Sponsored Content

A Tool to Combat Health Care's Cybersecurity Crisis

© Ice Miller LLC

Health care organizations are facing a cybersecurity crisis. According to the February 2019 Beazley Breach Insights report, health care entities accounted for 41% of all reported cybersecurity incidents, the highest share of any sector and up from 20% in 2017. The industry ranks 15th of the 17 major industries in overall cybersecurity performance and is among the lowest performers in endpoint security, according to the 2018 Health Care Cybersecurity Report.

Health care organizations may assume that having a HIPAA Security Rule framework in place means they have appropriately managed their cybersecurity risk, but a proactive approach is the best way to reduce the legal exposure and manage the reputational impact that comes with a cybersecurity incident. One of the most effective proactive measures, however, is often overlooked: the tabletop exercise. This article explains what occurs during a tabletop exercise, discusses the benefits of conducting one and offers practical tips to maximize its effectiveness.

What is a Tabletop Exercise?

A tabletop exercise is a pre-planned, discussion-based simulation in which key stakeholders assemble to test an organization’s Incident Response Plan (IRP) against a realistic cybersecurity incident scenario. An IRP is a written, internal plan that sets out the steps required to detect, contain, eradicate and recover from a security incident, and who is responsible for each step.


The exercise typically spans several hours and occurs in person. The fact pattern posed is dynamic: one or more opening scenarios are presented, followed by a series of “injects,” new facts and developments introduced by the facilitator as the exercise proceeds. As the situation evolves, the assembled group must weigh the new information and adjust its thinking. This format mimics a real incident, where facts are often unknown at the outset or shift dramatically as an investigation progresses.

The assembled group should include a facilitator, an observer and a group of participants. The participants should include the members of the incident response team designated in the IRP, who would be called upon to act in response to an actual incident. Depending on the objectives, a limited number of additional individuals, such as organizational leadership or representatives from key business partners, should also participate. The facilitator is critical to controlling the pace and flow of the exercise: nudging the discussion back when it veers off-topic, affirmatively soliciting opinions from less vocal participants and ensuring that those who own a pivotal decision point actually make the call. The observer records comments and decisions and proposes issues for follow-up.

Benefits of Conducting A Tabletop

Economical way to strengthen cybersecurity 

Improving cybersecurity response is a paramount concern, yet many organizations make improvements only after undergoing a costly data security incident. The average cost of responding to a data breach is $148 for each compromised record containing sensitive or confidential information, according to the 2018 Cost of a Data Breach Study by IBM Security and the Ponemon Institute. A tabletop exercise, by contrast, is an economical way to strengthen your organization’s capacity to withstand a cybersecurity incident. The ability to execute the IRP quickly and effectively can mean real savings, so the relatively modest cost of a tabletop exercise is well worth the investment.

Coordinating disparate corporate functions

An organization typically operates by delegating decisions to teams, each headed by a leader who in turn reports to the Chief Executive Officer or another executive. These functions may interact periodically but typically make decisions within their own unit. A cybersecurity incident requires leaders from these disparate functions to suddenly work together as a team and balance sometimes competing interests. For example, the first discussion about reconciling an employee policy that requires immediate suspension during an investigation with the need to obtain critical information from that employee about the incident should not occur during an incident. Likewise, which operational partners should be notified and when, who can approve a contract to retain a forensic vendor on an expedited basis and who is responsible for notifying the cybersecurity insurance carrier should all be settled in advance. At its most fundamental, a tabletop exercise lets each functional area understand the considerations the other areas face, so that the group can arrive at decisions that account for all of them.

Demonstrating the value of the cybersecurity program

An organization’s cybersecurity program is often viewed – incorrectly – as being solely an information technology, information security or compliance issue. Including representatives from other functional areas helps educate the organization about the ever-present risks associated with cybersecurity incidents. The tabletop exercise provides the opportunity for key stakeholders to buy into the cybersecurity program and can underscore the need for cybersecurity controls that might, without the appropriate context, be viewed as excessive or costly. 

Tips for an effective tabletop exercise

Prepare, prepare, prepare

Take the time to think through the exercise and get granular about its objectives. At its core, a tabletop exercise tests the organization’s readiness to respond to a cybersecurity event, but specific objectives might also include identifying gaps between the IRP and the actual decision-making process, ensuring that business continuity is maintained while the incident is handled, establishing mechanisms to keep high-priority stakeholders such as board members, business partners and employees updated at appropriate intervals, or ensuring that public messaging is consistent with the organization’s values. These objectives should drive the design of the scenario and its injects.

Make the scenario realistic

Care should be taken before the tabletop to ensure the scenarios presented strike at the heart of the organization’s real-world concerns. By reviewing the organization’s actual systems, data flows and known weaknesses in advance, the facilitators can ensure active participation and stave off the group “fighting the hypothetical.” The facilitators should also weave in elements of high-profile cybersecurity incidents in the organization’s industry. By tracking current events, the exercise prepares the group for the types of threats that will be top of mind for stakeholders.

Include outside organizations 

A tabletop exercise should be conducted with the assistance of outside parties who can bring perspective from other data security incidents and flag the types of issues that have caused delay in real cases. Ideally, these are the same organizations you would call upon in an actual cybersecurity incident. Involving your legal counsel, forensic vendors and even public relations personnel will therefore further improve the organization’s results.

Gather feedback

Build in time throughout the exercise, and at its end, to go over feedback. The tabletop exercise is an invaluable opportunity to gather input from different parts of the organization, so at the outset participants should be encouraged to raise concerns and suggestions for improvement as they arise. The observer should be tasked with preparing an after-action report with key findings and issues for follow-up.

Adjust the plan(s)

The exercise will almost certainly expose areas where the IRP falls short. The organization should use this opportunity to modify the IRP: add actions, change the order of activities or alter the composition of the IRP team. Identifying these gaps is a principal reason for conducting the exercise. A related benefit is that participants will better understand how the IRP interacts with other organizational plans, including internal emergency response, business continuity, disaster recovery and system outage plans, and the exercise may prompt updates to those plans as well.

In sum, tabletop exercises are a low-cost measure that significantly improves an organization’s incident response readiness. The tabletop exercise enables the response team to train as a team, gain a common understanding of the IRP and coordinate decisions that cut across several functions. An added benefit is that participants not only become more comfortable with their own roles but also see how the entire response process plays out across the organization. The result is an IRP team that is as prepared as possible to act effectively and efficiently when a cybersecurity incident occurs. While a tabletop exercise will not eliminate cybersecurity risk, it can return the organization to normal operations sooner, saving time and money and limiting reputational damage.

For more information, contact Reena Bajowala or another member of Ice Miller's Data Security and Privacy Group.

This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.