crisis communicationsWe live in a world of instant communications.  During a crisis, our normal standards of communications can be very limited.  How many different issues have you addressed for communications in a crisis in your plans?  We mention the business continuity and disaster recovery plans that everyone should have often in episodes. This is just one element of the plan that can make or break the business in a crisis.  If you can’t communicate effectively with each other the chance of you being able to keep things running drops significantly.

HIPAA For MSPs by David Sims Crisis Communications
00:00:00 00:00:00

As we mentioned in the last episode, a fight in OK is making headlines that relate to access during an internet outage.  This episode isn’t so much about the political mess but more about what the political mess is all about.  The entire brouhaha is about how the staff had access to information and communications were handled during a planned internet outage.

From what we can find on the topic, the CISO involved did exactly what they should have done.  The politicians are turning it into something it shouldn’t be.  However, it does bring up a very good point.  Having a proper plan that is well thought out and everyone understands is extremely important during a crisis.

A story many people have heard about BC plans comes from NOLA during Katrina.  One facility reported that after several days they noticed a problem with the plan.  They had flashlights everywhere but eventually, they didn’t have any batteries left to use them.  They were eventually useless.  While a flashlight isn’t about communicating – well except maybe with Batman – the example does show how some small item overlooked in a plan can cripple that plan completely.  The flashlights may have been helpful as weapons I doubt that was what they expected their primary responsibility to be during the crisis.

A larger incident response plan includes a crisis communications plan.  We have talked about incident response plans many times.  Each time, we mention the need to communicate in some manner.  There is a lot to consider when you build just the communication plan.

Building crisis communications plans

What kinds of things should you think about when making a communications plan?  The good news is there are resources out there from places like Ready.gov (which everyone should check out).  Even wikihow.com has some fairly good information about it.

The bottom line is that you need a full plan that addresses the who, what, why, when, and how your team can communicate with each other, your data, your business partners, your patients/clients, insurance company, lawyers, news media, etc.  Considerations to include in the plan will vary based on the type of business, location, type of crisis, and much more.  If you have a plan in place it is much easier to adapt to variances than if you are flying by the seat of your pants during a crisis.

Who ya gonna call?

You can’t just assume so and so will take care of it.  What if they are out of the country, injured, or worse.  There needs to be a team with several people understanding the mission and the plan.  Of course, in a perfect world so and so will be just fine and be there as planned.  But the whole point of this plan is to prepare you for a crisis.

There should be a conversation amongst those in charge to determine how they can communicate with each other, your staff, partners, media, etc.  More than just so and so should know what those plans include and who can perform the various tasks.  This main team must make sure that the entire staff is aware of who is managing communications.  You don’t need someone eager to help to step in just because they had no idea someone had it handled already.

What will be said in your crisis communications?

Many people believe in having a prepared script that is ready to use until you have specific messages formed during a crisis.  It is a great idea so that chaos seems to be controlled since effective messages are being shared immediately.

If your office needs to be closed for a crisis, what will outgoing messages say?  What about your website and social media pages?  This is where you make a list of all the people or places where you may need to communicate and come up with an “I got nothin” statement that doesn’t say exactly that you got nothin.

It is very important to keep in mind that your obligation to protect patient information doesn’t get thrown out the window just because you have a crisis.  There may be cases where HIPAA regulations get loosened up but they don’t go away.  We discussed this before in an episode after the Pulse Nightclub Tragedy.  You must have an idea how to respond to patient and family inquiries when developing these scripts.  Just another reason it is a good idea to review some questions that may come up with some example answers.

It is very risky to assume that your whole staff will simply say “No comment”.  First, do you think they all would really do that without any instruction from management?  Second, is that really what you want them to say with any question that may come through them?

Ready.gov had some great examples on their site:

Messages should be scripted to address the specific needs of each audience, which may include:

Customer – “When will I receive my order?” “What will you give me to compensate for the delay?”

Employee – “When should I report to work?” “Will I have a job?” “Will I get paid during the shutdown or can I collect unemployment?” “What happened to my co-worker?” “What are you going to do to address my safety?” “Is it safe to go back to work?”

Government Regulator – “When did it happen?” “What happened (details about the incident)?” “What are the impacts (injuries, deaths, environmental contamination, the safety of consumers, etc.)?”

