Chairman Griffith, Vice Chair Lesko, Ranking Member Castor, and distinguished members of the Committee, it is an honor to testify before you today on the Department of Health and Human Services’ (HHS) efforts to strengthen the Healthcare and Public Health (HPH) critical infrastructure sector’s preparedness for and response to malign cyber activity.
I am grateful for this opportunity to address this subcommittee and appreciate your continued support in this important area for national and health security. My testimony today summarizes (1) the growing cyber threat facing the HPH sector; (2) the role of HHS and the Department’s Administration for Strategic Preparedness and Response (ASPR) as the Sector Risk Management Agency (SRMA) in addressing this threat; and (3) our current approach to strengthen the sector’s cybersecurity today and into the future.
As you are all too aware, the HPH sector continues to experience an array of increasingly sophisticated cyberattacks that exploit complex, interconnected hospital infrastructures, historically underfunded cybersecurity functions, and an often-unwieldy number of vulnerable legacy systems and network-connected medical technologies, including medical devices. These cyberattacks against the HPH sector are growing both in numbers and severity, with the frequency of cyberattacks on hospitals and health systems more than doubling from 2016 to 2021.1 Specific to ransomware, according to the Federal Bureau of Investigation’s (FBI) Internet Crime Reports, the HPH sector experienced a 42 percent increase in ransomware attacks compared to 2021.2 There are, on average, six or more significant cyber incidents impacting the sector every week. Ransomware is currently the largest threat to the HPH sector and the Administration has identified it as a key sector, alongside the transportation, banking, and water sectors.3 The bad actors conducting these cyberattacks against the HPH sector generally have a few known motivations influencing their actions, including financially motivated crime; state- sponsored attacks for the purposes of exfiltration of sensitive information or to generate currency; and hacktivism to influence or inflict reputational impacts.