Cassie (Leonard) Ballard, Director of Congressional Affairs for CHIME, stops by. In this heightened state of cybersecurity awareness, especially with the war going on in the Ukraine, how is CHIME helping health systems understand the required federal regulations?
This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.
Today we have another interview in action from the conferences that just happened down here in Miami and Orlando. My name is Bill Russell. I'm a former CIO for a 16-hospital system and creator of This Week Health, a set of channels dedicated to keeping health IT staff current and engaged. We want to thank our show sponsors who are investing in developing the next generation of health leaders, Gordian dynamics, Quill health tau site nuance, Canon medical, and current health.
Check them out at thisweekhealth.com/today. Here we go. Good morning. We're here from the, a CHIME of Springfield. I want to call it the times three, four, but really it's five twenty twenty two. Or do we call it both?
We call it ViVE. We're here with Cassie Leonard, the director of congressional affairs for CHIME. So, interesting job. A lot going on on the hill right now. Definitely. Where do we want to start? Do you want to start with cybersecurity? You want to start?
I think cyber would be a good place to start. It's, it's amazing. So we. The conflict or war going on in the Ukraine right now. And CHIME has been really helping health systems to understand the heightened state of awareness that is required. Is that coming out of the federal government, is that coming out of partnerships with them. And we were saying, look, Hey, here's what's going on?
And we're just disseminating that out to the, to the community.
Yeah. So I think. Asset. I guess what CHIME can bring to the table is that we provide a lot of resources for our members, especially the public policy team. You know, we talk to members regularly, actually, who need to be in touch with FBI, CISA, et cetera.
And we are able to provide that connection for them so far. If so, I'm breached, you got people who were actually will reach out to CHIME and say, Hey, I've been
breached. So though, I mean, my boss, Marie, she gives that her personal cell phone number. So members will call or text her and we don't need to know any details, but we're able to pass that information along and get them in touch with the right people.
Yes. So, so when we look at the congressional calendar, are they taking up legislation around cybersecurity right now? They are actually, and we've been happy because of the last year. There've been several committees, I would say. Most notably the Senate Homeland Security Committee. They recently passed a package of three cyber bills out of the Senate by unanimous consent.
And we've been following that really closely three bills out of the Senate. I feel like we're doing schoolhouse rock here again. So when they come out of the Senate, they still have to go over to the house. Exactly. Yeah. So that package of bills has not passed the house yet, but there is one in particular.
We've been following really closely the Cyber Incident Reporting Act because that would actually impact our members pretty significantly. Cyber Incident Reporting Acts. I believe I'm, I'm saying that right yet.
CISAC, there's an acronym for everything,
Right. I don't know if this one has an acronym, but, but yeah, so I'm not sure how familiar you are.
No. So it requires it will require health systems to do what, so it would require them within 72 hours of a significant cyber. To report that incident to CISA.
Okay. And then if we don't there's penalties and all sorts of other things, I see exactly. There's also a provision on ransomware, so you'd have to report, you know, a ransomware payment within 24 hours.
And so this is a bill we've been following over the last couple months. There've been several iterations of it. There've been a couple of versions that would require a party within 24 hours. And we were really happy to see that timeframe shifted a little bit. Yeah. There's the fog of war in the first 24 hours because we've, we've done a, we've done a webinar and we've done a couple of shows with, like Sky Lakes
Medical Center was, was ransom that first 24 hours is sorta like, are we where what's happening? Are we really sure what's happening? It's now at 72.
So it's at 72 hours and we feel a little bit more comfortable with that. However, we do have smaller providers who have definitely still expressed concern about that time period.
Just not knowing enough information and just, no, I, I understand that, but healthcare naturally will push to, you know, Hey, let's do digital in 10 years. Not. I said that night, you just, so people can send her their, their nasty emails to me. But I mean, within 72 hours, you know, you've been breached. I mean that first 24 hours, just based on my experience, interviewing people, you have the what's happening, what's happening.
