One month after a crippling ransomware incident, Greater Baltimore Medical Center is beginning to restore the Towson hospital’s electronic medical records, officials said this week.
GBMC previously disclosed little about the Dec. 6 cyberattack, which disrupted the health care system’s communication and data-keeping infrastructure and forced it to take systems offline and reschedule some procedures. The incident also impacted Gilchrist Hospice Care.
“We were attacked, and all our tightly connected computer systems went down. In addition, we have telephones that work via computers; they went down, as well,” said Dr. John Chessare, GBMC’s president and CEO, in a note and video message to patients Wednesday. “So, if you are our patient, let me extend our sincere apology to you, as you are not able to access your own medical record, you are not able to communicate with us through our patient portal, which is called MyChart.
“And probably most importantly, when you called us on the phone, you got either a dead signal, or you were on hold for very long periods of time. We have brought all of those systems up. You can look at your own medical record on your patient portal or MyChart, you can make appointments through MyChart for primary care, and you can call us on the phone.”
After the attack, Dr. Harold J. Tucker, GBMC’s chief medical officer, said in an email to patients that hospital administrators did not detect that any data had been misused and were collaborating with law enforcement. In the Dec. 9 email, Tucker acknowledged that “many systems” had gone offline, but said GBMC had workarounds in place to ensure continuity of care.
John Lazarou, a GBMC spokesman, said this week that the center’s electronic medical record system was taken offline as a precaution after the hack. This is considered a best practice following cyber breaches, he said.
“While GBMC regrets the incident caused some procedures to be rescheduled, this step was the prudent thing to do,” Lazarou said in an email. “We are confident we are on the right path.”
The cyberattack is the latest in a series of ransomware incidents targeting area entities in the past few years. In 2019, a crippling ransomware incident disrupted Baltimore City government’s email systems and prevented city residents from paying for services. Officials said the city had fallen victim to hackers demanding payment to unlock encrypted files in city computers, and spent millions remediating the problems.
In November, Baltimore County Public Schools also experienced a debilitating ransomware attack that forced it to cancel classes for several days. The school system said no personal information was stolen in the attack. School officials said Thursday that they have gained access to files that were feared lost, including student transcripts, first-quarter grades and vital records for children in special education programs.
GBMC has not specified the type of ransomware used in the attack or named a suspected perpetrator, and has declined to discuss the ransom demanded. Lazarou declined to comment on whether GBMC had paid the ransom due to the continuing investigation.
Officer Jennifer Peach, spokesperson for the Baltimore County Police Department, said officers were dispatched to the medical center shortly before 10 a.m. the day of the incident for a report of a possible ransomware attack. County police shared the report with the FBI, to whom Peach referred questions.
Joy Jiras, a Baltimore spokeswoman for the FBI, declined to comment on the incident.
Cybersecurity professionals and experts said the incident should be viewed as a severe attack on a private entity. GBMC does not have an obligation to disclose every detail surrounding the attack, nor should it, from a business standpoint, said Gloria Phillips-Wren, an information systems professor at Loyola University Maryland’s Sellinger School of Business.
“You don’t want to let people know you’re a soft target. That’s going to undermine confidence in your organization from a public point of view,” Phillips-Wren said. “But there are so many unknowns here: We don’t know how deeply they penetrated the system; we don’t know if it was designed to shut off critical functions. Did it affect the medical equipment?”
A 2019 study conducted by a researcher at Vanderbilt University’s Owen Graduate School of Management found that data breaches in health care systems may cause as many as 2,100 deaths a year in the U.S.
Patient data and medical history can be more lucrative for hackers than banking and credit card information, said Derek A. Smith, president of the Intercessors Investigative and Training Group in Bowie.
The Morning Sun
Some attacks are so successful that they interfere with life support functions or compromise test results or other medical records, Smith said. Email systems or fax machines tend to be especially vulnerable, he added.
“Everyone still has to keep paper files for this reason. You can’t just rely on IT systems,” Smith said. “Now, they’ve got to pay for security protection, reports into what happened — it can take millions of dollars to take care of.”
Smith speculated that GBMC had not paid the ransom, and may have been restoring lost patient files using backup systems. He likened taking every system offline to “stopping the bleeding” during a traumatic injury, preventing more data to be lost in the chaos.
Health care systems, scrambling to contain the coronavirus pandemic, can be particularly vulnerable. Ransomware attacks tend to be most successful when they generate inefficiency and urgency, said Kent Wilson, vice president of customer experience at Bricata, a Columbia-based cyber analysis and response firm.
Wilson said Bricata has seen an increase of cyberattacks on health systems during the pandemic.
“This is the new war-fighting domain,” Wilson said. “We’ve been working on it for 15 years or 20 years — that’s not a lot of time to figure out all the ways that things can go sideways.”
Dr. Chessare, in his video message to patients, said GBMC’s phone lines, while functional, were busy due to patients’ pent-up demand to talk to their providers. He asked for patience as the center works to resume its normal workflow.
A previous version of this story misspelled Bricata.