WASHINGTON – U.S. Senator Bill Cassidy, M.D. (R-LA) today sat as the Republican lead for the Senate Committee on Health, Education, Labor, and Pensions (HELP) hearing on cybersecurity in the health care and education. Cassidy highlighted the growing importance of a strong cyber defense and the effect cyberattacks can have on vulnerable populations.
“As a doctor, I cannot express enough the importance of timeliness in care,” said Dr. Cassidy. “Cyberattacks that delay that care cost American lives, especially during a pandemic.”
“A strong cyber defense to protect our country from virtual threats is becoming just as important as a strong military and police force to defend from physical threats,” continued Dr. Cassidy.
Last year, Cassidy’s bipartisan K-12 Cybersecurity Act, which provides enhance cybersecurity assistance to K-12 education institutions, was signed into law. Earlier this year, Cassidy introduced the Protecting and Transforming Cyber Health Care (PATCH) Act and the Healthcare Cybersecurity Act to improve cybersecurity practices and protect cybersecurity infrastructure in the health care industry.
Click here to watch Cassidy’s full opening remarks.
Click here to watch Cassidy question witnesses.
Cassidy’s opening remarks as prepared for delivery can be found below:
Good morning and thank you all for attending today’s hearing on cybersecurity in the health and education sectors. Thank you to our witnesses for taking time to testify today.
In April 2020, the Federal Bureau of Investigation (FBI) announced that it expected cyberattacks to increase as a result of the shift to virtual environments during the pandemic. That prediction came true.
While cyberthreats impact nearly every aspect of our daily lives—today—we are discussing just two.
According to data from the K-12 Cybersecurity Resource Center, K-12 schools have experienced an 18% increase in cyberattacks in 2020 compared to 2019. Specifically, 377 school districts across 40 states suffered 408 publicly disclosed cybersecurity incidents in 2020. Microsoft Security Intelligence found that 61% of nearly 7.7 million enterprise malware encounters reported in May of 2020 came from the education sector, making it the most affected industry.
With regard to health care, nearly 50 million people in the U.S. had their sensitive health data breached in 2021, which is more than triple the 2018 numbers. Just last month, U.S. federal agencies, led by the Cybersecurity and Infrastructure Security Agency (CISA), issued the strongest warning yet of cyberattacks on critical infrastructure by Russian government security and intelligence services in retaliation against any organizations providing support to Ukraine.
So what exactly are these cyber threats and incidents? In both health and education, the industries are being hit by ransomware and phishing attacks.
In the health industry, patient care is time-sensitive. As a doctor, I cannot express enough the importance of timeliness in care. Cyberattacks that delay that care cost American lives, especially during a pandemic. A September 2021 CISA report found that ransomware cyberattacks on hospitals lead to significant and sustained hospital strain and related consequences, such as IT network failure, ambulance diversion, strain on ICU bed utilization, and increased mortality. We must talk today about stopping our adversaries from denying our patients the care they need. Cyber-attacks are never a victimless crime.
In K-12, phishing attacks stealing data about our youngest children are especially concerning because it can take years to discover that a child’s identity has been stolen. In the meantime, these bad actors can open credit cards and rack up large debts with a child’s identifying information.
Ransomware attacks, on the other hand, show themselves immediately and can result in significant disruptions in the classroom. Ransomware attacks come at a high cost—both in ransom paid and the work it takes to restore systems. In one higher education example, the University of California, San Francisco medical school paid $1.14 million to hackers who encrypted and threatened to publish sensitive information stolen from the institution. In one health care example, Universal Healthcare Services, or UHS, experienced a cyberattack in October 2020 costing UHS $67 million in lost revenue and recovery efforts.
Collaboration with and among the private sector is essential to solving this problem. Existing partnerships with organizations like some of the ones some of you represent, as well as closer collaboration among federal agencies, are key ingredients as we pursue a long-term solution to our cyber vulnerabilities.
A strong cyber defense to protect our country from virtual threats is becoming just as important as a strong military and police force to defend from physical threats. From the Bipartisan Infrastructure Bill to military aid for Ukraine, nearly every comprehensive piece of legislation has to consider and address the importance of cybersecurity.
Continuing that discussion in regards to Americans’ health and education is also needed. It is important that the committee is doing this today.
With that, I look forward to hearing from our witnesses about how we can improve our cybersecurity protocols at the federal level.