<  All Posts

How to Plan a Successful Cyber Security Tabletop Exercise

Author:
Harrison Mussell

What is a Tabletop Exercise?

A tabletop exercise (TTX) is a discussion-based simulation where participants walk through a cyber security incident response scenario step-by-step in a controlled environment. It tests the organisation’s ability to handle an incident, such as a cyber attack, by discussing roles, actions, decision-making processes, and collaboration among teams, without actually responding to a live threat.

Key Features:

Why Do You Need Tabletop Exercises?

Key Reasons for Actioning Table Top Exercises:

For digital health and medical device companies, cyber security incidents can affect patient data, device performance, and regulatory compliance, making TTXs even more critical.

What Standards Require You to Do Tabletop Exercises?

Many regulatory standards require or recommend that organisations conduct tabletop exercises as part of their incident response and preparedness strategies. Below are some examples important for health and medical device companies:

ISO 27001

The leading international standard for information security management systems (ISMS), emphasises the need for organisations to conduct regular testing of their incident response plans, such as through tabletop exercises. It helps ensure that cyber risks are managed effectively and security policies are practiced in a controlled environment.

Relevant Clause: A.16.1.5 - Incident response testing should be carried out periodically to ensure that procedures are effective and up to date.

EUMDR (European Union Medical Device Regulation)

Under EUMDR, medical device manufacturers are required to maintain a risk management system that addresses cyber security risks. Conducting tabletop exercises helps manufacturers meet these requirements by ensuring their response plans to cyber attacks are robust and can handle device vulnerabilities that may compromise patient safety.

Important Section: Annex I, Section 14.2 – Manufacturers need plans to stop unauthorised access to devices and deal with security issues.

FDA Cyber Security Good Practice

The FDA’s Cyber Security Guidance for medical devices encourages manufacturers to conduct regular security assessments and response testing, including tabletop exercises, to safeguard the integrity, availability, and confidentiality of device data. This ensures that vulnerabilities are managed and patient safety is prioritised.

Important Guidance: The FDA’s "Content of Premarket Submissions for Management of Cybersecurity in Medical Devices" outlines the need for testing response plans, including through tabletop exercises.

NHS Data Security and Protection Toolkit (DSPT)

For organisations working with the NHS or dealing with NHS data, the NHS DSPT sets standards for data protection and cyber security. It encourages organisations to do regular security assessments and testing, such as tabletop exercises, to ensure their security processes are fit for purpose.

Important Standard: Standard 7.2 – Organisations must have tested response plans for security incidents.

What Does Each Standard Say About Tabletop Exercises?

ISO 27001

ISO 27001 stresses the importance of periodic testing of an organisation’s incident response plan. Tabletop exercises are a highly recommended method for organisations to practice their response capabilities, improve collaboration between departments, and assess how effectively they can react to cyber threats.

EUMDR

The EUMDR instructs that manufacturers create and maintain effective risk management processes. By running tabletop exercises, medical device manufacturers can ensure they comply with EUMDR’s cyber security requirements by demonstrating that their teams are prepared to respond to vulnerabilities that could impact device safety.

FDA Cyber Security Good Practice

The FDA's guidance for medical device cybersecurity highlights the importance of regular security testing. Tabletop exercises ensure that manufacturers understand how to handle cyber threats and mitigate potential risks to device functionality, safeguarding patient safety and data.

NHS DSPT

DSPT requires organisations to demonstrate they have tested their incident response plans. Tabletop exercises allow healthcare providers and their suppliers to ensure that data security incidents can be managed swiftly and effectively.

Steps to Success in a Tabletop Exercise

To hold a successful tabletop exercise, certain factors need to be in place. Each step below provides actionable insights into how to approach each aspect of the exercise.

1. Planning

2. Get the Right People Involved

3. Use Real Scenarios

4.Invoking an Emotional Response

The exercise should be designed to engage participants by making them feel some pressure of a real incident. Consider timing responses with countdowns for a sense of increase urgency.

5. Focus on What Matters - Ensure the the Key Aspects is Something the Team Cares About.

Think about the real-world consequences, like fines, damage to patient trust, and potential harm to individuals' health if devices are compromised, to make the exercise meaningful.

6. Have a Clear Plan

Break the scenario down into steps:

7. Prepare a Simple Slide Deck

Create a simple slide presentation with:

8. Limit Response Time

Give teams limited time to respond, just like in real life. This helps them practice making decisions quickly.

9. Keep the Group Focused

Have a facilitator lead the exercise to keep everyone on track and avoid distractions.

10. Keep the Energy Up

The facilitator should inject enthusiasm and momentum into the exercise, using varied tones, questions, and engagement techniques to keep participants focused and alert.

The Tabletop Exercise Guide

1. Planning

2. Building the Exercise

3. Organising

4. Running the Exercise

5. Debrief and Improve

Ready to take your digital health company to the next level by strengthening your cybersecurity and compliance? Contact Periculo today to see how we can help you meet crucial standards like ISO 27001 and build trust with major healthcare organisations.

Want personalised advice? Book a free 30-minute call with strategy to explore how Periculo can tailor a security solution that wins you more contracts and keeps your business secure.

Image Designed by vectorjuice / Freepik

Protecting Digital Health Solutions

Contact Periculo for expert cyber security solutions tailored to the digital health industry.

Subscribe
Stay updated with our newsletter for the latest features and releases.
By subscribing, you agree to our Privacy Policy and consent to receive updates from us.
Thank you! Subscription received.
Oops! Something went wrong. Please try again.