With the recent news of Anthem’s cyber attack still hanging heavy in the air, many of our clients find themselves asking, “Is my organization prepared should we fall victim?” As the incident shapes up to be the largest data breach in the healthcare industry, the hard, cold truth surfaces: even the biggest, most sophisticated companies, with perhaps some of the best cyber security systems in place, are vulnerable to cyber attacks.
As we continue to grow deeper into the digital age, cyber attacks are increasingly common. According to a March 2014 report by the data security research firm Ponemon Institute, criminal attacks on healthcare companies have risen 100 percent since its first study in 2010. Precautions must be taken to ensure your organization is prepared to take the appropriate action, and quickly. When dealing with a cyber attack, as with any crisis, time is of the essence. Every minute spent preparing once a crisis has happened is a potential hit to your brand and reputation.
While it is ultimately Anthem’s responsibility to address this issue with its members, patients may look to your clinical and administrative staff for guidance. As we continue to closely follow this story, we wanted to share some thoughts on proactive steps your organization may take should you be brought into the discussion or begin to receive questions from your community.
- Familiarize yourself with the issue via Anthem’s dedicated website, including checking its FAQs for impacted plans.
- Issue an internal statement and develop standby materials for external communications, such as talking points and FAQs, to help prepare clinical and administrative staff to respond to patient questions regarding the incident.
Anthem’s data breach should be viewed as a warning and an opportunity. Now is the time to fully prepare across all fronts – clinical, communications, legal, government affairs, etc. – should your organization face a similar situation. Here are a few steps you may take to start the preparedness process:
- Evaluate your own IT security measures, including protocols for spotting and reporting suspicious activity. This way, even if you can’t prevent a cyber attack, you can minimize its spread across records. A recent Becker’s Health IT & CIO Review article aptly titled “5 cybersecurity trends in healthcare” highlighted that hospitals and health systems are increasingly targeted by cyber attackers looking to gain personal and identifiable medical information, which is up to 10 times more valuable than financial information (credit card numbers) on the black market. Additionally, medical identity theft isn’t always immediately apparent, unlike stolen credit cards.
- Assess your ability to respond to a data breach of this kind and/or other possible IT security and workflow issues. Do you have the right team assembled? Do you have legal counsel identified and engaged? Do you have communications counsel that specializes in preparing for and handling crisis situations and planning?
- Develop a plan of attack that outlines your strategy, timing, tactics and template materials that you can quickly and easily deploy.
Issues will continue to arise. The potential for a crisis situation is there for every organization. Having a game plan (and the right team) at the ready won’t insure against a cyber attack or any other potential crisis, but it will make you better prepared to handle one when it does happen.
By Nicole Mraz, Senior Vice President at ReviveHealth