Resident Eagle: Lessons From a Cyberattack
Resident Eagle is a monthly column profiling the work of top EMS physicians and medical directors from the Metropolitan EMS Medical Directors Global Alliance (the "Eagles"), who represent America’s largest and key international cities. For information on the Gathering of Eagles 2022, see useagles.org.
Technology has made life easier for most people, businesses, schools, and government agencies. During the pandemic, of course, many turned to technology to help keep things operating. First responders and healthcare providers naturally rely heavily on technology to communicate during various phases of emergencies.
Yet technology can fail and, even with the strongest cybersecurity measures in place, be vulnerable to those with nefarious intentions. Healthcare providers and first responders in San Diego found out firsthand this past spring how technology going offline has lasting ripple effects—including, in this case, an effect on managing medical emergencies.
Scripps Attack
On May 1, 2021, Scripps Health, one of the largest healthcare providers in San Diego, detected a ransomware attack on its computer network. Officials immediately took down vulnerable systems, including restricting access to patients’ medical records and even shutting down systemwide e-mails.
The shutdown impacted outside entities, including EMS providers who were forced to shift several aspects of their operations as they responded to emergency medical calls.
Christopher Kahn, MD, MPH, chief of the Division of Emergency Medical Services and Disaster Medicine for UC San Diego Health and the medical director for San Diego Fire, said the ransomware attack resulted in four hospitals going offline, including two of the region’s five trauma centers.
All four of Scripps’ hospitals were closed to ambulance traffic for four days. E-mails and patient portals were shut down, and other hospitals took on increased patient volume during those four days and intermittently throughout the next few weeks.
Scripps reverted to paper charting and ordering and even basic measures like pinning the results of radiology images to their patients.
“It was a full hard diversion for four days,” Kahn says, “and the system wasn’t completely back up for a few weeks. After a few days we fortunately were able to take some trauma patients, because they brought that back first. The hospitals had to use paper charts and read diagnostics in real time. For example, the radiology information systems were down, so they could only do readings in real time instead of sending them to individual work stations electronically. They were writing down the results by hand.”
The San Diego region is home to 18 hospitals (including one children’s hospital). Six are trauma centers, five for adult patients and one for children, but two of those adult trauma centers are part of the Scripps system and were put on diversion. The good news was that during the entire ransomware crisis, actual patient care was not adversely impacted.
The Aftermath
Since the attack, IT departments for San Diego Fire and other first responders, along with their hospital counterparts, have been working to ensure network systems are secure and protected as much as possible from similar threats.
“For EMS, we had four hospitals not taking our patients,” Kahn says. “That left us 14 hospitals to take adult patients to, but only three trauma centers. We still had the same number of patients but fewer hospitals to take them to, because it took out a large amount of capacity for trauma.” That’s why Scripps prioritized getting back online for trauma patients first.
“The entire emergency health system is already incredibly stressed on a normal basis, and it really heightened that when the Scripps network systems weren’t working,” Kahn adds. “We also could not transmit information electronically to the hospitals to read for us while we were still in the field or ambulance.”
Instead, San Diego County officials actually delivered radios to help crews with calls to and from Scripps-based hospitals.
Kahn says he has not yet seen a plan on the regional level to address better preparedness for future cybercrises.
“I know Scripps got together with their individual emergency management departments,” Kahn says. “But I know this incident will get people thinking about, What if this happens to us? From the EMS standpoint, we are meeting and looking at redundancies we have in place. Do we have paper charts? Do we have GPS backups such as paper maps? And does everyone know how to read a map these days? We will have to teach that. Some systems, like our narcotics boxes, are electronically locked. They go to a server to be unlocked. What’s our backup if the electricity, our server, or the network goes down? What if our radio communication goes out?
“We are not immune to this in EMS. We need to look at backup plans now that we have a real-life example. We need to put some redundancies back in place. With every new technology introduced, we need to make sure we also have the capability to revert back to nontechnological, basic things. The best time to become aware of potential problems is now, before we have to deal with it.”
Kahn says he even heard that some young medics were not aware of the proper use of the now-archaic carbon copy forms.
“They apparently were asking why they had to write it all out three times,” Kahn says. “They didn’t know you just write on the top copy and push hard—it was something they had never seen before!
“Twenty-five years ago in San Diego County, charting was done by filling in bubbles and putting it in a Scantron. We had to literally bubble in each number such as systolic and diastolic readings. We got pretty good at filling out bubbles and went through a lot of pencils. I know we still have some of those forms molding in the basement, but if people don’t know how to use these types of things and how to use the machine to read them, it does no good. We have to bring back some of those redundancies.”
And, given this ongoing threat, have the discussions and get the Plan Bs drafted now.
“That’s what emergency management is all about,” Kahn adds. “You have to have contingency plans. And then you have to practice them, go back and tweak them, and practice again. And usually we have a lot of sharing of information with our neighboring agencies. Borrow, adapt, and use—that’s happening in larger EMS systems. They look at the issues they’re facing and see what worked and what didn’t. Not everyone has to start from scratch necessarily. We can share our knowledge.”
Susan E. Sagarra is a writer, editor, and author based in St. Louis, Mo.