On Friday, the California Department of Public Health (CDPH) described the ongoing situation at Scripps Heath as a case of “ransomware attacks.”
Ransomware typically works by introducing software that encrypts a user’s data and holds the decryption key until the ransom is paid. Once that happens, a typical recourse is to reformat and restore the system from backups, a SDSU cyber warfare and cyber terrorism expert Steven Andrés told NBC in 2018
The local health-care provider, which operates five hospitals in San Diego, along with a series of clinics, was hit by a cyberattack over the weekend. Patients and staffers have been unable to access records, email and other technology for six days.
NBC 7’s Dana Griffin spoke to a patient whose wait for surgery has been extended by the cyberattack.
During that time, Scripps Health and county officials have been tight-lipped about the situation, other than to say that experts were working on the situation and that governmental agencies were aware of the incident. Scripps said it had proactively taken part of it’s systems down: “Upon discovering the outage, we immediately initiated an investigation and took steps to contain the outage, including by taking a significant portion of our network offline as a proactive security measure.”
In that same statement, Scripps described what was happening as “a network outage that resulted in a disruption to our IT systems.” On Friday, however, an official with the California Department of Public Health sent NBC 7 the following statement:
“The ransomware attacks were reported to the department. As required by state and federal law, hospitals are required to provide proper patient care at all times, including in any emergency situation. CDPH is actively monitoring the hospitals impacted. These hospitals are operational and caring for patients using appropriate emergency protocols in inpatient areas of the hospital. The department has authority to involuntarily suspend facility licenses in extreme circumstances that pose immediate risk to patient safety. Facilities reliance on emergency protocols does not automatically warrant such action.“