[Senate Hearing 118-55]
[From the U.S. Government Publishing Office]
S. Hrg. 118-55
IN NEED OF A CHECKUP: EXAMINING THE
CYBERSECURITY RISKS TO THE HEALTHCARE SECTOR
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON
HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED EIGHTEENTH CONGRESS
FIRST SESSION
__________
MARCH 16, 2023
__________
Available via the World Wide Web: http://www.govinfo.gov
Printed for the use of the
Committee on Homeland Security and Governmental Affairs
U.S. GOVERNMENT PUBLISHING OFFICE
52-484 PDF WASHINGTON : 2023
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           RAND PAUL, Kentucky
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              JAMES LANKFORD, Oklahoma
JACKY ROSEN, Nevada                  MITT ROMNEY, Utah
ALEX PADILLA, California             RICK SCOTT, Florida
JON OSSOFF, Georgia                  JOSH HAWLEY, Missouri
RICHARD BLUMENTHAL, Connecticut      ROGER MARSHALL, Kansas
David M. Weinberg, Staff Director
Zachary I. Schram, Chief Counsel
Christopher J. Mulkins, Director of Homeland Security
Jeffrey D. Rothblum, Senior Professional Staff Member
William E. Henderson III, Minority Staff Director
Christina N. Salazar, Minority Chief Counsel
Kendal B. Tigner, Minority Professional Staff Member
Laura W. Kilbride, Chief Clerk
Ashley A. Gonzalez, Hearing Clerk
C O N T E N T S
------
Opening statements:
Page
Senator Peters............................................... 1
Senator Hassan............................................... 13
Senator Carper............................................... 15
Senator Hawley............................................... 17
Senator Blumenthal........................................... 20
Senator Padilla.............................................. 22
Senator Rosen................................................ 24
Senator Sinema............................................... 26
Prepared statements:
Senator Peters............................................... 31
WITNESSES
Thursday, March 16, 2023
Scott Dresen, Senior Vice President, Information Security and
Chief Information Security Officer, Corewell Health............ 3
Kate Pierce, Senior Virtual Information Security Officer,
Fortified Health Security...................................... 5
Greg Garcia, Executive Director, Cyber Security, Healthcare and
Public Health Sector Coordinating Council...................... 7
Stirling Martin, Senior Vice President and Chief Privacy and
Security Officer, Epic Systems................................. 9
Alphabetical List of Witnesses
Dresen, Scott:
Testimony.................................................... 3
Prepared statement........................................... 33
Garcia, Greg:
Testimony.................................................... 7
Prepared statement........................................... 56
Martin, Stirling:
Testimony.................................................... 9
Prepared statement........................................... 83
Pierce, Kate:
Testimony.................................................... 5
Prepared statement........................................... 36
APPENDIX
Ms. Pierce supplemental response................................. 86
American Academy of Family Physicians Statement for the Record... 88
Responses to post-hearing questions for the Record:
Mr. Dresen................................................... 95
Ms. Pierce................................................... 97
Mr. Garcia................................................... 100
IN NEED OF A CHECKUP:
EXAMINING THE CYBERSECURITY RISKS TO THE HEALTHCARE SECTOR
----------
Thursday, March 16, 2023
U.S. Senate,
Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 10 a.m., in room
SD-562, Dirksen Senate Office Building, Hon. Gary Peters,
Chairman of the Committee, presiding.
Present: Senators Peters [presiding], Carper, Hassan,
Sinema, Rosen, Padilla, Ossoff, Blumenthal, Scott, Hawley, and
Marshall.
OPENING STATEMENT OF SENATOR PETERS\1\
Chairman Peters. The Committee will come to order.
---------------------------------------------------------------------------
\1\ The prepared statement of Senator Peters appears in the
Appendix on page 31.
---------------------------------------------------------------------------
Today's hearing will examine cybersecurity threats facing
the healthcare sector, how both the Federal Government and
health care providers are working to combat these threats, and
what actions Congress should take to bolster our cybersecurity
defenses against these attacks.
Health care is a rapidly growing sector of our economy that
employs more than 18 million workers, and is made up of both
public and private sector organizations related to patient
services, medical devices and manufacturers, and electronic
health and medical records, that store considerable amounts of
personal information, making them frequent targets of attacks.
In recent years, increasingly sophisticated cyberattacks in
the health care and public health sectors have posed alarming
threats to people in Michigan as well as all across the
country.
Cyberattacks on hospitals, and other health care providers,
can cause serious disruptions to their operations and prevent
them from effectively providing critical, lifesaving care to
their patients. Breaches can also lead to the exposure of
sensitive personal and medical information of patients and
health care personnel.
Most recently, the DC Health Link, a health insurance
marketplace for residents and lawmakers in the nation's
capital, experienced a cyberattack that exposed the personal
data and information of tens of thousands of people, putting
victims at risk of identity theft, scams, and additional
cyberattacks.
Earlier this year, in my home State, the University of
Michigan Health System experienced a cyberattack that
temporarily limited access to their public websites. Thankfully
in that attack, no patient information was compromised and the
issue was quickly resolved.
These relentless cyberattacks show that foreign adversaries
and cybercriminals will stop at nothing to exploit
cybersecurity vulnerabilities, our critical infrastructure, and
most essential systems.
What is most concerning about these attacks is that they do
not just compromise personal information. They can actually
affect patient health and safety. Last month, a ransomware
attack on Tallahassee Memorial HealthCare in Florida took the
hospital's information technology (IT) systems offline for more
than a week, and required them to divert patients to other
facilities and cancel procedures until they could restore those
networks.
A 2019 catastrophic ransomware attack on the Spring Hill
Medical Center in Mobile, Alabama, may have even led to a
patient's death. The attack prevented health care providers
from using equipment to monitor a baby's condition during
delivery. As a result, the infant tragically passed away
because of delayed medical care.
This shocking example shows just how grave the consequences
of cyberattacks in the health care sector can be. Given the
threats facing this sector, and the potential life or death
consequences, there is no question that investments in health
care cybersecurity are also investments in patient care.
This Committee has already taken important steps to
strengthen cybersecurity for our critical infrastructure
sectors, including the health care sector. Last Congress, the
Committee advanced a bipartisan bill that I introduced along
with Senator Portman to require these organizations to report
cyberattacks and ransomware payments to the Cybersecurity and
Infrastructure Security Agency (CISA).
This law will help ensure that government is able to better
track cybersecurity threats to our critical infrastructure,
provide more transparency and situational awareness for our
cybersecurity defenses, and enable CISA to warn potential
victims of ongoing attacks, so they know if they could be the
next target.
This is an important first step, but there is much more
Congress can do to ensure that critical networks in our health
care and public health sector remain resilient against
cyberattacks.
I am grateful our colleague, Senator Rosen, is leading
efforts that would improve the way CISA and the Department of
Health and Human Services (HHS) share information about
cybersecurity threats with the health care sector, as well as
provide cybersecurity training to medical professionals. I look
forward to working together to build on these efforts.
Today, I am pleased to have an expert panel of health care
cybersecurity professionals who can speak more about the
challenges we face and discuss potential solutions.
With that I would normally turn it over to our Ranking
Member, who is not here, so I will move to swear in our
witnesses.
It is the practice of Homeland Security and Governmental
Affairs Committee (HSGAC) to swear in witnesses, so if each of
you would please stand and raise your right hand.
Do you swear that the testimony you will give before this
Committee will be the truth, the whole truth, and nothing but
the truth, so help you, God?
Mr. Dresen. I do.
Ms. Pierce. I do.
Mr. Garcia. I do.
Mr. Martin. I do.
Chairman Peters. Thank you. You may be seated.
Our first witness is Scott Dresen. Mr. Dresen serves as the
Chief Information Security Officer (CISO) of Corewell Health.
In his role, he is responsible for maintaining and managing the
Enterprise Business Assurance Program including emergency
management, business continuity, and operational readiness.
Previously he served as the Chief Information Officer (CIO) for
Wayne State University Physician Group.
Mr. Dresen, thank you for being here. You may proceed with
your opening remarks.
TESTIMONY OF SCOTT DRESEN,\1\ SENIOR VICE PRESIDENT,
INFORMATION SECURITY AND CHIEF INFORMATION SECURITY OFFICER,
COREWELL HEALTH
Mr. Dresen. Thank you, Chairman Peters and Members of the
Homeland Security and Governmental Affairs Committee. It is an
honor to be speaking with you about cybersecurity risks. I am
the Chief Information Security Officer of Corewell Health, an
integrated health system committed to health and wellness so
that people can live their healthiest life possible.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Dresen appears in the Appendix on
page 33.
---------------------------------------------------------------------------
Cybersecurity threats to the health care sector could
compromise our health system's ability to effectively provide
access to and deliver health care services to our patients and
members. Of particular concern are high-impact ransomware
attacks, which disrupt and delay health care delivery, may
cause risks to patient safety, and can be used to conceal
activity by threat actors to exfiltrate personal health
information.
We live in a world where health care is highly digital and
highly connected, making us vulnerable given the value of the
data we manage. We have a responsibility to protect the data of
our patients and members, and this obligation is of the highest
priority across our system leadership and board of directors.
