05.18.22

Senator Murray: Protecting Schools and Hospitals Against Cyberattacks is a Matter of National Security

Senator Murray: “We can’t just call it a day after we make technology easy to use and access. We need to make sure it is also safe and secure. We need to address cybersecurity attacks and ensure they are treated like the national security threat they are.”

 

***WATCH: SENATOR MURRAY’S OPENING REMARKS***

  

(Washington, D.C.) – Today, U.S. Senator Patty Murray (D-WA), Chair of the Senate Health, Education, Labor, and Pensions (HELP) Committee, led a hearing on strengthening cybersecurity in the health care and education sectors to ensure that the technologies people increasingly rely on to meet with their health care providers virtually, get lab results, teach and attend classes, and so much more are safe and secure—and protected against devastating cyberattacks from hackers, organized crime, and hostile state actors like Russia, China, Iran, and North Korea.

 

“Every day, students, educators, patients, and health care providers across the country rely on countless programs and IT systems to learn with online tools, get a prescription, do a telehealth appointment, and so much more,” said Senator Murray. “And during the past few years, COVID-19 has made technology even more central in health care and education as patients and providers have made greater use of telehealth services to make care accessible, and schools are helping close the digital divide by connecting students to the internet and devices …. But we can’t just call it a day after we make technology easy to use and access. We need to make sure it is also safe and secure. We need to address cybersecurity attacks and ensure they are treated like the national security threat they are.”

 

During the hearing, Senator Murray made clear that cyberattacks are on the rise and can have serious—and even life-or-death—consequences. Senator Murray highlighted that in 2020, 70% of hospitals surveyed said they had faced “a significant security incident” in the last year and noted that there were at least 1,300 school cybersecurity incidents in the U.S. from 2016 to 2021. In Washington state, there were at least 44 breaches in the health care sector and 35 in the educator sector last year alone.

 

“The fallout from these attacks can be devastating and wide-ranging. Hospitals can get locked out of the electronic health records they need to understand a patient’s conditions, or software needed to schedule surgeries, track prescriptions, get lab results, and divert ambulances,” said Senator Murray. “These kinds of challenges don’t just cause major headaches, lawsuits, and expenses for hospitals. They put patients in danger. They undermine our national security. And in some cases they even cost lives.”

 

“Meanwhile, schools are at risk of getting locked out of the online programs that students use to get and turn in assignments, teachers use to post and track grades, and administrators use to lay out courses and schedules for the semester. Hacks can also disrupt routine functions like payroll, and can leave patients, students, and staff exposed to identity theft. And that can be especially concerning for K-12 students—as it often isn’t clear to students or parents that a child’s identity has been stolen until they open a bank account, or request student aid,” added Senator Murray.

 

Senator Murray also stressed that cyberattacks against our nation’s hospitals and schools are a serious national security threat—and highlighted the importance of protecting against them. During the hearing, Senator Murray asked cybersecurity experts about best practices, necessary investments and defenses, and steps to protect against these attacks.

 

“This is a serious national security threat, and families need to know we are taking action to keep them safe from our enemies here. Because we know our biggest global adversaries—like Russia, China, North Korea, and Iran—have been putting resources into sharpening their cyberattack capacity,” said Senator Murray. “Cyberattacks also have huge implications for our country as a whole. They can undermine our competitiveness on the world stage. And the possibility of a cyberattack coordinated by our enemies to take out health care facilities—especially at a moment of crisis—is a serious threat. So we have to make sure we are ready and vigilant.”

 

Senator Murray’s remarks, as prepared for delivery, are below:

 

“Every day, students, educators, patients, and health care providers across the country rely on countless programs and IT systems to learn with online tools, get a prescription, do a tele-health appointment, and so much more.

 

“It’s easy to take for granted how critical technology is to fundamental tasks like collecting and protecting the personal data of students and patients, keeping track of course requirements, lesson plans, and student financial aid, or providing information about prescriptions, allergies, and surgeries—information with potentially life-and-death consequences.

 

“And during the past few years, COVID-19 has made technology even more central in health care and education as patients and providers have made greater use of telehealth services to make care accessible and schools are helping close the digital divide by connecting students to the internet and devices.

 

“With that increased reliance on technology, we must also increase the attention given to the challenges technology presents.

 

“A critical part of that is closing the digital divide, and ensuring all of our communities have access to the internet—which is why I fought so hard to invest in universal broadband and digital equity in our bipartisan infrastructure law.

 

“But we can’t just call it a day after we make technology easy to use and access. We need to make sure it is also safe and secure. We need to address cybersecurity attacks and ensure they are treated like the national security threat they are.


