Cyber Tabletop Exercise for the Healthcare Industry

Facilitator and Planner Guide

Healthcare Industry Exercise Sensitive

Table of Contents

Introduction

Healthcare Industry Cyber Tabletop Exercise
  Purpose
  Exercise Objectives
  Exercise Schedule
  General Characteristics
  Exercise Guidelines
  Exercise Assumptions and Artificialities
  Key Exercise Personnel
  Exercise Technique
  Facilitation of Scenarios
  Exercise Structure
  Exercise Wrap-Up
  Player Hot Wash
  Facilitator and Data Collector Debrief
  Data Collection
  Developing the After Action Report and Improvement Plan
  Analyze Data
  Identify Root Causes and Develop Recommendations
  Identify Lessons Learned
  Contact Information

Planning Cyber Exercises
  Exercise Foundation
  Exercise Foundation Activities
  Develop the Exercise Planning Team
  Establishing Exercise Milestones and Key Events
  Timeline and Milestones
  Exercise Type
  Exercise Planning Staff Experience and Availability
  Participation Level
  Resource Constraints
  Conduct Planning Meetings
  Exercise Design
  Exercise Logistics
  Facility and Meeting Room
  Food and Refreshments
  Directions/Parking/Access

Appendix A: Facilitator Role and General Guidance
  Role
  Group Dynamics
  Brainstorming
  Scenario
  Questions
  Trivializing the Answers
  Facilitator Challenges
  Time Management
  Focus and Level of Discussion

Appendix B: Vignette I: Compromise of electronic Protected Health Information (ePHI)
  Opening Scenario
  Facilitator Prompts
  Inject 1
  Facilitator Prompts
  Inject 2
  Facilitator Prompts
  Ground Truth – Vignette I: Compromise of electronic Protected Health Information (ePHI)
  Vignette Objectives
  General Sequence of Events
  Overview

Appendix C: Vignette II: Corrupted Electronic Health Records/Electronic Medical Records (EHRs/EMRs)
  Opening Scenario
  Facilitator Prompts
  Inject 1
  Facilitator Prompts
  Inject 2
  Facilitator Prompts
  Ground Truth – Vignette II: Corrupted Electronic Health Records/Electronic Medical Records (EHRs/EMRs)
  Vignette Objective
  General Sequence of Events
  Overview

Appendix D: Vignette III: Cash Out – Billing System Disruption
  Opening Scenario
  Facilitator Prompts
  Inject 1
  Facilitator Prompts
  Inject 2
  Facilitator Prompts
  Inject 3
  Facilitator Prompts
  Ground Truth – Vignette III: Cash Out – Billing System Disruption
  Vignette Objective
  General Sequence of Events
  Overview

Appendix E: Vignette IV: Medical Device Malfunction
  Opening Scenario
  Facilitator Prompts
  Inject 1
  Facilitator Prompts
  Ground Truth – Vignette IV: Medical Device Malfunction
  Vignette Objective
  General Sequence of Events
  Overview

Appendix F: Reference Library
  U.S. Department of Homeland Security and National Healthcare and Public Health Sector Documents
  Other Federal and Industry Documents
  Additional Online Resources

Appendix G: Exercise Planning and Support Materials

Appendix H: Acronym List

Appendix I: Glossary of Terms

Tables and Figures

Table 1: Sample Agenda of a Four-Hour Exercise
Table 2: Cyber Tabletop Exercise Components
Table 3: Potential Exercise Participants
Table 4: Guidelines of Planning Events Timeline
Table 5: Cyber Tabletop Exercise Documents
Table 6: U-shape Layout for a Tabletop Exercise
Table 7: Key Tabletop Exercise Format Features


Figure 1: Cyber Tabletop Exercise Technique
Figure 2: HSEEP Methodology


Introduction

The U.S. Department of Homeland Security (DHS) Cyber Tabletop Exercise (TTX) for the Healthcare Industry is an unclassified, adaptable exercise template developed by the DHS National Cyber Security Division (NCSD) Cyber Exercise Program (CEP) in partnership with the U.S. Department of Health and Human Services (HHS), the National Health Information Sharing & Analysis Center (NH-ISAC), and subject matter experts (SMEs) from the private Healthcare Industry.

The physical and cyber assets of public and private institutions comprise much of the critical infrastructure upon which our Nation depends. In addition to Healthcare and Public Health, Federally-recognized critical infrastructure sectors include: Agriculture and Food; Banking and Finance; Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Government Facilities; Information Technology; National Monuments and Icons; Nuclear Reactors, Materials and Waste; Postal and Shipping; Transportation Systems; and Water. The cyber component of this infrastructure is a principal enabler of these sectors as well as a technical implementer for other important economic, security, and social systems of our country. Our reliance upon the technologies that comprise this vital infrastructure compels us to remain vigilant in order to prevent disruptions and their subsequent debilitating effects.

Rapid identification, information exchange, and cooperative response have proven effective at mitigating the undesirable or unanticipated consequences of disruptions to our Nation’s cyber infrastructure. Many of these lessons have been learned firsthand, during actual disruptions, but they can be integrated into exercise programs to reduce cyber consequences and improve preparedness and resiliency. NCSD CEP seeks to improve the Nation’s cybersecurity readiness, protection, and incident response capabilities by developing, designing, and conducting cyber exercises at the Federal, state, regional, and international levels, in cooperation with private sector owners and operators of our Nation’s critical infrastructures.

