefront of healthcare technology by providing practical counsel on novel innovation and complex data privacy matters. Using her medical research background and HHS experience, Sara advises providers, payors, start-ups, technology companies, and their investors and stakeholders on digital healthcare and regulatory compliance matters, including artificial intelligence (AI), augmented and virtual reality (AR/VR), gamification, implantable and wearable devices, and telehealth.

At the cutting edge of advising on "data as an asset" programming, Sara's practice supports investment in innovation and access to care initiatives, including mergers and acquisitions involving crucial, high-stakes and sensitive data, medical and wellness devices, and web-based applications and care.

About Phil Kim

A partner in the Corporate and Securities Practice Group in Sheppard Mullin's Dallas office and co-lead of its Digital Health Team, Phil Kim has a number of clients in digital health. He has assisted multinational technology companies entering the digital health space with various service and collaboration agreements for their wearable technology, along with global digital health companies bolstering their platform in the behavioral health space. He also assists public medical device, biotechnology, and pharmaceutical companies, as well as the investment banks that serve as underwriters in public securities offerings for those companies.

Phil also assists various healthcare companies on transactional and regulatory matters. He counsels healthcare systems, hospitals, ambulatory surgery centers, physician groups, home health providers, and other healthcare companies on the buy- and sell-side of mergers and acquisitions, joint ventures, and operational matters, which include regulatory, licensure, contractual, and administrative issues. Phil regularly advises clients on matters related to healthcare compliance, including liability exposure, the Stark law, anti-kickback statutes, and HIPAA/HITECH privacy issues. He also provides counsel on state and federal laws, business structuring and formation, employment issues, and matters involving government agencies, including state and federal agencies.

About Michael D. Sutton

As an associate in the Corporate Practice Group at Sheppard Mullin’s Dallas office, Michael D. Sutton specializes in cutting-edge and disruptive areas of practice, blending healthcare, technology, and legal compliance. In particular, he focuses on HIPAA and privacy regulations, considering their relationship with technological advancements in both healthcare and consumer sectors. He is skilled in negotiations regarding data usage and ownership rights, guiding clients on marketing or integrating technological innovations while navigating emerging regulations in digital healthcare, including artificial intelligence, web tracking, information blocking, offshoring, and de-identification.

Michael has managed investigations, worked to resolve active breach incidents, and advised clients on healthcare privacy and technology matters. He supports clients navigating HIPAA and other privacy laws to ensure their objectives are achieved within all legal and regulatory requirements. Michael also provides comprehensive regulatory services to a range of healthcare participants, including investors, managed care organizations, health plans, and medical groups. In particular, he has tackled operational and contractual negotiations, licensing, compliance, and fraud considerations and conducted regulatory due diligence for transactions, including mergers and acquisitions.

Michael also supports transactions involving tech companies and healthcare providers, guiding negotiations related to software and service relationships while identifying vulnerabilities in targets and devising creative solutions to address them.

Transcript:

Sara Shanti:

Welcome to Health-e Law. I'm Sara Shanti here with my co-host and Sheppard Mullin Law Firm Partner, Phil Kim.

Phil Kim:

Thanks, Sara. Today we're also joined by our colleague Michael Sutton, to discuss creative and inspired solutions to address the devastating data breaches that we see in healthcare every day now.

Michael Sutton:

Thanks, Phil. Happy to be here and pleased to have our guest, Ilona Cohen with us today.

Ilona Cohen:

Thank you so much for inviting me.

Phil Kim:

Ilona is the Chief Legal Officer and Chief Policy Officer for HackerOne, a global leader in human-powered security. Ilona was formerly Senior Lawyer to President Obama and served as GC of the White House Office of Management and Budget. HackerOne is well established in the industry, as it helps clients pinpoint the critical security flaws they need to fix to stay ahead of cyber criminals. HackerOne also combines the most creative human intelligence with the latest AI to reduce threat exposure across the full spectrum of platforms. Ilona, thanks so much for joining us and we'll jump right into the questions.

Ilona Cohen:

Great. I'm excited to be here.

Michael Sutton:

So Ilona, to level set for our listeners, would you start by providing a short description of the terms "data breach" and "ransomware" in healthcare? What exactly do those mean for our listeners?

Ilona Cohen:

Sure. A breach generally is when unauthorized parties would gain access to sensitive or confidential information. In the healthcare context though, the B word, as I used to call it when I was the general counsel of a healthcare company, involves specifically access to records that contain PHI. So, it has a specific meaning in healthcare context that it might not in other industries. And the reason I say B word is because I instilled in my company that they were not allowed to use that word unless I said it was okay. Because once you have a breach, then a whole host of other requirements follow.

