Testing Your Plan


Imagine the following scenario: On Monday morning, employees arrive at your practice to find their workstations locked by ransomware. IT staff are investigating the incident and responding to employees who cannot access their workstations. Patients are beginning to walk in for their appointments, and the receptionist is fielding incoming calls. Without access to workstations, employees start to use paper and pen to take down information. IT discovers the files will not be decrypted unless the ransom is paid. How do you proceed?

The scenario above is based on real-life cyber events that have impacted health care organizations across the country. Health organizations are an attractive target for cyber criminals due to the large amount of personally identifiable information in their possession. On October 29, 2020, the Office for Civil Rights issued a warning of ransomware activity targeting the healthcare and public health sector. It urged health organizations to continuously engage in managing the risk posed by ransomware and other cyber threats. The increase in cyber threats comes with more employees working remotely and organizations becoming more reliant on technology.

Over the course of this year’s Incident Response Plan series, we’ve covered selecting your response team, how to develop your response game plan, and how to communicate your plan throughout your organization. One crucial final element remains: practice! As they say, nothing is like the real thing, and that certainly holds with cyber events. To make sure you’re ready for any incident that comes your way, the following are ways your organization can regularly practice your incident response plan.

Tabletop Exercises
Tabletop exercises are an effective way to put an incident response plan to the test. They elicit valuable information that strengthens the plan and the team. Consider the ransomware scenario above, and imagine it’s happened to your organization. At which point does your organization activate the incident response plan? Do you bring in external resources – such as insurance or forensic experts – at this point, or do you wait? Is your organization ready to communicate with your patients and partners about what is occurring? What if the media gets involved? Are you ready to respond? During a tabletop exercise, working through these questions will smooth out the incident response plan and bring forth action items not considered before. The team will be able to identify gaps in the current plan and build on strengths.

You can build possible scenarios and response templates into your incident response plan. Your plan can include documents such as letters and forms to use if an event occurs similar to a pre-tested scenario. Those scenarios can be identified and developed through a tabletop exercise or through a team meeting. Again, the more you practice your incident response plan, the better your response will be.

Updates to the Plan
Nothing is static, and the cyber landscape changes rapidly. Your incident response plan should be regularly reviewed and updated by all your team members. Regular review of your plan allows your team members to keep the plan fresh in their minds. Additionally, the roles and positions of your team members may change. You may identify new resources. Contact information may change. All of these are good reasons to review and update your plan regularly. Should your organization experience a cyber event, make sure to update your plan with the lessons learned from the event. Keep in mind that any substantial changes to the plan should be communicated to employees, and any necessary training should be provided in a timely manner.

Anticipating cyber threats and being prepared for them gives your organization the ability to contain and mitigate cyber events quickly and effectively. Your team effort, response plan, and practice will ensure your organization is equipped to respond and strike out any cyber threats that come your way.