Cyber Security Communications Strategy
Created by
In consultation with: Mary Baines, Senior Communications Advisor, Ministry of Health; Matt Lord, Security Manager, Ministry of Health
Signoff: Emma Blackmore, External Communications and Engagement Manager, Ministry of Health
Purpose
This document sets out how the Ministry of Health will ensure there is a coordinated approach to managing communications about cyber events in the health and disability sector. The purpose of this plan is to:
• outline the Ministry’s communications and stakeholder engagement approach when responding to a cyber incident;
• provide a list of potential stakeholders and audiences and provide a guide on how to communicate with them;
• provide a scalable list of outputs and actions that should be produced or taken at different phases of a cyber security incident response; and
• identify and mitigate any communications-related risks.
This strategy sits alongside and aligns with the New Zealand Health Sector Cyber Event Response Plan (February 2019). This document is for use by the Ministry of Health and an affected health sector entity.
Context
The global health sector has experienced an increasing trend of major cyber events, security
incidents and data breaches in recent years. The New Zealand health and disability sector has also
been impacted by cyber events, including when in May 2021, the Waikato District Health Board
was struck by a ransomware attack. The incident affected IT systems, hospitals’ service delivery and
privacy for staff and patients.
Attempted cyberattacks on the health and disability sector are a constant threat. While the vast
majority are prevented from impacting IT networks and systems and the provision of healthcare to
New Zealanders, it is important the sector is prepared for potential future incidents.
When dealing with cyber security incidents, responding to the technical issues is only part of the response effort. A major component of a cyber security incident response is how well an organisation communicates with staff, people who may have been affected, the general public, and internal and external stakeholders about what is going on, how it is affecting the organisation and how it could affect them.
Communications objectives
The objectives of this plan are to ensure:
• timely and accurate information is delivered to key audiences;
• internal and external stakeholders are kept informed; and
• consistent messaging and appropriate sequencing of information is delivered during a cyber security incident.
Communications and engagement approach
Good communication, whether it’s with staff, customers, the media or the public, is a key component of managing a cyber security incident. Each cyber security incident is different, so the communication approach used will differ. In some circumstances, proactive communication will need to be assessed against other factors such as the nature of the cyber security event and, where known, the nature and capability of the actors behind it.
However, the following key principles guide the Ministry of Health’s communications and engagement approach to managing cyber events.
• Proactiveness: When managing a cyber event issue, proactive communication with staff, affected people and the media is normally the most effective approach. Even if only limited information is available to be shared, it is important to let people know that an incident is occurring.
• Transparency: Sharing updates with stakeholders in an open and transparent way (which does not include information that could aid the malicious actors) is key to managing reputational risk and preserving public trust and confidence. An information vacuum can lead to speculation and misinformation.
• Timeliness: Prompt action is essential for shaping and getting ahead of a developing story. Knowing what to say and when to say it can make a big difference to the perception of how well the incident is being managed.
• Collaboration: Relevant entities across the health and disability sector have a responsibility to work collaboratively when dealing with a cyber issue, including ensuring regular information sharing and sticking to agreed messaging.
Roles and responsibilities
As per the Response Plan, during a cyber security incident, the health and disability sector may be working with government agencies like CERT NZ or the National Cyber Security Centre (NCSC). The affected organisation (e.g. Ministry of Health or a health sector entity – depending on the nature of the incident) is the lead for communications.
The roles and responsibilities of each organisation involved in communications and stakeholder engagement are outlined below.

Organisation: Ministry of Health
Role: To coordinate external communications, stakeholder engagement and strategic advice regarding the incident, and on behalf of, the health sector entity.
Responsibilities:
• To support the affected health sector entity in its external communications and engagement regarding the event.
• To lead the provision of advice to the Minister(s) in partnership with the affected health sector entity and NCSC/CERT NZ.
• To protect and preserve critical national digital health systems and capabilities.
• To work collaboratively with, and in support of, the affected health sector entity.

Organisation: Affected health sector entity
Role: To communicate with staff, affected people and the community about the incident.
Responsibilities:
• To provide internal updates/communications to staff.
• To fulfil any privacy obligations in notifying affected individuals.
• To engage with media regarding the event (i.e. manage press conferences, media requests (unless sent directly to the Ministry of Health) and press releases).

