June 15, 2021

Scripps CEO: What we learned from being attacked by ransomware

Daily Briefing

    Writing for The San Diego Union-Tribune, Scripps Health CEO Chris Van Gorder details his health system's experience fending off a ransomware attack last month and calls for increased collaboration between the federal government and hospitals to prevent further cyberattacks.


    Ransomware attack results in weeks-long EHR shutdown

    Scripps first detected the ransomware attack on May 1. The system immediately suspended access to IT applications and notified federal law enforcement. It restored access to its website on May 20, and access to its Epic EHR system and online MyScripps patient portal was restored on May 27.

    During the roughly four weeks it was offline, Scripps said it continued to deliver patient care "safely and effectively" across all its facilities via "established back-up processes, including offline documentation methods." Meanwhile, the system's technical teams and vendors worked "around the clock" to resolve the issue.

    On May 24, Van Gorder provided an update for patients on the status of the patient portal and EHR, but he said he could not share details on the attack since doing so could put the system "at an increased risk of coming under further attack, and of not being able to restore (its) systems safely and as quickly as possible."

    On June 1, Scripps said it was starting to "mail notification letters to approximately 147,267 individuals" whose personal information appears to have been accessed by the hackers "so they can take steps to protect their information." Of those affected, about 2.5%—or 3,700—are said to have had their Social Security Numbers and/or driver's license numbers stolen, the system said. The system plans to provide those individuals with complimentary "credit monitoring and identity protection support services."

    According to La Jolla Light, Scripps noticed that while the hackers had "managed to acquire copies of some of our documents before deploying ransomware," they were not able to access Epic. Additionally, the health system noted that so far as it is aware, there is "no indication that any of [the stolen] data has been used to commit fraud."

    A frontline perspective

    Writing in The San Diego Union-Tribune, Van Gorder expounded on how Scripps responded to the attack, quickly "initiat[ing] an investigation," engaging "[c]omputer consulting and forensic firms," and notifying federal law enforcement. As part of that recovery process, Van Gorder wrote, the health system also "took down our systems" and restricted access to the EHR.

    However, although this response "created operational disruption at our hospitals and facilities," Van Gorder notes that "patient care remained front and center" through the deployment of "well-practiced downtime procedures." Nonetheless, Van Gorder notes that "[w]hile there was no unauthorized access to Scripps’ electronic medical record application, Epic, and there is no evidence to date that Scripps patient information was used for fraudulent purposes, we deeply regret the concern this incident has caused for our patients, employees and physicians."

    The need for public-private collaboration

    "There are important lessons to be learned," Van Gorder writes, noting that the health system is "taking further steps to enhance the security of our information security, systems and monitoring capabilities, and adapt to this evolving cyber-threat landscape."

    According to Van Gorder, one of the "clearest lessons" from the attack on Scripps and "the ongoing trend of 'threat actors' extorting the nation's health care systems … is the need for public-private partnerships to manage and combat this issue."

    He explains that the "health-care industry is not alone in being hit with these threats that are increasing in complexity, volume, frequency and intensity—we're seeing these issues arise in critical infrastructure, our food supply, government agencies, K-12 school systems, universities, financial services companies, and more." And while Scripps responded quickly to its own ransomware attack, Van Gorder notes that "despite the best possible efforts, our nation's health care providers—and all organizations—remain vulnerable to threat actors."

    According to Van Gorder, the American Hospital Association agrees, stating in a recent article "that relying on victimized organizations to individually defend themselves against these attacks is not the solution to this national strategic threat, when the vast majority of these attacks originate from outside the United States where ransomware gangs are allowed to operate with impunity."

    As cyberattacks continue to escalate, there is an increasingly critical need to establish public-private partnerships to "safeguard our essential institutions and critical infrastructure," Van Gorder writes, praising a recent initiative at the Department of Justice to elevate ransomware attack investigations to a priority level similar to that of terrorism.

    "Just as protecting the public's health during a once-in-a-century pandemic takes a village, so will protecting our hospital systems, critical infrastructure, schools, businesses, and government entities from criminals who exist in the shadows," Van Gorder writes (Sisson, La Jolla Light, 6/1; Drees, Becker's Health IT, 5/28; Sisson, The San Diego Union-Tribune, 5/27; Drees, Becker's Health IT, 5/3; Van Gorder, The San Diego Union-Tribune, 6/11).