Phil Kim:

Yeah, we'd agree with that. And we think that's probably the worst B word in the English dictionary. And speaking of regulatory definitions like the B word, and despite the government's best efforts to impose more regulatory security requirements than ever before, healthcare service-halting data breaches and ransomware attacks have really become the modern-day norm. We know there are a host of reasons for this, but we're curious as to your thoughts on what you think is driving the increased surge of threat actors.

Ilona Cohen:

Sure. Well, ransomware, for maybe the listeners who are not quite as familiar with cybersecurity, that's when a user or an organization is denied access to their files or their computer until payment has been made to a criminal actor. And over the last couple of years, ransomware attacks have really spiked. And that's in part because in certain areas of the world, it has become a professional business.

There are sophisticated organizations, they work regular banker hours, they know exactly what they're looking for. They have their own SLAs, they have a certain number of hours they'll devote to any attack. And then they get into your system through vulnerabilities. They look for your cyber insurance policy first, they know exactly how much you're willing to pay as a result, and they are very efficient at what they do. And so, that has become big business in the world. And as a result, you're seeing an uptick in those types of attacks. They pay big money.

Phil Kim:

What would you say are some of the ways that healthcare stakeholders have helped to mitigate these risks or see these issues rise within their space?

Ilona Cohen:

Well, the best way to prevent a breach or a cyberattack or a ransomware attack is to make sure that you have limited vulnerabilities so that you're identifying your vulnerabilities beforehand. And by vulnerabilities, I mean flaws in your system, something that would allow a cyber-criminal access. And there are multiple weaknesses in any company's security, whether it's people, systems, networks. Even the most sophisticated companies, that devote millions of dollars, sometimes multi-millions of dollars to their security programs, have flaws. And it's helpful to have a group of actors who are not affiliated with that program look for vulnerabilities, identify them, and fix them before they're exploited. And so many industries do this, but unfortunately the healthcare industry is a little bit further behind in this type of best practice.

Phil Kim:

Yeah, I think we see that's often the case within our industry. But yeah, we definitely think that with the ever-evolving nature of not just technology but really Health Tech, we see this being an even more important topic for those in our industry to be aware of.

Ilona Cohen:

Oh yeah, it's essential. I mean, take a look at the impact that some of these breaches have had. The most recent one that got the biggest amount of attention is, of course, the Change Healthcare ransomware attack. And that impacted millions of patients. And not just in a way that resulted in sensitive data being stolen, but actually in denial of critical prescriptions and other really alarming consequences. And so, you have to really take a step back after something like that and some of these other high-profile incidents and wonder, how did we get here? And more importantly, what can we do next?

Michael Sutton:

You know, those of us that work in this space on a daily basis are always concerned about the privacy of patients and consumers when we hear about breaches. But patients don't always understand all of the risks that arise from these breaches. So for example, could you describe how breached data is being monetized or even laundered back into legitimate businesses? What should patients be worried about when their data is taken?

Ilona Cohen:

Yeah, I think in some ways, I don't know about you, but I seem to get an email every other week, it seems, from another company telling me about a breach or a notification that my data has been stolen. And most of the time, even I just sort of shrug my shoulders and say, "Okay, what can I do about it?" I'll change my passwords, I'll put a credit lock on my accounts, and hope for the best. And that's when it comes to something that could subject you to fraud or even identity theft; no one wants to deal with that, that's problematic. But when it comes to the private personal health details, the most personal information that you share in your doctor's office, no one really wants to see that exposed. And that could subject a person to fraud and identity theft, for sure, but even blackmail in some instances.

Michael Sutton:

Now of course, patients aren't the only parties with exposure following a breach. We see industry players, businesses, healthcare providers, they have exposure as well. And we've really noticed an uptick in class actions or enforcement actions and settlements. They're really hitting high dollar figures. Could you just touch on some of the exposure that businesses need to look out for, following a breach?

Ilona Cohen:

Sure. You have lawsuits from customers of course, whose personal information was stolen. There are any number of enforcement actions, potential enforcement actions from regulatory bodies, both at the federal level and the state level. And those claims can vary. They assess whether the actions that the company was taking before the breach were reasonable or were appropriate, whether the company was prepared, whether the SEC is involved in some ways, whether the company's preparedness actually matched their public disclosures.

Here was a new one actually that I saw a couple of months ago. There's a new requirement for public companies to report material incidents within four days of the company's determination that they were material. So, a company actually was the subject of a ransomware attack and then the cybercriminal that actually perpetrated the attack then reported that company to the SEC for failure to report the incident as material. So, even the cyber criminals are getting in the game when it comes to regulatory enforcement.

Michael Sutton:

That's exactly why businesses need to be thoughtful about this, and that's exactly why they need to work with folks like HackerOne. Because you help them get on the forefront of that to try to stay ahead of it. Could you tell us a little bit about HackerOne and the kind of work that you do?

