More than a month after a ransomware attack hit Scripps Health and disrupted its IT systems for weeks, CEO Chris Van Gorder has penned an op-ed in The San Diego Union-Tribune to detail the events and call on greater collaboration between the government and hospitals to thwart attacks.
The San Diego-based health system discovered unusual network activity affecting some of its IT systems on May 1, prompting Scripps to take its information systems, including its Epic EHR, offline. During nearly one month of EHR downtime, the health system operated using established backup processes, including offline documentation methods and continued care at its outpatient urgent care centers, Scripps HealthExpress locations and all its emergency departments.
While Scripps' EHR was not compromised, and there is no evidence that the health system's patient information was used for fraudulent purposes, Mr. Van Gorder wrote "we deeply regret the concern this incident has caused for our patients, employees and physicians."
"There are important lessons to be learned.Scripps, like other healthcare systems, is taking further steps to enhance the security of our information security, systems and monitoring capabilities and adapt to this evolving cyber-threat landscape," he stated.
Mr. Van Gorder pointed to the "unfortunate reality" that Scripps is "yet just another example of the ongoing trend of 'threat actors' extorting the nation's healthcare systems." He cited a recent analysis from Comparitech, which found that 92 individual ransomware attacks affected more than 600 separate clinics, hospitals and organizations in 2020.
Scripps quickly implemented incident response protocols and downtime procedures upon discovering the cyberattacks, but "despite the best possible efforts, our nation's healthcare providers — and all organizations— remain vulnerable to threat actors," Mr. Van Gorder wrote.
"The American Hospital Association reiterated in a recent article that relying on victimized organizations to individually defend themselves against these attacks is not the solution to this national strategic threat, when the vast majority of these attacks originate from outside the United States where ransomware gangs are allowed to operate with impunity," he wrote.
As the number of cyberattacks on critical U.S. institutions continues to escalate, there has become a critical need for public-private partnerships to manage and combat the issue, according to Mr. Van Gorder, who applauded the U.S. Justice Department's recent initiative to elevate investigations of ransomware attacks to terrorism priority.
"Just as protecting the public’s health during a once-in-a-century pandemic takes a village, so will protecting our hospital systems, critical infrastructure, schools, businesses and government entities from criminals who exist in the shadows," Mr. Van Gorder wrote.