Organisation: National Cyber Security Centre (NCSC)
Role: To provide incident response including on-the-ground support, forensic analysis, mitigation advice and communications advice.

Organisation: CERT NZ
Role: To promote awareness of good cyber security practice, support response advice for potentially high or national impact cyber security events, and situational awareness and information sharing.

Responsibilities (NCSC and CERT NZ):
• Given the varied nature of cyber security emergencies, and the size and mandate of various health sector entities, the operational lead agency may vary but could be NCSC or CERT NZ.
• To provide specialist technical cyber security incident response capabilities (NCSC only).
• To input into communications and advisory activities undertaken by the Ministry of Health and/or the health sector entity.
• To review the affected entity’s/Ministry of Health’s messaging.
Communicating with key stakeholders and audiences
The stakeholders and audiences, and how to communicate with them, will vary between incidents but will be both internal and external. However, in general terms:
• The staff of the affected health sector entity will need to know how this incident will impact their work; if they need to change the way they are working; what actions they can take to protect themselves; what they can say if they get questions; and what they can expect to happen next.
• The public will need to know how this may impact them; what is being done; what actions they can take to protect themselves; how they will know if they have been affected; and next steps.
Government
Audience/stakeholder: Minister(s)
Channel/method:
• Situational reports
• Communication Line Book
• Regular meetings
• Ministerial Reports

Audience/stakeholder: Agencies involved in the cyber incident response (e.g. CertNZ, NCSC, vendors or other security service providers)
Channel/method:
• Situational reports
• Communication Line Book
• Regular meetings

Audience/stakeholder: Government agencies that have an interest due to the nature of their work (e.g. Privacy Commissioner, ACC, DIA, IDCare, NetSafe)
Channel/method:
• Key messages document, sent via email

Internal
Audience/stakeholder: Staff from affected health sector entity
Channel/method:
• Internal communications channels including email, printed copies, intranet, phone/video calls

Audience/stakeholder: Other health entities (who were not directly affected but are feeling impact)
Channel/method:
• Updates via regular meetings
• Key message document

Audience/stakeholder: Ministry of Health staff
Channel/method:
• Internal communications channels including DG updates and intranet

Audience/stakeholder: Ministry of Health’s Executive Leadership Team and DDG
Channel/method:
• Regular meetings with the Ministry of Health’s response lead

External
Audience/stakeholder: Members of the public who have been affected by the cyber incident
Channel/method:
• Direct contact (phone, letter or email by affected health sector entity)

Audience/stakeholder: Media
Channel/method:
• Press conferences
• Press releases
• Media advisories
• Proactive conversations
• Reactive responses – statements and interviews

