The unprecedented rise of cyberattacks on the nation's health care system has hospitals and health systems deploying multitudes of cyberdefenses. Yet, even with the most innovative shields, cybercriminals can still pierce through. In the third of this four-part conversation, three experts from Scripps Health, Chris Van Gorder, president & CEO, Shane Thielman, corporate senior vice president and chief information officer, and Gerry Soderstrom, corporate senior vice president and chief audit, compliance & risk officer talk through the day the organization experienced a cyberattack, the preparation playbook that leaders rapidly deployed, and what comes first in responding to these types of critical situations.
::Tom Haederle
a devastating cyberattack in:
::Tom Haederle
Shane Thielman, chief information officer; and Gerry Soderstrom, chief audit, compliance and risk officer. Now, to John.
::John Riggi
ransomware attack back in May:
::Chris Van Gorder
Thank you, John, and I certainly can do that. As you noted, Scripps Health is a regional health care system, headquartered in San Diego. We have five hospitals, 30 ambulatory sites, two level one trauma centers. So we are an academic teaching organization. And we have obviously a number of specialty centers, cancer center, cardiac and stroke centers, orthopedic center.
::Chris Van Gorder
employees and:
::Chris Van Gorder
At that point not all the information, of course, was known, but our system automatically sets up our incident command systems and local incident command centers to be able to manage disruption of service or any other kind of disaster. Our information services people were on top of it immediately, and based on protocol ultimately shut down all of our systems, including our electronic health record and ultimately, shut down access to the internet.
::Chris Van Gorder
So even though we test these systems from time to time for short periods of time when we're, you know, bringing on new software, this was not a short time. This ultimately lasted three and a half weeks. We had to go completely to paper. We had to go to our own personal cell phones for communication because our phone system also had to be shut down.
::Chris Van Gorder
And we began a period of three and a half weeks of being able to try to take care of our patients safely. There was a risk of harm to patients. There was a risk of death to patients. And there was no way to really evacuate all of your hospitals under these circumstances because there's not even capacity in the marketplace to be able to absorb all those patients.
::Chris Van Gorder
In situations like this, we allow the local hospitals to really make the patient care decisions. So all of our hospital emergency rooms initially went on ambulance diversion. They did not shut down, and they did continue to take in walk-ins. And of our two level one trauma centers, one decided to shut down for trauma. The other one remained open for trauma based upon what they felt comfortable doing.
::Chris Van Gorder
The California Department of Public Health was obviously notified, among others. They made daily visits to our hospitals to make sure that the patient care that was being delivered was safe, and they assured the public every day that it was safe. But it was a challenge on paper. Again, every lab report. We had to shut down our clinics, and a lot of the clinic employees went into the hospitals to become runners.
::Chris Van Gorder
Based on that, we were able to continue operating in a very different capacity for a number of weeks.
::John Riggi
Thanks for that, Chris. Clearly, a very significant decision that had to be made to prevent ransomware from spreading throughout your organization. Shut down networks, disconnect from the internet. And it sounds like there are a lot of perhaps unanticipated cascading effects on patient care services. And I think you really captured the essence here when we talk about how these attacks, these foreign-based cyberattacks that disrupt and delay health care delivery, absolutely risk patient safety and pose a threat to life on these issues.
::John Riggi
These aren't data theft crimes. These aren't white collar crimes. These are threat-to-life crimes. Shane, if I could turn to you for a moment. As the chief information officer, now you're faced with this issue here. You have a very unique perspective on technology and cyber risk in your role. Could you elaborate for us on the steps you took when this really debilitating, high-impact ransomware attack occurred?
::Shane Thielman
So as Chris mentioned, the ransomware-like behavior was first identified on Saturday evening, May 1st, as first reports came in. There was a continuous assessment to try to understand if it was more of a technical issue or malware. It became apparent almost immediately that we had a malware situation, and the impact, frankly, was instantaneous. The malware propagated laterally across the entire Scripps environment.
::Shane Thielman
It was Windows-based ransomware, or Windows-based organization. And as you heard from Chris, our hospitals declared code white - disruption of services. And within about an hour of all of this information streaming in, we implemented a comprehensive isolation and containment strategy. We disconnected all of our sites from each other and our two data centers. We disabled the internet at each of our business units.
::Shane Thielman
We disabled all remote connectivity, including our phones. And then finally, we disconnected from the internet at our data centers. One, to prevent the further spread of malware. Two, we wanted to ensure, as we were gaining a better understanding of what had transpired, that we didn't allow the perpetrators any sort of control externally from our organization into our environment.
