[Senate Hearing 118-55]
[From the U.S. Government Publishing Office]


                                                         S. Hrg. 118-55

                  IN NEED OF A CHECKUP: EXAMINING THE
              CYBERSECURITY RISKS TO THE HEALTHCARE SECTOR

=======================================================================

                                HEARING

                               BEFORE THE

                              COMMITTEE ON
               HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                    ONE HUNDRED EIGHTEENTH CONGRESS


                             FIRST SESSION
                               __________

                             MARCH 16, 2023
                               __________

        Available via the World Wide Web: http://www.govinfo.gov

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs
        
        


                    U.S. GOVERNMENT PUBLISHING OFFICE
                    
52-484 PDF                 WASHINGTON : 2023   
        

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

                   GARY C. PETERS, Michigan, Chairman
THOMAS R. CARPER, Delaware           RAND PAUL, Kentucky
MAGGIE HASSAN, New Hampshire         RON JOHNSON, Wisconsin
KYRSTEN SINEMA, Arizona              JAMES LANKFORD, Oklahoma
JACKY ROSEN, Nevada                  MITT ROMNEY, Utah
ALEX PADILLA, California             RICK SCOTT, Florida
JON OSSOFF, Georgia                  JOSH HAWLEY, Missouri
RICHARD BLUMENTHAL, Connecticut      ROGER MARSHALL, Kansas

                   David M. Weinberg, Staff Director
                    Zachary I. Schram, Chief Counsel
         Christopher J. Mulkins, Director of Homeland Security
         Jeffrey D. Rothblum, Senior Professional Staff Member
           William E. Henderson III, Minority Staff Director
              Christina N. Salazar, Minority Chief Counsel
          Kendal B. Tigner, Minority Professional Staff Member
                     Laura W. Kilbride, Chief Clerk
                   Ashley A. Gonzalez, Hearing Clerk

                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Peters...............................................     1
    Senator Hassan...............................................    13
    Senator Carper...............................................    15
    Senator Hawley...............................................    17
    Senator Blumenthal...........................................    20
    Senator Padilla..............................................    22
    Senator Rosen................................................    24
    Senator Sinema...............................................    26
Prepared statements:
    Senator Peters...............................................    31

                               WITNESSES
                        Thursday, March 16, 2023

Scott Dresen, Senior Vice President, Information Security and 
  Chief Information Security Officer, Corewell Health............     3
Kate Pierce, Senior Virtual Information Security Officer, 
  Fortified Health Security......................................     5
Greg Garcia, Executive Director, Cyber Security, Healthcare and 
  Public Health Sector Coordinating Council......................     7
Stirling Martin, Senior Vice President and Chief Privacy and 
  Security Officer, Epic Systems.................................     9

                     Alphabetical List of Witnesses

Dresen, Scott:
    Testimony....................................................     3
    Prepared statement...........................................    33
Garcia, Greg:
    Testimony....................................................     7
    Prepared statement...........................................    56
Martin, Stirling:
    Testimony....................................................     9
    Prepared statement...........................................    83
Pierce, Kate:
    Testimony....................................................     5
    Prepared statement...........................................    36

                                APPENDIX

Ms. Pierce supplemental response.................................    86
American Academy of Family Physicians Statement for the Record...    88
Responses to post-hearing questions for the Record:
    Mr. Dresen...................................................    95
    Ms. Pierce...................................................    97
    Mr. Garcia...................................................   100

 
                         IN NEED OF A CHECKUP:
       EXAMINING THE CYBERSECURITY RISKS TO THE HEALTHCARE SECTOR

                              ----------                              


                        Thursday, March 16, 2023

                                     U.S. Senate,  
                           Committee on Homeland Security  
                                  and Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 10 a.m., in room 
SD-562, Dirksen Senate Office Building, Hon. Gary Peters, 
Chairman of the Committee, presiding.
    Present: Senators Peters [presiding], Carper, Hassan, 
Sinema, Rosen, Padilla, Ossoff, Blumenthal, Scott, Hawley, and 
Marshall.

             OPENING STATEMENT OF SENATOR PETERS\1\

    Chairman Peters. The Committee will come to order.
---------------------------------------------------------------------------
    \1\ The prepared statement of Senator Peters appears in the 
Appendix on page 31.
---------------------------------------------------------------------------
    Today's hearing will examine cybersecurity threats facing 
the healthcare sector, how both the Federal Government and 
health care providers are working to combat these threats, and 
what actions Congress should take to bolster our cybersecurity 
defenses against these attacks.
    Health care is a rapidly growing sector of our economy that 
employs more than 18 million workers, and is made up of both 
public and private sector organizations related to patient 
services, medical devices and manufacturers, and electronic 
health and medical records, that store considerable amounts of 
personal information, making them frequent targets of attacks.
    In recent years, increasingly sophisticated cyberattacks in 
the health care and public health sectors have posed alarming 
threats to people in Michigan as well as all across the 
country.
    Cyberattacks on hospitals, and other health care providers, 
can cause serious disruptions to their operations and prevent 
them from effectively providing critical, lifesaving care to 
their patients. Breaches can also lead to the exposure of 
sensitive personal and medical information of patients and 
health care personnel.
    Most recently, the DC Health Link, a health insurance 
marketplace for residents and lawmakers in the nation's 
capital, experienced a cyberattack that exposed the personal 
data and information of tens of thousands of people, putting 
victims at risk of identity theft, scams, and additional 
cyberattacks.
    Earlier this year, in my home State, the University of 
Michigan Health System experienced a cyberattack that 
temporarily limited access to their public websites. Thankfully 
in that attack, no patient information was compromised and the 
issue was quickly resolved.
    These relentless cyberattacks show that foreign adversaries 
and cybercriminals will stop at nothing to exploit 
cybersecurity vulnerabilities, our critical infrastructure, and 
most essential systems.
    What is most concerning about these attacks is that they do 
not just compromise personal information. They can actually 
affect patient health and safety. Last month, a ransomware 
attack on Tallahassee Memorial HealthCare in Florida took the 
hospital's information technology (IT) systems offline for more 
than a week, and required them to divert patients to other 
facilities and cancel procedures until they could restore those 
networks.
    A 2019 catastrophic ransomware attack on the Spring Hill 
Medical Center in Mobile, Alabama, may have even led to a 
patient's death. The attack prevented health care providers 
from using equipment to monitor a baby's condition during 
delivery. As a result, the infant tragically passed away 
because of delayed medical care.
    This shocking example shows just how grave the consequences 
of cyberattacks in the health care sector can be. Given the 
threats facing this sector, and the potential life or death 
consequences, there is no question that investments in health 
care cybersecurity are also investments in patient care.
    This Committee has already taken important steps to 
strengthen cybersecurity for our critical infrastructure 
sectors, including the health care sector. Last Congress, the 
Committee advanced a bipartisan bill that I introduced along 
with Senator Portman to require these organizations to report 
cyberattacks and ransomware payments to the Cybersecurity and 
Infrastructure Security Agency (CISA).
    This law will help ensure that government is able to better 
track cybersecurity threats to our critical infrastructure, 
provide more transparency and situational awareness for our 
cybersecurity defenses, and enable CISA to warn potential 
victims of ongoing attacks, so they know if they could be the 
next target.
    This is an important first step, but there is much more 
Congress can do to ensure that critical networks in our health 
care and public health sector remain resilient against 
cyberattacks.
    I am grateful our colleague, Senator Rosen, is leading 
efforts that would improve the way CISA and the Department of 
Health and Human Services (HHS) share information about 
cybersecurity threats with the health care sector, as well as 
provide cybersecurity training to medical professionals. I look 
forward to working together to build on these efforts.
    Today, I am pleased to have an expert panel of health care 
cybersecurity professionals who can speak more about the 
challenges we face and discuss potential solutions.
    With that I would normally turn it over to our Ranking 
Member, who is not here, so I will move to swear in our 
witnesses.
    It is the practice of Homeland Security and Governmental 
Affairs Committee (HSGAC) to swear in witnesses, so if each of 
you would please stand and raise your right hand.
    Do you swear that the testimony you will give before this 
Committee will be the truth, the whole truth, and nothing but 
the truth, so help you, God?
    Mr. Dresen. I do.
    Ms. Pierce. I do.
    Mr. Garcia. I do.
    Mr. Martin. I do.
    Chairman Peters. Thank you. You may be seated.
    Our first witness is Scott Dresen. Mr. Dresen serves as the 
Chief Information Security Officer (CISO) of Corewell Health. 
In his role, he is responsible for maintaining and managing the 
Enterprise Business Assurance Program including emergency 
management, business continuity, and operational readiness. 
Previously he served as the Chief Information Officer (CIO) for 
Wayne State University Physician Group.
    Mr. Dresen, thank you for being here. You may proceed with 
your opening remarks.

