How to Survive a Cyberattack with Scripps Health: Part Four
In the last of this four-part conversation, four leaders from Scripps Health — Chris Van Gorder, president and CEO, Todd Walbridge, senior director of corporate and system safety and security, Shane Thielman, corporate senior vice president and chief information officer, and Gerry Soderstrom, corporate senior vice president and chief audit, compliance and risk officer — discuss the future of cyberattacks on America's health care, the real-time threat to patients, and recovery efforts once an attack is over.
Transcript
Tom Haederle
Welcome to Advancing Health. Today we bring you the final segment in a podcast series featuring four leaders from San Diego-based Scripps Health, who discussed the need for business and clinical contingency plans to sustain patient care in the wake of suddenly losing all technology, as happened to Scripps Health after a dangerous cyberattack nearly four years ago. Your host is John Riggi, AHA national advisor for cybersecurity and risk. And his four Scripps Health
::Tom Haederle
guests are Chris Van Gorder, president and CEO, Todd Walbridge, senior director of corporate information systems, Shane Thielman, chief information officer, and Gerry Soderstrom, chief audit, compliance and risk officer. Let's join them.
::John Riggi
Chris, maybe I could start with you. What concerns you most about this continued evolution of ransomware and that we're seeing in the increased frequency and severity of attacks?
::Chris Van Gorder
I think there's a couple of things. One is communication. Basically, the answer is don't. That was very difficult. I was just meeting with a reporter, you know, before we did this podcast. And he was a reporter that was pretty angry at me during the course of our cyberattack and after, because I'm a pretty transparent individual. Our organization is a major community resource.
::Chris Van Gorder
And it was pretty frustrating for me to be told by every lawyer, internal lawyers, the external lawyers, the insurance company lawyers - that because of subsequent issues down the road, mostly the class action lawsuits that are sure to follow, that everything and anything we said would clearly be used against us. And I wasn't even able to communicate that to reporters until this morning.
::Chris Van Gorder
And he certainly understood the issue because there's been a lot more cyberattacks, of course, since ours took place. So we had to, I mentioned earlier, hire a communications company that assisted us with crisis communication. I remember one day I insisted on making a statement, and it took, I think, about 25 people in two different organizations an entire day to write one paragraph that I was permitted to share.
::Chris Van Gorder
And the reason again for that is because the concern about regulatory agencies ultimately using that against us. Certainly the class action lawyers. And I think that's a real problem, because there have been a number of attacks since. And we're willing to reach out and offer our assistance. But there's a concern there that, you know, even though we were doing everything under attorney client privilege, every contract we made, everything went through our legal office.
::Chris Van Gorder
Once we start communicating to another organization that's going through this, they may in fact not be protected from the information that we share. And so I'm unable to even share our experience with our colleagues that are facing a cyberattack for fear of class action lawsuits. So I think in the end, the government really does have to take a look at, you know, setting standards, in my opinion, just as we have standards in hospitals for virtually everything we do.
::Chris Van Gorder
You know, the Joint Commission and our state health departments and CMS, survey us to make sure that we are, in fact, compliant. And if an organization is compliant, in my opinion, they should be held free from future regulatory and class action lawsuits. And in so doing, we can actually share the information more freely and communicate and help each other during these attacks, instead of being silent and not being able to do so.
::Chris Van Gorder
I was advised initially not to talk to the FBI, not to release all the data that we had that could have been helpful in the investigation. And I chose, because of my law enforcement background and because of my relationship with the FBI, which started long before the cyberattack, that we had an obligation to the country, to the health care industry, and to our own organization and community to share as much information as we possibly could
::Chris Van Gorder
and that's what I insisted on doing, despite legal recommendations otherwise.
::John Riggi
helped get passed in January:
::John Riggi
that does provide a measure of regulatory relief, if you can, as Chris said, demonstrate adherence to basic cybersecurity protocols. But the missing element, as you said Chris, is there's no civil litigation protection there, especially when it comes to the impact of the attacks. Todd, maybe I could go back to you, based on your investigative background, to wrap this question up.
::John Riggi
Where do you see ransomware going, especially where we have this kind of hybrid threat, nation-state involvement, this murky world? Where does criminality end and really intelligence operations or terrorism begin?
