Legislature(2021 - 2022)BUTROVICH 205
02/08/2022 01:30 PM Senate HEALTH & SOCIAL SERVICES
* first hearing in first committee of referral
+ teleconferenced
= bill was previously heard/scheduled
| Flags | Bill | Note |
|---|---|---|
| + | | TELECONFERENCED |
| += | SB 132 | TELECONFERENCED |
| += | HB 133 | TELECONFERENCED |
| + | | TELECONFERENCED |
ALASKA STATE LEGISLATURE
SENATE HEALTH AND SOCIAL SERVICES STANDING COMMITTEE
February 8, 2022
1:31 p.m.
MEMBERS PRESENT
Senator David Wilson, Chair
Senator Shelley Hughes, Vice Chair
Senator Lora Reinbold
Senator Tom Begich
MEMBERS ABSENT
Senator Mia Costello
COMMITTEE CALENDAR
DHSS CYBERATTACK UPDATE
- HEARD
SENATE BILL NO. 132
"An Act exempting veterinarians from the requirements of the
controlled substance prescription database."
- MOVED SB 132 OUT OF COMMITTEE
COMMITTEE SUBSTITUTE FOR HOUSE BILL NO. 133(L&C)
"An Act relating to the Alaska savings program for eligible
individuals; relating to education savings programs; relating to
the Education Trust of Alaska; relating to the Alaska advance
college tuition savings fund; relating to the Alaska education
savings program for children; and relating to the Governor's
Council on Disabilities and Special Education."
- HEARD & HELD
PREVIOUS COMMITTEE ACTION
BILL: SB 132
SHORT TITLE: CONTROLLED SUB. DATA: EXEMPT VETERINARIAN
SPONSOR(s): SENATOR(s) HOLLAND
04/28/21 (S) READ THE FIRST TIME - REFERRALS
04/28/21 (S) HSS, L&C
02/03/22 (S) HSS AT 1:30 PM BUTROVICH 205
02/03/22 (S) Heard & Held
02/03/22 (S) MINUTE(HSS)
02/08/22 (S) HSS AT 1:30 PM BUTROVICH 205
BILL: HB 133
SHORT TITLE: AK ED SAVINGS PROGRAMS/ELIGIBILITY
SPONSOR(s): LABOR & COMMERCE
03/10/21 (H) READ THE FIRST TIME - REFERRALS
03/10/21 (H) L&C, FIN
03/17/21 (H) L&C AT 5:45 PM BARNES 124
03/17/21 (H) <Bill Hearing Canceled>
03/19/21 (H) L&C AT 3:15 PM BARNES 124
03/19/21 (H) Heard & Held
03/19/21 (H) MINUTE(L&C)
03/24/21 (H) L&C AT 3:15 PM DAVIS 106
03/24/21 (H) Moved CSHB 133(L&C) Out of Committee
03/24/21 (H) MINUTE(L&C)
03/24/21 (H) L&C AT 5:45 PM DAVIS 106
03/24/21 (H) -- MEETING CANCELED --
03/25/21 (H) L&C RPT CS(L&C) 6DP 1NR
03/25/21 (H) DP: SNYDER, SCHRAGE, MCCARTY, NELSON,
SPOHNHOLZ, FIELDS
03/25/21 (H) NR: KAUFMAN
04/07/21 (H) HSS REPLACES FIN REFERRAL
04/07/21 (H) BILL REPRINTED
04/20/21 (H) HSS AT 3:00 PM DAVIS 106
04/20/21 (H) Heard & Held
04/20/21 (H) MINUTE(HSS)
04/22/21 (H) HSS AT 3:00 PM DAVIS 106
04/22/21 (H) Moved CSHB 133(L&C) Out of Committee
04/22/21 (H) MINUTE(HSS)
04/26/21 (H) HSS RPT CS(L&C) 5DP 1NR
04/26/21 (H) DP: FIELDS, SPOHNHOLZ, MCCARTY,
ZULKOSKY, SNYDER
04/26/21 (H) NR: KURKA
05/07/21 (H) TRANSMITTED TO (S)
05/07/21 (H) VERSION: CSHB 133(L&C)
05/10/21 (S) READ THE FIRST TIME - REFERRALS
05/10/21 (S) HSS, L&C
02/03/22 (S) HSS AT 1:30 PM BUTROVICH 205
02/03/22 (S) Heard & Held
02/03/22 (S) MINUTE(HSS)
02/08/22 (S) HSS AT 1:30 PM BUTROVICH 205
WITNESS REGISTER
SYLVAN ROBB, Assistant Commissioner
Office of the Commissioner
Department of Health and Social Services (DHSS)
Juneau, Alaska
POSITION STATEMENT: Co-presented the DHSS Cyberattack Update.