Ilona Cohen:

Yeah, sure. Thanks for the question. I think I mentioned earlier, it's really a security best practice to run what's called a vulnerability disclosure policy or a bug bounty program. So that's understood as the "see something, say something" model in cybersecurity. If you see a vulnerability on someone's system, please say something. If it reaches a certain severity, we're going to pay you. That's the gist. So the company will set up a program on our platform. They will ask ethical hackers or good faith security researchers, depending on your comfort level, you might want to call them a hacker or a researcher. And they ask for those reports because it allows the company to mitigate any of those vulnerabilities before they can be exploited.

So the bug bounty programs, they really have the best engagement because they offer monetary rewards or other incentives to the hackers who might successfully identify and report those in-scope vulnerabilities. The vulnerability disclosure policies are the version that just asks out of kindness, "If you see something, let us know", but it doesn't involve an exchange of payment.

So, that is something that has proven to be very successful. The average payout for a vulnerability on our system is a thousand dollars. So, it's very small. And when you compare that to the average cost of a breach, which is four and a half million dollars and growing, you see it's a very wise investment.

Phil Kim:

Yeah, a thousand dollars is not even a drop in the bucket in comparison. And you recently authored a really interesting article on the possibility for real cybersecurity change and I know you just touched on the topic of the promise of ethical hacking and the general concept of it. But can you describe for our listeners more of what ethical hacking is and generally the industry's adoption of ethical hacking or case studies of actual implementation?

Ilona Cohen:

Yeah, as I mentioned, when you have something like the Change Healthcare incident and you assess its impact, you really just can't feel comfortable with the status quo. And in the White House, we always used to say, "Never waste a good crisis." And there are no good crises, but there are many that prompt real thought. And certainly, the Change Healthcare one prompted a lot of thought by the Administration that was focused primarily on ransomware, but also for those of us who are interested in, how can we prevent something like this from happening in the future?

And my conclusion was healthcare needs more hackers, not cyber criminals. There's a clear distinction. They need more ethical hackers, good faith hackers who use their skills for good. There are many of those. This is something, a program that the government itself has embraced. When I was in the White House, there was a huge breach at the time, and the B word was justified there. It affected over 20 million personnel records from the Office of Personnel Management in the U.S. federal government. And we took a step back and we thought to ourselves, how do we prevent this from happening again? And it led to the government launching what was then the very first government bug bounty program called Hack the Pentagon.

And at the time, I remember all of the hand-wringing that was involved when senior level folks kept asking, "Are we really inviting hackers to attack the Pentagon system?" And yes, that was what we were doing. And it turned out to be a huge success. HackerOne has run that program now for eight years. And they have identified during that time, over 50,000 vulnerabilities. Now, if you launch a vulnerability disclosure policy, I promise you, you will not get 50,000 reports. There's a certain cachet to hacking the Pentagon that won't exist in the private sector. But that is 50,000 opportunities, other opportunities for the Pentagon system to be exploited that we prevented. And that feels pretty good.

And so for some reason, the healthcare industry has not been as willing to embrace ethical hacking as other industries. We have the financial sector. It has fully embraced this concept and this service. And we have other industries that have followed that.

In the first instance, actually, I was just at a sort of a live hacking event with the election industry. And there's always a reluctance, much like I described, the reluctance on the part of the Pentagon, "Are we really going to do this?" And then it just takes one vulnerability to be found. The "what if" that occurs afterwards, the thought that a company or the organization goes through in order to identify what could have happened if this had not been found. And that usually gets the organization or the company to overcome whatever concerns they might've had. So, healthcare needs more hackers.

Phil Kim:

Internally, we were actually just talking about how oftentimes it takes even Hollywood to effect change in legislation. And your idea of ethical hackers brings to mind just the importance of people out there doing good, and Frank Abagnale and that story from Catch Me If You Can. Really, when you talked about the financial sector and ethical hacking, even from that perspective, it would be great to see that in the healthcare industry. And I feel like we're long overdue for that.

Sara Shanti:

Ilona, Phil, and Michael, this was an excellent episode. That's it for this episode. We look forward to next time. We're of course, standing by if you should need us in the meantime. We wish you a great day and a lifetime of secure data. Thank you all.

Ilona Cohen:

Thank you.


* * *

Thank you for listening! Don't forget to SUBSCRIBE to the show to receive new episodes delivered straight to your podcast player every month.

If you enjoyed this episode, please help us get the word out about this podcast. Rate and Review this show on Apple Podcasts, Amazon Music, or Spotify. It helps other listeners find this show.

This podcast is for informational and educational purposes only. It is not to be construed as legal advice specific to your circumstances. If you need help with any legal matter, be sure to consult with an attorney regarding your specific needs.
