
A Month After Cyberattack, Health Officers and Lawmakers Detail Continued Outages

A month after a security breach, the Maryland Department of Health is still working to bring programs and services back online. Maryland Matters photo.

For nearly six weeks, the Maryland Department of Health and its 24 local government partners have struggled to recover from an attack on the agency’s computer system.

Although state officials have thus far declined to describe in any detail the impacts of the “incident” (as they insist on calling it), anecdotal reports have made it clear that the attack has broadly undermined the sprawling agency’s day-to-day operations at perhaps the worst possible time.

Interviews with county health officers, union officials and state legislators offer a much broader glimpse into how the Dec. 4 incursion is affecting the state’s top health care decision-makers at the height of the omicron surge.

Those impacts are many and varied.

For more than two weeks, COVID’s reach wasn’t known in the state as case data wasn’t released publicly; the number of deaths was unreported for nearly the entire month of December.

For two weeks, state officials were unable to issue death certificates. And license renewals for health professionals slowed to a crawl.

Even as parts of the system are eased back into operation, some Marylanders with HIV are struggling to access life-saving medications.

Patients at state psychiatric hospitals can’t access their bank accounts to pay for necessities like shampoo or haircuts.

Following the reinstatement of the state’s COVID-19 dashboard — which had been the most publicly apparent sign of a breach during the weeks it wasn’t updated — the Department of Health and the Department of Information Technology have been virtually silent about the agency’s recovery.

“The investigation into this incident is ongoing and, to date, we have found no evidence at this point that data was accessed or acquired,” Maryland Department of Health Secretary Dennis R. Schrader told the Senate Vaccine Oversight Workgroup at a briefing last week.

Schrader, along with other top officials at the departments of Health and Information Technology, either declined to be interviewed for this story or did not respond to interview requests.

During a news conference Tuesday, Gov. Lawrence J. Hogan Jr. (R) said that House Speaker Adrienne A. Jones (D-Baltimore County) and Senate President Bill Ferguson (D-Baltimore City), Comptroller Peter V.R. Franchot (D), State Treasurer Dereck E. Davis (D) and the Maryland congressional delegation have received detailed briefings about the nature of the attack.

He added that the Department of Health “may have more to say” publicly later this week. “I can’t share a lot more information or detail about it today because it’s an ongoing investigation of criminal activity that I can’t compromise,” he said.

Hogan gave no indication when all of the agency’s downed systems would be back online.

“It’s a little slow to get some of the systems up and they’ve had to do workarounds,” he said. “It’s not a great situation, but it’s a lot better than it could be.”

On Thursday, state lawmakers hope to learn more about the attack.

Two panels — the House Health and Government Operations and Senate Education, Health and Environmental Affairs — will hold a joint hearing online at 1 p.m.

Although portions of the hearing may be held in a closed session to protect the ongoing investigation, Sen. Paul G. Pinsky (D-Prince George’s), chair of the Senate panel, said he is determined to have as much of the dialogue as possible held in public view.

“We’re going to try to keep as much in public (as we can),” he said. “There are some things they have to respond to and explain and justify.”

‘Totally run off the rails’

Because of the state’s lack of communication, Sen. Katie Fry Hester (D-Howard) reached out to members of the American Federation of State, County and Municipal Employees Council 3 who told her that staff at several state-run psychiatric hospitals, local health departments and the Department of Health headquarters are still without access to their work computers.

Both Hester, co-chair of the legislature’s Joint Committee on Cybersecurity, Information Technology and Biotechnology, and AFSCME Council 3 President Patrick Moran said that COVID-19 tracking is currently being done by hand.

Moran said that the department has issued a “very limited amount of laptops” for certain staff members and, in some cases, has set computers up at workstations for multiple employees to use.

But there still isn’t enough to go around, so some employees who feel comfortable working from their personal computers are doing so.

One of Moran’s members at Springfield Hospital Center, a state-run psychiatric hospital, doesn’t have a functioning personal computer. She is an administrative assistant, but has only been able to access hard copies of files because the attack has left her without a work computer.

“No one has received any communication on when it’ll be restored or resolved but folks are preparing to operate this way for the next several months,” he said.

Moran said the admission and discharge processes at state hospitals have “totally run off the rails.”

“Without access to shared drives, which contain patient information and the clinical notes, they can’t do it effectively and they don’t know what this person might need, or someone that’s coming in, what they’re gonna need or what the prescription is for them,” he said.

And patients are suffering, too. Moran said that many of them don’t have access to their accounts to buy necessities like shampoo.

“None of this is helpful for a population that skews towards paranoia and has severe psychological issues,” he said.

Hester described a visit to Springfield Hospital Center in mid-December, where she said she watched staff run around the complex to access food and prescriptions for patients.

“They’re like 40% understaffed anyways, and they’re working overtime for salaries that have fallen behind inflation by about 20% and now they can’t use their laptop,” she said. “It sounds really chaotic and very demoralizing.”

Hester has also been contacted by constituents about the lasting repercussions of the attack on the Department of Health. One told Hester that participants in Maryland’s AIDS Drug Assistance Program have been having issues accessing HIV medicine because computer systems are still offline from the attack.

“My feeling, quite frankly, is that the department has put all of the high-profile, public-facing materials — like gotten those kind of up and running — but the stuff behind the scenes that the healthcare workers need to actually do their jobs are still down,” said Hester. “And so we may have other health issues because they don’t have these surveillance systems and the surveillance data.”