SCOTT MCCUTCHEON, Information Technology Manager
Finance and Management Services
Department of Health and Social Services (DHSS)
Juneau, Alaska
POSITION STATEMENT: Co-presented the DHSS Cyberattack Update.
REPRESENTATIVE ZACK FIELDS
Alaska State Legislature
Juneau, Alaska
POSITION STATEMENT: Sponsor of HB 133.
TRISTAN WALSH, Staff
Representative Zack Fields
Alaska State Legislature
Juneau, Alaska
POSITION STATEMENT: Answered questions on HB 133.
PATRICK STOCKS, Attorney
Disability Law Center of Alaska
Anchorage, Alaska
POSITION STATEMENT: Testified by invitation on HB 133.
ACTION NARRATIVE
1:31:16 PM
CHAIR DAVID WILSON called the Senate Health and Social Services
Standing Committee meeting to order at 1:31 p.m. Present at the
call to order were Senators Reinbold, Begich, Hughes, and Chair
Wilson.
DHSS CYBERATTACK UPDATE
1:32:19 PM
CHAIR WILSON announced the consideration of an update by the
Department of Health and Social Services (DHSS) on cyberattacks.
1:33:13 PM
SYLVAN ROBB, Assistant Commissioner, Office of the Commissioner,
Department of Health and Social Services (DHSS), Juneau, Alaska,
introduced herself.
1:33:46 PM
At ease.
1:34:08 PM
CHAIR WILSON reconvened the meeting.
1:34:14 PM
MS. ROBB stated that the Department of Health and Social
Services (DHSS) manages 600 servers that operate around 350
applications and must adhere to Health Insurance Portability and
Accountability Act (HIPAA) requirements. Instances exist where
DHSS utilizes services outside of the Office of Innovation and
Technology (OIT) to maintain HIPAA compliance.
MS. ROBB turned to slide 2 and stated that on May 5, personnel
in OIT noticed malicious activity happening within the DHSS
system. The impacted systems were immediately taken offline, law
enforcement was notified, and an incident response team was
assembled. On May 10, 2021, an experienced global contractor was
hired to address the sophistication of the attack.
1:36:38 PM
MS. ROBB said the contractor completed system checks on May 17.
Nineteen systems were identified as having elements of
compromise. Sites taken down included the DHSS website, the
background check unit, Alaska's Automated Information Management
System (AKAIMS), grants management, and vital records. On May
18, the public was notified of the attack through a press
release and social media. HIPAA guidelines require a low level
of information compromise. Therefore, in September, the
department notified all Alaskans of the breach and offered
credit monitoring.
1:38:08 PM
SCOTT MCCUTCHEON, Information Technology Manager, Finance and
Management Services, Department of Health and Social Services
(DHSS), Juneau, Alaska, said the cyberattack response consisted
of three phases. The detection and analysis phase determined the
scope of the intrusion, date, length, and reason.
The containment and eradication plan was created in phase one
but carried out in phase two. The containment and eradication
plan involved isolating affected systems, disabling accounts,
and resetting, then rotating, privileged account passwords every
other day across the enterprise. Malware provided by the
contractor was distributed across the enterprise to find
additional signs of compromise.
MR. MCCUTCHEON said the third phase was post-incident activity.
It involved reviewing and improving server and application
hardening processes recommended by the contractor. Code scanning
of the software applications was implemented before bringing the
systems back to production. Penetration tests were later
conducted on each system to determine reasonable assurance of a
secured system.
1:40:15 PM
MS. ROBB advanced to slide 5 and announced that eleven systems
had been restored to date, including those mentioned on slide 3.
The remaining eight systems are in various stages of the 23-step
restoration process. Although time-consuming, the 19 systems
will be hardened and more robust than before the attack.
