[Senate Hearing 117-398]
[From the U.S. Government Publishing Office]
                                                        S. Hrg. 117-398

                      CYBERSECURITY IN THE HEALTH
                         AND EDUCATION SECTORS

=======================================================================

                                HEARING

                                 OF THE

                    COMMITTEE ON HEALTH, EDUCATION,
                          LABOR, AND PENSIONS

                          UNITED STATES SENATE

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             SECOND SESSION

                                   ON

      EXAMINING CYBERSECURITY IN THE HEALTH AND EDUCATION SECTORS

                               __________

                              MAY 18, 2022

                               __________

 Printed for the use of the Committee on Health, Education, Labor, and 
                                Pensions

        Available via the World Wide Web: http://www.govinfo.gov  
        
                             _________
                              
                 U.S. GOVERNMENT PUBLISHING OFFICE
                 
48-909 PDF               WASHINGTON : 2024  
          COMMITTEE ON HEALTH, EDUCATION, LABOR, AND PENSIONS

                    PATTY MURRAY, Washington, Chair
BERNIE SANDERS (I), Vermont          RICHARD BURR, North Carolina, 
ROBERT P. CASEY, JR., Pennsylvania       Ranking Member
TAMMY BALDWIN, Wisconsin             RAND PAUL, M.D., Kentucky
CHRISTOPHER S. MURPHY, Connecticut   SUSAN M. COLLINS, Maine
TIM KAINE, Virginia                  BILL CASSIDY, M.D., Louisiana
MAGGIE HASSAN, New Hampshire         LISA MURKOWSKI, Alaska
TINA SMITH, Minnesota                MIKE BRAUN, Indiana
JACKY ROSEN, Nevada                  ROGER MARSHALL, M.D., Kansas
BEN RAY LUJAN, New Mexico            TIM SCOTT, South Carolina
JOHN HICKENLOOPER, Colorado          MITT ROMNEY, Utah
                                     TOMMY TUBERVILLE, Alabama
                                     JERRY MORAN, Kansas

                     Evan T. Schatz, Staff Director
               David P. Cleary, Republican Staff Director
                  John Righter, Deputy Staff Director   
                            C O N T E N T S

                              ----------                              

                               STATEMENTS

                        WEDNESDAY, MAY 18, 2022

                           Committee Members

Murray, Hon. Patty, Chair, Committee on Health, Education, Labor, 
  and Pensions, Opening statement

Cassidy, Hon. Bill, a U.S. Senator from the State of North 
  Carolina, Opening statement

                               Witnesses

Anderson, Denise, President and CEO, Health Information Sharing 
  and Analysis Center, Oakton, VA
    Prepared statement
    Summary statement

Corman, Joshua, Founder, I Am The Cavalry, Dover, NH
    Prepared statement
    Summary statement

McLaughlin, Amy, Cybersecurity Program Director, Consortium of 
  School Networking, Corvallis, OR
    Prepared statement
    Summary statement

Norris, Helen, Vice President and Chief Information Officer, 
  Chapman University, Orange, CA
    Prepared statement
    Summary statement

                         QUESTIONS AND ANSWERS

Response by Denise Anderson to questions of:
    Sen. Baldwin
    Sen. Rosen
Response by Helen Norris to questions of:
    Sen. Hassan
Response by Amy McLaughlin to questions of:
    Sen. Hassan

 
                      CYBERSECURITY IN THE HEALTH 
                         AND EDUCATION SECTORS 

                              ----------                              


                        Wednesday, May 18, 2022

                                       U.S. Senate,
       Committee on Health, Education, Labor, and Pensions,
                                                    Washington, DC.

    The Committee met, pursuant to notice, at 10:01 a.m., in 
room 216, Hart Senate Office Building, Hon. Patty Murray, Chair 
of the Committee, presiding.

    Present: Senators Murray [presiding], Casey, Baldwin, 
Murphy, Hassan, Hickenlooper, Cassidy, Braun, Scott, and 
Tuberville.

                  OPENING STATEMENT OF SENATOR MURRAY

    The Chair. Good morning. The Senate Health, Education, 
Labor, and Pensions Committee will please come to order. Today 
we are having a hearing on cybersecurity in the health and 
education sectors. I will have an opening statement followed by 
Senator Cassidy, and then we will introduce our witnesses. 
After they give their testimony, Senators will each have 5 
minutes for a round of questions.

    Again, while we were unable to have this hearing fully open 
to the public or media for in-person attendance, live video is 
available on our Committee website at help.senate.gov. And 
again, if you are in need of accommodations including closed 
captioning, please reach out to the Committee or the Office of 
Congressional Accessibility Services.

    Every day, students, educators, patients, and health care 
providers across the country rely on countless programs and IT 
systems to learn with online tools, to get a prescription, do a 
telehealth appointment, and so much more.

    It is easy to take for granted how critical technology is 
to fundamental tasks like collecting and protecting the 
personal data of students and patients. Keeping track of course 
requirements, lesson plans, student financial aid, or providing 
information about prescriptions, allergies, and surgeries, 
information with potentially life and death consequences.

    During the past few years, COVID-19 has made technology 
even more central in health care and education, as patients and 
providers have made greater use of telehealth services to make 
care accessible and schools are helping close the digital 
divide by connecting students to the internet and devices.

    With that increased reliance on technology, we must also 
increase the attention given to the challenges that technology 
present. A critical part of that is closing the digital divide 
and ensuring all of our communities have access to the 
internet, which is why I fought so hard to invest in universal 
broadband and digital equity in our bipartisan infrastructure 
law. But we can't just call it a day after we make technology 
easy to use or access. We need to make sure it is also safe and 
secure.

    We need to address cybersecurity attacks and ensure they 
are treated like the National Security threat they are because 
cyber-attacks are on the rise. In 2020, 70 percent of hospitals 
surveyed said they had faced a significant security incident 
within the past 12 months. And between 2016 and 2021, there 
were over 1,300 school cybersecurity incidents in the U.S. and 
that is just counting the ones that were publicly disclosed.

    In my home State of Washington, we know that there were at 
least 44 data breaches in the health care sector last year and 
at least 35 in education. And the number of cyber-attacks in 
our state overall increased significantly from 2020, with the 
number of large scale attacks affecting over 50,000 people 
having tripled.

    During this pandemic, we also saw hackers infiltrate our 
state's unemployment insurance system, a breach that exposed 
the information of over a million people across my state. These 
attacks can come from a wide variety of sources, individual 
hackers, organized crime, and even hostile state actors, as we 
have seen most recently in Russia's invasion of Ukraine.

    This is a serious National Security threat and families 
need to know we are taking action to keep them safe from our 
enemies here. Because we know our biggest global adversaries, 
Russia, China, North Korea, Iran have been putting resources 
into sharpening their cyber-attack capacity.

    Cyber-attacks can also take a wide variety of forms. Data 
breaches that expose sensitive information from health 
information adversaries might use to threaten National Security 
to private financial information about patients, students, and 
staff, distributed denial of service attacks that can be used 
by hostile countries and others to make computers and networks 
unresponsive and shut down services, or ransomware attacks 
where foreign actors or other dangerous organizations hold 
essential services and data hostage unless a large financial 
ransom is paid.

    Even when a hospital or school is doing everything right, 
there are always new threats they may not be able to be 
prepared for. And every organization is still vulnerable to 
attacks on the tech vendors that they rely on. For example, a 
2019 cyber-attack on Pearson affected over 13,000 students and 
a breach at another education vendor last year, Blackbaud, 
exposed the financial information of 17,000 students just from 
my home State of Washington alone.

    The fallout from these attacks can be devastating and wide 
ranging. Hospitals can get locked out of the electronic health 
care records they need to understand a patient's condition or 
software needed to schedule surgeries or track prescriptions or 
get lab results and divert ambulances. I have even heard from 
health departments back in Washington State about how 
responding to cyber-attacks has pulled resources and staff from 
their COVID vaccination efforts. These kinds of challenges 
don't just cause major headaches or losses and expenses, they 
put patients in danger, they undermine our National Security, 
and in some cases, they even cost lives.

    Meanwhile, our schools are at risk of getting locked out of 
online programs that students use to turn in assignments, that 
teachers use to post and track grades, and that administrators 
use to lay out courses and schedules for the semester. Hacks can 
disrupt routine functions like payroll, and can leave 
patients, students, and staff exposed to identity theft. And 
that can be especially concerning for K-12 students, as it 
often isn't clear to students or parents that a child's 
identity has been stolen until they try to open a bank account 
or request student aid, which may not happen for several years.

    Cyber-attacks also have huge implications for our Country 
as a whole. They can undermine our competitiveness on the world 
stage. And the possibility of a cyber-attack coordinated by our 
enemies to take out health care facilities, especially at a 
moment of crisis, is a serious threat. So we have to make sure 
we are ready and vigilant.

    That is why I am glad President Biden signed into law 
legislation we passed to require more reporting of cyber 
incidents and to study the impact of cyber-attacks on K-12 
schools. It is why I am now watching closely as HHS works to 
strengthen its information security systems and as ED works to 
help protect K-12 schools from cyber-attacks, and it is why 
today's hearing is so important.

    I want to hear from all of our witnesses about how we can 
address urgent challenges, like how do we recruit, train, and 
retain more cybersecurity experts, especially in the health and 
education sectors where there is a big shortage? What are some 
best practices that schools and health care providers should be 
implementing? And how can we better connect organizations to 
share information like this that will help prevent, mitigate, 
and respond to cybersecurity incidents? How can we improve 
disclosure of cybersecurity incidents so people will know when 
and how they have been affected by a hack, what they might do 
about it, and how can they protect themselves? And what are we 
doing to prepare for attacks from hostile foreign actors? How 
do we make sure we don't just keep up but keep ahead of Russia, 
China, North Korea, Iran, and others?

    It is especially critical to me that we are treating cyber-
attacks like the National Security threat we know they are. 
These are incredibly important questions for families back at 
home in Washington State and across the entire country whose 
privacy, finances, futures, and even lives depend on making 
sure we have good answers and take clear steps to put them in 
practice.

    I look forward to hearing from all of our witnesses today 
about these issues and really appreciate all of you being here. 
With that, I will turn it over to Senator Cassidy for his 
opening remarks.

                  OPENING STATEMENT OF SENATOR CASSIDY

    Senator Cassidy. Thank you, Madam Chair. Good morning. 
Thank you all for attending today's hearing on cybersecurity in 
the health and education sectors. Looking at you out there, I 
feel like I am Vladimir Putin meeting with his generals, like 
on a table 60 yards long. But thank you for being here. In 
April 2020, the FBI announced that it expected cyber-attacks to 
increase as a result of a shift to virtual environments during 
the pandemic. Their prediction was correct.

    While cyber threats impact nearly every aspect of our daily 
lives, we are discussing just two. According to data from the K 
through 12 Cyber Security Resource Center, K-12 schools have 
experienced an 18 percent increase in cyber-attacks in 2020 
compared to 2019. Specifically, 317 school districts across 40 
states suffered 408 publicly disclosed cyber security 
incidences in 2020.

    Microsoft Security Intelligence found that 61 percent of 
nearly 7.7 million enterprise malware encounters reported in 
May 2020 came from the education sector, making it the most 
affected industry. With regard to health care, nearly 50 
million people in the U.S. had their sensitive health data 
breached in 2021, more than triple 2018 numbers.

    Just last month, U.S. Federal agencies led by the 
Cybersecurity and Infrastructure Security Agency issued the 
strongest warning yet of cyber-attacks on critical 
infrastructure by Russian government security and intelligence 
services retaliating against any organization providing support 
to Ukraine. So what exactly are these cyber threats and 
incidences in both health and education, the industries being 
hit by ransomware and phishing attacks? In the health industry, 
patient care is time sensitive.

    As a doctor, I cannot express enough the importance of 
timeliness in care. Cyber-attacks to delay care cost American 
lives, and that was particularly during the pandemic. A 
September 2021 CISA report found that ransomware cyber-attacks 
on hospitals led to significant and sustained hospital strain 
and related consequences such as IT network failure, ambulance 
diversion, strain on ICU bed utilization, and increased 
mortality.

    We must talk today about stopping adversaries from denying 
our patients the care that is needed. Cyber-attacks are never a 
victimless crime. In K through 12, phishing attacks stealing 
data from our youngest children are especially concerning 
because it can take years to discover that a child's identity 
has been stolen. In the meantime, the thieves can open credit 
cards and mount up large debts with a child's identifying 
information.

    Ransomware attacks, on the other hand, show themselves 
immediately and can result in significant disruptions in the 
classroom. These attacks come at a high cost, both in the 
ransom paid and the work it takes to restore systems. One 
higher education example, University of California San 
Francisco Medical School paid $1.14 million to hackers who 
encrypted and threatened to publish sensitive information 
stolen from the institution.

    In another health care example, universal health care 
services, or UHC, experienced a cyber-attack in October 2020, 
costing UHC $67 million in lost revenue and recovery efforts. 
Collaboration with and among the private sector is essential to 
solving this problem. Existing partnerships with organizations 
like some of the ones you represent, as well as closer 
collaboration among Federal agencies, are key ingredients we 
must pursue as a long term solution to cyber vulnerability.

    A strong cyber defense to protect our Country from virtual 
threats is becoming just as important as a strong military and 
police force to defend from physical threats. From the 
bipartisan infrastructure bill to military aid for Ukraine, 
nearly every comprehensive piece of legislation has to consider 
and address the importance of cybersecurity.

    Continuing that discussion in regards to Americans health 
and education is also needed. It is important that the 
Committee is doing this today. With that, I look forward to 
hearing from our witnesses about how to improve cybersecurity 
protocols on the Federal level. And I yield.

    The Chair. Thank you, Senator Cassidy. I will now introduce 
today's witnesses. Our first witness is Denise Anderson, 
President and CEO of the Health Information Sharing and 
Analysis Center, or ISAC, a nonprofit organization dedicated to 
protecting the health sector from physical and cyber-attacks 
and incidents by serving as a trusted and timely resource for 
information.

    Ms. Anderson is also Chair of the National Council of 
ISACs, on the Board of Directors for the Global Resilience 
Federation, on the Cyber Working Group Executive Committee for 
the Health and Public Health Sector Coordinating Council and 
engaged in a number of other groups and initiatives focused on 
cyber issues in the health care sector.

    Ms. Anderson, thank you for joining us today. I look 
forward to your testimony. And with that, I am going to turn 
over to Senator Hassan, who will introduce our next witness, 
Joshua Corman.

    Senator Hassan. Well, thank you so much, Chair Murray. It 
is a real pleasure to introduce our second witness today, Mr. 
Joshua Corman from Dover, New Hampshire. He is joined today by 
his fiance, Andra. Thank you for being here as well. Mr. Corman 
is a founder of a volunteer organization called I Am the 
Cavalry, which focuses on using the cybersecurity skills of its 
members to protect public safety.

    He also recently served as the Chief Strategist on the 
Cybersecurity and Infrastructure Security Agency, or CISA's 
COVID Task Force, where he worked to protect the healthcare 
sector from cyberattacks and cyber espionage, as the COVID-19 
pandemic strained the sector.

    He has previously served in several different senior 
cybersecurity and technology roles, including as Chief Security 
Officer at PTC, a software company, Director of the Cyber 
Statecraft Initiative for the Atlantic Council, and Chief 
Technology Officer for Sonatype, a cybersecurity company. He 
also serves as an adjunct faculty for the Chief Information 
Security Officer Certificate Program at Carnegie Mellon 
University.

    As someone who has worked with Members of both parties to 
strengthen cybersecurity at all levels of Government, 
especially in small communities, I appreciate Mr. Corman's work 
very much. Welcome, and thank you for your service, Mr. Corman. 
I look forward to your testimony today.

    The Chair. Thank you, Senator Hassan. Today, we will also 
be hearing from Amy McLaughlin, a knowledgeable technology and 
information security leader with experience in education, 
finance, medical, and Government sectors. Ms. McLaughlin is the 
Cybersecurity Program Director at the Consortium of School 
Networking.

    That is an organization focused on meeting the technology 
needs of K-12 leaders and supporting the entire IT system, team 
and school systems. She is also the Executive Director of 
Technology and Solutions Architecture at Oregon State 
University. Thank you for joining us today. We look forward to 
your testimony.

    Finally, our last witness today is Helen Norris. She is 
Vice President and Chief Information Officer at Chapman 
University. She is responsible for leading the university's 
information technology strategy and services and overseeing the 
university library.

    She is also a Board Chair of EDUCAUSE, a nonprofit whose 
mission is to advance higher education through the use of 
information technology. We look forward to hearing from you 
today as well. And thank you again to all of you for joining us 
today. With that, we will begin testimony. Ms. Anderson, we 
will start with you.

    STATEMENT OF DENISE ANDERSON, PRESIDENT AND CEO, HEALTH 
      INFORMATION SHARING AND ANALYSIS CENTER, OAKTON, VA

    Ms. Anderson. Good morning, Chair Murray, and Members of 
the Committee. My name is Denise Anderson, as you mentioned, 
and I am President and CEO of the Health ISAC. I am also 
representing the Health Sector Coordinating Council 
Cybersecurity Working Group. I want to thank you for the 
opportunity to speak today. Health ISAC is a global nonprofit. 
Our members range from small to large organizations and 
represent approximately two-thirds of the U.S. health and 
public health GDP.

    Members include providers, academic medical centers, and 
medical device and pharmaceutical manufacturers, among others. 
Recently, Health ISAC published its report on the current and 
emerging health care cyberthreat landscape. And last month, 
Health ISAC worked with Microsoft to take down a Zloader 
malware family through coordinated legal and technical actions.

    The takedowns struck a major blow against cybercriminals 
using ransomware to extort hospitals and other victims. The 
Health Sector Coordinating Council Cybersecurity Working Group 
is a volunteer coalition of 320 organizations. Membership is 
open to any organization that meets certain criteria. It is 
organized into task groups that work to develop best practices 
for various health care cybersecurity disciplines.

    The CWG has produced 15 best practices publications which 
are freely available via their public website. Both Health ISAC 
and the CWG worked closely with HHS and the FDA as well as 
CISA. Our ongoing engagement includes weekly calls with the 
leadership in each organization to assess and discuss issues 
facing the sector. With the rise in digital health care, the 
proliferation of advances in technology, and the efficiencies 
of connecting devices and data, the cyber threat surface in 
health care has ballooned and the threat actors have followed.

