Traditional approaches to mitigating cyber events—even ones that have been successfully implemented on behalf of other sectors—are falling short against the vulnerabilities being created by criminals in the healthcare field. Cybercriminals continue to stalk the healthcare sector to disrupt, break, and contaminate its interwoven, highly digitized landscape for gain.
They’ve attacked the data collection of clinical trial research from pharmaceutical companies seeking cures for disease. They’ve disabled health systems’ ability to care for their patients. They’ve targeted executives who sit atop and within payers and providers in the hopes of holding both their personal and professional profiles captive. Combined, they are having a lasting effect on the reputation of the healthcare sector and the safety and durability of its products and services. So how should marketers prepare?
1. Understand the Risks
A recent JAMA study [1] found that the number of ransomware attacks against healthcare organizations doubled in the last five years. Clinics—some of the smallest players in the industry—are often on the front lines. Another study [2] suggested upwards of 10% of the American population has been directly impacted by a cyber event in the health space. Almost half of the cyber events created a disruption in care delivery.
If successful, cybercriminals gain access to valuable information. It is highly confidential, personalized, and time sensitive. Furthermore, the ability to control, remove, manipulate, and hold the data hostage for money is an added incentive, making for a lucrative ransomware payoff or future sale on the dark web even years later. Data breaches in the healthcare industry come at a high price, with the average healthcare data breach costing $10.93 million. Factor in additional data that is often compiled alongside health information, such as personally identifiable information (PII), insurance, and financial data, and it’s clear the feeding frenzy has only just begun.
2. Adapt Your Organization’s Off-the-shelf Cyberattack Response Playbooks
Traditional playbooks are falling short, especially as it relates to timing and reporting. These playbooks should not only include technology service restoration and business continuity planning but also communication protocols. Cybercriminals exploit the ability to disrupt care to pressure compromised parties, who are more than likely to cave to demands, into paying ransoms. Saving a life within the golden hour gets that much harder when a cybercriminal can now move laterally at machine speed within the same time span.
Plans need to be informed by artificial intelligence (AI), machine assisted, and updated to reflect modern threats. Ensure your plans include how your organization will communicate with patients and other stakeholders to tell them what happened and what your organization did about the incident to prevent the same failure from happening again.
3. Communicate Early, and Often
Reporting cyber events from a legal and compliance perspective is also more complicated in the healthcare space. While most companies allow themselves the maximum amount of time to study an intrusion prior to disclosing it publicly, healthcare companies don’t have the luxury of waiting. The ethical standard of putting patients first urges a more prompt and immediate disclosure.
Imagine if a health system chose to pause or slow down an audit of impacted patient files following a data breach for fear it would trigger a regulatory disclosure. Or if a pharmaceutical company chose to move forward with clinical data they knew could have been compromised in the interest of being first to market with a new drug. With lives in the balance, the healthcare sector requires faster, broader, and more comprehensive disclosure. From an impacted individual perspective, the longer their data sits in the hands of a cybercriminal, the more it can be traded, manipulated, and disseminated on the dark web.
4. Don’t Forget About the Impact on Employees
In healthcare delivery, employees are your frontline ambassadors for every interaction with key stakeholders, from the emergency room to the pharmacy line. Consider launching all communications with an employee-centric/employee-first mindset. They will be your strongest advocates and communications champions, will be the first to roll out and evolve enhanced technologies and online security protocols, and should be empowered with information on how you plan to mitigate future threats. Your external messaging needs to be informed by what you are hearing from employees and other key audiences—so ensure communication goes both ways.
5. Stay Ready, So You Don’t Have to Get Ready
The practice of crisis plans and “one and done” events is over. The interwovenness of culture, conscience, and crisis merits a different set of skills, tactics, and approaches to protect reputation. While technology, finance, and healthcare are consistently the top three industries under attack by cybercriminals, healthcare especially requires acute nimbleness, planning, and preparedness to enable it to continue to deliver on its promise to consumers and patients. Conduct a cyber simulation, tabletop, or workshop at least once a year with a cross-functional response team.
It’s critically important that healthcare marketers and communicators create proactive communications plans so when you need response teams to act, they are empowered to move quickly with military-style precision. Learning and constant adaptation must become part of the corporate culture of readiness. These are the best lines of defense in the ongoing cyberwar against the healthcare sector.
References:
1. Neprash HT, McGlave CC, Cross DA, et al. “Trends in Ransomware Attacks on U.S. Hospitals, Clinics, and Other Health Care Delivery Organizations, 2016-2021.” JAMA Health Forum. 2022;3(12):e224873. doi:10.1001/jamahealthforum.2022.4873.
2. U.S. Department of Health and Human Services Office of Information Security. (2022, February 17). Electronic Medical Records in Healthcare. https://www.hhs.gov/sites/default/files/2022-02-17-1300-emr-in-healthcare-tlpwhite.pdf.