Time is of the essence, so advanced planning is crucial
The specific circumstances surrounding the breach will dictate how quickly the first message needs to get out. That said, it's important for providers to have plans in place for a variety of scenarios. As Sasha Boghosian of Revive Health notes, "If providers need to start the healing process from scratch, it can take weeks to get a single message out."
The experts we spoke with note three ways providers can prepare for data breaches: outline response protocols, organize messaging strategy, and drill the protocols.
According to experts at Lovell Communications, at minimum, provider organizations' response protocols should include an outline of who should be notified and who will take the lead in making decisions and approving communications. Boghosian adds that while there's no one-size-fits-all approach, health care organizations should develop an overall structure for their messaging, which may include message templates or checklists. Finally, Ellis notes it's important for provider organizations to practice their protocols to ensure the crisis team is prepared to act when crisis strikes.
The first outreach sets the tone for the organization's overall response and ability to bounce back
Years ago, a data breach could have devastated an organization's reputation; now, providers' reputations hang not on the breach, but on the response. Boghosian explains that as data breaches have become more commonplace, consumers are less concerned with long-term negative impacts and more preoccupied with how they're made aware of the issue.
Experts recommend a few key features for the first communication. Boghosian suggests that providers project honesty and reassurance by sharing, to the best of their ability, the most accurate explanation of the situation and note that there is a plan in place for dealing with the crisis. If they plan to offer services to affected patients (e.g., credit monitoring, identity theft compensation), they should share those as well.
Importantly, providers should show compassion for those impacted—acknowledge that people have suffered and avoid casting off blame. Experts at Lovell Communications note that in crisis situations, hospitals are often tempted to communicate in an "overly technical, hyper-legal manner, leaving patients feeling confused and, many times, unnecessarily concerned." The importance of tone cannot be overstated, as providers must ensure their outreach addresses not only patients' concerns, but is also expressed using patient-centric language.
Beyond initial outreach, long-term communication strategy is crucial for rebuilding trust
While most organizations tend to focus on the first 48 hours, Ellis contends that providers must continue to communicate with affected individuals in a deliberate manner if they want to restore their brand. He further explains how many hospitals share a common misunderstanding that "the end of the headlines means the end of the crisis; on the contrary, the crisis is not over until the providers' brand has been restored." Experts at Lovell echo this sentiment, noting that follow-up interactions must be "flawlessly executed through consistent messaging and strong customer service."
In addition to keeping patients informed, Ellis recommends that providers use ongoing communication as an opportunity to emphasize their strengths and remind patients of the reasons they chose their facility in the first place.
Related StudyRansomware Incident Response: Managing in Minutes
Providers' internal communication strategies are of equal—if not greater—importance than their external communication strategy
While it's tempting to sweep a negative incident under the rug, staff education is an important aspect of breach preparedness and response. Thus, experts at Lovell believe that providers should "talk about the incident openly with employees [and] use it as a learning and culture-building opportunity for the organization."
Ellis agrees, explaining that one of the most common mistakes provider organizations make is failing to keep internal audiences aware of the crisis response strategy. Health care organizations' brands are built and maintained through employees' interactions with patients –staff must be kept up to date so they are equipped to answer patients' questions and concerns.
Bringing it together, experts' four tips for breach communication are as follows:
- Plan ahead to ensure the first message can get out as quickly as possible
- Focus on the content and the tone of the first message
- Beyond the first outreach, rebuilding trust requires ongoing communication
- From start to finish, don't overlook the importance of communicating with internal audiences
A four-step plan to prevent ransomware attacks
Paint a picture of a cyber-resilient organization
Historically, cybersecurity preparation efforts have been isolated to the IT department, but the new quickly-evolving and sophisticated threat landscape demands an enterprise-wide and holistic approach. C-suites and boards must work in collaboration with IT and security leaders to ready their organizations to withstand and combat cyberattacks.
Download this infographic to explore the ecosystem of preparation efforts required for cyber resilience, key actions for IT leaders, and top lessons for non-IT leaders.