    The focus has traditionally been on data and privacy, but 
if providers cannot deliver services or data is manipulated or 
destroyed, patient lives can be at risk. Ransomware has had a 
big impact on the health sector. According to the FBI's 2021 
Internet Crime Report, the sector experienced at least 148 
ransomware attacks between June and December 2021, resulting in 
millions of dollars of losses.

    Conti and its Ryuk Ransomware have been especially 
prolific. Ryuk has been linked to more than 200 ransomware 
attacks impacting health facilities, with revenue losses 
amounting to nearly $100 million and remediation costs of $500 
million. A high profile attack as a result of Conti was against 
the national health system in Ireland in May 2021. The attack 
brought down all of their IT systems and resulted in canceled 
surgeries and delayed medical care. It took 4 months to recover 
from that incident.

    The other impact of ransomware is the downstream effects 
when suppliers are attacked. When a human resources firm was 
attacked in December 2021, hospitals were forced to manage 
payroll and staff scheduling manually during a surge in COVID-
19 infections. In January 2021, a manufacturer essential in 
providing packaging for COVID-19 treatments was attacked and 
pharmaceutical manufacturers experienced slowdowns in package 
production and shipping during a vital period in the pandemic.

    The COVID-19 pandemic spurred several incidents. Threat 
actors accessed sensitive documents for a COVID-19 vaccine at 
the European Medicines Agency, where the documents were stored. 
Actors attacked and blocked access to an Italian COVID-19 
vaccination booking system, and organizations offering cold 
storage and delivery processes for keeping vaccines at safe 
temperatures were targeted.

    A concerning threat actor trend has been the intention and 
ability to target the IT supply chain, such as the SolarWinds 
attack, to gain access to a larger group of victims. 
Vulnerabilities also posed a huge problem for the sector. 
Reported vulnerabilities increased for a fifth straight year. 
Over 18,000 were reported in 2021, and almost 20 percent of 
those were considered high risk.

    With the tensions between Russia and Ukraine high, many 
fear a fall out like what occurred during the 2017 Petya 
attacks that impacted over 300 companies and cost over $10 
billion. In February, Russian actors attacked Viasat, 1 hour 
before Russia invaded Ukraine. Internet users and wind turbines 
producing electricity in Europe were impacted. Even if health 
care is not directly targeted, cascading impacts such as access 
to communications and electricity can be substantial.

    The health sector is highly interconnected. Sensitive 
patient information must move between entities to facilitate 
proper patient care and history. Hospitals use tens of 
thousands of medical devices, expensive devices are not easily 
replaced, and run on software that is no longer patched or 
supported.

    In addition, many of these devices run 24 hours a day, 7 
days a week, 365 days a year, so taking them offline or 
patching them is not--is complicated. As can be seen by the 
contributions of the CWG and Health ISAC, industry dedicates 
endless hours to help ensure the sector is strong and secure.

    The publications, webinars, workshops, exercises, the many 
alerts are free and open to the sector. The Zloader takedown 
will benefit countless organizations inside and outside of 
healthcare, and we look to do more of the same. Despite the 
number of great initiatives and efforts underway, we can no 
longer look at the challenges through just a cyber and or 
physical lens but must consider all threats to operational 
resilience.

    As evidenced by Hurricane Maria in Puerto Rico and the 
impact on IV bag supply, ransomware attacks which have crippled 
the health care delivery, and the COVID-19 shut down in China 
affecting the supply of contrast fluid used in imaging, health 
organizations must constantly be focused on all threats to 
health care delivery and patient safety.

    The health sector should be supported and incentivized in 
this vital effort. This concludes my testimony. Thank you again 
for the opportunity and look forward to your questions.


    [The prepared statement of Ms. Anderson follows:]
                 prepared statement of denise anderson
                            ISAC Background
    Chair Murray, Ranking Member Burr, and Members of the Committee, my 
name is Denise Anderson. I am President and CEO of the Health 
Information Sharing & Analysis Center (Health-ISAC), Chair of the 
National Council of ISACs (NCI) and serve on the Executive Committee of 
the Health Sector Coordinating Council Cybersecurity Working Group 
(HSCC CWG). I want to thank you for this opportunity to address the 
Committee on Health, Education, Labor, and Pensions about the industry 
perspective on cybersecurity threats to the Health sector and the 
resulting challenges and impacts, as well as the activities the sector 
is undertaking to combat these threats including collaborating and 
coordinating within, between and across the public and private critical 
infrastructure sectors.

    ISACs were formed in response to the 1998 Presidential Decision 
Directive 63 (PDD 63), which called for the public and private sectors 
to work together to address cyber threats to the Nation's critical 
infrastructures. After 9/11, in response to Homeland Security 
Presidential Directive 7 (its 2013 successor, Presidential Policy 
Directive 21) and the Homeland Security Act, ISACs expanded their role 
to encompass physical threats to their respective sectors. Many ISACs 
have been in existence over a decade and in some cases over two 
decades.

    ISACs are industry driven, trusted communities that promote the 
sharing of timely, actionable, and reliable information for their 
respective critical infrastructure sectors and provide forums for owner 
and operator sharing around threats, incidents, vulnerabilities, best 
practices, and mitigation strategies. ISACs are operational in nature 
and have strong reach into their sectors to gather and disseminate 
information quickly and efficiently. ISACs have been thriving and 
growing in recent years as owners and operators have seen the benefit 
to participating in these trusted communities, which is a testament to 
the value ISACs deliver to their members. ISACs coordinate with each 
other through the National Council of ISACs (NCI), a voluntary 
organization formed in 2003.
                         Health-ISAC Background
    Health-ISAC, (www.h-isac.org) founded in 2010, is a 501(c)6 
nonprofit organization and is funded primarily by its member firms 
through member dues. Since 2010 the membership has expanded to over 700 
organizations including healthcare delivery organizations (HDOs), 
providers, academic medical centers, medical research and development 
centers, medical materials manufacturers and distributors, 
pharmaceutical and medical device manufacturers, retail pharmacies, 
laboratories and radiological centers, telehealth providers, electronic 
health record providers and payers representing approximately two-
thirds of the US Health and Public Health GDP \1\.
---------------------------------------------------------------------------
    \1\  Based on the annual revenue of all Health-ISAC member 
organizations. ($2.3 Trillion).

    Health-ISAC members represent 79 percent of the top 103 hospital 
chains in the United States, 61 percent of the top 51 global medical 
device manufacturers, 84 percent of the top 25 global pharmaceutical 
manufacturers, 93 percent of Fortune 500 healthcare companies in the 
United States and 86 percent of electronic health record providers in 
the United States. Our members range from small organizations with less 
than one million dollars in annual revenue to large Fortune 50 
organizations with over 238 billion dollars in annual revenue.

    Health-ISAC is a global organization that has members headquartered 
in over 20 countries and membership is growing rapidly. Health-ISAC saw 
its largest member growth ever in 2021.

    The mission of Health-ISAC is to empower trusted relationships in 
the global healthcare industry to prevent, detect and respond to cyber-
and physical security events so that members can focus on improving 
health and saving lives.

    Besides offering a trusted forum and community for sharing 
information around threats, vulnerabilities, best practices and 
mitigation strategies, Health-ISAC offers a number of other services 
such as global workshops and webinars, four annual summits (two in the 
United States, one in Europe and one in Asia), daily cyber and physical 
reports, alerts, targeted threat alerts, a monthly newsletter, a weekly 
blog on cybersecurity issues in healthcare, white papers, monthly 
member-only threat briefings, monthly podcasts, exercises, special 
interest groups, a number of working groups and committees and various 
technical tools and partner programs for members to use in their 
environments. In addition, the Health-ISAC Threat Intelligence 
Committee (TIC) sets the sector cyber threat level monthly, or as 
needed, and provides valuable insight and mitigation strategies when 
threats arise, or incidents occur.

    Health-ISAC has numerous sharing and collaboration channels, 
including platforms where hundreds of thousands of actionable 
indicators and threat actor tactics, techniques, and procedures (TTPs) 
are shared. Health-ISAC was one of the first organizations to adopt 
STIX and TAXII, protocols for automated indicator and intelligence 
sharing, and it fosters a robust member machine-to-machine sharing 
environment. Health-ISAC uses the Traffic Light Protocol (TLP), an 
information owner dissemination determination protocol for sharing 
of information. TLP RED is the most restricted sharing protocol, with 
TLP WHITE the broadest. Over 100,000 individuals have access to our 
TLP GREEN and TLP WHITE alerts.

    In 2021, for example, Health-ISAC:

          Provided alerts, papers, webinars, thought leadership 
        and facilitated collaboration on myriad incidents during the 
        year including SolarWinds, Accellion, ProxyLogon, 
        PrintNightmare, VPN Vulnerabilities in Fortinet, Pulse and 
        Citrix, Colonial Pipeline, JBS Meats, Irish National Health 
        Service, Kaseya, Geopolitical Tensions, Hurricane Ida and other 
        physical threats, and Log4j.

          Added 119 new members amounting to a member community 
        of over 5,500 individuals.

          Nearly tripled the number of member organizations 
        using automated indicator sharing.

          Conducted 12 highly attended Monthly Member Threat 
        Briefings, published 242 Finished Intelligence Reports, sent 
        over 419 Targeted Alerts, held ten Threat Operations Center 
        (TOC) Spotlight threat and vulnerability webinars, and 
        distributed over 65,812 actionable indicators of compromise.

          Worked with security researchers to develop four pre-
        public alerts and vulnerability notifications impacting 
        millions of medical devices.

          Stood up several new programs including a new webinar 
        program, Continue the Conversation for members to bring subject 
        matter expert panels and discussions around hot topics from the 
        chat channels, the Microsoft Patch Tuesday Podcast and TOC Open 
        House Office Hours.

          Hosted an Analytics Training Workshop, offered 63 
        webinars, and held three successful global in-person Summits, 
        with our Fall Summit attendance close to pre-pandemic numbers. 
        Health-ISAC also conducted nine customized exercises and in 
        2022 published an After-Action report from our 2021 Rethinking 
        Resiliency exercise series.

          Planned and held the Hobby Exercise, a tabletop 
        exercise designed to engage the Health sector and strategic 
        partners, including those in government, on significant 
        security and resilience challenges. The overarching objective 
        is to inform and provide opportunities for continuous 
        organizational improvement while increasing Health sector 
        resiliency. The annual exercise is named for Oveta Culp Hobby, 
        the first U.S. Secretary of Health, Education and Welfare. The 
        2021 After-Action Report illustrating findings from the 
        exercise was recently published in March 2022.

          Worked with Cisco to conduct a well-received 2-day 
        Leadership Development Course for rising CISOs at the 2021 Fall 
        Summit. This was also held at our Spring Summit in May 2022.

          Produced four white papers, developed Pharmaceutical 
        and Supply Chain Guidance for practitioners and healthcare 
        CISOs, and expanded physical threat information deliverables 
        for Health sector organizations. Also published Full and Lite 
        versions of copyrighted Health-ISAC Questionnaires for Third-
        Party Risk Management. In 2022 we also published a white paper 
        on Securing the Modern Pharmaceutical Supply Chain.

          Offered valuable tools for members such as third-
        party risk management, digital risk protection and internet 
        traffic visualization through our Community Services Program.

          Facilitated five Committees, over 15 Working Groups 
        and three Councils devoted to topics such as Cybersecurity 
        Analytics, Information Security Incident Response, Security 
        Engineering and Architecture, Business Resiliency and 
        Cybersecurity Awareness and Training.

          Continued to build on our work to improve security 
        across the Medical Device Community with over 25 medical device 
        public advisories, two Food and Drug Administration (FDA) Town 
        Halls at Health-ISAC Summits and curated medical device 
        information related to Log4j and other vulnerabilities on the 
        Health-ISAC website. Our Medical Device Cybersecurity 
        Information Sharing Council is comprised of 331 individuals 
        from 135 organizations with half of the group comprised of 
        Healthcare Delivery Organizations (HDOs) and the other half 
        comprised of Medical Device Manufacturers (MDMs).

          Conducted over 30 member interest surveys on topics 
        such as SolarWinds Impact, Security Workforce Size and 
        Strategy, and Security Operations Centers Resourcing.

    In 2022, to date, Health-ISAC has engaged in five major activities 
of note. The first is the publishing of the first annual Health-ISAC 
report on the Current and Emerging Healthcare Cyber Threat Landscape in 
both TLP GREEN and TLP WHITE versions. The report features survey 
results on member threat perspectives, as well as top issues from 2021 
and a look ahead into 2022 (https://h-isac.org/health-isacs-first-
annual-current-and-emerging-healthcare-cyber-threat-landscape-
executive-summary/). The second is the publishing of the 2021 Health-
ISAC Annual Report (https://h-isac.org/2021-annual-report/). Third, the 
ISAC held several webinars, produced alerts and briefings, and 
published a joint bulletin with the Health Sector Cybersecurity 
Coordination Center (HC3), part of the Department of Health and Human 
Services (HHS), regarding the geopolitical tensions in Russia. The ISAC 
emphasized several messages to the sector that resulted from Classified 
briefings conducted by the White House, Cybersecurity and 
Infrastructure Security Agency (CISA), and its partners and stood up a 
working group of members directly impacted by the situation so that 
they could share challenges, issues, and best practices with each 
other. Fourth, Health-ISAC worked on another pre-public vulnerability 
disclosure with CISA and CyberMDX/Forescout on Access:7, 
vulnerabilities found in the PTC Axeda agent and Axeda Desktop Server.

    Fifth, in April 2022, Health-ISAC worked with Microsoft and others 
to take down the Zloader malware family, one of the most notorious 
cybercrime operations responsible for ransomware attacks against 
hospitals in the United States and around the world. The takedown was 
accomplished through coordinated legal and technical actions and 
disrupted massive botnets using the Zloader malware family, striking a 
major blow against cybercriminal operators using Ransomware, such as 
Ryuk, to extort victims.

    With the seizing of hundreds of domain names used by the Zloader 
malware to remotely command and control victim computers, Microsoft 
will use the intelligence gained from this takedown to partner with Law 
Enforcement, Internet Service Providers and Computer Emergency Response 
Teams around the world to help remediate infected computers, making the 
Internet safer for consumers and businesses worldwide. Together, these 
aspects of the operation are expected to undermine the criminal 
infrastructure that relies on these botnets every day to make money and 
help to provide new tools for the industry to work together to 
proactively fight cybercrime.

    At Health-ISAC, our mission is much bigger than the ISAC. We 
believe building a stronger community both inside and outside of the 
sector leads to better patient care and a healthier world.
     Health Sector Coordinating Council Cybersecurity Working Group
                               Background
    Healthcare is designated under U.S. national policy as ``critical 
infrastructure'' along with 15 other industry sectors, such as 
financial services, energy, telecommunications, water, transportation 
and more, represented by industry-organized ``Sector Coordinating 
Councils (SCCs).'' These SCCs and their government counterparts form a 
national public-private partnership coordinated overall by the U.S. 
Department of Homeland Security through the National Infrastructure 
Protection Plan (NIPP). The Health Sector Coordinating Council (HSCC) 
serves as an official advisory council to its government counterparts--
HHS and FDA--with a formally designated critical infrastructure 
protection function distinct from the advocacy and member services 
roles of traditional industry associations. The HSCC, HHS and FDA work 
jointly to identify and mitigate systemic threats to critical 
healthcare infrastructure, such as pandemics, major weather events, 
terrorism, active shooters, and cyber-attacks, with a mission to 
identify cyber and physical risks to the security and resiliency of the 
sector, develop guidance and policies for mitigating those risks, and 
facilitate threat preparedness and incident response. The Office of the 
White House National Cyber Director has identified and engaged the HSCC 
as a model to accelerate a national healthcare cyber resilience 
strategy.

    The HSCC Cybersecurity Working Group (CWG) is a volunteer coalition 
of 320 organizations that operates under a charter-based governance 
structure with an elected Chair, Vice-Chair and Executive Committee. 
Membership is open to any organization that is: (a) a covered entity or 
business associate under HIPAA; (b) a Health plan or payer; (c) 
regulated by FDA as a medical device or pharmaceutical company; (d) 
regulated by the HHS Office of the National Coordinator as a Health IT 
company; (e) a public health organization; or (f) a healthcare industry 
association or professional society. A small allotment of an 
``Advisor'' member category of consulting and security companies is 
permitted to participate and support CWG initiatives pro bono.

    When working with our government partners, the industry-led 
Cybersecurity Working Group becomes the Joint Cybersecurity Working 
Group, which identifies and develops preparedness measures against 
cybersecurity threats to the security and resiliency of the Health 
sector. It is organized into outcome-oriented task groups (currently 
13) that meet regularly to develop best-practices for various 
healthcare cybersecurity disciplines such as 405(d) Health Industry 
Cybersecurity Practices, Supply Chain Cyber Risk Management, Five-Year 
Plan, Emerging Technology, Workforce Development, Measurement, Policy, 
Outreach and Awareness and Risk Assessment and Medical Technology 
Security including sub-groups around the Joint Security Plan Update, 
MedTech Legacy Devices, and MedTech Vulnerability Communications.

    The CWG has produced 15 major best-practices publications since 
2019, freely available to sector stakeholders and the public via its 
website (HealthSectorCouncil.org). These publications include Health 
Industry Cybersecurity Practices, Health Industry Cybersecurity 
Tactical Crisis Response Guide, Health Industry Cybersecurity Securing 
Telehealth and Telemedicine, Model Contract Language for Medtech 
Cybersecurity, Medtech Vulnerability Communications Toolkit and 
Operational Continuity Cyber Incident.

    Many of these HSCC CWG task group initiatives and deliverables 
directly address the many important recommendations contained in the 
2017 HHS report of the Health Care Industry Cybersecurity (HCIC) Task 
Force, which was established by the Congress in Section 405(c) of the 
2015 Cybersecurity Information Sharing Act and was composed of industry 
and government experts in healthcare and cybersecurity. At the time, 
the report characterized the healthcare industry's cybersecurity 
preparedness as being ``in critical condition.'' As the Health Sector 
Coordinating Council has been focused on developing cybersecurity best 
practices and tool kits--by the sector, for the sector--we hope that as 
more healthcare organizations implement these scalable practices over 
time, we will raise the sector's preparedness diagnosis to ``stable.'' 
But in the business of cybersecurity, we are never done, only better.