     TESTIMONY OF SCOTT DRESEN,\1\ SENIOR VICE PRESIDENT, 
 INFORMATION SECURITY AND CHIEF INFORMATION SECURITY OFFICER, 
                        COREWELL HEALTH

    Mr. Dresen. Thank you, Chairman Peters and Members of the 
Homeland Security and Governmental Affairs Committee. It is an 
honor to be speaking with you about cybersecurity risks. I am 
the Chief Information Security Officer of Corewell Health, an 
integrated health system committed to health and wellness so 
that people can live their healthiest life possible.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Dresen appears in the Appendix on 
page 33.
---------------------------------------------------------------------------
    Cybersecurity threats to the health care sector could 
compromise our health system's ability to effectively provide 
access to and deliver health care services to our patients and 
members. Of particular concern are high-impact ransomware 
attacks, which disrupt and delay health care delivery, may 
cause risks to patient safety, and can be used to conceal 
activity by threat actors to exfiltrate personal health 
information.
    We live in a world where health care is highly digital and 
highly connected, making us vulnerable given the value of the 
data we manage. We have a responsibility to protect the data of 
our patients and members, and this obligation is of the highest 
priority across our system leadership and board of directors.
    Health care is a complex business model whereby multiple, 
often independent entities come together to form what the 
patient sees as a cohesive care delivery process. Over time and 
out of necessity, this model has evolved in ways that have made 
us more vulnerable to cyberattacks, has expanded the footprint 
of health care systems that must be protected, and increases 
the opportunities for threat actors to compromise us.
    Media reports of cyberattacks, data breaches, and 
unintended exposure of sensitive data underscore the 
vulnerability of health care systems to these disruptive 
incidents and the impact to our patients and members. 
Operational disruption prevents patients from being able to 
receive the care they need when they need it. Material 
financial impact in the form of fines, penalties, and 
associated remediation costs increase financial pressures 
significantly. Brand and reputational impacts can have lasting 
consequences on organizations victimized by cyberattacks.
    These issues only serve to undermine the trust our 
communities have in our health care system and our ability to 
serve them in their most vulnerable time of need. A 
comprehensive information security program is critical to 
manage these risks, yet there exists significant disparity in 
the health care sector for organizations to resource an 
effective security team and the necessary technology to provide 
their requisite protections to reduce the risk of an attack. 
Small and medium-sized health care systems are at a significant 
disadvantage compared to larger systems to be able to recruit, 
retain, and fund an effective information security program. 
Despite the advantage larger organizations have in comparison, 
the increasing trend of attacks proves even the largest 
organizations are vulnerable and can be compromised.
    The increasing frequency of attack from nation-state actors 
and organized crime has created a sense of urgency within the 
health care sector, and we need help from the United States 
government to respond to these threats more effectively. 
Requirements for interagency sharing of cybersecurity threat 
intelligence are a productive step forward. We need more of this 
and need that enhanced collaboration to include critical 
infrastructure sector participation, including the ability to 
automate threat intelligence data sharing with sector 
participants, enabling rapid, near-real-time automatic 
ingestion of threat intelligence into the technologies 
participating members use to protect their respective 
organizations.
    The United States government has actionable intelligence 
that would be of immediate value to the health care sector. 
While there is some degree of automated intelligence sharing, 
we need to make more of that intelligence accessible.
    We are in an environment where keeping up with technology 
to defend against advanced, persistent threat is extremely 
expensive. Many of these technologies are an option for 
financially disadvantaged health care systems due to cost. We 
recommend creating incentives to make technology more 
affordable and accessible to the entire health care sector.
    We recommend reforms on the penalties health care entities 
face because of cyberattacks and related data breaches. We 
understand and support the legislative intent to encourage 
adoption of best practices and the implementation of 
appropriate protections to safeguard our data. However, 
penalizing victims of cyberattack, when defensive measures 
cannot keep up with the sophistication of hackers, is not the 
fair approach.
    We are at our best and most capable when it comes to caring 
for our patients and members. That is our expertise. Our 
adversaries are at their best and most capable when they are 
attacking us. They are extremely well funded, extremely 
talented, and highly motivated. Many are either nation-state 
actors or sponsored and supported by nation-states. We cannot 
beat them alone, but together we can be more effectively 
protecting this vital, critical infrastructure sector.
    Thank you for this opportunity to testify, and I look 
forward to your questions.
    Chairman Peters. Thank you, Mr. Dresen, for your testimony.
    Our next witness is Kate Pierce. Ms. Pierce serves as the 
Senior Virtual Information Security Officer at Fortified Health 
Security. Ms. Pierce has over two decades of experience in 
North Country Hospital, where she served as the Chief 
Information Officer and Chief Information Security Officer. Ms. 
Pierce is also part of Fortified Health Security, one of 
the leading health care-only cybersecurity managed services 
companies in the United States.
    Ms. Pierce, welcome to our Committee. You may proceed with 
your opening remarks.

    TESTIMONY OF KATE PIERCE,\1\ SENIOR VIRTUAL INFORMATION 
          SECURITY OFFICER, FORTIFIED HEALTH SECURITY

    Ms. Pierce. Chairman Peters and Members of the Committee, 
my name is Kate Pierce. I served as the CIO and CISO for a 
critical access hospital in Vermont for over 21 years, and I 
currently serve as the Virtual Information Security Officer for 
Fortified Health Security. I thank you for this opportunity to 
address the Committee to provide an industry perspective on 
cybersecurity threats, specifically in the small and rural 
facilities.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Pierce appears in the Appendix on 
page 36.
---------------------------------------------------------------------------
    In 2022, health care continued to be the most targeted 
critical infrastructure sector, with nearly a quarter of 
ransomware attacks directed at health care. We also saw cyber 
criminals shift their focus to small and rural hospitals, with 
this group lagging behind in strengthening their defenses. 
Average recovery times expanded, and costs for health care 
attacks increased to over $10.1 million per incident.
    Our rural hospitals are facing unprecedented budget 
constraints, with up to 30 percent or more in the red. With the 
public health emergency scheduled to end in May, hospitals 
anticipate a rise in free care, with as many as 15 million 
Medicaid patients projected to lose coverage.
    Cyber programs continue to lag behind with budgeted 
security spending redirected to cover higher priority expenses. 
These small hospitals struggle to employ and retain skilled 
cybersecurity professionals, and often have little to no staff 
solely dedicated to security. Cyber insurance coverage can no 
longer be considered an alternative, with skyrocketing 
premiums, lower limits, and increasing requirements.
    The value of health care records in the dark web continues 
to be up to more than 60 times higher than other records. The 
risk of identity theft, credit card fraud, and reputational 
harm is now supplemented by patients being directly exploited 
with threats to release their sensitive information on the web. 
Post attack, hospitals are now seeing a rise in civil cases, 
costing millions of dollars.
    The impact on our rural communities during an attack is 
hard to overstate. While attacks in urban areas are impactful, 
populated areas provide other health care options for patients 
to choose. In most rural areas, the nearest health care 
facility may be 45 miles or more away, making the diversion of 
patients unfeasible. With direct attacks causing outages 
lasting weeks and sometimes months, the impact on patient 
safety is easy to comprehend.
    Delays in care can directly contribute to negative outcomes 
for many high-risk conditions. Facilities that continue to 
treat patients are challenged to provide high levels of patient 
care without access to patient information, safety alerts, 
delays in results, and other key tools.
    To meet these challenges I recommend implementing several 
measures to improve the cybersecurity for our small and rural 
facilities.
    First, we must move beyond guidance and recommendations and 
create minimum standards for cybersecurity. These standards 
must be effective, reasonable, achievable, and continually 
evolving as cybersecurity requirements change. Specific 
recommendations are in my written testimony.
    Second, we cannot leave our small and rural hospitals 
behind. Funding opportunities must be made available to these 
hospitals. My insights on subsidies, grants, and other 
incentives are also included in my written testimony.
    Third, we need better coordination of government cyber 
efforts. While guidance and services from many agencies are 
appreciated, there is often a knowledge gap regarding the 
unique health care challenges that must be considered. Also, 
most rural hospitals are not effectively utilizing available 
resources. To be effective, government services must be 
streamlined, knowledgeable, and available.
    Last, establishing a Federal Emergency Management Agency 
(FEMA) cyber disaster relief program would provide this 
vulnerable sector with important resources. This could assist 
organizations in their recovery process and increase the 
likelihood that hospitals can survive beyond an attack.
    In conclusion, small and rural health care organizations 
are losing the cybersecurity battle. The Cybersecurity Act of 
2015 is now eight years old. While advancements have been made 
with respect to published documents, services, and guidance, as 
a nation definitive, coordinated action is needed now. Our 
rural hospitals are in crisis, and further delay would 
jeopardize health care for our rural communities.
    Thank you for your time. I look forward to answering your 
questions.
    Chairman Peters. Thank you, Ms. Pierce. Thank you for your 
testimony.
    Our next witness is Greg Garcia. Mr. Garcia serves as the 
Executive Director for Cyber Security of the Healthcare and 
Public Health Sector Coordinating Council (HSCC). It is a 
convening organization that works in partnership with other 
Federal agencies to protect the security and resilience of 
these sectors. Mr. Garcia served as the nation's first 
Department of Homeland Security (DHS) Assistant Secretary for 
Cybersecurity and Communications under President George W. 
Bush.
    Previously, Mr. Garcia held executive positions with the 
Bank of America and served as professional staff on the 
Committee on Science, Space, and Technology in the U.S. House 
of Representatives.
    Welcome to the Committee, sir. You may proceed with your 
opening comments.

