Scripps cyberattack highlights patient safety risks during breaches

May 14, 2021 01:11 PM

LISA GILLESPIE 

JESSICA KIM COHEN 

Last Tuesday, Jason Cabot prepped for an abdominal surgery: he fasted for 24 hours and drank three tablespoons of intestine-cleansing milk of magnesia. But until he showed up at 5:30 a.m. the next day at Scripps Mercy Health in San Diego, he had no idea if the surgery was going to happen.

Scripps Health, a large health system in California, on May 1 experienced a “disruption” to its IT systems, which has since been tied to malware discovered on the health system’s computer network. To contain the malware, Scripps said it took a portion of its network offline, disrupting access to the health system’s email servers, patient portal and other applications.

So far, Scripps has shared limited details of the malware attack. But the California Department of Public Health last week described the incident as caused by “ransomware attacks.” In a ransomware attack, a hacker will typically deploy malware—or “malicious software”—that encrypts a victim’s computer files and only releases files in exchange for payment. Recently, criminals have also been removing data from systems and threatening to release the files if the victim doesn’t pay.

While patient privacy has been the key concern in recent cyberattacks, patient safety and quality of care are becoming more prominent concerns when health providers can’t access electronic health records or scheduling information.

Cabot, 34, came up against a potentially serious patient safety error that resulted from the Scripps attack. Though he said Scripps pre-op staff triple-checked the type of surgery he was having, his medical conditions and his medications, issues sprang up after the surgery. He said a nurse tried to administer the blood-thinning medication heparin, not realizing another nurse had already given him the only dose he needed before surgery.

“Obviously accidentally administering twice the intended dose of a blood thinner could be problematic,” Cabot said. “It’s things like that that scare me from a patient safety point of view, with no physician access to patient records, incomplete paper trails and unfamiliar processes.”

The American Hospital Association has argued that ransomware attacks against hospitals should be prosecuted as threat-to-life crimes, not economic crimes. That’s because when a ransomware attack brings down a hospital’s IT systems it not only disrupts internal business processes, but also patient care, as ransomware often hits critical medical systems.

If a hospital’s EHR system is down, clinicians may not be able to access a patient’s medical history before a procedure. Even if clinicians are familiar with downtime procedures — procedures also used during natural disasters and maintenance on IT systems, as well as cyberattacks — an unexpected outage is still challenging.

“When hospitals are the victim of a ransomware attack, everything from patient records to scheduling appointments is impacted,” Tapan Mehta, global healthcare strategy and solutions leader at cybersecurity company Palo Alto Networks, wrote in an email.

EHR shutdowns can cause medical errors. EHRs include reminders and alerts for almost every function within a hospital. In Cabot’s case, a post-op nurse likely would have seen that the medication was already administered if the system was working. If she didn’t, a safety alert would have popped up on the EHR system.

“As you introduce decision support, you can reduce errors and injury to patients, but if you take it away, the opposite will happen; it’s the logical thing,” said Dr. Christoph Lehmann, a clinical sciences professor in the department of bioinformatics at The University of Texas Southwestern Medical Center. “So until they have their systems back up and running, it’s going to be more dangerous to go to that hospital.”

There’s not much research on the link between cybersecurity attacks and their impact on safety and quality. One study, co-authored by Lehmann, found that in the three years following a cybersecurity attack, mortality from heart attacks goes up, and it takes substantially longer for emergency department staff to initiate an EKG after a patient presents with chest pain.

That’s not because of the cyberattack itself. When two-factor authentication and longer passwords were implemented post-attack, it took more time to get care to these chest pain patients, according to the researchers.

“If you do all these security measures, it’s more cumbersome to go in and do the things that are needed right away for patients,” Lehmann said.

The immediate aftermath of an attack, when the system is down, is much less studied. That’s in part because hospitals have in the past few years entered a new era of cybersecurity risk: earlier waves of attacks were mostly focused on obtaining patient records for old-fashioned financial fraud or medical identity theft, rather than holding data for ransom.

