Health-E Law Podcast Ep. 15
Healthcare Security is Homeland Security with Jonathan Meyer, former DHS GC and Partner at Sheppard Mullin
Listen to the podcast released February 5, 2025, here:
https://www.sheppardmullin.com/multimedia-622
Welcome to Health-e Law, Sheppard Mullin's podcast exploring the fascinating health tech topics and trends of the day. In this episode, Jonathan Meyer, former general counsel of the Department of Homeland Security and Leader of Sheppard Mullin’s National Security Team, joins us to discuss cyberthreats and data security from the perspective of national security, including the implications for healthcare.
About Jonathan Meyer
As a partner in Sheppard Mullin’s Governmental Practice Group and leader of the firm’s National Security team, Jonathan E. Meyer counsels clients on their interactions with federal and state government, as well as national and homeland security, Congressional oversight, cybersecurity, AI, high tech, and transportation security, among other issues.
Prior to returning to Sheppard Mullin, Jon was nominated by President Biden and confirmed by the Senate as the Sixth General Counsel of the U.S. Department of Homeland Security, serving from 2021 to 2024. His decades of experience in Congress, the Justice Department and DHS position him to bring an insider’s perspective to interactions between private companies and the government. He has defended scores of Congressional investigations and has prepared witnesses for over 100 hearings, including Supreme Court nomination hearings, impeachment hearings, oversight hearings, high tech and antitrust investigations, and civil rights investigations, among others. He has also represented defendants and witnesses in high-stakes Justice Department criminal investigations.
The media – including CBS News, NPR, The Wall Street Journal, The New York Times, The Washington Post and Politico – regularly turn to Jon for insight into issues regarding national security, homeland security, government investigations, cybersecurity, immigration, politics and Congress. He has twice been honored with the Secretary of Homeland Security’s Outstanding Service Medal, the highest civilian award bestowed by DHS. He has also received the U.S. Secret Service Director’s Honor Award, the Customs and Border Protection Commissioner’s Ensign Award, and the U.S. Coast Guard Commandant’s Distinguished Service Medal, among numerous other prestigious accolades recognizing his exceptional service.
About Sara Shanti
A partner in the Corporate Practice Group in Sheppard Mullin's Chicago office and co-lead of its Digital Health Team, Sara Shanti’s practice sits at the forefront of healthcare technology by providing practical counsel on novel innovation and complex data privacy matters. Using her medical research background and HHS experience, Sara advises providers, payors, start-ups, technology companies, and their investors and stakeholders on digital healthcare and regulatory compliance matters, including artificial intelligence (AI), augmented and virtual reality (AR/VR), gamification, implantable and wearable devices, and telehealth.
At the cutting edge of advising on "data as an asset" programming, Sara's practice supports investment in innovation and access to care initiatives, including mergers and acquisitions involving crucial, high-stakes and sensitive data, medical and wellness devices, and web-based applications and care.
Transcript:
Sara Shanti:
Welcome to Health-e Law. I'm Sara Shanti, a partner in Sheppard Mullin's Healthcare Group, which has recently been honored to be named the 2024 Healthcare Practice Group of the Year by Law360.
Today, I have the pleasure of being joined by Jonathan Meyer, my esteemed law partner in Washington, DC and who serves as the team lead for Sheppard Mullin's National Security team. Jon served in the Biden administration as general counsel of the US Department of Homeland Security from 2021 to 2024 after lengthy stints at the Justice Department and in the US Senate. Jon is a two-time recipient of the Secretary of Homeland Security's Outstanding Service Medal, DHS's highest civilian honor, along with numerous other awards and honors. Now that Jon has transitioned away from the public sector, and of course, we're so pleased to have him here at Sheppard Mullin, he counsels clients on their interactions with federal and state government as well as national and homeland security and congressional investigations among many other cutting-edge issues. Thank you so much for joining us today, Jon.
Jonathan Meyer:
Thanks, Sara. It's great to be here. I'm excited to talk to you.
Sara Shanti:
Excellent. As you know, perhaps better than anyone, cyber threats are on the rise. We hear of massive foreign ransomware events or cyberattacks which crippled domestic organizations as a result of theft of personal data. How do cyberattacks and data privacy impact national security?