::Shane Thielman
And so part of the purpose of disconnecting from the internet was really to cut off any command and control communications that would have been occurring externally and back into Scripps. But then lastly, to really level set our environment and really take control of the environment, and really to alleviate the pressure of any ongoing threats that the IT and the information security teams were working to resolve as part of the remediation process.
::John Riggi
Thank you, Shane. Clearly, decisions that are not made lightly. You know, often when these attacks occur we hear commentary from the field is why did they disconnect from the internet? Why didn't they just contain the spread? And the reason is the victim is unable to contain it. And as you said, disconnecting from the internet helps prevent exfiltration of data and helps prevent command and control instructions coming in from overseas.
::John Riggi
Gerry, if I could turn to you for a moment. As you know, we in health care sometimes act in silos. How prepared were you at the time of the attack, and what were your information security capabilities at that time?
::Gerry Soderstrom
Thanks, John. We were very prepared. You know, we had a highly skilled, highly capable team of internal resources that were dedicated to information security. We were subject to, and we had, external assessments done frequently, regularly, both to look at our internal and external vulnerabilities in terms of having pen tests. So most organizations undergo those. If they don't, they should.
::Gerry Soderstrom
It's really an opportunity for you to identify gaps or issues and be able to fix those before your adversary takes advantage of that. We also had program assessments done. You know, we were viewed as being certainly above the benchmark in terms of our overall information security capabilities. And when Shane and I spent time analyzing the amount of money, the resources, that the organization was committing to information security, it was also way above benchmark at that time.
::Gerry Soderstrom
So there was a significant investment. As a matter of fact, when it was clear that it was ransomware, we pulled out our ransomware playbook that we had built specifically for the purpose of a ransomware attack. And so we were very well prepared.
::John Riggi
Thanks for that, Gerry. And again, I think any organization is potentially vulnerable to a ransomware attack. No organization, however well prepared, however well funded they may be, can 100% prevent attacks. So that's why a lot of the focus should also be on resiliency as well. And again, I know, Chris, you and your team had prioritized cybersecurity very highly within your organization prior to the attack.
::John Riggi
I want to just pivot a little bit and ask a general question to all of you here. And then I'll start with Chris, perhaps on the response. What do you believe was most helpful during those first days of the attack, and what did you learn during that time, and what would you tell others to do now based upon what you've learned?
::Chris Van Gorder
Well, maybe a couple of things. First of all, you really do have to be prepared to allow critical decisions, particularly as it relates to patients, to be handled at the point of service. There's no way at a corporate headquarters, even though we were managing the cyber attack or in information systems, can they make decisions about patient care.
::Chris Van Gorder
And we were very well prepared to do that. As a result, nobody was hurt and nobody died, which could have happened. And we had decentralized leadership to take over clinically. Second, according to the playbook, of course, we reached out - we had cyber insurance. We reached out immediately to that company and they used their expertise to be able to advise us as well, including identification of an external law firm that is expert in this area.
::Chris Van Gorder
And they helped guide us. The third component was reaching out to law enforcement and in this case, the FBI. And I have to tell you, of all the agencies we dealt with, the FBI was by far the most supportive. And they gave us very good counsel. And there was excellent follow up to that. The other agencies, with all due respect to them, look to punish more than they do to help.
::Chris Van Gorder
Now, as Gerry will tell you, the Office of Civil Rights ultimately gave us a clean bill of health, after the fact, after the reporting. So I've got to give them some kudos for being objective about this. That's not necessarily true in the case of the state of California, who ultimately fined us, a fine that we are still appealing because we do believe that the OCR was right in this case.
::Chris Van Gorder
But there were external individuals and organizations that were very, very helpful on this. And I will never forget, because I think you just made a very important point, that no matter how well prepared they believe they are - as I believed at the time we were completely free of vulnerability - it's not the case. You can be a victim at any time.
::Chris Van Gorder
And that was the first thing. The special agent in charge here in San Diego told me when I was talking to him: Chris, he said, I know you're going to blame yourself as the leader of the organization. He says, don't do that. He says, there's no way you could have stopped this attack. The bad guys are professionals. They do this full time.
::Chris Van Gorder
They are experts in exploiting systems. Who knows how they got in? And in the end, our forensics never gave us a complete answer to that. But despite the fact that we believe we were prepared to prevent, we ultimately became victimized. And as you said, the organization better prepare for that and be resilient because they impact might have to do that as many other hospitals have had to go through over the last several years after our attack.
::John Riggi
Thank you for that perspective, Chris. And again, your point being, the FBI was there to help, truly to help. So as a law enforcement agency, not a regulatory agency, their role is not to lay blame. So FBI, CISA, even Secret Service - they can respond and their role is to help the victims do the investigation, attribute the attack, and then help warn the rest of the nation.
