Communications leaders can play a vital role in helping health systems prepare for cybersecurity threats by updating crisis communication plans with specific cybersecurity contingencies. Review your plan today and consider making updates to address the following strategies:
1. Plan for dual scenarios. Make sure your plan addresses both how the organization would communicate in response to a data breach (through a phishing attack or other means) and a complete disruption or data loss (through malware and other attacks against in-house computer systems or local infrastructure).
2. Define the response team structure. Establish teams to lead both the incident response and the communications response – internal and external. Identify specific roles within executive leadership, IT, legal, compliance, communications and other areas that should participate in the response. Agree on a cadence for team calls and reporting.
3. Streamline the communication cascade. Establish a streamlined process for cascading information to internal audiences and to external stakeholders. Determine the most efficient vehicles for reaching each audience and the order in which the communications would be distributed.
4. Establish back-up channels and procedures. Prepare for potential system disruptions and data loss and identify alternate communication channels and procedures for communicating critical information as appropriate.
5. Identify external resources and partners. Maintain a list of external resources and partners who might need to be notified or mobilized in the event of a significant cybersecurity incident, including media contacts, government agencies, technical experts, legal counsel and call center or printing operations.
6. Understand required notifications. Work with your compliance team to understand the rules on notifications to government agencies, the media and the general public. Bookmark links to the HIPAA Breach Notification Rule and other relevant requirements for quick reference.
7. Commit to transparency. Emphasize the importance of being transparent during a data breach or other cybersecurity incident. Highlight the need for sharing clear and concise information on the incident and remind leaders that health care data breaches are reported publicly on the Office for Civil Rights Breach Portal, which is closely monitored by the news media and other industry monitors (including plaintiffs’ attorneys).
8. Train and test. Communicate updates to the crisis communication plan and train leaders and essential personnel on the changes to the plan. Consider conducting a tabletop exercise on a cybersecurity scenario to test and refine the updated plan.
Don’t have a crisis plan? Or need help improving your existing plan? Contact Lovell to learn how our Crisis Communications Practice can help.