RECALIBRATE YOUR HEALTHCARE STRATEGY
Learn 4 strategic pivots for 2025 and beyond.
Learn more

Daily Briefing

Scripps CEO: What we learned from being attacked by ransomware


Writing for The San Diego Union-Tribune, Scripps Health CEO Chris Van Gorder details his health system's experience fending off a ransomware attack last month and calls for increased collaboration between the federal government and hospitals to prevent further cyberattacks.

The White House is raising the ransomware alarm. Here’s how you should respond.

Ransomware attacks results in weeks-long EHR shutdown

Scripps first detected the ransomware attack on May 1. The system immediately suspended access to IT applications and notified federal law enforcement. They restored its website access on May 20, and access to its Epic EHR system and online MyScripps patient portal were restored on May 27.

cybersecurity
Infographic: How to be a cybersecurity sentinel

During the roughly four weeks it was offline, Scripps said it continued to deliver patient care "safely and effectively" across all its facilities via "established back-up processes, including offline documentation methods." Meanwhile, the system's technical teams and vendors worked "around the clock" to resolve the issue.

On May 24, Van Gorder provided an update for patients on the status of the patient portal and EHR, but he said he could not share details on the attack since doing so could put the system "at an increased risk of coming under further attack, and of not being able to restore (its) systems safely and as quickly as possible."

On June 1, Scripps said it was starting to "mail notification letters to approximately 147,267 individuals" whose personal information appears to have been accessed by the hackers "so they can take steps to protect their information." Of those affected, about 2.5%—or 3,700—are said to have had their Social Security Numbers and/or driver's license numbers stolen, the system said. The system plans to provide those individuals with complimentary "credit monitoring and identity protection support services."

According to La Jolla Light, Scripps noticed that while the hackers had "managed to acquire copies of some of our documents before deploying ransomware," they were not able to access Epic. Additionally, the health system noted that so far as it is aware, there is "no indication that any of [the stolen] data has been used to commit fraud."

A frontline perspective

Writing in The San Diego Union-Tribune, Van Gorder expounded on how Scripps responded to the attack, quickly "initiat[ing] an investigation," engaging "[c]omputer consulting and forensic firms," and notifying federal law enforcement. As part of that recovery process, Van Gorder wrote, the health system also "took down our systems" and restricted access to the EHR.

However, although this response "created operational disruption at our hospitals and facilitates," Van Gorder notes that "patient care remained front and center" by deploying "well-practiced downtime procedures." Nonetheless, Van Gorder notes that "[w]hile there was no unauthorized access to Scripps’ electronic medical record application, Epic, and there is no evidence to date that Scripps patient information was used for fraudulent purposes, we deeply regret the concern this incident has caused for our patients, employees and physicians."

The need for public-private collaboration

"There are important lessons to be learned," Van Gorder writes, noting that the health system is "taking further steps to enhance the security of our information security, systems and monitoring capabilities, and adapt to this evolving cyber-threat landscape."

According to Van Gorder, one of the "clearest lessons" from the attack on Scripps and "the ongoing trend of 'threat actors' extorting the nation's health care systems … is the need for public-private partnerships to manage and combat this issue."

He explains that the "health-care industry is not alone in being hit with these threats that are increasing in complexity, volume, frequency and intensity—we're seeing these issues arise in critical infrastructure, our food supply, government agencies, K-12 school systems, universities, financial services companies, and more." And while Scripps responded quickly to its own ransomware attack, Van Gorder notes that "despite the best possible efforts, our nation's health care providers—and all organizations—remain vulnerable to threat actors."

According to Van Gorder, the American Hospital Association agrees, stating in a recent article "that relying on victimized organizations to individually defend themselves against these attacks is not the solution to this national strategic threat, when the vast majority of these attacks originate from outside the United States where ransomware gangs are allowed to operate with impunity."

As cyberattacks continue to escalate, there is an increasingly critical need to establish public-private partnerships to "safeguard our essential institutions and critical infrastructure," Van Gorder writes, praising a recent initiative at the Department of Justice to elevate ransomware attack investigations to a priority level similar to that of terrorism.

"Just as protecting the public's health during a once-in-a-century pandemic takes a village, so will protecting our hospital systems, critical infrastructure, schools, businesses, and government entities from criminals who exist in the shadows," Van Gorder writes (Sisson, La Jolla Light, 6/1; Drees, Becker's Health IT, 5/28; Sisson, The San Diego Union-Tribune, 5/27; Drees, Becker's Health IT, 5/3; Van Gorder, The San Diego Union-Tribune, 6/11).


Learn more

Access our cybersecurity resource library

breach

To get started, use this resource page to guide you through the following 5 steps for becoming a cyber resilient organization:

1. Understand the full cybersecurity ecosystem to build cyber resilience through layers

2. Engage senior leaders in security efforts to advance the organization’s security maturity

3. Optimize the effectiveness of your Chief Information Security Officer (CISO)

4. Prepare in advance

5. Manage and learn from incidents that do happen


SPONSORED BY

INTENDED AUDIENCE

AFTER YOU READ THIS

AUTHORS

TOPICS

INDUSTRY SECTORS

MORE FROM TODAY'S DAILY BRIEFING

Don't miss out on the latest Advisory Board insights

Create your free account to access 1 resource, including the latest research and webinars.

Want access without creating an account?

   

You have 1 free members-only resource remaining this month.

1 free members-only resources remaining

1 free members-only resources remaining

You've reached your limit of free insights

Become a member to access all of Advisory Board's resources, events, and experts

Never miss out on the latest innovative health care content tailored to you.

Benefits include:

Unlimited access to research and resources
Member-only access to events and trainings
Expert-led consultation and facilitation
The latest content delivered to your inbox

You've reached your limit of free insights

Become a member to access all of Advisory Board's resources, events, and experts

Never miss out on the latest innovative health care content tailored to you.

Benefits include:

Unlimited access to research and resources
Member-only access to events and trainings
Expert-led consultation and facilitation
The latest content delivered to your inbox
AB
Thank you! Your updates have been made successfully.
Oh no! There was a problem with your request.
Error in form submission. Please try again.