::John Riggi
On this same question, I'm going to turn to Shane and then Gerry as well. What would be your advice to the field now that you've gone through this and you've learned a lot of good lessons and hard lessons?
::Shane Thielman
That probably goes without saying, but one of the operating principles that we embraced was that we knew we needed to recover as quickly and as efficiently as possible, but we needed to do it in a safe and secure manner, particularly given the circumstances. Chris mentioned in some of his earlier comments the establishment of our corporate command center and the relationship between that command center at the system level and the local command centers.
::Shane Thielman
And one of the activities that we undertook to help support that, of course, was a daily operations call that was led by our chief medical officer to really promote two-way communication and best practice sharing and information sharing that could be useful to help us resolve issues predominantly around access to information early on. But then as we moved through our recovery phase and prepared to restore access to systems and approach to communicating and setting expectations, there was another committee structure that was set up that was specific to our technical recovery activities and really brought together both information security and IT. And we had a 24/7 technical triage and threat remediation process that we were undertaking.
::Shane Thielman
When we had real-time visibility into our progress, we could surface issues and we could bring together the right leaders and subject matter experts to address issues and concerns. With that, we also had a 24/7 bridge call with operations that was supporting the daily operations call. Again, it enabled us to have a stream of communication that became very valuable in helping to spread some of the best practices that we were developing as we were responding to the event and make sure that we were doing everything possible to support our frontline staff.
::Shane Thielman
We were very proactive as well. We had a business continuity committee that was stood up early on prior to us restoring access to our systems, really in anticipation that we were going to have a lot of paper documentation, that we needed to get back into some semblance of a medical record that we ultimately could use to bill for services.
::Shane Thielman
And so we were very proactive in standing up that committee so that we could really begin to think through, as we had fully recovered our systems, what our processes would be to round out the medical record and ultimately allow us to deliver those services. And then as well, there was a daily privacy call, as well as a crisis communication group that came together to help us manage communications, not only internally but externally to our community as well.
::Shane Thielman
And so I think the emphasis here on the immediate organization of those key workstreams and leaders that were appointed by Chris to take lead in each of those key areas to really ensure a comprehensive and methodical response to the event.
::John Riggi
Thank you, Shane. Gerry, same question to you.
::Gerry Soderstrom
Well, I think you got, you know, excellent responses from both Chris and Shane in terms of what those first couple of days looked like. I'm not sure that I would add a lot to it, except to say, you know, when you're doing your tabletop exercises, when you're doing your scenario planning, right? Make sure, as Chris noted, we had a lot of outside resources that we were able to connect with immediately through our insurance carrier.
::Gerry Soderstrom
And I would extend those tabletop tasks to include them. Right? And to understand that, you have to listen to them, right? That command and control structure and making sure that things are being done through them. They're there to get as much information as they can right out of the gate before some of that information gets lost. And I'm talking in this case around technical data. We're so focused on, first and foremost, always taking care of the patient, supporting all of our patient care teams, our clinical teams.
::Gerry Soderstrom
But we're also supporting the restoration of our systems. And so there was a lot of coordination that needed to happen. And I really appreciate Shane bringing out the bridge lines. Those bridge lines became the lifeline through the organization, in addition to the command and control structure that came out of the incident command structure, with Chris leading it and then each location having their own structure that rolled up to corporate.
::Gerry Soderstrom
Those bridge lines provided a communication channel that was what was most important, right? As somebody innovated a response or a way to better manage labs or better manage pharmacy, prescription writing or anything else, we wanted to spread that quickly, but we wanted to do it in a way that was organized and well thought out. And so there were a lot of clinical solutions that were being driven, but they needed to involve a lot of the core teams that support the organization: the legal team, the compliance and risk teams, you know, IS in terms of what was possible and capable.
::Gerry Soderstrom
And again, we were in varying levels, degree in terms of our restoration. The other thing I will share that became very clear to me is that we had a bunch of stuff on our roadmap for our information security plan. I mean, every organization should. You should be thinking about once we get done with this, what's the next thing we want to do to continue to evolve our capability and try to stay ahead of our adversaries?
::Gerry Soderstrom
We took advantage of the time we were down to load a bunch of that in. Because as you know, John, and we certainly experienced here at Scripps, you need to shut down many of those systems when you apply those changes. And so now we had this perfect opportunity to fast track a number of things and take advantage of an otherwise very difficult situation.
::John Riggi
It's a great point, Gerry, again, leveraging that crisis, but again, extracting the opportunities from it.
::Tom Haederle
That's it for now. But part two of this great conversation continues on Wednesday. Please stay with us and hear more about how our hospitals and health systems are advancing health in America each and every day. Thanks for listening to Advancing Health. Please subscribe and rate us five stars on Apple Podcasts, Spotify, or wherever you get your podcasts.