Health care is a complex business model whereby multiple,
often independent entities come together to form what the
patient sees as a cohesive care delivery process. Over time and
out of necessity, this model has evolved in ways that have made
us more vulnerable to cyberattacks, expanded the footprint
of health care systems that must be protected, and increased
the opportunities for threat actors to compromise us.
Media reports of cyberattacks, data breaches, and
unintended exposure of sensitive data underscore the
vulnerability of health care systems to these disruptive
incidents and the impact to our patients and members.
Operational disruption prevents patients from being able to
receive the care they need when they need it. Material
financial impact in the form of fines, penalties, and
associated remediation costs increases financial pressures
significantly. Brand and reputational impacts can have lasting
consequences on organizations victimized by cyberattacks.
These issues only serve to undermine the trust our
communities have in our health care system and our ability to
serve them in their most vulnerable time of need. A
comprehensive information security program is critical to
manage these risks, yet there exists significant disparity in
the health care sector for organizations to resource an
effective security team and the necessary technology to provide
their requisite protections to reduce the risk of an attack.
Small and medium-sized health care systems are at a significant
disadvantage compared to larger systems to be able to recruit,
retain, and fund an effective information security program.
Despite the advantage larger organizations have in comparison,
the increasing trend of attacks proves even the largest
organizations are vulnerable and can be compromised.
The increasing frequency of attack from nation-state actors
and organized crime has created a sense of urgency within the
health care sector, and we need help from the United States
government to respond to these threats more effectively.
Requirements for interagency sharing of cybersecurity threat
intelligence are a productive step forward. We need more of this
and need that enhanced collaboration to include critical
infrastructure sector participation, including the ability to
automate threat intelligence data sharing with sector
participants, enabling rapid, near-real-time automatic
ingestion of threat intelligence into the technologies
participating members use to protect their respective
organizations.
The United States government has actionable intelligence
that would be of immediate value to the health care sector.
While there is some degree of automated intelligence sharing,
we need to make more of that intelligence accessible.
We are in an environment where keeping up with technology
to defend against advanced, persistent threat is extremely
expensive. Many of these technologies are an option for
financially disadvantaged health care systems due to cost. We
recommend creating incentives to make technology more
affordable and accessible to the entire health care sector.
We recommend reforms on the penalties health care entities
face because of cyberattacks and related data breaches. We
understand and support the legislative intent to encourage
adoption of best practices and the implementation of
appropriate protections to safeguard our data. However,
penalizing victims of cyberattack, when defensive measures
cannot keep up with the sophistication of hackers, is not the
fair approach.
We are at our best and most capable when it comes to caring
for our patients and members. That is our expertise. Our
adversaries are at their best and most capable when they are
attacking us. They are extremely well funded, extremely
talented, and highly motivated. Many are either nation-state
actors or sponsored and supported by nation-states. We cannot
beat them alone, but together we can be more effectively
protecting this vital, critical infrastructure sector.
Thank you for this opportunity to testify, and I look
forward to your questions.
Chairman Peters. Thank you, Mr. Dresen, for your testimony.
Our next witness is Kate Pierce. Ms. Pierce serves as the
Senior Virtual Information Security Officer at Fortified Health
Security. Ms. Pierce has over two decades of experience in
North Country Hospital, where she served as the Chief
Information Officer and Chief Information Security Officer. Ms.
Pierce is also part of Fortified Health Security, one of
the leading health care-only cybersecurity managed services
companies in the United States.
Ms. Pierce, welcome to our Committee. You may proceed with
your opening remarks.
TESTIMONY OF KATE PIERCE,\1\ SENIOR VIRTUAL INFORMATION
SECURITY OFFICER, FORTIFIED HEALTH SECURITY
Ms. Pierce. Chairman Peters and Members of the Committee,
my name is Kate Pierce. I served as the CIO and CISO for a
critical access hospital in Vermont for over 21 years, and I
currently serve as the Virtual Information Security Officer for
Fortified Health Security. I thank you for this opportunity to
address the Committee to provide an industry perspective on
cybersecurity threats, specifically in the small and rural
facilities.
---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Pierce appears in the Appendix on
page 36.
---------------------------------------------------------------------------
In 2022, health care continued to be the most targeted
critical infrastructure sector, with nearly a quarter of
ransomware attacks directed at health care. We also saw cyber
criminals shift their focus to small and rural hospitals, with
this group lagging behind in strengthening their defenses.
Average recovery times expanded, and costs for health care
attacks increased to over $10.1 million per incident.
Our rural hospitals are facing unprecedented budget
constraints, with up to 30 percent or more in the red. With the
public health emergency scheduled to end in May, hospitals
anticipate a rise in free care, with as many as 15 million
Medicaid patients projected to lose coverage.
Cyber programs continue to lag behind with budgeted
security spending redirected to cover higher priority expenses.
These small hospitals struggle to employ and retain skilled
cybersecurity professionals, and often have little to no staff
solely dedicated to security. Cyber insurance coverage can no
longer be considered an alternative, with skyrocketing
premiums, lower limits, and increasing requirements.
The value of health care records in the dark web continues
to be up to more than 60 times higher than other records. The
risk of identity theft, credit card fraud, and reputational
harm is now supplemented by patients being directly exploited
with threats to release their sensitive information on the web.
Post attack, hospitals are now seeing a rise in civil cases,
costing millions of dollars.
The impact on our rural communities during an attack is
hard to overstate. While attacks in urban areas are impactful,
populated areas provide other health care options for patients
to choose. In most rural areas, the nearest health care
facility may be 45 miles or more away, making the diversion of
patients unfeasible. With direct attacks causing outages
lasting weeks and sometimes months, the impact on patient
safety is easy to comprehend.
Delays in care can directly contribute to negative outcomes
for many high-risk conditions. Facilities that continue to
treat patients are challenged to provide high levels of patient
care without access to patient information, safety alerts,
delays in results, and other key tools.
To meet these challenges I recommend implementing several
measures to improve the cybersecurity for our small and rural
facilities.
First, we must move beyond guidance and recommendations and
create minimum standards for cybersecurity. These standards
must be effective, reasonable, achievable, and continually
evolving as cybersecurity requirements change. Specific
recommendations are in my written testimony.
Second, we cannot leave our small and rural hospitals
behind. Funding opportunities must be made available to these
hospitals. My insights on subsidies, grants, and other
incentives are also included in my written testimony.
Third, we need better coordination of government cyber
efforts. While guidance and services from many agencies are
appreciated, there is often a knowledge gap regarding the
unique health care challenges that must be considered. Also,
most rural hospitals are not effectively utilizing available
resources. To be effective, government services must be
streamlined, knowledgeable, and available.
Last, establishing a Federal Emergency Management Agency
(FEMA) cyber disaster relief program would provide this
vulnerable sector with important resources. This could assist
organizations in their recovery process and increase the
likelihood that hospitals can survive beyond an attack.
In conclusion, small and rural health care organizations
are losing the cybersecurity battle. The Cybersecurity Act of
2015 is now eight years old. While advancements have been made
with respect to published documents, services, and guidance, as
a nation, definitive, coordinated action is needed now. Our
rural hospitals are in crisis, and further delay would
jeopardize health care for our rural communities.
Thank you for your time. I look forward to answering your
questions.
Chairman Peters. Thank you, Ms. Pierce. Thank you for your
testimony.
Our next witness is Greg Garcia. Mr. Garcia serves as the
Executive Director for Cyber Security of the Healthcare and
Public Health Sector Coordinating Council (HSCC). It is a
convening organization that works in partnership with other
Federal agencies to protect the security and resilience of
these sectors. Mr. Garcia served as the nation's first
Department of Homeland Security (DHS) Assistant Secretary for
Cybersecurity and Communications under President George W.
Bush.
Previously, Mr. Garcia held executive positions with the
Bank of America and served as professional staff on the
Committee on Science, Space, and Technology in the U.S. House
of Representatives.
Welcome to the Committee, sir. You may proceed with your
opening comments.
TESTIMONY OF GREG GARCIA,\1\ EXECUTIVE DIRECTOR, CYBER
SECURITY, HEALTHCARE AND PUBLIC HEALTH SECTOR COORDINATING
COUNCIL
Mr. Garcia. Thank you, Chairman Peters and Members of the
Committee. Thanks for inviting me to testify today. I am the
Executive Director of the Health Sector Coordinating Council.
We are an industry-led advisory council of more than 350 health
care organizations and government agencies, working together as
a public-private partnership.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Garcia appears in the Appendix on
page 56.
---------------------------------------------------------------------------
The main point I want to leave you with today is that the
industry is mobilizing collaboratively against evolving cyber
threats in the health system, and our government is doing the
same and can be doing more.
The industry is regulated for cybersecurity in various
ways, and more is being contemplated. But there are ways that
HHS, CISA, and other government offices can improve
coordination, in programs and funding, to facilitate the
security of the health sector.
What matters most about cyber insecurity in the health
sector is the potential impact on patient safety. We have heard
that from our previous witnesses. In particular, ransomware
events over the past few years have resulted in clinical
disruptions that can cause and have caused harm to patients.