An appropriation is in the fast track supplemental budget for a
Security Program Assessment for DHSS. DHSS is hopeful the
assessment will occur as soon as possible. A contractor would
work with the department to make all DHSS systems as secure and
robust as possible.
1:42:02 PM
SENATOR REINBOLD commented that the State of Alaska paying for
credit monitoring does not correct Alaskans' data being taken in
a cyberattack. She opined that Alaskans have a right to know who
took their data.
1:42:53 PM
MS. ROBB replied it was a sophisticated state-sponsored attacker
and that law enforcement requested details not be shared.
SENATOR REINBOLD responded that cyber security should be taken
seriously and more should be done for Alaskans.
SENATOR HUGHES asked for clarification on what occurred in
September.
MS. ROBB answered that at the request of law enforcement DHSS
waited to alert the public of the HIPAA breach until September.
1:44:27 PM
CHAIR WILSON asked if state or federal law enforcement made the
request.
1:44:34 PM
MR. MCCUTCHEON replied that state and federal law enforcement
are involved in the ongoing investigation across the United
States.
SENATOR HUGHES asked why the HIPAA breach notification to people
took four months when the cyberattack had already been publicly
announced.
1:45:53 PM
MS. ROBB stated that the delay was at the request of law
enforcement, who are conducting an active investigation. Due to
the nature of the attack and the breadth of services provided by
DHSS, the state used the Permanent Fund Dividend database to
notify individual Alaskans of the breach.
SENATOR HUGHES stated she understands information can be
withheld because of an investigation but opined that people
should have been informed promptly of their data being breached
so they could monitor their interests. She analogized the breach
to a house being robbed. The homeowner is informed of the
robbery even though the investigation is ongoing. She found the
length of time the information was withheld to be curious and
would like an explanation from law enforcement.
1:47:22 PM
CHAIR WILSON asked if HIPAA has a timeframe for reporting a data
breach.
MS. ROBB replied that HIPAA does have a notice requirement. The
requirement allows for notice to be delayed for purposes of
investigation. Notifications were made as required by HIPAA.
SENATOR REINBOLD asked if it is correct to assume that a foreign
bad actor took Alaskans' names, social security numbers, and
other private information.
1:48:19 PM
MS. ROBB replied that HIPAA notification is required if the
state cannot assert that there was a low probability that data
was not taken. Items such as social security numbers, names, and
addresses are information DHSS has in its database. Still, due
to the nature of the attack, the department cannot say with
certainty what information was taken.
1:48:42 PM
SENATOR REINBOLD stated that the assumption that can be made is
obvious. She asked how many people were impacted by the breach.
MS. ROBB replied that all Alaskans were notified. The number of
individuals impacted is indeterminable.
1:49:10 PM
CHAIR WILSON asked how many people could have been exposed.
SENATOR REINBOLD interjected that the number of Alaskans
receiving public assistance is 300,000 and asked if that is the
number or could it be more.
MR. MCCUTCHEON stated that the amount and type of data
exfiltrated in the potential HIPAA breach could not be
determined. The extent would be the department's data input.
According to HIPAA regulations, the department could not prove
that data was not taken; therefore, Alaskans were notified.
CHAIR WILSON asked how many Alaskans were notified of the HIPAA
breach.
MS. ROBB stated that everyone in the PFD database was notified.
The breach had nothing to do with the Department of Revenue or
the PFD. The PFD database was used because it was the most
comprehensive and up-to-date database for contacting Alaskans.
CHAIR WILSON reiterated that all Alaskans who received a
dividend received notice of the HIPAA breach.
MS. ROBB replied yes.
CHAIR WILSON asked if that notice was in the year 2020 or 2021.
MS. ROBB answered that contact information was received from the
Department of Revenue in September 2021.
1:51:12 PM
SENATOR REINBOLD commented that about 675,000 Alaskans were
notified that their information might have been compromised.
Legislators need answers for constituents. When DHSS evades
basic questions and does not provide a number when asked, the
department gives the appearance of hiding information.
1:52:16 PM
MS. ROBB responded that the department does not mean to appear
evasive. In truth, even with the help of a global contractor,
the department is unable to identify the exact number of people
whose data may have been taken.
SENATOR REINBOLD retorted that an exact number was not
requested.
1:52:43 PM
CHAIR WILSON interjected that he understands how it could be
challenging to make contact since people's data can change with
time. He remarked that 11 systems had been restored and asked
how many remained.
