Is it possible for a hospital to turn a small cybersecurity incident into a full-blown crisis based only on the words used and the approach to communicating about the event? What about the opposite – is it possible for a major incident to be mitigated and minimized with little reputational damage…just through effective communication?
The answer to these rhetorical questions is, obviously, yes.
That’s according to cybersecurity with Barry Mathis. Mathis is a principal at PYA where he draws on three decades of experience as a chief information officer, chief technology officer, and other roles to help healthcare clients plan, develop and implement complex IT solutions.
As part of that work, Mathis spends a lot of time advising healthcare organizations on how to reduce risk and avoid – or worst-case scenario, minimize – the fallout from cybersecurity incidents. For this conversation Mathis joined Dan Schlacter, a vice president in the Jarrard Inc. Health Services Practice and lead on much of the firm’s cybersecurity work, to talk about the best practices and the role of communications both before and after an incident.
- Be strategic about the words that you use to describe a cybersecurity attack: Avoid the word “breach,” and instead opt for a word like “incident,” to reduce exposure and dial down the temperature in communications about the event.
- Prioritize cybersecurity training and have a crisis response plan in place before an attack happens to ensure that your organization can respond to an attack quickly and efficiently.
- Loop in communications experts and legal counsel during the early stages of a cybersecurity incident. (And don’t take anything in this conversation as legal advice. We are not attorneys.)
[00:01:32] David Shifrin: Let’s talk about cybersecurity. An unfortunate but necessary topic of conversation. I think our audience overall is pretty familiar and pretty comfortable with what’s happening in the healthcare cybersecurity landscape these days.
But Barry, if you would, just take a minute to talk about anything that’s new and upcoming. Any nuances that may be different from where it was a year or two ago.
[00:01:58] Barry Mathis: It’s over the last couple of years, I’ve seen a huge uptick in just people being concerned. We’ve had too many hospitals go through a cyber-attack. We’re having to put better plans in place for those. Aside from that specifically, just in the last two years, I’ve seen a huge swing, as evidenced by what’s being reported and even what’s being discussed in the dark spaces, in the dark web, rural hospitals are a target. Some of it happened in a little uptick and bubble right after COVID was over. And, during COVID there was a gentleman’s agreement among thieves that, “we won’t attack hospitals because we may need those hospitals,” and, with the exception of the children’s hospital in Machek? (2:45) whom they saw fit to go ahead and attack immediately during COVID during their weakness, there wasn’t a ton of activity.
But, what I believe, is there were a lot of infiltrations where the bad actors were in place, but they hadn’t actually pulled the trigger. And then rural hospitals became a target right after that because rural hospitals had some money based on some of the relief funds that were going in so they could pay for ransoms.
They didn’t have some of the same tools, the expensive tools that some of the other hospitals had. They just were easier targets. That’s continuing, and to the point that we’ve seen two or three of the large, advanced, persistent threat groups come out and say that they’re turning towards healthcare.
They’ve been in other industries for years, and they’re now looking at healthcare as “this is a place that we can make some money,” because 95 or more percent, I can’t quote the Verizon report exactly, but it’s above 90%, are financially motivated. It’s all about the money, and those who are in the business to make money have determined that healthcare is a good space in which we can make money.
[00:03:45] Dan Schlacter: Adding a bit to the question of what may have changed in recent years, one thing that I’ll call out there is the proliferation of partnerships among healthcare providers and all points within the healthcare industry. And so, it’s highly unlikely at this point that we have a self-contained healthcare system.
You’re working with different vendors, you’re working with different partners, there’s a lot more parties involved in the process, and that means more access points, more need to protect your information, understand how that information is being shared, what is going to who, and also making sure that everyone is trained on how to be safe.
In terms of things that folks may be missing, I don’t think it is that different than your average patient with preventive health. It is not something that people want to think about in general, in terms of a cyber threat. It’s easy to avoid.
There’s plenty of other things going on in your day-to-day operations that do have very pressing demands on your time. And so, it’s easy to put to the side and say that “we will deal with it if and when it comes up.” And so, I think that’s probably one of the most common mistakes is just not prioritizing it ahead of time so that you can take the appropriate measures to be in a position where should something happen, you are able to react to it quickly and appropriately.
[00:05:10] Mathis: If I can add, the two most common areas that we see the biggest gaps is we go out and do risk analysis assessments. One, everybody knows education’s important, right? But for some reason a lot of providers are still stuck in their accreditation-type education. The IM chapter seven of JCO? says, “you must provide HIPAA education.”
The HIPAA rulebook says you must provide HIPAA education, and it’s the same HIPAA education. It hasn’t changed a lot. It doesn’t include some of the things that cyber attackers use as phishing lures, we call those. It doesn’t include, what do you do in the event of you suspect something.
If you’re within the sound of my voice and you’re a CEO or a COO or a CIO, and the answer to the question is yes, we do HIPAA education once a year, then you are woefully behind the eight ball on that one. It should be a weekly, if not a monthly sort of thing where there’s tons of reminders, somebody’s watching what’s going on in the industry and translating that into education, real-time education.
