Hospitals and health systems have their hands full coping with the scary reality of a ransomware attack, but there are also civil liability concerns that arise in the fallout of a health care cybercrime. In the second of this two-part conversation, John Riggi, national advisor for cybersecurity and risk at the AHA, and Chris Van Gorder, president & CEO of Scripps Health, explore the underdiscussed aspects in the aftermath of a cyber-attack, and the necessary support from the federal government.

00;00;00;20 - 00;00;23;16

Tom Haederle

Despite being educated, prepared and committed to doing everything it could to defend against a cyberattack, it happened anyway. When hackers breached the system of San Diego-based Scripps Health three years ago, the incursion forced Scripps to temporarily shut down some of its systems, leaving trauma surgeons, for example, wondering whether it was safe to treat patients without access to their electronic health records.

00;00;23;18 - 00;00;38;28

Tom Haederle

But even after the immediate attack was contained, cybercriminals caused a second set of problems.

00;00;39;00 - 00;01;00;11

Tom Haederle

Welcome to Advancing Health, a podcast from the American Hospital Association. I'm Tom Haederle with AHA communications. Hospitals and health systems have their hands full coping with the scary reality of a ransomware attack. But on top of that, there are civil liability concerns that limit how much information hospital leaders may share with the public and the media about what's going on.

00;01;00;13 - 00;01;30;13

Tom Haederle

A false step could lead to lawsuits or government sanctions. In the second of this two-part podcast, Chris Van Gorder, president and CEO of Scripps Health, explores with John Riggi, AHA's national advisor for Cybersecurity and Risk, how his organization responded when cybercriminals attacked. They discuss the need for cybersecurity standards and safe harbor protection from the federal government, so that care providers can focus on mitigating cyber attacks and protecting patient safety without having to look over their shoulders.

00;01;30;15 - 00;01;58;11

John Riggi

Ransomware attacks targeting hospitals, health systems and our mission critical third party service providers such as Change Healthcare have increased over 300% over the last three years, according to HHS and the FBI. Today, I am so very pleased and privileged to have my good friend and colleague here with us today to discuss this issue. Chris Van Gorder, president and CEO of Scripps Health in San Diego.

00;01;58;14 - 00;02;08;26

John Riggi

Chris, so, again, I commend you for speaking publicly today. One of the things you have done recently is published an article. Is there any other perspectives you'd like to share from the article?

00;02;08;29 - 00;02;28;23

Chris Van Gorder

Well, again, I think my big ones are, you know, hospitals do need to be prepared. And we need to bring our systems up to the highest standards that need to be established for us as to what those are. And they need to flex with time. There's going to be new technology. The ASAC at the FBI said he says, look, he says bad guys, this is their fulltime job.

00;02;28;29 - 00;02;53;07

Chris Van Gorder

That's all they do. They're busy, you know, thinking how are they going to, you know, change their systems to be able to defeat everything you put in to protect yourself. Right. And he says, whatever you do, don't be mad at yourself. You could not have protected yourself from this attack. And from that point on, the FBI gave us enormous support, enormous advice, positive advice.

00;02;53;09 - 00;03;13;24

Chris Van Gorder

And they've stayed in touch with us over the years after that to let us know where they can...obviously they can't violate any kind of confidential information and share that. But they've allowed us to know that the information we shared with them was and has been useful. We dumped everything. You know, we told them right off the bat, you tell us what you want.

00;03;13;26 - 00;03;36;08

Chris Van Gorder

We will give it to you. Right? Because if this information helps protect another organization downstream, then that's what we ought to be doing. And so, you know, I think they're fabulous. That's the one agency I can tell you that, I felt had our back during the entire incident and afterwards. I can't say that for anybody else other than the people we hired to help us.

00;03;36;11 - 00;04;02;28

Chris Van Gorder

And there are some great companies, you know, Mandiant, CrowdStrike and others that were wonderful in terms of coming in and helping support my team to clean the systems up. And today we have literally, you know, not only do we have state of the art CrowdStrike and other things monitoring the systems, we keep obviously everything up to date, but we have individuals outside of our organization watching the activity inside our system for the behavioral things.

00;04;03;03 - 00;04;23;28

Chris Van Gorder

So all of those types of things so that if somebody does get in and we're watching how people are acting inside the system, which can be an indicator. So I don't know what else we could do to protect ourselves. And I'm not going to fool myself ever again to believe that it couldn't happen again. And so, I think we need to take this on as a country in a much bigger way than we have.

00;04;24;00 - 00;04;36;04

Chris Van Gorder

And it's happening every day. Our country is being attacked by criminals, protected by what I would call rogue countries. And we've got to do something about that.

00;04;36;06 - 00;05;02;17

John Riggi

Thanks, Chris. Totally agree with you. The attacks are continuing. It's pretty clear to me. I'll offer my opinion that Russia, China, North Korea and Iran are using criminal cyber groups as proxies for their own national interests. And quite frankly, as you said, when this is clearly a national security incident, a national security threat. When an attack occurs, broadly threatens public health and safety

00;05;02;20 - 00;05;23;12

John Riggi

that is an act of cyberterrorism, and we need to respond appropriately. Again, we can prepare as much as we possibly can, but ultimately we need the government to do much more on offense as well. Chris, is there - you know, again, we've had a great conversation. We talked a lot about your perspective. And thank you for being so candid and direct with us today.