Consider when a health system is disabled by a cyber incident,
stroke, trauma, cardiac imaging, and other systems and services
are closed to admission. Ambulances with patients en route to
hospitals are diverted. Radiation and surgery for cancer
patients are delayed. Medical records for prescriptions,
diagnoses, therapies are inaccessible or lost. Clinical trial
data are lost. Payment systems are down. Ordering and receiving
supplies is disrupted.
What we see now and in the future is a changing health care
system that may complicate this challenge. Consider that health
care innovation is going direct to the consumer, to wearable
and home medical technology and telemedicine. This expands the
so-called attack surface for connected technology outside the
clinical environment, which is harder for hospitals to secure
remotely with patients.
There is an increase in mergers and acquisitions among
provider institutions, and that involves having to integrate
incompatible systems, different suppliers. That adds to
complexity, cost, and risk.
There is an increased migration to cloud service providers,
in which technology, clinical data management systems and
software are outsourced to third parties, and that can increase
the scalability of attack to thousands of customers with just
one mouse click.
There are workforce shortages, which Ms. Pierce referred to,
in both clinical and cybersecurity support, which strains the
ability to manage those intersecting needs, cyber and clinical.
Finally, the cyber insurance market is simultaneously
retrenching, increasing premiums, reducing coverage, and this
is severely limiting its risk reduction value.
What are we doing about it? How do individual enterprises
deal with these threats, and how does the sector collectively
deal with it? I am going to concentrate my answer on the latter
question.
As I mentioned earlier, the Health Sector Council is one of
many federally designated critical infrastructure sector
coordinating councils. Health care is in the same category as
financial services, telecommunications, electricity, and
others, and we are organized to work with our government
counterparts to identify and mitigate threats and incidents,
from pandemics, natural disasters, supply chain disruptions,
and cyberattack.
In government, there are designated sector risk management
agencies (SRMA), in our case HHS. They are directed by statute
and Executive Orders (EO) to work with their corresponding
critical sectors on this shared mission, not just with
regulation but with partnership and innovative problem-solving.
Indeed, cyber regulation on the nation's small and under-
resourced health systems cannot succeed without corresponding
support from the government. To reduce that cyber and patient
risk, our Council, over the past five years, has worked
tirelessly. We started with fewer than 50 members, in 2017, and
now the Council has grown to 380 industry organizations and 16
government organizations. We are all motivated by the same
unifying imperative, that patient safety requires cyber safety.
We are structured into task groups that work on specific
cybersecurity problems. The result over the past four years is
the publication of 18 cybersecurity best practices and guidance
documents by the sector, for the sector: medical device
security, cybersecurity for health systems, workforce
development, information sharing, intellectual property
protection, et cetera.
Two of these resources were published jointly, by our
Council and by HHS. This demonstrates the importance we place
on this shared responsibility, and four more resources are in
the pipeline for publication in the second quarter of this
year, one of which is another joint publication with HHS.
But as a partnership with government, we are making
positive steps but we can do more. We are encouraged that HHS
is reorganizing to enhance its SRMA responsibilities. That
means working with us, in industry, to develop cybersecurity
initiatives, incentives, and programs. It means improving
information sharing, impact analysis, and incident response. It
means coordinating across the agency and with industry to make
cybersecurity policy development and enforcement more matrixed
and coherent. Some of that may require congressional action.
It is commendable that CISA, in its role as the national
coordinator for critical infrastructure protection, has
directed more of its attention to health care cybersecurity.
But that level of attention needs to be triangulated, among HHS
as the sector lead, CISA as the technical support, and industry
as the owners and operators. In our view, that necessary
relationship is improving, and we are glad for that, but more
improvement can be done.
In conclusion, my written statement includes options we are
considering as recommendations for how the government can
better partner with that critical infrastructure sector against
evolving threats, and I will be happy to discuss them during
the question period.
To finalize, we are working collectively in pursuit of the
imperative of patient safety. It requires cyber safety, and
succeeding at this will mean, as my friend and former National
Cyber Director, Chris Inglis, would tell us, ``To beat one of
us you have to beat all of us.''
Thank you, Mr. Chairman.
Chairman Peters. Thank you, Mr. Garcia, for your testimony.
Our final witness is Stirling Martin. Mr. Martin is the
Senior Vice President for Epic. In his over 25 years at Epic he
has helped develop, implement, and support Epic's products and
worked closely with customers around the world to ensure their
needs are met.
Mr. Martin also serves as the Chief Security and Privacy
Officer and President of Epic's hosting business.
Mr. Martin, thank you for being here today. You may proceed
with your opening remarks.
TESTIMONY OF STIRLING MARTIN,\1\ SENIOR VICE PRESIDENT AND
CHIEF PRIVACY AND SECURITY OFFICER, EPIC SYSTEMS
Mr. Martin. Thank you. Distinguished Members of the
Committee, thank you for the opportunity to provide my
testimony today. My name is Stirling Martin, my formal training
is as a computer scientist, and I am the Chief Security and
Privacy Officer and Senior Vice President at Epic.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Martin appears in the Appendix on
page 83.
---------------------------------------------------------------------------
Since 1979, we have created clinical, financial, and
administrative systems, including the patient portal, MyChart,
for health care organizations in the United States and around
the world. Our customers include academic medical centers,
large integrated health systems, small critical access
hospitals, and federally qualified health centers.
Our focus, first and foremost, is on helping patients.
Personal health data is uniquely sensitive if compromised
because it cannot be reset like passwords or changed like
credit card information. A patient's health information can
also be immensely personal, and even just the threat of
exposure can create angst for an individual. If exposed,
private health care data can be leveraged by malicious actors
through identity theft and the potential for blackmail. In an
extreme case, patient safety could be directly impacted if a
bad actor were to manipulate health care data.
Within a community, cyberattacks can reduce access to care.
In a rural community with only one health care facility,
patients may need to delay preventative care or elective
treatments until an incident is resolved.
In a larger community, a cyberattack can have a cascading
effect as patients may be diverted to an unfamiliar care team
at another facility, and those facilities need to deal with an
influx of additional patients.
We have been shoulder-to-shoulder with our customers as
health care has become increasingly targeted by cyberattacks.
For a health system, a cyberattack disrupts their patient care
mission and causes both reputational harm and financial burden.
Organizations often take their systems offline as they mitigate
the impact of a security incident. Doing so places stress on
staff to provide high-quality care without the IT systems that
drive their workflows. As organizations may see fewer patients,
the financial impact extends beyond the cost of incident
response to lost revenue as well.
Organizations face several challenges in improving their
security posture. First is staffing, and their ability to hire
and retain high-demand security talent.
Second, security is a constant effort, and there are always
more steps that can be taken to make systems more secure. In
working with health care organizations across the country, we
see both basic and highly sophisticated security programs in
use, and yet there is no defined benchmark of what security
practices are considered sufficient.
An additional challenge is the lack of cybersecurity
information-sharing among health care organizations, as well as
the limited threat intelligence from government agencies and
private industry.
These challenges are exacerbated as many health care
organizations currently face unprecedented financial and
staffing pressures. The costs to improve one's security posture
through new technology or staff must be weighed against other
needs such as hiring or retaining nurses at the bedside.
There are a variety of ways the Federal Government could
help health care organizations prevent and respond to
cyberattacks.
Starting first with prevention, there is a dire shortage of
security talent in the United States. To build a deeper bench
of skilled IT security professionals, the Federal Government
could develop security training programs and incentivize newly
trained professionals working in health care. This could be
similar to the Rural Community Loan Repayment program for
physicians who agree to provide care to rural communities after
medical school and residency.
Second, the industry needs a single set of prescriptive
security practices, whether defined by Federal agencies such as
the National Institute of Standards and Technology (NIST) or
CISA, industry efforts such as Health Information Trust
Alliance (HITRUST), or a collaboration such as the Healthcare
Sector Coordinating Council. This will raise the overall
security posture of health care organizations by encouraging
them to meet those acceptable security practices.
The government should take the further step of establishing
a legal safe harbor for organizations that meet the defined
benchmark if they fall victim to an incident. This would also
encourage information sharing to remediate active issues more
quickly and prevent similar issues in the future, and could be
further bolstered by government agencies sharing deeper threat
intelligence.
Lastly, on incident response, similar to how FEMA responds
to a natural disaster, at-the-elbow support from the government
could help health care organizations remediate an attack. For
example, an organization recovering from a ransomware attack
may need assistance cleaning and redeploying the computers used
by their staff. On-the-ground support could help reduce the
time it takes to bring systems back online by patching devices
or by delivering a strategic reserve of computers and network
equipment that can be used immediately. This could reduce
recovery time by hours or even days, providing tremendous value
to health care organizations and the patients they serve.
In closing, people often ask me what keeps me up at night,
and it is the fact that we have to be perfect 100 percent of
the time, and the bad guys, they only need to get lucky once.
Thank you for the opportunity to share Epic's perspective
on this important topic.
Chairman Peters. Thank you, Mr. Martin, and thank you for
your opening comments.
