Health care organizations are facing a cybersecurity crisis. According to the February 2019 Beazley Breach Insights report, health care entities reported 41% of all cybersecurity incidents – the highest number of any sector. This percentage is up from 20% in 2017. The industry ranks 15 out of the 17 major industries in terms of cybersecurity and is one of the lowest performing industries in terms of endpoint security, according to the 2018 Health Care Cybersecurity Report.
Health care organizations may assume that having a HIPAA Security Rule framework in place means they have appropriately managed their cybersecurity risk, but applying a proactive approach is the best way to reduce the legal exposure and manage the reputational impact that comes with a cybersecurity incident. The most effective proactive measure, however, is often overlooked. That is the tabletop exercise. This article will explain what occurs during a tabletop exercise, discuss the benefits of conducting such an exercise and provide some practical tips to maximize the effectiveness of a tabletop exercise.
What is a Tabletop Exercise?
A tabletop exercise is a pre-planned simulation where key stakeholders assemble to test an organization’s Incident Response Plan (IRP) against a real-world cybersecurity incident scenario. An IRP is a written, internal plan that addresses the steps required to detect, contain, eradicate and recover from a security incident.
For more information click here.
The exercise typically spans several hours and occurs in person. The fact situation posed will be dynamic. One or more opening scenarios will be presented, followed by a series of injected new facts and developments. As the situation evolves, the assembled group will need to consider the new information and adjust its thinking. This format allows the group to mimic a realistic incident, where facts are often unknown at the outset or shift dramatically as an investigation progresses.
The assembled group should include a facilitator, an observer and a group of participants. The participants should include members of the Incident Response Plan’s team, who would be called upon to act in response to an incident. Depending on the objectives, a limited number of additional individuals, including organizational leadership or representatives from key business partners, should also participate. The facilitator is critical to control the pace and flow of the exercise. The facilitator can nudge the discussion along when it appears to be veering off-topic, affirmatively solicit opinions from less vocal participants and ensure those who have a pivotal role in certain decision points provide their input. An observer can record comments and propose issues for follow-up.
Benefits of Conducting A Tabletop
Economical way to strengthen cybersecurity
Improving cybersecurity response is a paramount concern. Many organizations are forced to make improvements after undergoing a costly data security incident. The average cost for responding to a data breach is $148 for each improperly accessed record containing sensitive and confidential information, according to the 2018 Cost of Data Breach Study by IBM Security and the Ponemon Institute. A tabletop exercise, however, is an economical way to strengthen your organization’s capacity to withstand a cybersecurity incident. The ability to quickly and effectively implement your organization’s crisis plan can mean real savings, so the relatively modest cost to conduct a tabletop exercise is well worth the investment.
Coordinating disparate corporate functions
An organization typically operates through the delegation of decisions to teams headed by a leader, who in turns reports to the Chief Executive Officer or other executive. These functions may interact on a periodic basis but typically make decisions within the unit. A cybersecurity incident requires leadership from these disparate functions to suddenly be called upon to work together as a team and balance sometimes competing interests. For example, the first discussion about balancing an employee policy that requires an immediate suspension during an investigation with the need for critical information regarding an incident should not occur during an incident. Likewise, decisions regarding which operational partners should be notified and when, who can approve the contract to hire a forensic vendor on an expedited basis and who is responsible for notifying a cybersecurity insurance carrier should be discussed in advance. At its most fundamental, a tabletop exercise allows each area to better understand the unique mix of considerations at play in each functional area and to better work together to arrive at a decision that takes into account multiple functional areas.
Demonstrating the value of the cybersecurity program
An organization’s cybersecurity program is often viewed – incorrectly – as being solely an information technology, information security or compliance issue. Including representatives from other functional areas helps educate the organization about the ever-present risks associated with cybersecurity incidents. The tabletop exercise provides the opportunity for key stakeholders to buy into the cybersecurity program and can underscore the need for cybersecurity controls that might, without the appropriate context, be viewed as excessive or costly.
Tips for an effective tabletop exercise
Prepare, prepare, prepare
Take the time to think through the exercise. Get granular about the objectives of your tabletop exercise. At its core, a tabletop exercise is meant to test the organization’s readiness to respond to a cybersecurity event, but specific objectives might also include identifying gaps between your IRP and the decision-making process, ensuring that business continuity is fostered while dealing with the incident, setting forth mechanisms to ensure that high-priority stakeholders, such as board members, business partners and employees, are updated at appropriate intervals, or ensuring that public messaging is consistent with the organization’s values. These objectives can help formulate aspects of the tabletop exercise.
Make the scenario realistic
Care should be taken before conducting the tabletop to ensure the scenarios presented strike at the heart of the organization’s real-world concerns. By discussing the organization’s vulnerabilities in advance, the facilitators can ensure active participation and help stave off the group “fighting the hypothetical.” The facilitators should infuse elements of high-profile cybersecurity incidents in the organization’s industry. By tracking current events, the exercise works to proactively deal with the types of cybersecurity trends that will be top of mind for stakeholders.
Include outside organizations
A tabletop exercise should be conducted with the assistance of those outside the organization who can bring perspective from other data security incidents and flag the types of issues that have created delay in real-life scenarios. Ideally, those organizations are the same you would call upon in a real-life cybersecurity incident. Accordingly, involving your legal counsel, forensic vendors and even public relations personnel will further improve the organization’s results.
Build in time throughout, and at the end of, the exercise to go over feedback. The tabletop exercise is an invaluable opportunity to gather input from different parts of the organization. At the outset of the exercise, the participants should be encouraged to raise concerns and suggestions for improvement. The observer should be tasked with preparing a report with key findings and issues for follow-up.
Adjust the plan(s)
The exercise will undoubtedly expose areas where the IRP falls short. The organization should use this opportunity to modify the IRP to add actions, change the order of activity or alter the composition of the IRP team. Indeed, identifying these gaps is a significant reason for engaging in the exercise. A related benefit is that the exercise will allow the participants to better understand how the IRP will interact with other organizational plans, including any internal emergency response, business continuity, disaster recovery and computer failure plans. The exercise may prompt updates to those plans as well.
In sum, tabletop exercises are a low-cost measure that significantly improves an organization’s incident response readiness. The tabletop exercise enables the response team to train as a team, gain a common understanding of the IRP and coordinate decisions that impact several teams. An added benefit is that the participants have the opportunity to not only become more comfortable with their own roles, but to see how the entire response process will play out across the organization. The result is an IRP team that is as prepared as possible to act effectively and efficiently in facing a cybersecurity incident. While a tabletop exercise will not completely eliminate cybersecurity risk, it can return the organization to normal operations sooner, saving precious time, money and reputational impact.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.