“I mean, eventually that’s going to be a problem,” she said.

‘It’s almost like the Pony Express’

In the state’s six largest counties and Baltimore City, health officers use computers issued by the local government — and they get email through county government platforms. The “Big 7” have been able to keep operating normally, albeit with far less data than they normally receive.

The 17 smaller counties rely on laptops and email systems provided by the state health department, making the attack especially debilitating.

“For the small counties, when it first hit, they couldn’t even operate,” said Nilesh Kalyanaraman, the newly elected president of the Maryland Association of County Health Officers. “They couldn’t get onto the computers because they had to make sure that everything was secure and safe, and it wasn’t going to propagate.”

“They had to put in place paper records, paper systems, for any care that they were delivering,” he added. “And that was certainly a huge challenge.”

Kalyanaraman, the top health official in Anne Arundel County, said more of the hardware issues have been resolved, at least temporarily. In some counties, he said, health officers are traveling to other state agencies, such as the Department of Social Services, to share computers with employees there.

“Obviously the timing was brutal,” he said. “As omicron was surging, we lost access to data.” Local health departments in rural parts of the state have been particularly challenged by the pandemic because of their higher-than-average infection rates and lower-than-average vaccination rates.

In addition, local health officials still don’t have access to multiple non-COVID reports that they received on a regular basis from various health data systems prior to the attack, among them:

  • NEDSS — The National Electronic Disease Surveillance System, which reports communicable disease data.
  • ESSENCE — The Electronic Surveillance System for the Early Notification of Community-based Epidemics.
  • BRFSS — The Behavioral Risk Factor Surveillance System, which the CDC describes as “the nation’s premier system of health-related telephone surveys that collect state data about U.S. residents regarding their health-related risk behaviors, chronic health conditions, and use of preventive services.”
  • STARLIMS — a lab results reporting system.

“I have a saying that we’re data-driven and evidence-based,” said Dr. Maura Rossman, Howard County’s health officer. “I don’t have real-time data to be evidence-based, and that’s a problem.”

She said the delays in transmitting lab tests mean nurses at county-run health clinics must manually input them into electronic health records. “So it’s a lot of labor. And that’s direct care. That affects an individual person.”

“The results are currently written on the requisition form and being sent to us by a courier,” she added. “It’s almost like the Pony Express.”

Rossman, who served as interim president of the Maryland Association of County Health Officers, said she is sympathetic with the challenge the state Department of Health is dealing with. “I know they’re doing the best they can.”

But she said the agency could help local health officials by providing more guidance.

“I’m frustrated with MDH in that there could be better communication with us about what is going on,” she said. “I don’t understand why (if) it’s impacting a certain report, (they) couldn’t send a .pdf.”

Although MDH is again able to update data on COVID-19 infections, case rates, hospitalizations and vaccinations, local leaders still don’t have complete details about those dying of the virus in their jurisdictions, they said.

While health officers previously received reports about where COVID victims lived, whether they were vaccinated and the treatments they received, among other details, that granular information hasn’t been available since the attack.

“When we all feel like we’re in the dark — whether or not we are — that’s when anxiety comes in,” Rossman said. “They don’t tell us, and it’s not for a lack of asking.”

‘The Department of Health is a victim’

On Dec. 31, Schrader sent a letter to department employees providing an update on the “network infrastructure security incident.”

According to the letter, the Department of Health “implemented immediate countermeasures to contain the incident,” including isolating each of the agency’s websites from each other, other state agencies and “the Internet as a whole.”

“Because of the state’s aggressive cybersecurity strategy … the incident did not affect many of the department’s core functions,” the letter reads.

But some say the state should’ve seen this coming.

According to Hester, who sits on the General Assembly’s Joint Audit and Evaluation Committee, auditors completed 77 reports covering 69 units of state and local government between 2016 and 2019. Those reports found 84 instances of weak data loss prevention controls, “which translated to about 40 million records [that] were susceptible to improper disclosure,” she said.

“It’s definitely an area that … nobody wants to invest in it until something bad happens,” Hester said.

Attorney General Brian E. Frosh (D) attempted to intervene years ago.

In 2018, Frosh sent a letter to Hogan recommending that he increase state funding for cybersecurity measures to $28.9 million, with an inflation-adjusted sustainment budget of $14 million to $15 million each year.

At that point, the Department of Information Technology’s budget for cybersecurity was only $3.8 million.

While the department’s budget is smaller than some lawmakers think is needed, Hogan has taken action in the realm of cybersecurity. In July 2021, he convened a cybersecurity summit in Annapolis where he established an advisory partnership on best practices with the NSA and enacted an executive order to establish the state’s first chief privacy and chief data officers.

Hester said that Frosh’s 2018 recommendation has not been met, and that the General Assembly’s Joint Spending Affordability Committee has recommended allotting an additional $150 million for cybersecurity in the 2022 budget “as a good starting point.”

Later this month, the Joint Committee on Cybersecurity, Information Technology and Biotechnology is expected to recommend that legislative spending committees modernize the state’s outdated IT systems. Hester, who co-chairs the committee, said the 50-page report will be released in the coming weeks.

She said that approximately 40% of state departments are operating with systems that “don’t meet current cybersecurity standards.”

“You can’t blame somebody for being attacked … The Department of Health is a victim,” said Hester. “However, there have been various indicators for the past so many years that we need to invest more, we need to manage it better, we need to take this seriously.”

“So, the Department of Health is not at fault,” she continued. “But the state may be.”