::Todd Walbridge
The benefits that Scripps provided to the United States intelligence community were immense. I don't think the intelligence community realized the damages that can be caused to a community through a ransomware attack when you hit a hospital. And we were able to, at a high level, let the United States intelligence community realize the impact of an attack on our hospital system.
::Todd Walbridge
And as Chris opined previously, people can die as a result of systems being offline. So I think the United States government needs a combined approach. And that was one of the things that we were able to do with Conti, where it's not just the FBI, it's the FBI and the intelligence community, whether that's the CIA, the NSA, and even working with CYBERCOM for offensive capabilities.
::Todd Walbridge
Defending is going to be a cat and mouse game. We've seen some of these groups go after other industries, get out of the health care industry, only to find some of these other industries tightening their security defenses, and returning back to the health care industry, because health care equipment that touches the internet is really hard to defend when you have a vast array of devices that touch the internet, from imaging machines to IV drip machines to just computers. Your average business has servers and desktop computers and laptops that they have to secure. It's different from securing medical devices that touch the internet.
::Todd Walbridge
So this sort of attack on a hospital system is always going to be beneficial to a ransomware actor unless we start to take away their incentives or unless we're able to impose some sort of consequence on them. And some of those consequences require the U.S. government to punch a little bit further than the FBI can.
::John Riggi
Yeah. Understood, Todd. Again, my role, you know, from years at the Bureau in counterterrorism: we've got to increase risk and consequences for the bad guys and use all of the U.S. government's capabilities, both military and intelligence capabilities, to degrade the bad guys' capability to attack us, utilizing those offensive cyber operations. Chris and Shane, to that point, you know that I, on behalf of the AHA - all of us here at AHA have been very vocal in the media and with Congress and with policymakers that these attacks against hospitals not only threaten the hospital as an organization, they threaten the patients within the walls of the hospital, and they threaten the safety of the entire community
::John Riggi
that depends on the availability of that hospital. And ultimately, these are truly threat-to-life crimes. Chris, maybe I'll go back to you - I think you touched on this a little bit. Could you elaborate a little further on how ransomware attacks affect patient care?
::Chris Van Gorder
Well, we've been calling them cyberattacks and ransomware attacks. These are terrorist attacks, and they have the potential of killing just as much as a bullet or a bomb could. And it's not just the patients that are in the hospital. Remember, when you go on diversion, you're bypassing people who need emergency care and they have to go elsewhere in the community for that, which costs time, and time could be lives.
::Chris Van Gorder
So these are very significant threats to our country, our communities and our patients. And I know there's a, you know, expectation that somehow hospitals just make themselves safe. But I think that you've heard, through the expertise of the people on my team and Todd, internal and external expertise, that there's no 100% way to protect yourself 100% of the time.
::Chris Van Gorder
And so the key now is for our country to step up and help support its medical and health care industry with expertise and resources, if necessary. If this is important to them as much as it is to all of us, and frankly, to go after our adversaries who are in fact, international terrorists. We have done that before in response to 9/11 and elsewhere.
::Chris Van Gorder
This is no different. Every single one of these attacks across the country - every time my heart breaks when I see another hospital victim of a cyber incident - most of those are ransomware attacks with flat out criminals and terrorists that are taking advantage of the health care system. And we need, I think, to do a better job. And certainly for regulators and legislators to be far more understanding about hospitals as a victim and not the bad guy when there's an attack.
::John Riggi
Totally agree, Chris. We are not going to win this battle, this war, on defense alone. There's got to be an equally aggressive offensive side to this as well. Shane, what are your thoughts on that? How did this ransomware attack impact patient care from your perspective?
::Shane Thielman
Yeah, Chris has touched on a few significant observable impacts to our community. I actually sort of see this as an exercise each time that a cyberattack is announced on a hospital or health care system as really an exercise in resilience of our clinical community and those that are providing patient care. The mission doesn't change. The tools and the access to data and information are vital to delivering high quality and safe care.
::Shane Thielman
But what ends up happening in the absence of access to information that's expected or anticipated when someone shows up for their shift, is an incredible amount of ingenuity and a focus on each and every patient, and ensuring that the care is of equal quality and is delivered in a safe and effective way. I think as much as we talk about the impact on patient care, we have to consider the clinical community and the impact on the community as well.