That’s how you’re going to stop a lot of these attacks; by simply cutting it off before it happened.
[00:06:17] Schlacter: I like your comments there, Barry, especially around this concept of we have maybe checked some boxes in terms of preparation. Maybe it’s HIPAA training or what have you, or even we have a crisis response plan on the shelf. However, communications has not been engaged there to involve all of the appropriate parties in understanding that we have this plan available, and how are we putting it into practice over time, such that it is normalized and built into our day-to-day, and we’re all familiar with it, should we need it. And hopefully we’re so familiar with it that we’re doing the small things and the big things on a daily basis that will help to prevent us from needing it.
I know from the communications side, clients are always looking for content to feed your channels. You have your CEO messages, you have newsletters, you have intranets, you have all of these different channels and vehicles to share information internally, and the communications team is usually hungry for stuff to put in there. Sharing security information, HIPAA updates, what to do with certain types of emails should you receive them, tips and tricks, we have a lot of opportunity to keep all of this fresh in everyone’s minds, but it only works if that plan is not stuck in a drawer somewhere with the only intent to bring it out should it be needed.
[00:07:41] Mathis: Excellent points. We see a lot of testing for plans, and these are the folks who they’ve done planning. It’s there. And so now we’re moving into, okay, let’s see how they’re testing it.
And tabletop exercises are very common either to review the documentation or participate and even facilitate. But it’s interesting how many tabletop exercises, when you get an hour or two into it, you ask the question, “where’s communications in this?” And I’m not a communications expert, I’m telling you this as just a disinterested third party that sees this as a problem. And the answer is we let our marketing/public relations people, they’re part of this, they have a message that they have put out. I said, “how do they know if they have canned messages?”
Yes. Okay, well, who do they work with? Well, no, that’s internal. And I’m always a little confused and somewhat concerned for those clients because if my plumbing breaks at the house, I call a plumber. If my air conditioner goes out, I call an HVAC person. If I have a landscaping or foundation issue, I call a civil engineer.
It’s somewhat puzzling sometimes that someone feels like they don’t have to reach out to a third party to say that, “this is what we do as an expert, we communicate. We help you develop your message and things.” So that’s a gap I think in even some of the plans that we see.
[00:08:56] Shifrin: I want to use the opportunity to pivot a little bit into something that we talk a lot about at Jarrard, which is the idea of the appropriate level of transparency. And so, with the very big disclaimer and caveat that nobody here on this call is an attorney, and we’re not delving into the legal issues with that, how do we think about the appropriate level of, what do you say? What do you not say?
When it happens, that is a massive trust breaking moment potentially. So how do you work through that and communicate in a way that stabilizes and potentially even repairs that trust?
[00:09:35] Mathis: Dan’s going to be more of an expert on this, so I’ll let him fill in all the gaps for me. This goes back to what I just said, and that is you don’t want your CIO or your CEO, you certainly don’t want anybody in the IT department determining on what message is out there. And sometimes legal needs to be there, but legal may not always be the best person for deciding what that message is or maybe when it goes out, but they should be involved.
So, I think it’s a team of people, but in that team, you’ve got to have some people who are experienced in both compliance, what you have to communicate. And the one thread that I lean on through that communication is from a compliance standpoint, what are you allowed to do in terms of determining what your communication is versus what you must communicate?
So, understanding the compliance piece with legal speak, but then having somebody who’s experienced with communication, I think is also key. And again, I’m saying this as a former CIO, CTO, compliance person and auditor. I’ll give you two quick stories. One where I think the mistake was made, and that is a rural hospital who had an incident. Wasn’t a breach.
And I think afterwards, anybody who looks at it, professionals would say it wasn’t a breach. But they called it a breach. In their email communications, it was a breach. Even legal said, “we’ve got to deal with this breach.” And on a scale of one to 10, it was really a two, but because of how they handled the communication, they themselves exacerbated it to… it felt like a 10.
And they had OCR and a lot of other people involved. And from a community standpoint, it looked like it was a place falling apart, when in reality, it was just a business email compromise.
The second story I’ll tell you is one that was a huge breach. 600 devices. The hospital didn’t see a patient for weeks. But if you asked the community today, they’d say, “Yeah, I remember that. That was a few years ago. They just had some computer issues,” where the communication was handled the right way.
It was never called a breach. It was called an incident. The right people, they had a war room. Things didn’t go outside that war room. They had people guiding them in that, and it was a massive breach from my opinion, but somewhat quiet around the community and even in the industry.
Ultimately, it came out. They got some fines, they got some attention, but nothing like what it could have been if they had handled the communication wrong.
[00:11:49] Schlacter: In terms of responsible transparency in these issues, and I’m glad we’re covering the need to have legal counsel at the table early, and to remain in for all parties to remain in lockstep coordination with them, that really is the foundation. I think a coordinated working team that is guided by an objective and understanding. The level of transparency, as Barry mentioned, is going to be influenced by the specifics of the incident and the due diligence that goes into understanding what that is.
