Disruption to Services at Maryland Department of Health Continues One Month After Ransomware Attack
Maryland Chief Information Security Officer (CISO) Chip Stewart has issued a statement confirming the disruption to services at the Maryland Department of Health (MDH) was the result of a ransomware attack.
A security breach was detected in the early hours of December 4, 2021, and prompt action was taken to isolate the affected server and contain the attack. Stewart said the Department of Information Technology successfully isolated and contained the affected systems within a matter of hours, limiting the severity of the attack. “It is in part because of this swift response that we have not identified, to this point in our ongoing investigation, evidence of the unauthorized access to or acquisition of State data,” said Stewart in a statement issued on January 12, 2022.
According to Stewart, there was an attempted distributed-denial-of-service (DDoS) attack shortly after the ransomware attack; however, that attack was not successful. Evidence gathered during the investigation of the ransomware and DDoS attacks indicates they were conducted by different threat actors.
Stewart said he reported the incident to the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI), activated the state’s cybersecurity insurance policy through the State Treasurer’s Office, and engaged third-party forensic investigators to assist with the investigation and response and recovery efforts. “The companies and personnel provided by the insurance policy are widely regarded as the best in the industry,” said Stewart.
The response to the ransomware attack required systems to be taken offline, sites on the network to be isolated from each other, and external access to resources over the Internet and by third parties to be blocked. The containment approach limited the ability of state employees to use computers and access shared resources, and more than a month after the ransomware attack, some services continue to face disruption. While the response and recovery approach has resulted in ongoing disruption, Stewart said this approach was necessary to protect the state’s network and the citizens of the state of Maryland and was important to prevent reinfection.
Atif Chaudhry, MDH Deputy Secretary for Operations, said a major focus in the aftermath of the attack was to ensure business and service continuity, which involved implementing the FEMA Incident Command System (ICS). “Under this ICS system, we formed a Unified Command Structure to address the incident. This permits MDH and DoIT to jointly collaborate to manage and address all incident-related matters. DoIT provides the technical expertise and is taking the lead on network security and IT system recovery efforts,” said Chaudhry.
MDH faced a shortage of equipment in the aftermath of the attack, which meant employees have had to share computers at work. To address the problem, Chaudhry said MDH ordered an additional 2,400 laptop computers and a further 3,000 will be ordered this week. Additional IT equipment such as wireless access points and printers has also been ordered to ensure employees have the equipment they need to do their jobs. Further, alternative processes have been implemented to ensure staff can serve the most urgent needs of the public, which include migration to Google Workspaces. Google Workspaces has provided employees with a suite of online tools that are unaffected by the ransomware attack, ensuring employees can collaborate and save and share critical files.
The attack has caused disruption to the state’s pandemic response. On Thursday, January 12, 2022, MDH said it had restored around 95% of state-level surveillance data and it is working to restore the complete COVID-19 dataset. Reports will be updated at the earliest opportunity.