    To support the development of these initiatives, our preparedness, 
information sharing and incident response, both Health-ISAC and the 
HSCC CWG work closely with HHS and FDA, both of which serve as our CWG 
co-chairs and Sector Risk Management Agency (SRMA), as well as CISA. 
Our ongoing partnership engagement includes holding weekly calls with 
the leadership in each organization to assess and discuss issues facing 
the sector.
                The Cyber Threat Landscape in Healthcare
    Ten years ago, `cyber' and `healthcare' were not even placed in the 
same sentence. Today because of the rise in digital healthcare, the 
proliferation of advances in technology and the efficiencies of 
connecting devices and data, the cyber threat surface in healthcare has 
ballooned and the threat actors have followed. Threat actors have many 
motivations to attack whether for financial reasons, disruption, 
intellectual property theft, revenge or to make a political statement.

    Unfortunately, the stakes are very high. The focus has 
traditionally been on data and privacy but if HDOs, providers, or their 
suppliers cannot deliver services, as was seen in numerous ransomware 
attacks, or data is manipulated or destroyed, patient lives can be at 
risk.

    There are essentially five malicious actor groups that are 
responsible for threats to healthcare, which include Nation States such 
as Russia and China, Cyber Criminals, Hacktivists, Terrorists, and 
Insiders who can be malicious or non-malicious. Their motivations range 
from Advantage (intellectual property theft, gaining a foothold for 
further disruption, espionage, blackmail), Ego (notoriety, revenge) and 
Ideology (political, social, cultural) to Greed (money, power).

    The various actor groups use several Tactics, Techniques and 
Procedures (TTPs) to conduct their activity. Some TTPs are Phishing and 
Spearphishing, Ransomware, Wipers, Distributed Denial of Service 
(DDoS), Business Email Compromise, Remote Access, Supply Chain Attacks, 
Scanning and Exploiting Vulnerabilities, Social Engineering and 
Credential Theft.

    In November 2021, Health-ISAC conducted a survey of its members 
asking them to rank order the Top 5 ``greatest cybersecurity concerns'' 
facing their organizations for both 2021 and 2022. The survey included 
cyber (e.g., CISO) and non-cyber executives (e.g., CFO), multiple 
healthcare subsectors (e.g., Providers, Pharmaceutical Manufacturers, 
Payers, Medical Device Manufacturers, Health Information Technology), 
as well as healthcare organizations of varying sizes and budgets. The 
Top 5 threats, which were the same for both 2021 and 2022, were:

        1. Ransomware Deployment

        2. Phishing/Spear-Phishing Attacks

        3. Third-Party/Partner Breach

        4. Data Breach

        5. Insider Threat

    Ransomware has had a big impact on the Health sector and threat 
actors have evolved their techniques over the last 2 years from simply 
asking for a payment to unlock files to blackmailing organizations 
with threats to release records to the public. According to the Federal 
Bureau of Investigation (FBI) Internet Crime Complaint Center's (IC3) 
2021 Internet Crime Report, the Health sector experienced at least 148 
ransomware attacks between June 2021 and December 2021 resulting in 
millions of dollars of losses.

    Ransomware family groups that have been particularly prolific in 
the healthcare sector include Conti and its Ryuk Ransomware. Ryuk has 
been linked to more than 200 ransomware attacks impacting hospitals, 
public health departments, nursing homes and patient care facilities 
around the world since 2018. The attacks resulted in the temporary or 
permanent loss of IT systems that support many of the provider delivery 
functions in modern hospitals resulting in canceled surgeries and 
delayed medical care. Some examples of impacts caused by Ryuk at 
patient care facilities in the United States since 2018 include:

          Ryuk attack forced ambulances to divert, causing a 
        90-minute delay in emergency patient services.

          Ryuk disrupted delivery of chemotherapy treatments 
        for cancer patients.

          Ryuk forced hospitals to cancel elective procedures.

          Ryuk caused delays in reporting of laboratory 
        results.

          Ryuk caused delays in scheduling appointments for 
        maternity and oncology patients.

          Ryuk caused more than 3 weeks of downtime for the 
        Electronic Health Records management system.

          Ryuk impacted systems at nursing homes, causing 
        patient records to be unavailable and prohibiting 
        pharmaceutical orders from being placed, and

          Ryuk leaked sensitive patient data including 
        treatments, diagnoses, and other information of hundreds of 
        thousands of people.

    According to data Health-ISAC obtained through interviews with 
hospital staff, public statements, and media articles, hospitals 
reported revenue losses of nearly $100 million due to Ryuk infections. 
The Ryuk attacks 
also caused an estimated $500 million in costs to respond to the 
attacks--costs that include ransomware payments, digital forensic 
services, security improvements and upgrading impacted systems plus 
other expenses. A high-profile attack as the result of Conti/Ryuk was 
against the Health Service Executive (HSE), the national health system 
in Ireland consisting of 54 hospitals, in May 2021. The attack brought 
all the IT systems within HSE nationwide down and it took 4 months to 
completely recover from the incident.

    Other Ransomware families are REvil/Sodinokibi, Hive, Lokibot, Pysa 
and Clop. Health-ISAC assesses that in 2022, Ransomware will continue 
to proliferate, and cybercriminals will target critical systems to the 
operations of healthcare organizations to force healthcare 
organizations to pay a ransom quickly and not allow time for 
investigation or forensic examination prior to paying the ransom 
demanded.

    The other impact of Ransomware is the downstream effects that 
result when suppliers are attacked. When Kronos, a Human Resources 
Management Solutions firm widely used in healthcare, was attacked in 
December 2021, numerous hospitals were impacted. Hospitals were forced 
to manage payroll, staff scheduling, and issuing staff IDs manually 
during a surge in COVID-19 infections. In January 2021, when WestRock, 
a packaging solutions manufacturer that was essential in providing 
packaging for COVID-19 vaccines, treatments, and diagnostics, was hit 
with a Ransomware attack, pharmaceutical manufacturers were impacted by 
slowdowns in package production and shipping during a vital period in 
the pandemic.

    The COVID-19 Pandemic was a factor in several incidents that took 
place over 2020 and 2021. Nation State activity has always been present 
in the sector, but it was especially visible during the COVID-19 
pandemic with the desire to gain knowledge about vaccines, diagnostics 
and therapeutics related to COVID-19. Threat actors accessed documents 
covering the regulatory submission for Pfizer and BioNTech's COVID-19 
vaccine candidate BNT162b2 at the European Medicines Agency (EMA) where 
the documents had been stored on EMA's servers. There were also several 
incidents such as when threat actors attacked and blocked access to an 
Italian COVID-19 vaccination booking system. Other activities targeted 
organizations offering cold storage and delivery processes for keeping 
vaccines at safe temperatures with phishing and spear-phishing 
campaigns.

    A concerning threat actor trend has been the intention and ability 
to target IT providers, Managed Service Providers and Enterprise 
Management Software Systems to gain access to a larger group of 
victims. For example, in February 2020, threat actors affiliated with 
Russia's SVR (foreign intelligence service) injected malicious code 
into an update for SolarWinds Orion, network monitoring software used 
by several organizations including the U.S. Federal Government. The 
malicious code went undetected until December 2020 and infected over 
18,000 machines through the supply chain. Other high-profile supply 
chain compromises included Kaseya and Accenture. Heading into 2022, 
threat actors will likely evolve this tactic and focus on compromising 
cloud providers to gain access to the sensitive data and networks of 
multiple victims.

    Vulnerabilities also posed a huge problem for the sector. According 
to a graph published by the National Institute of Standards and 
Technology (NIST), vulnerabilities increased for a fifth straight year 
with 18,378 reported in 2021. Of that number, 3,646 were considered 
high-risk. Of particular note were the PrintNightmare vulnerability, 
the Microsoft Exchange ProxyShell vulnerability, and the Apache 
Log4j vulnerability which had very broad implications across the 
sector.

    In 2022 there has been increased focus on Nation State activity and 
related criminal cyber activity surrounding the geopolitical events 
occurring between Russia and Ukraine. Many fear a fall-out from Russian 
activities against Ukraine such as what occurred during the 2017 
Petya/NotPetya attacks that impacted over 300 companies, many of which 
were large multi-national corporations, and cost over $10 billion. Recent 
reporting shows Russian threat actors attacked Viasat, a US provider of 
high-speed satellite broadband services, 1 hour before Russia invaded 
Ukraine. Thousands of satellite terminals were affected impacting 
myriad internet users in Europe as well as over 5,800 wind turbines 
producing electricity. Even if healthcare is not directly targeted, 
cascading impacts such as access to communications and electricity can 
be substantial. Health-ISAC assesses that threat actor cyber activities 
will continue to rise and evolve, and the sector needs to be ever 
vigilant, as well as develop robust enterprise risk management and 
resiliency strategies.
                    The Unique Nature of Healthcare
    The Health sector is highly inter-connected. Unlike in other 
sectors, healthcare data must be portable. Sensitive patient 
information must move between various medical providers, pharmacies, 
diagnostic facilities, and payers to facilitate proper patient care and 
history, as well as, payment for those services. Many healthcare 
facilities such as hospitals operate in environments that are 
accessible to the public. Hospitals employ tens of thousands of medical 
devices, many using outdated operating systems, and many of which are 
connected to a network. These devices are made by a variety of 
manufacturers with various levels of security and patching protocols 
built in. Expensive equipment such as Magnetic Resonance Imaging (MRI) 
machines are not easily replaced and run on software that is no longer 
patched or supported. In addition, many of these devices run 24 hours a 
day, 7 days a week, 365 days a year, so taking them offline for 
patching or other security needs is complicated.

    When supply chains are tightened or non-existent for various 
reasons, or pandemics or natural or man-made regional disasters occur, 
stretched supplies and staff become an additional factor.

    Coupled with a diverse base within the sector, a highly regulated 
environment, complex siloed departments, a lack of skilled cyber staff, 
a lack of cyber security situational awareness, a lack of knowledge and 
training for the medical staff as well as at the CEO and Board level, 
and lack of cyber security strategy including a risk management 
approach, the Health and Public Health sector faces enormous 
challenges.
                         Meeting the Challenge
    Despite the numerous challenges, many organizations in the Health 
sector have taken great strides to make certain their environments are 
as protected and resilient as they can be. As can be seen by the 
contributions of the Health Sector Coordinating Council Cybersecurity 
Working Group and Health-ISAC, countless individuals dedicate numerous 
hours of their time to help ensure the sector is strong and secure. 
Both the HSCC CWG and Health-ISAC have robust communities that thrive 
on collaboration in their mission. As is the tradition in medicine, 
members of these two organizations truly care about patient welfare and 
safety and the protection of the ecosystem that contributes to them. 
Members share best practices, indicators of compromise, mitigation 
strategies and other vital information to accomplish this. When the 
Petya/NotPetya attacks of 2017 took place, some 60 individuals of 
approximately 34 Health-ISAC member firms came together and within 48 
hours, determined what the actual attack was, the attack vector, how it 
spread and how to stop it, and then shared their findings not just within 
the sector but globally via the Health-ISAC website and alerts. The 
publications produced, webinars and workshops held, exercises conducted 
and TLP WHITE alerts are open to the sector and are free. In 2021, 
Health-ISAC delivered targeted alerts to 49 healthcare companies that 
were non-members. The Zloader takedown will benefit countless 
organizations inside and outside of the sector and industry is looking 
to do more in this space.

    Despite the number of great initiatives and efforts underway within 
the sector, the sector needs to be vigilant. We can no longer look at 
the challenges through just a cyber or physical security lens, but must 
employ enterprise risk management to consider all threats to 
operational resilience. As evidenced by Hurricane Maria in Puerto Rico 
and its impact on the availability of IV bags, ransomware attacks on 
healthcare and healthcare suppliers, which have crippled healthcare 
delivery, the COVID-19 shutdown in Shanghai that has tightened the 
supply of contrast fluid used for imaging, which has forced physicians 
to prioritize which patients can get CT scans, MRIs and more, 
healthcare organizations must constantly be focused on all threats to 
healthcare delivery and patient safety. The healthcare sector should be 
supported and incentivized in this vital effort.
    Congress can help meet this challenge by focusing on three key 
areas:
   (1) EDUCATION, RECOGNITION AND FACILITATION OF THE IMPORTANCE OF 
                          INFORMATION SHARING
    One of the greatest challenges for Health-ISAC and all ISACs is the 
lack of awareness amongst the critical infrastructure owners and 
operators, particularly the smaller owners and operators, that the 
ISACs and SCCs exist and have valuable tools available to improve 
security--many of which are free to use. Numerous incidents have shown 
that effective information sharing amongst robust trusted networks of 
members works in combating cyber threats.

    Government, and specifically the SRMAs, should regularly and 
consistently encourage owners/operators, especially at the Board and 
CEO level, to join their respective ISACs and Sector Coordinating 
Councils. This has been very effective in the financial sector where 
the United States Department of the Treasury, the regulators and state 
agencies have been strongly encouraging membership in the FS-ISAC as a 
best practice.

    The SRMAs indeed have a policy reference for this kind of advisory 
to their sector representatives: the NIST Cybersecurity Framework. This 
Framework, developed over the course of a year collaboratively by 
government and private sector stakeholders, lays out a cyber risk 
management framework linked to five core functions: identify, protect, 
detect, respond, and recover. Among the functional categories 
identified as part of a mature cyber risk management strategy is 
external communications and coordination around cyber security threats, 
response, and best practices. In other words, membership in an ISAC or 
ISAO and/or the SCC is an essential element of a successful cyber risk 
management strategy.

    Another way to facilitate sharing and build robust communities is 
by providing financial incentives through tax breaks or other means to 
critical infrastructure organizations that join their respective ISACs 
and/or SCCs.
  (2) PROVIDE INCENTIVES FOR ADOPTION OF CYBERSECURITY BEST PRACTICES
    Cyber threat actors are agile, in many cases run their operations 
as businesses, are sophisticated and constantly evolve their TTPs to 
infiltrate an organization's defenses and achieve their goal. It is 
much easier to attack than to defend, and healthcare organizations are 
often at a disadvantage, especially smaller organizations that do not 
have financial and infrastructure resources. Due to the huge growth in 
cybercrime and large ransomware payouts, sophisticated and organized 
criminal groups will be able to invest heavily into R&D and develop new 
ways to conduct automated and effective scams. The criminals will 
leverage machine learning, artificial intelligence, and deep fakes to 
perpetrate efficient and effective criminal campaigns. Therefore, it is 
essential to support healthcare organizations by incentivizing them to 
adopt at a minimum basic cybersecurity and risk management strategies. 
Some good best practices include employing multi-factor authentication 
(MFA) and other access controls, having a layered defense, using 
endpoint security, developing network segmentation, building prevention 
and detection strategies, backing up data and training staff on cyber 
impacts and policies.
      (3) ESTABLISH CYBER SECURITY PROFESSIONALS AS SRMA LIAISONS
    With the challenging nature of the Health sector and the steady 
rise in cyber threats and incidents, there should be a cyber security 
professional within HHS to act as a strong government liaison and 
advocate for the public-private partnership when it comes to cyber 
matters. It has become increasingly apparent that industry needs a 
government representative who understands cyber security issues, 
threats, vulnerabilities and impacts as well as the blended threats 
between physical and cyber security. Having an established, clear 
government `go-to' lead in this area is imperative to strengthening the 
partnership and improving the overall cyber security posture of the 
Health and Public Health sector.

    This concludes my testimony. Thank you again for the opportunity to 
present this testimony and I look forward to your questions.
                                 ______
                                 
                 [summary statement of denise anderson]
    The testimony will provide descriptions of Health-ISAC, ISACs in 
general, and the Health Sector Coordinating Council Cybersecurity 
Working Group, including the numerous initiatives that are taking place 
within industry to help secure the sector and keep it resilient in the 
face of threats. It will look at the cyber threat landscape in 
healthcare and will include the major threat actor groups, threat actor 
motivations, as well as threat actor Tactics, Techniques and 
Procedures (TTPs). The testimony will provide a summary view of the top 
five ``greatest cybersecurity concerns'' Health-ISAC members see facing 
their organizations for both 2021 and 2022. Also covered are 
Ransomware, downstream impacts of Ransomware, Supply Chain attacks, 
vulnerabilities, and Nation State activity--especially related to 
COVID-19 and the development and distribution of vaccines, diagnostics, 
and therapeutics, as well as the recent geopolitical tensions between 
Russia and Ukraine. The unique nature of healthcare and its myriad 
challenges, such as the necessity of portable data, 24-by-7-by-365 
operations, equipment and devices that are no longer supported, but not 
easily replaced, reliance upon other critical infrastructure and supply 
chains, all exacerbated when pandemics, natural and man-made events 
take place, will be described. Finally, three suggestions are made 
where Congress and Government can help the Health sector in its efforts 
to improve security and resilience.
                                 ______
                                 

    The Chair. Thank you very much.

    Mr. Corman.

 STATEMENT OF JOSHUA CORMAN, FOUNDER, I AM THE CAVALRY, DOVER, 
                               NH

    Mr. Corman. Chair Murray, Senator Cassidy, distinguished 
Members of the Senate Health Committee, thank you for the time 
to speak to you today about some pretty grave matters that 
weigh heavy on my heart----

    The Chair. Is your mic on?

    Mr. Corman. I will try that again.

    The Chair. Very good.

    Mr. Corman. Chair Murray, Senator Cassidy, and 
distinguished Members of the Senate Health Committee, thank you 
for the opportunity today to talk about these grave matters 
that weigh heavy on my heart.

    As described, I am Josh Corman. I am the founder of a 
volunteer grassroots group of hackers trying to save lives 
through security research. In recognition that the cavalry 
isn't coming, we asked, what are you willing and able to do? 
Will you be part of that solution? Will you be a voice of 
reason and technical literacy and a helping hand to work with 
policymakers such as yourselves to make things safer?

