Cybersecurity breaches may be unavoidable, but they don’t have to harm reputations. Healthcare organizations should take proactive steps, maintain transparent communication, and address stakeholders’ concerns thoughtfully.
The cybersecurity challenge
As technology improves, cybercriminals are finding new ways to launch attacks. Tools like artificial intelligence and deepfakes make it easier for them to target hospitals, medical devices, health insurers, and pharmaceutical companies. The MOVEIT breach shows how third-party vendors and connected healthcare systems can become weak spots.
Healthcare is the second most targeted industry for cyber claims, according to a NetDiligence study. Ransomware, human error, and hacking are common causes of data loss, but there’s a growing risk of attacks that block medical professionals from their systems, disrupting care even if patient data isn’t leaked. With growing risks, it’s increasingly important for healthcare organizations to protect their systems and handle reputational risks carefully.
Best practices for managing communication during breaches
Response time matters
Delaying breach announcements increases the chances of lawsuits and reputational harm. Regulatory bodies like the Securities and Exchange Commission (SEC) now require public companies to disclose significant cyberattacks within four days, setting a clear expectation for timely reporting.
Michigan Medicine showed how prompt communication can make a difference. The hospital disclosed a breach and shared investigation results within 65 days of detecting unusual activity. As a result, only 1.25% of online discussions about the hospital focused on the breach in the following six months—a surprisingly low figure. In contrast, CommonSpirit Health, which delayed communication, saw 55% of online conversations revolve around its breach, keeping the issue in the spotlight.
Leverage social media for transparency
Social media can largely shape public perception during a breach. Organizations that fail to discuss breaches or use their platforms risk being perceived as evasive. CommonSpirit Health’s dedicated webpage about its breach provided useful information, but the organization did not amplify this messaging on social media, leaving many unaware of where to find updates. The resulting lack of transparency amplified criticism and eroded trust.
In contrast, organizations that actively share updates on social media strengthen their reputation by demonstrating accountability and openness, ensuring affected individuals have easy access to information.
Consistent, clear updates build trust
Timely and detailed communication can alleviate the uncertainty and frustration breaches victims often experience. HCA Healthcare exemplified this approach during a data security incident in 2023.
On July 5, HCA Healthcare disclosed that patient data had been published on an online forum and outlined what information had and had not been accessed. Despite delays in notifying patients directly and opening a call center, HCA’s transparency in the initial disclosure prevented confusion and minimized criticism. The organization’s proactive communication approach fostered trust, demonstrating the benefits of clarity in crisis management.
Turning crisis into opportunity
As cybersecurity analyst Gregory Westover aptly stated, “The organizations that respond with honesty and efficiency are the ones that retain public trust and even strengthen their reputation in the long run.” By integrating these best practices, healthcare providers can mitigate reputational risks and emerge stronger from cybersecurity incidents.
FAQs
How does HIPAA affect breach notifications?
HIPAA requires notifying affected individuals, HHS, and sometimes the media within 60 days of discovering a breach of unsecured PHI.
How does HIPAA compliance reduce reputational risks?
Following HIPAA’s safeguards and notification rules shows accountability, helping maintain trust and reduce criticism during a breach.
Can social media be used during a breach without violating HIPAA?
Yes, social media can share updates and direct individuals to secure resources, as long as no PHI is disclosed.
Related: How to stay HIPAA compliant on social media
Farah Amod
