It’s not just Scripps Health — ransomware has become rampant during pandemic

A baby monitor used by health care workers at Scripps Memorial Hospital La Jolla is pictured in March 2020.
A household baby monitor used by health care workers at Scripps Memorial Hospital La Jolla to communicate outside a negative pressure room is pictured in March 2020.

Scripps uses equipment known to be a favorite vector for attacks in 2020.


On a local level, the ransomware attack that engulfed Scripps Health starting May 1, paralyzing digital resources from hospitals to outpatient clinics, was isolated. Other health care systems in the region were unaffected and were able to assist diverted patients with serious and immediate needs including heart attacks and strokes.

But look around and it is obvious that Scripps is not alone.

A recent report from software firm VMWare Carbon Black estimates that its health care customers experienced a 9,851 percent increase in hacking attempts in 2020 compared with the previous year. Activity intensified during the COVID-19 pandemic, with attempts spiking 87 percent from September to October.

The California Department of Public Health said it is monitoring the ransomware attack that severely impacted Scripps Health facilities throughout San Diego County, including in La Jolla, but has thus far determined that emergency procedures underway since May 1 have been adequate to ensure patients are safe.

Beau Woods, a senior advisor for the federal government’s Cybersecurity and Infrastructure Security Agency, confirmed that attacks like the one at Scripps metastasized in the past year.

“Ransomware is increasing in sophistication, it’s increasing in prevalence,” Woods said. “The purveyors of ransomware are generally reinvesting the fees that they collect from the entities they extort to acquire more capabilities.

“They’re getting better, they’re getting more frequent, particularly during the pandemic, where we’ve opened up more connectivity to allow more remote work.”

The predicament at Scripps — which, according to several sources, was unable to offer radiation treatments to its cancer patients until the proper equipment was able to be returned to service May 7 — follows an even more widespread attack late last year.

On Sept. 27, what is believed to be the biggest ransomware attack in health care, hit Universal Health Services Inc., a 400-hospital nationwide system with facilities in California.

It took three weeks for all UHS facilities to return to full operation, and the publicly traded company listed $67 million in negative financial impact from the attack in its fourth-quarter earnings report, though it has not said whether it paid the ransom that hackers demanded.

That impact included diversion of ambulances to other hospitals when electronic medical records were locked down and inaccessible.


Ransomware — malicious software that, once having gained access to a digital network can encrypt information and threaten deletion or worse if cash is not paid — is increasingly targeted at the health care industry, according to a recent analysis from IBM’s Security X-Force consultancy.

The write-up, based on IBM’s own consulting work with affected companies, found that 28 percent of attacks on health care in 2020 were ransomware, making the industry the seventh-most attacked, up from 10th in 2019.

And the attacks are getting nastier.

As noted in a report from the Office of Information Security at the U.S. Department of Health and Human Services, “double extortion” ransomware attacks exploded in 2020.

Eighteen different types of ransomware are double extortion, referring to an attempt to make it more difficult for hacked companies to refuse to pay ransoms and simply restore their systems from backups made before ransomware took hold. Hacker gangs, usually operating from overseas locations, have countered by downloading sensitive data from the networks they penetrate before making ransom demands.

Now, those demands include double threats to pay up or risk losing encrypted data and pay up or risk private information from one’s customers being leaked on websites the hackers operate.

One such double-extortion ransomware type called Ryuk was widely reported to have been the culprit in the UHS attack, though the company has not formally disclosed the digital pathogen involved.


Scripps Memorial Hospital La Jolla was affected by a May 1 cyberattack on Scripps Health’s computer network.
(Sam Hodgson / The San Diego Union-Tribune)

As of May 10, it remained unclear which type of ransomware was involved at Scripps. The region’s second-largest health care system, with a hospital group including Scripps Memorial and Scripps Green in La Jolla and a vast network of clinics, outpatient surgical centers and other assets, said last week that “malware” was detected on its systems. An internal memo obtained by The San Diego Union-Tribune clearly implicated ransomware but did not list the type. The California Department of Public Health confirmed in an email that ransomware was involved.

It is clear that the attack hit Scripps hard at a time when the nation’s health care workers were starting to recover from a year of fighting the pandemic.

The attack caused a widespread ambulance diversion from all Scripps hospitals, taking them out of the emergency medical response system when a boat capsized off Point Loma on May 2. Survivors were sent to eight hospitals throughout the region, but not to Scripps Memorial La Jolla, the closest trauma center, because its systems were down.

