Tips on covering health system ransomware attacks

By Paul Sisson

Ransomware and other types of digital attacks are becoming increasingly common in the health care world. What better target than an organization that must operate around the clock, handles large amounts of money, and operates a highly complex business full of computers and humans often working under stress and time pressure?

San Diego recently learned just how serious such an attack can get. On May 1, Scripps Health announced that a cyberattack had forced the shutdown of its four major hospitals serving the San Diego region. It quickly became apparent that the malicious software incursion was much broader than it first seemed. Doctors’ offices, outpatient surgery centers, and pretty much every other type of location operated by the $3 billion health care system were affected.  

Health care providers were forced to revert to paper record-keeping for nearly one month before systems were able to be brought up safely again, and the true impact of the attack is still unknown.  

This was my first time covering a big ransomware attack. Word came in from Scripps on Sunday, May 2, and it was a scramble to piece together what happened. We quickly learned, via an internal memo and a corroborating anonymous source, that ransomware was involved, a fact that it would take Scripps three more weeks to acknowledge.  

I had to learn the ins and outs of ransomware coverage on the fly, so I was delighted when AHCJ asked for a tip sheet on the topic.  

Here are 10 things that stand out when thinking back on the situation:  

  1. Don’t beat your head against the wall. Understand that you’re likely going to get what you’re going to get from the organization that is under attack. Generally, insurance companies are calling the shots behind the scenes and your contacts, from executives to PR representatives, will be very, very limited in what they can say. So, it’s good to reach out and ask for a statement, but don’t waste your time demanding more. Lawyers are likely reviewing and approving all communications, especially if a ransom demand is active. 

  2. Work your sources. Health care is a very connected industry, and health information security even more so. Generally, when a serious attack occurs, the chief information security officers, or individual security personnel, will have some sort of back channel conversation going on at some level. So, just ask around off the record and see what you can learn — even from IT experts at competing health systems. 

  3. Reddit is your friend. For some reason, this news-focused social media platform tends to become a quick clearinghouse for information. Recent attacks against hospitals have quickly spawned active subreddits with employees, patients and others all sharing their immediate experiences. It should be your first stop in trying to figure out what is going on. 

  4. Check the company’s own social media feeds. Even if they’re not giving answers to your questions, the statement they do put out will likely be on Facebook or another forum that allows comments. This will provide a gold mine of folks with cancelled appointments or things to say about how they’re being treated inside facilities experiencing the ransomware attack. 

  5. Go dark. Today’s ransomware attacks tend to be of the “double extortion” variety. This means that cyber criminals will siphon off sensitive data before they deliver their ransom demand. They threaten to publish that stolen information on their own “news” sites if a company refuses to pay up. So it pays to keep an eye on these sites. Lucky for you, you don’t actually have to go on the dark web to get a peek. A site called ransomwatch.org takes regular screenshots of all the ransomware news sites, allowing you to see what’s popping up without having to visit sketchy sites yourself or learn how to do so safely. 

  6. Remember that this is health care. Hospitals are responsible for saving lives 24 hours a day, seven days a week, and most have become very, very reliant on their electronic systems for everything from storing digital patient charts to performing and transmitting X-rays and other forms of imaging. If a hospital is shut down, as occurred in San Diego, ambulances will be diverted, appointments will need to be rescheduled, and prescriptions will still need to be filled. EMS coordinators, pharmacists and many others outside the organization will be affected, and you should be talking to them.

  7. Don’t forget the regulators. If health care facilities are operating without key services, their regulator (in California it’s the California Department of Public Health) should be paying attention to make sure that the quality of care being delivered is still up to snuff. You should ask regularly about the regulator’s role. If they’re not on-site inspecting, that’s a story. 

  8. Familiarize yourself with the bigger picture. The Cybersecurity & Infrastructure Security Agency is a key clearinghouse on all cybersecurity information. The organization's website has a useful “Ransomware Alerts and Tips” section where you can see which kinds of attacks have popped up most recently. This can be useful in analysis pieces where you need to paint a picture of the landscape when your editor wants something and the compromised organization is saying nothing. They may even grant you an interview.  

  9. Find some data. Strangely, CISA doesn’t publish reports on cyberattack trends even though actual attacks are often reported directly to it. For that kind of material you’ll want to head over to the Health Sector Cybersecurity Coordination Center (HC3). Its “Ransomware Trends 2021” and “2020: A Retrospective Look at Healthcare Cybersecurity” reports are pretty good. At the moment, you can find those items on HC3’s Products page, but you may need to dig around a bit. The Google `site:` search operator is your friend.

  10. Know the timeline. The Health Insurance Portability and Accountability Act (HIPAA) Breach Notification Rule says that all affected parties must be notified within 60 days after discovery for breaches that impact more than 500 people. Media notification is also required. It is generally considered best practice in the IT world to make a public notification very quickly after a breach is detected so that others have a fighting chance of protecting their own systems. 

Paul Sisson covers health care for the San Diego Union-Tribune. He has been a member of AHCJ since 2012.