Bracing for Cyber Attacks

Reputation Management is Key

If Target suffers a cyber attack, customers’ credit card information may be at risk. But if a hospital or health system is struck by ransomware or a denial-of-service (DoS) assault, not only could patient health information be compromised, but quality of care can suffer, and indeed, lives could be at risk.

In a recent webinar by the New England Society of Healthcare Communications (NESHCo), of which SPRYTE is a member, Diana Pisciotta, president of Boston PR agency Denterlein, explained why healthcare providers need to be hyper-vigilant about protection from cybercrime.

Ransomware, which blocks your access to your own files until you pay a cash ransom, can send a healthcare facility back to the Stone Age, as happened at Hollywood Presbyterian Medical Center in Los Angeles last year. In 2014, Boston Children’s Hospital suffered a DoS attack that crashed its server, rendering its website and intranet useless. And a data breach can not only put patients’ medical information at risk, but also open them up to potential ID theft because of the highly personal information in their records.

With so much at stake, maintaining your good reputation means healthcare communications professionals have to be ready to respond, reassure their audiences, and mitigate any potential negative reaction. As in any crisis, they need to do it quickly, transparently, and with authority. And as in other corporate crisis situations, it is helpful to do all you can to prevent a disaster before it occurs.

This means PR staff should communicate with the IT department to make sure all that can be done to protect the organization is being done.  According to Pisciotta, some of the questions to ask include:

  • Are protections up to industry standards?
  • Are they doing spot checks or audits to ensure the network is safe?
  • Are policies and procedures updated routinely?
  • Are they pushing outside vendors for ideas to strengthen firewalls and protect personal info?
  • Are there official agreements with third-party vendors to protect data?


But even with those precautions, the worst may occur. It’s already happened in other health systems. So we always advise our clients to plan for any potential adverse scenario and develop messaging and standby statements for those with the highest probability.

During the webinar, Pisciotta stressed that if there is an incident, the basic crisis communications rules apply:

  • Maintain confidence: Let patients know they will continue to get the same quality of care to which they’re accustomed, if that’s the case.
  • Share information: If some part of your operations is down, or you can’t provide a certain treatment as usual, tell patients before they arrive at your facility, so they can make other arrangements. If data were lost, share what kind of information was breached, and what you’ll do to support affected patients.
  • Reach out directly: Contact affected patients directly to mitigate negative feelings and blunt any negative social media posts.
  • Limit the scope of concern: Ascertain exactly what happened, then communicate the scope of the impact. For example, in a DoS attack there is no actual breach, so give patients confidence that their information is not at risk.

Community outreach messages should include:

  • “We are open for business,” but be forthright about limited service, if that’s an issue.
  • “Impact contained,” but don’t be premature in saying this.
  • “We are prepared to move forward.” Lay out what patients should expect, and how you’re going to improve systems in the future.
  • Even if the organization wasn’t at fault, it should apologize for the inconvenience the incident has caused.

Keep in mind that a cyber attack carries certain challenges that other crises do not.  Full transparency may not be possible, because speaking publicly about how you were compromised or what fixes you plan to put in place could increase your future vulnerability.  And if your network is down for an extended period, you might have to turn to other means to get your messages out, like using personal devices that aren’t on the network, or deploying people on foot to inform patients.

Being prepared to respond is vital, so start the conversations now.

Employee Ambassadors in Healthcare

The Key Considerations

Congratulations! Your organization agrees that leveraging key employees as brand ambassadors will lead to better reach, credibility and engagement than your own company channels can achieve.

Scenario planning, creating guidelines, training and selecting the right employees and the best content to share are the key considerations in designing and launching an Employee Ambassador program.

Developing clear guidance: It goes without saying that you must get the buy-in of senior management – particularly because of the program’s potential impact on corporate reputation. After their buy-in, your next meeting will be with your legal/regulatory and medical team to create an issues preparedness plan and program guidelines.

The development process may take several months to a year. But when completed, it will serve as the working guidebook for employee ambassadors and the internal team that manages the program.

  • Issues preparedness: Working with your legal, medical, social media, communications and HR teams, identify potentially negative scenarios and issues related to employees engaging in social media on your company’s behalf. Use these findings to develop a “Regulation Roadmap.” This roadmap will provide communications guidance and responses – including messages and social media copy aligned with Food & Drug Administration (FDA), Federal Trade Commission (FTC) and Health Insurance Portability and Accountability Act (HIPAA) regulations – for the most likely scenarios.
  • Employee guidelines: Your employees need to abide by clearly articulated rules. The purpose of these rules is to influence employees’ content without telling them exactly what to say. Their content is liked and shared by others because they inject their own character and personality into posts.