Passengers said they paid $15,000 to $18,000 to be smuggled into the United States on the boat, according to an affidavit.

As computers remained offline last week, the diversion softened, according to Dr. Eric McDonald, recently appointed to serve as San Diego County’s chief medical officer in the absence of Dr. Nick Yphantides, who was put on administrative leave early this year.

Scripps hospitals, while not operating at usual efficiency levels, have been able to continue serving patients, receiving some ambulance traffic when required, McDonald said.

“This is another significant stress on what has been a long-standing level of stress on our entire hospital system,” McDonald said. “You really have to give kudos and support to the doctors and nurses and many other kinds of workers who are continuing to deliver care while this is going on.”

Patients generally have said they have found Scripps workers to be competent and cordial, though some patients were feeling frustration with the situation, especially what they called lack of communication regarding previously scheduled appointments.

Kyle Long said he had a scheduled bone marrow biopsy that was delayed with only last-minute communication from Scripps.

“As far as I am concerned, Scripps receives an F for how they handled this breach,” Long said in an email.


Scripps has provided little detail into which of its systems, beyond its electronic medical records, were taken down by the attack. And it has not said whether some of its sensitive patient records were siphoned out of its systems and into cyberterrorist servers under threat of disclosure or sale to the highest bidder.

That uncertainty left many Scripps customers demanding answers on the company’s Facebook page. Many wondered whether they should freeze their credit reports and hire reputation-protection services in case information leaks out.

Dr. Christian Dameff, an emergency medicine specialist and cybersecurity researcher at UC San Diego Health, said that, although he is not familiar with the details of what exactly happened at Scripps, protecting oneself in those ways generally makes sense even if an attack is not underway.

In general, he said, it is difficult for companies to know immediately whether and how much private information has left the building. Locked-down systems are not easy to analyze, and outside experts generally must be brought in to conduct forensic examinations of impacted systems to determine how deep the damage goes.

“I’m sure that work is ongoing at Scripps, but it’s complicated, tedious work that requires very specialized expertise to figure out exactly what they took and when they took it, and then to give recommendations as to what patients should do moving forward,” Dameff said.

Many, though, are surely wondering how this could have happened to an organization with a multibillion-dollar budget and named one of the “most wired” organizations in American health care as recently as 2019.

Attack paths

The IBM X-Force report indicates that recent attacks, whether they deliver ransomware or facilitate record theft, have been exploiting a flaw in the software than runs servers made by Citrix Systems Inc. The company boasts that 100 percent of the nation’s 10 largest health care organizations use its technology, especially to host electronic medical records systems such as the Epic software employed by Scripps and many others across the region.

In 2019, the company issued a security bulletin on a vulnerability in one of its products called an application delivery controller that it formerly called NetScaler. A case study posted on Citrix’s website says the product was employed at Scripps.

Citrix provides instructions on how to fix the vulnerability, but it seems clear that many organizations aren’t getting that maintenance work done before hackers gain access. The X-Force report estimates that 8 percent of all incidents the X-Force team handled last year involved the Citrix vulnerability.

Is that how hackers found their way onto the Scripps network? The company isn’t saying.

“Because this is an ongoing investigation, we are limited in what we can say. We will share more information as we are able,” Scripps spokesman Keith Darce said in an email.

But scanning for and exploiting equipment vulnerabilities is only one of many ways hackers gain the access they need to unleash digital destruction.

Duping employees who already have access is among the most common methods. A process called phishing is often employed to get employees to share logins and passwords on dummy websites that look like those run by their companies or to open email attachments said to be from trusted sources that turn out to be malicious programs. Once inside a company’s digital defenses, it’s easier for software to reach out to remote servers and download a more damaging payload.

Dameff said there are plenty of ways to make phishing attacks less likely to succeed. Two-factor authentication, a process that requires employees to verify their logins not just with passwords but also with a program that runs on their smartphones, can help a lot. But it can be cumbersome in situations where life and death are on the line.

“Multifactor authentication, password managers and good password practices like choosing complex passwords, email attachment scanning, endpoint security — I’m sure they had all of that,” Dameff said. “It just takes one person in the enterprise clicking a link to have something like this happen, regardless of all the great security controls you put in place.” ◆