How to Survive a Cyberattack with Scripps Health: Part One

In response to the alarming rise of ransomware attacks, hospitals and health systems must stay vigilant by playing defense, having a mitigation plan and keeping lines of communication open with federal law enforcement. But even then, there are no guarantees. Scripps Health did everything right, yet in May of 2021, a serious incursion occurred anyway. In part one of this two-part conversation, Chris Van Gorder, president and CEO of Scripps Health, joins John Riggi, national advisor for cybersecurity and risk at the AHA, to talk about how his organization responded when cybercriminals attacked and breached the defenses of the well-prepared health system.


00;00;00;19 - 00;00;35;04
Tom Haederle
In response to the sharp rise in recent years of ransomware attacks targeting hospitals, health systems and third party service providers, caregivers have been urged to stay alert, play defense, have a mitigation plan in place and keep lines of communication open with federal law enforcement. Smart steps and good advice. But even when it's followed, there's no guaranteed immunity against criminal cyber mischief.

00;00;35;07 - 00;01;01;19
Tom Haederle
Welcome to Advancing Health, a podcast from the American Hospital Association. I'm Tom Haederle with AHA communications. San Diego-based Scripps Health did everything right. It anticipated, planned and devoted significant resources to guarding against cyberattacks. Yet in May of 2021, a serious incursion occurred anyway, forcing Scripps to temporarily shut down some of its systems and potentially compromising patient care.

00;01;01;21 - 00;01;23;21
Tom Haederle
In part one of this two-part podcast, Chris Van Gorder, president and CEO of Scripps Health, explores with John Riggi, AHA’s national advisor for cybersecurity and risk, how his organization responded when cybercriminals attacked and breached the defenses even of a well-prepared health system. And be sure to tune in on Wednesday for part two of this important conversation.

00;01;23;24 - 00;02;03;26
John Riggi
Thank you, Tom, and thank you to everyone listening in to another one of our Advancing Health cybersecurity podcasts. Ransomware attacks targeting hospitals, health systems, and our mission critical third party service providers, such as Change Health Care, have increased over 300% over the last three years, according to HHS and the FBI. These ransomware attacks, perpetrated primarily by Russia-based ransomware gangs, which are provided safe harbor by the Russian government, continue to result in the delay and disruption to health care delivery, ultimately posing a broad risk to patient safety.

00;02;03;29 - 00;02;30;15
John Riggi
Bottom line: when hospitals are attacked, lives are threatened. Today, I am so very pleased and privileged to have my good friend and colleague here with us today to discuss this issue. Chris Van Gorder, president and CEO of Scripps Health in San Diego, has been president and CEO of Scripps Health since 2000. Chris has been instrumental in positioning Scripps among the nation's foremost health care institutions.

00;02;30;18 - 00;03;03;17
John Riggi
With 70 locations, 17,000 employees, and 3,000 physicians. Interesting to note for this discussion: Chris is a former police officer. In January 2023, Chris retired as reserve assistant sheriff for San Diego County after 20 years of service. Chris also wrote a book, The Frontline Leader, where he candidly shares his own incredible story, from police officer to CEO and the leadership philosophy that drives all his decisions and actions.

00;03;03;23 - 00;03;18;03
John Riggi
People come first. Chris, I know you have had, unfortunately, direct experience in dealing with a ransomware attack against Scripps Health in May of 2021. What can you tell us about that attack?

00;03;18;05 - 00;03;42;06
Chris Van Gorder
Well, I'm actually happy to be able to talk to you about it now because for so many years, our attorneys and others that I really couldn't talk to anybody about it, literally starting on the very first day of the incident. But it was May 1st, 2021, as you said. All of a sudden I got notified at home, actually, that it appeared that we had a hacking and that our systems were compromised and that we were basically shutting everything down.

00;03;42;08 - 00;04;09;05
Chris Van Gorder
Of course, then I made a beeline to our headquarters. We quickly determined that the bad guys had entered our systems and they were compromised, and we had no choice but to shut them all down. And my initial reaction is, how could it have happened to us? I mean, we were prepared. We had not held back on any expenditure for information security.

