Published by The Lawfare Institute
in Cooperation With
Maryland is a tiny state. Geographically, it’s the 42nd biggest state and ranks only 18th in population. But despite its small size, the Dec. 4, 2021, cyberattack on the Maryland Department of Health (MDH) had a global impact. At first blush, the MDH hack may seem like a local-to-Maryland problem. After all, the network security incident affected only MDH and some of its external partners—including local health departments. However, the hack impaired MDH’s ability to report accurate COVID-19 data; and nearly a month after the initial outage, only 90 percent of state-level surveillance data have been restored. But who cares? After all, the department is a state-level organization that includes MDH and 24 local health departments—one each in Baltimore City and Maryland’s 23 counties—and whose vision is “lifelong health and wellness for all Marylanders.” So why would someone in Indiana or Nevada care about county-level transmission rates in Maryland? Or to be even more expansive, why would someone in Zimbabwe or Japan care?
I argue that the MDH hack points to a concerning development at the nexus of cybercrime and data supply chains: Maryland’s COVID-19 stats may not be of direct interest to nonresidents, but MDH’s state-level data is one step in the global COVID-19 data supply chain that aggregates at the World Health Organization. In the current era of great power competition, adversaries seek to influence, manipulate, and obfuscate the information environment to degrade or deny America’s ability to respond and react to crises, making it necessary for the United States to focus on protecting the integrity of data supply chains to ensure readiness for resilience. With all the hallmarks of a ransomware attack, the MDH hack exposes how vulnerabilities in public data supply chains have the potential to affect the information available to decision-makers in times of national and international crises and normal, day-to-day operations. Ultimately, when Maryland’s numbers are off, the whole world’s numbers are off, and everyone should be concerned about that.
To be honest, not much is publicly known—the attack has the characteristics of a ransomware scheme, but Maryland officials have yet to publicly discuss the cause or type of attack and say there is no evidence that data has been compromised.
On Dec. 4, network administrators detected “unauthorized activity involving multiple network infrastructure systems” and quickly implemented countermeasures, taking the affected servers offline to protect the broader network. Their response proved mostly successful. Key services, along with most MDH core functions (such as Medicaid information and assistance), went back online the next day. Other services, such as state medical licensing, remained unavailable through the new year. However, MDH’s COVID-19 surveillance website—specifically, the tracking of COVID-19 cases and deaths across the state—remained unable to report accurate data for weeks. From Dec. 4 through Dec. 23, county-level reporting data was largely unavailable. The MDH website still indicates that the organization is dealing with the hack fallout and its impact on accurate reporting. The timing of the cyberattack was horrible—just as the omicron variant was spreading, Marylanders, and travelers to the state, could not access up-to-date information about high transmission areas to assess risk and make informed choices about holiday travel.
Once the cyberattack and its fallout was made public, federal agencies in the Washington, D.C., metro area told their employees that the MDH outage meant the Centers for Disease Control and Prevention’s (CDC) COVID-19 heat map was inaccurately reflecting most counties in Maryland as areas of low community transmission. The hack and the resulting site outage prevented Maryland state health officials from reporting new infection data to the CDC, which rendered the national-level database inaccurate. The actual COVID-19 numbers for Maryland told a very different story, meeting the criteria as an area of high community transmission and were in fact reflective of the COVID-19 surges happening across the country. Ultimately, when MDH partially resumed its reporting on Dec. 21, the number of positive cases in Maryland had jumped by more than 28,500 and the seven-day average testing positivity rate had nearly doubled from 5.4 percent to 10.3 percent. Over the Christmas holiday weekend, Maryland’s numbers spiked even higher, with more than 25,000 new cases being reported and a testing positivity rate of more than 15.85 percent. New Year’s Eve holiday statistics were not available until after the holiday weekend.
But it’s just Maryland, so why does it matter?
