
Scripps CEO Reveals Lessons Learned from Ransomware Attack

In an op-ed published in the San Diego Union-Tribune, Scripps Health CEO Van Gorder revealed lessons learned from the healthcare provider's ransomware attack in May.

By Jill McKeon

Ransomware attacks can be both costly and dangerous for those impacted. But for the healthcare industry in particular, patient data is put at risk, and taking EHR systems offline can delay critical care. In a recent opinion piece published in the San Diego Union-Tribune, Scripps Health president and CEO Van Gorder revealed lessons learned from its large-scale ransomware attack in May.

“This past year, we’ve witnessed doctors, nurses and hospitals on the front lines of the COVID-19 pandemic performing heroically in the face of the most difficult circumstances seen in a century,” Gorder wrote.

“Just as it seems hospitals and health-care systems may be rounding a corner on coronavirus, the cybersecurity threat has been covertly plaguing our hospital systems and critical care facilities.”

The attack occurred on May 1st, causing EHR downtime and appointment cancellations. Some patients, including all trauma patients, were diverted to other hospitals. After four weeks of disruption, Scripps restored its network and brought its EHR system back online by June 1st.

In a June 1st announcement on its website, Scripps alerted individuals to the ransomware attack and its implications for patients. Social Security numbers and driver's license numbers were affected for less than 2.5 percent of patients, but some documents contained names, addresses, health insurance information, and medical records, among other sensitive information.

“Maintaining the confidentiality and security of our patients’ information is something Scripps takes very seriously. We deeply regret that this incident occurred and any concern this may cause,” the announcement stated.

“To help prevent something like this from happening again, we are continuing to implement enhancements to our information security, systems, and monitoring capabilities. We also continue to work closely with federal law enforcement to assist their ongoing investigation.”

In the opinion piece, Gorder wrote that although EHR systems were down and some patients were diverted, patient care remained the number one priority.

“As frustrating and challenging as this situation has been for our patients, physicians, nurses and staff, the unfortunate reality is Scripps is yet just another example in the ongoing trend of ‘threat actors’ extorting the nation’s health-care systems,” he wrote.

Citing analysis from Comparitech, Gorder pointed out that 92 ransomware attacks were inflicted on over 600 healthcare organizations in 2020 alone, making 18 million patient records vulnerable. In addition, hospital systems in New Zealand and Ireland were facing EHR downtime from recent ransomware attacks.

“One of the clearest lessons from the recent spate of attacks on critical U.S. institutions is the need for public-private partnerships to manage and combat this issue,” Gorder wrote.

The White House and the Department of Justice recently launched the Ransomware and Digital Extortion Task Force and announced its intention to increase investigations into ransomware attacks.

“In the face of difficult circumstances, those on the front lines of our [healthcare] system continue to rise to the occasion and provide the quality and continuity of care that patients deserve,” Gorder continued.

“Just as protecting the public’s health during a once-in-a-century pandemic takes a village, so will protecting our hospital systems, critical infrastructure, schools, businesses and government entities from criminals who exist in the shadows.”