A ransomware attack at the Maryland Department of Health crippled its systems last month and forced many of its services offline, the state agency confirmed Wednesday.
For weeks, the department described the event as a “network security breach” and offered few other details about the nature of the incident. Services ranging from the reporting of daily COVID-19 surveillance data to basic local health department functions were rendered unavailable, and officials declined to say definitively when such operations would be restored.
Due to an ongoing investigation, health department officials said they still can’t say much. They said employees noticed a downed server Dec. 4 and immediately took action, preventing unauthorized access or the acquisition of sensitive information.
“At this time we cannot speak to the motive or motives of the threat actor,” said Chip Stewart, Maryland’s chief information security officer, during a news media briefing Wednesday. “That said, both law enforcement and cybersecurity authorities have observed that health and hospital systems are increasingly being targeted by malicious actors during the pandemic.”
Stewart said the threat actors demanded payment, but he and other department officials declined to specify the amount. They did not give in to the payment demands, he said.
The attack came right as the new and highly infectious COVID-19 omicron variant began circulating in Maryland. Without the daily COVID metrics, public health experts, hospital leaders and state residents only had a fuzzy picture of the new strain’s grasp. Several functions, including some licensing services at the state Board of Nursing, remain unavailable due to the attack.
This ransomware attack followed others on local entities in recent years, including at Greater Baltimore Medical Center, the University of Maryland, Baltimore, Baltimore City government and Baltimore County Public Schools. Cybersecurity experts said it points to a growing sophistication of threat actors as more services turn digital, with every state and city vulnerable.
“These problems are not out of the ordinary on a nationwide basis … not only from the states but at the county level as well,” said Michael Greenberger, an attorney and founder and director of the University of Maryland Center for Health and Homeland Security. “Across the country, more needs to be done. On a nationwide basis there needs to be hard work done on defending these systems.”
Health officials declined to count how many services were impacted by the attack or name them, saying the list was too long to go over. They said they are working to restore all services quickly and are instituting “workarounds” to some functions as needed.
They also asked for patience as they restore what was lost.
“In cybersecurity incidents, there can be pressure to reconstitute services quickly, and sometimes too quickly,” Stewart said. “All too common are stories of organizations that had to restart recovery efforts because of this, sometimes more than twice.
“We are recovering with deliberate action to minimize the likelihood of reinfection. I cannot stress how important this point is — in order to protect the state’s network and the citizens of the state of Maryland, we are proceeding carefully, methodically and as expeditiously as possible, to restore data and services.”
The health department this week declined to fulfill a records request about the attack filed by The Baltimore Sun under the state’s Public Information Act. Officials said that the responsive documents either “contain information about the security system” or “are part of an investigatory file compiled for law enforcement purposes” and their release would interfere with the investigation.
After the attack, health department officials activated an incident response plan that looped in members of the state’s cyber response team at the Maryland Department of Information Technology, the Maryland Department of Emergency Management, Maryland State Police, the governor’s Office of Homeland Security and the Maryland National Guard.
Stewart said he notified the FBI and the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. He said he also activated the state’s cybersecurity insurance plan that brought in forensic resources and advisers considered “as the best in the industry” for these matters.
Employees at the health department were instructed to use their personal devices and stay off the department’s Wi-Fi system following the attack, according to an internal memo shared with The Baltimore Sun. Employees now have a new wireless system, officials said, and the agency is phasing in new devices and platforms.
The decision to “contain” the health department’s service, or take them offline, was a deliberate one, Stewart said, and “the responsible thing to do.” He said the state is “hardening” its information technology infrastructure and defenses to prevent similar attacks from occurring in the future.
Maryland health officials are scheduled to give a briefing Thursday on the ransomware attack to state lawmakers, who have been pressing for more information. It’s likely, however, that some or all of the briefing may be closed from public view due to the sensitive nature of the incident and the ongoing investigation.
A soon-to-be released report from the Maryland Cybersecurity Council recommends that the state consolidate the management and funding of all of its IT operations — currently scattered across state agencies — under the supervision of the state IT office, as well as increase “vigilance” by prioritizing risk assessments and monitoring sensitive information. The report also suggests creating a state fund that would give money to local governments to help them improve cybersecurity.
With continued cybersecurity threats, “the need has never been greater” to protect government IT systems, wrote Sen. Katie Fry Hester and Ben Yelin of the University of Maryland’s Center for Health and Homeland Security, who co-chaired a committee that worked on the report.
Hester, a Democrat who represents Carroll and Howard counties, said an attack on the state’s health department was inevitable given its vulnerabilities and “blind spots.” Health departments, especially small, local ones, tend to be underfunded and understaffed and may not use modern systems or devices, she said.
She has several goals for this year’s legislative session, which kicked off Wednesday. Among them are to centralize and consolidate the state’s information technology systems, update the legacy systems and make sure the best practices for safeguarding against future attacks are widespread within state government.
“It’s unfortunate, but not surprising,” Hester said about the attack. “We’re on board, we’re much more engaged for passing something and knowing what the solutions are.”
Officials declined Wednesday to provide a timeline of how long the ongoing issues related to the attack could take to resolve.
Baltimore Sun reporters Alex Mann and Pamela Wood contributed to this article.