Scripps Health Remains Plagued By Weekend Cyberattack
KPBS Midday Edition Segments / May 4, 2021
Since Saturday, computer access to patient records, scheduling and critical electronic systems such as vital sign monitoring has been unavailable. The software malfunction is believed to be part of a cyberattack affecting the Scripps Health system in San Diego as well as the system’s backup servers in Arizona.
Speaker 1: 00:00 The last update from Scripps Health about the cyber attack that has crippled its access to digital information is that facilities remain open and technical teams are working to resolve the issue. Since Saturday, computer access to patient records, scheduling and critical electronic systems such as vital sign monitoring have been unavailable. Scripps says it remains in the process of examining the extent of the attack, but law enforcement has been notified. It's suspected that the incident may be a ransomware attack, where digital information is held hostage for a substantial payment. Joining me is Mark Heckman, a computer science professor and cybersecurity expert at the University of San Diego. And Mark, welcome. Thank you. How can you tell the difference between a cyber attack and an electronic malfunction of the school?
Speaker 2: 00:54 When a system malfunctions, it tends to be a single point of failure. It's rare that every single computer on your network would suddenly have the same kind of problems. Also, there's a certain pattern to the symptoms that you notice in the case of an attack like a, a ransomware attack. You would notice, for example, that suddenly you're unable to get access to all of your files because they've been encrypted. And even more clearly, there'll be a pop-up on your screen that says, "You've been hacked. We've encrypted all your files. Send us money, or, if you want them back." That typically doesn't happen with the random failures.
Speaker 1: 01:29 Clue. So why would Scripps Health system be a target of a ransomware attack?
Speaker 2: 01:35 Well, we don't know for certain that they were a, a direct target. It could have been a completely undirected attack. There are people out there trying to, uh, get money from whomever they can. And the malware spreads pretty much randomly. It's a crime of opportunity. However, that being said, hospitals have a lot of valuable data. People's personal health records are quite valuable, much more valuable than, than credit cards, for example. The records could be used for a medical fraud. They could also be used for blackmail, if people have conditions that they don't want publicly known.
Speaker 1: 02:09 Now, Scripps officials aren't saying much about this. Why not? Why aren't they, why aren't they giving out more information to you?
Speaker 2: 02:17 Well, I can only hypothesize. I really don't know anything more than what has been published so far. And you alluded to that in the beginning. They've been very tight-lipped, but I can hypothesize that they don't know all the details yet. They don't know exactly what the extent of the damage is. They, for example, don't necessarily know if health information was exfiltrated, was stolen. And if they don't know the extent of that, then they can't really comment on and give you much more information about whether a particular person's records might've been stolen. And also they don't necessarily know how the attack happened. It takes, it can take days or weeks sometimes to trace back and try to find the actual original source of a malware infection.
Speaker 1: 03:00 Should Scripps assume that their information has now been compromised?
Speaker 2: 03:02 I don't think they can make that assumption. It's possible that it was... There's two kinds of ransomware attacks, or two types of, of crimes that we call ransomware. In the one case, the information is stolen. And then the, the, call them the bad guys, will say, pay us money or we'll release it. And that's one type of ransomware. The other type of ransomware, the much more common one these days, is where a malware gets on a system and starts encrypting all of the files on that system. And it doesn't steal any data. It just makes that data inaccessible to anyone who legitimately has need of it. And, um, I don't know which type of attack happened here. Huh?
Speaker 1: 03:43 Do you think this is potentially for Scripps? How long could it take Scripps to recover?
Speaker 2: 03:48 If this is the type of malware attack where a malicious code gets into a system inside the network and then starts spreading itself to any other system it can reach inside that same network, potentially we're looking at, at, at, uh, hundreds or more of workstations and other systems infected inside of Scripps' network. And to clean that up requires taking everything off the network. And then, one by one, you have to replace all the software on that system with a clean copy of the operating system and, and its essential software, so that you can be sure that you've eliminated the malicious code. And that is a very time-consuming process. And in fact, if you haven't figured out exactly how it happened in the first place, if you just clean up one system and put it back into service, it could just be reinfected again. So to do this in a way that is most effective, you have to be very careful. And that takes time.
Speaker 1: 04:41 What kind of track record does law enforcement have in finding these hackers?
Speaker 2: 04:45 Well, we don't hear about it all the time. Of course, it's not impossible to hide your tracks on the internet, let's say. However, we have agencies that are quite good at tracking people down. It may take several years sometimes, but in many cases we can identify the culprit, the person behind a particular attack. And if they are someplace reachable, then we can arrest them. But they may be foreign nationals. They may be residing in a country that doesn't have an extradition treaty with the United States, in which case we, we can't touch them until they travel someplace that, uh, law enforcement can. But we find that, that in many cases, crimes of this type are run by, call it, foreign entities, whether they're organized crime or even nation states. And we have limited resources, limited ability to bring the culprits to justice.
Speaker 1: 05:34 I've been speaking with Mark Heckman, a computer science professor and cybersecurity expert at the University of San Diego. And Mark, thank you very much.
Speaker 2: 05:43 Well, it was my pleasure. Thank you.
Speaker 1: 05:46 Oh,