Chris Van Gorder, president and CEO of San Diego-based Scripps Health, which was hit with a ransomware attack in May 2021, said in an American Hospital Association podcast that healthcare organizations often hesitate to speak publicly about such incidents out of fear.
Mr. Van Gorder said this reluctance stems from fears of lawsuits and penalties imposed by government agencies.
"[Healthcare leaders are] afraid that either a comment they make will be used against them by a government agency or somehow be used by class-action lawyers or in any way have repercussions for being transparent," he said. "And I think that's a problem. And I think we need to deal with that."
He also pointed out that there are no standards for hospitals to follow regarding cyber protection.
When Scripps was hit by the attack in 2021, Mr. Van Gorder said the organization had taken extensive measures to prepare, yet it remains unclear how the hackers managed to penetrate its systems.
"Despite thorough forensic analysis, we still don't know exactly how it happened," he said. "We assume it was a phishing attack where they gained access to admin credentials and were able to navigate the system to extract the data they wanted."
Mr. Van Gorder emphasized that the government must do more to protect hospitals from cybersecurity incidents.
"Even the president of the United States has said a cyberattack on a hospital is a terrorist act," he said. "We need to start treating it as such and take action against these rogue entities at the federal level."