A new Marin County civil grand jury report recommends that county supervisors consider creating a cybersecurity joint powers authority.
The report, titled “Cyber Preparedness: Are We There?”, is a follow-up to the committee's 2020 report, “Cyber Attacks: A Growing Threat to Marin Government.”
According to a 2020 report, the county suffered at least five cyberattacks between July 2017 and August 2018. The first four were primarily phishing attacks that resulted in security breaches but no actual data theft.
However, in the fifth attack, the hackers were able to trick the county's finance department into transferring $309,000 to the hackers' bank account. After the fraud was discovered, the county was able to recover about $63,000, but lost $246,000.
The report also said six Marin County municipalities had been targeted by various cyberattacks over the past three years.
According to the new report, 11 Marin County municipalities have already implemented or are in the process of implementing more than 90% of the cybersecurity best practices recommended in the 2020 report, including mobile device management, automated malware detection, monitoring systems, the use of expert resources and firewalls.
“Since the 2019-2020 Grand Jury Report, no municipalities have reported a cyberattack severe enough to warrant public disclosure,” the new report states.
The federal Office for Civil Rights requires reporting of any breach involving the health information of 500 or more people.
“The grand jury found that two cyber attacks had been reported by two other public agencies, but neither incident resulted in any significant loss of data or money,” the report said.
Marin County Chief Information Officer Lisa Massey said there has been one breach since 2020.
“This was caused by employee actions and did not rise to the level of being made public,” Massey said. “Most breaches are caused by human error.”
Massey declined to comment on the new report's recommendations.
According to the grand jury, an oversight and investigative committee empowered by local law enforcement agencies, global cyber attacks have become more sophisticated since the 2020 report.
The Center for Internet Security's National Cybersecurity Review noted that it found that malware attacks increased 148% year-over-year in the first eight months of 2023, while ransomware incidents increased 51% over the same period last year.
The grand jury also quoted security awareness company SoSafe as saying that cybercriminals are attracted to public sector websites because their technology and security measures are outdated.
Following the 2020 report, Marin County created what is now known as the Marin Security and Privacy Council (MSPC). Initially created to provide cybersecurity information and best practices to Marin County municipalities, the council has expanded to include nonprofits and other private organizations.
MSPC, in collaboration with the County's Information Services and Technology Office, sends out monthly security awareness newsletters to Marine agencies and MSPC members, as well as alert notices about active cyber threats.
“We have newsletters that are available not only to businesses, but also just to Marin County residents,” said Jason Valderrama, the county's chief information security officer.
However, the grand jury reported that interviews with Marin County municipalities and agencies found that many were unaware of the security newsletter and “they appeared to be generally unaware of the existence of the MSPC.”
The grand jury said the county supervisors should consider creating a cybersecurity joint powers authority “to increase cyber preparedness among its members and to acquire and maintain a perimeter defense protection system to prevent and eliminate ransomware and more sophisticated cyber attacks.”
The grand jury also asks the county supervisors to hire three new employees to strengthen cybersecurity: one who will work in the county's IT department and assist other county agencies with cybersecurity awareness, training and the implementation and monitoring of cybersecurity systems;
The remaining two new hires will fill a “systems engineering” role that will involve conducting security risk assessments, providing recommendations and implementing cybersecurity solutions for Marin County's public agencies.
The grand jury's list of 10 recommendations is fairly technical, including a proposal to require Marin agencies to include business continuity plans in any contracts they enter into with third parties for information technology services. Business continuity plans aim to protect personnel and assets and enable rapid functioning in the event of a cyberattack or natural disaster.
The grand jury found that many, if not all, of the county's municipalities and special districts outsource information technology and cybersecurity services to third parties due to a lack of in-house expertise or budgets, but after reviewing the contracts, the grand jury found no language related to business continuity plans.
The report comes as MarinHealth Medical Center is still recovering from the effects of a February ransomware attack on one of its vendors, Change Healthcare.
“This disruption affected more than 5,700 hospitals across the U.S., including MarinHealth. As a result, MarinHealth was forced to withhold billings to payers for approximately 30 days,” hospital spokeswoman Jennifer Churchill said in an email. “While patient care was not compromised, the attack disrupted our cash flow.”
Change Healthcare is a unit of Optum Inc., which is owned by UnitedHealth Group Inc. Churchill said Optum offered interest-free loans to Change Healthcare clients to help cover short-term cash flow shortfalls for hospitals and health care providers affected by the attacks.
“Marin Health has been approved by the Marin Healthcare District Board for an option to access up to $32 million in interest-free loans, if needed,” Churchill wrote. “We cannot disclose the details of the transaction. At this time, we have not received any reports that patient information has been compromised.”
