The healthcare sector and supporting critical infrastructure sectors “can no longer look at the challenges through just a cyber and/or physical lens but must consider all threats to operational resilience,” while the education sector suffers from equity issues reflected in reduced cyber protection capabilities in under-funded K-12 districts and colleges, experts told lawmakers.
“With the rise in digital health care, the proliferation of advances in technology and the efficiencies of connecting devices and data, the cyber threat surface in health care has ballooned and the threat actors have followed,” Health Information Sharing and Analysis Center (H-ISAC) President and CEO Denise Anderson, also representing the Health Sector Coordinating Council Cybersecurity Working Group, said at the hearing of the Senate Health, Education, Labor and Pensions Committee on May 18 to examine cyber threats to the healthcare and education sectors. “The focus has traditionally been on data and privacy, but if providers cannot deliver services or data is manipulated or destroyed patient lives can be at risk.”
Ransomware, she stressed, “has had a big impact on the health sector,” with Ryuk ransomware linked to more than 200 ransomware attacks impacting health facilities that inflicted revenue losses of nearly $100 million and remediation costs of $500 million.
The national health system in Ireland was hit with Conti ransomware in May 2021, bringing down all IT systems resulting in canceled surgeries and delayed medical care. Recovery from the attack took four months.
“The other impact of ransomware is the downstream effects when suppliers are attacked,” Anderson said. “When a human resources firm was attacked in December 2021, hospitals were forced to manage payroll and staff scheduling manually during a surge in COVID-19 infections. In January 2021, a manufacturer essential in providing packaging for COVID-19 treatments was attacked and pharmaceutical manufacturers experienced slowdowns in package production and shipping during a vital period in the pandemic.”
The COVID-19 pandemic “spurred several incidents,” she added. “Threat actors assessed sensitive documents for a COVID-19 vaccine at the European Medicines Agency where the documents were stored. Actors attacked and blocked access to an Italian COVID-19 vaccination booking system and organizations offering cold storage and delivery processes for keeping vaccines at safe temperatures were targeted. A concerning threat actor trend has been the intention and ability to target the IT supply chain, such as the SolarWinds attack to gain access to a larger group of victims.”
Noting fear of repercussions such as those that followed the 2017 Petya attacks that impacted over 300 companies and cost over $10 billion, Anderson emphasized that “even if health care is not directly targeted, cascading impacts such as access to communications and electricity can be substantial.”
“The health sector is highly interconnected. Sensitive patient information must move between entities to facilitate proper patient care and history. Hospitals use tens of thousands of medical devices,” she told senators. “Expensive devices are not easily replaced and run on software that is no longer patched or supported. In addition, many of these devices run 24 hours a day, seven days a week, 365 days a year, so taking them offline or patching them is complicated.”
Joshua Corman, founder of I Am the Cavalry, a volunteer grassroots group of hackers “trying to save lives through security research,” said they have “compromised insulin pumps to give a second lethal dose of insulin without authentication.”
“We have found bedside infusion pumps that should deliver a three-hour dose of a calcium channel blocker could empty the contents in 30 seconds,” he said. “And we’ve done these through clinical ER hacking simulations in consultation and collaboration with federal agencies, with medical practitioners, with physicians to see can we handle these disruptions to the technologies we take for granted.”
Cybersecurity Program Director Amy McLaughlin with the Consortium of School Networking told senators that K-12 school districts “face increasing attacks and threats” from largely organized crime, nation-state actors and terrorist organizations.
“The most prevalent threats facing K-12 schools are ransomware attacks designed to encrypt and block data access to computer systems until a ransom is paid, phishing attacks inundate education employees with fraudulent emails attempting to trick them into responding with sensitive data, distributed denial of service attacks that flood the target networks making them inaccessible, and cyber-attacks against vendors providing services to multiple districts that result in wide-scale impacts,” she said.
“The impacts of cyber-attacks on K-12 school districts, teachers and students include lost instructional time, damage to schools’ reputations, high financial costs of cyber incidents, rising cybersecurity insurance costs, financial and credit hardships for students and employees from the loss of their personal data, and rising mental health impacts, including increases in anxiety and depression,” she added.
In Toledo, Ohio, and Fairfax County, Virginia, McLaughlin noted, cyber attackers threatened to release personal information of students and educators, and ransomware crippled school districts in Baltimore and Hartford, Conn.
“And on the first day of classes, the Miami-Dade County Public Schools in Florida, the fourth-largest U.S. district, saw their networks overwhelmed by denial of service attack,” she continued. “K-12 schools and districts experienced significant challenges in protecting themselves from cyber-attacks. Most districts see cybersecurity as a technical issue and it isn’t. It is an issue that requires everybody in an organization to understand and be part of the solution and understand their role in protecting the organization.”
“Safeguarding technologies are expensive and the leading K-12 funder, the E-rate program, does not fund cybersecurity or network defenses. School districts struggle to hire cybersecurity professionals. With almost 500,000 unfilled positions in cybersecurity in the United States, districts cannot compete with private-sector salaries and opportunities.”
McLaughlin stressed that “digital equity is a significant challenge as cybersecurity issues disproportionately impact our school districts who have less funding available to support and secure their technologies, and the addition of IoT devices to networks demand additional protections the districts are unable to fund and unprepared to deliver.”
K-12 school systems are taking “many steps” to beef up cybersecurity from training staff to implementing multifactor authentication, “but there are additional federal actions that should be taken to help our schools and districts improve their cybersecurity defenses,” including additional funding for the Multi-State Information Sharing and Analysis Center (MS-ISAC) “to provide their fee-based services to K-12 free of charge” as well as funding universities and colleges to run Security Operations Centers that can simultaneously offer cost-effective services to K-12 schools and train new cybersecurity professionals.
“Our K-12 districts are on the front lines of protecting their data and systems against much larger, better-funded organizations and a rapidly evolving cyberthreat environment,” McLaughlin said. “They need access to staffing and technical resources to continue to securely deliver education. I thank you for your time and look forward to your questions.”
Chapman University Chief Information Officer Helen Norris told senators that threats to higher education include ransomware, phishing, hacking and social engineering, and universities that include medical centers and teaching hospitals “have even greater challenges in managing personal health information for individuals.”
“Our systems have grown into complex environments that include large data centers and a growing set of third-party partners,” she said. “The scope and intensity of our operations presents challenges to keeping them secure. And we know that bad actors are always looking to turn our difficulties into their opportunities.”
Addressing cybersecurity threats “is expensive,” Norris noted, and investment varies with the type of institution. A smaller university or a community college with fewer financial resources “will be challenged to do so even though they must protect sensitive student data in a similar way… the complexity of this work is enormous.” Institutions are also “challenged by the increasing number and complexity of cybersecurity regulations, which generate costs that draw resources away from managing risks.”
“Many security incidents occur when an individual falls into a trap set by a hacker,” Norris said. “So a large part of our work is educational, ensuring that our students and others have the tools that they need to protect themselves. Colleges and universities also address cybersecurity by combining our strength through collaboration to protect the entire ecosystem. We share information on new threats, best practices, and community source tools.”
“We also work closely with partners in federal and state agencies, particularly the FBI and CISA. Institutions want to continue to build upon our response to the threats that are out there and we see partnering at the federal level as critical to that. We encourage continued and growing collaboration between our community and federal agencies.”