ALASKA STATE LEGISLATURE
SENATE HEALTH AND SOCIAL SERVICES STANDING COMMITTEE
February 8, 2022
1:31 p.m.

MEMBERS PRESENT

Senator David Wilson, Chair
Senator Shelley Hughes, Vice Chair
Senator Lora Reinbold
Senator Tom Begich

MEMBERS ABSENT

Senator Mia Costello

COMMITTEE CALENDAR

DHSS CYBERATTACK UPDATE

- HEARD

SENATE BILL NO. 132
"An Act exempting veterinarians from the requirements of the controlled substance prescription database."

- MOVED SB 132 OUT OF COMMITTEE

COMMITTEE SUBSTITUTE FOR HOUSE BILL NO. 133(L&C)
"An Act relating to the Alaska savings program for eligible individuals; relating to education savings programs; relating to the Education Trust of Alaska; relating to the Alaska advance college tuition savings fund; relating to the Alaska education savings program for children; and relating to the Governor's Council on Disabilities and Special Education."

- HEARD & HELD

PREVIOUS COMMITTEE ACTION

BILL: SB 132
SHORT TITLE: CONTROLLED SUB. DATA: EXEMPT VETERINARIAN
SPONSOR(s): SENATOR(s) HOLLAND

04/28/21 (S) READ THE FIRST TIME - REFERRALS
04/28/21 (S) HSS, L&C
02/03/22 (S) HSS AT 1:30 PM BUTROVICH 205
02/03/22 (S) Heard & Held
02/03/22 (S) MINUTE(HSS)
02/08/22 (S) HSS AT 1:30 PM BUTROVICH 205

BILL: HB 133
SHORT TITLE: AK ED SAVINGS PROGRAMS/ELIGIBILITY
SPONSOR(s): LABOR & COMMERCE

03/10/21 (H) READ THE FIRST TIME - REFERRALS
03/10/21 (H) L&C, FIN
03/17/21 (H) L&C AT 5:45 PM BARNES 124
03/17/21 (H)
03/19/21 (H) L&C AT 3:15 PM BARNES 124
03/19/21 (H) Heard & Held
03/19/21 (H) MINUTE(L&C)
03/24/21 (H) L&C AT 3:15 PM DAVIS 106
03/24/21 (H) Moved CSHB 133(L&C) Out of Committee
03/24/21 (H) MINUTE(L&C)
03/24/21 (H) L&C AT 5:45 PM DAVIS 106
03/24/21 (H) -- MEETING CANCELED --
03/25/21 (H) L&C RPT CS(L&C) 6DP 1NR
03/25/21 (H) DP: SNYDER, SCHRAGE, MCCARTY, NELSON, SPOHNHOLZ, FIELDS
03/25/21 (H) NR: KAUFMAN
04/07/21 (H) HSS REPLACES FIN REFERRAL
04/07/21 (H) BILL REPRINTED
04/20/21 (H) HSS AT 3:00 PM DAVIS 106
04/20/21 (H) Heard & Held
04/20/21 (H) MINUTE(HSS)
04/22/21 (H) HSS AT 3:00 PM DAVIS 106
04/22/21 (H) Moved CSHB 133(L&C) Out of Committee
04/22/21 (H) MINUTE(HSS)
04/26/21 (H) HSS RPT CS(L&C) 5DP 1NR
04/26/21 (H) DP: FIELDS, SPOHNHOLZ, MCCARTY, ZULKOSKY, SNYDER
04/26/21 (H) NR: KURKA
05/07/21 (H) TRANSMITTED TO (S)
05/07/21 (H) VERSION: CSHB 133(L&C)
05/10/21 (S) READ THE FIRST TIME - REFERRALS
05/10/21 (S) HSS, L&C
02/03/22 (S) HSS AT 1:30 PM BUTROVICH 205
02/03/22 (S) Heard & Held
02/03/22 (S) MINUTE(HSS)
02/08/22 (S) HSS AT 1:30 PM BUTROVICH 205

WITNESS REGISTER

SYLVAN ROBB, Assistant Commissioner
Office of the Commissioner
Department of Health and Social Services (DHSS)
Juneau, Alaska
POSITION STATEMENT: Co-presented the DHSS Cyberattack Update.

SCOTT MCCUTCHEON, Information Technology Manager
Finance and Management Services
Department of Health and Social Services (DHSS)
Juneau, Alaska
POSITION STATEMENT: Co-presented the DHSS Cyberattack Update.

REPRESENTATIVE ZACK FIELDS
Alaska State Legislature
Juneau, Alaska
POSITION STATEMENT: Sponsor of HB 133.