00;04;09;07 - 00;04;33;15
Chris Van Gorder
And yet somehow we had been victimized. And so my first reaction, obviously, I knew our IS people were doing the right things by shutting the systems down, notifying all the hospitals, moving to our emergency paper systems, which we're very good at using for an hour or two when we have a temporary down time. But not literally, what ended up being weeks at a time.

00;04;33;17 - 00;04;54;12
Chris Van Gorder
I reached out very quickly to our local FBI office. That was my first call. I had a relationship with them having a law enforcement background. And I called the agent in charge and he basically said, Chris, he says, you know, we'll do everything we can, we'll deploy our resources to help you.

00;04;54;14 - 00;05;14;25
Chris Van Gorder
He says you need to reach out to organizations like CrowdStrike and others, to help you with this. And of course, I already had my team reaching out to our cyber insurance company, who immediately gave us the advice to call the attorneys that they use and that we used during the entire event.

00;05;14;27 - 00;05;33;26
Chris Van Gorder
It was Baker Hostetler. And from that point on, I was basically told I couldn't talk to anybody. It wasn't long before the, you know, somebody from the hospital had called the media. The media was reaching out because we're a pretty big system here in San Diego, and when we're impacted, obviously in this case, we have to go on

00;05;33;26 - 00;05;51;19
Chris Van Gorder
emergency diversion. My trauma docs had to decide whether or not it would be safe to be able to care for patients on paper without access to their electronic health records. In the case of our Mercy Trauma Center they decided they could do that. In the case of our La Jolla trauma center they believed that they could not do that.

00;05;51;21 - 00;06;10;25
Chris Van Gorder
And so we allowed a lot of our frontline physicians and clinicians to make some critical decisions early on about whether or not we could safely care for patients or not. And of course, we're obviously activated then, can we care for the patients we have in the hospital? Do we need to consider transferring those patients to other health care organizations?

00;06;11;02 - 00;06;30;27
Chris Van Gorder
We did not in the end have to do that. Everybody thought we could end up taking care of the patients that we could. But it was a disruption to the entire community. The media, of course, was reaching out. And for the very first time, I'm not able to talk to them. And we had some pretty negative media coverage early on because we were not being transparent like we usually are.

00;06;30;29 - 00;06;49;18
Chris Van Gorder
We obviously got our operations going and discovered all sorts of little things. I mean, number one, our young residents had no idea how to write a prescription. They didn't even know how to use the abbreviations on a paper prescription. But the big thing is patient safety, right? Trying to clean the systems up. Identify what the problem was.

00;06;49;24 - 00;07;11;07
Chris Van Gorder
Deal with a ransomware request which ultimately came in and see if we could get ourselves back to normal. But everything was attorney-client privilege. Everything. All of our meetings were attorney-client privilege. And it wasn't that we were trying to hide any information from government. Obviously, we were going to be as truthful and transparent as we could to government at the right time and place.

00;07;11;09 - 00;07;48;18
Chris Van Gorder
This was all to protect us from class action lawyers, the lawyers that within days of the announcement of the cyberattack were already filing lawsuits against us that were waiting to take advantage of us. And of course, the concern from day one is whatever you say publicly or otherwise, it's going to be used against you and it's going to cost you even more money downstream in that class action lawsuit, even though if you actually carried it all the way to the end, they probably could not win, because these days it would be virtually impossible to tell what information came from what cyber attack across the country and across the world.

00;07;48;20 - 00;07;57;11
Chris Van Gorder
And it has to be tied right back. But that's just immaterial. It was still going to cost a fortune to deal with that. And then we started dealing with it day by day.

00;07;57;14 - 00;08;27;06
John Riggi
You know, you bring up an interesting point. I know you and I have had discussions, sidebars on this about the civil liability concern, which limits comment, public comment, and sometimes limits cooperation, even with federal agencies that are really, truly vested with the mission to help the victim, help understand how the attack occurred and take that information and issue national bulletins to help warn the nation without attribution to the victim.

