Tabletop Exercises: Unappreciated and Underutilized
Value for healthcare security – Not just a government planning tool
Government defense and response agencies from the Pentagon to FEMA, from state government to the EPA, have been conducting tabletop exercises (TTXs) for years. Why? In a word: they work. Cybersecurity attacks have been increasing in numbers and complexity against our government’s critical infrastructures and led to the development of cybersecurity exercises as a strategic way for an organization to test their detection and response actions, and as well as their response to information security threats and vulnerabilities in a real-time environment.
Tabletop exercises don’t only work for government defense; they can be applied in healthcare to prepare for extraordinary events that would disrupt security practices. Recent attacks on hospital computer systems by hackers to steal or manipulate patients’ financial or medical records or other information have threatened healthcare organizations’ information technology, their underlying security measures, and their employees’ ability to care for patients and respond to emergencies.
Loss of patient information, disruption of care because of software unavailability, loss of confidence in providers because of the perception of inadequate security, power outages, and risks to personal medical devices (pacemakers, and insulin pumps for example) have all been results of cyber attacks. In recent years, healthcare organizations and hospitals have increased the use of wireless, personal medical devices and network connections, which places these devices at risk for privacy and security breaches. Medical devices are at risk for remote interference from cyber attackers.
What is a Tabletop Exercise?
According to the ready.gov website, tabletop exercises are discussion-based sessions where team members meet in an informal, classroom setting with a facilitator to discuss their roles during an emergency and to prepare their responses to one or more particular emergency situations. The duration of a tabletop exercise depends on the audience, the exercise topic, and the exercise objectives. Many tabletop exercises can be conducted in a few hours, so they are cost-effective tools to validate plans and capabilities. Tabletop exercises can be used to identify weak points to address so that, in the event of a real-life security breach or emergency, responding individuals will be ready.
Why should you be doing them?
Beyond the desire to protect your healthcare systems and patients, a reason to be conducting a tabletop exercise is that it meets the criteria for compliance with HIPAA statute §164.308(a)(7)(ii)(D): Implement procedures for periodic testing and revision of contingency plans. As well as meeting regulatory requirements, tabletop exercises are a cost-effective and robust method for dealing with security risks.
With a long history of use by government agencies, tabletop exercises are one of the most talked-about ways in government to challenge and examine organizationally or cross-organizational plans, hone staff problem-solving under pressure and increase your company’s preparedness and communication—provided you properly design, carefully conduct, fully evaluate, and actually implement the results of your exercise.
What does it do for you?
The most obvious advantage of these exercises is that it allows staff members or participants to test organizational plans or even hypothetical situations without disrupting daily operations (e.g., disaster recovery, data breach, business continuity). Another advantage is they bring all applicable participating members together. It may not seem like a big deal, but in mid to large sizes organizations, staff members from different departments could work years without ever meeting. Tabletop exercises afford individuals the ability to build critical relationships before security events ever happen. There is an old saying in the emergency response community, “you don’t want to be trading business cards at the incident site.”
Increased familiarity with the response plan is another benefit. The effort of talking through the entire plan is itself a way of training staff members to learn more about what their actions, and the actions of others around them, should be. Typically, staff members will review and comprehend only their portion of the plan – especially if the plan is longer than 15 pages. A TTX enables each cross-functional department to listen and consume what their counterparts are doing. This “cross-talk” is where the real magic happens during a tabletop.
Critical to the success of the TTX is ensuring that the appropriate incident response and disaster recovery plans are updated with findings from the exercise. As the team works through the exercise, there are sure to be identified deficiencies that require process updates. Updating and implementing processes ensure an effective plan should it ever be needed.
However, the most significant advantage to Tabletop exercises is something health systems and security officers are always thinking about: resources and money. The essence of a tabletop exercise is to be informal, low maintenance, and efficient. The idea is to encourage and spur discussion across the team members. The focus of working in a single meeting room, without disrupting your facilities, employees, or patients, could revolutionize and evolve your disaster recovery plan with the proper planning and experienced facilitators.
The benefits of Tabletop Exercises are vast; here are a few additional advantages published by the Oak Ridge Institute for Science and Education (a U.S. Department of Energy institute):
- Provides the opportunity to replicate working conditions and actions without concern for safety and hazards to personnel, facility, equipment, and the public
- Provides varying amounts of realism, depending on the activity
- Allows staff members to experience and practice job-related skills and receive feedback on performance
- Allows staff members to practice behaviors recently acquired or to experiment with behaviors that have the potential to be useful
- Allows staff members to observe the effects of their action on others and emphasizes that good human relations require skill
- Provides flexible and cost-effective training by reducing the cost of development, delivery, and documentation
- Provides training that is less stressful than full-scale exercises
- Allows enhanced “learning by doing”
- Provides documented results
- Allows interactive communication between emergency management staff in a non-threatening environment
As you can see, there is a wide array of advantages to performing Tabletop exercises. Immeasurable, however, is the extra time and protection such exercises can provide to your employees and patients when facing inevitable cybersecurity attacks.
About the Author
Intraprise Health’s Vice President of Security Products and Strategy, Ryan Patrick, MBA, CISSP, CCSFP, brings 17 years’ experience in security and information technology for both the public and private sectors.
Ryan brings an innovative perspective to protecting information and organizational resources. Before joining Intraprise Health, Ryan served as the Vice President of Client Services & Operations with Fortified Health Security where he developed and led a team that was named the 2018 North American Health IoT Company of the Year by Frost & Sullivan and a Top Provider of Medical Device & IoT Cybersecurity Solutions by Black Book. Ryan previously served as the Director of Security, Privacy and Compliance at Blueprint Healthcare IT.
Working within organizations like MetLife and Memorial Sloan-Kettering Cancer Center as a security analyst, Ryan has gained a wealth of experience conducting risk assessments against HIPAA, ISO 27001, NIST 800-53 and PCI-DSS.
He has been Battalion Commander at United States Army Reserve since April 2017. His previous military assignments include serving as Global Enterprise Operations Center Team Chief for the US Special Operations, Chief Information Officer of 42d Infantry Division within the New York Army National Guard, as the Deputy Chief Information Officer, and Chief Information Officer of FEMA Region II Homeland Response Force.