“The loss of confidential information is a big news event,” said Bennett, a former newspaper reporter who led a session on crisis management in the event of a data breach at the College of Healthcare Information Management Executives' 2013 Fall CIO Forum Wednesday.
The good news, such as it is: “The news media has a very short attention span.”
Kelly Styles, vice president and CIO at Connecticut Children's Medical Center, Hartford, had some tips for attendees. The first was to “be prepared when that inevitable day comes.”
Create a crisis management team to begin the planning process, with the goal of creating a crisis communication manual, Styles said.
“Do your best to have a plan in place for every possibility imaginable,” Styles said. Include in it which staff members are assigned to which tasks; who needs to be called and who needs to be called in to work in the event of a breach; and the names and contact information for each potentially affected health IT vendor as well as state and federal regulators and the news media; and what steps need to be taken, he said.
Then make sure copies of the call and e-mail list are stored in multiple locations, including on paper. Nothing's worse, Styles said, than having a call list that's inaccessible because the computer system on which it was stored has gone down.
In the event of a breach, “The main objective is patient safety,” Styles said. “The second objective is to lessen or minimize damage to stakeholders and organization. Make sure you know what success will look like.” That will guide you in crafting your message, and also help you realize when your messaging has been successful, he said.
Also, avoid “no comment,” when dealing with the media. “People associate guilt with this response.” If a CIO is asked to communicate about a breach, “Don't try to baffle the audience with 'geek speak,' ” Styles said. Get your point across succinctly in ways that can be understood by the layperson.
Finally, “Keep the entire hospital staff in the information loop about what's happened and what's being done to fix it,” Styles said. Employees have neighbors, some who may be affected by the breach and may ask that employee about it “across the backyard fence.”
Follow Joseph Conn on Twitter: @MHJConn
More [email protected] Coverage