    TESTIMONY OF GREG GARCIA,\1\ EXECUTIVE DIRECTOR, CYBER 
  SECURITY, HEALTHCARE AND PUBLIC HEALTH SECTOR COORDINATING 
                            COUNCIL

    Mr. Garcia. Thank you, Chairman Peters and Members of the 
Committee. Thanks for inviting me to testify today. I am the 
Executive Director of the Health Sector Coordinating Council. 
We are an industry-led advisory council of more than 350 health 
care organizations and government agencies, working together as 
a public-private partnership.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Garcia appears in the Appendix on 
page 56.
---------------------------------------------------------------------------
    The main point I want to leave you with today is that the 
industry is mobilizing collaboratively against evolving cyber 
threats in the health system, and our government is doing the 
same and can be doing more.
    The industry is regulated for cybersecurity in various 
ways, and more is being contemplated. But there are ways that 
HHS, CISA, and other government offices can improve 
coordination, in programs and funding, to facilitate the 
security of the health sector.
    What matters most about cyber insecurity in the health 
sector is the potential impact on patient safety. We have heard 
that from our previous witnesses. In particular, ransomware 
events over the past few years have resulted in clinical 
disruptions that can cause and have caused harm to patients. 
Consider when a health system is disabled by a cyber incident, 
stroke, trauma, cardiac imaging, and other systems and services 
are closed to admission. Ambulances with patients en route to 
hospitals are diverted. Radiation and surgery for cancer 
patients are delayed. Medical records for prescriptions, 
diagnoses, therapies are inaccessible or lost. Clinical trial 
data are lost. Payment systems are down. Ordering and receiving 
supplies is disrupted.
    What we see now and in the future is a changing health care 
system that may complicate this challenge. Consider that health 
care innovation is going direct to the consumer, to wearable 
and home medical technology and telemedicine. This expands the 
so-called attack surface for connected technology outside the 
clinical environment, which is harder for hospitals to secure 
remotely with patients.
    There is an increase in mergers and acquisitions among 
provider institutions, and that involves having to integrate 
incompatible systems, different suppliers. That adds to 
complexity, cost, and risk.
    There is an increased migration to cloud service providers, 
in which technology, clinical data management systems and 
software are outsourced to third parties, and that can increase 
the scalability of attack to thousands of customers with just 
one mouse click.
    There are workforce shortages, that Ms. Pierce referred to, 
in both clinical and cybersecurity support, which strains the 
ability to manage those intersecting needs, cyber and clinical.
    Finally, the cyber insurance market is simultaneously 
retrenching, increasing premiums, reducing coverage, and this 
is severely limiting its risk reduction value.
    What are we doing about it? How do individual enterprises 
deal with these threats, and how does the sector collectively 
deal with it? I am going to concentrate my answer on the latter 
question.
    As I mentioned earlier, the Health Sector Council is one of 
many federally designated critical infrastructure sector 
coordinating councils. Health care is in the same category as 
financial services, telecommunications, electricity, and 
others, and we are organized to work with our government 
counterparts to identify and mitigate threats and incidents, 
from pandemics, natural disasters, supply chain disruptions, 
and cyberattack.
    In government, there are designated sector risk management 
agencies (SRMA), in our case HHS. They are directed by statute 
and Executive Orders (EO) to work with their corresponding 
critical sectors on this shared mission, not just with 
regulation but with partnership and innovative problem-solving.
    Indeed, cyber regulation on the nation's small and under-
resourced health systems cannot succeed without corresponding 
support from the government. To reduce that cyber and patient 
risk, our Council, over the past five years, has worked 
tirelessly. We started with fewer than 50 members, in 2017, and 
now the Council has grown to 380 industry organizations and 16 
government organizations. We are all motivated by the same 
unifying imperative, that patient safety requires cyber safety.
    We are structured into task groups that work on specific 
cybersecurity problems. The result over the past four years is 
the publication of 18 cybersecurity best practices and guidance 
documents by the sector, for the sector: medical device 
security, cybersecurity for health systems, workforce 
development, information sharing, intellectual property 
protection, et cetera.
    Two of these resources were published jointly, by our 
Council and by HHS. This demonstrates the importance we place 
on this shared responsibility, and four more resources are in 
the pipeline for publication in the second quarter of this 
year, one of which is another joint publication with HHS.
    But as a partnership with government, we are making 
positive steps but we can do more. We are encouraged that HHS 
is reorganizing to enhance its SRMA responsibilities. That 
means working with us, in industry, to develop cybersecurity 
initiatives, incentives, and programs. It means improving 
information sharing, impact analysis, and incident response. It 
means coordinating across the agency and with industry to make 
cybersecurity policy development and enforcement more matrixed 
and coherent. Some of that may require congressional action.
    It is commendable that CISA, in its role as the national 
coordinator for critical infrastructure protection, has 
directed more of its attention to health care cybersecurity. 
But that level of attention needs to be triangulated, among HHS 
as the sector lead, CISA as the technical support, and industry 
as the owners and operators. In our view, that necessary 
relationship is improving, and we are glad for that, but more 
improvement can be done.
    In conclusion, my written statement includes options we are 
considering as recommendations for how the government can 
better partner with that critical infrastructure sector against 
evolving threats, and I will be happy to discuss them during 
the question period.
    To finalize, we are working collectively in pursuit of the 
imperative of patient safety. It requires cyber safety, and 
succeeding at this will mean, as my friend and former National 
Cyber Director, Chris Inglis, would tell us, ``To beat one of 
us you have to beat all of us.''
    Thank you, Mr. Chairman.
    Chairman Peters. Thank you, Mr. Garcia, for your testimony.
    Our final witness is Stirling Martin. Mr. Martin is the 
Senior Vice President for Epic. In his over 25 years at Epic he 
has helped develop, implement, and support Epic's products and 
worked closely with customers around the world to ensure their 
needs are met.
    Mr. Martin also serves as the Chief Security and Privacy 
Officer and President of Epic's hosting business.
    Mr. Martin, thank you for being here today. You may proceed 
with your opening remarks.