Jonathan Meyer:
So there are a number of ways that cyberattacks impact national security, some relating to data privacy, some not. So those not relating to data privacy are when we get attacks from foreign adversaries, groups affiliated with foreign adversaries, which are called APTs or Advanced Persistent Threat groups, that hack into the US government's networks and into our secure systems or hack into critical infrastructure, which it may not be government, but which is critical to the functioning of the country. Things like our water systems and our natural gas and energy systems, what have you. Those are all obviously dangerous because once an adversary is in the system, they can, first of all, fiddle with it and change things, but even worse, wait, hiding in the system until the right time, what they view as the right time, and then paralyze that system at a crucial time for the United States, perhaps when we are in a conflict with that country. So it is a huge national security issue.
But even the theft of people's private data is a national security issue for several reasons. First of all, some of our adversaries are really interested in collecting data on government officials that they can then use to try and blackmail them or use it as leverage against them. But even if you're not a government official, there are countries that try to collect this information illicitly. And then if you happen to visit that country, they're going to be aware of a lot more about you than you realize and could use it against you. So for all these reasons, cybersecurity is a huge national security issue.
Sara Shanti:
It sounds like it's not only about if you're at the highest level of government or an executive at a global corporation, it can really affect just any civilian or ultimately gets into a position of having some sort of ability to have power over an infrastructure or company.
Jonathan Meyer:
I actually just recently sat in on a briefing by the FBI and the CIA where they were talking about just this issue and emphasizing that our adversaries, they're not just interested in what appear to be board and government officials. They're interested in successful businesses, trade secrets, intellectual property, that sort of thing. And so if you are involved in the service business or producing a particularly important product, they're going to be very interested in you and collecting information on you.
Sara Shanti:
Do you have any specific cases or examples where you, this isn't theoretical, and of course, we don't want you to disclose anything that was confidential, but are you able to share any example where you saw this really have an immediate effect on an individual?
Jonathan Meyer:
Sure. No, a lot of this is public. So with regard to specific individuals, I probably can't get into it other than to say that I have seen instances of high-level government officials, Senate confirmed government officials, who had been hacked by adversaries and leading to very dangerous exposure. But in a broader sense, I mean, we're seeing it in the news every day. Many of you may have read about the recent revelation that the Chinese government, I think they said it was the Chinese government, has hacked into our telecommunication systems and are just sitting there reading any SMS text. That obviously affects probably most of the United States population. And unless you are texting on an encoded app like iMessage or WhatsApp or Signal, they're reading everything. So you may think when you are texting with your friend and sharing intimate secrets, or what have you, that you're the only one reading it, but you may not be. And that's a really scary thought, and you can imagine the implications of it.
Sara Shanti:
Yes, thank you so much. I heard mostly it's where like iMessage, iPhone to iPhone where you're both using iMessage is secure, same with Android, but when you start going between those two, I thought I heard was one of the biggest risks where two people had different devices and were communicating by SMS.
Jonathan Meyer:
That's right. Or for example, if you are an iPhone user, if you're texting with someone and it's blue, it's encrypted, so you're fine. If it's green, it is not. It's SMS, and it is not fine. And then there are other apps that people use around the world. People use WhatsApp a lot. That is encrypted fortunately, but the unencrypted stuff is wide open.
Sara Shanti:
So we hear a lot, and maybe some of our listeners are saying this very thing, "I have nothing to hide. You can read my SMS. I have nothing to hide. I'm just talking about where we're going to get dinner or we're out of milk." Can you talk a little bit more about how personal data of just the masses even really can cause harm and why people should care more? And maybe allude a little bit to how data can really be a weapon and weaponized at the right moment. I know you touched on that briefly.
Jonathan Meyer:
Yeah, so people often their initial reaction, mine too, is, "Oh, I don't have anything to hide. What I text, sometimes it's private, but it's not dangerous." But think about it, every once in a while your doctor's office asks for your Social Security number or your employer and you don't feel like walking down and giving it to them in person, so you're like, "Ah, it's okay, just this once I'll send in a text or in an email." Then it's exposed.