My first question is for Mr. Dresen. Clearly we know that
cyberattacks are pervasive all through our society and all
across our economy now, and they are increasing in intensity.
But my question for you is what do you see as a distinguishing
characteristic of working to secure the health care sector from
cybersecurity attacks when we look at it in total? What is the
distinguishing factor with health care?
Mr. Dresen. Thank you, Senator, for that question. I
appreciate the opportunity to answer. For me, the defining
characteristic of the work that we do really comes down to the
clarity of focus we have around the impact of the decisions we
make, the actions we take, and the things we are doing to help
protect our organization, understanding that when a cyberattack
does occur and has the potential for significant operational
disruption, financial penalties, longstanding reputational
impact to the organization, it ultimately affects our families,
it affects our neighbors, it affects our community. There is a
clear connection to purpose for the work that we do,
understanding that the impact if things do not go well can be
significant on the people who are closest to us. For me that is
the defining characteristic of what it means to protect the
health care sector from cyberattack.
Chairman Peters. Thank you.
My next question is for you, Ms. Pierce. Certainly all
hospitals across the country are still dealing with the impact
of Coronavirus Disease 2019 (COVID-19) pandemic. But rural
hospitals, in particular, are really challenged. They are often
bound to provide care to a high concentration of patients with
limited financial resources. As you mentioned, these hospitals
are often located many miles apart. They are very far from
urban centers which present a number of other challenges for
them.
My question for you, ma'am, is how can the Federal
Government help ensure that small and rural hospitals are able
to invest in cybersecurity while also balancing all the needed
investments that they have to make to provide quality patient
care?
Ms. Pierce. Thank you for that question, Senator Peters.
Senator Warner stated it well when he said that cybersecurity
is patient safety. Cybersecurity initiatives cannot be
considered in isolation. They have direct and immediate impact
on patient care, and small and rural facilities are currently
devastated still by the pandemic, with staffing shortages. They
have seen significant increases in cost with supply chain and
technical costs skyrocketing.
Rural facilities also tend to serve lower-income patients,
and they have shown that the longer patients have to travel is a
direct correlation to the income levels for the patients. This
means that our Medicaid population is typically higher in these
rural facilities. Medicaid reimbursement tends to lag behind
and is lower than the average cost of care for these rural
facilities. Even Medicare reimbursements for critical access
hospitals (CAHs) tend to lag two to three years behind as cost
reports for those facilities take time to reconcile.
We are experiencing these high costs, but it is taking a
long time for the reimbursement levels to catch up, which is
creating a crisis in budgets. I have seen small hospitals
running 5 to 10 percent below budget for their facilities, and
we cannot continue at that rate.
While I agree it is important to control costs,
cybersecurity should be a built-in requirement for all
hospitals, with minimum standards that are required. Medicaid
should also reimburse at cost. The subsidies for hospitals
could be in the form of grants, it could be in the form of CMS
increased reimbursement for services, or incentive programs
similar to meaningful use, sort of a meaningful security type
incentive program.
I urge you, however, to not delay any longer. Many rural
hospitals are already on the brink of closure. Thank you.
Chairman Peters. Thank you, Ms. Pierce.
Mr. Garcia, in your experience how is the Health Sector
Coordinating Council, along with the Federal Government,
working right now to address some of these significant
challenges faced by our small and rural hospitals?
Mr. Garcia. We have a number of engagements with our
government partners on a regular basis. Every other Friday, in
fact, we meet with our HHS and CISA counterparts to think about
longer-term strategic direction. In fact, we are beginning the
process now of developing a five-year strategic plan, looking
at how is the health care industry changing over the next five
years, what cybersecurity challenges do those changes
introduce, and how do we prepare for them.
I will say one of the flagship resources that we produced
that is scalable from small, rural, critical access hospitals
all the way up to the large national and regional systems is
something called the Health Industry Cybersecurity Practices
(HICP). This was initially the result of an act of Congress,
and it comes out of something called the 405(d) program,
section 405(d) of the Cybersecurity Information Sharing Act of
2015. It directed HHS to work with industry to develop a series
of cybersecurity best practices for health systems. That
process took about a year and a half to develop these best
practices, which is a joint effort between HHS, which owns the
405(d) program, and the Health Sector Coordinating Council.
This is partnership at its best, where there is consensus
about what health systems need to do in cybersecurity, some of
the basic blocking and tackling, not necessarily expensive and
a high investment level, but some of the foundational elements
of good cybersecurity practices.
That is one example, and on our website,
healthsectorcouncil.org, there are 18 resources, best practices
that are accessible to any stakeholders who need them, all the
way from medical device security best practices to workforce
development to intellectual property protection, supply chain
security, which is a huge issue for all of us. I would commend
the public to those resources.
Chairman Peters. Thank you, Mr. Garcia.
Senator Hassan, you are recognized for your questions.
OPENING STATEMENT OF SENATOR HASSAN
Senator Hassan. Thanks, Mr. Chair, and thanks for holding
this hearing, and thank you to our witnesses not only for being
before the Committee today but for the work you do to protect
patient privacy and safety. We really appreciate it.
Ms. Pierce, I want to start with a couple of questions for
you that really follow up on what Senator Peters was asking
about with the focus on rural hospitals. I am really concerned,
as someone from a small State, your next-door neighbor, New
Hampshire, about cybersecurity threats to rural or smaller
health care providers.
In 2021, a ransomware attack targeted a small health
service in Berlin, New Hampshire, forcing the provider to shut
down some of its clinics for several days. Based on your
experience as a cybersecurity professional, what are the most
significant cybersecurity challenges facing rural and smaller
health care providers?
Ms. Pierce. Thank you for that question, Senator. I believe
that some of the biggest issues that these organizations face
are the fact that nearly all the staff in a critical access
hospital or a small facility wear many hats. They do not
specifically focus on cybersecurity, and with the competing
priorities that we are now seeing in health care, it is very
difficult to focus on something that is not required. If I had
10 things to do today and I knew that two of them were mandated
and required for me to do, those are the things that I will
focus on.
As we continue to provide guidance and recommendation from
the Federal Government we have not seen any minimum standards
or requirements from the government which would take us to the
point where those would become imperative for facilities to
implement. I would urge us to go in that direction but do not
do that without supporting us in achieving those standards.
Senator Hassan. Right, because one of the differences I
think you are really referencing is a larger, more metropolitan
hospital might have the capacity to have an administrative
staff, where somebody with the expertise and focus can really
devote themselves to cyber, and in our smaller places, even
when they are fully staffed on the patient care side, the
administrative staffing tends to be very sparse.
Ms. Pierce. I agree.
Senator Hassan. There are a number of resources and tools
available for health care entities to improve their
cybersecurity, such as the best practice guidance that Mr.
Garcia described today in his testimony. But as we have just
discussed, rural hospitals are under-resourced, understaffed.
You got at this a little bit with Senator Peters, Ms.
Pierce. You were talking about the need to make sure funding is
really reimbursing costs. But what specifically can the Federal
Government do to ensure that small and rural health care
providers are both aware of and have the ability to utilize
existing resources and tools for cybersecurity?
Ms. Pierce. I think the first step that we need to take is
to move from guidance and recommendations to minimum standards.
Once we do that I believe that those recommendations and
guidance will be very helpful in moving that sector to secure
their environments.
Currently I have worked with a lot of small hospitals,
being with Fortified, hospitals across the country, and
invariably they are at a state where there is either absolutely
no security program or it is very minimal.
We asked all of our health care organizations to perform
risk assessments when we implemented the Health Information
Technology for Economic and Clinical Health Act (HITECH).
Everyone is now aware of where their risks are, but they are
choosing to accept those risks mostly for financial reasons,
where they cannot afford or cannot staff their personnel to
address those risks.
Senator Hassan. Your thinking is that some baseline
standards and requirements would kind of drive hospitals to
work with the Federal Government and others to find out the
resources they need and then to actually prioritize that. Is
that fair?
Ms. Pierce. That is fair. Also do not forget, we need to
also provide them the ability to actually implement their
security measures.
Senator Hassan. Fair enough. OK.
A question for you, Mr. Garcia. The Health Information
Sharing and Analysis Center (Health-ISAC), is a valuable forum
where health care partners can share vital cybersecurity
information such as intelligence about current and future
threats or best practices for addressing those threats.
However, as we just heard, smaller health care entities are
already under-resourced and understaffed. In your experience,
do rural and smaller health care entities have adequate access
to the Health-ISAC?
Mr. Garcia. The Health-ISAC does provide a lot of free
resources to the public at large. I think, as Ms. Pierce
expressed, however, there is a lot of information out there,
and trying to sift through it in ways that would be relevant
and actionable to your particular instance, is difficult.
Many hospital systems around the country rely also on
regional clusters, information sharing and analysis
organizations, peer organizations within a region where there
is a trust relationship.
There are a lot of options for how you gather your
information. At this point, the Health-ISAC is populated by a
lot of very well-resourced organizations that do have
sophisticated information security professionals who are really
tracking this on a 24/7 basis.
The priority is for every organization to consider what
kind of information are you able to actually take in and then
take action on.
