I have been a part of many PR crises in my day – ranging from one of the state’s largest Chapter 11 filings to a client that had an employee involved in DUI that injured the parties in the other vehicle. Plain and simple, crisis communication is a necessary evil in the world of PR. Crap happens, and you have to be prepared for it, otherwise you will find yourself in deeper trouble.
I’ve witnessed many PR mistakes that have left me and many others scratching our heads. From my experience, here’s what not to do in a crisis:
- Not answering when the media calls or delaying in calling them back
- Not taking responsibility or ownership for the problem or deflecting it to someone or something else
- Taking a call from the media, but responding with an emphatic “no comment”
- Making a statement to the media when you have no idea what to say or what process should have been in place — you are woefully unprepared
If that sounds like your company, read on.
With Aloft’s heavy involvement in the healthcare IT industry, not a day has gone by in the last two months that I haven’t read something about the ransomware crisis. It all began back in February with Hollywood Presbyterian Medical Center, based in Los Angeles, who was “victim to a cyber attack”. (You may have seen the "Healthcare InfoHacks — A New Age in Cyber Security" blog post about it right here.) Though it sounded relatively harmless at first, in reality it left me and many others thinking that this may be the beginning of something really big. And not in a good way. Essentially, those elusive cyber bullies that we hear about in other contexts, figured out a way to hack into the hospital’s computers and held that data hostage while waiting for hospital executives to pay a fee to gain back access to the information.
“Data” sounds so impersonal, but when we are talking about a hospital’s data, we are talking about your own patient data — something very personal indeed. And, the repercussions are dangerous. It could be your friend or relative in the hospital, whose data cannot be accessed by the doctor because it’s being held for ransom. Just think about that for a minute. The doctor cannot see medical data to help a patient. This delay could be dire if we’re talking about an ICU patient, or another critically ill patient in which every minute matters.
The costs to a hospital or health system in a ransomware attack are mind boggling. We’re not just talking about the ransom itself, but all the other potential costs associated. According to a column entitled "Healthcare Organizations Must Consider The Financial Impact Of Ransomware Attacks" in Information Week written by someone from Intel who specializes in “threat intelligence research” the costs of a ransomware attack can span from legal costs, notification costs, overtime costs for IT personnel, lost trust among patients and the list goes on. And Hollywood Presbyterian is just the first hospital for this to happen to, as more and more hospitals are falling victim or are being targets. This problem is not going away.
Following the most recent attacks, the healthcare media became abuzz with ransomware stories and Twitter was filled with tweets about how to deal with #Ransomware. You know when there’s a hashtag, and it’s trending on Twitter, that everyone will take notice.
If you are in the PR department for a hospital, and you haven’t yet added the ransomware crisis to your overall crisis communications plan, you are in trouble. Here’s what to consider when developing your crisis plan, whether you are a hospital or not:
- Don’t sugarcoat anything: Let them know the bad things that have happened or might happen. Hospitals affected by ransomware shouldn’t tell the community everything is alright, because it isn’t for the time being. The public will respect you more if you tell it like it is. There’s nothing worse, or more transparent, than a company that is trying to save face.
- Take ownership: Admit that you could have had tighter controls in place. Don’t point the finger. You need to improve things and that starts from within. Again, the public will respect you more if you acknowledge that there’s a problem, but you are going to try to fix it.
- Keep communications forthright and consistent: Don’t come out at the beginning of the crisis and then refuse to offer the media any additional information. It will only keep them and the public wondering. You need to communicate consistently with the media in the bad times so they will be more willing to listen to you in the good times.
Your crisis might not involve valuable and sensitive patient information, but it’s still a crisis you must address. Though you may take some lumps for being honest and forthright, in the end, it’s worth your brand’s long term reputation and brand equity to be prepared to attack any problems head-on.