    Our problem statement was simple, our dependence on 
connected technology was growing faster than our ability to 
secure it in areas affecting public safety, human life, and 
National Security. What we were doing 9 years ago was trying to 
build the trust and the foundation so that we could prevent 
loss of life.

    There is a promise in a parallel to connect to technology. 
We always adopt things that are immediate and obvious benefits. 
We have a very hard time determining the delayed consequences 
of those choices. And I warned the teams, people would have to 
die first before anyone would listen to us.

    To our delight and surprise, bravery from Dr. Suzanne 
Schwartz at FDA took bold action to try to make sure we raised 
the bar for minimum cybersecurity hygiene for medical devices 
and issued the first ever safety communication for a medical 
device purely for cybersecurity reasons and no one had died. 
They sent a shot over the bow to the industry of 10,000 medical 
device makers that the dependence we place on connected 
technology should be worthy of that trust.

    These are devices like this little pacemaker, some of which 
have found a sync--a hardcoded three digit password is 
sufficient to affect the hearts and functions of 750,000 
patients. We have similarly compromised insulin pumps to give a 
second lethal dose of insulin without authentication done by a 
diabetic himself. We have found bedside infusion pumps that 
should deliver a 3-hour dose of a calcium channel blocker could 
empty the contents in 30 seconds.

    We have done these through clinical E.R. hacking 
simulations in consultation and collaboration with Federal 
agencies, with medical practitioners, with physicians to see, 
can we handle these disruptions to the technologies we take for 
granted? Through that work, I got to serve on the 2015 405c 
Congressional Task Force on Health Care Industry Cybersecurity.

    Because of the trust built there, when the country and the 
world faced the pandemic of the COVID-19 virus, Director Krebs, 
using the CARES Act hiring authority, asked me to serve my 
country and design and implement what became this as a COVID 
task force. Senator Cassidy, that report that you referred to, 
we looked harder and closer at the ability, the Nation's 
ability to provide medical care than anyone had before. And 
armed with the extreme pressures and strains of the pandemic, 
we could use data science to calculate how ICU strain 
dramatically caused loss of human life.

    We found that if the country's ICU beds hit 75 percent, you 
would see 18,000 lost Americans in 2 weeks with additional 
amounts four and 6 weeks later. And if you hit 100 percent ICU 
strain, you would see 80,000 lost Americans. And unlike the 
losses to COVID, these were 25 to 44 year olds primarily.

    The question became, can these cybersecurity failures 
affect patient care and human life? And we were able to 
determine the answer was yes. Delays in integrated care affect 
mortality rates. The seminal New England Journal of Medicine 
article showed that a 4.4 minute longer ambulance ride during a 
U.S. marathon had a statistically significant impact on 
mortality rates 30 days later. Similarly, with strokes, the 
golden hour or golden hours is one, three, or 4 hours can 
affect patient care, if you can walk again, if you can talk 
again.

    A 4.4 minutes can affect the mortality for heart. And 4 
hours is the difference between life and death for brain. What 
do 4 weeks of downtime for the State of Vermont or for the 
protracted impacts to Scripps Health Care in San Diego? These 
failures further strained already record strained health care 
delivery, introducing a loss of life, not just of elderly with 
65 years or four or more co-morbidities, but critical 
infrastructure aged workforce that we depend upon, and in 
parallel with these record high strains, as these losses of 
life succumb to COVID, non-covid conditions, injury, burnout, 
retirement, and alterations to their family support structure.

    If we zoom out to Maslow's hierarchy of needs, in the last 
2 years, we have seen successful compromises of the water we 
drink, the food we put on our table, the oil and gas that fuels 
our cars in our homes, the schools our children attend, the 
municipalities who run our towns or our cities, the timely 
access to patient care during a pandemic. I myself suffered 
degraded and delayed care, which imperiled my ability to serve 
the country during these 2 years.

    We are overdependent on the panel things and while we are 
doing many correct things and this body themselves have taken 
bold action, these voluntary practices where we take our time 
have not proven sufficient to transcend the market failures. 
The adversaries are setting the pace.

    We are messing with Maslow. It is not tenable for an 
individual nor a nation. And with the threats or further 
attacks from Putin and other nations or adversaries, we need 
bold action, and we need it now. Any crisis of confidence in 
the public to trust these baseline functions is unacceptable. 
We need to be better. We have a head start.

    I have in my testimony areas where we can stem the bleeding 
in the foreseeable future, but it will take much more 
substantive action. I look forward to answering your questions.


    [The prepared statement of Mr. Corman follows:]
                  prepared statement of joshua corman

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                                 ______
                                 
                  [summary statement of joshua corman]
    Attacks on healthcare are increasing in volume, variety, and 
impact--with consequences now including the loss of life. While 
directionally correct steps have been taken, we're getting worse faster 
than we're getting better. Bold actions and assistance will be required 
to change this trajectory, address these market failures, lack of 
incentives, and historical under-investments.

    Attackers have gotten stronger, but defenders have not--and many 
got weaker. The number of healthcare attacks has grown. The costs of 
the ransom payments have grown. \1\ The impact of attacks is no longer 
merely measured by record count, fines, ransom payments, or recovery 
costs . . . but include double-digit millions of lost revenue and worse 
. . . degraded patient care and human life. \2\ Hurried crisis 
adjustments added more technologies and attack surfaces. Financial 
constraints forced reduced investments in cybersecurity staff & 
operating budgets.
---------------------------------------------------------------------------
    \1\  RTF Report: Combating Ransomware https://securityandtechnology.org/ransomwaretaskforce/report/.
    \2\  CISA Insights: Provide Medical Care is in Critical Condition https://www.cisa.gov/sites/default/files/publications/CISA-Insight-Provide-Medical-Care-Sep2021.pdf.

    ``Cyber Safety is Patient Safety''. I love my privacy; I'd like to 
be alive to enjoy it. Defensible connected technologies will require 
investment--as will the talent to defend them. Scrubbing-in before 
surgery takes time/money--and this vital hygiene practice dramatically 
reduces post-op infection, complications, and mortality rates. As 
technology increasingly plays a role in the delivery of modern 
healthcare, cyber-hygiene is no longer negotiable. Many exclaim they 
can't afford to do more. I hear Stan Lee: With Great Connectivity, 
Comes Great Responsibility . . .

    The pandemic brought an untenable, perfect storm of a record high 
need for patient care in the face of record high adversary activity, 
and severely diminished resources with which to defend the healthcare 
delivery environments. \3\
---------------------------------------------------------------------------
    \3\  Ransomware Hits Dozens of Hospitals in an Unprecedented Wave https://www.wired.com/story/ransomware-hospitals-ryuk-trickbot/.

    Degraded and delayed care affects patient outcomes. Cybersecurity 
disruptions can cause and exacerbate delays and degrade care for a 
hospital, town, region, or even at the state level. Adversaries are 
disrupting the bottom of Maslow's Hierarchy of Needs. Insecurity at the 
base of his famous pyramid is not tenable for an individual--and 
certainly not sustainable for a country. Do not mess with Maslow . . .
    Last, purely voluntary efforts have not proven able to transcend 
these market failures--and we're on a troubling trajectory with 
increasingly aggressive nation-state attacks. We have useful building 
blocks, but they require more speed & support. As the world is 
increasingly depending upon digital infrastructure, that infrastructure 
needs to be more dependable.
                                 ______
                                 

    The Chair. Thank you.

    Ms. McLaughlin.

 STATEMENT OF AMY MCLAUGHLIN, CYBERSECURITY PROGRAM DIRECTOR, 
         CONSORTIUM OF SCHOOL NETWORKING, CORVALLIS, OR

    Ms. McLaughlin. Chair Murray, Senator Cassidy, and Members 
of the Committee, it is an honor to be here with you today to 
talk about the cybersecurity threats and challenges facing K-12 
education. As mentioned earlier, I am Amy McLaughlin. I 
maintain multiple cybersecurity certifications and have over 20 
years' experience as a cybersecurity professional that spans 
state and local Government, K-12 and higher education, and 
health care.

    I serve as the Cybersecurity Program Director for the 
Consortium of School Networking, CoSN, the national 
organization dedicated to meeting the needs of K-12 education 
technology leaders. K-12 school districts face increasing 
attacks and threats. Today's cyber threats largely come from 
organized crime, nation state actors, and terrorist 
organizations.

    The most prevalent threats facing K-12 schools are 
ransomware attacks designed to encrypt and block data access to 
computer systems until a ransom is paid, phishing attacks that 
inundate education employees with fraudulent emails, attempting 
to trick them into responding with sensitive data, distributed 
denial of service attacks that flood the target networks making 
them inaccessible, and cybersecurity--or cyber-attacks against 
vendors providing services to multiple districts that result in 
wide scale impacts.

    The impacts of cyber-attacks on K-12 school districts, 
teachers, and students include lost instructional time, damage 
to schools' reputations, high financial costs of cyber 
incidents, rising cybersecurity insurance costs, financial and 
credit hardships for students and employees from the loss of 
their personal data, and rising mental health impacts, 
including increases in anxiety and depression.

    These impacts are being realized around the country. In 
Toledo, Ohio, and Fairfax County, Virginia, attackers 
threatened to make personal information of students and 
educators public. School districts in Baltimore, Maryland and 
Hartford, Connecticut were forced to shut down and cancel 
several days of school due to ransomware. And on the first day 
of classes, the Miami-Dade County Public Schools in Florida, 
the fourth largest U.S. district, saw their networks 
overwhelmed by a denial of service attack.

    K-12 schools and districts experience significant 
challenges in protecting themselves from cyber-attacks. Most 
districts see cybersecurity as a technical issue, and it isn't. 
It is an issue that requires everybody in an organization to 
understand and be part of the solution and understand their 
role in protecting the organization. Safeguarding technologies 
are expensive, and the leading K-12 funder, the E-Rate program, 
does not fund cybersecurity or network defenses.

    School districts struggle to hire cybersecurity 
professionals. With almost 500,000 unfilled positions in 
cybersecurity in the United States, districts cannot compete 
with private sector salaries and opportunities. Digital equity 
is a significant challenge as cyber issues, security issues 
disproportionately impact our school districts who have less 
funding available to support and secure their technologies.

    The addition of Internet of Things devices to networks 
demands additional protections the districts are unable to fund 
and unprepared to deliver. Our K-12 school systems are taking 
many steps already to improve and expand protections for data 
and IT systems, including training their IT staff in 
cybersecurity, training their end users to protect themselves 
from cyber-attack, backing up data to offsite facilities to 
recover faster from ransomware attacks, and upgrading their 
password requirements from basic eight character passwords to 
stronger pass phrases and implementing multiple factor 
authentication.

    But there are additional Federal actions that should be 
taken to help our schools and districts improve their 
cybersecurity defenses. E-Rate needs to be updated to include 
cybersecurity and expand the E-Rate definition of firewalls to 
encompass next generation firewalls and services.

    We need to encourage the U.S. Department of Education 
through the Privacy Technical Assistance Center to expand 
guidance materials and coordinate services across Federal 
agencies. We need support for implementation of Representative 
Matsui's 2021 Enhancing K-12 Cybersecurity Act, which CoSN has 
endorsed.

    We need funding, additional funding for MS-ISAC to provide 
their fee based services to K-12 free of charge. Additionally, 
funding university and college run security operations centers, 
or SOCs, which offer cost effective services for K-12 schools 
and train new cybersecurity professionals, is an excellent 
opportunity, and we need to help schools hire expert staffing.

    Our K-12 districts are on the front lines of protecting 
their data and systems against much larger, better funded 
organizations and a rapidly evolving cyberthreat environment. 
They need access to staffing and technical resources and 
continue to securely deliver education. I thank you for your 
time and look forward to your questions.


    [The prepared statement of Ms. McLaughlin follows:]
                  prepared statement of amy mclaughlin
    Chair Murray, Ranking Member Burr and Members of the Committee:

    It is an honor to be with you today to talk about the cybersecurity 
threats and challenges facing K-12 education. I'm Amy McLaughlin, I 
maintain multiple cybersecurity certifications including the Certified 
Information Systems Security Professional (CISSP), and Certified 
Information Systems Manager (CISM). I have over 20 years of experience 
as a cybersecurity professional that spans state and local government, 
K-12 and higher education, and health care. I serve as the 
Cybersecurity Program Director for the Consortium of School Networking 
(CoSN), the national organization dedicated to meeting the needs of K-12 
education technology leaders.

    These challenges were daunting before the COVID-19 pandemic, and 
the rapid deployment of millions of one-to-one mobile devices to shift 
schools to remote and hybrid learning expanded the technology footprint 
and increased opportunities for malicious attacks.

    The threats faced by K-12 schools and the education sector are very 
serious and constantly changing. Gone are the days where cyber threats 
came from individual ``script kiddies'' who sought to access systems, 
write viruses and worms just to see if they could. Today's cyber 
threats come from organized crime, nation state actors, and terrorist 
organizations \1\ who have three objectives--use cybercrime to make 
money through ransoming data or stealing and selling data, collecting 
data for future use, and disrupting U.S. infrastructure and daily life 
with attacks on our ability to offer a free public education. In 
addition to external threats, education faces internal threats from 
students who can quickly and easily learn how to buy or conduct 
disruptive attacks online.
---------------------------------------------------------------------------
    \1\  https://www.cisa.gov/uscert/ics/content/cyber-threat-source-descriptions.

    Attacks against the K-12 system are increasing. In December 2020, 
the Federal Bureau of Investigation (FBI), the Cybersecurity and 
Infrastructure Security Agency (CISA), and the Multi-State Information 
Sharing and Analysis Center (MS-ISAC) issued a TLP:WHITE level Joint 
Advisory \2\ identifying K-12 as targets of opportunity for cyber 
actors and identified increased attacks against education 
organizations.
---------------------------------------------------------------------------
    \2\  https://www.cisa.gov/uscert/ncas/alerts/aa20-345a.

    The increase in attacks is reflected in the data around ransomware 
attacks. The 2020 Joint Advisory cited the MS-ISAC data indicating that 
``the percentage of reported ransomware incidents against K-12 schools 
increased at the beginning of the 2020 school year. In August and 
September, 57 percent of ransomware incidents reported to the MS-ISAC 
involved K-12 schools, compared to 28 percent of all reported 
ransomware incidents from January through July.'' This trend continued 
into 2021 and continues to be a significant issue going into 2022. Bad 
actors do not discriminate by location. Cyberattacks hit the biggest 
urban and suburban school districts as well as the smallest rural 
schools.

    Our K-12 schools and districts recognize the serious privacy, 
monetary, and operational significance of the cyber threats. CoSN's 
2022 Ed Tech Trends report identified cybersecurity as the top unmet 
technology need stating that even before the pandemic required schools 
to move more services online, cybersecurity has been a top concern for 
districts. In a situation where even well-funded corporations in the 
private sector struggle to address cybersecurity issues, poorly funded 
districts are at a disadvantage. One respondent called the need for 
more cybersecurity funding as ``desperate.''

    Cybersecurity is not only an unmet technology need; it is an 
organizational culture challenge. K-12 organizations are vulnerable to 
cyber actors who leverage phishing attacks and social engineering 
skills to attack school systems with ransomware and other malware or 
obtain login credentials to access and hack systems. These attacks 
exploit the helpful and service-oriented focus of school staff and 
teachers to perpetrate malicious attacks. School district technology 
leaders work to help staff and teachers recognize these tricks but 
cybersecurity education must become a more systemic part of educator 
preparation and professional development and other staff training.

    There are many cybersecurity threats facing K-12 schools. In lieu 
of providing an exhaustive list, I'll share with you the most prevalent 
threats:

    Ransomware and other malware attacks are often the most destructive 
and disruptive threat facing education. Ransomware is malicious 
software designed to encrypt files and block access to computer systems 
until a sum of money is paid. The more advanced forms of ransomware not 
only encrypt files, they also exfiltrate the files to the attacker who 
can then hold the data hostage, resell the data on the dark web, or 
collect the data for later uses that are, as yet, unknown and, in the 
case of data stolen by nation state actors, may become a national 
security threat. Just to be clear, these bad actors are stealing the 
most damaging and sensitive student, family, employee, and district 
financial data held by school districts and disseminating it to the 
highest bidder.

    The State of Louisiana experienced the devastating impact of 
ransomware in 2019 when Louisiana's Governor had to declare a state of 
emergency after a series of cyber-attacks shut down phones and locked 
and encrypted data at three of the state's school districts. \3\ The 
attack disrupted teaching and learning and ransomware response 
ultimately cost the state over $2.3 million. \4\ 75,000 students in 
Albuquerque, NM missed 2 days of school in a 2022 ransomware attack. 
\5\
---------------------------------------------------------------------------
    \3\  https://www.cnbc.com/2019/07/26/louisiana-declares-state-of-emergency-after-cybercriminals-attack-school-districts.html.
    \4\  https://www.theadvocate.com/baton--rouge/news/politics/legislature/article-caf129ae-5e62-11ea-912b-77e0d8405441.html.
    \5\  https://www.usnews.com/news/best-states/new-mexico/articles/2022-01-18/albuquerque-schools-confirm-ransomware-attack-resume-class.

    Second, education is inundated with ongoing phishing attacks 
through school district and other email systems. Phishing is an attack 
that leverages sending fraudulent emails purporting to be from 
reputable companies and organizations in order to trick individuals to 
reveal personal information, such as passwords and credit card numbers 
or send data directly to the cyber actor for example, W2 forms and gift 
card numbers. ``Phishing attacks are responsible for more than 80 
percent of reported security incidents. According to CISCO's 2021 
Cybersecurity Threat Trends report, about 90 percent of data breaches 
occur due to phishing. Spear phishing is the most common type of 
phishing attack, comprising 65 percent of all phishing attacks. The 
2021 Tessian research revealed that employees receive an average of 14 
malicious emails every year''. \6\
---------------------------------------------------------------------------
    \6\  https://spanning.com/blog/cyberattacks-2021-phishing-ransomware-data-breach-statistics/.