  TESTIMONY OF STIRLING MARTIN,\1\ SENIOR VICE PRESIDENT AND 
        CHIEF PRIVACY AND SECURITY OFFICER, EPIC SYSTEMS

    Mr. Martin. Thank you. Distinguished Members of the 
Committee, thank you for the opportunity to provide my 
testimony today. My name is Stirling Martin, my formal training 
is as a computer scientist, and I am the Chief Security and 
Privacy Officer and Senior Vice President at Epic.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Martin appears in the Appendix on 
page 83.
---------------------------------------------------------------------------
    Since 1979, we have created clinical, financial, and 
administrative systems, including the patient portal, MyChart, 
for health care organizations in the United States and around 
the world. Our customers include academic medical centers, 
large integrated health systems, small critical access 
hospitals, and federally qualified health centers.
    Our focus, first and foremost, is on helping patients. 
Personal health data is uniquely sensitive if compromised 
because it cannot be reset like passwords or changed like 
credit card information. A patient's health information can 
also be immensely personal, and even just the threat of 
exposure can create angst for an individual. If exposed, 
private health care data can be leveraged by malicious actors 
through identity theft and the potential for blackmail. In an 
extreme case, patient safety could be directly impacted if a 
bad actor were to manipulate health care data.
    Within a community, cyberattacks can reduce access to care. 
In a rural community with only one health care facility, 
patients may need to delay preventative care or elective 
treatments until an incident is resolved.
    In a larger community, a cyberattack can have a cascading 
effect as patients may be diverted to an unfamiliar care team 
at another facility, and those facilities need to deal with an 
influx of additional patients.
    We have been shoulder-to-shoulder with our customers as 
health care has become increasingly targeted by cyberattacks. 
For a health system, a cyberattack disrupts their patient care 
mission and causes both reputational harm and financial burden. 
Organizations often take their systems offline as they mitigate 
the impact of a security incident. Doing so places stress on 
staff to provide high-quality care without the IT systems that 
drive their workflows. As organizations may see fewer patients, 
the financial impact extends beyond the cost of incident 
response to lost revenue as well.
    Organizations face several challenges in improving their 
security posture. First is staffing, and their ability to hire 
and retain high-demand security talent.
    Second, security is a constant effort, and there are always 
more steps that can be taken to make systems more secure. In 
working with health care organizations across the country, we 
see both basic and highly sophisticated security programs in 
use, and yet there is no defined benchmark of what security 
practices are considered sufficient.
    An additional challenge is the lack of cybersecurity 
information-sharing among health care organizations, as well as 
the limited threat intelligence from government agencies and 
private industry.
    These challenges are exacerbated as many health care 
organizations currently face unprecedented financial and 
staffing pressures. The costs to improve one's security posture 
through new technology or staff must be weighed against other 
needs such as hiring or retaining nurses at the bedside.
    There are a variety of ways the Federal Government could 
help health care organizations prevent and respond to 
cyberattacks.
    Starting first with prevention, there is a dire shortage of 
security talent in the United States. To build a deeper bench 
of skilled IT security professionals, the Federal Government 
could develop security training programs and incentivize newly 
trained professionals working in health care. This could be 
similar to the Rural Community Loan Repayment program for 
physicians who agree to provide care to rural communities after 
medical school and residency.
    Second, the industry needs a single set of prescriptive 
security practices, whether defined by Federal agencies such as 
the National Institute of Standards and Technology (NIST) or 
CISA, industry efforts such as Health Information Trust 
Alliance (HITRUST), or a collaboration such as the Healthcare 
Sector Coordinating Council. This will raise the overall 
security posture of health care organizations by encouraging 
them to meet those acceptable security practices.
    The government should take the further step of establishing 
a legal safe harbor for organizations that meet the defined 
benchmark if they fall victim to an incident. This would also 
encourage information sharing to remediate active issues more 
quickly and prevent similar issues in the future, and could be 
further bolstered by government agencies sharing deeper threat 
intelligence.
    Lastly, on incident response, similar to how FEMA responds 
to a natural disaster, at-the-elbow support from the government 
could help health care organizations remediate an attack. For 
example, an organization recovering from a ransomware attack 
may need assistance cleaning and redeploying the computers used 
by their staff. On-the-ground support could help reduce the 
time it takes to bring systems back online by patching devices 
or by delivering a strategic reserve of computers and network 
equipment that can be used immediately. This could reduce 
recovery time by hours or even days, providing tremendous value 
to health care organizations and the patients they serve.
    In closing, people often ask me what keeps me up at night, 
and it is the fact that we have to be perfect 100 percent of 
the time, and the bad guys, they only need to get lucky once.
    Thank you for the opportunity to share Epic's perspective 
on this important topic.
    Chairman Peters. Thank you, Mr. Martin, and thank you for 
your opening comments.
    My first question is for Mr. Dresen. Clearly we know that 
cyberattacks are pervasive all through our society and all 
across our economy now, and they are increasing in intensity. 
But my question for you is what do you see as a distinguishing 
characteristic of working to secure the health care sector from 
cybersecurity attacks when we look at it in total? What is the 
distinguishing factor with health care?
    Mr. Dresen. Thank you, Senator, for that question. I 
appreciate the opportunity to answer. For me, the defining 
characteristic of the work that we do really comes down to the 
clarity of focus we have around the impact of the decisions we 
make, the actions we take, and the things we are doing to help 
protect our organization, understanding that when a cyberattack 
does occur and has the potential for significant operational 
disruption, financial penalties, longstanding reputational 
impact to the organization, it ultimately affects our families, 
it affects our neighbors, it affects our community. There is a 
clear connection to purpose for the work that we do, 
understanding that the impact if things do not go well can be 
significant on the people who are closest to us. For me that is 
the defining characteristic of what it means to protect the 
health care sector from cyberattack.
    Chairman Peters. Thank you.
    My next question is for you, Ms. Pierce. Certainly all 
hospitals across the country are still dealing with the impact 
of Coronavirus Disease 2019 (COVID-19) pandemic. But rural 
hospitals, in particular, are really challenged. They are often 
bound to provide care to a high concentration of patients with 
limited financial resources. As you mentioned, these hospitals 
are often located many miles apart. They are very far from 
urban centers which present a number of other challenges for 
them.
    My question for you, ma'am, is how can the Federal 
Government help ensure that small and rural hospitals are able 
to invest in cybersecurity while also balancing all the needed 
investments that they have to make to provide quality patient 
care?
    Ms. Pierce. Thank you for that question, Senator Peters. 
Senator Warner stated it well when he said that cybersecurity 
is patient safety. Cybersecurity initiatives cannot be 
considered in isolation. They have direct and immediate impact 
on patient care, and small and rural facilities are currently 
devastated still by the pandemic, with staffing shortages. They 
have seen significant increases in cost with supply chain and 
technical costs skyrocketing.
    Rural facilities also tend to serve lower-income patients, 
and they have shown that the longer patients have to travel is a 
direct correlation to the income levels for the patients. This 
means that our Medicaid population is typically higher in these 
rural facilities. Medicaid reimbursement tends to lag behind 
and is lower than the average cost of care for these rural 
facilities. Even Medicare reimbursements for critical access 
hospitals (CAHs) tend to lag two to three years behind as cost 
reports for those facilities take time to reconcile.
    We are experiencing these high costs, but it is taking a 
long time for the reimbursement levels to catch up, which is 
creating a crisis in budgets. I have seen small hospitals 
running 5 to 10 percent below budget for their facilities, and 
we cannot continue at that rate.
    While I agree it is important to control costs, 
cybersecurity should be a built-in requirement for all 
hospitals, with minimum standards that are required. Medicaid 
should also reimburse at cost. The subsidies for hospitals 
could be in the form of grants, it could be in the form of CMS 
increased reimbursement for services, or incentive programs 
similar to meaningful use, sort of a meaningful security type 
incentive program.
    I urge you, however, to not delay any longer. Many rural 
hospitals are already on the brink of closure. Thank you.
    Chairman Peters. Thank you, Ms. Pierce.
    Mr. Garcia, in your experience how is the Health Sector 
Coordinating Council, along with the Federal Government, 
working right now to address some of these significant 
challenges faced by our small and rural hospitals?
    Mr. Garcia. We have a number of engagements with our 
government partners on a regular basis. Every other Friday, in 
fact, we meet with our HHS and CISA counterparts to think about 
longer-term strategic direction. In fact, we are beginning the 
process now of developing a five-year strategic plan, looking 
at how is the health care industry changing over the next five 
years, what cybersecurity challenges do those changes 
introduce, and how do we prepare for them.
    I will say one of the flagship resources that we produced 
that is scalable from small, rural, critical access hospitals 
all the way up to the large national and regional systems is 
something called the Health Industry Cybersecurity Practices 
(HICP). This is initially the result of an act of Congress, 
and it comes out of something called the 405(d) program, 
section 405(d) of the Cybersecurity Information Sharing Act of 
2015. It directed HHS to work with industry to develop a series 
of cybersecurity best practices for health systems. That 
process took about a year and a half to develop these best 
practices, which is a joint effort between HHS, which owns the 
405(d) program, and the Health Sector Coordinating Council.
    This is partnership at its best, where there is consensus 
about what health systems need to do in cybersecurity, some of 
the basic blocking and tackling, not necessarily expensive and 
a high investment level, but some of the foundational elements 
of good cybersecurity practices.
    That is one example, and on our website, 
healthsectorcouncil.org, there are 18 resources, best practices 
that are accessible to any stakeholders who need them, all the 
way from medical device security best practices to workforce 
development to intellectual property protection, supply chain 
security, which is a huge issue for all of us. I would commend 
the public to those resources.
    Chairman Peters. Thank you, Mr. Garcia.
    Senator Hassan, you are recognized for your questions.

