On December 5, Maryland Department of Health authorities reported that they had taken the department’s website offline in response to a cyberattack, according to CBS Baltimore (WJZ-13).
Local news website DCist.com reported that many of the Department of Health’s essential services, including Medicaid applications, nursing home safety data, and Covid-19 metrics, were unavailable because the department took its servers offline “out of an abundance of caution.”
Cyberattacks like this one are becoming more common in the healthcare industry. For example, on November 11, hackers launched a cyberattack against an Ohio hospital, causing disruptions to service and temporarily shutting down patients’ access to their electronic health records.
From the beginning, the Maryland Department of Health characterized the cyberattack as a “network security incident.” Some news outlets speculated that the cyberattack was a ransomware attack, but Maryland officials have not verified this.
The department’s IT professionals were able to restore the Department of Health’s website by the evening of December 6, but they continued to keep some servers offline while they investigated the situation and looked for data breaches.
Department of Health officials kept the public up to date via the department’s Twitter feed. On Thursday, December 9, Governor Larry Hogan announced at a press conference that the cyberattack was “much, much less intrusive” than officials had initially predicted. Hogan said that it appeared no data, including protected health information (PHI), had been stolen, although investigations would continue.
Why was the Maryland Department of Health’s website attacked?
Threat actors are increasingly targeting covered entities. Healthcare organizations are vulnerable to ransomware attacks as well as data breaches because these organizations possess information-rich data files, including PHI, and cannot afford to shut down operations when patients’ health is at stake.
Government entities such as state and city departments are also in hackers’ crosshairs. In May 2019, hackers attacked the city of Baltimore’s computer systems, demanding a ransom to release the city’s computers and restore critical systems. The city refused to pay the ransom and instead spent over $18 million mitigating the attack.
Healthcare organizations’ email systems are especially vulnerable to attack, which can lead to stolen data, compromised PHI, and ongoing malware issues.
Healthcare employees can be stressed and tired, especially during the holiday season, and they might not be aware of the latest cybersecurity best practices, creating additional vulnerabilities.
What are the consequences of this cyberattack?
While the full extent of the cyberattack on the Maryland Department of Health is not yet known, it is already clear that citizens and government agencies could not access critical resources while the department’s website was shut down. Anyone wishing to learn about Covid-19 transmission rates, nursing home safety, vaccinations, and other public health concerns had to wait until the website was restored to full functionality.
Cyberattacks like this one clearly indicate that healthcare organizations and covered entities cannot afford to delay strengthening their network security, email systems, data protection efforts, or backup and recovery procedures. Now is the time to protect your patients’ PHI and secure your data.
Prevention and protection are key to guarding against cyberattacks
Robust email protection is critical for any healthcare organization. Paubox Email Suite allows users to write and send HIPAA compliant email according to their normal procedures, using a laptop, desktop, or mobile device. Recipients view email messages and attachments without needing to log into a separate portal, download a mobile app, or enter multiple passwords.
Paubox has achieved HITRUST CSF certification, demonstrating that our email solutions have met regulatory and industry-defined requirements and are appropriately managing customers’ risk.