How healthcare organizations can build on their operational readiness to protect their reputation in a crisis

With every data breach that makes the news, healthcare organizations – and their patients – are reminded of the industry’s heightened risk for cyberattacks. So far in 2024, there have been 491 data breaches of 500+ records and 67% of healthcare organizations have experienced a ransomware attack.

No one is immune from a cyberattack or other reputational crisis. But your preparation and state of readiness today are the best way to protect your company’s reputation when that crisis hits. Here’s where to start:

Identify your gaps in readiness. When you see a news story chronicling how another organization responded to their cyberattack (or other applicable crisis), take the opportunity to evaluate what worked, what didn’t work, and how those strategies fit with your current plan.

• If the same event affected your organization today, how would you respond? What would your weaknesses be – and can you make changes to strengthen them? Crisis planning is a 24/7 continuous improvement process.
• One of the biggest mistakes I see organizations make is to develop a robust crisis communications plan – and then put it on a shelf. Your plans are only as good as the latest update and your team’s ability to deploy those strategies.

Pressure-test your communications plan alongside your operational drills. Healthcare organizations typically have robust, refined operational crisis plans that are tested with regular drills. If there’s an active shooter, natural disaster or electronic breach, there’s a plan to keep staff and patients safe and continue attending to urgent medical needs. But too often, there’s not a tested plan to communicate with your key stakeholders in that same event.

• The most prepared organizations have evolved their operational crisis protocol to include – and drill – a communications strategy for reaching frontline staff, patients and other stakeholders when standard communications channels are disrupted.

Make sure all stakeholders are represented in your plan. Organizations have typically mapped out how and what they need to communicate to their key clients, customers or patients – but it’s common to underprepare communications for the rest of their stakeholders.

• Employees are often overlooked, but they will become your frontline ambassadors when a crisis hits. Front desk workers and medical staff will be talking to patients every day and will often be the first line of contact during a crisis. It’s critical to plan how to deliver important information at the right time and equip them with the tools and details to appropriately answer questions or direct them to the right contact.

Review your toolkit. I can tell an organization is prepared when they have a well-written statement, microsite and Q&A launched within hours of a crisis hitting.

Your ready-to-go toolkit should include things like draft statements and an offline microsite, as well as hard copies of policies, contact information, a strategy for making decisions and basic checklists for communicating across your organization.

Build credibility and goodwill today. You’ll need to draw upon a lot of trust and loyalty to weather a crisis, so it’s critical to take every opportunity to invest in those now with reliable, trustworthy communication and initiatives that authentically reflect your values.

When a crisis strikes, you’ll reinforce your reputation with communications that are:

• Fast – If you can’t match the speed of information on the internet, someone else will define you in your moment of crisis and your reputation will be at risk.
• Accurate – This must be carefully balanced with the need for speed, as the initial understanding of a crisis is often wrong. A good strategy is to quickly acknowledge the situation, assuring stakeholders that you are on top of it (investigating, working with authorities, etc.) and will provide more information as soon as you can.
• Empathetic – If your company screwed up, acknowledge it. Bad things happen, even to good organizations. And if your patients/clients/customers experience harm as a result, empathize with them and commit to making it right as best you can.
• Authentic – A crisis is when your company values are on display. Lean into the trust and credibility you’ve built and make sure your response matches your values.

Don’t forget to listen. Every crisis communications plan should have a strategy for engaging on social media, which is where your patients, partners and other stakeholders are getting information about you. But remember that listening – understanding what people are saying about you and monitoring engagement – is an equally critical part of that strategy.

• Look at the velocity, engagement and tone of posts about your crisis. Whether the conversation is speeding up or quieting down – and how people are reacting – will influence when and how you release additional information.

While there are no shortage of potential crises to plan for, cyberthreats present a uniquely specific scenario. You can guarantee that within any given timeframe, your organization will likely be attacked – even if it’s not successful – and you even have a roadmap of what it could look like, thanks to the all the stories from organizations that have already weathered data breaches and ransomware attacks.

While we help companies navigate crises in the immediate, near-term and potential future, I can’t overstate the value of taking the time during a “blue-sky” season to prepare for a potentially stormy day. Investing now in your crisis readiness could have a dramatic impact on your organization and reputation when it’s time to put your plans into action.