              OPENING STATEMENT OF SENATOR HASSAN

    Senator Hassan. Thanks, Mr. Chair, and thanks for holding 
this hearing, and thank you to our witnesses not only for being 
before the Committee today but for the work you do to protect 
patient privacy and safety. We really appreciate it.
    Ms. Pierce, I want to start with a couple of questions for 
you that really follow up on what Senator Peters was asking 
about with the focus on rural hospitals. I am really concerned, 
as someone from a small State, your next-door neighbor, New 
Hampshire, about cybersecurity threats to rural or smaller 
health care providers.
    In 2021, a ransomware attack targeted a small health 
service in Berlin, New Hampshire, forcing the provider to shut 
down some of its clinics for several days. Based on your 
experience as a cybersecurity professional, what are the most 
significant cybersecurity challenges facing rural and smaller 
health care providers?
    Ms. Pierce. Thank you for that question, Senator. I believe 
that some of the biggest issues that these organizations face 
is the fact that nearly all the staff in a critical access 
hospital or a small facility wear many hats. They do not 
specifically focus on cybersecurity, and with the competing 
priorities that we are now seeing in health care, it is very 
difficult to focus on something that is not required. If I had 
10 things to do today and I knew that two of them were mandated 
and required for me to do, those are the things that I will 
focus on.
    As we continue to provide guidance and recommendation from 
the Federal Government we have not seen any minimum standards 
or requirements from the government which would take us to the 
point where those would become imperative for facilities to 
implement. I would urge us to go in that direction but do not 
do that without supporting us in achieving those standards.
    Senator Hassan. Right, because one of the differences I 
think you are really referencing is a larger, more metropolitan 
hospital might have the capacity to have an administrative 
staff, where somebody with the expertise and focus can really 
devote themselves to cyber, and in our smaller places, even 
when they are fully staffed on the patient care side, the 
administrative staffing tends to be very sparse.
    Ms. Pierce. I agree.
    Senator Hassan. There are a number of resources and tools 
available for health care entities to improve their 
cybersecurity, such as the best practice guidance that Mr. 
Garcia described today in his testimony. But as we have just 
discussed, rural hospitals are under-resourced, understaffed.
    You got at this a little bit with Senator Peters, Ms. 
Pierce. You were talking about the need to make sure funding is 
really reimbursing costs. But what specifically can the Federal 
Government do to ensure that small and rural health care 
providers are both aware of and have the ability to utilize 
existing resources and tools for cybersecurity?
    Ms. Pierce. I think the first step that we need to take is 
to move from guidance and recommendations to minimum standards. 
Once we do that I believe that those recommendations and 
guidance will be very helpful in moving that sector to secure 
their environments.
    Currently I have worked with a lot of small hospitals, 
being with Fortified, hospitals across the country, and 
invariably they are at a state where there is either absolutely 
no security program or it is very minimal.
    We asked all of our health care organizations to perform 
risk assessments when we implemented the Health Information 
Technology for Economic and Clinical Health Act (HITECH). 
Everyone is now aware of where their risks are, but they are 
choosing to accept those risks mostly for financial reasons, 
where they cannot afford or cannot staff their personnel to 
address those risks.
    Senator Hassan. Your thinking is that some baseline 
standards and requirements would kind of drive hospitals to 
work with the Federal Government and others to find out the 
resources they need and then to actually prioritize that. Is 
that fair?
    Ms. Pierce. That is fair. Also do not forget, we need to 
also provide them the ability to actually implement their 
security measures.
    Senator Hassan. Fair enough. OK.
    A question for you, Mr. Garcia. The Health Information 
Sharing and Analysis Center (Health-ISAC), is a valuable forum 
where health care partners can share vital cybersecurity 
information such as intelligence about current and future 
threats or best practices for addressing those threats. 
However, as we just heard, smaller health care entities are 
already under-resourced and understaffed. In your experience, 
do rural and smaller health care entities have adequate access 
to the Health-ISAC?
    Mr. Garcia. The Health-ISAC does provide a lot of free 
resources to the public at large. I think, as Ms. Pierce 
expressed, however, there is a lot of information out there, 
and trying to sift through it in ways that would be relevant 
and actionable to your particular instance, is difficult.
    Many hospital systems around the country rely also on 
regional clusters, information sharing and analysis 
organizations, peer organizations within a region where there 
is a trust relationship.
    There are a lot of options for how you gather your 
information. At this point, the Health-ISAC is populated by a 
lot of very well-resourced organizations that do have 
sophisticated information security professionals who are really 
tracking this on a 24/7 basis.
    The priority is for every organization to consider what 
kind of information are you able to actually take in and then 
take action on.
    Senator Hassan. Are there incentives that we could use to 
help smaller rural hospitals really access the Health-ISAC, or 
are there barriers that they have to membership in it right 
now? How can we help them become more integrated into the 
Health-ISAC?
    Mr. Garcia. My feeling is it is a small investment. It is 
an investment into collective defense. But absolutely, I think 
that some kind of subsidies or financial support for smaller 
systems to get involved either in the Health-ISAC or other 
information-sharing organizations. If it is a cost-matching 
subsidy that would help them into this kind of a community I 
think would be tremendously beneficial.
    Small hospitals have to make all kinds of existential 
financial decisions about resource prioritization, so to help 
them get into a collective organization where you have this 
communal situational awareness I think is a good first step. 
You cannot protect against what you do not see.
    Senator Hassan. Thank you. Thank you, Mr. Chairman.
    Chairman Peters. Thank you, Senator Hassan.
    Senator Carper, you are recognized for your questions.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Thanks. Thanks so much, Mr. Chairman. 
Thanks for pulling this all together. Important subjects. To 
our panel, thank you for joining us as well.
    My first question I am going to ask each of you to respond 
to. My second question, if I have time, Mr. Garcia, it will 
come to you.
    A question for all of you, and let us just start with Mr. 
Martin. It deals with cyber best practices and preventive 
measures. But when I think about health care I focus on a few 
key points. One of those is access to health care, making sure 
Americans broadly have access to health care, affordable health 
care hopefully. I focus on the quality of the health care that 
is provided. I focus a lot on prevention, not just dealing with 
the symptoms or problems but also working on prevention. I also 
think about a right to privacy and empowering people to do 
things to help keep themselves healthy.
    When it comes to cybersecurity I believe these same issues 
apply, which leads me to two questions that I want to ask each 
of you to take a moment to respond to. The first of those 
question is how can the Federal Government improve access to 
information on cyber best practices for the health care 
industry? That would be the first question. The second is how 
can we make sure that the health care systems are doing their 
part to take preventive measures to protect their own networks?
    Mr. Martin, would you lead us off please?
    Mr. Martin. Senator, thank you for your questions. In terms 
of providing access to best practices, there is no shortage of 
recommendations and guidance and things that organizations 
could be or should be doing. As I look across the broader 
industry, the challenge we see is taking stock of all of those 
different resources and deciding what to actually do, given all 
those different inputs. As I talked about in my opening 
statement, one of the key things that the Federal Government 
can do to help would be to establish a minimum threshold for 
security best practices, and that threshold can and should 
continue to change through time. We need to continue to raise 
all boats here by continuing to advance the state of security 
in the industry, but having that minimum threshold would be 
incredibly helpful for our organizations, which then gets to 
your second question of what can the organizations do.
    Today, they are trying to balance lots of different 
competing priorities, whether you are a large organization or a 
smaller organization, as Ms. Pierce talked about, trying to 
balance all those different competing priorities is incredibly 
challenging. Having that minimum target to shoot for will help 
make sure everyone is marching toward that target and 
ultimately raise the security posture of everyone in the 
community.
    Senator Carper. All right. Again, the same two questions 
for the others, and Mr. Garcia, we will go to you. How can the 
Federal Government improve access to information on cyber best 
practices for the health care industry? That is No. 1. No. 2, 
how can we make sure that the health care systems are doing 
their part to take preventive measures to protect their own 
networks? Go right ahead.
    Mr. Garcia. Yes, sir. Thanks for the question, Senator. 
Within the Department of Health and Human Services is an office 
called the Health Care Cyber Coordination Center (HC3), which 
is a knowledge center which is growing, and we would like to 
see that grow more. It is the center that collects information 
about cyber threats, vulnerabilities, incidents, provides 
analysis, and then, in turn, pushes it back out to the health 
sector. They have regular monthly briefings, talking about 
various threats and what to do to mitigate against those 
threats. That is a very helpful resource.
    On top of that I mentioned earlier the Section 405(d) task 
group that has produced the Health Industry Cyber Practices. 
That update is coming out in just a few weeks. It is going to 
be called HICP 2023. This is a set of best practices, just as 
Mr. Martin was referring to, that are minimum security 
practices that all health systems should be implementing, and 
those are developed by the sector, for the sector, and jointly 
with HHS.
    There is, as Ms. Pierce said, a glut of information 
security best practices out there. We need to pick one because 
there is a lot of confusion. We advocate that the Health 
Industry Cyber Practices is probably the best effort at a joint 
government publication, freely accessible to all. Then CISA 
needs to follow and push that along with us. That is No. 1.
    Question No. 2 is how can health systems do their part. We 
have talked about that a lot, and we need to do a culture 
change. It has been a cultural problem for as long as I have 
been in cybersecurity that everyone outside of the security 
team says, ``Cybersecurity, that is the security team's job. It 
is not my job. I am the CIO. I am the Chief Executive Officer 
(CEO). I am in administration.'' No. It is actually everybody's 
job, right down to the clinician.
    Indeed, one of the biggest threats in cybersecurity 
generally is the frontline user, anybody who is touching a 
keyboard or a tablet or a phone or any kind of medical 
technology.
    Senator Carper. I am going to ask you to hold it right 
there. I want to give these folks an opportunity.
    Mr. Garcia. Certainly.
    Senator Carper. Thanks for those responses, though. Ms. 
Pierce.
    Ms. Pierce. I agree with Mr. Garcia and Mr. Martin. There 
are a number of best practices available. As Mr. Garcia said, 
they have published many documents on cybersecurity, so I do 
not think that there is a lack of information.
    What I think is happening, especially for small and rurals, 
is there is a lack of attention to the information. It is not a 
priority currently because there are so many other things that 
are competing for immediate attention. There is no one taking 
those best practices off the shelf and actually putting them in 
practice within those organizations because it is currently a 
recommendation or a guidance. It is not a requirement.
    Senator Carper. OK.
    Ms. Pierce. I would say the best thing we can do is set 
some minimum requirements and then begin to embed them into 
everything that we do in health care. Even with the 21st 
Century Cures Act there were mandates on interoperability. 
There has been a big expansion of devices and technologies that 
have been implemented. But cybersecurity is always a second 
thought.
    Senator Carper. OK. Hold it right there. Mr. Dresen, I am 
running out of time. Just very briefly, if you can, to both 
questions please.
    Mr. Dresen. Thank you, Senator. Very briefly, to complement 
what my panelists have already stated, I think the other aspect 
of making best practice information available is ensuring that 
we have adequate staff to execute and implement those best 
practices, so advocacy and sponsorship of programming to help 
build a cyber-educated workforce so that we have qualified 
individuals who can participate in our organizations to 
implement those best practices would be extremely useful.
    In the context of the health care sector's ability to do 
that is to hire those people and get them implementing those 
best practices to support our protections.
    Senator Carper. Great. Mr. Chairman, I will ask, for the 
record, a question dealing with communications between CISA, 
HHS, and the health sector. If you receive that question for 
the record, please respond. That is all I ask.
    Thanks, Mr. Chairman.
    Chairman Peters. Thank you, Senator Carper.
    I need to leave briefly to be at an Armed Services 
Committee hearing, so Senator Padilla will take the gavel. But 
before I leave I will recognize Senator Hawley for your 
questions.