Audience/stakeholder: General public
Channel/method:
• National and local media channels
• Public information campaigns via local advertising (print, digital, radio)
• Social media posts from Ministry of Health and/or affected health sector entity
Key messages
Approach
The key messages for each incident will vary depending on its nature, severity and impacts. Internal and external messaging should include what has happened, when it happened, and what the next steps are. If there are gaps in the information about the incident, it should be stated that the situation is being investigated and that the public will be updated when more information becomes available.
When framing the message:
• Base all information on facts: In the first few days after a cyber incident, it’s difficult to know its full scale and impact. Double check that everything you are saying is factually correct.
• Accept responsibility: The affected health sector entity is responsible for its network and data.
• Avoid downplaying: This may be seen as not taking the incident seriously.
• Address feelings of vulnerability: While doing so, identify ways people can protect themselves.
• Keep the messages clear and easy to understand: Avoid jargon and keep the message simple.
• Make it clear that it takes time to assess and recover from these incidents: Provide timelines where possible. Do not feel tempted to give an answer or say you are on top of the situation, as there is likely to be more information to come to light.
It is important to note that cyber criminals can monitor media commentary relating to an incident and may change their behaviour based on that commentary. Certain words and nuances in language may unintentionally inform the attackers. All messaging must therefore be reviewed by NCSC and/or CERT NZ.
Skeleton messaging
The below skeleton messaging can be adapted for different cyber incidents.
• We have been made aware that a cyber security incident is affecting the organisation’s IT environment.
• We are in the early stages of identifying what has happened. An investigation is underway.
• We have a plan in place for when these kinds of incidents occur. We are following the processes set out in our plan.
• We have engaged external assistance to help us address the incident.
• We will keep the public and our stakeholders updated as the situation develops.
General key messages about cyber security
• Attempted cyberattacks on the health and disability sector are a constant and ever-evolving threat. The vast majority are prevented from impacting IT networks and systems and the provision of healthcare to New Zealanders.
• The health and disability system has robust processes in place to allow it to continue providing services in a variety of situations.
• All organisations need to continually review and improve cyber security protections. Cyber criminals continue to pose a threat to the security of the health sector, which is why there is ongoing investment in new security protections.
• In Budget 2021, the Government announced investment of up to $385 million over four years to improve health sector data and digital infrastructure and capability.
General key messages about keeping personal data safe
• Please be wary of any unsolicited communications claiming to be from a Government organisation or private company like a bank. Unusual activity can include:
  o contact that is out of the blue via phone, email, on social media or even by mail
  o being asked to verify your account or personal details
  o being asked for remote access to your device
  o being told there’s a problem with your phone, laptop or internet connection
  o someone pressuring you to make a decision quickly
• The latest known scams are recorded by Scamwatch at Consumer Protection and can be viewed here - www.consumerprotection.govt.nz.
• There are a number of ways you can protect your personal information and data, including:
  o regularly changing passwords
  o avoiding opening attachments from unknown sources
  o having up-to-date antivirus tools for all of your devices that access the internet
  o keeping your electronic devices and applications up to date
  o talking to your bank about additional security you can put on your accounts.
• If you have concerns about the safety of your information or are seeking additional ways to protect yourself, you may wish to visit IDCARE, New Zealand’s national identity and cyber support community service - www.idcare.org. IDCARE is a registered New Zealand charity that specialises in working with community members to protect and respond to personal information risks.
• If you are concerned your privacy has been breached, you can make a complaint via the Privacy Commissioner here - www.privacy.org.nz.
Spokesperson
It is usually best practice to use the same spokespeople throughout the incident. Even if there may not be much information to share, the public can feel more reassured if the same people are speaking about the incident. Who is put forward as a spokesperson will depend on the nature of the incident, but spokespeople could include:
• The CE of the affected health sector entity;
• Subject matter experts in IT restoration, privacy and clinical service delivery from the health sector entity; and/or
• The Deputy Director General Data and Digital, Ministry of Health.
An external media professional can be useful to test spokespeople’s understanding of the complex issues before fronting for the media.
Standard operating procedures
This section lays out the specific communications actions that should be taken before, during and after the New Zealand Health Sector Cyber Event
Response Plan (February 2019) is activated. The Response Plan is activated when a cyber event affecting a local health sector entity is escalated to the
Ministry due to its potential to have severe consequences at a national level.
Phase 1: Local health sector entity cyber response and severity impact assessment
As per the Response Plan, an affected health sector entity must activate its internal event response plan and make an assessment as to the potential sector-wide impacts. Depending on the outcome of this severity assessment process, the incident will either remain categorised as a localised event that is being responded to solely by the affected health sector entity or be assessed as having potential consequences to multiple entities or wider public health safety. If the second action pathway is identified as the most likely, the affected health sector entity must immediately contact the Ministry of Health.

Objective: Groundwork is laid so the Ministry is prepared to respond to a local cyber security issue, if Phase 2 is activated
• Action: Ministry of Health spokesperson identified and briefed
  Lead: Ministry of Health’s communication team
• Action: Holding messages developed in anticipation of escalation
  Lead: Ministry of Health’s communication team

Phase 2: Responding to a cyber security incident
If the Response Plan has been activated, Phase 2 begins. It is at this point that the affected health sector entity in partnership with the Ministry of Health (and NCSC/CERT NZ if necessary, as set out in Annex D of the Response Plan) assesses the potential severity of the technical, personal health information, clinical, legal, financial and policy/reputational impact(s) of the cyber event. As per the Response Plan, during Phase 2, the Ministry’s core function is to coordinate external communications, stakeholder engagement and provide strategic-level advice. All actions will be taken collaboratively with, and in support of, the affected health sector entity.

