Allison Savage waited years for surgery to remove the elongated bones at the base of her skull that have compressed her jugular vein, making her vision blur and head spin every time she leaned over to garden, fold laundry, or look at her computer.
“I have to rest up before I brush my teeth, and I have to rest up after,” said Savage, 54. Covid-19 postponed a second surgery to remove the bone on the right side of her neck; during the 14-month delay, her symptoms became “a nightmare.” “It feels literally like someone is strangling me,” Savage said.
Earlier this month, anxious about the upcoming procedure, Savage tried to check in with her doctors using her online patient portal with Scripps Health, a San Diego hospital and clinic system. It was shut down. Then, two of her appointments were cancelled last-minute. She called her doctors, but they, too, were locked out of patient record systems.
Scripps Health had been hit with a ransomware attack that led to an IT network outage and forced its staff to divert critical care patients to nearby hospitals and revert to pen-and-paper recordkeeping. For Savage, the outage couldn’t come at a worse time. “I just needed reassurance, and no one from Scripps would talk with me or help me,” she said. “It’s scary.”
Her experience — being left in the dark by a medical provider paralyzed by ransomware — is increasingly common. Experts say existing regulations effectively give health care organizations a black box in which to hide when they have been hit with attacks like the one that has plagued Scripps for almost three weeks and counting.
“There’s a lot of secrecy when it comes to cybercrime,” said Larry Ponemon, a privacy and data protections expert. “You’re not proud of the fact you’ve become a ransomware victim, so a lot of this is swept under the carpet.”
Consumers might assume their health care providers are securely maintained, HIPAA-guarded fortresses. They might also expect to be made aware if and when those protections were breached, especially by criminals. But under federal law, providers are only required to publicly report breaches of protected health information affecting 500 or more people; smaller breaches are logged and reported to HHS once a year, and never appear on the public list. Whether a ransomware attack counts as a reportable breach at all is also left to the provider: HHS guidance treats the encryption of protected health information by ransomware as a presumed breach, but a provider that concludes there is a low probability the data was compromised is not required to report it.
According to the federal health department — which maintains a database of reported breaches experts have dubbed the “Portal of Shame” — the health records of 23 million individuals were breached in the U.S. last year, with another 16.6 million so far in 2021. Experts say those figures are almost certainly an undercount.
“It’s an unknown fraction of what’s actually occurring,” said health care cybersecurity expert Nick Culbertson, “a fraction of a sliver of a slice of a piece.”
What’s clearly true: Our medical system’s mandate to provide uninterrupted lifesaving care 24/7 has made it an increasingly vulnerable — and valuable — target for cybercriminals. According to one industry estimate, ransomware assaults on health care facilities grew by 35% from 2016 to 2019. “If you are so critical that you cannot stand any downtime, you’re more likely to pay,” said Mike Hamilton, a cybersecurity consultant and former chief information security officer for the city of Seattle.
But patients pay a price, too, when attackers paralyze a health care system’s infrastructure. Since the outage began, Scripps patients have taken to social media to ask administrators whether their scheduled surgeries are still on and when they’ll find out the results of biopsies and bloodwork. “Scripps has been sent back into the Stone Age with this ransomware attack,” one person commented on Facebook. “For the sake of patients, PAY THE RANSOM,” posted another.
One Scripps patient, who requested anonymity out of concern for their privacy, said they were only able to reschedule an appointment after days of calls and over fax. “There has been no communication with patients outside of social media posts or news articles,” they said. “It just feels as if they are intentionally withholding the full scope of the truth from their patients.” Another patient, Caitlyn Smith, said she constantly uses her Scripps patient portal to manage her ulcerative colitis. She discovered the outage after not being able to log in. “It’s unsettling,” she said, “like having a really important part of your life paused.”
Scripps did not respond to a request for comment, but said in a public statement Wednesday it was “continuing to work diligently to restore our systems as quickly and as safely as possible.”
Savage said she knows Scripps is being held ransom. But the thought of not being able to access years worth of medical records or of having to start over with a new team of specialists leaves her feeling much the same. “I understand their hands are tied. But their silence is causing more stress,” Savage said. “I’m stuck. I do feel like I’m being held, like I’m captive.”
