How to Plan a Successful Cyber Security Tabletop Exercise


What is a Tabletop Exercise?

A tabletop exercise (TTX) is a discussion-based simulation where participants walk through a cyber security incident response scenario step-by-step in a controlled environment. It tests the organisation’s ability to handle an incident, such as a cyber attack, by discussing roles, actions, decision-making processes, and collaboration among teams, without actually responding to a live threat.

Key Features:
  • Includes senior leaders, IT, security, and business teams.
  • Simulates real-world scenarios to evaluate incident response plans.
  • Identifies gaps in security and operational readiness.
  • Enhances team collaboration and preparedness.

Why Do You Need Tabletop Exercises?

Key Reasons for Running Tabletop Exercises:
  • Incident Preparedness: Make sure your team is ready to respond to security breaches.
  • Identify Gaps: Spot any gaps in your cyber security controls and processes.
  • Stay Compliant: Meet legal and regulatory requirements that call for regular security testing.
  • Stakeholder Engagement: Engage cross-functional teams in security efforts and foster better communication during crises.
  • Rehearse Critical Roles: Allow team members to practice their roles and responsibilities during a security incident.

For digital health and medical device companies, cyber security incidents can affect patient data, device performance, and regulatory compliance, making TTXs even more critical.

What Standards Require You to Do Tabletop Exercises?

Many regulatory standards require or recommend that organisations conduct tabletop exercises as part of their incident response and preparedness strategies. Below are some examples important for health and medical device companies:

ISO 27001

ISO 27001, the leading international standard for information security management systems (ISMS), emphasises the need for organisations to test their incident response plans regularly, for example through tabletop exercises. It helps ensure that cyber risks are managed effectively and that security policies are practised in a controlled environment.

Relevant Clause: A.16.1.5 - Incident response testing should be carried out periodically to ensure that procedures are effective and up to date.

EUMDR (European Union Medical Device Regulation)

Under EUMDR, medical device manufacturers are required to maintain a risk management system that addresses cyber security risks. Conducting tabletop exercises helps manufacturers meet these requirements by ensuring their response plans for cyber attacks are robust and can handle device vulnerabilities that may compromise patient safety.

Important Section: Annex I, Section 14.2 – Manufacturers need plans to stop unauthorised access to devices and deal with security issues.

FDA Cyber Security Good Practice

The FDA’s Cyber Security Guidance for medical devices encourages manufacturers to conduct regular security assessments and response testing, including tabletop exercises, to safeguard the integrity, availability, and confidentiality of device data. This ensures that vulnerabilities are managed and patient safety is prioritised.

Important Guidance: The FDA’s "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" outlines the need for testing response plans, including through tabletop exercises.

NHS Data Security and Protection Toolkit (DSPT)

For organisations working with the NHS or handling NHS data, the NHS DSPT sets standards for data protection and cyber security. It encourages organisations to carry out regular security assessments and testing, such as tabletop exercises, to ensure their security processes are fit for purpose.

Important Standard: Standard 7.2 – Organisations must have tested response plans for security incidents.

What Does Each Standard Say About Tabletop Exercises?

ISO 27001

ISO 27001 stresses the importance of periodic testing of an organisation’s incident response plan. Tabletop exercises are a highly recommended method for organisations to practise their response capabilities, improve collaboration between departments, and assess how effectively they can react to cyber threats.

EUMDR

The EUMDR requires manufacturers to create and maintain effective risk management processes. By running tabletop exercises, medical device manufacturers can demonstrate compliance with EUMDR’s cyber security requirements by showing that their teams are prepared to respond to vulnerabilities that could impact device safety.

FDA Cyber Security Good Practice

The FDA's guidance for medical device cybersecurity highlights the importance of regular security testing. Tabletop exercises ensure that manufacturers understand how to handle cyber threats and mitigate potential risks to device functionality, safeguarding patient safety and data.

NHS DSPT

DSPT requires organisations to demonstrate they have tested their incident response plans. Tabletop exercises allow healthcare providers and their suppliers to ensure that data security incidents can be managed swiftly and effectively.

