The Importance of Tabletop Exercises in Healthcare
A tabletop exercise is a meeting to discuss a simulated emergency. Participants review and discuss the actions they would take in a particular emergency, such as a ransomware attack, testing the organization’s emergency plan in an informal, low-stress environment.
Tabletop exercises are used to clarify roles and responsibilities, and to identify additional campus mitigation and preparedness needs. Walking through a near-life scenario tends to sharpen critical thinking and uncover challenges before a real-life scenario happens.
They also present an opportunity to bring people together with the right set of skills from inside and outside the healthcare organization to help survive a business disruption.
Tabletop exercises should result in action plans for continuous improvement of the emergency plan. A written evaluation of an exercise provides a guideline for what went well and what areas need attention, and should categorize outcomes by people, processes or technology.
Penetration Testing Increases Cybersecurity Readiness
Penetration testing is another practical method for assessing and evaluating the effectiveness of security controls that are in place for data privacy and protection.
Unlike vulnerability scanning, pen testing is mandatory for compliance with payment card industry regulations. If you are taking credit cards at your healthcare organization, you need to comply with some level of the Payment Card Industry Data Security Standard.
A comprehensive pen test attempts to exploit all the layers within an organization’s ecosystem — before malicious actors do — to expose whether a configuration is as secure as it seems. Pen testing can reveal, for example, misapplied fixes or undocumented vulnerabilities, and even identify threats and threat vectors, which can boost the security personnel’s knowledge and response time to an incident.
Here is an example of a journey through different aspects of pen testing:
- Start from the outside, testing traditional perimeter controls (north-south traffic). If you're already in the cloud, run a cloud configuration security pen test, which reveals who can get into the system and how quickly it could be compromised.
- Then move on to wireless network pen testing. This requires people to physically visit your campus and look for rogue wireless controllers, or the ability to run that test remotely, to confirm that your wireless network is sound.
- Next, perform internal or lateral-movement pen testing. The question here is how far someone can go once they are authenticated to your network: can they escalate privileges, and what other information on the internal network is readily exposed and unprotected?
- Follow that with application pen testing. This reveals what applications do, which credentials they use and how, how they interact with each other, and what type of data they expose or leave behind. Perhaps an application produces some type of report, and that report is simply sitting out in the open, not secured along with the rest of the hospital’s protected health information.
Some level of social engineering testing would enhance each scenario. For example, have someone call a colleague to see whether they can get credentials. Or perhaps see if that information can be obtained in an open conversation in a hospital’s hallway.
Pen testing can also serve as an official record for demonstrating risk management efforts to avoid revenue loss or legal consequences and reputational damage after a breach.
Cybersecurity from Planning to Action
It is critical for healthcare organizations to regularly perform both tabletop exercises and pen testing to enhance their security posture, so that they are more familiar with how they will respond to and recover from an emergency within an established time frame.
Tabletop exercises take into consideration several technology standards, and cybersecurity insurance carriers in the healthcare market are asking for such governance activities. The absence of regular testing, assessment and evaluation of security controls can result in insurance coverage denial, high deductibles or limited coverage at high premiums.
Also, more vendors are requiring their clients to fail over their production environment to a separate infrastructure, whether a data center or a cloud instance, in order to fully validate the organization’s recovery strategy in the event of an outage or cyberattack.
Establishing governance and technical committees will help drive a healthcare organization’s initiatives. Translate technical initiatives into business outcomes — especially important if you’re seeking board and C-suite approval.
Maintain a training program for your technical staff and the rest of your workforce so that they can continue being effective at keeping the organization safe.
Security partnerships can help healthcare providers better execute these initiatives. A partner can prioritize a security roadmap, validate a solution or provide the right resources.