Bracing for Cyber Attacks

Reputation Management is Key

If Target suffers a cyber attack, customers’ credit card information may be at risk. But if a hospital or health system is struck by ransomware or a denial of service (DOS) assault, not only could patient health information be compromised, but quality of care can suffer, and indeed, lives could be at risk.

In a recent webinar by the New England Society of Healthcare Communications (NESHCo), of which SPRYTE is a member, Diana Pisciotta, president of Boston PR agency Denterlein, explained why healthcare providers need to be hyper-vigilant about protection from cybercrime.

Ransomware, which blocks your access to your own files until you pay a cash ransom, can send a healthcare facility back to the Stone Age, as happened at Hollywood Presbyterian Medical Center in Los Angeles last year.  In 2014, Boston Children’s Hospital suffered a DOS attack which crashed its server, rendering its website and intranet useless.  And a data breach can not only put patients’ medical information at risk, but open them up to potential ID theft because of the highly personal information in their records.

With so much at stake, maintaining your good reputation means healthcare communications professionals have to be ready to respond, reassure their audiences, and mitigate any potential negative reaction.  As in any crisis, they need to do it quickly, transparently, and with authority.  And as in other corporate crisis situations, it is helpful to do all you can do to prevent a disaster before it occurs.

This means PR staff should communicate with the IT department to make sure all that can be done to protect the organization is being done.  According to Pisciotta, some of the questions to ask include:

  • Are protections up to industry standards?
  • Are they doing spot checks or audits to ensure the network is safe?
  • Are policies and procedures updated routinely?
  • Are they pushing outside vendors for ideas to strengthen firewalls and protect personal info
  • Are there official agreements with third-party vendors to protect data?

But even with those precautions, the worst may occur.  It’s already happened in other health systems.  So we always advise our clients to scenario plan for any potential adverse scenario and develop messaging and standby statements for those with the highest probability.

During the webinar, Pisciotta stressed that if there is an incident, the basic crisis communications rules apply:

  • Maintain confidence: Let patients know they will continue to get the same quality of care to which they’re accustomed, if that’s the case.
  • Share information: If some part of your operations is down, or you can’t provide a certain treatment as usual, tell patients before they arrive at your facility, so they can make other arrangements. If data were lost, share what kind of information was breached, and what you’ll do to support affected patients.
  • Reach out directly: Contact affected patients directly to mitigate negative feelings and blunt any negative social media posts.
  • Limit the scope of concern: Ascertain exactly what happened, then communicate the scope of the impact. For example, in a DOS attack there is no actual breach, so give patients confidence that their information is not at risk.

Community outreach messages should include:

  • “We are open for business,” but be forthright about limited service, if that’s an issue.
  • “Impact contained,” but don’t be premature in saying this.
  • “We are prepared to move forward.” Lay out what patients should expect, and how you’re going to improve systems in the future.
  • Even if the organization wasn’t at fault, it should apologize for the inconvenience the incident has caused.

Keep in mind that a cyber attack carries certain challenges that other crises do not.  Full transparency may not be possible, because speaking publicly about how you were compromised or what fixes you plan to put in place could increase your future vulnerability.  And if your network is down for an extended period, you might have to turn to other means to get your messages out, like using personal devices that aren’t on the network, or deploying people on foot to inform patients.

Being prepared to respond is vital, so start the conversations now.