Cyberattacks are on the rise. Are you ready to communicate in a time of crisis?

By Michael Petrone
posted Dec 19, 2023

“Local health system says recent outages are likely the result of a cyberattack.” Sound familiar? In the ever-expanding digital landscape, healthcare companies, especially hospitals and health systems, are leaning heavily into online services to provide and manage patient care. Whether through the adoption of electronic health records over the past decade or the presence of telemedicine, patient information has never been more accessible to patients and, unfortunately, to cybercriminals looking to extort healthcare providers for a quick buck.

Quick Stats:

  • On average, the cost of a cybersecurity breach in healthcare is $10.93 million, the highest among the 16 nationally-recognized critical infrastructure sectors in the US.
  • This average is double the cost of the second most targeted industry, finance.
  • As of November 17, 2023, more than 100 million patient records have been breached.

Why is hospital data so valuable for cyber criminals? 

During a cyberattack, a hospital must choose between protecting its finances and succumbing to the pressure to restore access to lifesaving technology and care services.

Patient data has increasingly become one of the most coveted pieces of information globally. Without the proper health information and patient files at their fingertips, hospitals more or less have their hands tied behind their backs when tending to patient needs: What medicine has this patient been taking? How do I access a patient’s medical history when our systems are locked?

Also, the possibility of cybercriminals not only sharing protected patient data publicly but also gaining access to change treatment plans is something that keeps providers and hospital leaders up at night.

Communications should be leveraged to help hospitals fight back.

In today’s world, everyone can be a critic, influencing the media and spreading misinformation across a variety of social media platforms. In these instances, a hospital will be judged both for its operational response to a cyberattack and for how it communicates with key stakeholders as the situation evolves.

To avoid confusion and the spread of misinformation, healthcare organizations must be prepared to respond swiftly and issue timely, clear communications in the moment to maintain trust and credibility and avoid scrutiny given the sensitive nature of the data being held hostage. To best position your organization for success in the event of a cyberattack, we recommend:

  • Reviewing cyberattack crisis communications plans. Your crisis communications plan should clearly articulate procedures and protocols to inform audiences of the situation and the steps you are taking to address it both at the outset and with new developments. Also, review and refine stakeholder maps routinely to ensure you can reach the right audiences with the right message at the right time.
  • Reviewing and/or implementing plans for alternative communication channels. Ensure you have alternatives in place to communicate quickly with key stakeholders, provide regular updates, and control the narrative if your systems are down (e.g., dark sites, push notifications, encrypted messaging).
  • Conducting scenario planning. Managing communications around cyberattacks is a complex and sensitive process. To prepare your organization to navigate these dynamic situations quickly and successfully, it is crucial to develop scenario plans for the different types and phases of cyberattacks. They should include the process to manage an incident and provide baseline messaging and materials for adaptation based on details of the incident. The sequencing and timing of communications by audience are critically important and dependent on a variety of factors, from regulatory requirements and customer contract provisions to the status of the forensic investigation.
  • Conducting annual or bi-annual crisis simulation drills. Cyberattacks can lock physicians out of patient information systems, compromise protected data, shut down hospital equipment, and delay patient care. They can also trigger lawsuits, penalties, negative media coverage and heightened political scrutiny. To mitigate risks, ensure that your operational response plans match your communications response plans and pressure test them regularly through simulation drills that give communicators a seat at the table. A lack of timely communication can result in life-impacting struggles.

Want to talk more about our learnings and work in this space? Reach out to our team to learn more.