Building Redundancy into Your Crisis Communications Plan

Regardless of your industry or type of business, there can be any number of potential crises that you should be planning for. One crisis that we’re hearing all too much about are cyber and ransomware attacks. The number of ransomware attack claims rose 74% worldwide in 2023 (U.S. Department of Health and Human Services), and in the healthcare sector specifically, worldwide ransomware attacks have nearly doubled since 2022 (Cyber Threat Intelligence Integration Center).

The threat of cyberattacks against healthcare organizations is greater than ever before, with vast amounts of data being digitized and shared every day – leading to more opportunities for sophisticated attacks that can compromise personal data and have dire consequences on the safe provision of care. Patients and staff are left worried about the security of their personal and medical information, and already struggling organizations with enormous financial burdens.

Ascension Hospitals, one of the United States’ largest healthcare systems with 140 hospitals in at least 10 states, recently fell victim to a cyberattack. Hackers secured thousands of patient records and locked providers out of systems that track and coordinate nearly every aspect of patient care: health records; phone systems; systems to order tests, medications, and other procedures; etc. (National Public Radio). It took a month to restore the records – a much longer timeframe than many healthcare organizations are prepared to weather.

When you’re in the business of providing lifesaving care, your organization needs to be equipped to respond in the event of a crisis. And what we can say with some confidence is that cyberattacks on healthcare organizations are no longer an “if”, it’s a “when”.

A crisis communications plan that clearly lays out the processes, teams, channels, and messages in place to respond when something happens is a critical part of being prepared. And, according to Public Safety Canada, many companies and agencies that run critical infrastructure in Canada from sectors such as banking, telecom, food, health services, and transportation, are underprepared (The Logic).

Key components of your crisis communications plan are the articulation of how you’re going to mobilize your core response team and how you’re going to communicate to your stakeholders in the event of a crisis.

But what do you do in a cyberattack scenario where your IT systems and normal channels of communications aren’t accessible to you?

The solution to this – not improbable scenario – lies with ensuring your crisis communications plan and protocols have redundancy built-in. With this in place, your crisis response team can function in the absence of normal communications channels.

To build this kind of resilience, you might consider:

• Identifying an alternate physical crisis headquarters where your team can assemble. Choose a location where you’ll have access to, or the ability to quickly assemble, basic IT infrastructure needed to work as a team.
• Have a back-up cloud-based system for critical email communication, video collaboration, and messaging that is independent of your organization’s primary IT system.
  • Prepopulate accounts for your core crisis response team and maintain this as a dark system that can be activated on a moment’s notice.
  • Mirror your crisis communications plan and draft crisis materials in this alternate cloud environment so they are always accessible.
• Identify software-as-a-service or communications applications that you will adopt should it be necessary. For example:
  • Establish a crisis-response text messaging group with your crisis leadership team that can be adopted immediately. WhatsApp is a good option as it is designed for cross-platform communications.
  • Maintain at least one license for an alternate video conferencing service like MS Teams, Google Meet, and Zoom.

Communicating with your stakeholders

With resilience built into your crisis management systems, it’s also important to think about resilience in the operational execution of communicating with your stakeholders.

Some additional redundancies to have in place:

• Maintaining comprehensive stakeholder and distribution lists that are stored offline or in your dark cloud-based system.
  • This should include contact information for employees; local media; regulatory bodies; community partners; local community organizations, volunteers, donors, etc.
• A multi-channel communications approach that considers both traditional and digital alternatives to your typical communications channels. If you plan the ability to execute against using these channels ahead of a crisis, you can activate them in the worst-case scenarios:
  • Automated phone calls out to teams and community lists – quickly deliver pre-recorded messages to those without text or email access.
  • SMS alerts – particularly useful for reaching staff (especially if you have their phone numbers stored offline somewhere accessible!).
  • A dark website – a paired back version of your organization’s normal website that prioritizes key contact information, directions to any care sites, and a news section for timely updates.
    • In the event of a cyberattack, your website is likely to be unaffected unless the website is hosted from the same internal IT environment. Many organizations have an external hosting provider, but if you don’t, this should be a top priority.
• Keep up with your relationships with local media – broadcast and print outlets can be great avenues for publicizing critical information and in the event of a crisis and would likely be more than willing to share updates with the community on your organization’s behalf.
• Store login credentials for all social media accounts securely offline and in a backup secondary cloud-based system. Make sure your key team members – typically Communications resources – can log in to these accounts using secondary email addresses that are separate from your organization’s primary email accounts.
• Set up a crisis hotline that community members can call in with questions. These systems can convert speech to text to email and notify identified key team members as required.

Consider what redundancies are needed for your organization and the stakeholders you need to reach. Not every organization requires all these fail-safes, but the absence of any back-up in a crisis could be a serious failure that’s easily avoided.