Three hospitals in Brooklyn, NY, are facing backlash over a lack of transparency regarding a November 19 cyber incident. Patients and physicians have expressed frustration that the three One Brooklyn Health System hospitals have not been forthcoming about the cause of the incident. Other area hospitals are concerned that they could fall prey to the same attack and would like more information from One Brooklyn; those hospitals are also seeing an unexpected increase in patient load, likely as a result of the incident.
- NIST, CISA and ENISA all have good guidelines for best practices in incident reporting. They all recommend what ENISA calls “…quick dissemination of information among interested parties.” That doesn’t mean telling the world you are vulnerable before you have stemmed the bleeding, but lack of transparency usually just increases the amount of blood spilled.
- I repeatedly say, “Today you will not be judged for being the victim of a security incident, but you will be judged on how you respond.” It is vitally important that organisations ensure their incident response plans include how they clearly and transparently communicate details of a security incident to various stakeholders such as management, regulators, media, staff, and the public. It is also important that as defenders we share our experiences so that together we can all work to make our systems more robust and secure.
- While sharing can be scary, your peers really do want to know if what happened to you can happen to them, and this is not about making you look bad. Establish communication channels, leveraging your sector ISAC, CISA or another organization, including agreements on disclosure, anonymization and retention. Remember this is a two-way street: all parties will benefit, not just from information sharing but also from the potential resources, tools and references you will need.
- Liability concerns are likely part of the reason for the lack of transparency in sharing attack details. That said, cyber defenders benefit from understanding attack details, including the defenses that were in place at the time of the attack.
- Better to be criticized for lack of transparency than to put others at risk by premature disclosure. That said, one should be able to share safely with one’s peers and colleagues. That is what ISACs are for. Most of these are doing a good job of sharing safely. Belong.
Read more in