Everything today is interconnected. A local public health threat can quickly become a public health threat elsewhere. Diseases, like COVID-19, exploit even the smallest gaps in human defenses to spread through the population. Therefore, in addition to its local public health implications, the MDH cyberattack has a surprisingly far-reaching impact because of the COVID-19 data supply chain. MDH reporting feeds into the surveillance data for the entire U.S. and, ultimately, the world. How? Local and county-level case surveillance data—the type of data affected by the MDH hack—and reporting are the initial steps in the broader, national-level case surveillance apparatus run by the CDC. Information fed into the data supply chain is aggregated into statistics and information designed for health research and for public consumption. Additionally, the CDC shares its deidentified, national-level data for public health events of international concern, like COVID-19, with the World Health Organization (WHO). WHO convenes its 194 member nations, including the U.S., to direct and coordinate global health strategies, tactics and priorities. If CDC numbers are inaccurate, the national and global response priorities may also be off.
Figure 1. A depiction of the CDC’s COVID-19 data supply chain.
- Hospitals, healthcare providers, and laboratories transfer data for case reporting to state, local and territorial public health departments as required under state disease reporting laws.
- State, local and territorial health departments move data for case notification to the CDC through its National Notifiable Diseases Surveillance System. This step is voluntary, and all data is deidentified before transmission to the CDC.
- The CDC reports national COVID-19 case surveillance data to the World Health Organization, as required under the International Health Regulations. The CDC also publishes COVID-19 national case surveillance data for public use.
The U.S. needs to maintain a strong global health presence to ensure America’s health security, but the domestic impact of inaccurate reporting data also has several implications for readiness across the federal government and private sector.
Maryland is really important for national readiness!
With more than 15 percent of the entire federal civilian workforce located in the Washington, D.C., metro area, Maryland’s public health information is a national concern. The state is home to 350 research centers, 20 military facilities, more than 60 federal civilian agencies and 78 federal laboratories (twice the number of any other state). The Department of Defense employs more than 400,000 workers in Maryland, representing a little over $20 billion in total wages earned. Fort George G. Meade is the largest employer in the state, with more than 50,000 employees, and is the third largest workforce of all U.S. Army facilities. The military industry in Maryland generates $57.4 billion and constitutes 17 percent of the state’s total economic output. Additionally, Maryland is home to 15 of the nation’s top 20 aerospace and defense firms, and the more than 9,000 aerospace and defense contractors in the state generate over $33 billion in earnings each year. Per capita, Maryland ranks first for research and development federal obligations worth over $15.4 billion. And in 2020, Maryland was home to 176,000 businesses, along with corporate headquarters for well-known businesses such as McCormick, Lockheed Martin, Under Armour, DAP, Phillips Seafood, T. Rowe Price and Goetze’s Candy.
COVID-19 statistics and data are just one piece of information that leaders use to assess the risks associated with their workforce and operations during the ongoing pandemic. Even under normal conditions, leaders must assess and account for local conditions (such as snowstorms or power outages) and public health concerns (like an outbreak of the Zika virus) to accurately make workforce readiness decisions—data supply chain security matters all the time, not just during moments of crisis. Since the onset of the pandemic, large corporations, businesses, federal departments and agencies, and the U.S. military have had to assess local COVID-19 conditions and their impact on broader, national-level readiness. For the military specifically, large-scale exercises have been canceled or postponed, avoiding the massing of thousands of people to one concentrated location. Social-distancing protocols have been instituted everywhere —including federal workplaces, military bases, public transportation and private businesses. Basic training and permanent change of station moves were suspended, or scaled back, as the then-new screening and testing protocols were implemented. But, even as most aspects of work are returning to normal, cases caused by the omicron variant are spiking and local conditions such as transmission rates, positive cases, and hospitalizations remain critically relevant to major federal and national-level movements, training, exercises and overall readiness. County-level case surveillance data is needed by federal leaders to determine force posture and staffing requirements at military bases and federal campuses and to determine if, when, and where employees can safely travel—for work or pleasure.
Hostage-taking is not a new phenomenon.
