Health care systems and hospitals need to have response plans at the ready in the event of a cyberattack, including how to get clear, timely and factual information to the public and to patients, says Jon Conradi, a veteran crisis communicator.
"Failure to address a crisis can, of course, result in operational response and communications breakdowns, longer turnaround to bring about full resolution and mitigation of the issue, negative impact on long-term reputation and actual harm to being able to provide care," Conradi warned during a discussion in early December for communications staffers from across the Catholic health care ministry. CHA sponsored the online discussion.
As a partner at the firm PLUS Communications, Conradi leads public affairs campaigns, provides strategic counsel and manages media relations for clients, including national organizations.
Conradi noted that health care is "an industry that is so often targeted by cyber criminals and other bad actors online." While cyberattacks require systemwide responses, he said health care communicators have a specific role to play in ensuring that patients and other stakeholders in the health care system receive timely and transparent updates.
Positive potential
Handled well, Conradi said, the communications response to a cyberattack can even become an opportunity to frame the system's response in a positive light. He said that can be done by spotlighting the system's quick and thorough action to counter the attack, its efforts to inform the public and to protect anyone affected, and its cooperation with law enforcement to find the source of the attack.
To stay in the know, Conradi said it is vital for communicators to be in the room when others — such as administrators, information technology leaders and legal team members — are detailing what occurred and making decisions about how to respond.
He offered lists of what to do and what not to do for cybersecurity response. The to-do list included:
- Be transparent about what you do and do not know
- Provide regular updates
- Ensure all entities across the system are delivering a consistent message
The list of no-no's included:
- Stay silent
- Delay notification of public or affected parties
- Hide information
Conradi stressed that communicators must stick to verified facts as they release information on a cyberattack. "You don't want to get ahead of your skis and put out something that then later has to be corrected or walked back," he pointed out.
He also emphasized the need to have a ready go-to online site that can be activated as a clearinghouse for public- and patient-facing resources.
Quick response
Sam Taylor, a managing director at PLUS Communications who specializes in media outreach, legislative advocacy, coalition building and strategic communications, also offered advice during the online discussion about responding to a cyberattack.
Taylor cited the International Committee of the Red Cross as a good example of how to communicate after a breach. That charity's sprawling operations were compromised in 2021 by hackers who accessed a database with personally identifiable information of more than half a million people, many of whom were fleeing war zones and disasters.
The Red Cross immediately acted, Taylor said. Its response included taking the compromised section of its database offline; deploying enhanced security measures; and contacting those potentially affected through various means, including in-person visits.
The charity's director general also went public with his fury over the attack, calling it an affront to humanity and pleading with the hackers not to use the stolen information.
"It's obviously a very sensitive situation, but really importantly, I think this case study shows the Red Cross didn't try to hide it, they didn't try to minimize it, they didn't try to sweep it under the rug," Taylor said. "They responded really quickly, and quite frankly, the director general was pretty outraged in his initial public statement."
Poor response
He contrasted that example to how Equifax responded when it was hit by hackers in 2017 who compromised data on 143 million Americans. The credit reporting agency's missteps included waiting six weeks to tell the public about the breach, posting a poorly designed informational web page and offering those affected free credit monitoring but only if they waived the right to sue.
Taylor said Equifax had to revise several steps of its response. "You don't want to be backtracking or taking back information after you've already put it out and offered it," he advised.
Conradi and Taylor urged communicators to be proactive by creating strategies and doing drills on their plans so they are ready in the event of a hack. "Any kind of small cybersecurity incident can quickly balloon to a major public relations headache if not handled properly at the outset," Taylor said.
CHA members can watch a video of the webinar here.