This content was republished with permission from WTOP’s news partners at Maryland Matters. Sign up for Maryland Matters’ free email subscription today.
Gov. Lawrence J. Hogan Jr. and top Maryland Department of Health officials acknowledged for the first time Wednesday that the perpetrators of the attack on the agency’s computer system sought a ransom payment from the state.
The state has not paid those responsible for the attack, Hogan (R) said.
“Unlike Texas and I think a couple of other dozen states, we haven’t lost hundreds of millions of dollars, and we haven’t compromised millions of peoples’ data,” he said. “But it’s a big issue. It’s a ransomware attack and they’re targeting health departments across the country.”
Prior to Wednesday’s announcement, officials would only refer to the Dec. 4 attack on the agency’s network as an “incident.” On Wednesday morning, Maryland Matters published a report on the broad impacts the outage continues to have on the state health department and the 24 local health departments who work closely with MDH.
“While the investigation is ongoing — and occurring on a parallel track to our restoration efforts — we can confirm this much today: this was, in fact, a ransomware attack,” said Maryland Chief Information Security Officer Chip Stewart in a statement. Stewart described the unidentified attackers’ demand as “an extortion payment.”
Ransomware attacks, which frequently originate overseas, prevent government agencies and businesses from accessing their own information and data systems until the entity under siege makes a payment.
Stewart said that the state has not made any such payment and, at his recommendation “after consulting with our vendors and state and federal law enforcement, will not be doing so.”
Law enforcement and cybersecurity authorities have observed that health and hospital systems are increasingly being targeted by malicious actors during the pandemic, Stewart said.
For nearly six weeks, the Department of Health and local health authorities have been struggling to recover from the ongoing repercussions of the attack. Hogan and state health and cybersecurity officials have been tight-lipped about the investigation.
Atif T. Chaudhry, the deputy secretary of operations for the Department of Health, said that the agency and the Department of Information Technology are working closely to resolve the remaining problems caused by the attack, and are coordinating with the federal government.
Stewart said Wednesday that “to this point” in the ongoing investigation, there has been no evidence that state data was compromised.
On Thursday, the House Health and Government Operations and Senate Education, Health and Environmental Affairs — along with the Joint Committee on Cybersecurity, Information Technology and Biotechnology — will hold a hearing online at 1 p.m. to learn more details about the attack. Some of the hearing could be held offline, to avoid the release of sensitive details.
Detailing what happened
According to Stewart, the Department of Health’s network team detected a malfunctioning server in the early hours of Dec. 4 and immediately began troubleshooting the problem.
After identifying issues they felt warranted deeper investigation, the problem was passed on to the agency’s IT Security Team which alerted the chief information security officer for the Department of Health, Stewart said.
He was notified shortly after and launched the state’s cybersecurity incident response plan, which triggered alerts to Maryland’s Department of Information Technology, the Department of Emergency Management, the State Police, the Governor’s Office of Homeland Security and the Maryland National Guard.
Stewart said that he also notified the FBI and the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, and activated Maryland’s cybersecurity insurance policy through the state treasurer’s office. The insurance policy allows outside resources to advise the state on its recovery process.
At this point, Stewart said, the agency’s websites on its network were ordered to be isolated from each other, other state agency sites and the internet as a whole.
He said the network isolation has continued to render some systems unavailable.
“I want to be clear: this was our decision and a deliberate one, and it was the cautious and responsible thing to do for threat of isolation and mitigation,” Stewart said.
Since the attack began, some public-facing databases — notably the state’s COVID-19 data dashboard — have come back online.
Many others, including resources that report communicable disease data and lab results and systems that support participants in Maryland’s AIDS Drug Assistance Program, are still not operational, sources told Maryland Matters.
Stewart warned against recovering services too quickly, which can lead to agencies needing to restart recovery efforts multiple times.
“I cannot stress how important this point is — in order to protect the state’s network and the citizens of the state of Maryland, we are proceeding carefully, methodically, and as expeditiously as possible, to restore data services,” he said.
In the meantime, Chaudry said that the Department of Health’s business units have been operating on continuity of operations plans to allow its programs to keep “performing essential functions in the event of an emergency or interruption of services — such as an attack.”
According to Chaudry, continuity of operations plans were implemented on Dec. 4. The agency has since prioritized certain functions.
“In this instance, we are using a tiered system that is focused on mission critical and life-safety business functions,” Chaudry said. “This prioritization of the Department’s affected functions has led to the development of a Critical Path for recovery and bringing systems back online.”
Union officials have blown the whistle, saying that their members employed through the Department of Health have been without their work computers since the attack began.
According to Chaudry, agency employees have been using Google Workspaces to share and save files online, and the department has procured printers, wireless hotspots and 2,400 laptops with plans to secure 3,000 more.