What communicators can learn from the largest healthcare cyberattack to date

How you can mitigate the impacts of cyberattacks as they become more common.

Just three months into the year, 2024 is already shaping up to be a cybersecurity stress test. Communicators are tasked with assuring stakeholders that their organization is protecting proprietary information and keeping such breaches from happening again.

While deepfakes of politicians are on the rise as the U.S. nears its presidential elections, AI-generated personas have also been used to impersonate CFOs and trick employees into forking over millions.

These are the latest reminders that cyberattacks are not only here to stay, but are growing more sophisticated. All communicators, but especially those in regulated and vulnerable industries, must pay attention to the nuances of their scenario planning and be prepared to share holding statements that provide context, address core concerns and identify the next steps.

No one knows this right now quite like communicators working in healthcare. Last month, Chicago’s Lurie Children’s Hospital was hit with a cyberattack. A couple of weeks ago, Change Healthcare, a healthcare tech company that processes 15 billion transactions annually and touches one in every three patient records, was also hit with a ransomware cyberattack that disrupted its mission-critical systems and services. It’s widely viewed as the largest cyberattack on the healthcare industry to date.

A closer look at this attack and response offers cybersecurity protocols and communications best practices to follow should something similar happen to your organization.

The incident log

Change shared time-stamped messages about the attack, which the organization initially identified as an outage at 2:15 a.m. Another update, eight hours later, let audiences know that the company expected the issue to last throughout the day. Nearly 12 hours after the first notice, Change updated its report again to identify the issue as a cybersecurity issue. Two hours after that, the company explained the steps it had taken in more detail:

Change Healthcare is experiencing a network interruption related to a cyber security issue and our experts are working to address the matter. Once we became aware of the outside threat, in the interest of protecting our partners and patients, we took immediate action to disconnect our systems to prevent further impact. The disruption is expected to last at least through the day. We will provide updates as more information becomes available.

This message was reposted periodically until a new post at 11:32 a.m. the next morning, when a sentence was added explaining that Change believed this incident did not affect other systems in its parent company, UnitedHealth Group.

The trade group becomes the watchdog

Change’s initial response, as captured chronologically in its incident log, did a few things right. It kept the updates constant. It also ended with the evergreen holding statement promise of providing updates when more information became available. But a quick glance also reveals that many of these updates did not, in fact, contain new information.

What’s more, the fact that Change claims it took immediate action to disconnect its systems once it became aware of the threat creates a new question: When did Change actually become aware? Was it 12 hours after the initial notification, or earlier? Half a day is a lifetime in crisis years. When your incident compromises critical systems, those details matter.

Thankfully, the American Hospital Association (AHA) stepped in to set an example of how these communications could have been handled better. Its written statement, published three days after the attack, broke down the size and scope of this incident, warning in unambiguous language how the interruption “could have significant cascading and disruptive effects on the health care field within revenue cycle, pharmacy, certain health care technologies, clinical authorizations and other services.”

This upfront language about the impact of the issue also scores points for addressing use cases and stakeholders up top. Elsewhere in its advisory, the AHA also calls out Change for its failure at that time to provide “a specific timeframe for which recovery of the impacted applications is expected”.

While Change no doubt felt overwhelmed by this situation, this incident demonstrates how trade groups can simultaneously serve as advocates and watchdogs by calling out your lapses in communications and setting a better example. In this case, AHA’s mission and shared audience prompted it to shoulder some of the efforts to educate and inform stakeholders. But the best-case scenario here would have seen Change offer similar resources and tips on its own.

Minimizing impact

In a separate cybersecurity advisory, the AHA recommended that all disrupted or potentially exposed healthcare organizations disconnect from Change until it is deemed safe to reconnect. It offered several preventative measures that can help any organization prepare for an attack:

  • Organizations should use this opportunity to test the security, redundancy and resiliency of their network and data backups ensuring they remain offline. AHA recommends backup technology that renders the backups “immutable” — unable to be deleted, altered or encrypted.
  • Ensure that all high criticality, known and exploited vulnerabilities have been patched, especially any which are internet-facing.
  • Review and test cyber incident response plans, ensure they are well coordinated and integrated with emergency management plans. Test callout for activation of incident command structure and backup communications plans should email and VoIP communications fail.
  • Review business and clinical continuity downtime procedures to ensure mission-critical and life-critical functions could sustain a loss of information, and operational and medical technology for up to 30 days.
  • Consider designating clinical downtime “coaches” and “safety officers” for each shift. These would be individuals who are experienced and adept at working with downtime, manual procedures should there be a loss of access to the EMR and other medical technology, and who could guide and lead other less experienced staff in the implementation of downtime procedures to ensure continuation of safe and quality care.
  • Increase threat hunting and monitoring tools and techniques. Although no specific threat actor has been identified, the joint government agency advisory regarding “living off the land” cyber technique serves as a good general guide.

Homing in on specific downtime procedures recalls advice shared by a member of Ragan’s Communications Leadership Council who worked for a member hospital network. Sharing challenges and learnings from a past cyberattack, the member explained how email and digital signage became essential for addressing employees and frontline workers alike during the incident.

The member now has an audio bridge ready, a sort of phone tree that can keep communication flowing even if public platforms and websites go dark. They also experimented with building a backup web page that’s ready to deploy should primary sites go under attack, allowing them to get a message to patients and other stakeholders.

Slack and Teams shouldn’t be underestimated here, either — one member even has a dedicated Teams channel for outages that has all key internal leaders and is only used in an emergency.

Keeping the support going

Late last week, the AHA continued to show Change how crisis comms are done with an update outlining all the communication steps it took and resources it shared — including a letter it sent advocating for increased federal support as the disruption persists. That letter suggests guidance to providers, extensions on prescription regulations and filing requirements for health plans and more.

To its credit, late last week Change also announced a temporary loan program that would help provide relief to healthcare providers affected by the attack. The page includes clear language on who is eligible, how it will work and even includes an FAQ at the bottom.

It’s a shining example of the sort of effective, considerate and anticipatory messaging approach that should have been deployed much earlier.

We’ll be unpacking more crisis comms case studies that can help you future-proof your role and protect your brand next month during Ragan’s Employee Communications and Culture Conference at Chicago’s Fairmont Hotel on April 16-18. Register now!


One Response to “What communicators can learn from the largest healthcare cyberattack to date”

    Jeffrey Carpenter says:

    This is an extremely insightful blog post. I have recommended it to my cybersecurity incident response colleagues.
