Scripps CEO Chris Van Gorder Shares Ransomware Response
Episode 12123rd June 2021 • This Week Health: Newsroom • This Week Health
00:00:00 00:09:43

Transcripts

 This transcription is provided by artificial intelligence. We believe in technology but understand that even the smartest robots can sometimes get speech recognition wrong.

  Today in Health it we take a one day break from our chime review, our chime summer forum review of all the keynotes to look at a letter from the Scripps CEO, Chris Van Gorder on the recent ransomware attack. My name is Bill Russell. I'm a former CIO for a 16 hospital system and creator of this week in Health IT a channel dedicated to keeping health IT staff current.

And Engaged Health Lyrics is my company. I provide executive coaching advisory, interim leadership, and board participation for health leaders around technology and it. If you wanna learn more, check out health lyrics.com. Alright, here's today's story. As I said, I'm currently working through the rest of the talks for Chime, and you'll get a rundown on each of them starting again tomorrow.

Today we take a detour to the Scripps Ransomware attack and a letter that was written. In the San Diego newspaper, and it, it is a letter that you'd never want your CEO to have to write, or at least to enhance and approve the words that marketing, legal, and others have put together. So let's take a look at it real quick.

This is an opinion piece. It's the San Diego Union Tribune. Weed scripts health we're victims of rent, ransomware attack. Here's what we learned. Okay, so that's the title of the editorial piece. This past year we've witnessed doctors, nurses, and hospitals on the frontline of COVID-19 pandemic performing heroically in the face of the most difficult circumstances seen in a century.

Just as it seems, hospitals and healthcare systems may be rounding a corner on coronavirus. The cybersecurity threat has been covertly plaguing our hospital systems. And critical care facilities. I think this is top of mind. Now. They're just setting the groundwork for it. This isn't just us, it's a system-wide problem.

Not in, not only in healthcare, but across the board. They go on to say, in May Scripps Health IT teams detected unusual network activity on our systems. Yet another ransomware attack had fallen on a major US healthcare provider. Our team worked quickly to initiate an investigation and to take steps to contain the incident.

Computer consulting and forensic firms were immediately engaged to expedite the recovery and investigation process, and federal law enforcement was notified. That's the process people. That is exactly how it goes down. As part of the necessary containment, we took down our system's. Access to the electronic medical record was restricted.

This created operational disruption at our hospitals and facilities through it all, how our patient-centered care remained front and center while our teams worked around the clock to restore systems quickly and safely. We are deeply appreciative of the work and resilience of our physicians and staff and so forth.

All right, so that's how it goes down and that's how it feels. You have to take down your systems. You don't have a choice, even if they're functioning fine. And once you're infected with ransomware, you have to take 'em down to protect those systems from potentially getting infected. They go on to say, Hey, it's not just us.

According to a recent analysis from Compare Tech in 20 20 92, individual ransomware attacks affected more than 600 separate clinics, hospitals, and organizations, and more than 18 million patient records. I will say this about this, that's, that's not an excuse, and I don't think they're using it as an excuse.

We used to think . That there was, uh, protection in anonymity, protection in being small, but we're not seeing that anymore because they can shut down a hospital, and even if that hospital is small, they probably have half a million to a billion dollars in revenue. I. and in such a case they can get a million dollars out of you.

They can get $2 million outta you. Well, that's a fair amount of money. So small and anonymous should not be equated anymore. Even if it's clinics or other things they are going after. Anywhere they can get a nickel. Anonymity is not a potential protection against these ransomware attacks. Just something to keep in mind.

He goes on threats aside, Scripps is prepared and trained for emergencies as we all are. We have downtime procedures, and they went into those downtime procedures almost immediately. But the fact remains, despite the best possible efforts, our nation's healthcare providers and all organizations remain vulnerable to threat actors.

Okay, and this is what we've been saying. The American Hospital Association reiterated in a recent article that relying on victimized organizations to individually defend themselves against these attacks is not the solution to this national strategic threat. When the vast majority of these attacks originate from outside the United States where ransomware gangs are allowed to operate with impunity.