              OPENING STATEMENT OF SENATOR HAWLEY

    Senator Hawley. Thank you very much, Mr. Chairman, and 
thanks to all the witnesses for being here.
    This is a topic that is very important to us in the State 
of Missouri, where we have not only many hospitals, of course, 
but many rural hospitals, and there have been a number of major 
cyberattacks against hospitals in the State of Missouri. In 
September 2021, for example, a ransomware group stole 
confidential patient information which included names, Social 
Security numbers, and medical information from a health center 
in Sikeston, Missouri, which is in the southeast part of our 
State. In March of last year, it was reported that a hospital 
affiliated with the University of Missouri Health System 
experienced a cyberattack in which a third party gained 
sensitive patient data. A few months ago a hospital based in 
Marshall, Missouri, found out that more than 112,000 
individuals were affected by a data breach. Obviously this is a 
very significant problem, and I am also concerned about the 
interplay of foreign adversaries here like China, and I want to 
get to that in just a second.
    Ms. Pierce, if I could start with you and focusing, in 
particular, on rural hospitals. In Missouri we have 67 
hospitals classified as rural hospitals, including one in the 
town where I grew up. That is about 40 percent of the hospitals 
in my State. We are a rural State, and proudly so, but I am 
obviously very concerned about the threat that cyberattacks 
pose for rural hospitals in particular.
    And wonder if just building on the statements you made to 
Senator Hassan, can you give us a sense, what are the one or 
two most important steps that you think rural hospitals and 
rural health care facilities can take to shore up their cyber 
defenses?
    Ms. Pierce. Thank you for that question. I have had the 
pleasure of working with some hospitals from your State, and I 
can assure you that it is not for lack of wanting to address 
these issues. Part of the issue that I am seeing across the 
board, from not just Missouri but from other States, is just a 
lack of funding, and lack of ability to be able to address the 
issues that they know about.
    Some of the things that they could do I had included in my 
written statement, but top priorities would be they need to 
obviously have strong passwords and multifactor authentication 
(MFA). We have done a poor job at implementing strong passwords 
and MFA, and that is one of the areas where attackers are able 
to breach our networks. Another aspect that is important is 
being able to monitor our networks 24/7. Most small facilities 
have no staff to be able to monitor. Even if they have the 
tools for a log management or for monitoring the endpoint 
devices, if nobody is watching the console and nobody is there 
to pick that attack up then it could be hours, critical hours 
in a cyberattack, before they even notice that somebody has 
gotten into their network.
    Senator Hawley. Let me ask you about the urban-rural 
divide. How do you assess the current state of cybersecurity in 
rural hospitals versus urban, and if there is a disparity, as I 
imagine there is, to what do you attribute that? Is it funding? 
What are the factors there?
    Ms. Pierce. I would say from my experience, urban hospitals 
predominantly have staff within their facility, most of them 
have multiple staff that are addressing each area of the 
complex issue of cybersecurity. Smaller facilities, from my 
experience most of them have no staff that are directly 
assigned to cyber or they have very little staff in that area. 
I think there is a huge disparity between them.
    What is important to know is that most small hospitals are 
connected to larger tertiary care centers. They need a place to 
refer their sicker patients. This is the path of least 
resistance for cyber attackers. When they are trying to figure 
out how to attack large health systems they are coming in 
through small hospitals, and we have seen that play out in 
2022, where a small hospital is the avenue of least resistance. 
The cyber attackers attack there, where they know the defenses 
are low, and actually gain access to a plethora of information.
    Senator Hawley. Is part of what needs to happen here, these 
rural hospitals that, as you say, are often part of larger 
hospital networks, I mean, at the network level do we need to 
have more staff there that can perform the monitoring? Because 
I am thinking about the hospital in the town where I grew up. 
My little town was the county seat and it was the county 
hospital, but they did not have excess staff--not that it is 
excess to cybersecurity, but they did not have a lot of staff. 
Let us put it that way. What staff they did have were treating 
patients, which is exactly the scenario you have described.
    Trying to think about when we try to find a solution for 
these rural hospitals and we say, ``You need to have staff that 
are devoted to cybersecurity,'' they are going to say, ``How in 
the world would we do that?'' Do we need the larger hospital 
networks, who, at the administrative level, probably do have 
staff, should they be the ones who are taking on this burden? I 
mean, what is the path forward here, do you think?
    Ms. Pierce. I think we did allow, through Stark law 
changes, for larger facilities to assist smaller facilities 
with their cyber defense, and we saw absolutely no traction in 
that area. Large health systems were given some leeway to 
assist and they have not extended those opportunities to small 
facilities.
    I believe that the answer would be to incentivize those 
facilities to secure their own networks, to ensure that they 
have access to some funds that will enable them to implement 
the security that they need to protect their networks.
    Senator Hawley. Very good. Thank you for that.
    Mr. Dresen, if I could just switch to you for a second, I 
want to talk about China. You write, in the testimony you 
submitted, about the increasing frequency of attacks from 
nation-state actors and organized crime. Just drilling in on 
China for a second, do you have any sense of the number or 
percentage of the attacks we have seen recently, these 
cyberattacks, that are committed by Chinese hackers?
    Mr. Dresen. I do not have specific details of the source of 
attack from China versus Russia versus other countries. It is 
just significant in terms of the daily barrage we get, and are 
repelling to help protect us.
    Senator Hawley. What could the government do, the U.S. 
Government be doing to help protect hospitals and health care 
systems from attacks by these nation-state actors, and 
particularly again given China, where we have heard testimony 
in this Committee before about the huge increase in 
cyberattacks, across industries, but arguably none more 
important than the health care industry. What could the U.S. 
Government be doing to help counter that?
    Mr. Dresen. We need to take a whole-team approach to solve 
this problem, where the hospitals and health care sector are 
the defensive side of that equation and that relationship, 
where we are defending our organizations and then having the 
Federal Government bringing higher levels of risk and 
consequences to those who are attacking us. I think the recent 
example of the Hive being taken down is a great one to 
celebrate, a reduction of risks to our organizations.
    Getting more aggressive like that to help protect the 
organizations, and then again, helping to provide more 
actionable intelligence to the health sector in a real-time 
manner, to allow us to be as able as possible to protect 
ourselves with the most current threat information that the 
government has access to.
    Senator Hawley. Thank you.
    Senator Padilla [presiding.] Thank you, Senator Hawley.
    Senator Blumenthal is next.

            OPENING STATEMENT OF SENATOR BLUMENTHAL

    Senator Blumenthal. Thank you, Senator Padilla. Let me 
pursue that question. Would it not be important for our law 
enforcement and intelligence agencies to take more proactive 
and maybe more aggressive action with respect to China and 
Russia if they are condoning or even encouraging ransomware 
attacks?
    Mr. Dresen. We would certainly promote and advocate for 
increased collaboration between government agencies, especially 
those who have threat intelligence and awareness of those types 
of activities.
    Senator Blumenthal. More than just collaboration. Should 
there not be greater focus, or resources devoted to it, and 
more prosecution? Obviously, prosecution may be difficult 
because the actors may be beyond our jurisdictional reach, but 
certainly there are sanctions that can be imposed.
    Mr. Dresen. Opportunities for attribution are challenging 
in these types of circumstances, and so when that is possible I 
would certainly support it. The actionable threat intelligence 
that these entities can share with us to help us better protect 
ourselves defensively would be extremely helpful.
    Senator Blumenthal. Do you think there is actionable 
intelligence that right now is unshared?
    Mr. Dresen. I think there probably is in the context of 
active investigations that may be taking place. The opportunity 
to share that with our sector as much as they can would be 
encouraged.
    Senator Blumenthal. Do you know of specific investigations 
that have not been shared?
    Mr. Dresen. I do not.
    Senator Blumenthal. Do you hear from colleagues in the 
industry about such investigations?
    Mr. Dresen. Not typically, no.
    Senator Blumenthal. Why do you say there are?
    Mr. Dresen. I think there is a perception that from law 
enforcement, when they tell us that they may have 
investigations they cannot share information with us, they do 
not give us specifics. They just make us aware that there are 
active investigations. Then we see through press reports when 
they do release information, like the Hive getting taken down. 
You understand that was a very long process that it took them 
to take that action, and so you understand that those types of 
activities take time to work themselves through.
    Senator Blumenthal. If there were more effective 
prosecution, either by the Department of Justice (DOJ) or by 
other agencies, it would have some deterrent effect.
    Mr. Dresen. I think any improvement in our ability to 
defend ourselves from those threats would be helpful.
    Senator Blumenthal. Do any of the other members of the 
panel have responses on this issue?
    Mr. Garcia. Yes, I would say that there are innovative ways 
to deal with this before there is an opportunity for 
prosecution, that is various forms of takedown. I was with the 
financial services sector some before this, and we worked 
closely with the Justice Department to identify criminal groups 
that were waging botnet battles, that is hundreds of thousands 
or millions of computers infecting major systems. We worked with 
the Justice Department, using available statutory authorities 
such as Racketeer Influenced and Corrupt Organizations (RICO) 
Act, to simply take down the network that was operating the 
botnet. It was a proactive way of dealing with it.
    Other actions are clearly classified in the intelligence 
community (IC) that the private sector does not participate in, 
but there is a lot of information that cannot be shared with 
industry because it has been classified or it is under 
investigation, as Mr. Dresen said.
    Senator Blumenthal. Should more of it be unclassified to 
help industry safeguard itself?
    Mr. Garcia. I think there is general consensus that there 
is a problem of over-classification in the government. Too much 
information is being classified unnecessarily. Indeed, 
information that sometimes flows from the private sector to the 
government is subsequently classified.
    Senator Blumenthal. In other words, information comes from 
open public sources, it is provided to an agency of government, 
and then it is classified?
    Mr. Garcia. Because there may be additional intelligence 
attached to that, that adds nuance or context.
    Senator Blumenthal. Would you like to see more effective 
investigation, more takedowns, more prosecution by the 
Department of Justice or other agencies?
    Mr. Garcia. Certainly. Absolutely. Any way that the 
government can help disrupt incidents before they happen, based 
on intelligence that it may or is about to happen, that would 
be helpful to the industry, to all critical infrastructure 
industries.
    Senator Blumenthal. Do you or other members of the panel 
have any indication that there is sometimes cooperation within 
the victim institution that enables the hackers to gain access?
    Mr. Garcia. Insider threat is a typical problem. Most 
often, insiders within a company are just making inadvertent 
errors. Others, there are disgruntled employees, and that is 
pretty common anywhere, whether it is cyber or financial fraud 
or other issues.
    Senator Blumenthal. I do not know whether anyone else has 
anything to add on this topic, but it is one of great interest 
to me because I think we have devoted insufficient resources 
and priority to these kinds of attacks, which are threatening, 
seriously threatening to the health of our Nation, not to 
mention to privacy. Would you agree?
    I see most heads are shaking in the affirmative, let the 
record show.
    Let me ask, in terms of the other aspects that are 
problematic, as you may know, Cerebral and BetterHelp are 
mental health startups that shared data with social media 
platforms, in other words, sold or monetized that data. The 
Federal Trade Commission (FTC) fined BetterHelp for sharing 
that health care data to profit from targeted advertising.
    Given the increasing sharing of health care data, what kind 
of privacy and security standards would you think should be 
enhanced or improved to prevent the abuse of that sharing? I 
will ask the panel as a whole.
    Mr. Garcia. I would say, Senator, that there is an 
increasing amount of personal health information that is 
circulated and not regulated, based on wearable technologies 
and home medical technologies. There have been groups, other 
than ours, that are looking into what kinds of data are being 
shared that are not under some kind of regulatory scrutiny, and 
then how do we shore that up. I do not have specific answers on 
that for you.
    Senator Blumenthal. Cerebral recently disclosed it had 
shared personal data of over 3.1 million American patients with 
TikTok, Facebook, and Google. Obviously, this is not a 
cyberattack, but it is an attack on the patients, not an attack 
as perhaps we would characterize it normally. But it is an 
attack on their privacy, and I invite you to think more about 
it and respond in writing if you have any additional ideas.
    Thanks, Mr. Chairman.
    Senator Padilla. Thank you, Senator Blumenthal.