    Third, schools are frequently victims of distributed denial of 
service (DDoS) attacks. DDoS attacks occur when multiple machines are 
operating together to attack one target; they flood the target network, 
server or system, with traffic and illegitimate activity disabling the 
systems and making them inaccessible. As the FBI, CISA, MS-ISAC Joint 
Advisory noted, the availability of DDoS-for-hire services provides 
opportunities for any motivated malicious cyber actor to conduct 
disruptive attacks regardless of experience level, including students. 
Miami-Dade School District experienced a particularly disruptive DDoS 
attack in September 2020 that impacted the district's ability to offer 
200,000 students remote learning for the first 2 days of the school 
year. \7\ This attack was perpetrated by a 16-year-old high school 
junior. \8\
---------------------------------------------------------------------------
    \7\  https://thehill.com/policy/cybersecurity/514802-miami-dade-school-district-virtual-classes-disrupted-by-cyberattack/.
    \8\  https://www.nytimes.com/2020/09/03/us/miami-dade-school-cyberattack.html.

    A less obvious, but large threat to K-12 schools, are cyber-attacks 
against third party companies that provide essential operational and 
instructional technologies. Many K-12 school systems leverage software 
as a service providers and cloud hosted systems to deliver important 
technologies for supporting teaching, learning and the delivery of 
school services including student information systems, learning 
management systems, ERP systems for finance and human resources, and 
more. Attacks against third party services providers can result in wide 
scale outages for schools and widescale data theft or data destruction. 
Examples of vulnerable and exploited third-party tools that have 
impacted K-12 education include the 2020 SolarWinds hack, \9\ the 2021 
Log4J vulnerability that had organizations scrambling to identify 
vulnerable systems and remediate them, \10\ and the 2022 data breach at 
Illuminate Education which impacted at least 24 districts. \11\
---------------------------------------------------------------------------
    \9\  https://www.zdnet.com/article/sec-filings-solarwinds-says18000-customers-are-impacted-by-recent-hack/.
    \10\  https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance.
    \11\  https://thejournal.com/articles/2022/05/03/illuminate-education-data-breach-impacted-at-least-24-districts-18-charter-schools-in-ny.aspx.

    Additional threats include social engineering, end of life and 
unsupported software and operating systems, open and exposed Internet 
of Things (IoT) systems, video conference disruptions, website 
defacement and hacktivism, and more.

    The impacts of cyberattacks on K-12 school systems are extensive. 
Students are directly impacted by lost instructional time when schools 
are closed as a result of ransomware or other debilitating attacks. 
Successful cyberattacks damage the reputation of schools and undermine 
trust of students and parents in the ability of school districts to 
protect student data and maintain consistent services. Cyberattacks are 
a crime, yet school districts who are victimized by these sophisticated 
criminal operations face blame for the crime.

    The cost of responding to a cybersecurity incident, restoring 
systems, and providing services to impacted students and staff is high. 
In 2021, the average data breach in the education sector cost $3.79 
million. \12\ The cost per individual record lost to a data breach can 
exceed $165 per record. These costs roll over to other schools and 
districts as insurance companies raise cybersecurity premiums and 
deductibles. Cybersecurity insurance costs for K-12 are rising by 25-300 
percent with more limited coverage and high deductibles. \13\
---------------------------------------------------------------------------
    \12\  Cost of a Data Breach Report 2021, IBM Security.
    \13\  https://www.businessinsurance.com/article/20220216/NEWS06/912347780/Perspectives-New-lessons-for-K-12-schools-on-cyber-security,-insurance-cover-.

    School districts across the country are facing rising insurance 
costs regardless of whether they have had a cybersecurity incident or 
not. Not only are insurance premiums increasing, the ability to even 
become insured has now become predicated on successful completion of a 
risk assessment and implementation of specific cybersecurity 
safeguards. The costs of new cybersecurity safeguards and rising 
insurance premiums price many school districts out of the insurance 
market.

    There are individual financial and psychological impacts to staff 
and student victims of cybersecurity attacks. Individuals whose 
identities are stolen face financial hardship from the loss of their 
personal data, and students whose identities are stolen may not realize 
the full financial impact until much later. Since 2017 there has been a 
growing trend of sales of student data on the dark web. Identities of 
students who are too young to have existing credit accounts are 
valuable commodities.

    Students under 18, without existing credit accounts, have found 
themselves victims of identity theft and credit card fraud when stolen 
data is used to open accounts using their information. Often the 
fraudulent accounts go undetected until students apply for financial 
aid for college, or attempt to obtain credit for the first time only to 
discover their credit is destroyed and their finances are crippled by 
data theft from a previous cyber-attack.

    Data breaches and identity theft also result in mental health 
impacts. According to a recent survey by the nonprofit Identity Theft 
Resource Center, ``86 percent of identity theft victims reported 
feeling worried, angry and frustrated, nearly 70 percent felt they 
could not trust others and felt unsafe, and nearly 85 percent reported 
disturbances in their sleep habits and 77 percent reported increased 
stress levels, and nearly 64 percent, they had trouble 
concentrating.''

    K-12 schools and districts experience significant challenges in 
protecting themselves from cyberattack. First, school districts are not 
funded to purchase in-depth cybersecurity technologies to safeguard 
their systems and data. These technologies are expensive, and existing 
mechanisms funding high-speed internet access, such as the E-rate 
program, do not fund network defenses.

    Staffing and the ability to hire cybersecurity professionals is 
another challenge school districts face. There are not enough 
cybersecurity professionals available and school districts can't afford 
them. According to , ``Only a fifth (21 percent) of districts have a 
full-time equivalent (FTE) employee dedicated to network security, the 
same percentage as the prior year. This means that cybersecurity 
protection is a part-time responsibility in a large majority of school 
districts . . . In lieu of a full-time cybersecurity position, 
districts address cybersecurity in a variety of ways. A third (33 
percent) of districts include the responsibility as part of another 
job.''

    Today there are almost 500,000 unfilled cybersecurity positions in 
the United States, and that number is projected to increase. School 
districts struggle to find qualified cybersecurity staff who will work 
for a K-12 salary. The competition for skilled cybersecurity 
professionals also results in districts making tough choices between 
hiring one or two teachers or hiring a cybersecurity professional.

    Ensuring cybersecurity equity in education is a significant 
challenge. Every school district faces cybersecurity threats, but they 
disproportionately impact school districts with less funding available 
to staff, support, and secure their technologies. Often, rural and 
low-income schools and districts have less funding available to hire 
dedicated expert staff and keep their technology up to date, 
resulting in a higher risk of unsupported and aging systems vulnerable to 
attack.

    Recognizing the many attack vectors and challenges they face, K-12 
school systems are taking many steps to improve and expand protections 
for data and IT systems. The 2022 CoSN Ed Tech Leadership Survey 
identified the following steps being taken to protect data and systems:

          65 percent of schools and districts responding to the 
        survey focusing on IT staff training to help grow the skills of 
        their staff in the cybersecurity space. In lieu of hiring 
        trained cybersecurity professionals, districts are seeking to 
        grow these skills internally.

          63 percent are investing in end-user training which 
        can address the

          55 percent are leveraging offsite backups which is 
        the No. 1 step districts can take to be able to recover quickly 
        from a ransomware attack.

          54 percent were working with staff to upgrade their 
        passwords to expand from a basic eight-character password to a 
        stronger passphrase of at least 12 characters. Increasing the 
        number of characters in a password from eight to 12 characters 
        increases the time a supercomputer needs to brute-force crack a 
        password from minutes to centuries. \14\
---------------------------------------------------------------------------
    \14\  Firewalls Don't Stop Dragons, Fourth Edition, Carey Parker, 
Apress, p.109.

    There are additional steps that can be taken at a national level to 
help schools and districts improve cybersecurity defenses and services 
across the country.

        (1) Update E-rate's definition of firewall to encompass next-
        generation firewalls and services. CoSN \15\ filed a petition 
        with the Federal Communications Commission in 2021 requesting 
        this change. This does not require legislation and the FCC can 
        and should immediately take this action.
---------------------------------------------------------------------------
    \15\  http://d31hzlhk6di2h5.cloudfront.net/20190903/cc/f3/72/41/
228e09116606c764f2d2f2c4/CoSN-Cat-Two-Filing-Final-2019.pdf.

        (2) Encourage the U.S. Department of Education through the 
        Privacy Technical Assistance Center to expand guidance 
        materials and coordinate services across Federal agencies to 
        provide a comprehensive menu of products.

        (3) Support the implementation of Rep. Matsui's 2021 Enhancing 
        K-12 Cybersecurity Act, \16\ which CoSN has endorsed.
---------------------------------------------------------------------------
    \16\  https://www.Congress.gov/bill/117th-congress/house-bill/4005-
q=--7B--22search--22--3A--5B--22hr-3--22--5D--7D&s=1&r=64.

        (4) Fund MS-ISAC to provide their fee-based services to K-12 
        free of charge and expand staffing of their Security Operations 
        Center.

        (5) Fund university and college run Security Operations Centers 
        (SOCs). Colleges and universities are developing non-profit 
        SOCs that offer cost-effective services for K-12 schools and train 
        new cybersecurity professionals, increasing the number of people 
        capable of filling open positions.

        (6) Help schools hire expert staffing.

    Our K-12 school districts are on the front lines of protecting 
their data and systems against much larger, better funded 
organizations, and a rapidly evolving cyber threat environment. To 
borrow a quote from ``Hamilton,'' they are ``outgunned, outmanned, 
outnumbered, outplanned.'' They need access to staffing and technical 
resources to continue to securely deliver on the mission of delivering 
education.
                                 ______
                                 
                 [summary statement of amy mclaughlin]
    K-12 school districts face increasing attacks and threats. Today's 
cyber threats largely come from organized crime, nation state actors, 
and terrorist organizations.

    The most prevalent threats facing K-12 schools are:

          Ransomware attacks designed to encrypt files and 
        block access to computer systems until a sum of money is paid 
        are increasing.

          Phishing attacks that inundate education employees 
        with fraudulent emails attempting to trick them into responding 
        with sensitive data.

          Distributed denial of service attacks (DDOS) that 
        flood the target networks making them inaccessible.

          Cyber-attacks against vendors providing services to 
        multiple districts with widescale impacts.

    The impacts of cyberattacks on K-12 school districts, teachers and 
students include:

          Lost instructional time

          Damage to schools reputations

          Financial costs of cyber incidents

          Rising cybersecurity insurance costs

          Financial and credit hardships for students and 
        employees from the loss of their personal data

          Mental health impacts including anxiety and 
        depression


    K-12 schools and districts experience significant challenges in 
protecting themselves from cyberattack:

          Safeguarding technologies are expensive and the 
        leading K-12 technology funder--the E-rate program--does not 
        fund network defenses

          School districts struggle to hire cybersecurity 
        professionals. With almost 500,000 unfilled cybersecurity 
        positions in the United States, districts can't compete with 
        private sector salaries

          Digital equity is a significant challenge as 
        cybersecurity issues disproportionately impact school districts 
        with less funding available to support and secure their 
        technologies

          The addition of Internet of Things (IoT) devices to 
        networks demands additional protections

    Our K-12 school systems are taking many steps to improve and expand 
protections for data and IT systems including:

          Training IT staff in cybersecurity

          Training end-users to protect themselves from cyber 
        attacks

          Backing up data to offsite locations to facilitate 
        faster recovery from a ransomware attack

          Upgrading password requirements from a basic eight-
        character password to a stronger passphrase of at least 12 
        characters and implementing multi-factor authentication


    There are additional Federal actions that should be taken to help 
schools and districts improve cybersecurity defenses:

        (1) Update E-rate's definition of firewall to encompass next-
        generation firewalls and services.

        (2) Encourage the U.S. Department of Education through the 
        Privacy Technical Assistance Center to expand guidance 
        materials and coordinate services across Federal agencies.

        (3) Support implementation of Rep. Matsui's 2021 Enhancing K-12 
        Cybersecurity Act, which CoSN has endorsed.

        (4) Fund MS-ISAC to provide their fee-based services to K-12 
        free of charge and expand staffing of their Security Operations 
        Center.

        (5) Fund university and college run Security Operations Centers 
        (SOCs) which offer cost-effective services for K-12 schools and 
        train new cybersecurity professionals.

        (6) Help schools hire expert staffing.
                                 ______
                                 

    The Chair. Thank you very much.

    Ms. Norris.

STATEMENT OF HELEN NORRIS, VICE PRESIDENT AND CHIEF INFORMATION 
            OFFICER, CHAPMAN UNIVERSITY, ORANGE, CA

    Ms. Norris. Let me begin by thanking Chair Murray, Senator 
Cassidy, and the Members of the Committee for the opportunity 
to address you on this important topic. I am Helen Norris, the 
Chief Information Officer at Chapman University.

    As the CIO, I oversee all technology for the institution, 
including our cybersecurity practice. Chapman is a mid-sized 
private university in Southern California with about 10,000 
students. However, I have worked across a variety of 
institutions since 1997, including the University of California 
at Berkeley and the California State University.

    Through my experience at these three universities, I have 
observed the cybersecurity threat landscape change over the 
years. When I arrived at Berkeley in 1997, we did not even have 
one IT professional that worked in information security.

    Now, many colleges and universities have cyber--have large 
departments, have entire departments to deal with the threats 
that we face. We must defend against a variety of threats, 
including ransomware, phishing, hacking, and social 
engineering. We manage sensitive student financial and employee 
data.

    Universities that include medical centers and teaching 
hospitals have even greater challenges in managing personal 
health information for individuals. Our systems have grown into 
complex environments that include large data center and 
growing--large data centers and a growing set of third party 
partners.

    The scope and intensity of our operations presents 
challenges to keeping them secure, and we know that bad actors 
are always looking to turn our difficulties into their 
opportunities. As I describe cybersecurity challenges, however, 
I do want to note that higher education is not monolithic. 
There are approximately 6,000 institutions across the country 
and there is incredible variety among them.

    The challenges related to cyber security differ across 
types of institutions, but there are some common themes. First, 
addressing cybersecurity threats is expensive. Investment in 
this area varies depending on the type of institution.

    A large research university or one with a medical center 
might employ a good sized cybersecurity department. But a 
smaller university or a community college with more financial 
limitations will be challenged to do so, even though they must 
protect sensitive student data in a similar way.

    Second, the complexity of this work is enormous. New 
threats emerge with alarming speed, and we must pivot to 
address them as they arise. The challenge is not just for our 
information security professionals. Cybersecurity threats 
impact our entire community. In higher education, we often say 
that cybersecurity is everyone's job, as we all face threats of 
ransomware, phishing, and hacking.

    Institutions are also challenged by the increasing number 
and complexity of cybersecurity regulations, which generate 
costs that draw resources away from managing risks. My peers 
and I would welcome the chance to work with agencies to 
standardize and streamline requirements so we can focus our 
limited resources on maximizing cybersecurity. While the 
challenges we face are real and complex, higher education is 
sophisticated in cybersecurity threat mitigation and 
protection.

    As noted, most institutions have added resources in this 
area to directly address risks. Our teams protect our networks 
and our systems in a variety of ways. Some of these involve 
technical measures like firewalls, encryption, and network 
segmentation. But much of the work these groups do is outreach 
to our community. Many security incidents occur when an 
individual falls into a trap set by a hacker.

    A large part of our work is an education--is educational, 
ensuring that our students and others have the tools that they 
need to protect themselves. Colleges and universities also 
address cybersecurity by combining our strength through 
collaboration to protect the entire ecosystem. We share 
information on new threats, best practices, and community 
sourced tools.

    We also work closely with partners in Federal and state 
agencies, particularly the FBI and CISA. Institutions want to 
continue to build upon our response to the threats that are out 
there, and we see partnering at the Federal level as critical 
to that. We encourage continued and growing collaboration 
between our community and Federal agencies.

    We also welcome ongoing dialog with this Committee as it 
considers further the cybersecurity challenges and 
opportunities we face. We believe that engagement and 
partnership with colleges and universities will help ensure 
effective approaches to bolstering cybersecurity.

    With that in mind, I encourage you to reach out to colleges 
and universities in your states so that you can hear directly 
from them about their experiences and what would most help them 
to succeed in this critical area.

    In closing, I want to thank you again for giving me the 
opportunity to address you, and I look forward to your 
questions.


    [The prepared statement of Ms. Norris follows:]
                   prepared statement of helen norris  
                   
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
                   

                                 ______
                                 
                  [summary statement of helen norris]
    Cybersecurity presents numerous challenges to the higher education 
community and our students, faculty, patients and staff. Universities 
manage complex environments and sensitive data, and need to defend 
against threats in the form of ransomware, hacking, phishing and social 
engineering. This presents numerous challenges as outlined below:

          The cost of protecting our universities against 
        cybersecurity threats is very high;

          The threat landscape is complex and ever-changing and 
        the tools needed to manage threats are constantly evolving;

          Ransomware incidents or breaches are disruptive and 
        expensive;

          We have a complex regulatory environment that 
        introduces additional complexity.


    Universities protect their students and communities from these 
threats by:

          Utilizing sophisticated technical tools to protect 
        our systems and networks;

          Educating our communities to be on the alert for 
        cybersecurity risks;

          Working together to share information and best 
        practices;

          Working with Federal agencies to stay up-to-date with 
        new threats; and

          Preparing for the worst by preparing and exercising 
        incident response plans.


    In summary, it is important for universities to take a multi-
layered approach to managing cybersecurity risks.
                                 ______
                                 

    The Chair. Thank you all for your really excellent 
testimony this morning. We appreciate it. We will now begin a 
round of 5 minute questions, and I ask my colleagues to keep 
track of the clock and try and stay within those 5 minutes.

    During the COVID-19 pandemic, we have really seen a 
significant increase in cyber-attacks, particularly ransomware 
attacks on critical infrastructure here in the U.S. And those 
attacks are increasingly professionalized, and oftentimes they 
are either sponsored or supported by foreign actors like China 
or Iran or Russia.

    A cyber-attack, as we have talked about, on health care or 
education, can have a devastating impact on safety and well-
being of patients and students and communities. So I want to 
start with this basic question, Mr. Corman. What is driving 
this increase in cyber-attacks and how can we better prevent 
and monitor them?

    Mr. Corman. I will try to be brief, but there is more 
detail in the written testimony. But for now, there has really 
been a ransomware revolution. It used to be that Dillinger 
quote, why do you rob banks? That is where the money is. And 
most attacker adversary focus on the Fortune 100 or Fortune 500 
for funds, for things that could be sold, intellectual 
property.