MS. ROBB stated that eight systems are in the process, and four
are waiting to begin restoration.
CHAIR WILSON asked if there is an expected timeframe for all
systems to be online.
MS. ROBB deferred to Mr. McCutcheon.
MR. MCCUTCHEON stated that a timeline is not feasible since each
system is being rebuilt. It is expected to take several more
months.
1:54:08 PM
CHAIR WILSON stated that the budget for this year contains costs
for systems that have been rebuilt. He asked if there was an
estimated cost for the remaining systems.
MS. ROBB answered that the supplemental item in the budget for
the cyberattack includes the systems waiting to be finished. The
amount in the budget is $2.4 million of new unrestricted general
funds (UGF), with a portion having matched federal funds.
1:55:06 PM
SENATOR REINBOLD asked when the Security Program Assessment
would be completed and the database made as secure as possible.
MS. ROBB replied that funds for the Security Program Assessment
are in the fast track supplemental. The department is eager and
will begin once the funds are released to the department.
SENATOR REINBOLD stated it has been almost a year since the
cyberattack. She asked if the first step to making DHSS's system
secure is a $4 million assessment followed by an unknown amount
to complete the work.
1:56:10 PM
MS. ROBB apologized if her words were confusing and replied that
the item in the fast track supplemental for the Security Program
Assessment is $1.9 million.
SENATOR REINBOLD restated her question and asked when
information in the DHSS database would be secure.
MS. ROBB stated that the department was trying to be proactive.
The cost of the assessment would be $400,000. The remaining $1.5
million will be used to harden the system as recommended.
1:57:18 PM
CHAIR WILSON asked for further comments, and Ms. Robb thanked the
committee for hearing DHSS's cyberattack recovery update.
1:57:39 PM
At ease.
SB 132-CONTROLLED SUB. DATA: EXEMPT VETERINARIAN
1:59:32 PM
CHAIR WILSON reconvened the meeting and announced the
consideration of SENATE BILL NO. 132 "An Act exempting
veterinarians from the requirements of the controlled substance
prescription database."
2:00:19 PM
SENATOR HOLLAND stated that the Prescription Drug Monitoring
Program (PDMP) is important in Alaska for medical purposes;
however, 34 other states realized it does not work well for
veterinarians.
SENATOR HUGHES thanked Senator Begich for noting that HIPAA
requirements do not bind veterinarians. She stated that the
presentation and testimonies convinced the committee that the
PDMP is not an appropriate program for veterinarians. Having
veterinarians participate in the PDMP puts them at a
disadvantage. It also risks exposure of clients' HIPAA-protected
information.
2:02:10 PM
SENATOR HUGHES moved to report SB 132, work order 32-LS0861\A,
from committee with individual recommendations and attached
fiscal note(s).
2:02:25 PM
CHAIR WILSON found no objection and SB 132 was reported from the
Senate Health and Social Services Standing Committee.
2:02:42 PM
At ease.
HB 133-AK ED SAVINGS PROGRAMS/ELIGIBILITY
2:04:37 PM
CHAIR WILSON reconvened the meeting and announced the
consideration of CS FOR HOUSE BILL NO. 133(L&C) "An Act relating
to the Alaska savings program for eligible individuals; relating
to education savings programs; relating to the Education Trust
of Alaska; relating to the Alaska advance college tuition
savings fund; relating to the Alaska education savings program
for children; and relating to the Governor's Council on
Disabilities and Special Education."
2:05:26 PM
REPRESENTATIVE ZACK FIELDS, Alaska State Legislature, Juneau,
Alaska, stated that an update to the Achieving a Better Life
Experience (ABLE) Act was necessary because federal changes
occurred after the program was established in Alaska. Federal
changes included the potential to increase account sizes,
account flexibility, and age limit.
2:06:08 PM
At ease.
2:06:41 PM
CHAIR WILSON reconvened the meeting.
SENATOR HUGHES asked for the new federal disability age limit.
She recalled hearing 49 but could only find documentation
stating age 26.
REPRESENTATIVE FIELDS responded that the age is 46; however, HB
133 was written with conforming language. If the federal
government makes changes in the future, the age in Alaska will
automatically change.
2:07:57 PM
SENATOR HUGHES asked if the age change might be in regulation.