              OPENING STATEMENT OF SENATOR PADILLA

    It is my opportunity to ask questions next, and continuing 
on with that last question, or issue that you raised, Senator 
Blumenthal, I may, in my time, hopefully get to a follow-up 
question on that, because it may not be a cyberattack but it is 
a hugely significant vulnerability that you raise.
    Our health care system is uniquely important and vulnerable 
to cybersecurity attacks and vulnerabilities, and the issue 
touches all of our constituents. As has been discussed, data 
breaches and ransomware attacks on health care providers and 
third-party device makers have affected millions of 
Californians alone. I reviewed the mandatory breach 
notifications filed with the Department of Health and Human 
Services, and as of yesterday morning, there are 63 different 
California-based breaches of unsecured protected health 
information under investigation, affecting over 90 million 
people. That is more than two times the State's population, so 
the national scale of the problem is alarming.
    In addition to the inappropriate disclosure of personal 
information, any disruption to the systems used in the health 
care and public health care settings could be catastrophic for 
many Americans who rely on their services for care. I thank 
Chairman Peters for holding this important hearing.
    The first question may seem a little basic, and maybe a 
little softball, but I think it is critical for folks that are 
following this person, in person and online.
    Breaches in the health care sector allow for the 
disclosure of patient health information as well as Social 
Security, other personal identifiable information (PII), and 
sensitive information. I want to be sure that the public 
appreciates why this information is so sensitive for patients 
and why the health care sector, in particular, is such an 
attractive target for attacks.
    I will direct the question to Mr. Martin. Why is personal 
health information so sensitive and valuable to those who seek 
to steal it?
    Mr. Martin. Senator, thank you for the question. Part of 
what makes health care data so sensitive is that it does not 
change, that it is something that continues to grow, but it is 
not something that can be reset or changed, like a password or 
credit card number or something like that. Once it falls into a 
bad actor's hands, that information can be used in perpetuity 
to purport future crimes, whether that is identity theft or 
blackmail the individual. Those types of things then become 
possible forever as opposed to something where an individual 
could take an action to stop that happening in the future.
    Senator Padilla. Thank you. It is, again, important, I 
think, to put a spotlight on.
    Now according to a report last year from the cybersecurity 
firm, Sophos, 66 percent of health care organizations, two-
thirds, were hit by ransomware attacks last year. Forty-four 
percent of health care organizations suffered an attack in the 
last year, and took up to a week to recover from the most 
significant attack, and 25 percent of them took up to a month.
    I will direct the question to Mr. Garcia. Can you speak to 
the specific challenges that health care organizations face in 
recovering from a ransomware attack and the resulting impact on 
people seeking medical care? I think a more direct version of 
the question that Senator Hawley asked, vis-a-vis foreign 
actions, how can the government help reduce the recovery time?
    Mr. Garcia. That is a very good question. Many hospitals 
that are disrupted by ransomware attacks are unable to schedule 
appointments, they are unable to perform procedures or 
surgeries. They have to go to a paper-based environment. Our 
graduating medical students these days have never seen a pad of 
prescription paper with a pen. It is all electronic now.
    Senator Padilla. Does that mean their penmanship is even 
worse?
    Mr. Garcia. Their penmanship is even worse. It is now all 
thumbs.
    Getting back online, we actually put together a resource 
for health systems that have been disabled for an extended 
period of time. It is called ``Operational Continuity After a 
Cyber Incident,'' and there are many steps that need to be 
taken to ensure that you appropriately sequence getting 
infected systems back online so that they are not reinfected, 
and prioritizing continuity of care to those patients who need 
it most, and that includes getting your financial systems back 
online so that you can get reimbursement so that you do not go 
into the red and insolvent.
    Recommendations about what the government can do to help, 
one of the things we have been discussing and we sort of 
touched on, on this panel, is can there be a strike force from 
the government that can come in and help with, whether it is 
CISA or HHS, to help with reconstituting systems and bringing 
things back online, doing the forensics and the triage at a 
cybersecurity level for those smaller systems. That could 
include some kind of financial assistance to make sure that the 
priority is going to patients while they are bringing systems 
back online.
    Senator Padilla. Thank you. In my time left I want to raise 
one more issue and question. Today there are hundreds of 
thousands of unfilled vacancies in cybersecurity positions 
nationwide. Both private and public sector employers face 
challenges in recruiting, personnel, hiring, and retaining 
professionals to fill these vacancies, which negatively affects 
our collective cybersecurity.
    Growing talent is a priority under the recently released 
White House National Cybersecurity Strategy and Congress. Mr. 
Garcia and Ms. Pierce, can you speak to the specific and unique 
challenges in the health care sector as far as identifying, 
recruiting, hiring, and retaining IT professionals, and do you 
have any recommendations for us today?
    Ms. Pierce. Thank you for the question. I can personally 
share that recruiting and retaining cybersecurity staff is a 
daunting task for a small facility. I do not believe that there 
will be a time when small hospitals will have dedicated 
cybersecurity staff in-house. I believe moving to a managed 
service provider type environment where those types of services 
are outsourced to the people whose business is cybersecurity 
defenses.
    Hospitals' main priority is taking care of patients. It is 
health care. That is their mission. It is not cybersecurity. I 
believe if we go to a model where those things are more 
outsourced it would be beneficial for smaller facilities.
    Senator Padilla. First do no harm, and I think that is 
inclusive of protecting somebody's personal and health 
information. Senator Rosen.

               OPENING STATEMENT OF SENATOR ROSEN

    Senator Rosen. Thank you, Senator Padilla. I really 
appreciate it. We are all going to build off of each other on 
these questions, and I really want to thank you all for being 
here today, for the work you are doing.
    Of course, we are here to talk about health care 
cybersecurity. As one of the 16 critical infrastructure 
sectors, securing the health care and public health sector we 
know is critical to protecting our national security, for 
obvious reasons. Over the past three years, the health care 
data breaches have doubled. In addition to threatening patient 
privacy and security, as all of my colleagues have mentioned, 
these attacks ultimately drive up the cost of health care as 
well, as there have to be more investments made in protecting 
this data.
    Last Congress Senator Cassidy and I introduced the 
Healthcare Cybersecurity Act. It was bipartisan legislation 
that would require CISA to coordinate with and make resources 
available to health care entities, including by developing 
products tailored to the specific needs of small and rural 
hospitals and health clinics, to what you are speaking to, Ms. 
Pierce. You spoke to maybe a task force or separate businesses 
for ransomware security issues.
    But Mr. Garcia, and then Mr. Dresen, maybe you can speak 
about how we could maybe, in the meantime, or instead of doing 
that, or in conjunction, how can we provide cybersecurity 
training to the health care assets owners and operators so that 
we can empower them to be partners in this, instead of just 
maybe turning it over, that they are engaged and empowered, 
especially these small and rural hospitals. Like you said, they 
do not have the capacity to have IT staff. But we want their 
empowerment and engagement.
    If you could speak to that. First, Mr. Garcia, and then Mr. 
Dresen.
    Mr. Garcia. Certainly. Thanks for that question, Senator. I 
mentioned previously a resource that the health care industry, 
our Council, and HHS together produced called Health Industry 
Cybersecurity Practices, which is intended to provide the top 
ten cybersecurity best practices that health systems need to 
implement to be cybersecure. This is a strong partnership 
between HHS and the sector, and we look to CISA with the 
technical support. They have regional cybersecurity advisors 
all over the country and they do provide assistance, technical 
assistance, not just to health systems but to many other 
industry sectors.
    We would like to see them use the HICP in their engagement 
with health systems around the country, because CISA does not 
itself have health care expertise. They need to rely on their 
sector risk management agency, HHS, as the guiding force for 
the technical support that CISA should provide. We believe that 
the HICP and the HICP which is based on the NIST Cybersecurity 
Framework, which is by now a de facto standard, that is the 
best way to provide a focused level of controls to the health 
care industry and try to remove some of the noise around too 
many choices to implement.
    Senator Rosen. That is right.
    Mr. Dresen. Thank you, Senator Rosen. I would call two 
examples of opportunities I think could demonstrate how we 
could be more effective collaborating together. The first is an 
organization in the State of Michigan called the Michigan 
Healthcare Cybersecurity Council, and it is an organization 
that has been together for about 10 years, and originated with 
the sponsorship from the Governor's Office at the time. It 
brought together all the health care entities in the State of 
Michigan to create an environment where we could have a 
collaborative discussion around cybersecurity issues, we could 
share best practices. It connected large systems with small 
systems so that you gave that connectivity and access to 
expertise to everybody in the State to help improve the State 
of the health care sector overall.
    Connecting programs like that to CISA, as Mr. Garcia 
suggested, is an excellent way to connect the knowledge with 
the ability to deliver that information to the people who most 
need it.
    The other example I would share is an organization in Grand 
Rapids called the West Michigan Center for Arts and Technology, 
and they have an innovative program, and Senator Peters had a 
chance to visit last year, and we thank you, Senator Peters, 
for you doing that. It is a program to train diverse students 
who are interested in entering the cybersecurity field, and is 
a tuition-free program that puts them through education 
delivered by a partner entity out of California. They come out 
of that program with certifications and employability in the 
cybersecurity field, which enables them to have a living wage 
for them and their families and provides a well-needed access 
to talent that is needed in the health care sector.
    Advocacy for and sponsorship of those types of programs at 
the Federal level can help local entities deliver that talent 
where it is most needed.
    Senator Rosen. Thank you. Collaboration amongst entities 
and building the pipeline through apprenticeships, those are 
some of my future questions, so we will collaborate and get the 
information from Chair Peters.
    But also we have been talking a lot about our medical 
device cybersecurity. It is very important people have the test 
of pacemakers, all kinds of things. You just call in on your 
phone and they get all of those results. I did have a bill last 
year to strengthen medical device cybersecurity that updated 
the Food and Drug Administration (FDA) guidance, and it was 
included in last year's FDA package and became law as part of 
the omnibus. I do hope, in conjunction with the other things we 
are working on, that this legislation becomes a platform for 
FDA and CISA to work together going forward. You have spoken a 
lot about it, but we are beginning to give those tools.
    But I want to build out a little bit about your, in the 
minute I have left, Senator Padilla's question and everyone's 
question, is building and expanding our workforce because there 
are nearly 800,000 cyber jobs. In every single sector we are 
facing these same challenges. I have introduced a bill with 
Marsha Blackburn, the Cyber Ready Workforce Act, to surge up 
capacity with the Department of Labor (DOL) to award grants to 
increase access to things like a registered apprenticeship 
program that is going to lead to an industry-recognized 
certification, encourage those stackable and portable 
credentials so people can get into the system.
    Mr. Garcia, since Mr. Dresen already talked about it, can 
you explain how we could improve and expand these 
apprenticeship programs through public-private partnership, 
through a community college, that will really help get people 
working in the industry and then they can move up where they 
need to?
    Mr. Garcia. There are lots of ideas to that effect, and one 
that could even be modeled on the medical profession itself, that 
is there is a loan forgiveness or some other kind of subsidies 
for medical students when they go into small to rural settings, 
that they will be forgiven some medical school debt.
    Senator Rosen. I have some of that legislation myself I 
have sponsored.
    Mr. Garcia. That is perfect. The same can be done for 
cybersecurity, and we have that with the National Security 
Agency Centers for Academic Excellence in Cybersecurity, 
scholarship for service by National Science Foundation (NSF). 
There are various ways that we can incentivize students to 
study cybersecurity and then go into the workforce where it is 
most needed and get some level of compensation for that.
    Senator Rosen. Thank you. I see my time has expired. Chair, 
you are back, Chair Peters. Thank you.
    Chairman Peters [presiding.] Thank you, Senator Rosen.
    Senator Sinema, you are recognized for your questions.