“Because cyberattacks are on the rise.

 

“In 2020, 70 percent of hospitals surveyed said they had faced a ‘significant security incident’ within the past 12 months.

 

“And between 2016 and 2021, there were over 1,300 school cybersecurity incidents in the U.S.—and that’s just counting those that were publicly disclosed.

 

“Back in Washington state we know there were at least 44 data breaches in the health care sector last year, and at least 35 in education. And the number of cyberattacks in our state overall increased significantly from 2020, with the number of large-scale attacks affecting over 50,000 people having tripled.

 

“During this pandemic, we also saw hackers infiltrate our state’s unemployment insurance system, a breach that exposed the information of over a million people across the state.

 

“These attacks can come from a wide variety of sources individual hackers, organized crime, and even hostile state actors as we have most recently seen in Russia’s invasion of Ukraine.

 

“This is a serious national security threat, and families need to know we are taking action to keep them safe from our enemies here.

 

“Because we know our biggest global adversaries—like Russia, China, North Korea, and Iran—have been putting resources into sharpening their cyberattack capacity.

 

“And cyber attacks can also take a wide variety of forms.

 

“Data breaches that expose sensitive information—from health information adversaries might use to threaten national security to private financial information about patients, students, and staff.

 

“Distributed-denial-of-service attacks that can be used by hostile countries, and others, to make computers and networks unresponsive, and shut down services.

 

“Or ransomware attacks where foreign actors or other dangerous organizations hold essential services and data hostage unless a large financial ransom is paid.

 

“And even when a hospital or school is doing everything right there are always new threats they may not be able to be prepared for and every organization is still vulnerable to attacks on the tech vendors they rely on.

 

“For example, a 2019 cyberattack on Pearson affected over 13,000 students, and a breach at another education vendor last year, Blackbaud, exposed the financial information of 17,000 students—just from Washington state alone.

 

“The fallout from these attacks can be devastating and wide-ranging.

 

“Hospitals can get locked out of the electronic health records they need to understand a patient’s conditions, or software needed to schedule surgeries, track prescriptions, get lab results, and divert ambulances.

 

“I’ve even heard from health departments back in Washington state about how responding to cyberattacks has pulled resources and staff from their COVID vaccination efforts. 

 

“These kinds of challenges don’t just cause major headaches, lawsuits, and expenses for hospitals.

 

“They put patients in danger. They undermine or national security. And in some cases they even cost lives.

 

“Meanwhile, schools are at risk of getting locked out of the online programs that students use to get and turn in assignments, teachers use to post and track grades, and administrators use to lay out courses and schedules for the semester.

 

“Hacks can also disrupt routine functions like payroll, and can leave patients, students, and staff exposed to identity theft.

 

“And that can be especially concerning for K-12 students—as it often isn’t clear to students or parents that a child’s identity has been stolen until they open a bank account, or request student aid—which may not happen for several years.

 

“Cyberattacks also have huge implications for our country as a whole.

 

“They can undermine our competitiveness on the world stage.

 

“And the possibility of a cyberattack coordinated by our enemies to take out health care facilities—especially at a moment of crisis—is a serious threat.


“So we have to make sure we are ready and vigilant.

“That’s why I’m glad President Biden has signed into law legislation we passed to require more reporting of cyber incidents, and to study the impact of cyberattacks on K-12 schools.

 

“It’s why I’m watching closely as HHS works to strengthen its information security systems, and as ED works to help protect K-12 schools from cyberattacks.

 

“And it’s why today’s hearing is so important. I want to hear from all of our witnesses about how we can address urgent challenges like:

 

“How do we recruit, train, and retain more cybersecurity experts? Especially in the health and education sectors where there is a big shortage.

 

“What are some best practices schools and health care providers should be implementing? And how can we better connect organizations to share information like this that will help prevent, mitigate, and respond to cybersecurity incidents?

 

“How can we improve disclosure of cybersecurity incidents, so people will know when and how they are affected by a hack, what they might do about it, and how they can protect themselves?

 

“And what are we doing to prepare for attacks from hostile foreign actors? How do we make sure we don’t just keep up, but keep ahead of Russia, China, North Korea, Iran, and others here?

 

“It is especially critical to me that we are treating cyberattacks like the national security threat we know they are.

 

“These are incredibly important questions for families back in Washington state—and across the country, whose privacy, finances, futures, and even lives depend on making sure we have good answers, and take clear steps to put them into practice.

 

“And now I’ll turn it over to Ranking Member Burr for his opening remarks.”

 

###