Sponsored Content

A Tool to Combat Health Care's Cybersecurity Crisis

© Ice Miller LLC

Health care organizations are facing a cybersecurity crisis. According to the February 2019 Beazley Breach Insights report, health care entities reported 41% of all cybersecurity incidents – the highest share of any sector, and up from 20% in 2017. According to the 2018 Health Care Cybersecurity Report, the industry ranks 15th out of the 17 major industries in overall cybersecurity and is among the lowest performing industries in endpoint security.

Health care organizations may assume that having a HIPAA Security Rule framework in place means they have appropriately managed their cybersecurity risk, but a compliance framework alone does not test whether the organization can actually respond. Applying a proactive approach is the best way to reduce the legal exposure and manage the reputational impact that comes with a cybersecurity incident. The most effective proactive measure, however, is often overlooked: the tabletop exercise. This article explains what occurs during a tabletop exercise, discusses the benefits of conducting one and provides practical tips to maximize its effectiveness.

What is a Tabletop Exercise?

A tabletop exercise is a pre-planned, discussion-based simulation in which key stakeholders assemble to walk through the organization’s Incident Response Plan (IRP) against a realistic cybersecurity incident scenario. No systems are touched; the test is of people, decisions and process. An IRP is a written, internal plan that sets out the steps required to detect, contain, eradicate and recover from a security incident.


The exercise typically spans several hours and occurs in person. The scenario is dynamic: one or more opening situations are presented, followed by a series of “injects” – new facts and developments introduced by the facilitator at planned points. As the situation evolves, the assembled group must consider the new information and adjust its thinking. This format mimics a real incident, where facts are often unknown at the outset or shift dramatically as an investigation progresses (for example, an apparent malware infection on one workstation turning out to be a compromised administrator account with access to patient records).

The assembled group should include a facilitator, an observer and a group of participants. The participants should be the members of the Incident Response Plan’s team who would actually be called upon to act in response to an incident. Depending on the objectives, a limited number of additional individuals, such as organizational leadership or representatives from key business partners, should also participate. The facilitator is critical to controlling the pace and flow of the exercise: the facilitator nudges the discussion along when it veers off-topic, affirmatively solicits opinions from less vocal participants and ensures that those who hold a pivotal role at each decision point provide their input. The observer records comments, notes where the group hesitated or disagreed and proposes issues for follow-up.

Benefits of Conducting A Tabletop

Economical way to strengthen cybersecurity 

Improving cybersecurity response is a paramount concern. Many organizations are forced to make improvements only after undergoing a costly data security incident. The average cost of a data breach is $148 for each lost or stolen record containing sensitive and confidential information, according to the 2018 Cost of a Data Breach Study by IBM Security and the Ponemon Institute. A tabletop exercise, by contrast, is an economical way to strengthen your organization’s capacity to withstand a cybersecurity incident. The ability to quickly and effectively execute your organization’s crisis plan can mean real savings, so the relatively modest cost of a tabletop exercise is well worth the investment.

Coordinating disparate corporate functions

An organization typically operates through the delegation of decisions to teams, each headed by a leader who in turn reports to the Chief Executive Officer or another executive. These functions may interact periodically but typically make decisions within their own unit. A cybersecurity incident requires leaders from these disparate functions to suddenly work together as a team and balance sometimes competing interests. For example, human resources policy may require that an employee suspected of involvement be suspended immediately, while the investigation may need that same employee’s cooperation to obtain critical information about the incident; the first discussion of how to balance those two interests should not occur during an incident. Likewise, decisions regarding which operational partners should be notified and when, who can approve a contract to hire a forensic vendor on an expedited basis and who is responsible for notifying the cybersecurity insurance carrier (and within what notice period the policy requires) should be settled in advance. At its most fundamental, a tabletop exercise allows each area to understand the unique mix of considerations at play in the other functional areas and to arrive together at decisions that take all of them into account.

Demonstrating the value of the cybersecurity program

An organization’s cybersecurity program is often viewed – incorrectly – as solely an information technology, information security or compliance issue. Including representatives from other functional areas educates the organization about the ever-present risks associated with cybersecurity incidents. The tabletop exercise gives key stakeholders the opportunity to buy into the cybersecurity program and can underscore the need for controls that might, without the appropriate context, be viewed as excessive or costly.

Tips for an effective tabletop exercise

Prepare, prepare, prepare

Take the time to think through the exercise and get granular about its objectives. At its core, a tabletop exercise tests the organization’s readiness to respond to a cybersecurity event, but specific objectives might also include: identifying gaps between the IRP and the actual decision-making process; ensuring that business continuity is maintained while the incident is handled; confirming that mechanisms exist to update high-priority stakeholders, such as board members, business partners and employees, at appropriate intervals; and ensuring that public messaging is consistent with the organization’s values. Each objective should map to at least one scenario element or inject, so that the exercise actually measures what it set out to measure.

Make the scenario realistic

Care should be taken before conducting the tabletop to ensure the scenarios presented strike at the heart of the organization’s real-world concerns. By discussing the organization’s vulnerabilities in advance, the facilitators can ensure active participation and help stave off the group “fighting the hypothetical.” The facilitators should also infuse elements of high-profile cybersecurity incidents in the organization’s industry, such as ransomware affecting clinical systems or the compromise of a vendor with access to patient data. By tracking current events, the exercise proactively addresses the types of threats that will be top of mind for stakeholders.

Include outside organizations 

A tabletop exercise should be conducted with the assistance of those outside the organization who can bring perspective from other data security incidents and flag the types of issues that have created delay in real-life scenarios. Ideally, these are the same organizations you would call upon in an actual cybersecurity incident. Involving your outside legal counsel, forensic vendor and public relations personnel in the exercise therefore tests the working relationship itself, not just the plan, and further improves the organization’s results.

Gather feedback

Build in time throughout, and at the end of, the exercise to go over feedback. The tabletop exercise is an invaluable opportunity to gather input from different parts of the organization. At the outset, participants should be encouraged to raise concerns and suggestions for improvement as they arise. The observer should be tasked with preparing a written after-action report with key findings, the issues identified for follow-up and an owner for each.

Adjust the plan(s)

The exercise will undoubtedly expose areas where the IRP falls short. The organization should use this opportunity to modify the IRP to add actions, change the order of activities or alter the composition of the IRP team. Indeed, identifying these gaps is a principal reason for conducting the exercise. A related benefit is that the exercise shows participants how the IRP interacts with other organizational plans, including any internal emergency response, business continuity, disaster recovery and computer failure plans. The exercise may prompt updates to those plans as well.

In sum, tabletop exercises are a low-cost measure that significantly improves an organization’s incident response readiness. The tabletop exercise enables the response team to train as a team, gain a common understanding of the IRP and coordinate decisions that affect several teams. An added benefit is that participants not only become more comfortable with their own roles but also see how the entire response process will play out across the organization. The result is an IRP team that is as prepared as possible to act effectively and efficiently when facing a cybersecurity incident. While a tabletop exercise will not eliminate cybersecurity risk, it can return the organization to normal operations sooner, saving time and money and reducing reputational damage.

For more information, contact Reena Bajowala or another member of Ice Miller's Data Security and Privacy Group.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