              OPENING STATEMENT OF SENATOR SINEMA

    Senator Sinema. Thank you, Mr. Chairman, and thank you to 
the witnesses for joining us today.
    Last year, when Yuma Regional Medical Center fell victim to 
a ransomware attack, 700,000 patients were notified that their 
personal health data had been stolen. But when a hospital is 
hacked it is not just Arizonans' sensitive data that is placed 
at risk. Particularly in rural communities where alternative 
hospitals may not be available, crippling cyberattacks can 
literally be matters of life and death.
    This is also true in other health care contexts. Last year, 
the National Suicide Hotline was brought offline by a 
cyberattack, resulting in an entire day where Arizonans facing 
mental health emergencies could not call 988 and receive the 
support they needed.
    My first question is for Mr. Dresen. Imagine looking in the 
eyes of a parent whose child may have called the Suicide 
Hotline on December 1st but was not able to get through due to 
the cyberattack. I am committed to ensuring that our nation's 
suicide prevention system is better prepared for the next 
attack. The question for you is, what lessons should other 
public health stakeholders take from the hack on the 988 
lifeline?
    Mr. Dresen. Thank you, Senator, for your question. It is 
unfortunate. The event on the 988 attack was a sobering 
reminder of the impact to critical health care services when 
cyberattacks have successful outcomes. It reminds us all of the 
importance of being very aware of the risks we face as a health 
care sector to deliver those services, the need to have an 
adequately funded and staffed team that can implement the 
protections to protect us, and the understanding that we can 
only do so much to protect us and cannot eliminate all risk. It 
requires the partnership of the government to help us provide 
additional protections, increasing risk and consequences for 
those who attack us, and the understanding and the support when 
we are attacked that we are the victims, and help us work 
through that process and do not penalize us for being attacked.
    Senator Sinema. Thank you. Ms. Pierce, a few years ago 
hackers took Wickenburg Community Hospital, the only hospital 
in a small Arizona community, offline. Fortunately, the 
talented IT team in Wickenburg had backed up the hospital's 
data and then worked around the clock to quickly rebuild their 
system from scratch. But not all community hospitals or other 
rural or tribal health care providers are so fortunate. Many 
simply do not have the resources or the cybersecurity expertise 
to quickly recover.
    Given your experience with the rural health system, can you 
discuss some of the unique cybersecurity challenges that are 
facing smaller hospitals?
    Ms. Pierce. Thank you for the question. I think that 
smaller hospitals have a varying degree of ability to recover 
from those attacks. One of the things that is imperative is 
that the attacks are identified and remediated quickly. I am 
not aware of the particular attack you are speaking of, but I 
would imagine that they identified quickly that there was an 
issue, took things offline immediately, and were able to 
restore from backup.
    Frequently cyberattackers have been within the network and 
been able to not only compromise existing systems but have also 
compromised the backups. The challenges can be extensive in 
recovery to that type of attack and we have seen some health 
systems, even larger systems, take weeks, if not months, to 
recover.
    I would say that there is no one answer to that question. 
There is a wide range of abilities and talent within rural 
communities. I think that your particular hospital was the 
exception, not the rule, when it comes to cyberattacks.
    Senator Sinema. Thank you. Mr. Garcia, today ransomware 
attacks against hospitals are mostly financially motivated, but 
tomorrow cyberattacks may target specific patients with the 
intent to kill or injure them. As more Arizonans receive 
wireless medical device implants, the possibility that a hacker 
could disable a pacemaker or manipulate an insulin pump is 
something we need to take seriously.
    How could public and private sectors get ahead of this 
threat and ensure that wireless medical devices meet the most 
rigorous cybersecurity standards?
    Mr. Garcia. Yes, that is a very good question. Thank you, 
Senator. There is a lot of work being done in ensuring the 
security of a variety of connected medical devices--wireless, 
wired, and otherwise. The idea of pacemakers and such, the one 
issue about that is it is one of those low probability, high 
impact kinds of events. You have to be right next to somebody 
with a phone to actually communicate with the pacemaker.
    Senator Sinema. Right now.
    Mr. Garcia. Yes, right now. What we are concerned about, 
however, is a much broader attack, where patient data can be 
corrupted in a much broader scale within a hospital system, so 
that anybody who is being treated in a hospital can be given 
the wrong dose of medicine, or the wrong treatment based on 
corrupted data about their specific patient data.
    That is the much higher risk that we need to be concerned 
about. Meanwhile, the medical device industry, through the 
Sector Coordinating Council, is working hard to develop 
standards of practice for how you design, develop, manufacture 
cybersecurity into medical devices, connected wirelessly, 
Bluetooth, whatever, from the ground up, so that they are 
secure by design. That is an ongoing and long-term program that 
the medical device community is acutely aware of.
    Senator Sinema. Thank you. Mr. Dresen, if a ransomware 
attack affects an emergency room, even if we are able to 
restore those systems within one hour, some patients may not 
live that long. This sense of urgency incentivizes hospitals to 
pay ransoms to hackers, something, of course, that the Federal 
Bureau of Investigation (FBI) and CISA advise against. Although 
paying may protect specific patients in hospitals in the short 
term, it also, of course, guarantees and perhaps incentivizes 
that hackers will continue targeting hospitals in the future.
    How do you believe that hospitals should navigate the 
decision of whether or not to pay a ransom, and how can the 
Federal Government help hospitals enhance their cyberattack 
prevention and mitigation capabilities so that the question of 
whether to pay or not to pay becomes irrelevant?
    Mr. Dresen. It is our policy to align with the FBI guidance 
to not pay ransomware, and so we do everything we can to 
mitigate the risk that that is going to happen. We do that by 
evaluating the risk we have to our organization of a 
cyberattack, making investments with our leadership support to 
ensure we have protections in place to reduce the likelihood 
that that is going to happen.
    The support we can gain from the government to help further 
mitigate that risk is improved threat intelligence sharing that 
is actionable and near real-time, so we can have the most up-
to-date information available to us to help protect us, as well 
as, again, reinforcing educational programs that can help train 
qualified staff that we can have work with us to ensure we can 
implement the best practice recommendations to protect our 
organization.
    Senator Sinema. Thank you. Thank you, Mr. Chair.
    Chairman Peters. Thank you, Senator Sinema.
    I would like to thank our witnesses for joining us here 
today and for your contributions to what is a very important 
conversation. As we heard today, cyberattacks against our 
health care sector can result in tragic consequences and can 
cause serious disruptions to patients' lives.
    As Chairman of this Committee, I have worked on a 
bipartisan basis to significantly strengthen our nation's 
cybersecurity, and I hope that we can build on those efforts by 
making sure the Federal Government can provide additional 
support for our most frequent targets of ransomware, including 
the health care sector. I urge my colleagues to join me in 
these efforts to ensure our nation can continue to combat these 
threats and build resiliency into our critical infrastructure. 
Our witnesses' testimony today will help inform the Committee's 
future legislative activity as well as oversight on this issue.
    The record for this hearing will remain open for 15 days, 
until 5 p.m. on March 31, 2023, for the submission of 
statements and questions for the record.
    This hearing is now adjourned.
    [Whereupon, at 11:34 a.m., the hearing was adjourned.]

                            A P P E N D I X

                              ----------                              
