Mrvan Opening Statement for Technology Modernization Subcommittee Hearing on Cybersecurity

Press Release

Date: May 20, 2021
Location: Washington, DC

Washington, DC - Congressman Frank J. Mrvan convened a hearing today with the House Committee on Veterans' Affairs Subcommittee on Technology Modernization entitled "Cybersecurity and Risk Management at the VA: Addressing Ongoing Challenges and Moving Forward."

A video of the hearing is available here and the text of the opening statement as prepared for delivery is below.

This afternoon, the Subcommittee will be reviewing the Department of Veterans Affairs' cybersecurity posture. We will also be reviewing the findings in the annual Federal Information Security Modernization Act or FISMA audit. Our goal here today is to assess how VA manages its cybersecurity program--including its cyber supply chain, how it controls access to confidential data, and how well it safeguards its information technology assets.

At today's hearing we will hear from VA leadership about the broader cybersecurity landscape, the challenges, management's approach to tackling these challenges, and what resources may be needed.

Last Congress, the Subcommittee on Technology Modernization held the Committee's first ever hearing to examine VA's cybersecurity. I am pleased that we can continue this important work and explore the ongoing cybersecurity management challenges at VA.

Cybersecurity is not a new challenge in the federal government. The threats to our information systems have only increased since the Federal Information Security Management Act (FISMA) was first passed in 2002.

Major cybersecurity breaches earlier this year--especially of SolarWinds' Orion software, the zero-day Exchange server hack, and other incidents--highlight the risks to our information systems. As our reliance on electronic personal data increases, and the sharing of that data increases, so do the risks. Our dependence on electronic systems to support healthcare, e-commerce, and public service delivery is growing--all the more so during the pandemic as government and industry shifted life online.

We need to only look back a few weeks to see how dangerous a cyber incident can be. The recent ransomware attack on Colonial Pipeline crippled fuel supplies up and down the east coast, adding unnecessary uncertainty and increased costs for countless individuals.

Unfortunately, the health sector is not immune to these attacks. In 2017, WannaCry ransomware, created by hackers working for the North Korean government, spread across the world and infected the U.K.'s National Health System. In May 2020, Blackbaud, a cloud software provider used by many healthcare companies, was the victim of a ransomware attack. So far, more than 6 million individuals have been impacted.

Many experts estimate that the value of medical records on the darknet is higher than that of passwords and credit cards. According to security company Comparitech--in 2020 at least 92 individual ransomware attacks affected more than 600 separate clinics, hospitals, and organizations, and over 18 million individual patient records. Ransomware attacks may have contributed to 40,056 hours (1,669 days) of downtime to healthcare organizations in 2020. The average time lost to downtime is increasing--up to 21 days during Q4 of 2020. On average, healthcare cyberattacks cost $1.4 million in recovery.

VA prides itself as being the nation's largest integrated healthcare provider. In that role, VA should be at the forefront of addressing many of these risks and should be a leader in healthcare cybersecurity. As VA continues the process of modernizing its IT systems to deliver healthcare, adjudicate disability claims, and provide educational benefits, information security management should be a key component from the outset.

The Subcommittee is still concerned that VA has not done enough to assess risk and develop long-term information security strategies. Numerous Inspector General and Government Accountability Office reports continue to cite management failures and lack of internal oversight.

They also repeat recommendations year-after-year--seemingly without adequate progress in resolving them.

I look forward to hearing from leadership within VA's Office of Information Technology about the Department's overall cyber program and cyber strategy. We will also hear from the Office of Inspector General about its recent FISMA audit, outstanding issues, and how VA's cybersecurity posture has evolved over the last several years. Finally, we will hear from the Congressional Research Service, whose expertise can help us contextualize some of these issues and understand cybersecurity within the federal government.

As the Technology Modernization Subcommittee, we must ask--is VA ready? Is VA's information security management system up to the task? Is VA ready to prioritize cybersecurity? America's veterans should be able to access VA healthcare with the peace of mind that their data and privacy will be protected. I hope VA can get this right.

I thank the witnesses for being here, and I look forward to their testimony.