Senator Hassan. Are there incentives that we could use to
help smaller rural hospitals really access the Health-ISAC, or
are there barriers that they have to membership in it right
now? How can we help them become more integrated into the
Health-ISAC?
Mr. Garcia. My feeling is it is a small investment. It is
an investment into collective defense. But absolutely, I think
that some kind of subsidies or financial support for smaller
systems to get involved either in the Health-ISAC or other
information-sharing organizations. If it is a cost-matching
subsidy that would help them into this kind of a community I
think would be tremendously beneficial.
Small hospitals have to make all kinds of existential
financial decisions about resource prioritization, so to help
them get into a collective organization where you have this
communal situational awareness I think is a good first step.
You cannot protect against what you do not see.
Senator Hassan. Thank you. Thank you, Mr. Chairman.
Chairman Peters. Thank you, Senator Hassan.
Senator Carper, you are recognized for your questions.
OPENING STATEMENT OF SENATOR CARPER
Senator Carper. Thanks. Thanks so much, Mr. Chairman.
Thanks for pulling this all together. Important subjects. To
our panel, thank you for joining us as well.
My first question I am going to ask each of you to respond
to. My second question, if I have time, Mr. Garcia, it will
come to you.
A question for all of you, and let us just start with Mr.
Martin. It deals with cyber best practices and preventive
measures. But when I think about health care I focus on a few
key points. One of those is access to health care, making sure
Americans broadly have access to health care, affordable health
care hopefully. I focus on the quality of the health care that
is provided. I focus a lot on prevention, not just dealing with
the symptoms or problems but also working on prevention. I also
think about a right to privacy and empowering people to do
things to help keep themselves healthy.
When it comes to cybersecurity I believe these same issues
apply, which leads me to two questions that I want to ask each
of you to take a moment to respond to. The first of those
question is how can the Federal Government improve access to
information on cyber best practices for the health care
industry? That would be the first question. The second is how
can we make sure that the health care systems are doing their
part to take preventive measures to protect their own networks?
Mr. Martin, would you lead us off please?
Mr. Martin. Senator, thank you for your questions. In terms
of providing access to best practices, there is no shortage of
recommendations and guidance and things that organizations
could be or should be doing. As I look across the broader
industry, the challenge we see is taking stock of all of those
different resources and deciding what to actually do, given all
those different inputs. As I talked about in my opening
statement, one of the key things that the Federal Government
can do to help would be to establish a minimum threshold for
security best practices, and that threshold can and should
continue to change through time. We need to continue to raise
all boats here by continuing to advance the state of security
in the industry, but having that minimum threshold would be
incredibly helpful for our organizations, which then gets to
your second question of what can the organizations do.
Today, they are trying to balance lots of different
competing priorities, whether you are a large organization or a
smaller organization, as Ms. Pierce talked about, trying to
balance all those different competing priorities is incredibly
challenging. Having that minimum target to shoot for will help
make sure everyone is marching toward that target and
ultimately raise the security posture of everyone in the
community.
Senator Carper. All right. Again, the same two questions
for the others, and Mr. Garcia, we will go to you. How can the
Federal Government improve access to information on cyber best
practices for the health care industry? That is No. 1. No. 2,
how can we make sure that the health care systems are doing
their part to take preventive measures to protect their own
networks? Go right ahead.
Mr. Garcia. Yes, sir. Thanks for the question, Senator.
Within the Department of Health and Human Services is an office
called the Health Care Cyber Coordination Center (HC3), which
is a knowledge center which is growing, and we would like to
see that grow more. It is the center that collects information
about cyber threats, vulnerabilities, incidents, provides
analysis, and then, in turn, pushes it back out to the health
sector. They have regular monthly briefings, talking about
various threats and what to do to mitigate against those
threats. That is a very helpful resource.
On top of that I mentioned earlier the Section 405(d) task
group that has produced the Health Industry Cyber Practices.
That update is coming out in just a few weeks. It is going to
be called HICP 2023. This is a set of best practices, just as
Mr. Martin was referring to, that are minimum security
practices that all health systems should be implementing, and
those are developed by the sector, for the sector, and jointly
with HHS.
There is, as Ms. Pierce said, a glut of information
security best practices out there. We need to pick one because
there is a lot of confusion. We advocate that the Health
Industry Cyber Practices is probably the best effort at a joint
government publication, freely accessible to all. Then CISA
needs to follow and push that along with us. That is No. 1.
Question No. 2 is how can health systems do their part. We
have talked about that a lot, and we need to do a culture
change. It has been a cultural problem for as long as I have
been in cybersecurity that everyone outside of the security
team says, ``Cybersecurity, that is the security team's job. It
is not my job. I am the CIO. I am the Chief Executive Officer
(CEO). I am in administration.'' No. It is actually everybody's
job, right down to the clinician.
Indeed, one of the biggest threats in cybersecurity
generally is the frontline user, anybody who is touching a
keyboard or a tablet or a phone or any kind of medical
technology.
Senator Carper. I am going to ask you to hold it right
there. I want to give these folks an opportunity.
Mr. Garcia. Certainly.
Senator Carper. Thanks for those responses, though. Ms.
Pierce.
Ms. Pierce. I agree with Mr. Garcia and Mr. Martin. There
are a number of best practices available. As Mr. Garcia said,
they have published many documents on cybersecurity, so I do
not think that there is a lack of information.
What I think is happening, especially for small and rurals,
is there is a lack of attention to the information. It is not a
priority currently because there are so many other things that
are competing for immediate attention. There is no one taking
those best practices off the shelf and actually putting them in
practice within those organizations because it is currently a
recommendation or a guidance. It is not a requirement.
Senator Carper. OK.
Ms. Pierce. I would say the best thing we can do is set
some minimum requirements and then begin to embed them into
everything that we do in health care. Even with the 21st
Century Cures Act there were mandates on interoperability.
There has been a big expansion of devices and technologies that
have been implemented. But cybersecurity is always a second
thought.
Senator Carper. OK. Hold it right there. Mr. Dresen, I am
running out of time. Just very briefly, if you can, to both
questions please.
Mr. Dresen. Thank you, Senator. Very briefly, to complement
what my panelists have already stated, I think the other aspect
of making best practice information available is ensuring that
we have adequate staff to execute and implement those best
practices, so advocacy and sponsorship of programming to help
build a cyber-educated workforce so that we have qualified
individuals who can participate in our organizations to
implement those best practices would be extremely useful.
In the context of the health care sector's ability to do
that is to hire those people and get them implementing those
best practices to support our protections.
Senator Carper. Great. Mr. Chairman, I will ask, for the
record, a question dealing with communications between CISA,
HHS, and the health sector. If you receive that question for
the record, please respond. That is all I ask.
Thanks, Mr. Chairman.
Chairman Peters. Thank you, Senator Carper.
I need to leave briefly to be at an Armed Services
Committee hearing, so Senator Padilla will take the gavel. But
before I leave I will recognize Senator Hawley for your
questions.
OPENING STATEMENT OF SENATOR HAWLEY
Senator Hawley. Thank you very much, Mr. Chairman, and
thanks to all the witnesses for being here.
This is a topic that is very important to us in the State
of Missouri, where we have not only many hospitals, of course,
but many rural hospitals, and there have been a number of major
cyberattacks against hospitals in the State of Missouri. In
September 2021, for example, a ransomware group stole
confidential patient information which included names, Social
Security numbers, and medical information from a health center
in Sikeston, Missouri, which is in the southeast part of our
State. In March of last year, it was reported that a hospital
affiliated with the University of Missouri Health System
experienced a cyberattack in which a third party gained
sensitive patient data. A few months ago a hospital based in
Marshall, Missouri, found out that more than 112,000
individuals were affected by a data breach. Obviously this is a
very significant problem, and I am also concerned about the
interplay of foreign adversaries here like China, and I want to
get to that in just a second.
Ms. Pierce, if I could start with you and focusing, in
particular, on rural hospitals. In Missouri we have 67
hospitals classified as rural hospitals, including one in the
town where I grew up. That is about 40 percent of the hospitals
in my State. We are a rural State, and proudly so, but I am
obviously very concerned about the threat that cyberattacks
pose for rural hospitals in particular.
And I wonder if, just building on the statements you made to
Senator Hassan, you can give us a sense, what are the one or
two most important steps that you think rural hospitals and
rural health care facilities can take to shore up their cyber
defenses?
Ms. Pierce. Thank you for that question. I have had the
pleasure of working with some hospitals from your State, and I
can assure you that it is not for lack of wanting to address
these issues. Part of the issue that I am seeing across the
board, from not just Missouri but from other States, is just a
lack of funding, and a lack of ability to be able to address the
issues that they know about.
Some of the things that they could do I had included in my
written statement, but top priorities would be they need to
obviously have strong passwords and multifactor authentication
(MFA). We have done a poor job at implementing strong passwords
and MFA, and that is one of the areas where attackers are able
to breach our networks. Another aspect that is important is
being able to monitor our networks 24/7. Most small facilities
have no staff to be able to monitor. Even if they have the
tools for a log management or for monitoring the endpoint
devices, if nobody is watching the console and nobody is there
to pick that attack up then it could be hours, critical hours
in a cyberattack, before they even notice that somebody has
gotten into their network.