Steps to Success in a Tabletop Exercise

To hold a successful tabletop exercise, certain factors need to be in place. Each step below gives actionable guidance on how to approach that aspect of the exercise.

1. Planning
  • Set Clear Goals: Know what you want to achieve, such as improving response times, understanding team roles, or finding weaknesses.
  • Pick the Right Scenario: Choose a realistic problem that is relevant to your industry, such as a ransomware attack targeting patient data or a cyber threat compromising a medical device.
  • Define Success: Decide what a successful response looks like. Clear outcomes should guide the exercise.
2. Get the Right People Involved
  • Make sure the right teams are involved such as executive leadership, IT teams, cyber security personnel, legal advisors, and business unit leaders.
  • For medical device companies, involve product managers, regulatory affairs experts, and clinical professionals to address technical and safety concerns.
3. Use Real Scenarios
  • Use real-life incident examples or threats that your industry faces. For example, a breach in patient health data can have severe consequences in digital health.
  • Base the scenario on recent trends, such as phishing or ransomware attacks in healthcare.
4. Invoke an Emotional Response

The exercise should be designed to engage participants by making them feel some of the pressure of a real incident. Consider timing responses with countdowns to create a sense of increasing urgency.

5. Focus on What Matters - Ensure the Key Aspects Are Something the Team Cares About

Think about the real-world consequences, like fines, damage to patient trust, and potential harm to individuals' health if devices are compromised, to make the exercise meaningful.

6. Have a Clear Plan

Break the scenario down into steps:

  • Phase 1: Initial incident detection
  • Phase 2: Escalation and communication
  • Phase 3: Incident response and recovery
  • Phase 4: Post-incident actions (debrief and lessons learned)

7. Prepare a Simple Slide Deck

Create a simple slide presentation with:

  • Scenario introduction
  • Key decision points for participants
  • Timeline to maintain flow
  • Evaluation criteria to assess responses

8. Limit Response Time

Give teams limited time to respond, just like in real life. This helps them practise making decisions quickly.

9. Keep the Group Focused

Have a facilitator lead the exercise to keep everyone on track and avoid distractions.

10. Keep the Energy Up

The facilitator should inject enthusiasm and momentum into the exercise, using varied tones, questions, and engagement techniques to keep participants focused and alert.

The Tabletop Exercise Guide

1. Planning
  • Objective Setting: Determine the goals (e.g., testing specific systems, practicing communication).
  • Choose the Right Scenario: Make it realistic but varied, addressing different types of incidents like phishing, ransomware, or data breaches.
  • Identify Key Participants: List everyone who needs to be involved, from IT and security to legal and HR.
  • Set Date and Time: Schedule the exercise, ensuring adequate time is allocated.

2. Building the Exercise

  • Develop the Scenario: Write a detailed scenario relevant to your industry. For medical devices, you might simulate a device malfunction caused by malware.
  • Create Role Cards: Assign specific roles and responsibilities to participants.
  • Prepare Supporting Materials: Develop incident reports, mock emails, and notifications that simulate the escalation of the incident.

3. Organising

  • Brief Participants: Provide a clear overview of what the exercise will cover without revealing the scenario in advance.
  • Set up the Environment: Choose a meeting space conducive to discussion or use virtual meeting software if remote.

4. Running the Exercise

  • Present the Scenario: Walk participants through the scenario, ensuring they understand their roles and what’s expected.
  • Facilitate Discussion: Encourage participants to discuss their actions at each stage.
  • Track Time: Use a clock to simulate time pressures, forcing participants to make decisions under stress.

5. Debrief and Improve

  • Debrief Immediately: After the exercise, hold a meeting to discuss what went well and what could be improved.
  • Document Lessons Learned: Record key takeaways and improvements.
  • Update Response Plans: Revise your incident response plans based on findings from the exercise.
  • Distribute Results: Share the exercise results with leadership and teams for continued improvement.

Ready to take your digital health company to the next level by strengthening your cybersecurity and compliance? Contact Periculo today to see how we can help you meet crucial standards like ISO 27001 and build trust with major healthcare organisations.

Want personalised advice? Book a free 30-minute strategy call to explore how Periculo can tailor a security solution that wins you more contracts and keeps your business secure.