State regulator ‘actively monitoring’ Scripps Health ransomware attack

Scripps Memorial Hospital La Jolla was affected by a May 1 cyberattack on Scripps Health’s computer network.
(Sam Hodgson / The San Diego Union-Tribune)

The California Department of Public Health said it is monitoring the ransomware attack that severely impacted Scripps Health facilities throughout San Diego County, including in La Jolla, but has thus far determined that emergency procedures underway since May 1 have been adequate to ensure patients are safe.

The agency, which oversees all hospitals in the state, said Scripps notified it of the attack and that it is “actively monitoring” the situation.

“These hospitals are operational and caring for patients using appropriate emergency protocols in inpatient areas of the hospital,” a statement said.

A ransomware attack continued to plague Scripps Health on May 3, creating confusion for patients and their families, especially those who were scheduled for appointments this week.

CDPH noted that it has the authority to “involuntarily suspend” the licenses of facilities if it determines that the care being provided is unsafe. However, the fact that a hospital is operating under “emergency protocols” does not itself warrant such an action, the department said.

On May 5, the fourth day since the attack, ambulance services were still being diverted from most facilities, though a county emergency medical services director said the situation was not absolute. Depending on the need at any given moment, facilities might take trauma or other emergency cases if diversion was deemed impractical.

Other health systems in the area were helping to pick up the load shed by San Diego’s second-largest health system as measured by total patient discharges, behind only Sharp HealthCare, according to state data.

Dr. Christian Dameff, an emergency medicine specialist and cybersecurity researcher at UC San Diego Health, said the situation has been noticeable in the volume of patients arriving daily for treatment.

“What we’ve seen is an influx of Scripps patients into the UCSD system as their capacity to take care of patients has gone down a little bit,” Dameff said.

He said everyone in San Diego’s large medical community feels responsible to help in such a situation.

“We really are a giant ecosystem, and when one organization is attacked, it can impact all the others,” Dameff said. “Everyone’s kind of coming together in the greater San Diego area to try to help facilitate that care.

“Patients aren’t going to stop getting sick just because one of the health systems is under attack.”

The hospital system, which includes La Jolla, was hit in an attack that forced it to block patient access to online portals and divert some critical-care patients.

Patients have indicated that it hasn’t just been Scripps’ hospitals affected by the attack but also the information systems that serve its clinics and outpatient surgery centers.

The company issued a brief statement May 5 indicating that it has hired an independent cybersecurity firm to get to the bottom of the problem. That investigation, Scripps said, is “ongoing and in the early stages,” but the problem has been determined to be related to “malware” on its computer networks. Attempts to contain the threat, Scripps said, have forced it to take a significant portion of its data network offline “as a proactive security measure.”

“Scripps technical teams are working 24/7 to restore our systems as quickly and safely as possible and in a manner that prioritizes our ability to provide patient care,” the statement said.

As of May 5, Scripps had not put forth a timeline for how much longer the situation would last.

Dameff said he doesn’t know the exact nature of the attack at Scripps or how deeply it penetrated network resources. Recovering from the most severe ransomware attacks can take weeks.

Part of the problem, Dameff said, is that starting over isn’t just a matter of hitting reset buttons on the wide range of technology that modern medical facilities employ. Information technology teams must methodically verify that malicious software is truly gone before they can bring systems back online. And if it is necessary to reset large swaths of equipment to new condition, wiping out their previous configurations, getting everything reloaded and reset can take a long time.

“It needs to be done carefully, because if you start a system back up and you haven’t closed all the doors and the hackers can still get in, they’ll just do the same thing again,” he said.