Just like a person may be taken hostage by a criminal outfit, data can be taken hostage and held at risk—and the number of data hostages is increasing. Hacks that lock up, wipe, or block data access to private and operational information are on the rise. Typically, attackers target devices, databases, and servers that have—or are likely to have—critical data that forces a quick decision from the owner, because access to that data is critical to the organization’s mission or health. Hospitals and health departments, like MDH, are frequent targets since their data is necessary for patient care and public health—and could mean life or death—making those entities more likely to negotiate (or pay for) a data release quickly and quietly. Data hostage incidents are important for many reasons. In the past, criminal statistics showed the contagious effect of hostage-taking, and the severity of outdoing someone else in the sense of hostage-taking is also on the rise in cyberspace. Ransomware statistics show an escalation in ransom fees and in the types and quantity of data held hostage with some early indications of a slowdown after a 30-nation ransomware task force met in 2021 to address the transnational impact of the threat. But with each cyberattack, the probability of the next hack’s being more severe, bold, or costly gets higher.
Data supply chains, like the CDC’s COVID-19 data supply chain, are therefore increasingly at risk of malfunction and inaccuracy. Local organizations—at the bottom of a data supply chain —are often underfunded and underresourced for cybersecurity. Guidance for baseline security measures is also outdated and varied—even at the federal level. For example, the U.S. Department of Health and Human Services (HHS) has a fact sheet for ransomware and Health Insurance Portability and Accountability Act (HIPAA) compliance intended to assist health-related organizations to meet minimum security standards and compliance with HIPAA while also protecting data and networks from ransomware—but the fact sheet was last updated in 2016. An HHS cybersecurity checklist is also provided on the agency’s website, but it is from 2017, and the National Institute of Standards and Technology (NIST) and HIPAA Security Rule crosswalk was last updated in 2016. The guidance stated in the HIPAA Security Rule is general and minimal and requires the following from organizations and agencies that deal with patient health information:
- Reasonably protect patient privacy by setting up safeguards on all equipment, data storage devices, administrative software, and computer systems, as well as proper cybersecurity protection.
- Prevent unauthorized disclosure of private information.
- Prevent unauthorized access to private information.
- Remain compliant to the HIPAA Security Rule requirements within their employee organization.
But, for example, there is no security rule standard or implementation specification that mandates a public or private entity to update the firmware of network devices as part of their risk analysis and management process, or a standard requirement for entities to identify and mitigate the risks to data created by using network devices running on outdated firmware.
So, what does it all mean?
The MDH hack highlights how data problems are not just a federal-level aggregation and operationalization problem. Another state-level data issue of note had nothing to do with malicious cyber actors but was instead the result of poor software design. In January 2021, public health officials in California noted that the state’s vaccine numbers were lagging despite a successful vaccine rollout and positive feedback from health workers in the field. But according to the data, “California was slower than other states in administering the still-meager supplies of vaccines being shipped by the federal government.” The problem was not one of vaccine hesitancy or vaccine logistics. Instead, “on one of the computer programs the state was using to feed records into a central database, the ‘submit’ button was buried at the bottom of the screen and easy to miss.” Within days of finding the oversight and telling health workers to click “submit,” California’s vaccination numbers turned around.
Recently, Robert Redfield, CDC director during the Trump administration, spoke out about the data problems at the federal agency, namely how long it takes for the agency to receive data from the states (70 jurisdictions feed data to the CDC), curate it (validate, double check and triple check the primary data sources relied on for the data—a process that takes weeks and months), and confirm accuracy. The delay in getting data into a usable format for public health only compounds the problems encountered after a downstream supply node—like MDH—is disrupted. But, within the context of great power competition, the MDH hack shows how fragile data supply chains can be and signals how easy it is to disrupt even the most critical data flows by stopping the upstream flow of data that provides the insights and statistics on which the nations’ decision-makers rely. Ultimately, adversaries can easily disrupt critical information flows to confuse, manipulate, and influence public, private, and personal readiness. If key leaders are unable to accurately assess conditions in a crisis, resources may be prioritized incorrectly, response efforts vectored to the wrong regions, recovery funding and assistance sent erroneously—in short, the list of potential impacts to national readiness and resilience is endless.
The views expressed are those of the author and do not reflect the official position of the United States Military Academy, Department of the Army, Department of Defense, U.S. government or any organization with which the author is affiliated.