“What we’re seeing now is what I would say, version 2.0, which is to hold an organization hostage, either because of a disruption, or because of fear of release of private data, and to extort money out of the organization,” said Eric Johnson, dean of Vanderbilt University’s Owen Graduate School of Management.

Health systems are especially at risk of cyberattacks compared with institutions in other industries, such as the financial sector. Doctors and other healthcare providers have seen security measures like proximity sensors, where a computer locks when a worker walks away, as an impediment to care and a hassle.

“When I talk to doctors about security, a lot of times they’re very negative,” Johnson said. “So they’re pretty far behind, and at this point, incredibly vulnerable.”

Delays in care can create big problems for patients. Scripps patient Lisa Van Hook, 66, said her doctor recently found a lesion in her throat. She’s optimistic that it’s nothing serious, but she does need a biopsy.

“I think it’s [the biopsy order] just protocol, but at the same time I keep touching my neck,” said Van Hook, who has been a patient of Scripps for 40 years. “This is a big deal and we have heard nothing. I’ll give them some time, but we really need an advocate.”

Van Hook was one of hundreds of people on Scripps Health’s Facebook page inquiring about whether or not their appointments were still scheduled, how to get prescriptions refilled while the patient portal is offline, and complaining that they couldn’t get through to hospital or provider offices by phone. After messaging Scripps through Facebook and calling the hospital multiple times, Van Hook still doesn’t know when she’ll be able to get a biopsy.

Having a contingency plan to continue treating and diagnosing time-sensitive ailments, and communicating clearly with patients, is key when experiencing a cybersecurity shutdown.

“There are things in medicine that just don’t allow you to be doodling around,” said Lehmann at UT Southwestern. “An outreach campaign to their patients should include, ‘If you have the following conditions, don’t wait on us to be back in business. We can refer you to other good places.’”

To date, responses on Scripps’ Facebook page direct patients to their individual providers. In some cases, Scripps asks patients to direct message personal information to confirm appointments. But interacting with patients on social media is an area where hospitals should be cautious not to run afoul of federal privacy laws, according to legal experts.

“Social media is a blessing and a curse in these situations,” said Valerie Montague, a partner at law firm Nixon Peabody who focuses on health information privacy and security issues.

Social media provides an avenue for a hospital to post updates and let patients know where to call or reach out with questions. But hospitals’ communication teams or other staffers managing social media pages also have to be careful not to accidentally disclose health data that’s protected by HIPAA.

If a patient publicly posts a question or complaint on a social media page, Montague suggests that the hospital acknowledge seeing the message but ask to continue the conversation privately, such as in a direct message or phone call. It’s also important to verify the patient is who they say they are before discussing their appointment, even in private.

“The healthcare facility has to balance being responsive to their patients with not doing anything to disclose the information that they’re required to protect,” Montague said. Hospitals shouldn’t publicly confirm that the individual posting is a patient or that they’re receiving care at the organization, even if the patient posts that information first.

In a video from Scripps CEO and President Chris Van Gorder to staff on May 10, Van Gorder said that the California Department of Public Health visited all five hospitals and validated that care being delivered is safe. He added that the staff is now operating on manual backup procedures.

“Physicians and clinical staff are making decisions about who should have surgery and who should be delayed, and in the very rare occasion, patients that might need to be cared for by one of our community partners,” Van Gorder said in the video provided to Modern Healthcare from Scripps. “Over the last few years, obviously everything has become automated and we have those backup procedures only for rare occasions and usually only for an hour or so. But this is an unfortunate situation where it is literally taking days to be able to bring the system back up.”

Scripps has not publicly shared whether it’s received a ransom demand from the attackers, and if so, what types of data the hackers were able to encrypt or exfiltrate.

Under HIPAA, health systems aren’t required to notify patients or HHS about a breach of health data until 60 days from when the entity discovers the incident.

In a note to employees on Monday and provided to Modern Healthcare, Scripps CEO Van Gorder said that while he strives to be “as open and transparent as possible,” he’s limited in what he can share about the attack.

“We need to let our investigation proceed and work with our consultants and outside governmental agencies, and when I can share, I will,” he wrote.