Hosting a Successful Cyber Breach Tabletop Exercise

Kopiha Nathan
graphic of two employees at a desk with a lock between them

HIROC is here to help. If your organization is looking for assistance in putting together a cyber breach tabletop exercise, developing educational resources, or if you'd like to share lessons learned, reach out to us at

A tabletop exercise is a cost-effective way to validate emergency response plans and system outage procedures (e.g., cyber breach incident response plan). During these exercises, leadership teams and employees with key emergency response roles come together to review hypothetical crisis situations (in a step-by-step, stress-free manner).

Exercises can be facilitated by internal or external experts and can run anywhere from two to eight hours, depending on the participants and the objectives.

Why Run a Tabletop Exercise

Tabletop exercises can help organizations assess the adequacy of current procedures and policies, identify the strengths and deficiencies of their crisis response plans, and define the roles and responsibilities of the crisis team. They are used to prepare relevant emergency response teams and leadership, as well as to educate healthcare board members around emergency response protocol. While exercises do take some planning to define key objectives, ensure credible scenarios, and to be risk based, they do not have to be complicated to stage. 

With the increase in cyber breaches across the sector, tabletop exercises are a necessary and powerful tool for healthcare organizations.

At a minimum, organizations should run cyber breach tabletop exercises with executive leadership teams annually. The exercise can also be run with cyber breach response teams and other functional teams as required. 

Key Elements of a Cyber Breach Tabletop Exercise

1. Clearly-defined objectives and expected outcomes


For example:


  1. Gain a clear understanding of a cyber breach incident 
  2. Review existing cyber breach response plan to identify gaps and opportunities for improvement
  3. Define roles and responsibilities of cyber breach response team members
  4. Understand emergency communication procedures and escalation paths (e.g., CEO will notify Board Chair, Board Chair will notify board members)
  5. Review and talk through response plans in a stress-free and safe environment

Expected outcomes:

  1. Clearly defined gaps and improvement ideas
  2. List of external or additional resource requirements

2. A cyber breach scenario or example that is frequently experienced by the industry

Pull from available cyber breach examples in the media or that peer healthcare organizations have experienced. You want the scenarios to be current and relevant. Ensure you keep this scenario well hidden from the participants of the tabletop exercise. The element of surprise is vital to the success of a tabletop exercise.

Sample cyber breach scenario: Through a phishing email, a cybercriminal targets one of the hospital’s Information Technology staff members who has system administrative privileges. The cybercriminal gains access to the network, compromises Personal Health Information (PHI) and installs ransomware on the hospital’s computers.

3. An engaging exercise structure for tabletop participants 

Exercise structure can be presented using multimedia (e.g., PowerPoint, videos, etc.). The exercise structure should include:

  • Cyber threat definition, examples and other details to educate the participants of the importance of cyber threats 
  • Description of events as they unfold from Day 1 to event resolution day, in a step-by-step and contemporary manner. Here is a sample description:
    • Day 1, 10:00 a.m.: A system administrator from the Information Technology (IT) Department receives an email from the personal email account of a Finance department employee. The email states the Finance employee recently noticed some security notifications on their payroll vendor’s website and recommends that the system administrator review the notification. The system administrator clicks on the link in the email and is re-directed to what appears to be the vendor’s website. The website contained a generic warning of a ransomware variant. The IT employee does not believe the email to be suspicious.
    • Day 4, 12:30 p.m.: Your IT staff conducts a routine review of intrusion detection system logs and discovers unusual traffic on your organization’s printer ports. There is a significant amount of data leaving the printer ports and going to external IP addresses.

4. An engaging facilitator

A facilitator should be knowledgeable and experienced enough to facilitate the group discussion by pausing and posing the right questions to the participants, at the right time. Sample questions may include:

  • What concerns do you have? How would you rate the severity of this event? Would this event need escalation?
  • Who (if anyone) should be informed? By whom?
  • What actions should be taken? By whom?

5. The right group of stakeholders and participants

To reap the benefits accordingly, the right group of participants should be engaged based on the topic of the exercise. A cyber breach tabletop exercise should involve the following representatives, at minimum:

  • Incident Manager
  • Information Technology or Infrastructure Lead
  • Chief Information Security Officer and Chief Information Officer
  • Human Resources
  • Communications/Media
  • Privacy Officer
  • Risk Manager
  • All other executive leaders (CEO, VPs, etc.)
  • Clinical leadership (as required)
  • Scribe (Document! Document! Document!)
  • Other appropriate roles from the Incident Management System Team (e.g., Logistics) 
  • Board members (optional)
  • Legal counsel (optional)

6. Well-documented responses

Your scribe should document the answers to the facilitator’s questions and gaps appropriately. Below is a sample of a completed Facilitation Questionnaire (following the scenarios presented above in part 3).

What concerns do you have? Who should be informed?  What actions would you take?
  • Potential cyber breach
  • How did the IT system administrator not identify the phishing email?
  • Did the system administrator use the elevated account when they clicked the phishing link?
  • Potential data breach or data exfiltration
  • Internal cyber security lead
  •  IT leadership / management
  • CIO
  • Cyber security firm
  • VPs and CEO
  • Privacy Officer
  • Take the printer offline
  • Look at all system activities and logs to identify potential anomalies
  • Look back at the printer logs to gage when the anomalies started
  • Contact Security Operations Centre (internal/external)

Discussion Questions for Cyber Security Teams

When running a tabletop exercise with the team responsible for cyber security, create discussion questions to ensure the important topics are covered. Sample discussion questions include:

  •  Do you have appropriate internal resources to handle such events?
  •  Do you know (and can you access) the contact details of external resources that may help resolve such events?
  • Do you have defined roles for handling cyber security incidents?
  • Do you have the necessary escalation path and decision-making criteria for paying the ransom?
  • Do you have an identified individual, or group of individuals, responsible for external communications and media relations? Do you have scripts developed?
  • What impact will a breach of Personal Health Information have on your organization? On patients/clients?
  • What preventative processes and activities have you employed to ensure that these types of breaches do not occur at your organization?

How HIROC Can Help

As your proactive safety partner, HIROC shares knowledge and scales lessons learned across the healthcare system.

HIROC held two virtual risk management clinics in 2021, which included a total of three facilitated cyber security tabletop exercises. These exercises were built on real-life cyber breach incidents observed in the healthcare space. Hundreds of Subscriber participants with representation from IT leadership, healthcare leadership, Risk Managers, Privacy Officers and Chief Information Officers participated in the clinics. To access recordings from the 2021 sessions, email Kopiha Nathan at

Stay tuned for more Subscriber-exclusive workshops in 2022 that can help your teams prepare and practice. 

Tabletop exercises do require planning and resources to ensure success. While they are valuable for all emergency planning, running tabletop exercises focused on cyber breach is critical for healthcare organizations.

If your organization is looking for assistance in putting together a cyber breach tabletop exercise or developing educational resources for staff, please do not hesitate to reach out to us at

Finally, for more information on best practices, download HIROC’s Cyber Risk Management Guide, and Cyber Security Crisis Communications Guide.

External Resources

Kopiha Nathan is HIROC’s Privacy and Compliance Officer. Reach out to her at