REPRESENTATIVE FIELDS deferred the question to his staff.
2:08:20 PM
TRISTAN WALSH, Staff, Representative Zack Fields, Alaska State
Legislature, Juneau, Alaska, replied that federal legislation to
raise the onset age of disability to 46 was debated but not
finalized. HB 133 will keep state statutes mirroring federal
law.
2:08:57 PM
SENATOR HUGHES reiterated that the federal age is still 26, but
the federal government is considering 46.
SENATOR BEGICH sought clarification that HB 133 would follow
federal regulatory changes.
REPRESENTATIVE FIELDS stated that is correct.
2:09:39 PM
CHAIR WILSON opened invited testimony.
2:09:54 PM
PATRICK STOCKS, Attorney, Disability Law Center of Alaska,
Anchorage, Alaska, stated that the Disability Law Center of
Alaska is the Protection and Advocacy System (P&A's) agent in
Alaska. In 2016 it advocated for the passage of the ABLE Act.
ABLE accounts have been the solution that allows many disabled
individuals to go to school, maintain housing or obtain
employment while still receiving benefits. The account is a
tax-preferred savings vehicle that essentially does not count
against asset limits for Medicaid, Financial Services Institute
(FSI), and public assistance programs.
MR. STOCKS explained that HB 133 would allow rollovers from ABLE
and 529 accounts, giving disabled individuals greater control
over saving and spending for disability-related expenses. HB 133
also ties ABLE state requirements to controlling federal
requirements, allowing federal changes to immediately take
effect at the state level, saving the agency time and resources.
2:13:30 PM
CHAIR WILSON opened public testimony on HB 133; he found none,
and closed public testimony.
2:13:48 PM
SENATOR HUGHES suggested Alaska's congressional delegation be
encouraged to support an increase in the onset age of
disability.
REPRESENTATIVE FIELDS agreed.
2:14:23 PM
CHAIR WILSON held HB 133 in committee.
2:15:25 PM
There being no further business to come before the committee,
Chair Wilson adjourned the Senate Health and Social Services
Standing Committee meeting at 2:15 p.m.
| Document Name | Date/Time | Subjects |
|---|---|---|
| CSHB 133 Sectional Analysis Ver I 1.31.2022.pdf | SHSS 2/3/2022 1:30:00 PM SHSS 2/8/2022 1:30:00 PM | HB 133 |
| CSHB 133 Fiscal Note UA-SYSBRA 1.19.2022.pdf | SHSS 2/3/2022 1:30:00 PM SHSS 2/8/2022 1:30:00 PM | HB 133 |
| CSHB 133 Version I 1.19.2022.PDF | SHSS 2/3/2022 1:30:00 PM SHSS 2/8/2022 1:30:00 PM | HB 133 |
| CSHB 133 ver I Sponsor Statement 1.19.2022.pdf | SHSS 2/3/2022 1:30:00 PM SHSS 2/8/2022 1:30:00 PM | HB 133 |
| CSHB 133 Supporting Document - UA Press Release 1.19.2022.pdf | SHSS 2/3/2022 1:30:00 PM SHSS 2/8/2022 1:30:00 PM | HB 133 |
| CSHB 133 Supporting Document - IRS ABLE Accounts Info 1.19.2022.pdf | SHSS 2/3/2022 1:30:00 PM SHSS 2/8/2022 1:30:00 PM | HB 133 |
| CSHB 133 Sponsor Presentation UPDATED 2.1.2022.pdf | SHSS 2/3/2022 1:30:00 PM SHSS 2/8/2022 1:30:00 PM | HB 133 |
| CSHB 133 Supporting Document - 10 Things You Should Know About ABLE 1.19.2022.pdf | SHSS 2/3/2022 1:30:00 PM SHSS 2/8/2022 1:30:00 PM | HB 133 |
| CSHB 133 Summary of Changes ver B to ver I 1.19.2022.pdf | SHSS 2/3/2022 1:30:00 PM SHSS 2/8/2022 1:30:00 PM | HB 133 |
| HB 133 FN UofA.pdf | SHSS 2/8/2022 1:30:00 PM | HB 133 |
| DHSS 2-8-21 SHSS Cyber Security presentation-final.pdf | SHSS 2/8/2022 1:30:00 PM | Cybersecurity |