    The revolution here both fueled by Bitcoin making the 
payments easy, but more importantly, the unavailability of 
whatever is important to you can be monetized for the 
adversary. So everyone and anyone is a target because you are 
in business or you are a health care institution or a 
university or an educational foundation, you need to function. 
So that unavailability became universally monetizable.

    The other problem is you--when you get away with something, 
you keep doing it. And when you are rewarded with financial 
payment, you keep doing it. So we funded their R&D to come back 
at us harder and harder to the point where something that may 
have been manageable and deterrable is now nearly unstoppable.

    It is a business model, some ransomware as a service with 
highly professionalized multi-party coordination. So we have a 
fairly significant problem where their bold actions went 
unchecked long enough and things that used to be off limits, 
like designated critical infrastructure--a cyber-attack on 
designated critical infrastructure is technically an act of war 
when perpetrated by a nation state.

    The state tolerated and sometimes state directed, have 
flirted up to and across lines that we need to reestablish. 
That is more than just the job of Congress here, but we have 
allowed and tolerated the intolerable. And unless we do 
significant things both against the adversaries and to shore up 
minimum hygiene for the defenders, we should expect more of 
this.

    The Chair. Anybody else want to add to that at this point? 
Okay. Well, I think that was pretty clear. And I appreciate 
that input. Let me go to this, we have seen cyber-attacks 
target hospitals across the country. From the largest to the 
smallest health care system, these attacks have really 
undermined the care for tens of thousands of patients in my 
state alone but more across the country.

    Protecting patients from cyber-attacks requires significant 
investment in both technology and expert staff by hospitals and 
other facilities. How can the Federal Government help to 
strengthen cybersecurity across the health care sector, 
including actually for our rural or low income communities that 
have a lot fewer resources? Mr. Corman, if you want to start 
with that, and we will go from there.

    Mr. Corman. I am sure Denise will add. I call these 
organizations target rich, but cyber poor. They lack the 
resources to do minimum hygiene. There are significant Federal, 
available Federal services, and I added more while I was at 
CISA.

    There is a free cyber hygiene scanning service that can 
assess your remote attack surface and tell you if you have 
vulnerabilities. I think one of the big challenges is we don't 
have sufficient reach to these cyber poor. They don't 
participate. They don't have CISOs yet. They don't participate 
in ISACs or information sharing groups. They don't know what 
CISA is or who is who in the pantheon of the Federal Government 
and when to work with HHS versus CISA versus someone else.

    We have an awareness and adoption gap, but once we do 
engage them, I have tried to find fit for purpose things that 
can meet them where they are at their current skill level with 
empathy and give them a crawl, walk, run.

    The Chair. Ms. Norris, maybe you can talk to us about what 
the Federal Government can do with the higher education within 
them to help support under-resourced institutions to secure 
their IT systems.

    Ms. Norris. Thank you. I do agree that expanding the tools 
that are offered by organizations, by agencies like CISA and 
the outreach to those more under-resourced universities and 
colleges would be excellent. In addition, perhaps we could see 
more tools that are more focused on higher education through 
agencies like CISA.

    For example, the FBI has the campus security program and 
rolling that out, more awareness of that could be helpful. I 
also think that for institutions that are, have fewer 
resources, simplifying the regulatory environment is extremely 
critical, too, so that they can point their limited resources 
in the most effective ways.

    It would also be helpful if there were some solutions to 
address the lack of affordability of cyber insurance for under-
resourced universities. Actually, for everyone. The cost of 
cyber insurance and the availability is a problem, is a 
challenge for all of us, but it hits under-resourced 
institutions much more--in a much more impactful way.

    Finally, it is something that we do and that we could 
hopefully get more engagement at the Federal level, I have 
heard some of the other witnesses talk about this, using 
Federal work study programs. We have had great success in 
bringing our students into our cybersecurity practice.

    More engagement of our students in our universities can 
benefit all of us. And I know that I myself at Chapman and at 
other universities have made great use of that work study, for 
example, to help fund student engagement in this area.

    The Chair. Thank you very much.

    Senator Cassidy.

    Senator Cassidy. I am going to defer to my colleague, 
Senator Tuberville.


    [Technical problems.]


    Senator Tuberville. There we go. Thank you very much. 
Thanks for being here today. This is a great topic. I come from 
education, and we are behind in a lot of things, and this is 
one that is dear to my heart. I just had a son graduate from 
college in cyber and I was shocked how many people tried to 
hire him because we have a huge shortage.

    I was a little skeptical four or 5 years ago, really 6 
years ago, he was on the 6-year plan of him getting involved in 
this. But my goodness, we have overlooked this problem. It is 
going to get worse and worse if we don't address it, especially 
on the state and in the higher education levels.

    But Mr. McLaughlin, what can we do to encourage our younger 
kids, and how--what kind of programs can we put into our 
elementary schools to enhance young people to really get 
involved? They are all into video games and all that. That is 
totally different. I mean, this is something we have got to get 
them involved in.

    Ms. McLaughlin. I think that is a wonderful question, 
Senator. There are all kinds of opportunities to bring students 
in early. And I think that this becomes part of creating a 
culture of cybersecurity and cyber safety in schools.

    First off, we don't necessarily train students like we do 
for other safety issues from early on. We all know look both 
ways before you cross the street, put your seatbelt on when you 
get in the car. But those kind of integrated messages about 
cyber safety need to be built into the messaging that students 
get.

    On top of that, we have opportunities to build a pipeline 
of students who want to grow into these kind of professions 
later on by involving them and offering them opportunities like 
cybersecurity camps, cybersecurity courses.

    I want to point out, it is really important that computer 
courses include cybersecurity as a pathway and are focused on 
actually how the technology works, not how to type, which has 
become a challenge in some spaces--lack consistency in what is 
offered.

    Then there are some wonderful competitions that actually 
are offered at the Federal level for students in K-12 education 
and in higher education on what can they do to prevent hacking 
and demonstrating their skills.

    Involving students and participating in that is really 
critical for evolving that incoming workforce and having 
opportunities to work in those spaces once they get to higher 
education, whether they are at a community college or a 
university.

    It is a really great opportunity when we can fund, as Ms. 
Norris was mentioning, security operations centers and 
opportunities for students to develop their skills.

    Senator Tuberville. Thank you. In Huntsville, Alabama, we 
have got a new school that started over the last few years, and 
it is called the Alabama School of Cyber. And what they do--
this is from 9th to 12th grade.

    They take the top students from all over the state, rural, 
urban, and they bring them to Huntsville, and they train them 
in cyber. And of course, Huntsville is a missile defense 
agency, NASA, 600 defense contractors, huge. FBI is moving all 
of their cyber security to Huntsville, and they need more 
people.

    They see up front that they are going to need this. Do 
we need to start doing something like this, Ms. Norris? Can you 
visit with me on that? All states?

    Ms. Norris. One thing I would like to just add to what Ms. 
McLaughlin said is that, and I heard Chair Murray refer in her 
comments to the digital divide. So I think as we want to bring 
more and more students, both from K-12 and higher education 
into cybersecurity, we need to make sure we continue to address 
that digital divide.

    I think in terms of what you just described at Huntsville, 
we do see centers of security excellence, whether it is at the 
Federal level or a corporate level across different states. But 
I think in this new working world where people are working from 
everywhere, we probably have to think about ways that we can 
infuse security into a more globally diverse workforce, or 
nationally diverse workforce, as well as centers where 
cybersecurity is physically located. And that is one of the 
challenges that we have.

    Senator Tuberville. Yes. It takes a special person to get 
in this type of field. And, I would like to see in the future 
our higher educational institutions that accept state and 
Federal funding get into cyber more. I mean, we are going to 
need that. I mean, it is National Security.

    When we are 400,000 or 500,000 short in people to do these 
jobs this world is getting more dangerous as we speak in terms 
of just anything that people can do to us, our water systems, 
our grids, and all those things over the years, so. Thank you 
all for being here today.

    This will be a great hearing. And again, we are pulling for 
everybody to start understanding where we are at and why we are 
at--why we are at this spot, and we need to get better. So 
thank you very much. Thank you. Thank you, Senator Cassidy.

    The Chair. Thank you.

    Senator Baldwin.

    Senator Baldwin. Thank you, Madam Chair. And thank you, 
Senator Cassidy, for jointly bringing our attention to this. I 
recently helped to introduce the bipartisan Protecting and 
Transforming Cyber Health Care, or Patch Act, with my 
colleague, Senator Cassidy.

    This legislation is aimed at helping protect patients from 
ransomware by implementing critical cybersecurity requirements 
for device manufacturers. And it would allow manufacturers to 
develop and maintain processes to update and patch devices 
throughout the life cycle.

    Mr. Corman, you anticipated my first question in your 
testimony when you were talking and in your answer to a 
previous question when you were talking about the significant 
amount of research that shows how ransomware attacks constrain 
hospitals and ICUs, etcetera, leading to excess deaths.

    I want to take my question in a slightly different 
direction, because while I am really proud to sponsor this 
legislation, it always helps me to get a more granular view of 
what devices are at risk of being hacked or being manipulated. 
You showed us a pacemaker. You talked about insulin pumps.

    I am curious to know whether part of our strategy might be 
to make smart devices into dumb devices. We famously have a 
colleague on the Democratic side of the aisle who uses his flip 
phone just because it is safer than our iPhones and Androids.

    But what about diagnostic and treatment devices in 
hospitals? Can they be manipulated? What about--anyways, open 
that up and give us some more granular examples and whether 
bringing some of those offline might be actually more helpful 
to patient, good patient outcomes.

    Mr. Corman. I appreciate the question. In the Patch Act, I 
should mention as I prepared my remarks, I called some of the 
worst victims during the pandemic and said, what are your top 
three to five things you would want Congress to know? And one 
of them, one of the biggest victims, said, all five of my top 
five are, I need the Patch Act.

    His point was, they never want what happened to them to 
ever happen again. And as they have taken a much closer look at 
their attack surface and their exposures, it is the unsupported 
software, the hardcoded passwords, the supply chain of devices, 
whether they be medical or just normal technology.

    He can't defend that indefensible kingdom, so he wanted me 
to express his, I think he said I am dying of thirst and that 
is the water I need to wear. To your more specific question, 
pretty much all technologies, even 5 years ago I want to mark 
Thursday was the 5-year anniversary of WannaCry, the most 
devastating attack on health care in the world at the time and 
mostly hit the UK.

    I remember it because we were also issuing our report to 
Congress for our 405c on the same day and it got delayed by 3 
weeks. In that, we pointed out that a typical medical 
technology has over 1,000 known vulnerabilities or CVEs, and it 
only takes one. During the pandemic, we saw even different 
types of technologies that could bring down either patient care 
in an acute sense.

    One was a radiation delivery machine that had a heavy 
dependence on the cloud. So you had this incredible 
multimillion dollar, expensive piece of gear that does its 
function but can't calculate how and where to precisely deliver 
radiation. So for several weeks, you could not deliver time 
sensitive cancer treatment. So the Internet of Medical Things 
is going to be everywhere.

    It is our electronic medical records. I try to focus people 
in a practical sense, moving more quickly to some of the things 
that later in my testimony, these pragmatic security steps, 
these are the most dangerous practices. Instead of just 
referring to best practices, I got CISA to publish something 
called cisa.gov bad practices.

    There are currently three, I think there is about to be a 
fourth, but these are the use of unsupported and end of life 
software in service of national critical functions and critical 
infrastructure is dangerous, especially egregious for internet 
facing. So I try to focus these target rich, cyber poor on 
their internet attack surface, the things reachable from the 
outside.

    I look for things like unsupported software, hardcoded 
fixed passwords, and that is really the place to start. This 
should start to become the definition of negligence.

    Senator Baldwin. Thank you. I fear I am not going to get a 
full, another question in, but let me just plant a seed. I have 
some real concern about the third party apps that aren't 
covered by HIPAA and how we go about striking the right balance 
between access to data and efforts to protect innovation and 
security.

    Ms. Anderson, I was going to ask you to elaborate on that. 
I am already out of time, and our Chair has cautioned not to 
exceed the time. So maybe we will get a second round, or I will 
submit it for the record afterwards.

    The Chair. Okay. Thank you very.

    Senator Cassidy. I will let Senator Braun go in my place 
right now.

    Senator Braun. Thank you. Thank you, Madam Chair. What I 
have heard most about not only on cybersecurity, but across the 
spectrum of workforce and enterprise is, how do we train 
individuals to actually be ready to take on the new landscape 
of jobs out there?

    Running a company in a very low unemployment area prior to 
when I got here, I was shocked at how little is being done in 
the, let's say, middle school through high school time, 
guidance in directing so many students, and a lot of times with 
parents okay with it, but into areas that--you are not 
necessarily going to benefit with a 4-year degree if it hasn't 
been guided well.

    Half the kids that pursue it don't end up with the degree, 
have got time lost, and debt incurred. We need to do better. 
And in cybersecurity, since it is something that we talk a lot 
more about now than we did 10 years ago when I was actually 
grappling with that, I think the underlying issues are the 
same.

    My question will be for Ms. McLaughlin. Do you think that 
in middle school and especially high school, are we doing the 
things that would prepare kids for cybersecurity career? And I 
would like your opinion on whether a 4-year degree is necessary 
for the bulk of the jobs that would be in the field, because it 
would be instructive, because it is the same issue I hear 
everywhere.

    I might add that a third of the kids that get a 4-year 
degree end up back in the basement because it was poorly guided 
and there is no market for it. Here at least it looks like 
there is a strong market for it. Tell me a little bit about 
whether it is working well, pre, post-secondary education, and 
what is needed to be successful to fill the job.

    Ms. McLaughlin. All right. Well, Senator, that is a really 
complicated question so I will do my best. On the middle school 
and high school level, and now, remember, we have 50 states 
plus territories. They all have their own school board 
governance processes, so it is difficult to extrapolate across 
the board.

    But my observation is that curriculum content to cover 
issues around cybersecurity and training and development of 
those skills is not up to speed with the threat that we face.

    Now, of course, there are exceptions and there are like 
charter schools or magnet schools, focused schools, and 
programs that do exceptionally well in this area. But across 
the board, I would say that we struggle in this area to get 
consistent training and education for students in middle and 
high school, and also to make sure that people are aware across 
the board that this is a really good career opportunity.

    Now, your question about the value of a 4-year degree and 
the educational component for cybersecurity. I think that there 
are actually a couple paths in the higher education space that 
I want to point out. There are a number of 2 year associate 
degree programs at community colleges, as well as 4 year 
university degree programs that focus on cybersecurity.

    They both have their own value ads depending on the 
program. And I would say that the combination of the degree 
plus experience working in a program where you are developing 
actual hands on skills is extremely valuable.

    The degree focus is on the theory and the application, and 
then the actual practice comes from that hands on work 
experience. Those people often don't actually make it to 
graduation in a 4-year program because they are getting 
recruited away faster than people can get through the program.

    Having said that, there are a lot of people who find 
alternative pathways. I would say that developing skills in the 
U.S. Armed Services, developing skills through training and 
certification programs, are also very viable paths for 
developing cybersecurity professionals.

    Senator Braun. It is a complicated question and a difficult 
answer, and I certainly wouldn't suggest that we should 
commandeer it from here. That is the bailiwick, I think, of the 
states. It might draw your attention.

    I watched with interest Sunday morning, this past weekend, 
and the ex-CEOs of Merck and IBM basically said exactly what I 
just said. And they are 15 years later and when I was grappling 
with it in running my own company.

    I think that given the time, the cost, it is just good for 
the spectrum of opportunity to make sure we are not waiting to 
be trained solely until you get out of, I think, that most 
instructive period when you are in high school. Thank you.

    The Chair. Thank you.

    Senator Hassan.

    Senator Hassan. Well, thank you, Chair Murray. And thank 
you again to our witnesses for being here. Mr. Corman, I want 
to start with a question to you. You have pointed out how 
dangerous cyber-attacks can be to the health and safety of the 
public.

    In your written testimony, you stated that cyber-attacks on 
hospitals and health care settings can lead to additional 
patient deaths, and that the impact is not limited to just the 
health care setting directly affected but also in the 
surrounding region.

    As you know, over the past few years, ransomware has shut 
down several hospitals and health care settings in and around 
New Hampshire, including the University of Vermont Medical 
Center and Coos County Family Health Services. You were working 
remotely in New Hampshire forces at the time. Can you speak to 
the impact that you saw of these attacks on the health 
generally of Granite Staters?

    Mr. Corman. Sure. The excess deaths were really correlated 
to ICU strain, irrespective of cause. The top two contributors 
were not cybersecurity. They were people reluctant to try to 
seek medical care, introducing self-delay, and then the 
inability to get seen in a timely manner when they did.

    The question we asked is, can cybersecurity make it worse? 
And we were able to use data science to measure that yes, it 
can. Just anecdotally, many of those affected systems in our 
neighboring state of Vermont, a lot of those patients were 
redirected and absorbed in the institutions in your own state.

    I just heard a very sad story yesterday of a cybersecurity 
professional in New Hampshire whose mother needed an ICU bed. 
There were none within a 50 mile radius. She had to be treated 
less attentively in the E.R. and subsequently passed away. Now, 
this is not this hack, this person who did this. It is that we 
have finite capacity in our systems, especially during a 
pandemic.

    With the mass exodus of health care workers, any elective 
strain, preventable, avoidable strain like 4 weeks of downtime 
for oncology and other things--there is an incredible case 
study. They were very transparent about the impacts to their 
oncology program and how those were pushed to surrounding 
states. There is only so much capacity and when we are cavalier 
about avoidable, preventable harm, it has consequences.

    Senator Hassan. Thank you. I want to give each of you an 
opportunity to drill down a little bit on something you started 
to discuss in response to a question from Senator Murray. The 
Department of Health and Human Services, the Department of 
Education, CISA make more--make many affordable and often free 
cybersecurity resources available to the health care and 
education sectors.

    However, as you discussed, smaller health care settings and 
school districts that would benefit most arguably from these 
resources are often just unaware that the resources exist and 
what the benefits are. So to each of you, in your experience, 
how effective is the outreach from the Federal Government to 
smaller entities?

