Appalachian Regional Healthcare (ARH), which operates two hospitals in West Virginia and nine in Kentucky reported over the weekend that it was the target of a cyberattack that forced staff to revert to paper.
No email, no electronic health records, no other electronic systems. Just paper.
The hospitals are assessing whether to transfer critically ill patients to other facilities.
ARH says it is working IT providers to restore their systems. They are also working with the Feds to figure out what happened.
What we have not heard is what happened. Was it a virus? Ransomare? A technical glitch? ARH is not saying.
Was patient or staff information compromised? Nope, don’t know that either.
Does ARH know what happened? We don’t know.
Given the FBI is reporting that there are about 4,000 ransomware attacks reported every day, it is certainly possible that this is a ransomware attack, but we don’t know.
Some patients are running out of patience. They want to know if there was a compromise and if there was, what was taken. But the answer to that might not be so easy if the hospitals’ log records are lacking, damaged or erased.
The Department of Health and Human Resources is telling patients to file complaints with the Office of Civil Rights at 800-368-1019. I am sure that the hospital is thrilled about that suggestion.
But, this points to the fact that the silent treatment will not work. You have to have an incident response plan in place and tested. You have to be able to figure out what was taken. And you have to be able to do that quickly. ARH seems to have failed on all counts.