IOTW: Scripps Health Malware Attack Could Cost Lives

Lisa Morgan
05/21/2021

The Scripps Health website remains down more than two weeks after a malware attack. At the time of this writing, only a network outage announcement appears on the company's main site, and patients want to know whether their PHI was stolen.

High-risk patients such as heart attack, stroke and trauma patients have been funneled from Scripps Memorial Hospital La Jolla to other hospitals nearby. Some patients are complaining that they are having trouble making appointments with other doctors and that Scripps is not referring patients to other doctors. 

Patients are also uncomfortable with the fact that Scripps is not discussing the attack, nor is it providing any mean time to recovery (MTTR) estimate. The uncertainty and tight-lipped handling of the incident are not a surprise to anyone in the cyber security industry, but the incident illustrates the ripple effect of a cyberattack. This time, the ripple reaches patients' health.

For now, Scripps employees must do their jobs to the best of their ability, the traditional, manual way using paper.


The Facts

On May 1, Scripps Health IT systems were shut down as a result of a malware attack. Scripps Health is a nonprofit health care system based in San Diego, Calif., that includes five hospitals and 19 outpatient facilities. It treats a half-million patients per year through 2,600 affiliated physicians.

In a statement issued on Wednesday, May 1, Scripps Health said its IT systems had been hit by a malware attack that affected its hospitals and other facilities. The company temporarily suspended user access to IT systems, including the patient portal, and immediately engaged consultants and government agencies for forensic assistance.

Patient appointments and surgical procedures were cancelled temporarily, and business has resumed, albeit not as usual yet. Scripps Health facilities have emergency response protocols in place, which helps with business continuity. In an internal memo, CEO Chris Van Gorder said the company had planned for this scenario but also acknowledged the need for enhanced security. Meanwhile, neighbouring healthcare facilities have been impacted by patient volume spikes.

Though Scripps Health has not said whether patient or employee information was stolen, it is likely the case, given that stolen patient records command a higher price than stolen credit card information, for example. If patient data has been stolen, it has not yet been posted for sale on the dark web, though more ransomware attackers are threatening to publish stolen information if victims fail to pay a second ransom to keep that from happening. The potential loss of patient and/or employee data may be the reason why Scripps referred to the attack as a "malware" attack rather than a ransomware attack.

Lessons Learned

Hackers will target what's weak and what's lucrative. Healthcare organizations fit both criteria because they handle highly sensitive personal data, they have the money to pay ransoms, and they may lack adequate cyber security resources that would help them defend against or mitigate the impact of an attack.

The two easiest ways to compromise a healthcare organization are to exploit loose permission settings and to gain access to accounts through phishing campaigns.

Key Takeaways

Ransomware attacks are becoming more prevalent across industries. The best defense is a combination of proactive and reactive strategies that can minimize the impact, if not the risk:

  • Adopt Zero Trust.
  • Educate employees about cyber hygiene on an ongoing basis so it remains top of mind.
  • Patch hardware and firmware.
  • Monitor applications and the network for unusual behavior.
  • Ensure that employees' cyber credentials are retired at the time of their departure.
  • If the data center is compromised, consider moving to a secure cloud environment.
  • Have an incident response plan that includes the names and contact information of internal cyber security experts and others (e.g., consultants or vendors) whose assistance would be required to recover from the incident.