Officials from the health care and education sectors called on Congress Wednesday to provide better Federal aid to state and local governments to not only respond to ransomware attacks, but also to help prevent them.
In June 2021, Judson Independent School District – which includes nearly 30,000 students and staff in San Antonio, Texas – was attacked by adversaries using ransomware, and according to the district’s Assistant Superintendent of Technology, “no state or Federal agency ever visited or offered recovery assistance.”
Lacey Gosch urged lawmakers during a joint House Oversight Subcommittee hearing on Sept. 27 to provide funding for solutions for schools to prevent cyberattacks, protect data, and upgrade equipment. She also recommended formal recovery and mitigation programs for cybersecurity within schools.
“Our recovery took more than a year, and the district continues to make improvements,” Gosch said. “Thankfully, there are companies and school district partners who saw our situation as an opportunity to learn – we learned that the cavalry does not come, and we must rely on our own resources.”
The district leader said that Judson Independent School District made the difficult decision to pay the $547,000 ransom demand, but between upgrading old IT systems and hiring legal help, the district spent in total between $3 million and $5 million in the aftermath of the attack.
“Schools are often forced to balance the needs for student curriculum, personnel resources, facilities, and other operations on limited budgets,” Gosch said. “Therefore, funding for solutions to prevent attacks and protect data and upgrade equipment is pushed aside for more visible and tangible items.”
“Recovery and mitigation programs for cybersecurity have not been formally developed for schools, but we would recommend potentially discount programs similar to things like E-Rate and other Federally supported programs,” she continued. “Additionally, there are other measures such as standards for network security requirements for making social security numbers masked in all systems. Training, educational programs, and social emotional programs for affected individuals is also needed.”
The joint hearing of the House Oversight’s Subcommittees on Cybersecurity, Information Technology, and Government Innovation and Economic Growth, Energy Policy, and Regulatory Affairs also featured a witness from The University of Vermont Medical Center – which suffered a ransomware attack in October of 2020.
The medical center’s President, Stephen Leffler, said during the hearing that the cyberattack was by far much more difficult than what his staff had to deal with during the COVID-19 pandemic.
The attack took the hospital offline for 28 days and cost the organization $65 million, he said.
“It was a 24 hour a day, seven day a week job for our IT staff,” Leffler said. “We’re very fortunate the state of Vermont realized how important this was and gave us National Guard workers to help.”
Leffler agreed with Gosch in that the health sector needs help from Congress with grants, funding, and cheaper ways to implement cybersecurity and protect important data.
“In every budget that we build, as a doctor, I want to spend all the money on patient care, technology, new equipment there,” Leffler said. “Prior to the cyberattack, usually cybersecurity stuff would fall down the budget – oftentimes come off.”
He continued, adding, “Having ways to more cheaply buy programs and have those programs be current and new and upgraded or grants to bring your hospital up to standards, have a strong backup so you don’t have to pay the ransom would make a huge difference.”
