HIMSS: Plan now for crisis communication
ORLANDO, Fla.--Security breaches, stolen laptops, destroyed servers: the news in health IT security is rarely good. But don’t worry—your turn is coming, said Mark Pasquale, BS, MBA, vice president and CIO of Piedmont Hospital in Atlanta, and Steve Bennett, BA, MA, vice president of Kirby Partners, a heath IT recruiting firm in Heathrow, Fla., speaking at a session on crisis communications at HIMSS11 last week.
When trouble hits, they have some advice for health IT leadership: Have a well-rehearsed crisis management plan in place—on paper and online. And doing nothing is not an option.
“You can never foresee with absolute certainty the events that will cause a crisis in your facility. It will happen, when you least want it to, and in ways you least expect,” said Pasquale. Every department should be involved in developing the plan, including the IT person responsible for operations and IT compliance manager, as well as the facility’s legal team, media relations and communications director, according to Bennett and Pasquale.
Their advice:
Plan ahead. Accept that a crisis can and will happen at some point, and that planning is a prevention strategy.
Conduct risk and vulnerability assessments to find and stop IT-related problems before they can escalate. Categorize and prioritize threats and develop mitigation strategies for fire, weather, theft, loss of Protected Health Information and critical application failures. Be proactive, use your crisis management team to ask tough questions, and look at what works and what doesn’t.
Learn to recognize a crisis—identifying vulnerabilities through risk assessments can help, and there are plenty of examples in the news. If you think you’re in a crisis, move to solve it even if it’s not yours, said Pasquale.
Write the manual—spell out procedures and responsibilities in a crisis situation, and put it on paper, make copies and know where the manual is located in case power or computer systems are lost, he said.
Conduct training. All staff members need to know their roles in a situation. This includes press management training for designated spokespeople.
Know your objectives. Public safety and public interest come above those of your organization; lessening or preventing damage to your organization as a whole is the second goal. An effective crisis communication plan shows the organization is not afraid to confront a situation head-on while minimizing damage. The early response to a crisis will define the future of the event.
Assess the situation. Verify all facts in a situation, and get as much actual information as quickly as possible before issuing a response. Be as honest and as open as you can with the information released.
Communicate. Preselect a spokesperson, usually the top person within the organization who has credibility and visibility and credence, and designate an alternate. Depending on the nature of the crisis, outside resources might be an option. Establish a presence and be there. Tell the truth with “no geekspeak,” said Bennett. Give updates as promised—show you’re doing what you can to resolve the situation.
Have the right communication, and let the team do its job. Use outside resources: Call centers, electronic forensics investigators and public relations firms can help when a crisis hits, said Pasquale. Your reputation is on the line—the truth will be challenging and can get lost in emotion, but "when you lose your integrity, you’ve lost all credibility,” Pasquale said.
Listen. In addition to being as open as possible to stakeholders, customers and staff for insights and suggestions. Solicit ideas from other hospitals and talk to peers.
Finally, hang in there. No matter how well prepared you are or how well you responded, there will be one or more unhappy stakeholders who are not satisfied. Take a deep breath and debrief with your team. Could an outside resource have handled things better? Rewrite the manual. “Keep doing this over and over again,” said Bennett.
When trouble hits, they have some advice for health IT leadership: Have a well-rehearsed crisis management plan in place—on paper and online. And doing nothing is not an option.
“You can never foresee with absolute certainty the events that will cause a crisis in your facility. It will happen, when you least want it to, and in ways you least expect,” said Pasquale. Every department should be involved in developing the plan, including the IT person responsible for operations and IT compliance manager, as well as the facility’s legal team, media relations and communications director, according to Bennett and Pasquale.
Their advice:
Plan ahead. Accept that a crisis can and will happen at some point, and that planning is a prevention strategy.
Conduct risk and vulnerability assessments to find and stop IT-related problems before they can escalate. Categorize and prioritize threats and develop mitigation strategies for fire, weather, theft, loss of Protected Health Information and critical application failures. Be proactive, use your crisis management team to ask tough questions, and look at what works and what doesn’t.
Learn to recognize a crisis—identifying vulnerabilities through risk assessments can help, and there are plenty of examples in the news. If you think you’re in a crisis, move to solve it even if it’s not yours, said Pasquale.
Write the manual—spell out procedures and responsibilities in a crisis situation, and put it on paper, make copies and know where the manual is located in case power or computer systems are lost, he said.
Conduct training. All staff members need to know their roles in a situation. This includes press management training for designated spokespeople.
Know your objectives. Public safety and public interest come above those of your organization; lessening or preventing damage to your organization as a whole is the second goal. An effective crisis communication plan shows the organization is not afraid to confront a situation head-on while minimizing damage. The early response to a crisis will define the future of the event.
Assess the situation. Verify all facts in a situation, and get as much actual information as quickly as possible before issuing a response. Be as honest and as open as you can with the information released.
Communicate. Preselect a spokesperson, usually the top person within the organization who has credibility and visibility and credence, and designate an alternate. Depending on the nature of the crisis, outside resources might be an option. Establish a presence and be there. Tell the truth with “no geekspeak,” said Bennett. Give updates as promised—show you’re doing what you can to resolve the situation.
Have the right communication, and let the team do its job. Use outside resources: Call centers, electronic forensics investigators and public relations firms can help when a crisis hits, said Pasquale. Your reputation is on the line—the truth will be challenging and can get lost in emotion, but "when you lose your integrity, you’ve lost all credibility,” Pasquale said.
Listen. In addition to being as open as possible to stakeholders, customers and staff for insights and suggestions. Solicit ideas from other hospitals and talk to peers.
Finally, hang in there. No matter how well prepared you are or how well you responded, there will be one or more unhappy stakeholders who are not satisfied. Take a deep breath and debrief with your team. Could an outside resource have handled things better? Rewrite the manual. “Keep doing this over and over again,” said Bennett.