00;05;23;13 - 00;05;45;04

John Riggi

I think it will be very helpful for our members. By the way, I is a former FBI agent and the FBI appreciate your comments. And there is no doubt, Chris, I have no doubt that the information you provided was instrumental in the publication of National Threat Intelligence in the weeks and months following your attack. And without attribution, of course, to you

00;05;45;06 - 00;06;17;26

John Riggi

I have no doubt that information helped prevent other attacks. So again, the example you set, leadership example, is really something that I wish many others would emulate. And others are trying to do the right thing, but often they are hindered by advice from outside counsel. Chris, last question. Knowing what you know now, having gone through the experience that you did - painful, years long - what are some of the things you wished you had known beforehand?

00;06;17;28 - 00;06;20;01

John Riggi

You wish that someone had told you?

00;06;20;03 - 00;06;40;27

Chris Van Gorder

Maybe it's good, maybe it's bad. Health care workers are heroic. This is the positive side of it. I mean, any time we see bad things that happen: COVID, we had doctors and nurses and technicians afraid for their own lives, and they came to work every day in those early stages, not knowing whether or not the protective gear would protect them or not.

00;06;41;00 - 00;07;04;09

Chris Van Gorder

We saw the same thing in the cyber attack. The doctors, nurses, they all rallied. Not only during the time of the attack, going to paper, using runners to get information from one place to another, running lab specimens to our central lab, waiting for the lab results, and then driving them back to the hospital. Everything slowed down.

00;07;04;11 - 00;07;24;21

Chris Van Gorder

But the patients were cared for. Well, I was invited to a meeting at the local FBI office to just talk to them about that. And the one thing they were saying, they flat out asked they could people have died in this attack? And I said, yes, they could have. And that seemed to elevate the entire issue for them to a much higher level than just a property crime attack.

00;07;24;24 - 00;07;47;19

Chris Van Gorder

This could be murder, international murder. And, you know, I don't think I ever thought about it quite that way until we were victimized. For months afterwards, because everything we had on paper now, we had to put back into the digital. And the cost implications were absolutely enormous. If we were not a financially strong organization, it could have bankrupted us easily.

00;07;47;19 - 00;08;05;26

Chris Van Gorder

And I would tell you, if the same thing happened to a small rural hospital, they would never have opened up again. They would have gone bankrupt and not been able to open up. So, the resources need to be available for smaller organizations that just don't have the capabilities of a health care system like Scripps. There needs to be funding made available. As it is right now

00;08;06;03 - 00;08;28;16

Chris Van Gorder

we're underfunded, as we know, by Medicare and Medicaid nationally. Right? And if you happen to have a poor payer mix, there's no way in the world you're investing in the necessary cybersecurity, in the systems and people to be able to protect your organization. You will eventually be a victim. Those resources we truly want to protect those hospitals, and we want to save lives.

00;08;28;22 - 00;08;50;05

Chris Van Gorder

The resources have to be made available, particularly to the smaller hospitals and rural hospitals. The systems and facilities that just don't have the resources to be able to do that. We have to take this on. If we want to defeat this, we have to take it on as a country and not as an individual hospital, trying to find the best way it can to protect itself.

00;08;50;07 - 00;09;09;06

Chris Van Gorder

And so maybe my last comment to you, John, is to thank the American Hospital Association and you for bringing attention to this on a daily basis to Congress, to our executive branch, And, you know, doing a podcast like this and keeping it going because everybody out there that hasn't been attacked is sitting there going, I hope it never happens to me.

00;09;09;08 - 00;09;28;23

Chris Van Gorder

So one thing I learned maybe that I should have is I should have had the mindset of it will happen to me and I need to do whatever is necessary to make sure the system's prepared. The drills. You know, I wish we'd done more drills ahead of time on paper. I wish we had extended the downtime from an hour or two to 12 hours

00;09;28;25 - 00;09;49;27

Chris Van Gorder

so that we had more practice doing that. I wish we thought through what do we do if we're down for three weeks, four weeks, five weeks, you know, how are we going to treat patients to make sure that nobody dies on our watch? If I had the knowledge of the experience I had beforehand, there's no doubt I would have done some things differently during the attack.

00;09;49;29 - 00;10;14;12

Chris Van Gorder

And I wish we had ability now to be able to share this experience more widely and safely so that, you know, when there is a victim out there that organizations like ours who have gone through it could provide help to them without them fearing additional liability, without me feeling like I'm risking our own organization, getting involved somehow in litigation because we just went out there to try to help.

00;10;14;19 - 00;10;24;09

Chris Van Gorder

There needs to be some form of attorney-client protection or government protection for organizations like ours to share and help each other when they're in trouble.

00;10;24;11 - 00;10;51;14

John Riggi

Thank you. Chris. One, I appreciate your kind and gracious comments. We are working very hard and the government has taken action. Now the FBI and DOJ officially classify ransomware attacks against hospitals as threat to life crimes. And DOJ classifies these attacks at the same investigative priority as terrorist attacks. Thank you again for your words of wisdom as a victim, as a victim organization to share and help others learn.

00;10;51;17 - 00;11;13;28

John Riggi

And finally, Chris, thank you for your leadership on this and so many other issues. And again, ultimately trying to, as we do in law enforcement, trying to protect and serve at the same time. So we want to close out this podcast in a special thank you to all our frontline health care providers, our frontline health care heroes who every day care for patients and serve their communities.

00;11;14;04 - 00;11;26;12

John Riggi

And thank you to all our network defenders, for what you do every day to protect our health care organizations. This has been John Riggi, your national advisor for cybersecurity and risk. Stay safe everyone.

00;11;26;15 - 00;11;34;25

Tom Haederle

Thanks for listening to Advancing Health. Please subscribe and rate us five stars on Apple Podcasts, Spotify, or wherever you get your podcasts.