Is this a cautionary tale for the industry or a call to action?
Scripps Health’s Epic EHR system and online patient portal were restored May 27, nearly four weeks after a ransomware attack knocked the San Diego-based health system’s network offline, The San Diego Union-Tribune reported.
A Scripps nurse told the Tribune that the EHR returned to service at 4 a.m. on May 27. Scripps regained read-only access to Epic last week, which let staff look up past test results, clinician notes and other records created before the May 1 attack.
Scripps said it is unsure whether any patient data was affected by the incident and that it will notify any affected individuals if their data was exposed once the investigation ends.
They gained access, they likely had access over an extended period of time and they got to the crown jewels, the EHR. The security posture was not what they thought it was, architecture was not as well thought out as we needed it to be, and the resilience of technology platforms was easily compromised. 4 weeks is not on anyone’s RTO – Recovery Time Objective.
What did we learn? How are we talking about this around healthcare?
Today in Health IT, this story is Scripps EHR back online four weeks after ransomware attack. My name is Bill Russell. I’m a former CIO for a 16-hospital system and creator of This Week in Health IT, a channel dedicated to keeping health IT staff current and engaged. VMware was the first sponsor of This Week in Health IT, and now they are the first sponsor of Today in Health IT. They’ve committed to our mission of providing relevant content to health IT professionals since the start.
They recently completed an executive study with MIT on the top healthcare trends shaping IT resilience, covering how the pandemic drove unique transformation in healthcare. This is just one of many resources they have for healthcare professionals. For this and several other great content pieces, check out vmware.com/go/healthcare.
All right. I did a lot of reading over this Memorial Day weekend, and my gosh, I’ve got like 20 stories teed up to talk about, but this one is probably the most relevant for us in health IT, and that is Scripps EHR back online nearly four weeks after ransomware attack. I chose to go with the Becker’s story because it is the most succinct.
And I just want to share the notes on it and then really go into the “so what” in a lot more detail. So here’s the excerpts from the story: Scripps Health’s Epic EHR system and online patient portal were restored May 27th, nearly four weeks after a ransomware attack knocked the San Diego-based health system’s network offline.
According to the San Diego Union-Tribune, Scripps president and CEO Chris Van Gorder penned a letter to patients May 24th, updating them on the situation, but wrote that Scripps is limited in the amount of information it can share with patients, since it could put the system at an increased risk of coming under further attack and of not being able to restore its system safely and as quickly as possible. In an update, Mr. Van Gorder confirmed that the May 1st cyber attack involved ransomware, and he told patients that Scripps would have its EHR back online this week. The health system restored its website May 20th. A Scripps nurse told the Tribune that the EHR returned to service at 4:00 AM on May 27th.
Scripps regained read-only access to Epic last week, which let staff look up test results, clinician notes, and other records created before the May 1st attack. Scripps said it is unsure whether any patient data was affected by the incident and that it will notify any affected individuals if the data was exposed once the investigation ends.
All right. Here’s my “so what” on this. This is a significant event in healthcare, and I think we’re going to be talking about this for years to come, as one of the first major health systems, large major health systems, to be attacked by ransomware and really taken offline for the better part of a month.
A ransomware attack is different than a breach in several ways. A breach is like a robbery. They come into your home, they take your stuff and then they leave. You feel violated, unsafe and unsure of yourself. Anyone who’s ever been robbed understands what I’m talking about. Ransomware is more like an armed robbery.
They rob you while holding a gun to your head. This comes with a different level of emotional trauma and subsequent second-guessing of the things that you’ve put in place. Life at Scripps right now is beyond difficult for everyone, and especially for the people associated with the technology systems. There will be second-guessing, a strong inclination to place blame somewhere and a loss of confidence in any progress that was made with regard to the use of technology at Scripps.
This has to be combated and confidence restored as quickly as possible while still learning the lessons that this incident provides. What did we learn? They gained access. They likely had access over an extended period of time. And they got to the crown jewels of the health system, which is the EHR.
Our security posture was not what we thought it was. Our architecture was not as well thought out as we needed it to be. And the resilience of our technology platform was easily compromised. Four weeks is not on anyone’s RTO, which is a recovery time objective.
And we don’t know what the RPO, the recovery point objective really was. How much data did we actually lose? Did they restore to a system a couple months ago or a couple of minutes before the breach? We have no idea at this point.
There’s a couple of potential responses to this breach. You can stay quiet and inward focused or you can go public. One is strong. The other is fairly weak.
I’m not really talking about right now, but after the analysis has been done and the lessons learned have been accumulated. How are we going to treat this situation? Are we going to treat it like if we don’t talk about it, people will soon forget, or they will focus on the next organization that succumbs to a ransomware attack? Or is our breach a time for us to step up and out in leadership? We will become a leader in cybersecurity and response. Our experience will be a platform to solidify our commitment to cybersecurity as a culture, cement a culture that is committed to safety first in the clinical setting and technology setting, and establish Scripps as an organization that had an incident which proved to be a catalyst for change. There’s going to be forces for sure that push against this. The FBI will be one that will want the information to be held as close to the vest as possible for as long as possible.
Your internal legal team will want to limit exposure by not saying anything of substance to the public. Heck, even PR and marketing may want this to fade from memory. I’m not arguing that they are wrong for a period of time. Speaking educates attackers as well as the industry.
Going public is going to give those who are planning class action lawsuits information they need to make the case.
PR and marketing aren’t wrong either. Some events you want people in the community to forget, but if you stay quiet and take a nothing-to-see-here approach, you’re going to miss an opportunity for leadership. My recommendation to Scripps leadership is to go public, go as public as you possibly can, as quickly as you possibly can. Share your experience and your findings with the world.
Shine a light into the crevices of your system and share them with an industry that is loaded with crevices. Let this incident act as a rallying point for Scripps to become a leader.
Let this moment of weakness become a starting point for a new strength for Scripps. That’s all for today. If you know of someone that might benefit from our channel, please forward them a note. They can subscribe on our website, thisweekhealth.com, or wherever you listen to podcasts: Apple, Google, Overcast, Spotify, Stitcher.
You get the picture. We are everywhere. We want to thank our channel sponsors who are investing in our mission to develop the next generation of health leaders: VMware, Hill-Rom, Starburst Advisers, McAfee, and Aruba Networks. Thanks for listening. That’s all for.