Senator Hawley. Let me ask you about the urban-rural
divide. How do you assess the current state of cybersecurity in
rural hospitals versus urban, and if there is a disparity, as I
imagine there is, to what do you attribute that? Is it funding?
What are the factors there?
Ms. Pierce. I would say from my experience, urban hospitals
predominantly have staff within their facility, most of them
have multiple staff that are addressing each area of the
complex issue of cybersecurity. Smaller facilities, from my
experience most of them have no staff that are directly
assigned to cyber or they have very little staff in that area.
I think there is a huge disparity between them.
What is important to know is that most small hospitals are
connected to larger tertiary care centers. They need a place to
refer their sicker patients. This is the path of least
resistance for cyber attackers. When they are trying to figure
out how to attack large health systems they are coming in
through small hospitals, and we have seen that play out in
2022, where a small hospital is the avenue of least resistance.
The cyber attackers attack there, where they know the defenses
are low, and actually gain access to a plethora of information.
Senator Hawley. Is part of what needs to happen here, these
rural hospitals that, as you say, are often part of larger
hospital networks, I mean, at the network level do we need to
have more staff there that can perform the monitoring? Because
I am thinking about the hospital in the town where I grew up.
My little town was the county seat and it was the county
hospital, but they did not have excess staff--not that it is
excess to cybersecurity, but they did not have a lot of staff.
Let us put it that way. What staff they did have were treating
patients, which is exactly the scenario you have described.
Trying to think about when we try to find a solution for
these rural hospitals and we say, ``You need to have staff that
are devoted to cybersecurity,'' they are going to say, ``How in
the world would we do that?'' Do we need the larger hospital
networks, who, at the administrative level, probably do have
staff, should they be the ones who are taking on this burden? I
mean, what is the path forward here, do you think?
Ms. Pierce. I think we did allow, through Stark law
changes, for larger facilities to assist smaller facilities
with their cyber defense, and we saw absolutely no traction in
that area. Large health systems were given some leeway to
assist and they have not extended those opportunities to small
facilities.
I believe that the answer would be to incentivize those
facilities to secure their own networks, to ensure that they
have access to some funds that will enable them to implement
the security that they need to protect their networks.
Senator Hawley. Very good. Thank you for that.
Mr. Dresen, if I could just switch to you for a second, I
want to talk about China. You write, in the testimony you
submitted, about the increasing frequency of attacks from
nation-state actors and organized crime. Just drilling in on
China for a second, do you have any sense of the number or
percentage of the attacks we have seen recently, these
cyberattacks, that are committed by Chinese hackers?
Mr. Dresen. I do not have specific details of the source of
attack from China versus Russia versus other countries. It is
just significant in terms of the daily barrage we get, and are
repelling to help protect us.
Senator Hawley. What could the government do, the U.S.
Government be doing to help protect hospitals and health care
systems from attacks by these nation-state actors, and
particularly again given China, where we have heard testimony
in this Committee before about the huge increase in
cyberattacks, across industries, but arguably none more
important than the health care industry. What could the U.S.
Government be doing to help counter that?
Mr. Dresen. We need to take a whole-team approach to solve
this problem, where the hospitals and health care sector are
the defensive side of that equation and that relationship,
where we are defending our organizations and then having the
Federal Government bringing higher levels of risk and
consequences to those who are attacking us. I think the recent
example of the Hive being taken down is a great one to
celebrate, a reduction of risks to our organizations.
Getting more aggressive like that to help protect the
organizations, and then again, helping to provide more
actionable intelligence to the health sector in a real-time
manner, to allow us to be as able as possible to protect
ourselves with the most current threat information that the
government has access to.
Senator Hawley. Thank you.
Senator Padilla [presiding]. Thank you, Senator Hawley.
Senator Blumenthal is next.
OPENING STATEMENT OF SENATOR BLUMENTHAL
Senator Blumenthal. Thank you, Senator Padilla. Let me
pursue that question. Would it not be important for our law
enforcement and intelligence agencies to take more proactive
and maybe more aggressive action with respect to China and
Russia if they are condoning or even encouraging ransomware
attacks?
Mr. Dresen. We would certainly promote and advocate for
increased collaboration between government agencies, especially
those who have threat intelligence and awareness of those types
of activities.
Senator Blumenthal. More than just collaboration. Should
there not be greater focus, or resources devoted to it, and
more prosecution? Obviously, prosecution may be difficult
because the actors may be beyond our jurisdictional reach, but
certainly there are sanctions that can be imposed.
Mr. Dresen. Opportunities for attribution are challenging
in these types of circumstances, and so when that is possible I
would certainly support it. The actionable threat intelligence
that these entities can share with us to help us better protect
ourselves defensively would be extremely helpful.
Senator Blumenthal. Do you think there is actionable
intelligence that right now is unshared?
Mr. Dresen. I think there probably is in the context of
active investigations that may be taking place. The opportunity
to share that with our sector as much as they can would be
encouraged.
Senator Blumenthal. Do you know of specific investigations
that have not been shared?
Mr. Dresen. I do not.
Senator Blumenthal. Do you hear from colleagues in the
industry about such investigations?
Mr. Dresen. Not typically, no.
Senator Blumenthal. Why do you say there are?
Mr. Dresen. I think there is a perception that from law
enforcement, when they tell us that they may have
investigations they cannot share information with us, they do
not give us specifics. They just make us aware that there are
active investigations. Then we see through press reports when
they do release information, like the Hive getting taken down.
You understand that was a very long process that it took them
to take that action, and so you understand that those types of
activities take time to work themselves through.
Senator Blumenthal. If there were more effective
prosecution, either by the Department of Justice (DOJ) or by
other agencies, it would have some deterrent effect.
Mr. Dresen. I think any improvement in our ability to
defend ourselves from those threats would be helpful.
Senator Blumenthal. Do any of the other members of the
panel have responses on this issue?
Mr. Garcia. Yes, I would say that there are innovative ways
to deal with this before there is an opportunity for
prosecution, that is various forms of takedown. I was with the
financial services sector some before this, and we worked
closely with the Justice Department to identify criminal groups
that were waging botnet battles, that is hundreds of thousands
or millions of computers infecting major systems. We worked with
the Justice Department, using available statutory authorities
such as the Racketeer Influenced and Corrupt Organizations (RICO)
Act, to simply take down the network that was operating the
botnet. It was a proactive way of dealing with it.
Other actions are clearly classified in the intelligence
community (IC) that the private sector does not participate in,
but there is a lot of information that cannot be shared with
industry because it has been classified or it is under
investigation, as Mr. Dresen said.
Senator Blumenthal. Should more of it be unclassified to
help industry safeguard itself?
Mr. Garcia. I think there is general consensus that there
is a problem of over-classification in the government. Too much
information is being classified unnecessarily. Indeed,
information that sometimes flows from the private sector to the
government is subsequently classified.
Senator Blumenthal. In other words, information comes from
open public sources, it is provided to an agency of government,
and then it is classified?
Mr. Garcia. Because there may be additional intelligence
attached to that, that adds nuance or context.
Senator Blumenthal. Would you like to see more effective
investigation, more takedowns, more prosecution by the
Department of Justice or other agencies?
Mr. Garcia. Certainly. Absolutely. Any way that the
government can help disrupt incidents before they happen, based
on intelligence that it may or is about to happen, that would
be helpful to the industry, to all critical infrastructure
industries.
Senator Blumenthal. Do you or other members of the panel
have any indication that there is sometimes cooperation within
the victim institution that enables the hackers to gain access?
Mr. Garcia. Insider threat is a typical problem. Most
often, insiders within a company are just making inadvertent
errors. Others, there are disgruntled employees, and that is
pretty common anywhere, whether it is cyber or financial fraud
or other issues.
Senator Blumenthal. I do not know whether anyone else has
anything to add on this topic, but it is one of great interest
to me because I think we have devoted insufficient resources
and priority to these kinds of attacks, which are threatening,
seriously threatening to the health of our Nation, not to
mention to privacy. Would you agree?
I see most heads are shaking in the affirmative, let the
record show.
Let me ask, in terms of the other aspects that are
problematic, as you may know, Cerebral and BetterHelp are
mental health startups that shared data with social media
platforms, in other words, sold or monetized that data. The
Federal Trade Commission (FTC) fined BetterHelp for sharing
that health care data to profit from targeted advertising.
Given the increasing sharing of health care data, what kind
of privacy and security standards would you think should be
enhanced or improved to prevent the abuse of that sharing? I
will ask the panel as a whole.
Mr. Garcia. I would say, Senator, that there is an
increasing amount of personal health information that is
circulated and not regulated, based on wearable technologies
and home medical technologies. There have been groups, other
than ours, that are looking into what kinds of data are being
shared that are not under some kind of regulatory scrutiny, and
then how do we shore that up. I do not have specific answers on
that for you.
Senator Blumenthal. Cerebral recently disclosed it had
shared personal data of over 3.1 million American patients with
TikTok, Facebook, and Google. Obviously, this is not a
cyberattack, but it is an attack on the patients, not an attack
as perhaps we would characterize it normally. But it is an
attack on their privacy, and I invite you to think more about
it and respond in writing if you have any additional ideas.