First 24 hours

Objective: Communications coordination structure established
• Action: Ministry of Health comms lead and Communications Manager from affected health sector entity connect to discuss requirements, approach, roles and responsibilities and agree next steps
  Lead: Communications lead, Ministry of Health
• Action: Ministry of Health comms lead connects with relevant Government communications leads (e.g. NCSC) to discuss roles and responsibilities and agree next steps
  Lead: Communications lead, Ministry of Health

Objective: Staff from affected health entity notified and feel informed
• Action: Staff from affected health sector entity notified about incident, provided with information on how to keep their information safe and given guidance on next steps and expected timeframes
  Lead: Communications Manager, affected health sector entity
  Notes: During the Waikato DHB IT outage, staff were notified about the incident via email, text, phone calls and printed copies of updates distributed throughout facilities
• Action: Key messages, reactive lines and FAQ documents specific to internal audiences/affected staff developed
  Lead: Communications Manager, affected health sector entity

Objective: Incident communicated externally
• Action: Media advisory or press release issued as required
  Lead: Communications lead, Ministry of Health and Communications Manager, affected health sector entity
• Action: Social media update posted by affected health entity or Ministry of Health as required
  Lead: Communications lead, Ministry of Health and Communications Manager, affected health sector entity
• Action: External messaging and reactive lines developed
  Lead: Communications lead, Ministry of Health
  Notes: Review required from NCSC or CERT NZ to ensure language does not aid malicious actors

Objective: Media management
• Action: Media alerts set up to monitor and track stories
  Lead: Communications lead, Ministry of Health
  Notes: Via media monitoring provider
• Action: Media requests sent to Ministry or affected health sector entity responded to
  Lead: Media team, Ministry of Health and Communications Manager, affected health sector entity

Objective: Internal and external stakeholders communicated with and feel informed
• Action: Ministry of Health’s DG and ELT updated and informed via written and oral updates
  Lead: Ministry of Health’s response lead
• Action: Relevant Minister(s) updated and informed via written and oral updates
  Lead: Ministry of Health’s response lead
• Action: First sitrep sent
  Lead: Ministry of Health’s Intel lead
  Notes: If an EMT/CIMS structure is set up to respond to the cyber incident, the Intelligence function will issue daily situational reports (sitreps) to key stakeholders including Ministers, Ministry leadership and key Government stakeholders
• Action: First communication line book sent
  Lead: Communications lead, Ministry of Health
  Notes: If an EMT/CIMS structure is set up to respond to the cyber incident, the Communications/PIMS function will issue daily communication line books/key messages to Ministers and key Government stakeholders

Ongoing response (Day 2 until recovery phase)

Objective: Staff from affected health entity updated regularly and kept informed of developing situation
• Action: Regular communications issued to affected staff as required via email, text, phone/video call, print copies, outlining updates and guidance across all services, as required
  Lead: Communications Manager, affected health sector entity
  Notes: During the Waikato DHB IT outage response phase, staff received two daily updates (AM and PM) via email, a printed daily staff update distributed across all facilities, and emails and text messages for urgent updates requiring immediate response

Objective: Ongoing communication to the public about the incident
• Action: Public information management campaign started
  Lead: Communications lead, Ministry of Health and Communications Manager, affected health sector entity
  Notes: A public information campaign could include digital, print or radio advertising and focus on issues including keeping the community updated on service restoration or privacy issues. During the Waikato DHB IT outage, there was a public information campaign on personal data and privacy including advertising in the local newspaper
• Action: Social media updates, as required
  Lead: Communications lead, Ministry of Health and Communications Manager, affected health sector entity
  Notes: During the Waikato DHB IT outage, social media updates on protecting personal data were posted on both the DHB’s and the Ministry’s accounts as part of the public information campaign

Objective: Media management
• Action: Proactive media via press conferences and media releases, as required
  Lead: Communications lead, Ministry of Health and Communications Manager, affected health sector entity
  Notes: During the Waikato DHB IT outage, the DHB held daily press conferences and issued daily press releases every day for the first three weeks. This was scaled back to three times weekly, then weekly
• Action: Media requests responded to, as required
  Lead: Media team, Ministry of Health and Communications Manager, affected health sector entity
• Action: Media advisories reminding journalists of obligations (e.g. around publishing private information) issued as required
  Lead: Communications lead, Ministry of Health and Communications Manager, affected health sector entity
  Notes: Advisories may be sent from the Privacy Commissioner or CERT NZ, with support from the Ministry or the affected health sector entity
• Action: Reactive messaging on emerging issues developed, as required
  Lead: Communications lead, Ministry of Health and Communications Manager, affected health sector entity