TRISTAN WALSH, Staff
Representative Zack Fields
Alaska State Legislature
Juneau, Alaska
POSITION STATEMENT: Answered questions on HB 133.

PATRICK STOCKS, Attorney
Disability Law Center of Alaska
Anchorage, Alaska
POSITION STATEMENT: Testified by invitation on HB 133.

ACTION NARRATIVE

1:31:16 PM
CHAIR DAVID WILSON called the Senate Health and Social Services Standing Committee meeting to order at 1:31 p.m. Present at the call to order were Senators Reinbold, Begich, Hughes, and Chair Wilson.

DHSS CYBERATTACK UPDATE

1:32:19 PM
CHAIR WILSON announced the consideration of an update by the Department of Health and Social Services (DHSS) on cyberattacks.

1:33:13 PM
SYLVAN ROBB, Assistant Commissioner, Office of the Commissioner, Department of Health and Social Services (DHSS), Juneau, Alaska, introduced herself.

1:33:46 PM
At ease.

1:34:08 PM
CHAIR WILSON reconvened the meeting.

1:34:14 PM
MS. ROBB stated that the Department of Health and Social Services (DHSS) manages 600 servers that operate around 350 applications and must adhere to Health Insurance Portability and Accountability Act (HIPAA) requirements. Instances exist where DHSS utilizes services outside of the Office of Innovation and Technology (OIT) to maintain HIPAA compliance.

MS. ROBB turned to slide 2 and stated that on May 5, personnel in OIT noticed malicious activity happening within the DHSS system. The impacted systems were immediately taken offline, law enforcement was notified, and an incident response team was assembled. On May 10, 2021, an experienced global contractor was hired to address the sophistication of the attack.

1:36:38 PM
MS. ROBB said the contractor completed system checks on May 17. Nineteen systems were identified as having elements of compromise. Sites taken down included the DHSS website, the background check unit, Alaska's Automated Information Management System (AKAIMS), grants management, and vital records. On May 18, the public was notified of the attack through a press release and social media. HIPAA guidelines require a low level of information compromise. Therefore, in September, the department notified all Alaskans of the breach and offered credit monitoring.

1:38:08 PM
SCOTT MCCUTCHEON, Information Technology Manager, Finance and Management Services, Department of Health and Social Services (DHSS), Juneau, Alaska, said the cyberattack response consisted of three phases. The detection and analysis phase determined the scope of the intrusion, date, length, and reason. The containment and eradication plan was created in phase one but carried out in phase two. The containment and eradication plan involved isolating affected systems, disabling accounts, and resetting, then rotating, privileged account passwords every other day across the enterprise. Malware provided by the contractor was distributed across the enterprise to find additional signs of compromise.
MR. MCCUTCHEON said the third phase was post-incident activity. It involved reviewing and improving server and application hardening processes recommended by the contractor. Code scanning of the software applications was implemented before bringing the systems back to production. Penetration tests were later conducted on each system to determine reasonable assurance of a secured system.

1:40:15 PM
MS. ROBB advanced to slide 5 and announced that eleven systems had been restored to date, including those mentioned on slide 3. The remaining eight systems are in various stages of the 23-step restoration process. Although time-consuming, the 19 systems will be hardened and more robust than before the attack. An appropriation is in the fast track supplemental budget for a Security Program Assessment for DHSS. DHSS is hopeful the assessment will occur as soon as possible. A contractor would work with the department to make all DHSS systems as secure and robust as possible.

1:42:02 PM
SENATOR REINBOLD commented that the State of Alaska paying for credit monitoring does not correct Alaskans' data being taken in a cyberattack. She opined that Alaskans have a right to know who took their data.

1:42:53 PM
MS. ROBB replied it was a sophisticated state-sponsored attacker and that law enforcement requested details not be shared.

SENATOR REINBOLD responded that cyber security should be taken seriously and more should be done for Alaskans.

SENATOR HUGHES asked for clarification on what occurred in September.

MS. ROBB answered that at the request of law enforcement DHSS waited to alert the public of the HIPAA breach until September.

1:44:27 PM
CHAIR WILSON asked if state or federal law enforcement made the request.

1:44:34 PM
MR. MCCUTCHEON replied that state and federal law enforcement are involved in the ongoing investigation across the United States.
SENATOR HUGHES asked why the HIPAA breach notification to people took four months when the cyberattack had already been publicly announced.

1:45:53 PM
MS. ROBB stated that the delay was at the request of law enforcement, who are conducting an active investigation. Due to the nature of the attack and the breadth of services provided by DHSS, the state used the Permanent Fund Dividend database to notify individual Alaskans of the breach.

