How to Run a High-Impact Healthcare Cybersecurity TTX

by T.J. Ramsey, Sr. Director, Threat Operations at Fortified Health Security, 01/14/2026


A well-orchestrated healthcare cybersecurity tabletop exercise (TTX) can greatly benefit any healthcare organization. Unfortunately, some TTXs are chaotic and unproductive. When 25 hospital leaders are tied up in a disorganized TTX for four hours, that’s 100 hours of lost productivity.

Here are some tips for how to conduct successful healthcare TTXs that can dramatically improve your preparedness for cyber crises:

Choose your invitations carefully – I’ve been in tabletop exercises that involved 60 hospital employees. That’s generally too many attendees. Ten to 25 people is the norm if you’re including people from across the enterprise: C-suite, legal, compliance, IT staff, etc. If an exercise is only for IT staffers, five to 10 attendees might be plenty.

Select an impartial facilitator – Managed Security Service Providers (MSSPs) make ideal TTX facilitators because they have deep technical expertise and can speak honestly because they’re not involved in hospital governance. Putting all the slide decks and support materials together for an exercise is a time-consuming chore, so outsourcing that to a security partner makes sense.

Don’t let the session exceed four hours in length – A four-hour duration gives everyone a chance to contribute without the exercise turning into a marathon.

Don’t let attendees defer to one or two executives – Sometimes TTX participants are afraid to “buck the boss” during an exercise, deferring again and again to what a CIO or CISO is saying. Here’s an interesting experiment: ask the CIO and CISO to pretend like they’re on vacation and unreachable for the next 30 minutes. In many cyber incidents, key executives are temporarily unreachable – and the TTX can simulate what would actually happen if that were the case.

Look for signs of overconfidence and denial – Most exercises begin with a cybersecurity scenario like “you’ve just been hit with ransomware.” It’s not unusual for participants to immediately respond, “That could never happen to us – we have a great EDR.” But for a TTX to be successful, participants must assume that one of their safeguards has failed. Some hospital executives stubbornly refuse to believe that their EDR could be circumvented, or that a threat actor’s approach might not set off alarms right away, allowing ransomware to get in.

Be on the lookout for “we’re working on it” responses – When a weakness gets exposed, some TTX participants are likely to sugar-coat the situation and say “we’re working on a fix for that problem” or “that’s in development.” In reality, the organization may have some glaring deficiencies that need to be swiftly addressed.

Never schedule more than two full-scale TTXs per year – An exercise usually identifies numerous procedural and policy-level gaps – and those can take significant time to remedy. You have to give people ample time to fix the problems. For example, if an organization needs to ratify an emergency communication plan, that’s obviously not an overnight task.

Encourage departmental mini-tabletop drills – Once a full-scale TTX has concluded, it’s the perfect time for individual departments to conduct mini-tabletop exercises. After facilitating a TTX recently, I encouraged the nursing director to meet with her department heads. Just tell them “This is what we uncovered in our recent TTX and I’d like you to discuss it with your staff.” You can go to the NICU nurses and say, “If these systems are down, walk me through what you’d do.” A mini-exercise isn’t disruptive or time-consuming – and it keeps the staff more engaged in security issues.

In addition to the tips shared here, the Cybersecurity & Infrastructure Security Agency (CISA) offers helpful suggestions for how to conduct an effective cybersecurity TTX.

In role-playing games like Dungeons & Dragons, the worst you can do is lose the game. But in a role-playing exercise like a TTX, you discover that you could potentially lose millions of dollars if you don’t have the right teamwork and procedural/policy clarity.


About T.J. Ramsey

T.J. Ramsey is Senior Director, Threat Operations at Fortified Health Security with 18 years of experience in healthcare and defense intelligence. He served as a U.S. Army Military Intelligence Analyst for the Department of Defense and held security roles at Obsidian Solutions Group and SAIC/Leidos.

Tagged With: Cybersecurity