And it’s also highly likely that over the course of an investigation, of course, new information is going to come to light and there will be some additional understanding of how we need to respond because of that. And all parties need to have access to that information in order to operate appropriately.
And that’s not going to happen unless you’ve got the right folks at the table. But when it comes to the level of transparency, that also can be a cultural question for an organization. How much information are people accustomed to receiving from them? Are their clients and customers accustomed to hearing from them at all or are they accustomed to hearing from some other entity?
So, we need to understand those voices and channels in order to dictate our role in transparent communications, because when it happens successfully, people see themselves reflected in the information that they receive.
When it comes to a data incident, people tend to have a relatively visceral reaction. It’s a scary thing. You hear personal health information, personal identifiable information, and the wheels start spinning and you imagine the worst.
Now, however, if we appropriately provide the information that says, “here’s what we know, here’s what it means to you, and here’s what to do next,” and that information is tailored to that audience’s role and level of engagement, then we have answered a lot of their key questions, even if it’s just that they’re going to receive some additional information in the coming weeks, and here’s where to go, because their first response is going to be, “what does this mean to me? Why are you telling me and what do I need to do next?”
[00:14:20] Shifrin: Alright, so Barry, understanding what Dan’s talking about here, what you’ve talked about, knowing the level of transparency that we need to have in any given situation, how to coordinate all the different messages and all the different people involved, you know, that takes a plan. So, we kind of danced around the idea of you’ve got to have a plan in place for a crisis, but you had mentioned before we started recording that you’ve got a specific story that sort of exemplifies how this works. I’d love for you to jump in and talk about that a little bit.
[00:14:43] Mathis: There was a period of time for a year or so that I was the Chief Technology Officer for Ochsner Health system down in New Orleans, and I came on within a year or so after Katrina. And as the CTO, obviously, I wanted to know about the disaster recovery plan that had gone through some drastic changes based on lessons learned through Katrina. And the CIO, we talked about that big plan, and you could not have planned for what happened in New Orleans with Katrina. There was no plan for that. But what they learned was because they had gone through a plan, and they had a disaster recovery plan, they learned things going through that plan that were absolutely instrumental in their communication amongst the other teammates as they went through. A lot of it, they did on the fly. The bottom line is, when something like that happens, you’ll figure it out if you’ve got the right people around you.
But because they had put some thought into it, they had developed a written plan, they had a very good start on where to go and what to do and who to call.
It was not a play-by-play book. It was not used as a play-by-play book. But the value of going through creating that came into play as they figured it out. And they did a great job.
[00:15:52] Schlacter: Something else that we’ve not covered yet is that I think there’s a common misconception that preparing for a data incident is a highly specific and only highly specific endeavor. And while it is, because data incidents are highly specific scenarios, because it touches every corner of your organization, it also allows you to uncover other areas to improve.
And what you see is a lot of value add from going through the process because, as Barry has mentioned, you literally and figuratively bring everyone, all the key players to the table for a conversation around, “what would we do in this incident? How would we make it through?” And that’s going to lead to optimizing of practices, higher understanding of who is doing what, where our stress points are, where our friction points are, and what we see often is that solutions that are deployed, either in preparation for or during response to a data incident are often retained for just standard communications and operations afterwards because we are identifying efficiencies, we’re identifying opportunities to improve, and we’re getting a lot of feedback from key players on our team within and without the organization, and that allows us to operate at a higher capacity moving forward.
[00:17:16] Shifrin: As we wrap up the conversation is there anything else that we’ve missed?
I’ll give you the last word, Barry, you’re the guest. So, Dan, you’re up.
[00:17:26] Schlacter: One thing we’ve not discussed, and I don’t know if it would be news to your average healthcare administrator, is that your physicians are probably your biggest source of gossip. And so, if you are wondering how informed they need to be when there is a data incident, they need to be informed cause they’re going to be talking and they’re going to be likely talking to a lot of influential people inside and outside of your system.
So, we want to make sure that they are on message and that any information that they might be sharing is stamped for approval by legal counsel and others. Go ahead Barry.
[00:18:04] Mathis: I was going to ditto on that exact comment. There needs to be a protocol. If you wait till this happens and try to figure it out, it’s not going to happen in any way that’s going to make you feel good towards the end.
What kind of preventive measures are you taking? But I tell people all the time, you could spend millions of dollars on some of the most advanced tools out there to prevent a cyber-attack, but all that it really takes is the right kind of an email that goes to the right person in the organization, and they click it, and you’re going to have something that happens.
Now how far it goes, ask 10 people, you’ll get 10 different answers depending on what’s involved in your other protective measures. But educating your staff is the single biggest gap that I see out there, and it’s one of the best ways to prevent it going forward because if you look at the vast majority of the breaches that occur today, they don’t occur because somebody in a basement hacked into a computer system. They occur because somebody ran a very good social engineer and phishing campaign, gained access to an email and or an ID, and then used that to exploit the rest of the incident. So, educating your staff is, in my opinion, the single best thing you can do, and it’s, and by far the cheapest of the other options.