All healthcare providers know the value of crisis planning and having teams ready to swiftly react to any scenario, whether an incident involves one patient or a wider population.
Likewise, health IT leaders recognize — and anticipate — the possibility of technology failures, as well as the constant presence of threat actors. It’s why detailed incident response and business continuity plans are an important first line of defense.
But they aren’t enough: Just as organizations plan for physical emergencies, they must also train employees to spot and react to signs of a cybersecurity incident.
Tabletop exercises, which are guided sessions where team members discuss their roles and responses in a crisis, are a great way to make this happen. They’re particularly important in the healthcare industry, where data breach costs run 60 percent higher than the cross-industry average, according to 2019 data from the Ponemon Institute and IBM Security.
Here are some practical tips to get started.
Start with Understanding Your Training Objectives
Tabletop exercises can mimic any number of scenarios: a critical power failure, a ransomware attack, the malfunction of a medical device, a successful phishing email, an active shooter situation or some hybrid of these scenarios.
Over a period of a few hours to several days, relevant personnel will be presented with one or more technology-focused emergencies that require rapid response.
“It is far better to identify these gaps during a simulated event than during a real crisis.”
Health Care Privacy Attorney, Beckage
The process involves determining how to respond to the emergency, walking through each step of the response and evaluating how the group performed. Participants should consult relevant policies and procedures to guide their response to the incident.
Despite their name, these tabletop drills may be conducted virtually via secure videoconferencing as employees continue to work from home during the pandemic.
Ensure You Recruit a Response Team
Identifying participants for a given exercise depends on the size and complexity of an organization. The purpose of the exercise, after all, is to test the incident response plan and verify that relevant personnel understand each person’s role in the response.
Still, consider casting a wider net by inviting others who may be relevant to actions relating to legal, public relations, technical and organizational decisions.
It is also important to choose the right facilitator. In order to provide impartial feedback about the effectiveness of the group’s response, he or she should not work for the organization.
1 in 4: the number of healthcare workers who have not received cybersecurity training (Source: Kaspersky, “Cyberpulse: The State of Cybersecurity in Healthcare — Part Two,” August 2019)
Outside counsel can often serve as effective facilitators, as they can provide insight into compliance matters and how decisions could impact future investigations and lawsuits. Legal risk mitigation is an important part of the exercise, as is strategizing how IT teams will get systems back up and running.
Do Your Best to Re-create Real-Life Challenges
Generally, a tabletop exercise begins with an introduction by the facilitator, who will define objectives and emphasize the improvisational nature of the activity. The exercise then begins with the activation of a simulated crisis.
Notice of the crisis can be in the form of a scripted statement by the facilitator describing the scope and substance of the event, followed by interactive videos and simulated news reports. Similarly, mock social media accounts can provide updates on the reaction of the local community. The facilitator or others can relate the actions of federal and state agencies to the group, if appropriate.
Together, the incident response team will identify and implement crisis response, recovery and mitigation actions. Legal analysis of the steps taken will be important to confirm that the organization complies with applicable laws and other legal requirements.
The team will also need to work together to identify and limit health risks, soften economic impacts and determine how to communicate the incident to internal and external parties. Under rapidly changing circumstances, the team must decide on all aspects of the investigation and response to the crisis, and it should evaluate which steps best protect patient privacy.
Evaluate, Acknowledge and Adapt to Improve Results
When properly executed, a tabletop exercise may reveal unforeseen weaknesses in crisis response or in the plan documentation. It may also reveal places where the current incident response plan fails to meet regulatory requirements or address legal risk mitigation opportunities.
This is precisely why tabletop exercises should be performed with an organization’s technical and legal teams: It is far better to identify these gaps during a simulated event than during a real crisis.
To turn the exercise into concrete improvements, the facilitator and participants should discuss lessons learned afterward and share their observations about weaknesses so that the incident response plan can be strengthened.
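The flow described above (a facilitator activates a crisis through scripted injects, the team responds, and the debrief compares what happened against the written plan) can be kept honest with a small tracker that records each inject, each response and the plan gaps they expose. The script below is an added example written for this article, not the authors' or any vendor's tool; every role, procedure, timing and the ransomware scenario it plays through are constructed sample data, and the 15-minute response target is an assumed value that an organization would replace with its own.

```python
"""Tabletop exercise tracker (added example, constructed sample data).

Models a tabletop run as the article describes it: scripted injects
activate and escalate a crisis, participants record how they responded,
and the debrief compares those responses with the written incident
response plan to surface gaps: roles with no owner, procedures the plan
never documented, injects nobody handled, and slow responses.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Inject:
    """One scripted event the facilitator presents during the exercise."""
    minute: int               # minutes after the crisis is activated
    description: str
    required_role: str        # the role the plan expects to act
    required_procedure: str   # the documented procedure that should apply


@dataclass
class ResponsePlan:
    """The organization's written IR plan: named role owners and the
    procedures it actually documents. max_response_minutes is an assumed
    target, not a value from the article."""
    role_owners: dict[str, str]
    procedures: set[str]
    max_response_minutes: int = 15


@dataclass(frozen=True)
class Response:
    """What the team actually did when a given inject was presented."""
    inject_minute: int
    responded_by_role: str
    responded_at_minute: int
    procedure_used: str


def evaluate_exercise(plan: ResponsePlan, injects: list[Inject],
                      responses: list[Response]) -> list[str]:
    """Return the list of gaps a debrief should capture for the IR plan."""
    gaps: list[str] = []
    by_minute = {r.inject_minute: r for r in responses}
    for inj in injects:
        # Plan-documentation gaps exist regardless of how the team performed.
        if inj.required_role not in plan.role_owners:
            gaps.append(f"t+{inj.minute}: no owner assigned for role "
                        f"'{inj.required_role}'")
        if inj.required_procedure not in plan.procedures:
            gaps.append(f"t+{inj.minute}: procedure "
                        f"'{inj.required_procedure}' is not documented")
        # Execution gaps come from comparing the recorded response.
        resp = by_minute.get(inj.minute)
        if resp is None:
            gaps.append(f"t+{inj.minute}: inject '{inj.description}' "
                        f"received no response")
            continue
        delay = resp.responded_at_minute - inj.minute
        if delay > plan.max_response_minutes:
            gaps.append(f"t+{inj.minute}: response took {delay} min "
                        f"(target {plan.max_response_minutes})")
        if resp.responded_by_role != inj.required_role:
            gaps.append(f"t+{inj.minute}: handled by '{resp.responded_by_role}' "
                        f"instead of '{inj.required_role}'")
        if resp.procedure_used != inj.required_procedure:
            gaps.append(f"t+{inj.minute}: used '{resp.procedure_used}' "
                        f"instead of '{inj.required_procedure}'")
    return gaps


def run_sample_exercise() -> list[str]:
    """Play through a constructed ransomware scenario and return its gaps."""
    plan = ResponsePlan(
        role_owners={"IT Security Lead": "A. Example",
                     "Privacy Officer": "B. Example"},   # no Communications owner
        procedures={"isolate_affected_systems",
                    "breach_notification_assessment"},   # no external comms procedure
    )
    injects = [
        Inject(0, "ransom note displayed on imaging workstations",
               "IT Security Lead", "isolate_affected_systems"),
        Inject(20, "local news reports the hospital is diverting patients",
               "Communications", "external_communications"),
        Inject(45, "patient asks whether their records were exposed",
               "Privacy Officer", "breach_notification_assessment"),
    ]
    responses = [
        Response(0, "IT Security Lead", 5, "isolate_affected_systems"),
        # Nobody picked up the t+20 media inject during the exercise.
        Response(45, "Privacy Officer", 70, "breach_notification_assessment"),
    ]
    return evaluate_exercise(plan, injects, responses)


if __name__ == "__main__":
    for gap in run_sample_exercise():
        print(gap)
```

The debrief output is what gets carried into the policy update the article recommends: plan-documentation gaps (missing owner, missing procedure) are fixed in the written plan, while execution gaps (no response, slow response) point at training or staffing. Keeping the two kinds separate in the report makes it clear which fixes need counsel's review of the documents and which need another rehearsal.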
Finally, organizations should work with legal counsel to memorialize learnings in their policies and procedures — and to ensure changes are implemented.