At least six major health systems across the country have suffered debilitating cyberattacks this year, including most recently Columbia-based MedStar Health. The rate has unsettled health system information technology administrators, who are now working together to block future attacks.
The constant threat of a breach — as well as a hack at the University of Maryland, College Park in 2014 — moved systems security chiefs at the University of Maryland, Baltimore and related hospitals and medical schools to organize a collaborative effort to fend off outsiders intent on infiltrating the institution's electronic systems.
"This is extremely important because we all connect to a single electronic backbone," said Peter J. Murray, chief information officer and vice president for information technology at the University of Maryland, Baltimore, before introducing a panel of university-affiliated IT officials who gathered Friday for a cybersecurity conference on campus.
Until last year, when the formal collaboration began, IT departments operated independently at the university's hospitals, medical school, physicians' offices and academic health programs. The officials now meet regularly and share updates or patches and other best practices that could make the whole stronger than the parts.
It's a defense that officials hope will stave off the kind of recent attacks seen in Maryland, California, Kentucky and elsewhere in which medical records and other data were locked up and held for ransom. The health systems have acknowledged that patients were affected, with some temporarily prevented from receiving care.
The FBI considers these invasions a fast-growing threat to critical infrastructure at hospitals and other institutions. The agency says the goal typically is not to gain access to data but to extort money. Hacking victims in the United States have paid $209 million in ransom in the first three months of this year, compared with $25 million in all of 2015. The FBI has reported no arrests.
In MedStar's case, hackers reportedly demanded $19,000 in a hard-to-trace electronic currency called bitcoin in exchange for releasing the data. The system, which operates 10 hospitals and hundreds of other health care facilities in Maryland and the District of Columbia, did not respond to a request for comment but has said that all of its systems are back online.
The University of Maryland IT experts said they continually update their systems and now meet monthly with their counterparts to ensure that they have the latest defenses. They also work to educate — and warn — users, including medical staff, students and others, about how to recognize a potential problem.
"If you can't ascertain if it's from a legitimate sender, ask yourself if it's worth the risk," said Kevin Crain, information security officer for the University of Maryland Medical Center, about opening an email or Web link.
That won't stop all breaches, but it would help, said Matthew Kramer, director of information security at the university's School of Medicine and Faculty Physicians Inc. He said 70 percent of attacks initially go undetected. They take an average of 200 days before they are discovered, and by then the damage might be significant.
"We don't want an attack to sit out there for a long time and turn into a much larger incident, like we saw down the street last week," Kramer said of the MedStar attack.
The University of Maryland collaborative is not just trying to foil hacks, the IT experts said. They also are working to make the overall system perform better.
A fire last month in a building that houses physician offices led to two days of email and phone outages because the facility also served as a data center. The outages could have lasted longer if the physicians' IT department was on its own, but the group was able to tap the collaborative's resources and get the systems back up and running sooner, said Charles W. Henck, chief information officer of Faculty Physicians Inc.
Health systems might be an attractive target for hackers because they are increasingly digitizing records but do not necessarily have all the protections in place yet, security experts say.
"The problem is that hospitals aren't very mature when it comes to cybersecurity and dealing with robust, sophisticated online attacks," said Eduardo Cabrera, vice president for cybersecurity strategy at the security company Trend Micro Inc., based in Irving, Tex. "A hospital needs health data in order to treat its patients. Hackers know there are major consequences if [hospitals] don't act quickly."
The hackers, many from Eastern Europe or Russia, have found ransomware to be so profitable that they set up call centers, said Cabrera, who investigated underground hacking rings as chief information security officer for the U.S. Secret Service. English-speakers with the hacking group will talk to victims over the phone or online and "help" them through the process of converting dollars into bitcoin and settling the ransom, he said.
The health systems, however, are not the only vulnerable institutions. Government officials are concerned about the digital networks that run electrical grids, as well as oil and natural gas lines, according to Andy Ozment, assistant secretary of cybersecurity and communications at the Department of Homeland Security.
Ransomware attacks likely are increasing because people are willing to pay, he said.
"It's safe to assume if criminals continue to do it, they are making money from it," he said.
Tribune Newspapers contributed to this article.