00;08;27;08 - 00;08;56;00
John Riggi
And these ransomware vultures inhibit cooperation and limit that information flow to the detriment of, really, the entire sector and the nation, quite frankly. So I think that's something we really have to look at in terms of national policy level. We at the AHA are advocating strongly for safe harbor to be extended not only for threat information sharing, but in terms of the impact of the attack.

00;08;56;02 - 00;09;22;02
John Riggi
And, Chris, so, again, I commend you for speaking publicly today. And as you've been always a leader at the forefront trying to help organizations. As you continue to speak publicly and share lessons learned, one of the things you have done recently is published an article, Four Ways Forward in the aftermath of the Change Healthcare Attack. What prompted you to write this article

00;09;22;02 - 00;09;37;09
John Riggi
when so many leaders of ransomware victim organizations are reluctant to make any public statements about their attack, someone else's attack, but just offering your perspective? Why do you think that is again, that so many leaders are reluctant?

00;09;37;12 - 00;09;57;21
Chris Van Gorder
Well, I think they're afraid that either a comment they make will be used against them by a government agency, or somehow be used by class action lawyers, or in any way have repercussions for being transparent. And I think that's a problem. And I think we need to deal with that and I think you've touched on it.

00;09;57;24 - 00;10;27;17
Chris Van Gorder
Number one, there are no standards for hospitals to comply with right now in terms of cyber protection. And one of the beliefs, I mean, I saw the Change cyber attack, a massive attack and a terrible attack. I actually feel for United Healthcare and Change, having gone through it myself, I know exactly what they were going through, why they didn't initially come out and talk, and why it literally is going to take them months to determine how many individuals were impacted by this, and they'll have to notify all of them.

00;10;27;19 - 00;10;53;09
Chris Van Gorder
The same thing happened to us. It'll take months. We did everything we knew to prepare for a cyber attack, and yet somehow they were able to penetrate. We still don't know exactly how. After having all sorts of forensic analysis, we still don't know exactly. We assume a phish, and somehow they were able to get access to admin credentials and then able to phish around into the system and get the data that they wanted to get.

00;10;53;12 - 00;11;15;24
Chris Van Gorder
That's how we believe it happened. We were able to cut them off. They were never able to get into our electronic health record, but they were able to get into business records. They had all sorts of information, Social Security numbers in some cases, driver's license numbers, identification, etc., and that's terrible, right? And obviously we have an obligation after the fact to do what we can to protect those individuals whose data was stolen.

00;11;15;26 - 00;11;52;29
Chris Van Gorder
But the hospital - our health care system - was victimized by international terrorists, criminals protected by basically a rogue state. Where does the federal government come in in terms of its responsibility to protect us? So, you know, what struck me is there's kind of in some way we've got to develop some form of protection for our organizations. By the way, we're nowhere near like a big insurance company that makes billions in profit, or a med tech company that makes, you know, millions and billions potentially in profit and probably have a lot of money they can spend on cyber protection and liability and all those kinds of things.

00;11;53;01 - 00;12;11;05
Chris Van Gorder
My health care system lost money from operations last year, right? I mean, if we're doing well we got a 3% operating margin. And as I said last year, we lost money from operations. We'll turn that back around. But we are a small margin business for a $4 billion health care system. What about the small rural hospital

00;12;11;07 - 00;12;30;08
Chris Van Gorder
that has even fewer resources? What I think is, number one, the government has to do something about protecting us. Even the president of the United States has said a terrorist attack or a cyber attack on a hospital is a terrorist act. Well, we need to start acting like that and doing something with these rogue countries, whatever we can do from the federal level.

00;12;30;11 - 00;12;58;01
Chris Van Gorder
Now let's establish standards. I have no problem. Joint Commission establishes standards for us on a variety of different things. CMS established standards, and if we comply with the standards, we're compliant. Then let's establish those standards for cybersecurity that the government wants us to do. And if we are compliant, then protect us from the downstream vultures that are waiting to take advantage of a criminal act, you know, perpetrated on a health care system.

