Security Incident Leads Scripps Health to Postpone CareNews Reports: Apparent Ransomware Attack Also Results in Diverting Emergency Patients
San Diego-based Scripps Health, which operates four area hospitals, has been forced to postpone some patient care - and reportedly divert some patients seeking emergency treatment - as a result of what local news outlets say is a ransomware attack.
In a statement provided to Information Security Media Group, Scripps Health says that it detected "an information technology security incident" late on Saturday.
"As a result of this cyberattack, we suspended user access to our information technology applications related to our operations at our healthcare facilities," according to the statement. "While our information technology applications are offline, patient care continues to be delivered safely and effectively at our facilities, utilizing established back-up processes, including offline documentation methods."
Outpatient urgent care centers, Scripps HealthExpress locations and emergency departments remain open for patient care, the statement adds.
Some patient appointments scheduled for Monday, as well as for the next several days, however, were postponed. "We are working on how best to notify these patients about the need to reschedule," the statement says.
Scripps Health says its technical teams and vendor partners are working "around the clock to resolve these issues as quickly as possible." Law enforcement agencies and various government organizations have been notified, Scripps Health adds.
A Scripps Health spokesman declined to comment on whether the cyberattack involved ransomware. But the San Diego Union-Tribune, citing a Scripps Health memo, says ransomware apparently was involved.
NBC San Diego reported that the San Diego County Office of Emergency Services said ambulances were being diverted over the weekend from Scripps' facilities to other hospitals in the area as a precautionary measure.
The Scripps Health spokesman would not comment on whether some of its emergency care patients were being diverted to other area hospitals. The San Diego County Health and Human Services Agency did not immediately respond to ISMG's request for comment.
Transplant Network Hit
In another recent attack in the healthcare sector suspected of involving ransomware, Westwood, Kansas-based Midwest Transplant Network reported to federal regulators a hacking incident affecting nearly 17,600 individuals.
In a Friday statement, the organization said it recently detected a "data security incident." MTN worked with outside experts "to stop and remove the threat," the statement says.
"Some historical organ donor and recipient information was involved," MTN says. "Where necessary, MTN will notify individuals regarding this incident and the resources MTN is providing them."
Law enforcement officials have been notified, but MTN says "there is no evidence that the exfiltrated data has been misused or distributed by the cybercriminals."
MTN’s IT team and technical consultants are reviewing the organization's security practices and electronic systems, implementing security and threat detection tools and enhancing IT policies and procedures, the statement says.
MTN did not immediately respond to ISMG's inquiry on whether the incident involved ransomware, as was reported by local news media outlet KCUR.
Ransomware and other cyberattacks clearly are beginning to have an impact on the quality of care, some experts say.
"We know that degraded and delayed healthcare affect mortality rates for latency-sensitive conditions, such as heart attacks, strokes, cancer treatment and car accidents," says Josh Corman, chief healthcare security adviser at the Cybersecurity and Information Security Agency. He spoke at ISMG's recent Virtual Cybersecurity Summit: Healthcare.
Research from the New England Journal of Medicine has shown that even a 4.4-minute delay in emergency treatment for heart attack patients can result in higher mortality rates or other negative outcomes, he says.
"Time-sensitive care delivery is paramount," Corman says. "So admitting we have a problem is a prerequisite to fixing a problem."
Threat analyst Brett Callow of security vendor Emsisoft notes that ransomware attacks on healthcare providers have been worsening since the start of 2019.
"The attacks aren’t simply an expensive inconvenience; they actually put lives at risk, and the fact that people haven't died as a direct result of them is simply down to good luck," he says.
So far this year, 18 attacks on healthcare providers have disrupted patient care at 47 or more locations, he says.
"Dealing with this problem isn’t going to be easy and, unfortunately, I don’t think there’s any quick fix," he says. "Action on multiple fronts is required, including policy measures to disincentivize the countries which shelter cybercriminals, to boost the [law] enforcement rate and, of course, to help ensure providers’ systems are better protected."
Sarah Powazek, cyber analyst and program manager of the ransomware task force at the nonprofit group Institute for Security and Technology, says that for cybercriminals, "the success of an attack is directly related to how much pressure a criminal can inflict on a victim."
This makes hospitals that provide critical, time-sensitive care highly attractive targets for ransomware attacks, she notes.
"The immense need to regain operations gives the criminals leverage to extort ransoms in the millions of dollars. We’ve already seen the short-term effects - the rerouting of urgent care patients and cancellation of appointments."
Even if the ransom is paid, she notes, "There is no guarantee these hospitals will be able to get back to normal patient care any time soon."
IST's ransomware task force recently issued a framework with recommendations for mitigating ransomware attack risks.
"Critical entities need help to increase their cyber hygiene, which is why the RTF report recommends updating and expanding grant programs and other financial incentives to encourage stronger defenses," she says.