    I am really asking about the Federal Government's outreach 
and how we can improve that outreach so that these smaller 
entities really know what is out there and can actually connect 
and get some of this help. And why don't we start with you, and 
we will go right down the line, Ms. Anderson.

    Ms. Anderson. I believe education is one of our biggest 
obstacles as far as the public knowing what services are out 
there for them to use. The Health ISAC, for example, in health 
care and many of the ISACs offer a lot of free services.

    As I mentioned, the Sector Coordination Council also has 
free publications as well as we push all the CISA products and 
the HHS products as well. And so, I am going to use an example 
from financial services when I was with the financial services 
ISAC.

    Treasury was very supportive of the financial services 
ISAC, and they actually proposed that as part of the checklist 
and the audits that were done against financial firms, that 
they belong to a sector ISAC or that they use products and 
services from the sector. And they--it was like a tsunami.

    We called it a tsunami because people became aware of that 
and started joining the ISAC. And so there are a lot of ways I 
believe--I don't believe it is effective right now, but I do 
believe that if we can educate, that would be a huge great 
thing to do.

    Senator Hassan. Thank you. And we will go right down the 
line, and I will ask each of you to be pretty quick.

    Mr. Corman. Very briefly. It has to be fit for purpose. The 
kind of information that an expert CISO in the ISAC needs is 
going to be much more sophisticated than someone who is brand 
new to this. So a lot of this target rich, cyber poor, 
pragmatic security suite. We do need to let them know CISA 
exists, how to work with the various parts of the Federal 
Government, and then make sure the advice we are giving is 
applicable.

    Senator Hassan. Right. Thank you.

    Ms. McLaughlin. I think fit for purpose is a really good 
point. Most of our, 65 percent of our school districts have 
2,500 students or less across the country. So having a person--
having the person be able, who knows that there is a resource 
out there for them to use becomes a challenge.

    I think one of the challenges, for once you get further--
the further West you get is also--having somebody from MS-ISAC 
who is that point person for a region who can help people 
connect to the services that they need and understand why they 
need them.

    Senator Hassan. Thank you, and briefly, Ms. Norris.

    Ms. Norris. Thank you. I would echo what my colleagues have 
said and encourage Federal agencies to continue to use the 
associations of ISACs and in higher ed groups like EDUCAUSE and 
also internet to get the word out.

    Senator Hassan. Great. And I will follow-up with questions 
on the record, because I think that we could have some more 
specific coordinating council just aimed at K through 12 and 
education sector so that they could have their own special 
assistance. Thank you.

    The Chair. Thank you.

    Senator Cassidy.

    Senator Cassidy. Thank you, Madam Chair. First, Mr. Corman, 
thank you for your endorsement of the Patch Act, doing with 
Senator Baldwin.

    Just thank you for that. You make an incredibly compelling 
case. Not to make light of it, but my staff made this kind of 
funny sort of thing under a hack, and it shows this kind of 
increasing incidence from Health and Human Services of the 
amount of hacks that are occurring from 35 percent in 2016 to 
22 percent now in terms of information breaches.

    I say that because we see it coming. It has been happening. 
Unfortunately, none of the solutions that we are talking about 
today are kind of real time. They are like, let's make the 
investment for the future when we can see the trend, which is 
occurring now, both in the schools, upper and lower, as well as 
in the health care system. So I use that to frame the following 
discussion.

    When I read about the poor, cyber poor and I am looking at 
Ms. McLaughlin and probably you, ma'am, as well, there is 
probably universities that are cyber poor because their 
resources are poor.

    If there is such a shortage of people to do it, it is 
difficult to get someone. I think at the elementary school in 
which I attended. Now, the school system may have it, but not 
the school. But does therein lie a potential solution?

    Mr. Corman, in terms of cyber vulnerabilities, what are the 
main differences between an on premise facility as opposed to a 
cloud based system?

    Mr. Corman. Well, there is many ways to answer that. But 
one example----

    Senator Cassidy. Try to do it succinctly.

    Mr. Corman. Yes. The most--the one that immediately comes 
to mind is Microsoft Exchange is like the most popular email 
server that you could use on premise and people try to deploy 
it, harden it, patch it, maintain it. Unfortunately, even 
though theoretically you could take better care of your own 
server, we have found that cloud hosted email servers are much 
better maintained----

    Senator Cassidy. Let me stop you. So if I go to my cyber 
poor hospital, and maybe I will ask about a cyber poor in 
university and school, it seems like--it may be difficult for 
them to get a cyber expert, but if they put it in the cloud, 
you would get the experience and the whatever of the experts 
who are doing the cloud based system. Is that a fair intuition?

    Mr. Corman. There are efficiencies for hardening and 
security from outsourcing to expertise often in the cloud. It 
is not inherently riskier or better, but it seems to be less 
mistakes made----

    Senator Cassidy. Well, it seems like it is going to be 
inherently safer because you just have the expertise which is 
concentrated in wherever the person wishes to live, as opposed 
to kind of walking around to your neighborhood and doing it if 
you live in a small, rural neighborhood.

    Mr. Corman. One of the top ways to reduce risk is to reduce 
complexity. So it is not always defending indefensible things, 
it is having more defensible, simpler infrastructure.

    Senator Cassidy. What is a relative expense cloud based 
versus a premise based system?

    Mr. Corman. It will vary, but one idea I did suggest during 
my time at CISA is that we subsidize and fund that migration 
into cloud hosted, more secured, better maintained 
infrastructure.

    Senator Cassidy. Just like we once gave increased 
reimbursement on Medicare for people to adopt an EHR, a 
paradigm could be increased reimbursement for Medicare for 
people to migrate their system from an on premise to a cloud 
based?

    Mr. Corman. Yes. A report 5 years ago had a cash for 
clunkers suggestion for the most dangerous and egregious 
technology to be modernized.

    Senator Cassidy. Yes. Now, Ms. McLaughlin, would you--is my 
intuition correct that we have a lot of school systems that 
could do better with a cloud based versus a premise based?

    Ms. McLaughlin. We have a lot of school systems that 
already--yes, Senator. We have a lot of school systems that are 
already in cloud for a lot of their services. And then that 
leaves them with a few challenges in the cyber space, which is 
protecting and defending the large abundance of endpoints and 
ensuring that their cloud service providers are----

    Senator Cassidy. Now, just stop for 1 second. That is 
actually cyber hygiene, I think is the terminology as opposed 
to cybersecurity, correct?

    Ms. McLaughlin. Yes. Well----

    Senator Cassidy. They are connected but still it is 
hygiene, right?

    Ms. McLaughlin. Yes. And knowing what is happening and 
being able to respond to incidents, but also those endpoints 
become a gateway to potentially damage your cloud resources. So 
there are advantages to being in the cloud----

    Senator Cassidy. But I am assuming the cloud has the ability 
to create cul de sacs in which somebody can't penetrate the 
whole because they are kind of walled off, correct?

    Ms. McLaughlin. If you properly engineer your cloud 
services to be split up based on roles and responsibilities and 
that you don't have an attacker who has figured out how to 
traverse across the----

    Senator Cassidy. But that is the role of the cloud based 
service, not of the small elementary school in the rural town?

    Ms. McLaughlin. Correct.

    Senator Cassidy. Yes. That is my point. It seems that--and 
one more thing, let me ask. It also seems, I have read about--I 
am out of time.

    The Chair. You can finish. Go ahead.

    Senator Cassidy. Okay. About federated systems in which 
there is not a central repository of data, but rather there is 
a central point which then reaches out into a federation of 
hospitals or schools.

    If you wish to look at something in aggregate, you pull it 
up and then you put it back. Sounds like a game that you would 
play in elementary school. But I assume that in a cloud based 
system that could similarly be allowed because you would have a 
wall here and a wall there and you would be federating within 
the system. Is that again a--Mr. Corman?

    Mr. Corman. The cloud native innovators tend to do a much 
better job at distributed, immutable, ephemeral segregation, 
separation like you are describing. It is not guaranteed, but 
they seem to be doing it better.

    Senator Cassidy. Then to summarize, maybe if we want to do 
something relatively quickly, it would be to somehow increase 
funding for entities out there in order to migrate from the 
premise to the cloud and to put in a strong cyber hygiene 
program at every level. Ms. McLaughlin?

    Ms. McLaughlin. I do think that would be extremely 
beneficial.

    Senator Cassidy. Timeline for that completion could be much 
shorter?

    Ms. McLaughlin. I wouldn't hesitate to guess on the 
timeline for that completion, given the heavily distributed 
nature of these systems.

    Senator Cassidy. All involved is Congress to pass a law. 
That is very easy. So anyway, I yield. Thank you.

    [Laughter.]

    The Chair. Senator Hickenlooper.

    Senator Hickenlooper. Thank you, Madam Chair. And thank all 
of you for taking the time today. So illuminating. I had to go 
to another meeting, but I was watching in my office. I remember 
when President Obama was finishing his last year, he gave a 
commencement address at the Air Force Academy.

    I went down when I was the Governor, and we ended up having 
lunch together in the training room. But in that lunch, I asked 
him after 8 years as being President of the United States, what 
kept him up at night, what was the single thing that most 
concerned him, and he said cybersecurity, especially the way it 
would interface with things like health care that were 
absolutely essential to our Country.

    Which was interesting because I would come back on a trip 
to Israel and saw how their cybersecurity industry was so 
connected to their military and so connected to their 
universities, and that people would come out of the military, 
and go work in a business, then go to study and then teach.

    We set up something called the National Cyber Security 
Center in Colorado Springs just because we have Northern 
Command, NORTHCOM, and Space Command, lot of intelligence 
there, a lot of retired military officials. And I think that 
building, that citadel toward cyber resiliency and awareness 
and training and education, just what all of you guys are 
doing, was one of the most rewarding things I did in the entire 
time I was in office.

    I love, especially love the term, I am cavalry, 
Iamthecavalry.org, has got to be one of the best names. I wish 
we could have thought of that. Anyway, this notion of how much 
there is to do, and I start with Ms. Anderson. How can the 
Health ISAC work within the National Cyber Security Center or 
all the other Federal level groups to provide sector specific 
guidance?

    Ms. Anderson. We do that every day, actually. We work very 
closely with CISA and HHS and FDA, as I mentioned in my 
testimony. We do have weekly meetings where we are looking at 
issues facing the sector and we are addressing them and trying 
to figure out what is the best way to handle whatever the 
situation is.

    We are partnering very closely with them. Also, another 
thing during the whole Ukraine, Russia tensions, we have been 
part of all of the briefings that have taken place. And then we 
have foot stomped those messages out to our members and the 
public writ large about things that they need to really be 
paying attention to.

    Senator Hickenlooper. Right. Good. We, like everyone, have 
experienced devastating attacks and especially ransomware 
attacks. You had 5 years of records taken from the Parkview 
Medical Center down in Pueblo. Last year, we--one of our 
universities refused to pay the ransom of $17 million ransom 
when they were hit by the Accellion data breach.

    When colleges and universities are attacked and hospitals 
are being attacked with sensitive data like health information 
and visa status, Social Security numbers, I guess, and Ms. 
Norris I ask you, why is it so critical that we don't pay these 
ransoms?

    Ms. Norris. I think when a ransom is paid, there is no 
guarantee that you are, a, going to get your data back, 
although there are some stats that show about, I think, 68 percent of 
the time it does come back.

    In addition, there is no guarantee that your data won't be 
published. And that is another, I think aspect of ransomware, 
that while the operational disruption is really critical and 
really impactful, there is also the threat of releasing that 
data out into the dark web and for it to be misused.

    I think that it highlights the need to be prepared for a 
ransomware attack to do the things that we need to do, have a 
good backup, have a plan, test the plan, test the plan before 
you get a ransomware attack, don't do it the first time when 
somebody is asking you for a ransom.

    I think that is the critical way to go. It is so disruptive 
because it impacts the operation and the timing is always--they 
know when to time it, right. So they time it at a university at 
a time of admission or final exams so that it has the worst 
impact and that they will be more inclined to pay ransom.

    Senator Hickenlooper. The only way to deal with it is be 
prepared. I agree completely. Mr. Corman, real quickly, just 
because I am almost out of time, we have a large campus of NIST 
in Boulder, Colorado, and they are currently in the process of 
updating the framework for improving critical infrastructure 
cybersecurity.

    While this guidance is voluntary in the private sector, it 
is a critical resource for companies that are looking at how 
they can protect themselves. Given that health care has been 
deemed a critical infrastructure sector, how could NIST best 
tailor the updated guidance to meet the evolving cybersecurity 
needs of health care systems.

    Mr. Corman. The NIST framework is nearly a decade now and 
voluntary. And the recent OIG report showed very little 
adoption. So it is unnecessary and insufficient.

    I think you have seen some excellent work from the 405c in 
the joint working group in the ISAC and the Sector Coordinating 
Council, attempting to give that sector fit for purpose advice 
on how to do it. People do things when they are incentivized to 
do them and a decade later with voluntary, the adoption is 
quite low.

    Even where it is, it is amongst the haves, not the have 
nots. I think we need carrots and sticks. If we are going to 
offer safe harbors, they should be tethered to an attestation 
about your current state of practice against such a framework 
tool that isn't being used, did not realize its potential.

    Senator Hickenlooper. I couldn't agree more. Thank you. I 
am out of time, but I will have questions for each of you that 
we will filter through the appropriate channels. I yield back 
to the Chair.

    The Chair. Thank you.

    Senator Casey.

    Senator Casey. Chair Murray, thanks very much for having 
this hearing. I wanted to pose two questions to Ms. Anderson 
and one to Mr. Corman. Ms. Anderson, I want to start with the 
center that you lead.

    The question is about data and tracking data. Does the 
center track data on negative patient outcomes that result from 
cyber and ransomware attacks? That is one question. No. 2 is, 
what are the challenges in collecting the data and how can that 
data be useful?

    Ms. Anderson. We don't collect data on negative outcomes. 
We are actually threat--we are operational in nature, so we are 
looking at threats as they unfold, and we are sharing 
information.

    We do have a saying where one person's defense becomes 
everyone else's offense, and we are sharing like 65,000 in 2021 
actionable indicators. So real time, really true, positive 
indicators that help defenders put those into their system so 
that they can defend against attacks. So that is the type of 
data that we tend to collect. And that is all members shared, 
by the way.

    Senator Casey. Okay. I wanted to ask you a question as well 
about rural health care. I represent a state that has 67 
counties, but we have 48 counties that are considered rural. 
And rural, of course, means a lot of small towns.

    But communities where there is a great distance between 
health care institutions and access to care and all of those 
challenges.

    One of the big challenges, of course, is these rural 
hospitals and rural health centers don't have the resources 
that some of the big cities do, don't have the research dollars 
sometimes that the big universities and health systems have, so 
therefore they lack not only resources, but staffing to ensure 
that they have the requisite security in place to protect 
against cyber-attacks.

    Just in terms of the what the center is doing, how can you 
and how do you help those small or medium sized health care 
networks?

    Ms. Anderson. We offer many free products. And as I alluded 
to on the Sector Coordinating Council, their cybersecurity 
working group, they have put out a number of best practices 
publications that are freely available on the website. Just 
basic things that you could do with on a low budget.

    There are also things that we are developing actually in 
the Sector Coordinating Council cybersecurity working group, a 
series of videos, basic cyber videos for clinicians so that 
they understand the aspects and impacts of cybersecurity within 
their practice.

    There is a lot of efforts underway. I think, again, it goes 
back to educating people that these things do exist and that 
they can use them, and they don't cost anything, really.

    Senator Casey. I wanted to turn to Mr. Corman regarding a 
question about intelligence. I am a member of the Intelligence 
Committee, just became a member in 2021.

    Given your background with CISA and the work you have done, 
what role do you envision the intelligence community more 
broadly playing in developing not just a cyber threat picture 
for the Joint Cyber Defense Collaborative, but in particular, 
what role do you think the intelligence community can play in 
developing a health care specific cyber threat picture?

    Mr. Corman. Almost--just to be clear, two things. One, I am 
no longer in CISA. My public service ended in January 2. We 
kept this in public trust to literally be on the low side or 
not in the classified side. The role that we benefited from 
intelligence was having fit for purpose, timely, actionable 
decision support for the ISACs or for the practitioners that 
might be targeted.

    We issued one of the most full throated alerts in October 
2020 in advance of the U.S. Presidential election, with FBI and 
HHS in a pretty intense collaboration to warn of a plan to 
disrupt concurrent hospitals across the U.S. to sow panic. And 
you have now seen that covered in the Wall Street Journal and 
Wired in possible ties to Putin direction. So that is vital and 
should continue.

    If there were a national agenda to prioritize the weakest 
or highest consequence sectors, specifically with specific 
programs that maybe enhance the yield. I think the bigger issue 
is getting that in a timely way to the cyber poor, the rural 
organizations.

    10 seconds--we keep talking about data. I love my privacy. 
I would like to be allowed to enjoy it. And most of the current 
regimes, like HIPAA focuses on the confidentiality of records, 
not the availability of patient care. So even these best 
practices pre-date the shift to the unavailability of health 
care.

    Mr. Corman. Great. Thanks very much. Thanks, Chair Murray.

    The Chair. Thank you. That will end our hearing today. And 
I really want to thank all of my colleagues, as well as our 
really great witnesses today. Ms. Anderson, Mr. Corman, Ms. 
McLaughlin, and Ms. Norris, very thoughtful conversation on a 
really important issue of National Security. For any Senators 
who wish to ask additional questions, questions for the record 
will be due in 10 business days, June 2nd, 5 p.m.

    The Committee will next meet on Wednesday, May 25th to mark 
up several nominees, including Kalpana Kotagal to be a member 
of the Equal Employment Opportunity Commission, LaWanda Toney 
to be Assistant Secretary for Communications and Outreach at 
the Department of Education, Nasser Paydar to be Assistant 
Secretary for Post-Secondary Education at the Department of 
Education, and Rita Landgraf to be Assistant Secretary for 
Aging at the Department of Health and Human Services.

    Thank you all again.

    The Committee will stand adjourned.