SENATOR HUGHES stated she understands information can be withheld because of an investigation but opined that people should have been informed promptly of their data being breached so they could monitor their interests. She analogized the breach to a house being robbed. The homeowner is informed of the robbery even though the investigation is ongoing. She found the length of time the information was withheld to be curious and would like an explanation from law enforcement.

1:47:22 PM
CHAIR WILSON asked if HIPAA has a timeframe for reporting a data breach.

MS. ROBB replied that HIPAA does have a notice requirement. The requirement allows for notice to be delayed for purposes of investigation. Notifications were made as required by HIPAA.

SENATOR REINBOLD asked if it is correct to assume that a foreign bad actor took Alaskans' names, social security numbers, and other private information.

1:48:19 PM
MS. ROBB replied that HIPAA notification is required if the state cannot assert that there was a low probability that data was not taken. Items such as social security numbers, names, and addresses are information DHSS has in its database. Still, due to the nature of the attack, the department cannot say with certainty what information was taken.

1:48:42 PM
SENATOR REINBOLD stated that the assumption that can be made is obvious. She asked how many people were impacted by the breach.

MS. ROBB replied that all Alaskans were notified. The number of individuals impacted is indeterminable.
1:49:10 PM
CHAIR WILSON asked how many people could have been exposed.

SENATOR REINBOLD interjected that the number of Alaskans receiving public assistance is 300,000 and asked if that is the number or could it be more.

MR. MCCUTCHEON stated that the amount and type of data exfiltrated in the potential HIPAA breach could not be determined. The extent would be the department's data input. According to HIPAA regulations, the department could not prove that data was not taken; therefore, Alaskans were notified.

CHAIR WILSON asked how many Alaskans were notified of the HIPAA breach.

MS. ROBB stated that everyone in the PFD database was notified. The breach had nothing to do with the Department of Revenue or the PFD. The PFD database was used because it was the most comprehensive and up-to-date database for contacting Alaskans.

CHAIR WILSON reiterated that all Alaskans who received a dividend received notice of the HIPAA breach.

MS. ROBB replied yes.

CHAIR WILSON asked if that notice was in the year 2020 or 2021.

MS. ROBB answered that contact information was received from the Department of Revenue in September 2021.

1:51:12 PM
SENATOR REINBOLD commented that about 675,000 Alaskans were notified that their information might have been compromised. Legislators need answers for constituents. When DHSS evades basic questions and does not provide a number when asked, the department gives the appearance of hiding information.

1:52:16 PM
MS. ROBB responded that the department does not mean to appear evasive. In truth, even with the help of a global contractor, the department is unable to identify the exact number of people whose data may have been taken.

SENATOR REINBOLD retorted that an exact number was not requested.

1:52:43 PM
CHAIR WILSON interjected that he understands how it could be challenging to make contact since people's data can change with time. He remarked that 11 systems had been restored and asked how many remained.

MS. ROBB stated that eight systems are in the process, and four are waiting to begin restoration.

CHAIR WILSON asked if there is an expected timeframe for all systems to be online.

MS. ROBB deferred to Mr. McCutcheon.

MR. MCCUTCHEON stated that a timeline is not feasible since each system is being rebuilt. It is expected to take several more months.

1:54:08 PM
CHAIR WILSON stated that the budget for this year contains costs for systems that have been rebuilt. He asked if there was an estimated cost for the remaining systems.

MS. ROBB answered that the supplemental item in the budget for the cyberattack includes the systems waiting to be finished. The amount in the budget is $2.4 million of new unrestricted general funds (UGF), with a portion having matched federal funds.

1:55:06 PM
SENATOR REINBOLD asked when the Security Program Assessment would be completed and the database made as secure as possible.

MS. ROBB replied that funds for the Security Program Assessment are in the fast track supplemental. The department is eager and will begin once the funds are released to the department.

SENATOR REINBOLD stated it has been almost a year since the cyberattack. She asked if the first step to making DHSS's system secure is a $4 million assessment followed by an unknown amount to complete the work.

1:56:10 PM
MS. ROBB apologized if her words were confusing and replied that the item in the fast track supplemental for the Security Program Assessment is $1.9 million.

SENATOR REINBOLD restated her question and asked when information in the DHSS database would be secure.

MS. ROBB stated that the department was trying to be proactive. The cost of the assessment would be $400,000. The remaining $1.5 million will be used to harden the system as recommended.

