The California Department of Public Health confirmed Wednesday, May 5, that it is monitoring the ransomware attack that has severely impacted Scripps Health facilities throughout San Diego County, but has thus far determined that emergency procedures under way since Saturday, May 1, have been adequate to ensure patients are safe.
The agency, which oversees all hospitals in the state, said that Scripps notified it of the “ransomware attacks” and that it is “actively monitoring” the situation.
“These hospitals are operational and caring for patients using appropriate emergency protocols in inpatient areas of the hospital,” a statement said.
CDPH further noted that it has the authority to “involuntarily suspend” the licenses of facilities if it determines that the care being provided is unsafe. However, the mere fact that a hospital is operating under “emergency protocols” does not, in and of itself, “warrant such action.”
Wednesday, May 5, was the fourth day of the attack, and ambulance services were still being diverted from most facilities, though a county emergency medical services director said late Tuesday, May 4, that the situation was not absolute. Depending on the need at any given moment, facilities might take trauma or other emergency cases if diversion was impractical.
Other health systems in the area were helping to pick up the load shed by San Diego’s second-largest health system as measured by total patient discharges, behind only Sharp HealthCare, according to state data.
Dr. Christian Dameff, an emergency medicine specialist and cybersecurity researcher at UC San Diego Health, said Wednesday, May 5, that the situation has definitely been noticeable in the volume of patients arriving daily for treatment.
“What we’ve seen is an influx of Scripps patients into the UCSD system as their capacity to take care of patients has gone down a little bit,” Dameff said.
He said that everyone in San Diego’s large medical community feels responsible to help in such a situation.
“We really are a giant ecosystem, and when one organization is attacked, it can impact all of the others,” Dameff said. “Everyone’s kind of coming together in the greater San Diego area to try to help facilitate that care.
“Patients aren’t going to stop getting sick just because one of the health systems is under attack.”
The current status of the attack at Scripps remained uncertain. Patients have indicated that it has not just been Scripps’ four hospitals affected by the attack but also the information systems that serve its clinics and outpatient surgery centers.
After saying nothing about the situation Tuesday, May 4, the company issued a brief statement late Wednesday afternoon, May 5, indicating that it has hired an independent cybersecurity firm to get to the bottom of the problem. That investigation, Scripps said, is “ongoing and in the early stages” but has been determined to be related to “malware” on its computer networks. Attempts to contain the threat, Scripps said, have forced it to take a significant portion of its data network offline, “as a proactive security measure.”
“Scripps technical teams are working 24/7 to restore our systems as quickly and safely as possible, and in a manner that prioritizes our ability to provide patient care,” the statement said.
Wednesday afternoon, May 5, Jason Cabot, an attorney from Normal Heights, lay in a bed at Scripps Mercy Hospital in Hillcrest recovering from surgery earlier in the day.
It was not clear until the very last minute whether the procedure, which Cabot said he preferred not to disclose, would go forward. Schedulers had been unable to access his medical record or the surgical schedule when he called.
But the procedure proceeded pretty much as planned. Some might wonder, why not just postpone until things are running normally again? In his case, the surgery had already been significantly delayed due to COVID-19 restrictions.
“I don’t think it’s as easy as people think to reschedule given the large backlog of surgeries already due to COVID,” he said. “Most surgeries had been on hold for the better part of the year as it is.”
He said there were some signs of progress visible at Mercy Wednesday afternoon, May 5. Electronic telemetry systems were back online after initially being part of the shutdown. That outage had meant one family who gave birth at Scripps Memorial Hospital Encinitas had a nurse in the room to hand-record vital signs on paper Sunday, May 2, and early Monday, May 3.
The patient medical record, though, was still being written out in ink rather than typed into a computer. That situation, Cabot said, comes with its own obvious issues.
“The biggest concern from the patient care standpoint is that things could fall through the cracks like patient orders, allergies, record of medication administration and so on … in some ways, this is reminiscent of ’90s experience or even ’80s,” Cabot said.
But he added that the people delivering the care were far from retro in their approach.
“Ultimately, the staff did a great job, although it was obviously a bit of an unfamiliar process for them,” he said.
That was the experience of Judy Nauta, a downtown resident who had an echocardiogram scheduled for Thursday, and a chemical stress test set for Friday.
Though scheduling information has often been unavailable, she said the attitude of employees has remained professional.
“I found that everyone I’ve spoken to has been so kind and helpful,” she said in an email.
Surely the question on everyone’s mind is: How much longer will the current situation last?
Scripps has not put forth a timeline, making the answer to that critical question anyone’s guess.
Dameff, the UC San Diego cybersecurity researcher and physician, said he does not know the exact nature of the attack at Scripps or how deeply it penetrated network resources. It can take weeks to recover from the most severe ransomware attacks.
Part of the problem, he said, is that starting over is not just a matter of hitting reset buttons on the wide range of technology that modern medical facilities employ. Information technology teams must methodically verify that malicious software is truly gone before they can bring systems back online. And, if it is necessary to reset large swaths of equipment to new condition, wiping out their previous configurations, getting everything reloaded and reset can take what seems like forever.
“It needs to be done carefully, because, if you start a system back up and you haven’t closed all of the doors and the hackers can still get in, they’ll just do the same thing again,” he said.
— Paul Sisson is a reporter for The San Diego Union-Tribune