And of course with Social Security number and other information like that, date of birth, same thing, you can do a lot of mischief. You can start to access funding and steal people's identity. And so, first of all, as a lot of people have heard about, that causes all sorts of havoc when you have identity theft and you have to lock down all of your credit card accounts and what have you. But even on the national security side, what we've seen, it's become a regular thing now, for example, for North Korean groups to assume a person's, just a normal American's, identity and create a fictitious employment arrangement where they are working at some company from whom they want to get the data. And the person whose identity they're using doesn't even know that this is happening. So there's all sorts of mischief that can be accomplished with that information.
Sara Shanti:
And as a follow-up to that, of course I think a lot of adults are aware of how they should keep their information secure and they have immediate financial concerns. But what about those that are not active financially, mostly children and minors, who are out there on social media because they're adorable and parents are posting and do have Social Security numbers, just might not have a bank account or haven't needed to build their credit yet, are you seeing that that's a vulnerability too?
Jonathan Meyer:
Yes, minors and also senior citizens who often are not as technologically savvy or simply don't have their guard up the way younger adults do. Particularly with children, it's a little different. As you say, it's not really a financial thing, but they're able to track any individual, including a child's activity, and learn everything they're interested in and what they're doing, which can be used down the road to try and assume an identity or forge some sort of relationship with them maybe to try and get information that the kid may have heard from their parents or what have you. And then, of course, with senior citizens, it can be financial, it often is financial because they do have assets, but they are often more vulnerable.
Sara Shanti:
So some of this sounds very Hollywood, what we think about of cyberattacks and national security, military operations or hacks, but we know that it has a real footing in the healthcare space. Can you tell us a little bit more about how healthcare is particularly vulnerable, even outside of just the hospital setting, kind of where health information has really been a pathway to some big risks to homeland security?
Jonathan Meyer:
Yeah, so let me start with the hospital setting because we've seen any number of hospital groups and networks be the victims of ransomware and have had their entire systems shut down and have had to pay ransom or figure out a way to get out of it. And of course, with hospitals, it's in many ways a bigger deal than it is if it's a company that makes widgets because people's lives are at stake, and it's a really dangerous thing. But even outside of that hacking of hospitals, again, obtaining sensitive health information is of value to bad guys, particularly our international adversaries, because again, they're learning more about a person and where they may have weakness. They may learn, for example, that a person has a health condition that they haven't disclosed to their employer. And then it becomes useful for blackmail if the person is working in a sensitive position. And that's just an example. So there's any number of ways.
But there's a reason that healthcare information is considered so sensitive. It's not just that it's very private, it's also very sensitive in a more general way and can be used as leverage or as intelligence. And so for example, if you are going to visit a country that may have strained relations with ours, and a lot of people do go to China or Russia or where have you, and even some countries that are friendly to us are very advanced at this and do this, they create a profile on you and they can know a ton about you when you arrive on their shores, and you never know how they might use it.
Sara Shanti:
So generally at this point of the podcast we ask our guests to leave the audience with some pearls of wisdom. But I'm going to do something a little different, I'm going to ask what you can advise to our healthcare stakeholders in cybersecurity.
Jonathan Meyer:
Great question. So at the healthcare level and for institutions, my advice would be to remain vigilant, keep an eye on the executive actions that are coming out and ultimately the regulations and agency actions. Make sure in terms of cybersecurity that your cybersecurity protection plan, first of all, exists, and secondly, remains updated and compliant with the latest requirements, but also follows the latest technology and the latest advice. I would also suggest you forge relationships with the relevant government entities so that if something happens you've already got a relationship and you can reach out to the FBI, to CISA, and then to the relevant subject matter agencies, HHS, FDC, whomever.
Sara Shanti:
Thank you, Jon. I think it was a great recommendation to engage with agencies and know who your contacts are. We've also seen this on the ransomware front where you want to know who your legal team is, you want to know who your forensic experts are. So I would really encourage our listeners in the healthcare industry specifically to reach out and meet you, our healthcare team, and we have some really great relationships with experts so that when that incident happens, that you don't want and did not expect, you're able to take immediate action.
Jonathan Meyer:
Absolutely. That's very sage advice.
Sara Shanti:
All right. Well, thank you so much, Jon, for being with us and we look forward to speaking on our next podcast. In the meantime, we're standing by if we can support.
* * *
This podcast is for informational and educational purposes only. It is not to be construed as legal advice specific to your circumstances. If you need help with any legal matter, be sure to consult with an attorney regarding your specific needs.