Elected Official – “What is the impact on the community (hazards and economy)?” “How many employees will be affected?” “When will you be back up and running?”  (Oklahoma – remember)

Suppliers – “When should we resume deliveries and where should we ship to?”

Management – “What happened?” “When did it happen?” “Was anyone injured?” “How bad is the property damage?” “How long do you think production will be down?”

Neighbors in the Community – “How can I be sure it’s safe to go outside?” “What are you going to do to prevent this from happening again?” “How do I get paid for the loss I incurred?”

News Media – “What happened?” “Who was injured?” “What is the estimated loss?” “What caused the incident?” “What are you going to do to prevent it from happening again?” “Who is responsible?”

Messages can be pre-scripted as templates with blanks to be filled in when needed. Pre-scripted messages can be developed, approved by the management team and stored on a remotely accessible server for quick editing and release when needed.

When will these crisis communications plans be used?

How will everyone know that your crisis communications plan has been activated and how will they know when to go back to normal?  This seems silly to have to discuss it but the minute you make that assumption you have essentially shot yourself in the foot when it comes to this kind of planning.  Who communicates this plan is activated and when it is over?

Make sure everyone understands the plan exists.  In a data breach case, there is very little need to explain every detail to everyone.  In fact, most people don’t want to know every detail.  What is important is for them to know what to say if anyone asks them about it even if they are blindsided by a question.  How should they respond and what to do after they have dealt with it should be informed that every staff member knows how to find or at least who to talk to about it.

It definitely doesn’t mean you need everyone calling so and so because they always handle this kind of stuff.  If big stuff is going down you can bet that so and so is busy enough without every person contacting them directly with questions, ideas, input, and the like.

Where will you manage these communications?

Many plans include an emergency operations center – yep an EOC!  Others have a CCC – crisis command center.  Maybe your’s will simply be called BKT or the Boss’s Kitchen Table. No matter what you call it you must decide if you will have a physical location or a virtual location to have discussions amongst the team.  Being able to meet face-to-face does alleviate the issues with technology and functionality.  However, it does open up new ones like transportation and timing.

No matter what, it would be a good idea to have a plan A, B, and C that the team knows to work through until they find everyone else.

How will you communicate with each other and your systems?

Make sure you have a plan A, B, and C as to the methods.  Again, making assumptions here can be a huge problem.  Just ask the OK VA CISO if he thought he would have to explain to the Governor why his plan was a solid one.

Most of us plan to use mobile devices these days.  There are layers of concerns there though.  Your phone must have access to service or wifi.  You must also have power.  Finally, what if you have those two things but others on the team do not, what would be the next way they would try to communicate with you?

You must understand things like having awareness of where strong signals are and how much backup battery supplies should you have in place.  Another issue is the number of cell tower resources may be limited and overwhelmed.  So even if you can get a signal you may not be able to easily get a call through.  That used to happen back in the day at sporting events, festivals, and concerts where large groups of people were hitting the resources.

Social media private groups are a way that many businesses are setting up a communications center for their team.  Everyone knows where to go on the web to get the latest messages and leave questions and updates.  However, it is very important that you are clear about what can be said on the site and make sure that it is a private site, not publically accessible.  Also, make sure that everyone understands that they need to get to an internet signal to access this information.  If some folks can’t get there, what do they do?

Here are a few tips:

  • Know exactly how you will handle communications with all groups:
    • Patients/clients
    • Incident response team members
    • Staff
    • Business partners
    • Media
    • Family members of patients and staff
  • Have several USB power packs for your team and the office to use for charging devices.
  • Consider power packs that can power laptops.
  • Have several batteries of different sizes that are periodically checked.
  • Walkie Talkies can be a great option for situations where phones don’t work
  • When signals are weak or overwhelmed sometimes text messages will get through when phone calls won’t do it.
  • Have a phone tree plan for each team member to disseminate information to the staff.  It keeps one member from getting overwhelmed when calls are required and questions come in.

Yes, there are many things to worry about here.  It is important to note that very little of what we discussed here has anything specifically to do with HIPAA.  It just makes good business sense to have one of these plans.  It also makes sense to have one for your family.  You just never know when this will be one of the best things you ever did or the biggest regret for not doing it.