Thanks, Mr. Chairman.
Senator Padilla. Thank you, Senator Blumenthal.
OPENING STATEMENT OF SENATOR PADILLA
It is my opportunity to ask questions next, and continuing
on with that last question, or issue that you raised, Senator
Blumenthal, I may, in my time, hopefully get to a follow-up
question on that, because it may not be a cyberattack but it is a
hugely significant vulnerability that you raise.
Our health care system is uniquely important and vulnerable
to cybersecurity attacks and vulnerabilities, and the issue
touches all of our constituents. As has been discussed, data
breaches and ransomware attacks on health care providers and
third-party device makers have affected millions of
Californians alone. I reviewed the mandatory breach
notifications filed with the Department of Health and Human
Services, and as of yesterday morning, there are 63 different
California-based breaches of unsecured protected health
information under investigation, affecting over 90 million
people. That is more than two times the State's population, so
the national scale of the problem is alarming.
In addition to the inappropriate disclosure of personal
information, any disruption to the systems used in the health
care and public health care settings could be catastrophic for
many Americans who rely on their services for care. I thank
Chairman Peters for holding this important hearing.
The first question may seem a little basic, and maybe a
little softball, but I think it is critical for folks that are
following this person, in person and online.
Breaches in the health care sector allow for the
disclosure of patient health information as well as Social
Security, other personal identifiable information (PII), and
sensitive information. I want to be sure that the public
appreciates why this information is so sensitive for patients
and why the health care sector, in particular, is such an
attractive target for attacks.
I will direct the question to Mr. Martin. Why is personal
health information so sensitive and valuable to those who seek
to steal it?
Mr. Martin. Senator, thank you for the question. Part of
what makes health care data so sensitive is that it does not
change, that it is something that continues to grow, but it is
not something that can be reset or changed, like a password or
credit card number or something like that. Once it falls into a
bad actor's hands, that information can be used in perpetuity
to purport future crimes, whether that is identity theft or
blackmail the individual. Those types of things then become
possible forever as opposed to something where an individual
could take an action to stop that happening in the future.
Senator Padilla. Thank you. It is, again, important, I
think, to put a spotlight on.
Now according to a report last year from the cybersecurity
firm, Sophos, 66 percent of health care organizations, two-
thirds, were hit by ransomware attacks last year. Forty-four
percent of health care organizations suffered an attack in the
last year, and took up to a week to recover from the most
significant attack, and 25 percent of them took up to a month.
I will direct the question to Mr. Garcia. Can you speak to
the specific challenges that health care organizations face in
recovering from a ransomware attack and the resulting impact on
people seeking medical care? I think a more direct version of
the question that Senator Hawley asked, vis-a-vis foreign
actions, how can the government help reduce the recovery time?
Mr. Garcia. That is a very good question. Many hospitals
that are disrupted by ransomware attacks are unable to schedule
appointments, they are unable to perform procedures or
surgeries. They have to go to a paper-based environment. Our
graduating medical students these days have never seen a pad of
prescription paper with a pen. It is all electronic now.
Senator Padilla. Does that mean their penmanship is even
worse?
Mr. Garcia. Their penmanship is even worse. It is now all
thumbs.
Getting back online, we actually put together a resource
for health systems that have been disabled for an extended
period of time. It is called ``Operational Continuity After a
Cyber Incident,'' and there are many steps that need to be
taken to ensure that you appropriately sequence getting
infected systems back online so that they are not reinfected,
and prioritizing continuity of care to those patients who need
it most, and that includes getting your financial systems back
online so that you can get reimbursement so that you do not go
into the red and insolvent.
Recommendations about what the government can do to help,
one of the things we have been discussing and we sort of
touched on, on this panel, is can there be a strike force from
the government that can come in and help with, whether it is
CISA or HHS, to help with reconstituting systems and bringing
things back online, doing the forensics and the triage at a
cybersecurity level for those smaller systems. That could
include some kind of financial assistance to make sure that the
priority is going to patients while they are bringing systems
back online.
Senator Padilla. Thank you. In my time left I want to raise
one more issue and question. Today there are hundreds of
thousands of unfilled vacancies in cybersecurity positions
nationwide. Both private and public sector employers face
challenges in recruiting, personnel, hiring, and retaining
professionals to fill these vacancies, which negatively affects
our collective cybersecurity.
Growing talents is a priority under the recently released
White House National Cybersecurity Strategy and Congress. Mr.
Garcia and Ms. Pierce, can you speak to the specific and unique
challenges in the health care sector as far as identifying,
recruiting, hiring, and retaining IT professionals, and do you
have any recommendations for us today?
Ms. Pierce. Thank you for the question. I can personally
share that recruiting and retaining cybersecurity staff is a
daunting task for a small facility. I do not believe that there
will be a time when small hospitals will have dedicated
cybersecurity staff in-house. I believe moving to a managed
service provider type environment where those types of services
are outsourced to the people whose business is cybersecurity
defenses.
Hospitals' main priority is taking care of patients. It is
health care. That is their mission. It is not cybersecurity. I
believe if we go to a model where those things are more
outsourced it would be beneficial for smaller facilities.
Senator Padilla. First do no harm, and I think that is
inclusive of protecting somebody's personal and health
information. Senator Rosen.
OPENING STATEMENT OF SENATOR ROSEN
Senator Rosen. Thank you, Senator Padilla. I really
appreciate it. We are all going to build off of each other on
these questions, and I really want to thank you all for being
here today, for the work you are doing.
Of course, we are here to talk about health care
cybersecurity. As one of the 16 critical infrastructure
sectors, securing the health care and public health sector we
know is critical to protecting our national security, for
obvious reasons. Over the past three years, the health care
data breaches have doubled. In addition to threatening patient
privacy and security, as all of my colleagues have mentioned,
these attacks ultimately drive up the cost of health care as
well, as there have to be more investments made in protecting
this data.
Last Congress Senator Cassidy and I introduced the
Healthcare Cybersecurity Act. It was bipartisan legislation
that would require CISA to coordinate with and make resources
available to health care entities, including by developing
products tailored to the specific needs of small and rural
hospitals and health clinics, to what you are speaking to, Ms.
Pierce. You spoke to maybe a task force or separate businesses
for ransomware security issues.
But Mr. Garcia, and then Mr. Dresen, maybe you can speak
about how we could maybe, in the meantime, or instead of doing
that, or in conjunction, how can we provide cybersecurity
training to the health care assets owners and operators so that
we can empower them to be partners in this, instead of just
maybe turning it over, that they are engaged and empowered,
especially these small and rural hospitals. Like you said, they
do not have the capacity to have IT staff. But we want their
empowerment and engagement.
If you could speak to that. First, Mr. Garcia, and then Mr.
Dresen.
Mr. Garcia. Certainly. Thanks for that question, Senator. I
mentioned previously a resource that the health care industry,
our Council, and HHS together produced called Health Industry
Cybersecurity Practices, which is intended to provide the top
ten cybersecurity best practices that health systems need to
implement to be cybersecure. This is a strong partnership
between HHS and the sector, and we look to CISA with the
technical support. They have regional cybersecurity advisors
all over the country and they do provide assistance, technical
assistance, not just to health systems but to many other
industry sectors.
We would like to see them use the HICP in their engagement
with health systems around the country, because CISA does not
itself have health care expertise. They need to rely on their
sector risk management agency, HHS, as the guiding force for
the technical support that CISA should provide. We believe that
the HICP and the HICP which is based on the NIST Cybersecurity
Framework, which is by now a de facto standard, that is the
best way to provide focused level of controls to the health
care industry and try to remove some of the noise around too
many choices to implement.
Senator Rosen. That is right.
Mr. Dresen. Thank you, Senator Rosen. I would call two
examples of opportunities I think could demonstrate how we
could be more effective collaborating together. The first is an
organization in the State of Michigan called the Michigan
Healthcare Cybersecurity Council, and it is an organization
that has been together for about 10 years, and originated with
the sponsorship from the Governor's Office at the time. It
brought together all the health care entities in the State of
Michigan to create an environment where we could have a
collaborative discussion around cybersecurity issues, we could
share best practices. It connected large systems with small
systems so that you gave that connectivity and access to
expertise to everybody in the State to help improve the State
of the health care sector overall.
Connecting programs like that to CISA, as Mr. Garcia
suggested, is an excellent way to connect the knowledge with
the ability to deliver that information to the people who most
need it.
The other example I would share is an organization in Grand
Rapids called the West Michigan Center for Arts and Technology,
and they have an innovative program, and Senator Peters had a
chance to visit last year, and we thank you, Senator Peters,
for you doing that. It is a program to train diverse students
who are interested in entering the cybersecurity field, and is
a tuition-free program that puts them through education
delivered by a partner entity out of California. They come out
of that program with certifications and employability in the
cybersecurity field, which enables them to have a living wage
for them and their families and provides a well-needed access
to talent that is needed in the health care sector.
Advocacy for and sponsorship of those types of programs at
the Federal level can help local entities deliver that talent
where it is most needed.
