Incident response shouldn’t include threatening the media, Saturday edition
As I commented to someone recently, a security incident involving Appalachian Regional Hospital facilities in Beckley and Summers County struck me as a really serious one because it was impacting patient care. While ARH responded promptly and initiated its emergency operations plan after detecting that its system was infected, it seemed clear that shifting to an older manual system would introduce delays in processing and in care, despite employees’ best efforts.
Since the cyberattack was first announced, some patients have complained that ARH has been less than forthright about the situation and about whether their protected health information or identity information has been acquired by bad actors. A statement by ARH on August 30 indicated that they had no indication that patient data was stolen, but I guess people want that confirmed and want updates. ARH has issued two updates since August 30, but the updates do not address whether there was any ransom demand, and do not provide any update on whether there is any evidence that PHI or PII was accessed or exfiltrated.
As I noted even before the August 30th press release was issued, my initial impression was that this was likely to be a case where the data or systems were locked up for ransom but no data had been exfiltrated. I continue to hypothesize that that’s the case, but in this day and age, it’s understandable that patients want answers quickly so that they can take steps to protect themselves.
And while I appreciate the great stress that everyone at ARH must be under during this difficult time, threatening the press who have been reporting on what is, indeed, a matter of public concern, does not strike me as an appropriate response.
The Register-Herald has been all over this story since the beginning, and it appears they’ve been threatened over their coverage. Daniel Tyson reports today how operations are still impacted. He then reports all the entities and offices the paper has contacted trying to get information about the breach and current status, and how the paper could get no response from any of the many individuals and offices they reached out to. Then… wait for it …
However, an email from ARH Chief Legal Officer Rick King Friday afternoon stated if The Register-Herald continues to “deliberately publish statements which defame ARH, or cast it in a false light, we will have no other recourse but to consult with our attorneys in WV, to determine appropriate legal action.”
Threatening the press for reporting that some people are complaining or that the hospital has not yet answered questions the public wants answered should not be part of incident response. Maybe ARH would like to see more coverage from patients who are understanding and supportive or from patients who experienced no delay in care, but the solution is to issue a statement saying what delays patients should still expect at this point and what operations are fully restored already. And while they’re at it, perhaps they should explain why they were unable to just fully restore operations from backup.
One way to restore trust and confidence is by being more transparent. Threatening the media to attempt to chill some speech is counterproductive and inappropriate.