Guidelines should include background on the company and what it stands for, program goals, the brand voice, how to stay compliant with regulations, responsible social media strategies and how to handle questions on their posts. They should also include information about who to contact in case of a question or issue.

Choosing the right employees: Recruiting employees to become advocates isn’t as difficult as you may think. You can start with enthusiastic employees who already share your company’s message. Or just ask for volunteers and triage the employees who opt in. Prioritize those who have large online followings and an online voice consistent with that of your organization. No matter your method, you’ll need to audit their social media channels to identify any red flags or opportunities. The audit will also help inform your training program.

Training: The employees who volunteer as ambassadors will probably be social media savvy. Still, you need to ensure they are savvy about the rules and expectations of your program, so we always recommend conducting a formal training program for all participants.

Content: Employee ambassadors should be viewed by their followers as healthcare influencers, not as a mouthpiece for your company. Therefore, most of the content you provide should focus on general health and wellness; only a third to a half should be about your company.

Before making content available, seek your employee ambassadors’ input on the type of content they like to share. The more relevant the content, the more likely they are to use it.

Via the company intranet or another easily accessible online storage unit, curate a variety of approved articles, visuals and video they can easily share and continually encourage feedback. Health and wellness content may include tips, recipes, photos or infographics developed by your company for your own channels or by third parties. While expensive to produce, video and visuals are more frequently shared than articles, so try to include some in the mix.

Keep content fresh by ensuring that future corporate initiatives and marketing programs include development of ambassador materials as part of the plan. Communicate with your ambassadors first about updates and changes, new products and other company news.

Measurement and analytics: There are many ways to measure the success of your employee ambassador program, and the metrics you choose will be based on your goals. At a minimum, you should be analyzing the following:

  • Program reach: How many people did your ambassadors reach with company-related content? How many posts contained the company hashtag?
  • Traffic on company sites: Was there an increase in traffic on your owned and shared sites during the program?
  • Ambassador engagement: What percentage of employee ambassadors participated in the program and how frequently did they participate? Who were the most and least active ambassadors? Which ambassadors’ posts had the most engagement (likes, comments, shares)?

These metrics will help you understand how active your employees are and the type of content with the most engagement – information fundamental for continuing the program – and hopefully for the program’s continued success.

Employees are Best Ambassadors

Enjoy Awareness, Credibility and Endorsement

The healthcare industry is governed by rules under a whole host of government agencies, including the Federal Trade Commission (FTC), Food & Drug Administration (FDA) and Health & Human Services (HHS). You’re already challenged with getting content approved for your brand or company’s own channels. Knowing the implications of a Health Insurance Portability and Accountability Act (HIPAA) violation or FTC misstep, why would you consider asking your employees to advocate for your company?

The short answer? The right employees are the best brand ambassadors, providing the kind of awareness, credibility and endorsement for your company or brand that can’t be bought. Consider the following:

  • Increased reach: Employees can reach patients in their social graph who might not be considering your brand – and might never seek out your website or social channels. Employees’ social media posts reach 561 percent further than the same posts shared by a company’s social and owned channels. Once that content is posted, it’s shared 4.5 more times than social influencer posts.
  • Authenticity and credibility: Today’s health consumers shop for healthcare services the way they shop for other expensive purchases. Regardless of how healthcare evolves under the new Presidential administration, consumers will continue to have a lot more choice in who provides their healthcare. They are researching healthcare the way they do other services – seeking information online and soliciting the opinions of others. Half of all consumer buying decisions are influenced by word of mouth, and according to one study, 92 percent of people trust recommendations from people they know.
  • Engagement: Across all industries, consumers are increasingly less interested in what companies have to say, favoring instead the opinions of influencers and the people behind the brand. A study released last year by Altimeter Group found that 21 percent of consumers said they “liked” employee posts about companies — an engagement rate comparable to or better than other social advertising campaigns at a much lower cost.
  • Addressing risks upfront and providing clear guidance to employees considerably mitigate risk: The biggest question is how to manage risk. And it should be. Once management buys into an employee ambassador plan, your first step will be partnering with your legal and medical team to anticipate possible negative scenarios and develop guidance on how to handle each one. You will need to make sure, for example, that programs comply with FTC regulations by having employees include a hashtag in all posts to make it clear that they are employees. You also will want to develop clear direction on adhering to HIPAA guidelines.

Getting your employee ambassador program up and running will take some work. But once you create guidelines and identify and train employees, our hope is that you will find the benefits far outweigh the risks.