1:57:18 PM
CHAIR WILSON asked for further comments, and Ms. Robb thanked the committee for hearing DHSS's cyberattack recovery update.

1:57:39 PM
At ease.

SB 132-CONTROLLED SUB. DATA: EXEMPT VETERINARIAN

1:59:32 PM
CHAIR WILSON reconvened the meeting and announced the consideration of SENATE BILL NO. 132 "An Act exempting veterinarians from the requirements of the controlled substance prescription database."

2:00:19 PM
SENATOR HOLLAND stated that the Prescription Drug Monitoring Program (PDMP) is important in Alaska for medical purposes; however, 34 other states realized it does not work well for veterinarians.

SENATOR HUGHES thanked Senator Begich for noting that HIPAA requirements do not bind veterinarians. She stated that the presentation and testimonies convinced the committee that the PDMP is not an appropriate program for veterinarians. Having veterinarians participate in the PDMP puts them at a disadvantage. It also risks exposure of clients' HIPAA protected information.

2:02:10 PM
SENATOR HUGHES moved to report SB 132, work order 32-LS0861\A, from committee with individual recommendations and attached fiscal note(s).

2:02:25 PM
CHAIR WILSON found no objection and SB 132 was reported from the Senate Health and Social Services Standing Committee.

2:02:42 PM
At ease.

HB 133-AK ED SAVINGS PROGRAMS/ELIGIBILITY

2:04:37 PM
CHAIR WILSON reconvened the meeting and announced the consideration of CS FOR HOUSE BILL NO. 133(L&C) "An Act relating to the Alaska savings program for eligible individuals; relating to education savings programs; relating to the Education Trust of Alaska; relating to the Alaska advance college tuition savings fund; relating to the Alaska education savings program for children; and relating to the Governor's Council on Disabilities and Special Education."

2:05:26 PM
REPRESENTATIVE ZACK FIELDS, Alaska State Legislature, Juneau, Alaska, stated that an update to the Achieving a Better Life Experience (ABLE) Act was necessary because federal changes occurred after the program was established in Alaska. Federal changes included the potential to increase account sizes, account flexibility, and age limit.
2:06:08 PM
At ease.

2:06:41 PM
CHAIR WILSON reconvened the meeting.

SENATOR HUGHES asked for the new federal disability age limit. She recalled hearing 49 but could only find documentation stating age 26.

REPRESENTATIVE FIELDS responded that the age is 46; however, HB 133 was written with conforming language. If the federal government makes changes in the future, the age in Alaska will automatically change.

2:07:57 PM
SENATOR HUGHES asked if the age change might be in regulation.

REPRESENTATIVE FIELDS deferred the question to his staff.

2:08:20 PM
TRISTAN WALSH, Staff, Representative Zack Fields, Alaska State Legislature, Juneau, Alaska, replied that federal legislation to raise the onset age of disability to 46 was debated but not finalized. HB 133 will keep state statutes mirroring federal law.

2:08:57 PM
SENATOR HUGHES reiterated that the federal age is still 26, but the federal government is considering 46.

SENATOR BEGICH sought clarification that HB 133 would follow federal regulatory changes.

REPRESENTATIVE FIELDS stated that is correct.

2:09:39 PM
CHAIR WILSON opened invited testimony.

2:09:54 PM
PATRICK STOCKS, Attorney, Disability Law Center of Alaska, Anchorage, Alaska, stated that the Disability Law Center of Alaska is the Protection and Advocacy System (P&A's) agent in Alaska. In 2016 it advocated for the passage of the ABLE Act. ABLE accounts have been the solution that allows many disabled individuals to go to school, maintain housing or obtain employment while still receiving benefits. The account is a tax-preferred savings vehicle that essentially does not count against asset limits for Medicaid, Financial Services Institute (FSI), and public assistance programs.

MR. STOCKS explained that HB 133 would allow rollovers from ABLE and 529 accounts, giving disabled individuals greater control over saving and spending for disability-related expenses. HB 133 also ties ABLE state requirements to controlling federal requirements, allowing federal changes to immediately take effect at the state level, saving the agency time and resources.

2:13:30 PM
CHAIR WILSON opened public testimony on HB 133; he found none, and closed public testimony.

2:13:48 PM
SENATOR HUGHES suggested Alaska's congressional delegation be encouraged to support an increase in the onset age of disability.

REPRESENTATIVE FIELDS agreed.

2:14:23 PM
CHAIR WILSON held HB 133 in committee.

2:15:25 PM
There being no further business to come before the committee, Chair Wilson adjourned the Senate Health and Social Services Standing Committee meeting at 2:15 p.m.