00;12;58;03 - 00;13;18;25
Chris Van Gorder
Defend us from that. I don't have a problem giving information to government agencies. Allow us to be transparent so that we can share the information without fear of additional litigation or attack, even by some government agencies. In the end, no agency said that we did anything wrong, nor have we been fined. We're still waiting for the California Department of Public Health to respond.

00;13;18;26 - 00;13;33;21
Chris Van Gorder
We don't know if they'll ever respond or not. We know they ask us a lot of questions. They may or may not respond, but we've decided at this point, this is years afterwards. It's time for us to get out and at least tell people about our experience. And when I saw again what I heard coming out of Congress,

00;13;33;28 - 00;13;56;28
Chris Van Gorder
we need to speak out and talk about our challenges, right. Our recommendations. We have an obligation. We have an accountability to prepare our organizations, no question about it. If we are breached, we have an obligation to let our patients know that they've been breached and provide some protection for them if we can do that. But major fines, you know, major class action lawsuits

00;13;56;28 - 00;14;17;08
Chris Van Gorder
in the end, it costs us $113 million, right? That's money that could have gone to health care, could have gone to increasing our systems. A lot of that went to class action lawyers. The victims, and there were over a million of them, as it were. Those patients or those individuals, that data, over a million, they got their protection.

00;14;17;08 - 00;14;40;20
Chris Van Gorder
They got $100 each. Those class action lawyers made a lot more than $100 each. That's money again, that could go back into our health care systems and should if we were compliant. The standards established by the federal government and the hospitals, therefore, then should be protected from that outside liability that we're facing today. And you get a lot more collaboration and cooperation.

00;14;40;20 - 00;14;54;02
Chris Van Gorder
And I know a health care system was recently attacked, and their lawyers flat out said, do not call the FBI. Do not call a law enforcement agency. Do not talk to the media. Do not share any information with anybody.

00;14;54;03 - 00;14;56;22
John Riggi
It's terrible advice. I mean, that's just bad advice.

00;14;56;29 - 00;15;05;06
Chris Van Gorder
It's bad advice. But they were trying to protect their client because of all the risk that's out there that surrounds a cyberattack for the victim.

00;15;05;09 - 00;15;30;06
John Riggi
Thanks for all that. And clearly, your point about this is not purely a defensive issue. You could invest your entire budget in cybersecurity and you still wouldn't be safe. I testified before Congress, the Energy and Commerce Committee two weeks ago, and I made that point that hospitals, in the end, are not cybersecurity companies. And no organization, including federal agencies, can be 100% immune from cyberattack.

00;15;30;09 - 00;15;56;18
John Riggi
So we need to recognize that. And again, organizations are victims. We should not revictimize especially when not appropriate. We have an obligation to protect data, protect our patients. You know, it's really interesting, your point on Change UnitedHealth Group and even the American Hospital Association has found many areas where the response from United could have been better.

00;15;56;21 - 00;16;19;27
John Riggi
And because the difference between them and your organization is they are systemic. They affect every hospital and health system in the country. But even when we were offering different viewpoints and criticism quite frankly, we always reminded whoever we spoke to that they were still a victim, that they were a victim of a foreign entity, foreign criminal organization.

00;16;20;00 - 00;16;44;16
John Riggi
As I remind my colleagues, quite frankly and quite often across government, we need more from an offense from the federal government, offensive cyber operations going after these bad guys like we used to do in counterterrorism. You got good groups being provided safe harbor by hostile nation states like Russia, China, North Korea, Iran, law enforcement operations. Chris, you and I are both law enforcement professionals.

00;16;44;19 - 00;16;53;20
John Riggi
We know the FBI can't get over there and put handcuffs on these folks. We've got to look at all our capabilities like we did in counterterrorism.

00;16;53;23 - 00;17;09;11
Tom Haederle
Thanks for listening to part one of this podcast. Be sure to tune into part two of this conversation this upcoming Wednesday. Thanks for listening to Advancing Health. Please subscribe and rate us five stars on Apple Podcasts, Spotify, or wherever you get your podcasts.