The U.S. Department of Health and Human Services’ Office for Civil Rights reports 454 cyber-breach cases under investigation this year involving health organizations. At this rate, the U.S. healthcare industry once again trends as a top target for cyberattacks, pressing the federal government to issue a warning for the health sector to “take timely and reasonable precautions to protect their networks.” Taking form of a cyber crisis response plan, these precautions must prioritize rapid and effective communications to help avoid a damaged reputation, lost revenues and mitigation costs.
So, how prepared are health organizations for impending cyberattacks? A 2020 report by cybersecurity firm Herjavec Group found that only four to seven percent of a health system’s IT budget is in cybersecurity even though most hospital administrators consider data security a top priority. What’s more, cybersecurity and anti-virus provider Kaspersky reported 24 percent of U.S. healthcare employees had not received cybersecurity training and 40 percent were unaware of their employer’s cybersecurity policies.
Although the industry has acknowledged the rise in cyber threats, health organizations still lack a proper response strategy. A comprehensive communications plan prepared ahead of a data breach will save time and stress for when stakes are high. Here are key items your organization should consider when crafting its cyber crisis response plan:
Create a task force and internal communications process. Identify and delegate responsibilities to a team of trusted individuals – senior business, legal, communications and IT executives—who are invested in the organization’s data security and possess working knowledge of the organization’s security policies and procedures. This task force should include a trained spokesperson (e.g., Chief Executive Officer) who can confidently speak on behalf of the organization when a cyberattack occurs.
It is also important to educate all employees of organizational security policies and protocols and establish an internal communications system that aims to control the narrative around an incident, internally, before news breaks publicly.
Learn the law. Many health organizations are bound by the federal Health Insurance Portability and Accountability Act (HIPPA) Privacy Rule and Security Rule—national standards intended to help protect certain health information. Many states also prescribe their own cybersecurity requirements over health information and mandate specific security breach notification laws. Organizations should coordinate with their legal and PR teams to ensure that all prepared crisis response messaging and materials meet regulatory and fiduciary responsibilities.
Practice makes perfect. Risk assessments are critical to ensuring that all pieces to an effective cyber crisis response are ready when the time comes. Crisis simulation tools like APCO’s emPOWER, gives organizations the unique opportunity to test and evaluate their cyber crisis preparedness in a way that transcends traditional tabletop exercises. Nevertheless, whatever method of scenario testing your organization chooses, the only way to secure the best chances for success in responding to a breach is through practice.
Timely and detailed notice is key. When a data breach occurs, several things must happen in order to comply with the law and for the sake of good business practice. Once your organization becomes aware of the incident, those impacted by the breach should be promptly notified in accordance with governing law. The sooner people know about a breach of their sensitive information, the sooner they can protect themselves against identify theft and fraud.
Breach disclosures are typically required to include important items such as facts surrounding the incident and the type of information that was compromised. Organizations should also articulate remorse as well as assurance that actions have been taken to remediate the situation.
Some cases require organizations that experience a breach of health information to notify law enforcement, government agencies and/or the media. Legalities aside, an effective strategy also includes the timely dissemination of holding statements, FAQs, press releases and social posts via various channels of communication. In any event, health organizations should focus on having a plan prepared that prioritizes the speed, content and tone of their internal and external messaging.
Now, more than ever, the integrity of the healthcare industry depends on resilient proactive and reactive cybersecurity measures. Assembling a cyber crisis communications plan is a business decision that represents an organization’s commitment to its customers and reputation.
