Cyber threats to health, education sectors rise with ransomware and limited security resources
The healthcare sector and supporting critical infrastructure sectors “can no longer look at challenges through a simple cyber and/or physical lens, but must consider all threats to operational resilience”, while the Education suffers from equity issues reflected in reduced cyber protection capabilities in underfunded K-12 districts and colleges, experts have told lawmakers.
“With the rise of digital healthcare, the proliferation of technological advancements, and the efficiency of connecting devices and data, the surface of cyber threats in healthcare has exploded and threat actors have followed,” Health Information Sharing and Analysis Center (H- ISAC President and CEO Denise Anderson, who also represents the Health Sector Coordinating Council’s Cybersecurity Task Force, said at the hearing of the Senate Committee on Health, Education, Labor and Pensions on May 18 that it was examining cyber threats to the health and education sectors.”The focus has traditionally been on data and confidentiality, but if providers cannot provide services or if data is manipulated or destroyed, patients’ lives may be at risk.”
Ransomware, she pointed out, “has had a significant impact on the healthcare industry”, with Ryuk ransomware being linked to more than 200 ransomware attacks affecting healthcare institutions that have inflicted near revenue loss. of $100 million and remediation costs of $500 million.
Ireland’s national healthcare system was hit by Conti ransomware in May 2021, causing all IT systems to crash, resulting in canceled surgeries and delayed medical care. Recovery from the attack took four months.
“The other impact of ransomware is the downstream effects when vendors are attacked,” Anderson said. “When a human resources company was attacked in December 2021, hospitals were forced to manually manage payroll and staff scheduling during a spike in COVID-19 infections. In January 2021, a key manufacturer in the supply of packaging for COVID-19 treatments was attacked and pharmaceutical manufacturers experienced slowdowns in the production and shipment of packaging during a vital period of the pandemic.
The COVID-19 pandemic “has caused several incidents,” she added. “Threat actors assessed sensitive documents for a COVID-19 vaccine at the European Medicines Agency where the documents were stored. Actors attacked and blocked access to an Italian COVID-19 vaccine reservation system and organizations offering cold storage and delivery processes to maintain vaccines at safe temperatures have been targeted.A concerning trend of threat actors has been the intent and ability to target the IT supply chain, such as the SolarWinds attack to gain access to a larger group of victims.
Noting the fear of repercussions such as those following the Petya attacks in 2017 which affected more than 300 companies and cost more than $10 billion, Anderson stressed that “eEven if health care is not directly targeted, the cascading impacts such as access to communications and electricity can be significant.
“The health sector is highly interconnected. Sensitive patient information must pass between entities to facilitate proper patient care and history. Hospitals use tens of thousands of medical devices,” she told senators. “Expensive devices are not easily replaced and run on software that is no longer patched or supported. Additionally, many of these devices operate 24/7/365, it is therefore complicated to put them offline or to correct them.
Joshua Corman, founder of I Am the Cavalry, a volunteer group of hackers “trying to save lives through security research”, said they had “compromised insulin pumps to deliver a lethal second dose of insulin without authentication”.
“We found that bedside infusion pumps that were expected to deliver a three-hour dose of a calcium channel blocker could empty the contents in 30 seconds,” he said. “And we’ve been doing it through clinical ER hacking simulations in consultation and working with federal agencies, with doctors, with doctors to see if we can handle these disruptions to technologies that we take for granted. “
Cybersecurity program director Amy McLaughlin of the Consortium of School Networking told senators that K-12 school districts “face increasing attacks and threats” from broadly organized crime, nation-state actors and terrorist organizations.
“The most common threats facing K-12 schools are ransomware attacks designed to encrypt and block access to computer system data until a ransom is paid, phishing attacks flood employees education with fraudulent emails attempting to trick them into responding with sensitive data, distributed denial of service attacks that flood target networks rendering them inaccessible, and cyberattacks on vendors providing services to multiple districts that drive large-scale impacts,” she said.
“The impacts of cyberattacks on school districts, teachers, and K-12 students include lost instructional time, reputational damage to schools, high financial costs of cyberincidents, increased cybersecurity insurance costs, financial and credit hardship for students and employees from the loss of their personal data, and growing mental health impacts, including increased anxiety and depression” , she added.
In Toledo, Ohio, and Fairfax County, Virginia, McLaughlin noted, cyber attackers have threatened to release personal information about students and educators, and ransomware has crippled school districts in Baltimore and Hartford, in Connecticut.
“And on the first day of classes, public schools in Florida’s Miami-Dade County, the fourth-largest U.S. district, saw their networks overwhelmed by denial-of-service attacks,” she continued. “K-12 schools and districts have faced significant challenges in protecting themselves from cyberattacks. Most districts view cybersecurity as a technical issue and it is not. It is an issue that requires everyone in an organization to understand and be part of the solution and understand their role in protecting the organization.
“Backup technologies are expensive, and the primary funder of K-12, the E-rate program, does not fund cybersecurity or network defenses. School districts are struggling to hire cybersecurity professionals. With nearly 500,000 vacancies in cybersecurity in the United States, districts cannot compete with salaries and opportunities in the private sector. »
McLaughlin pointed out that “digital equity is a significant challenge because cybersecurity issues disproportionately impact our school districts who have less funding available to support and secure their technologies, and adding IoT devices to networks requires additional protections that districts are unable to fund and unprepared to deliver.”
K-12 school systems are taking “many steps” to strengthen cybersecurity, from training staff to implementing multi-factor authentication, “but other federal steps should be taken to help our schools and our districts to improve their cybersecurity defenses,” including additional funding for the Multi-State Information Sharing and Analysis Center (MS-ISAC) “to provide their fee-based K-12 services free of charge” as well as fund universities and colleges to run security operations centers that can simultaneously provide cost-effective services to K-12 schools and train new cybersecurity professionals.
“Our K-12 districts are on the front lines of protecting their data and systems from much larger, better-funded organizations and a rapidly changing cyber threat environment,” McLaughlin said. “They need access to staff and technical resources to continue to provide safe education. Thank you for your time and I look forward to your questions.
Helen Norris, chief information officer of Chapman University, told senators that threats to higher education include ransomware, phishing, hacking and social engineering, and that universities that include medical centers and teaching hospitals “have even more difficulty managing individuals’ personal health information.”
“Our systems have evolved into complex environments that include large data centers and a growing set of third-party partners,” she said. “The scope and intensity of our operations present challenges in keeping them safe. And we know that bad actors always seek to turn our difficulties into opportunities. »
Countering cybersecurity threats “is expensive,” Norris noted, and the investment varies by type of institution. A smaller university or community college with fewer financial resources “will be challenged to do this even if it has to protect sensitive student data in the same way…the complexity of this job is enormous.” Institutions are also “challenged by the growing number and complexity of cybersecurity regulations, which generate costs that divert resources from risk management.”
“Many security incidents occur when an individual falls into a trap set by a hacker,” Norris said. “So much of our work is educational, ensuring our students and others have the tools they need to protect themselves. Colleges and universities are also addressing cybersecurity by joining forces through collaboration to protect the entire ecosystem. We share information on new threats, best practices and tools from community sources. »
“We also work closely with federal and state agency partners, particularly the FBI and CISA. The institutions want to continue to rely on our response to the threats that exist and we consider that the partnership at the federal level is essential in this respect. We encourage continued and growing collaboration between our community and federal agencies.