Objective: Internal and external stakeholders communicated with regularly
• Action: Daily meeting between Ministry’s communications team, affected entity’s communications team and supporting comms people (e.g. NCSC or CERT NZ)
  Lead: Communications lead, Ministry of Health
• Action: Daily situational report issued
  Lead: Ministry of Health’s Intel lead
  Notes: If an EMT/CIMS structure is set up to respond to the cyber incident, the Intelligence function will issue daily situational reports (sitreps) to key stakeholders including Ministers, MoH leadership and key Government stakeholders
• Action: Media scan email (collated from alerts) sent to internal stakeholders and leadership daily
  Lead: Communications lead, Ministry of Health
  Notes: Email outlining key media topics and emerging risks
• Action: Daily meeting with Minister’s Office to provide updates
  Lead: Ministry of Health’s response lead
• Action: Daily communication line book issued
  Lead: Communications lead, Ministry of Health
  Notes: If an EMT/CIMS structure is set up to respond to the cyber incident, the Communications/PIMS function will issue daily communication line books/key messages to Ministers and key Government stakeholders
• Action: Weekly Ministerial Report sent to Minister’s Office
  Notes: If an EMT/CIMS structure is set up to respond to the cyber incident, the response lead will send a weekly report to Ministers outlining key and emerging issues
• Action: Twice-weekly key messages document sent to stakeholders
  Lead: Communications lead, Ministry of Health
  Notes: The key messages document is a scaled back version of the communication line book and can be sent to Government agencies that have an interest in the response (e.g. Privacy Commissioner, Net Safe)

Phase 3: Recovery phase

Objective: Staff from affected health entity updated regularly
• Action: Twice-weekly communications to staff outlining guidance on service delivery, recovery planning and progress updates
  Lead: Communications Manager, affected health sector entity
  Notes: During the recovery phase, Waikato DHB staff received twice-weekly updates via email and print. Further communications occurred to advise staff of potential privacy impacts.

Objective: Ongoing communication to the public about the incident
• Action: Public information campaign continued as required
  Lead: Communications lead, Ministry of Health and Communications Manager, affected health sector entity

Objective: Media management
• Action: Proactive media via press conferences and media releases, as required
  Lead: Communications lead, Ministry of Health
• Action: Reactive messaging on emerging issues developed, as required
  Lead: Communications lead, Ministry of Health and Communications Manager, affected health sector entity
• Action: Media requests managed as required
  Lead: Media team, Ministry of Health and Communications Manager, affected health sector entity

Objective: Internal and external stakeholders communicated with regularly
• Action: Weekly Ministerial Report to Minister’s office
  Lead: Ministry of Health’s response lead
• Action: Situational reports sent three times weekly
  Lead: Ministry of Health’s Intel lead
• Action: Communications Line book sent weekly
  Lead: Communications lead, Ministry of Health
• Action: Key messages sent to stakeholders as and when issues emerge
  Lead: Communications lead, Ministry of Health
• Action: Media scan email sent to key internal stakeholders as and when issues emerge
  Lead: Communications lead, Ministry of Health
Communications risks and issues
Issue/Risk: Lack of coordination between communications people from different organisations involved in the response
Mitigation:
• Clear structure defining roles and responsibilities of each organisation defined at the beginning of the response
• Regular meetings set up between all communications people involved in the response

Issue/Risk: Staff of affected health entity not feeling informed
Mitigation:
• Regular updates sent to staff of affected health entity via different means including email, text, printed copies and phone calls

Issue/Risk: Public not feeling informed about situation
Mitigation:
• Public information campaign launched providing information on key issues (e.g. services available, privacy)

Issue/Risk: Stakeholders not feeling informed
Mitigation:
• Situational report and communication line book sent daily
• Key messages document sent to key stakeholders in government twice weekly during response phase and as and when required during recovery phase

Issue/Risk: Minister(s) not feeling informed
Mitigation:
• Regular meetings set up with relevant Minister’s office
• Situational report and communication line book sent daily
• Ministerial report sent weekly

Issue/Risk: Negative media coverage
Mitigation:
• Transparent and open relationship with journalists
• Regular press conferences and press releases
• Media advisories sent to provide additional support to journalists
• Timeliness in responding to media requests

Issue/Risk: Information or wording provided to media may aid or inform malicious actors (the use of certain words may unintentionally inform the attackers)
Mitigation:
• All messaging and nuance in language reviewed by NCSC or CERT NZ

ENDS