In 2019, at least 72 U.S. school districts and/or educational institutions suffered ransomware attacks. Since October 20, 2019 alone, 11 ransomware attacks affecting 11 U.S. school districts have been reported. One of the most active campaigns in 2019, the Ryuk ransomware, hit more than 500 schools.
Cybersecurity Regulations for the Education Sector
FERPA – The Family Educational Rights and Privacy Act requires that students provide written consent prior to the release of any records or PII.
FISMA – The Federal Information Security Modernization Act of 2014 falls under the e-Government Act. Although FISMA applies mainly to government agencies, it also applies to contractors and entities that collect or maintain any agency information. As some universities collaborate with agencies on research projects, it is important that institutions of higher education (IHEs) follow the National Institute of Standards and Technology’s (NIST) security controls.
GLBA – The Gramm-Leach-Bliley Act focuses on financial institutions; however, IHEs must also comply with the GLBA’s Safeguards Rule, as these institutions deal with large inflows and outflows of money. The Rule addresses financial information and how to adequately protect it by assessing threats, preventing unauthorized access, and ensuring confidentiality.
HIPAA – The Health Insurance Portability and Assurance Act requires schools to protect student health information, whether it be insurance information or health issues while on campus. Just as a doctor’s office outside a school must comply with HIPAA, any medical center on campus falls under the same rules.
HEA – The Higher Education Act requires IHEs to implement information security measures if they accept federal financial aid granted to students (Title IV). In other words, any financial information related to a student’s financial aid must be protected by adequate security measures.