The case for security breach communications in healthcare


My research and writing embeds me in a world of frighteningly smart healthcare security professionals. At a recent HIMSS cybersecurity conference, I sat horrified to learn how complicated the challenges of protecting healthcare records really are. I also learned that even the most complex security firewalls like Blockchain are still untested over long periods of time in the healthcare sector.

In my interviews with CSOs and CISOs it was interesting to learn that there is a healthy degree of skepticism about cutting-edge technologies that don’t have track records, even if they’re developed by the most reputable vendors. There was a consistent theme of installing products that are tested, trusted and “better” (as opposed to “best” but with fewer use cases).

But the CSOs also made it very clear that security platform investments were meaningless unless there was a culture of security at every level of the healthcare enterprise. One speaker put it very well: “We can develop a culture of using hand sanitizer every time clinicians enter a patient’s room, but it’s incredibly difficult to develop the same culture for security hygiene.”

As part of my time at the conference I had the chance to visit the “cybersecurity range” of a well-known vendor in the healthcare AI segment. The range was essentially a simulation control center for instances of major security breaches in a multinational corporation. The tricked-out room had screens showing stock market prices, diagrams of the hack’s proliferation across the enterprise, broadcast news feeds, and tons of other eye candy. The first two rows of the control center auditorium seating had telephones in front of each participant.

The exercise started with the first sign that a breach had occurred in one of the fictitious enterprise’s facilities. And then the fun began!

The phones in front of the CSOs in the audience started ringing off the hook. One call was CNN asking if the reports of a breach were true. Another was from the receptionist saying that reporters with cameras were in the lobby asking about the breach. Calls from other subsidiaries started pouring in about how to handle the technological aspects. Doctors called from the operating room asking if the data they were getting was reliable. Livid customers called in droves wanting to know if their personal information had been stolen. There were even suspicious calls from people who could have been the hackers themselves.

One of the large screens showed the stock price of the company for every hour that the mayhem was occurring. Needless to say, the line on the graph wasn’t a hockey stick. The grid that showed the actual spread of the breach across the enterprise was lighting up like a Christmas tree.

What started as a simulation turned into one of the most hair-raising and anxiety-producing experiences I’d seen in my business and academic career.

What did I learn?

Technology fixes are only a small part of a security breach crisis management structure.

An enterprise-wide communications strategy is an imperative — starting with a religious adherence to talking points from the receptionist to the chairman. As any law enforcement official or beat reporter will tell you, people will say really crazy things under extreme pressure.

This messaging strategy becomes extremely challenging considering the varying levels of communications skills across the myriad professions in the modern healthcare enterprise. Most are not trained external communicators.