                         QUESTIONS AND ANSWERS

  Response by Denise Anderson, to Questions From Senator Baldwin, and 
                             Senator Rosen

                            senator baldwin
     I was proud to help craft the 21st Century Cures Act, which worked 
to address many of the interoperability concerns that we've all heard 
about from providers and patients. In the process, this legislation 
made health data much more sharable.

    Question 1. Can you share any concerns that you have around the 
security of the health data that's gathered and used by entities not 
covered by HIPAA, such as third-party apps? How do we strike the right 
balance between access to data and efforts to protect innovation and 
security?

    Answer 1. Senator Baldwin, thank you for your question. While there 
are many third-party applications covered by HIPAA, there are health 
applications that are provided by non-covered entities to whom 
individuals provide health information that can potentially be shared 
with others often without much transparency. I think there are three 
main points here:

    First, while updating HIPAA is not high on the priority list given 
the other challenges being faced, it is time to update HIPAA. HHS has 
been doing what they can to provide guidance on applications and cloud, 
but the reality is that HIPAA is too dependent on defining covered 
entities and the relationships between them. Instead, HIPAA should 
focus on the data itself, rather than who holds/transmits it. For 
example, information about a patient can be shared with a covered 
entity and the data is protected, but if the exact same information is 
shared with a non-covered entity, the data is not protected.

    Second, there should be education and transparency around how data 
is used. There was an article published June 16th, 2022, illustrating 
how Facebook is receiving sensitive medical data that it can then 
potentially use to track patients for commercial purposes without 
patient knowledge:

    https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-receiving-sensitive-medical-information-from-hospital-websites.

    The Executives for Health Innovation (EHI) published a report in 
March 2022 that makes the case for why a robust accountability 
mechanism is needed to govern the use of health data held and used by 
health tech companies. While EHI is proposing a private-sector 
solution--a neutral, independently run self-regulatory program that 
will oversee the data use policies and procedures--the report does 
point out several value points:

          • Defining health information broadly enough to cover 
        all the data that reflects mental or physical well-being or 
        health and applying to all entities that develop consumer 
        technology and may access, hold, or use consumer health data.

          • Focusing on how consumer health information is used 
        rather than what information, and putting clear restrictions on 
        the collection, disclosure, and use of consumer data.

          • Shifting the burden of privacy risk off consumers and 
        onto the companies collecting and storing consumer data. The 
        detail, length, and density of most company privacy practices 
        make it unrealistic and untenable for consumers to meaningfully 
        research each technology with which they interact, or to 
        understand the terms of use they are asked--or required--to 
        accept before they can use each tool.

          • Enabling consumers selecting health technologies to 
        do so with less confusion and risk.

          • Creating a system to receive and review consumer 
        complaints.

    https://www.ehidc.org/resources/report-case-health-data-use-accountability-outside-healthcare-system.

    Finally, the security of applications and the cloud need to be 
continuously reinforced. While that doesn't get to the inherent 
problems with authorized (or at least marginally legal) sharing of 
individual health information, it does help address the breach 
scenarios. Secure software development is a hot topic and one that 
should be continually talked about and reinforced in every way and 
venue possible. Holding application developers accountable for good 
security practices helps to protect all information.

                             senator rosen
     Increasing Federal Collaboration And Resource Sharing In The 
Health Care And Public Health Sector: Healthcare and Public Health 
Sector entities are increasingly the targets of malicious cyberattacks, 
resulting not only in data breaches, but also driving up the cost of 
care and ultimately affecting patient health outcomes. Currently, 
Federal collaboration and information sharing between HHS and the 
Cybersecurity and Infrastructure Security Agency (CISA) is fragmented 
and limited, and many small and rural healthcare sector entities--who 
arguably need this Federal information sharing the most--are not aware 
of the many free Federal resources that are available to them. That's 
why I've introduced bipartisan legislation with Senator Cassidy that 
would require CISA to coordinate with and make resources available to 
Healthcare and Public Health Sector entities, including by developing 
products tailored to the specific needs of small and rural hospitals 
and health clinics. Our bipartisan bill also would authorize HHS to 
coordinate with CISA and private sector healthcare experts and provide 
training to Healthcare and Public Health Sector asset owners and 
operators on cybersecurity risks and mitigation.

    Question 1. Ms. Anderson, I was pleased to work with the H-ISAC in 
developing this bipartisan bill. As the leader of a major information 
sharing organization, would additional Federal resources and 
collaboration be helpful for the H-ISAC to push out to your members?

    Answer 1. Senator Rosen, thank you for your question and thank you 
for working with H-ISAC on this important legislation. I too believe 
and am a strong proponent of collaboration and while there has been 
good progress over the years, there is still much more we can do. I 
think if CISA and HHS could work with Health ISAC and the Health Sector 
Coordinating Council Cybersecurity Working Group together in 
partnership to develop and deliver products through joint webinars, 
workshops, products, and programs, that would be a powerful and 
productive way to reach those entities that may not be aware of all the 
resources that currently exist. As I mentioned in my testimony, many 
entities are not aware these resources exist and are free. The more we 
can push out education and broad awareness of the resources 
collaboratively and together as one voice, the better we can help the 
sector.

    Public/Private collaboration during incidents or potential threats 
is also needed. We do have recent, good examples of collaboration, such 
as Health ISAC's joint product with HC3 on the geopolitical Russian 
threat and H-ISAC's foot-stomping of CISA's Shields Up messaging and 
information from briefings. However, the more CISA and HHS can be 
encouraged to approach sharing in partnership with the private sector, 
such as jointly briefing the sector on threats, situational awareness 
and incident response mitigations and strategies, the more powerful the 
impact. Again, when we can work together as one voice, the better we 
can help the sector.

    Consideration around encouraging organizations to join the Health 
Sector ISAC or related ISAOs as a best practice would be beneficial. 
Having a strong community of health organization participants 
strengthens the sector and ecosystem. Many years ago, there was some 
discussion around providing tax incentives for critical infrastructure 
organizations to join their respective sector ISACs. ISACs, stood up 
under Presidential Decision Directive 63, are robust, valuable sharing 
communities, many of which have been in existence for over two decades. 
Federal support in the form of incentives or grants to small 
organizations would go a very long way to helping these entities and 
the sector at large.

    Finally, another area of support would involve improved regulation 
and control over digital currency to prevent issues like ransomware and 
digital extortion. Cryptocurrency provides for an unregulated and 
anonymous money exchange that is widely used by cyber criminals to 
conduct nefarious activities. Cryptocurrency should be highly 
regulated or eliminated as it is the primary mechanism fueling cyber-
criminal activities and money laundering.
                                 ______
                                 

       Response by Helen Norris, to Questions From Senator Hassan

                             senator hassan
    In her testimony, Ms. Anderson highlighted the important role that 
the Health Sector Coordinating Council has played in improving the 
cybersecurity of the health care sector. Paraphrasing from her written 
testimony: The Health Sector Coordinating Council serves as an official 
advisory council to the Federal Government with critical infrastructure 
protection functions distinct from the advocacy and member services 
roles of traditional industry associations. The education sector, 
however, does not have a dedicated Sector or Government Coordination 
Council.

    Question 1. How might Sector and Government Coordinating Councils 
help with the critical infrastructure protection function for the 
education sector?

    Answer 1. The coordinating council model fills an important role 
for sectors designated as ``critical infrastructure'' by the Federal 
Government, but that carries with it functions and responsibilities 
that are specific to those sectors' ``critical infrastructure'' status. 
As a result, it may not be the right model for more effective DHS/CISA 
engagement with areas such as higher education that have national 
significance while not presenting the same types and levels of systemic 
risk as sectors like health care, transportation, finance, and so forth.

    With that distinction in mind, it would be worthwhile to consider 
how we can build on the CISA Cybersecurity Advisory Committee (CSAC) 
(https://www.cisa.gov/about-cisa-cybersecurity-advisory-committee) that 
was established roughly a year ago. CSAC, which includes cybersecurity 
leaders from a range of private and public sector organizations, serves 
as an official advisory body that provides the agency with broad-based 
input on its cybersecurity policies and programs. Given higher 
education's unique structure, and thus the unique cybersecurity 
challenges it faces, having a higher education subcommittee of the CSAC 
could ensure that issues and recommendations particularly relevant to 
colleges and universities are surfaced, both for the benefit of higher 
education as well as the overall cybersecurity space that the CSAC is 
intended to represent. Likewise, establishing such a subcommittee might 
provide a model for developing CISA's advisory structure so that 
nationally significant fields with unique structures and 
characteristics, which would include our colleagues in K-12, have ``a 
seat at the table'' as CISA considers how it can best work with us to 
advance cybersecurity nationwide.

    Question 2. The Department of Health and Human Services, Department 
of Education, and the Cybersecurity and Infrastructure Security Agency 
make many affordable, and often free, cybersecurity resources available 
to the health care and education sectors. However, smaller health care 
settings and school districts that would benefit most from these 
resources are often not aware of these resources or their benefits.

    Question 2(a). In your experience, how effective is the outreach 
from the Federal Government to smaller entities?

    Answer 2(a). Federal agencies employ a variety of tools to reach 
the education sector, with electronic methods such as email and online 
groups being among the most effective. However, for many of us in 
larger institutions, we find our relationships with specific Federal 
agency offices and/or representatives to be more effective still. They 
give us an opportunity to have an interactive discussion with an 
agency, which allows for greater understanding and impact in the 
results. Unfortunately, such connections are generally not scalable, 
and as a result, smaller entities often feel out of the loop. In many 
cases, even if the Federal agencies had the capacity to reach out to 
every organization, the smaller entities often have limited staff with 
multiple responsibilities in addition to cybersecurity, adding to the 
communications challenges that the agencies face. Finally, the volume 
of information can be overwhelming for smaller entities, especially 
when one considers that the states are also communicating to colleges 
and universities.

    Question 2(b). How can we improve that outreach to increase support 
for these entities that have the greatest need?

    Answer 2(b). The Federal Government is most effective in outreach 
to smaller colleges when it partners with states and other 
organizations. For example, in California we have an organization 
called AICCU (https://aiccu.edu/) representing independent colleges, 
many of them smaller entities. They do an excellent job of liaising 
between their members and the State of California and could be 
effective in playing the same role with Federal entities. I would also 
recommend that Federal agencies target communications to non-technical 
leaders in smaller institutions, ensuring that the communications are 
clear to a non-technical audience.

    In addition, a higher education-specific advisory body, as 
described above, would be helpful in broadening engagement. Likewise, 
Federal agencies should establish and maintain consistent channels of 
engagement and communication with national associations and 
organizations that support higher education cybersecurity leaders and 
professionals, such as EDUCAUSE and the Research and Education Networks 
Information Sharing and Analysis Center (REN-ISAC). The professional 
and operational connections that these entities sustain are often the 
most direct and effective ways to reach the higher education IT 
community at every level, from community colleges through research 
universities. Finally, Federal agencies could expand their methods of 
communication, leveraging video and social media to extend their reach 
given the increased prevalence of those means of engagement following 
the pandemic.
                                 ______
                                 

      Response by Amy McLaughlin, to Questions From Senator Hassan

                             senator hassan
    In her testimony, Ms. Anderson highlighted the important role that 
the Health Sector Coordinating Council has played in improving the 
cybersecurity of the health care sector. Paraphrasing from her written 
testimony: The Health Sector Coordinating Council serves as an official 
advisory council to the Federal Government with critical infrastructure 
protection functions distinct from the advocacy and member services 
roles of traditional industry associations. The education sector, 
however, does not have a dedicated Sector or Government Coordination 
Council.

    Question 1. How might Sector and Government Coordinating Councils 
help with the critical infrastructure protection function for the 
education sector?

    Answer 1. The Health Sector Coordinating Council is coordinated by 
the Cybersecurity and Infrastructure Security Agency (CISA) and offers 
the benefit of coordinating Federal cybersecurity resources from 
multiple agencies through a single working group and providing a 
central point of access to those resources, giving health sector 
organizations a single access point and reducing overlap and 
duplication of services.

    From this perspective, a sector coordinating council for K-12 
public schools could be extremely beneficial in bringing existing 
resources together in a single, coordinated location, identifying, and 
resolving gaps in resources, and reducing the development of 
duplicative services. Reducing the number of locations and 
organizations a K-12 district needs to interact with to access 
available resources would increase efficiency and effectiveness of 
those resources.

    Finally, a sector specific coordinating council offers the benefit 
of reviewing and curating available resources from a K-12 perspective 
to determine if they fit the K-12 environment.

    Question 2. In your written testimony, you highlighted the 
involvement of the Multi-State Information Sharing and Analysis Center 
(MS-ISAC) in supporting cybersecurity in K-12 public schools.

    Question 2(a). How effectively is the MS-ISAC serving the needs of 
K-12 schools?

    Answer 2 & 2(a). The K-12 membership in MS-ISAC has grown steadily 
and currently represents over 2,000 schools and districts nationally 
and about one fifth of the organization's membership. \1\ MS-ISAC 
provides a valuable range of services that support the needs of K-12 
schools, including:
---------------------------------------------------------------------------
    \1\  https://www.cisecurity.org/ms--isac/k-12--text--Membership--
20is--20open--20to--20all--2C--20and--20private--20sector--20partners.
---------------------------------------------------------------------------

          • Malicious Domain Blocking and Reporting (MDBR)--a 
        free service that blocks students and staff from accessing 
        known bad websites

          • Access to MS-ISAC's 24x7x365 Security Operations 
        Center (SOC)

          • Training resources including: MS-ISAC Cybersecurity 
        Awareness Month Poster Contest for Students and Kid Safe Online 
        Activity Book \2\
---------------------------------------------------------------------------
    \2\  Ibid.
---------------------------------------------------------------------------

    MS-ISAC actively partners with CoSN and other K-12 organizations to 
connect with school districts, offer training and build access to the 
resources that support K-12 organizations. They continue to improve and 
expand their effectiveness in supporting K-12 schools.

    One area where MS-ISAC's effectiveness has been limited is in their 
ability to consistently offer Security Operations Center services in a 
timely manner because of the rapid increase in need for SOC services 
caused by the increase in cyberattacks against MS-ISAC members. This 
impacts all MS-ISAC members, including K-12 members and is why we 
support increasing funding for the MS-ISAC SOC and opportunities to 
help MS-ISAC in staffing an expanded SOC.

    Question 2(b). Do you believe that a dedicated K-12 ISAC would be 
beneficial?

    Answer 2(b). MS-ISAC has spent such significant time building 
relationships with K-12 schools, districts, and partner organizations 
that developing a separate dedicated K-12 ISAC at this point may be 
more disruptive than helpful. Supporting and funding a K-12 specific 
segment of MS-ISAC would be extremely beneficial in providing a way for 
MS-ISAC to customize services and information specifically for the K-12 
environment. For example, MS-ISAC regularly releases security 
advisories that are available free to all members. However, the 
advisories are targeted to a generic State, Local, Tribal and 
Territorial Government (SLTT) audience and can be difficult for the K-
12 practitioner to translate into actionable activities necessary in 
the K-12 environment.

    Question 3. The Department of Health and Human Services, Department 
of Education, and the Cybersecurity and Infrastructure Security Agency 
make many affordable, and often free, cybersecurity resources available 
to the health care and education sectors. However, smaller health care 
settings and school districts that would benefit most from these 
resources are often not aware of these resources or their benefits or 
they lack the trained personnel required to use them.

    Question 3(a). In your experience, how effective is the outreach 
from the Federal Government to smaller entities?

    Answer 3 & 3(a). Outreach from the Federal Government to smaller 
entities is generally less effective than it could be, for several 
reasons.

    First, Federal Government agencies often expect or assume that 
there is an individual dedicated to cybersecurity in place at each 
organization, which is an inaccurate assumption. In smaller entities, 
time for cybersecurity functions competes with daily technical support 
and customer service, and in the smallest entities, with teaching and 
administration of the school. This is especially true in rural and 
frontier schools and districts, where not only are staff expected to 
take on myriad responsibilities, they are also hampered by the lack of 
cybersecurity skills in the local community.

    Second, programs to fund additional technologies and support often 
come with administrative overhead and reporting requirements that are 
too intensive for small K-12 entities to absorb into their workload, so 
those programs remain unused by the groups that need them most.

    Third, many programs developed by Federal agencies offer one-time 
grant funding for improvements, for example offering one-time funding 
for cybersecurity implementation, but don't support the ongoing costs 
post-implementation and/or require ongoing reporting even beyond the 
lifetime of the grant. This approach adds a financial burden to small 
K-12 entities, which are unable to absorb the costs into their 
budgets.

    Building the capacity of the Department of Education's Privacy 
Technical Assistance Center to help schools address their cybersecurity 
needs could be particularly helpful for the smallest and most resource 
limited school districts.

    Question 3(b). How can we improve that outreach to increase support 
for these entities that have the greatest need?

    Answer 3(b). Outreach to K-12 entities that have the greatest need 
can be improved by:

          • Expanding K-12 access to cybersecurity resources 
        through existing Federal programs, such as E-Rate, that are 
        already widely used by K-12 schools and districts. In 2021, 
        CoSN filed a petition with the FCC urging the agency to make 
        cybersecurity costs eligible for E-rate Category 2 support. \3\ 
        The FCC has not yet published a request for comments seeking 
        public input about the ideas featured in the CoSN petition, 
        including modernizing the E-rate's ``firewall'' definition.
---------------------------------------------------------------------------
    \3\  http://d31hzlhk6di2h5.cloudfront.net/20190903/cc/f3/72/41/
228e09116606c764f2d2f2c4/CoSN-Cat-Two-Filing-Final-2019.pdf.
---------------------------------------------------------------------------

          • Utilizing the forthcoming results of the CISA study 
        on cybersecurity in K-12 education to develop a coordinated 
        approach to offering cybersecurity resources that scale to fit 
        small entities and are easy to access, and/or provide centrally 
        funded and offered services that expand the cybersecurity 
        capability of small entities. For example, providing the MS-
        ISAC Albert Network Monitoring and Management service to small 
        entities free of charge.

          • Providing funding to community college and university 
        cybersecurity programs that operate security operations centers 
        that offer low-cost cybersecurity monitoring and incident 
        response services to K-12 schools and districts and serve as a 
        training ground for new cybersecurity professionals.
                                 ______
                                 

    [Whereupon, at 11:28 a.m., the hearing was adjourned.]