Oh my gosh. All the systems are getting locked down. But then the next thing that happens, it's really interesting if they like lose control. So the FBI comes in and they start doing an investigation and it's. And the, the IT teams are told don't touch the system. So you actually do have some time from the time those entities start coming in and doing an investigation to, to notify.
And like you said, they could just call Mary S, Mari's, cell phone number and she'll connect them with the right people. So it's, it's, there's, there's three bills coming over. What do we will CHIME advocate for those or.
So we actually expressed some concerns with the cyber incident reporting bill, kind of behind the scenes, if you will.
Just due to the definition of a cyber incident, we were, you know, the feedback we received from members was that some of them have potential cyber intrusions every week. And so would they just be reporting all the time? And that definition was strengthened a little bit, to make it, I believe it it's a, has to be a significant and there are some criteria you would have to meet.
So it's not any more, there was originally, I believe, , the definition was like potential or something like that, which we are not big fans of.
Right. Because, yeah, I do talk to health systems. So they say, look, you know, we, we do have the. People who penetrate our network from time to time, but we have these, these, really the architecture and the framework in place that they don't go too far wide.
And so they get sort of quarantined off in those cases, you know, get sectioned off, gets remediated, those kinds of things very quickly. So that may not fall into that category. It has to be something that either leaves. I'm not sure if you know that
I would have to look up the definition, but I believe it has to have certain requirements potentially like national security implications.
So we're talking national security at this point. I mean, that's how they're looking at this cybersecurity
situation. I believe so. And like I said, it's been kind of a joint effort between the Homeland Security Committee and Senator Warner, who, as you know, is the chairman of the Intelligence Committee.
So it's definitely a multi committee and also a bicameral piece of, of legislation. And so I know. Senators Peters and Portman are really pushing for the House to pass this quickly, due to the conflict in Ukraine. So it'll be interesting to see if they, maybe they tack it on to this March 11th spending bill.
It is bipartisan. It is bipartisan.
Okay. So it has a good chance of getting through, I
think so I honestly, yeah.
So you came into this role.
In March of:it was, it was pretty much when the, yeah, everything was shutting down. So have you spent much time on the hill?
I was on the hill for six years before showing to CHIME. I spent three years in the Senate side and three years on the House side.
Okay. But since that March time it's been, it hasn't been business as usual has it, it
hasn't, it's been all cyber all the time, I would say. And it's been a little challenging.
The hill has been closed off for the most part to meetings. So a lot of our advocacy work has been virtual on Zoom over the phone. So I know that our team at least is really looking forward to going back in person at least a few days a week, and meeting with people in person.
So for CHIME, are we coordinating efforts to have CEO's and others.
For these things, or is it mostly through CHIME that we're doing those things?
We have utilized our CIO and CSO members in a few ways up until this point, but I would love to bring someone like Erik Decker on the hill. Who's really obviously strong. And he's the co-chair of the 405(d) task group.
I would love to bring him on the hill and take him to a meeting. So they could hear firsthand. We actually hope to do a hill briefing with staff, virtual or in person this year. That would just so they can hear firsthand on what exactly what, what they've been going through the past two years.
That is, that is short surgery, your role. I mean, I I've heard, you know, the bubble of Washington sort of happens and sometimes just bringing people in and saying, okay, here's what hospitals are facing here. Somebody attacks, we get a day, here's the intrusions we get over here. They're like, oh, okay. I'm not sure.
I recognize that this problem was as pervasive or
challenging. Exactly. I mean, it's one thing coming from me as a government affairs person. It's another thing coming directly from a health system that, you know, you know, had a ransomware attack. Yeah. I mean, that's, that's huge. So.
Cassie, thank you for your time.
Thanks so much.
Another great interview. I want to thank everybody who spent time with us at the conferences. It is phenomenal that you shared your wisdom and your experience with the community, and it is greatly appreciated. We also want to thank our channel sponsors who are investing in our mission to develop the next generation of health leaders, Gordian dynamics, Quill health tau site nuance, Canon medical, and current health.
Check them out at thisweekhealth.com/today. Thanks for this. That's all for now.