Cybersecurity Concerns Grow In Hospitals Across Maryland

Maryland hospitals are seeing an uptick in ransomware and other cybersecurity threats, mirroring a national trend, and a federal agency is investigating a dozen breaches among healthcare providers in the state.

There are seven breaches currently under investigation from this year alone but there are 12 current investigations regarding Maryland healthcare providers in the last 24 months.

Ransomware attacks and other cybersecurity threats have become a great concern for public health organizations and healthcare facilities nationwide, according to an October 2020 Cybersecurity and Infrastructure Security Agency, FBI and Department of Health and Human Services joint statement.

“We are attacked on an hourly, not just daily, basis by phishing attempts and people trying to get into our network in a variety of ways,” said Dr. Joel Klein, senior vice president and chief information officer at the University of Maryland Medical System.In healthcare ransomware attacks, hospitals’ critical medical records could be seized and encrypted, which could cripple their ability to provide services to patients, until the ransom is paid, according to a 2020 Comparitech analysis.

Klein told Capital News Service he has seen a rise in cyberattacks since the pandemic started, signaling that a problem that affects so many where they are most vulnerable is only getting worse.

“It could be a life-or-death situation. You could sustain critical injuries if you get misdiagnosed or don’t have the correct information at the doctors,” said state Sen. Susan Lee, D-Montgomery.

More than one-third of health organizations surveyed were hit with a ransomware attack last year and 65% of those affected claim the cybercriminals successfully encrypted data, according to a May 2020 Sophos report on ransomware in healthcare based on data from 328 healthcare respondents worldwide.

Lee recently saw SB623 go into law. The new state law prohibits a person from impairing or interrupting computer services of an organization and specifically mentions health care facilities.

FIN12, the name of a cyber threat actor, has recently been highlighted for its aggressive use of ransomware attacks against healthcare facilities, and particularly among businesses with revenue in the hundreds of millions of dollars, according to a Mandiant report on Oct. 7.

But the cyberattack trend has slowly snowballed steadily for years, and the University of Maryland Medical System is not alone.The Kent County Health Department experienced telephone issues due to a cyberattack on their phone provider in September.

The outage lasted six days and resulted in the health department changing its phone number, according to Bill Webb, health officer for Kent County.

Webb spoke on Sept. 29 on behalf of the Maryland Association of County Health Officials at a Maryland legislative Joint Committee on Cybersecurity, Information Technology and Biotechnology.

At the meeting, Webb explained the need for greater funding beyond the current “patchwork funding system” for qualified information technology staffing and training in the local healthcare industry.

At least seven Maryland-based data breaches from this year are under investigation, according to the Office for Civil Rights of the U.S. Department of Health and Human Services.

From local centers like The Tree House Child Advocacy Center of Montgomery County, where 514 individuals were affected, to medical enterprises like The Centers for Advanced Orthopaedics, with several locations in Maryland, where 125,291 individuals were affected, according to HHS Office for Civil Rights data.

The Greater Baltimore Medical Center was the victim of a ransomware attack in December 2020.The hospital system took its electronic medical records offline as a precautionary response to the attack, according to a hospital press release. The Greater Baltimore Medical Center declined to comment further.

Hospitals and organizations should have a full-fledged cyber incident plan that establishes a clear response in the event of a ransomware attack, according to the University of Maryland’s Center for Health and Homeland Security director, Markus Rauschecker.

Rauschecker also advises what he calls “good cyber hygiene,” like installing software patches and cybersecurity training for staff.