All right, and this is what we've been saying. I did a piece on today in Health It where I talked about the fact that there's carriers parked off our coast and they're launching attacks on a daily basis, and we wouldn't normally look at California and say, okay, you defend yourself in Oregon, you defend yourself, but it's even worse than that.

In this case, we're looking at individual hospitals with individual hospital budgets and saying, you defend yourself and you defend yourself. You have organizations and potentially competing organizations trying to defend themselves. And not sharing as much information as we really should in this case, and not really having enough of the protection that the federal government should provide.

And so that's one of the cases the A HA is making. I think he goes on to talk about that later in the letter as well. These are not excuses, as I said earlier, they're not holding these out as excuses, but while there's no unauthorized access to Scripps electronic medical record. Application Epic and there is no evidence to date that Scripp's patient information was used for fraudulent purposes.

We deeply regret the concern this incident has caused for our patient employees and physicians. I assume the forensics went in there, looked pretty hard. I. At the environment to determine that there was no access. I don't think you can rule out access at this point. There's a lot of ways to access the record and not have it logged correctly.

Again, it depends on how sophisticated this was. Some of the other ones we've looked at in healthcare, were not overly sophisticated, and if that is the case here, there's a good chance that the, the medical record was not accessed in any way. There are important lessons learned here, Scripps, like other healthcare systems.

Are taking further steps to enhance the security of our information security systems. That is, that goes without saying. One of the clearest lessons from our recent spate of attacks on critical US in institutions is the need for public-private partnership to manage and combat this issue. Absolutely. The US Department of Justice recently shared that is elevating investigations of ransomware attacks to similarly priority as terrorism.

Given that the growing threat that ransomware and digital extortion posed to the nation and they applaud that effort, I applaud that effort. It should be elevated to that. He goes on to say, we are encouraged that the a HA noted in a recent advisory that the association is urging the US government. To use all diplomatic financial law enforcement, intelligence and military cyber capabilities to disrupt these criminal organizations.

Absolutely. Amen. Amen and amen. They should absolutely do that just as protecting the public's health during a once in a century, pandemic takes a village, so will protecting our hospital systems, critical infrastructure, schools, businesses. And government entities. I like the letter and I appreciate them writing the letter.

I think at some later date it would be nice to hear from them in a closed setting where it's just healthcare organizations around where they can share as much about what actually happened and give us the benefit of their learnings through this process. So what's my so what on this? As you try to end all these podcasts with a So what?

And I've done about seven episodes on ransomware in the last two to three weeks. So if you're a frequent listener, you already know my so what on this? Detect, respond, recover. Don't stop until you can detect activity within minutes. Respond within 10 minutes and recover as quickly as possible. Know your vulnerabilities and mitigate as much as possible.

Design for the concept that they are already in your network, meaning know what is going on on your network. Know the vulnerabilities of those you share services with and you share data with. Have a playbook that you follow. Build in the recovery of systems into the design before you buy a new system.

Think about how you're gonna recover this system before you buy a new system. How does it fit into your security architecture? Start with security by design, rethink and reimagine your architecture for the new world that we live in. That is a lot of concepts, but you can listen to any number of the podcasts to get more information on each one of these.

Uh, the most recent one I did was with Carl West, former CSO from Intermountain on uh, Monday on a Newsday show, and we took a look at the Sky Lakes Medical Center ransomware attack in detail. And it's important to note that the world has changed the network that you're residing on. May not be adequate or appropriate.

The hardware that you have may not be adequate or appropriate. The processes that you have may not be adequate or appropriate. I did say about three weeks ago now that ransomware was the highest priority I. For any health system across the country at this moment in time, it won't be forever, but it is right now.

It needs to be elevated to uh, the same level that the pandemic was during the peak of the pandemic. Alright, that's all for today. If you know of someone that might benefit from our channel, please forward them a note. They can subscribe on our website this week, health.com, or wherever you listen to podcasts.

Apple, Google Overcast, Spotify, Stitcher. You get the picture. We are everywhere. We wanna thank our channel sponsors who are investing in our mission to develop the next generation of health leaders, VMware Hillrom, Starbridge Advisors, McAfee and Aruba Networks. Thanks for listening. That's all for now.

Chapters

Video

More from YouTube