::Shane Thielman
And so we really have heroes. They're heroes when we're not dealing with cyberattacks, but they are elevated even more in the midst of addressing a significant outage that's caused by a cyber event. And so I really think that as much as we talk about patient care, I don't think that our clinicians get up when they are dealing with a cyberattack and think differently about the mission that they are serving on behalf of the organization.
::Shane Thielman
And I think in many ways, we need to be thinking about how do we create the safeguards for them to practice and deliver care in the best way that they can under duress and under challenging circumstances, and then ensure that after the fact that we have mechanisms in place to continue to care for our care providers in a way that allows them to work through that very stressful event and the effects of that stress on them individually, so that once we're back to, you know, restoration of all of our systems and to a degree back to normal, that we don't forget about the effect that's also had on our clinical community.
::John Riggi
That's a great point. Clinical staff, as you said, our frontline health care heroes have so much to deal with. And then to try to continue providing care without technology is just immense, especially during Covid. Along those lines, we've talked about the attack, the impacts. Let's talk a little bit about resiliency and recovery now. And then Chris, I'll go back to you and then over to Gerry.
::John Riggi
So in the face of this attack, how was your organization prepared to continue to deliver care without technology for an extended period? When I do many, many presentations across the country, I talk about the need to prepare not just business continuity, but clinical continuity plans to sustain a loss of technology during ransomware attacks for up to 30 days or longer.
::John Riggi
So, Chris, maybe I could start with you on this.
::Chris Van Gorder
Yeah, again, we relied on our frontline people to identify whether or not we could continue taking care of patients, and if not, we would transfer those patients. In the case of radiation oncology patients that needed to have therapy every single day, we were not certain that we could do that. And so a number of those patients ultimately were referred to outside radiation oncology centers so that they could continue their therapy.
::Chris Van Gorder
There were other practices that we were able to continue. There were some X-rays and other devices that continued to be used, but not necessarily connected to the electronic health record or to our PACS system or those types of things. And so everything had to be done more manually. I mean, literally with physicians, you know, and others going to the old imaging reading room and with the radiologist, you know, a surgeon, radiologist, and maybe other clinical staff, reading the X-ray and then going back and being able to take care of those patients.
::Chris Van Gorder
Certainly only emergent and urgent cases continued; elective cases were put off, obviously, until we were back up and operational. But you think about blood banks, lab work, all the enormous amount of paper that has to be generated so that when we do go back up - and this has been touched on by Shane and Gerry already - that, you know, our business continuity program, you know, and people are looking right from day one.
::Chris Van Gorder
And so what are we going to do with all of this paper? How are we going to ultimately get it back into the electronic health record and into our business billing systems, so that in fact, we would be able to have income coming in? Understand, payroll, Kronos, all of those systems that we used for payroll were down.
::Chris Van Gorder
And so we had to come up, with HR people, with a methodology to continue to pay our employees and track time or, in the end, reconcile payments to employees that we continued to make after the fact. I recall one of our older physicians was thrilled that the electronic health record was down and loved it being on paper, but we discovered that our residents didn't know how to write prescriptions on paper because they never had to do that before.
::Chris Van Gorder
And so those were the kinds of things that we had to manage as we did. And of course all along thinking, how are we ultimately going to comply with regulations, where Gerry came in and really handled, you know, our operators, our health information people, lab and others worked for literally months on reconciling and bringing back that information.
::Chris Van Gorder
By the way, handwriting became a big issue because we moved away from handwriting, and now we couldn't read patient names on a lab report or couldn't read the order properly. And so there had to be a whole process set up to reconcile when you couldn't understand the information. And literally I remember going in and there's dozens and dozens of people that are reconciling all of this handwritten information.
::Chris Van Gorder
In the end, how many, you know, records were exposed and how are we going to manage the notifications? And that required - and Gerry can elaborate on this, you know - literally outside companies going through a huge amount of data and information, reconciling duplicates and triplicates and all of those types of things, identifying the number. Well, people were frustrated, calling us in on a regular basis
::Chris Van Gorder
going, was my information exposed? Our doctors, they were getting little hacks at home that had nothing to do with this, assuming all of a sudden that it had to do with the ransomware attack and therefore Scripps had to be responsible for that. And in the end, setting up outside call centers so that there were enough people to take the calls and internal staff to be able to handle the issues that were coming up that the call centers couldn't handle.