Senator Rosen. Thank you. Collaboration amongst entities
and building the pipeline through apprenticeships, those are
some of my future questions, so we will collaborate and get the
information from Chair Peters.
But also we have been talking a lot about our medical
device cybersecurity. It is very important people have the test
of pacemakers, all kinds of things. You just call in on your
phone and they get all of those results. I did have a bill last
year to strengthen medical device cybersecurity, the updated
the Food and Drug Administration (FDA) guidance, and it was
included in last year's FDA package and became law as part of
the omnibus. I do hope, in conjunction with the other things we
are working on, that this legislation becomes a platform for
FDA and CISA to work together going forward. You have spoken a
lot about it, but we are beginning to give those tools.
But I want to build out a little bit about your, in the
minute I have left, Senator Padilla's question and everyone's
question, is building and expanding our workforce because there
are nearly 800,000 cyber jobs. In every single sector we are
facing these same challenges. I have introduced a bill with
Marsha Blackburn, the Cyber Ready Workforce Act, to surge up
capacity with the Department of Labor (DOL) to award grants to
increase access to things like a registered apprenticeship
program that is going to lead to an industry-recognized
certification, encourage those stackable and portable
credentials so people can get into the system.
Mr. Garcia, since Mr. Dresen already talked about it, can
you explain how we could improve and expand these
apprenticeship programs through public-private partnership,
through a community college, that will really help get people
working in the industry and then they can move up where they
need to?
Mr. Garcia. There are lots of ideas to that effect, and one
that could even be modeled on the medical profession itself, that
is there is a loan forgiveness or some other kind of subsidies
for medical students when they go into small to rural settings,
that they will be forgiven some medical school debt.
Senator Rosen. I have some of that legislation myself I
have sponsored.
Mr. Garcia. That is perfect. The same can be done for
cybersecurity, and we have that with the National Security
Agency Centers for Academic Excellence in Cybersecurity,
scholarship for service by National Science Foundation (NSF).
There are various ways that we can incentivize students to
study cybersecurity and then go into the workforce where it is
most needed and get some level of compensation for that.
Senator Rosen. Thank you. I see my time has expired. Chair,
you are back, Chair Peters. Thank you.
Chairman Peters [presiding.] Thank you, Senator Rosen.
Senator Sinema, you are recognized for your questions.
OPENING STATEMENT OF SENATOR SINEMA
Senator Sinema. Thank you, Mr. Chairman, and thank you to
the witnesses for joining us today.
Last year, when Yuma Regional Medical Center fell victim to
a ransomware attack, 700,000 patients were notified that their
personal health data had been stolen. But when a hospital is
hacked it is not just Arizonans' sensitive data that is placed
at risk. Particularly in rural communities where alternative
hospitals may not be available, crippling cyberattacks can
literally be matters of life and death.
This is also true in other health care contexts. Last year,
the National Suicide Hotline was brought offline by a
cyberattack, resulting in an entire day where Arizonans facing
mental health emergencies could not call 988 and receive the
support they needed.
My first question is for Mr. Dresen. Imagine looking in the
eyes of a parent whose child may have called the Suicide
Hotline on December 1st but was not able to get through due to
the cyberattack. I am committed to ensuring that our nation's
suicide prevention system is better prepared for the next
attack. The question for you is, what lessons should other
public health stakeholders take from the hack on the 988
lifeline?
Mr. Dresen. Thank you, Senator, for your question. It is
unfortunate. The event on the 988 attack was a sobering
reminder of the impact to critical health care services when
cyberattacks have successful outcomes. It reminds us all of the
importance of being very aware of the risks we face as a health
care sector to deliver those services, the need to have an
adequately funded and staffed team that can implement the
protections to protect us, and the understanding that we can
only do so much to protect us and cannot eliminate all risk. It
requires the partnership of the government to help us provide
additional protections, increasing risk and consequences for
those who attack us, and the understanding and the support when
we are attacked that we are the victims, and help us work
through that process and do not penalize us for being attacked.
Senator Sinema. Thank you. Ms. Pierce, a few years ago
hackers took Wickenburg Community Hospital, the only hospital
in a small Arizona community, offline. Fortunately, the
talented IT team in Wickenburg had backed up the hospital's
data and then worked around the clock to quickly rebuild their
system from scratch. But not all community hospitals or other
rural or tribal health care providers are so fortunate. Many
simply do not have the resources or the cybersecurity expertise
to quickly recover.
Given your experience with the rural health system, can you
discuss some of the unique cybersecurity challenges that are
facing smaller hospitals?
Ms. Pierce. Thank you for the question. I think that
smaller hospitals have a varying degree of ability to recover
from those attacks. One of the things that is imperative is
that the attacks are identified and remediated quickly. I am
not aware of the particular attack you are speaking of, but I
would imagine that they identified quickly that there was an
issue, took things offline immediately, and were able to
restore from backup.
Frequently cyberattackers have been within the network and
been able to not only compromise existing systems but have also
compromised the backups. The challenges can be extensive in
recovery to that type of attack and we have seen some health
systems, even larger systems, take weeks, if not months, to
recover.
I would say that there is no one answer to that question.
There is a wide range of abilities and talent within rural
communities. I think that your particular hospital was the
exception, not the rule, when it comes to cyberattacks.
Senator Sinema. Thank you. Mr. Garcia, today ransomware
attacks against hospitals are mostly financially motivated, but
tomorrow cyberattacks may target specific patients with the
intent to kill or injure them. As more Arizonans receive
wireless medical device implants, the possibility that a hacker
could disable a pacemaker or manipulate an insulin pump is
something we need to take seriously.
How could public and private sectors get ahead of this
threat and ensure that wireless medical devices meet the most
rigorous cybersecurity standards?
Mr. Garcia. Yes, that is a very good question. Thank you,
Senator. There is a lot of work being done in ensuring the
security of a variety of connected medical devices--wireless,
wired, and otherwise. The idea of pacemakers and such, the one
issue about that is it is one of those low probability, high
impact kinds of events. You have to be right next to somebody
with a phone to actually communicate with the pacemaker.
Senator Sinema. Right now.
Mr. Garcia. Yes, right now. What we are concerned about,
however, is a much broader attack, where patient data can be
corrupted in a much broader scale within a hospital system, so
that anybody who is being treated in a hospital can be given
the wrong dose of medicine, or the wrong treatment based on
corrupted data about their specific patient data.
That is the much higher risk that we need to be concerned
about. Meanwhile, the medical device industry, through the
Sector Coordinating Council, is working hard to develop
standards of practice for how you design, develop, manufacture
cybersecurity into medical devices, connected wirelessly,
Bluetooth, whatever, from the ground up, so that they are
secure by design. That is an ongoing and long-term program that
the medical device community is acutely aware of.
Senator Sinema. Thank you. Mr. Dresen, if a ransomware
attack affects an emergency room, even if we are able to
restore those systems within one hour, some patients may not
live that long. This sense of urgency incentivizes hospitals to
pay ransoms to hackers, something, of course, that the Federal
Bureau of Investigation (FBI) and CISA advise against. Although
paying may protect specific patients in hospitals in the short
term, it also, of course, guarantees and perhaps incentivizes
that hackers will continue targeting hospitals in the future.
How do you believe that hospitals should navigate the
decision of whether or not to pay a ransom, and how can the
Federal Government help hospitals enhance their cyberattack
prevention and mitigation capabilities so that the question of
whether to pay or not to pay becomes irrelevant?
Mr. Dresen. It is our policy to align with the FBI guidance
to not pay ransomware, and so we do everything we can to
mitigate the risk that that is going to happen. We do that by
evaluating the risk we have to our organization of a
cyberattack, making investments with our leadership support to
ensure we have protections in place to reduce the likelihood
that that is going to happen.
The support we can gain from the government to help further
mitigate that risk is improved threat intelligence sharing that
is actionable and near real-time, so we can have the most up-
to-date information available to us to help protect us, as well
as, again, reinforcing educational programs that can help train
qualified staff that we can have work with us to ensure we can
implement the best practice recommendations to protect our
organization.
Senator Sinema. Thank you. Thank you, Mr. Chair.
Chairman Peters. Thank you, Senator Sinema.
I would like to thank our witnesses for joining us here
today and for your contributions to what is a very important
conversation. As we heard today, cyberattacks against our
health care sector can result in tragic consequences and can
cause serious disruptions to patients' lives.
As Chairman of this Committee, I have worked on a
bipartisan basis to significantly strengthen our nation's
cybersecurity, and I hope that we can build on those efforts by
making sure the Federal Government can provide additional
support for our most frequent targets of ransomware, including
the health care sector. I urge my colleagues to join me in
these efforts to ensure our nation can continue to combat these
threats and build resiliency into our critical infrastructure.
Our witnesses' testimony today will help inform the Committee's
future legislative activity as well as oversight on this issue.
The record for this hearing will remain open for 15 days,
until 5 p.m. on March 31, 2023, for the submission of
statements and questions for the record.
This hearing is now adjourned.
[Whereupon, at 11:34 a.m., the hearing was adjourned.]
A P P E N D I X
----------