Healthcare News & Insights

Making cyber crises less terrifying

No hospital wants to experience a cyber breach. But hospitals should prepare for one in advance so they aren’t scrambling at the last minute and making matters worse. In this guest post, Eden Gillott, president of a strategic communications and reputation management firm, details how to prepare for a cyber emergency.


You’ve all seen patients who either don’t know or forget to mention relevant family history – but still expect the doctor to effectively diagnose them.

The same is true when you’re in the thick of a crisis, speculation and facts are coming at you a mile a minute, and you have no clue what to do. You need all your information at your fingertips, and you need your best team at your side. No time for hesitation. No room for error.

Being prepared is preventive medicine. But be selective.

You don’t have the time or money to invest in a plan that comes in thick three-ring binders. They pretend to be comprehensive but are usually ineffective. No one reads them. They sit on shelves, gather dust and get outdated. They can’t imagine every possible contingency.

Better to invest your time, effort and expense in a concise plan that provides general guidance that lets everyone know the roles they’ll play, who’s authorized to speak, and how to stay on top of a tense, fast-breaking situation. If you don’t control it, it will control you.

Understand these simple concepts, and defusing a crisis seems less terrifying.

Start now. You never know when the unexpected will occur.

Build a team

Don’t end up like Abbott & Costello’s “Who’s On First?” routine.

You need to know at every moment where everyone is and what they’re doing.

Each team member must know his or her role. It should be something each person’s great at. If anyone hesitates about the idea of dealing with a crisis, get someone else who’s comfortable with it. It only gets worse during an actual crisis, and you need your strongest people watching your back.

Besides in-house staff, you’ll need:

  • An outside attorney who specializes in privacy and cybersecurity. Laws and requirements are constantly evolving, and you’ll need to adhere to different rules for different jurisdictions.
  • An IT security consultant. The head of your IT department may not be as familiar or comfortable dealing with such matters, and
  • An insurance agent who’s familiar with your cyber insurance policy. He or she can ensure you don’t do something that voids your coverage. This can save a lot of money and headaches.

Create an action plan

First, take a deep breath. Never let the public see you’re nervous. Never let the media see you sweat.

You really can’t know what to say until an event happens. But you can understand the broad rules and messaging: Reassure. Don’t alarm. Be positive and strong, not negative and unsure. Demonstrate you’re in control. Be empathetic. At all costs, avoid cookie-cutter statements because they’re perceived as insincere and weak.

Practice, practice, practice

Don’t create a plan, then forget about it. To stay fresh and effective, you must rehearse.

Periodic tabletop exercises are best, but they too often slip by the wayside. Too much else is demanding your attention. Preparedness seems low on the list of priorities.

If you let this happen, it’s at your peril. At the very least, plans should be reviewed as team members come and go and when major operational changes occur.

Communicate with purpose

Before taking any actions or making any comments, you must know what you want to achieve. Where you want to go. The best path there. Making sure your message strikes the right chord.

The sooner you communicate, the better – even if the scope of the breach doesn’t mandate disclosure. If the media breaks the story and you’ve said nothing, it’ll look like you were covering up. If you’re hit with ransomware that causes your hospital’s operations to go down, the media will be all over the chaos.

If everything has gone awry, you must start reassuring your audiences ASAP. Each affected group needs to know you’re handling the matter and what it means for them. The emphasis for each audience may differ. But your core message must be consistent for everyone.

Reporters love sound bites. So be concise. Stick to two or three talking points that are most important to you. Don’t stray beyond them.

Employees: Your best friend – or worst enemy

Even though they aren’t authorized, employees often can’t help speaking to the media. When a reporter sticks a microphone in their face, the allure of 15 seconds of fame is just too great. They speculate and say whatever comes to mind – no matter how inaccurate or uninformed it may be.

Employees are easy targets, and the media knows it.

What can you do?

Keep your employees informed. The more accurate information they have, the more reassured they will be and the less likely they will be to repeat rumors.

Remind them that all media inquiries should be directed to your designated spokesperson.

That may not stop all leaks, but it should plug most.

Eden Gillott is president of Gillott Communications, a strategic communications and reputation management firm, and is the author of A Lawyer’s Guide to Crisis PR (Second Edition) and A Board Member’s Guide to Crisis PR.