::Chris Van Gorder
And then ultimately, the notifications, that whole process that took place. I mean, literally, we're talking about three and a half weeks, but we're talking about, well in excess of a year to manage all of these pieces appropriately.
::John Riggi
Thanks, Chris. Gerry, if you could further elaborate on all of those recovery processes and those issues that you had to deal with.
::Gerry Soderstrom
You bet. The recovery, as Chris mentioned, has a very long tail. Addressing the privacy requirements alone was a significant and I would say, as Chris noted, a Herculean effort. You have to look at all of the documents or any piece of information that may have been accessed by the threat actor, and make sure that you properly notify the patients who are impacted. Now
::Gerry Soderstrom
again, you know, one of the benefits for us at Scripps was that the threat actor never got into our electronic health record. They never got into Epic. However, most organizations put a significant amount of operational data, right, on their different storage areas around the company. So in our case, it was on our network servers. So those network servers had daily census.
::Gerry Soderstrom
And so the type of information was pretty limited, right? It may have had a patient's name. It may have had their physician's name. It may have had their location or their time for the procedure or the treatment. And that was it. But that alone gave rise to a notification requirement that we need to have under HIPAA and any organization has.
::Gerry Soderstrom
And again, as most of you are aware, if it's over 500, then you've got additional requirements and responsibilities that you need to attend to. This isn't just a single document with a single patient name. It could be a spreadsheet with hundreds of patients' names. And so you need to go through all of those and understand what is the required notification to each of those patients?
::Gerry Soderstrom
How are we going to do that as timely as possible? We need to demonstrate right to ourselves, to the public and to the regulators that we met the expectations that we have for the community that we serve each and every day. I was going to mention, you know, as we went through the recovery, our focus was and always is, even when all of our systems are online, is to focus on supporting our patient care, supporting our physicians, our clinical teams, right to do the work that they do each and every day.
::Gerry Soderstrom
But as Chris mentioned, there's also the business of health care. And that business of health care is also making sure we take care of them, and taking care of them means paying them. And so, as Chris mentioned, when our systems were down and our internet connections and our network connections between systems were no longer working because Active Directory was impacted, so we were no longer able to communicate as easily internally
::Gerry Soderstrom
and those business systems didn't communicate with anyone, we needed to find alternative ways to deal with that. And so one of the pieces that I'd also just encourage people is to set up those different teams that are available to support that ingenuity that's happening on the fly to make sure that those legal considerations, the privacy considerations, compliance considerations, all of those other things are being addressed in real time so that we can deploy that.
::Gerry Soderstrom
I think Shane talked about the importance of bringing back online those clinical systems that were prioritized, that are required for delivering the patient care that we needed to. And so there were a lot of people that said, I want the payroll system up. Well, the payroll system was important in that we needed to pay our employees, and we did that, but we needed to prioritize other systems ahead of that
::Gerry Soderstrom
once we were able to find a way to meet payroll. There are certain things, right, when you run a business that are not options. One is for us delivering safe, high quality patient care, and the other one is paying those individuals that do that work. But it is a long tail, you know, having to address the class action lawsuit, having to address your privacy requirements both at the state and federal level, and making sure that you're doing those notifications takes an enormous amount of work.
::Gerry Soderstrom
And as Chris said, I even maintained the log because there was no shortage of individuals that were convinced - whether it was our patients, our own employees, physicians that we work with - that somehow their information was caught up in this. I think, you know, the world continues to evolve. I think every week or once a month, all of us get notified that our information was compromised somewhere.
::Gerry Soderstrom
But again, you're always thinking of what's happening in the moment. So I maintained a log and I made sure and scrubbed that log to see if there was any instance that was connected. Fortunately, we did not identify any connections to our event.
::John Riggi
Thank you for that. Gerry and Chris, thank you and your team for your leadership and courage to come forward and tell your story. I have no doubt you will help defend health care in America against these types of attacks. And I also want to thank, of course, all our frontline health care heroes for everything you do every day to care for our patients and serve your communities.
::John Riggi
On behalf of the American Hospital Association, this has been John Riggi, your national advisor for cybersecurity and risk. Stay safe everyone.
::Tom Haederle
Thanks for listening to Advancing Health. Please subscribe and rate us five stars on Apple Podcasts, Spotify, or wherever you get your podcasts.