If you were a patient at Scripps Health in San Diego last weekend, you might have lost access to the patient portal containing your health records and appointments.
On Saturday, May 1, Scripps was hit with ransomware that forced its Electronic Health Record system into downtime and a switch to paper records. Scripps also had to postpone appointments and transfer critical care patients to other hospitals. The attack affected not only the four San Diego hospitals but also the Scripps backup servers in Arizona. Scripps noted that its outpatient urgent care centers, HealthExpress locations, and emergency departments remained open and were accepting patients.
Scripps Health is a nonprofit health care system with four hospitals and 19 outpatient facilities, treating a half-million patients annually. The system also includes clinical research and medical education programs.
As of today, Thursday May 6, the Scripps.org website is still down.
Ransomware attacks on healthcare skyrocketed last year, largely because of the weaknesses opened up by the scramble to respond to COVID-19, and the trend continues upward in 2021. This attack method can be devastating for patient care and is costly for the organizations that are hit.
The Cost of Ransomware
The obvious and frightening cost of ransomware in healthcare is disrupted patient care. One study has even linked ransomware to increased mortality.
Beyond patient care suffering, there are the costs of downtime and recovery. According to a recent report from the security company Comparitech, last year 92 ransomware attacks affected more than 600 separate clinics, hospitals, and organizations, and over 18 million patient records. The estimated total cost is nearly $21 billion. Downtime ranged from minimal impact, where frequent data backups allowed quick restoration, to weeks or months on paper-only systems.
The report went on to note:
There has also been a growing trend of double-extortion attempts, in which hackers not only lock computers with a message demanding a ransom but also contact victims with proof of the data collected. By posting the stolen data on their websites, they increase the pressure on organizations to pay the ransom fee.
While the estimated total cost of $21 billion may seem high, the report showed that it is actually in line with costs that organizations have voluntarily disclosed, for example:
- Universal Health Services reported that it lost $67 million after its Ryuk ransomware attack in September 2020. It took 3 weeks for the organization to get its 400 US health system sites back online.
- Erie County Medical Center didn't pay the $30,000 ransom demanded to release its patients' data, but it did spend almost $10 million recovering from the April 2017 attack.
- Park DuValle Community Health Center revealed how its ransomware attack in June 2019 cost $1 million. This included the $70,000 ransom the center paid after being unable to access data for two months.
NOTE: The FBI recommends against paying the ransom, since 1) it encourages more ransomware attacks and 2) payment does not ensure that the data won't also be resold. The criminals aren't to be trusted. For more FBI tips, see Ransomware.
Prevent the Worst Effects of Ransomware
There is plenty of advice about how to prevent ransomware or, if it can't be prevented, how to minimize the costly outcomes and keep days of downtime to a minimum. The tips offered by the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) are mirrored in a strong HIPAA Risk Management plan. Following HIPAA's risk analysis and risk management requirements provides a blueprint for defense against cyber crime of all types, including ransomware.