About a decade ago, as health care organizations nationwide were rushing to adopt digital systems, a majority of breaches stemmed from human error: employees falling for email phishing schemes, billing statements sent to the wrong recipients, documents thrown into the trash instead of the shredder. But in recent years, the risk of cyberattacks has grown as hospitals introduced more connected devices — often running outdated software and deployed without proper security — while being slow to adopt rigorous security practices or train staff in “cyber hygiene.” Today, hacks or IT incidents account for 70% of the 773 breaches currently under investigation by HHS, data show, some of which have wrought evident and immediate harm.
Last September, for example, a ransomware attack froze a chain of more than 250 U.S. hospitals and clinics, forcing staff to restore critical heart rate and oxygen monitors with ethernet cabling. In 2021, ransomware attacks have already caused network outages at health systems from Washington to North Carolina. “I expect this to get worse before it gets better,” said Vanderbilt University information technology professor Eric Johnson. “The truth is health care is really not ready for it.”
At the same time, the health care system serves as a recordkeeper of our most deeply valuable information, which can be easily exploited by criminals. “Health care has one of the richest, most valuable datasets in the world,” said cybersecurity expert Dan Dodson. “We’re trying to protect this enormously valuable data and we’re doing it in a budget-constrained environment.”
On the black market, a single medical record can sell for upward of $1,000. And medical identity loss can be far more difficult for consumers to recover from than a financial theft, Culbertson said. “You can freeze your credit, but you can’t freeze your medical history.”
For those that do pay the ransom, it can easily cost five or six figures. Austin Berglas, a former cyber crimes coordinator with the FBI, estimated that between 60% and 70% of the investigations he now oversees as a consultant are resolved by paying the extortion demand.
Some can’t survive the financial realities of such attacks. Two months after a ransomware attack blocked access to records of 5,800 patients in 2019, Wood Ranch Medical clinic in California closed its doors. “Unfortunately, the damage to our computer system was such that we are unable to recover the data stored there and, with our backup system encrypted as well, we cannot rebuild our medical records,” the clinic wrote in a final farewell.
Even those that don’t pay up face expensive consequences. Last year’s attack on a Vermont hospital system ultimately cost at least $63 million in lost revenue from postponed services and the expenses needed to recover from the attack.
Experts say that in 2020, criminals ramped up their efforts to steal data and disrupt medical care during Covid-19. As hospital administrations focused resources on the pandemic, rigorous security protocols or plans to beef them up fell by the wayside. “It becomes management by landmine: When it blows up, we’ll fix it,” Hamilton said. “It’s a bit of a gamble.”
The upward trends show no sign of slowing, according to industry reports and available HHS data. “Attempted attacks are happening every day, thousands of times a day,” cybersecurity consultant Drew Schmitt said. “We only hear about the ones that are so bad they’re unignorable,” he said. “I think there would be a benefit to the public to have a little more transparency.”
Over time, he and others worry, cyberattacks will take a toll on one of health care’s most valuable assets — patient trust — if the industry continues to cling to secrecy until the worst comes to pass. “There is a reckoning on the horizon,” Culbertson said.
A recent survey of more than 1,000 U.S. patients found that 27% said they would switch providers if their health care records were breached in an attack. A slew of recent lawsuits against providers disrupted by ransomware tap into that growing distrust.
There has also been some pressure to update federal regulations so they require more public reporting of ransomware attacks and payments, Berglas said. “Most organizations would err on not reporting if they don’t have to,” he said. “That’s not going to change until it’s mandatory.”
In an internal staff memo last week, Scripps Health CEO and President Chris Van Gorder addressed the issue of transparency, blaming the extended silence on the ongoing investigation into the incident. “My philosophy and Scripps’ philosophy is to be as open and transparent as possible. I will continue to do that but I want you to know this is a different kind of situation which limits what and when I can say things.”
But online and in interviews, Scripps patients say the lack of communication has amplified their suffering during the outage.
One patient said she’s spent the last week playing phone tag to get the results of blood work done in response to her high white blood cell count. “From someone that you trust with care that is so personal,” she said, “The lack of transparency is pretty frightening.” She plans to switch providers as soon as she can access her records.