NCSD CEP employs scenario-based exercises that focus on risks to cyber and information technology infrastructures. Through exercises, Participants are able to validate policies, plans, procedures, processes, and capabilities that enable preparation, prevention, response, recovery, and continuity of operations. The controlled environment of an exercise allows exercise Players to safely explore real-world situations to improve response communication and coordination, and to advance the efficacy of the broad-based public-private critical infrastructure protection partnerships. This TTX developed for the Healthcare Industry is an example of this relationship.

This Facilitator and Planner Guide follows the guidance and methodology of the DHS Homeland Security Exercise and Evaluation Program (HSEEP) for developing and executing exercises. The structure that HSEEP provides helps Facilitators and Planners focus discussions and complete the tasks necessary to meet the exercise objectives. The Guide is not written as a basic “how to” manual. Rather, Facilitators and Planning Team members should have basic knowledge of exercise design (preferably TTX design), standardized HSEEP policy and terminology, and adult education or training experience. A common understanding of the fundamentals of cybersecurity and healthcare systems enables Facilitators and Planning Team members to benefit fully from this Guide.

The Facilitator and Planner Guide is divided into three sections. The first section describes the TTX developed specifically for the Healthcare Industry, and details the structure for conducting and reporting on this exercise. As will be mentioned throughout this Guide, you are encouraged to modify exercise materials to suit the needs or constraints of your event. The second section provides general guidance on the planning, preparation, and development of a cyber TTX while embracing HSEEP policy and methodology. You may wish to follow HSEEP guidance if exercise-specific details are modified.

The final section of this Guide contains nine appendices. Four of them (Appendices B through E) present the vignettes prepared exclusively for this exercise. Each vignette contains scenario details; a “ground truth” storyline of information that might not be available except through forensic investigation; and prompting questions the Facilitator may use to stimulate discussion or to redirect Player actions toward the exercise purpose and objectives. Reference materials complete the Guide: the Facilitator role and general guidance (Appendix A), a reference library (Appendix F), exercise planning and support materials (Appendix G), an acronym list (Appendix H), and a glossary (Appendix I).

Healthcare Industry Cyber Tabletop Exercise

The Department of Homeland Security (DHS) Cyber Tabletop Exercise for the Healthcare Industry gives Participants the opportunity to understand the issues associated with a significant, focused cyber attack and to coordinate with other government and private entities in response to a simulated attack. It is intended for industry members’ internal use only. Exercise Participants and stakeholders are not required to report to DHS or any other Federal, state, or local agency on any component of the exercise; sharing exercise results is strictly at the Participants’ and sponsor’s discretion. You are advised to consult with appropriate officials to determine whether this exercise meets regulatory or statutory exercise requirements.

Purpose

The purpose of the DHS Cyber Tabletop Exercise for the Healthcare Industry is to examine cybersecurity considerations associated with the interruption of Healthcare Infrastructure elements initiated by cyber disruptions. Although physical consequences of these disruptions are important, they are not the principal focus of this exercise. Rather, this exercise focuses on a healthcare facility’s internal and external incident response and coordination efforts following a significant, simulated cyber attack. The intent of the exercise is to improve the facility’s understanding of key cybersecurity concepts; identify strengths and weaknesses; promote changes in attitude and perceptions; and enhance the overall cyber response posture and collective decision-making process of participating organizations and stakeholders. Additionally, this exercise will serve to:

• Create an opportunity for public and private Healthcare Industry stakeholders to explore and address cybersecurity challenges.

• Foster an understanding of the dependencies and interdependencies amongst information technology, business continuity, crisis management, and physical security functions.

• Observe and evaluate cyber incident response protocols.

• Identify shortcomings or gaps in demonstrated capabilities or current plans, policies, and procedures.

Exercise Objectives

Objectives are the cornerstone of exercise project management because they drive exercise planning, conduct, and evaluation. Exercising against defined objectives feeds the modification or creation of plans, policies, and procedures. The objectives identified for the DHS Cyber Tabletop Exercise for the Healthcare Industry (listed below) focus on improving understanding of the concerns affecting the Healthcare and Public Health Sector. Organization-specific objectives may also be included as needed:

  1. Explore inter-organizational information sharing and collaboration mechanisms within the Healthcare and Public Health Sector during a cyber incident.
  2. Improve understanding of the potential impacts and cascading effects cyber intrusions can have within the Healthcare and Public Health Sector.
  3. Examine current organizational cyber incident response policies, plans, and protocols, and identify potential shortcomings or gaps.
  4. Insert additional organization-specific objectives.

Exercise Schedule

As shown in the schedule below, the DHS Cyber Tabletop Exercise for the Healthcare Industry is planned for four hours of exercise play; however, the overall duration and the length of each breakout session are at your discretion and can be modified as necessary. Although the exercise follows a schedule, discussion times are open-ended and Participants are encouraged to take the time needed to reach in-depth decisions without time pressure. The Facilitator maintains an awareness of the time allotted to each vignette discussion, but the group need not complete every vignette action item for the exercise to be deemed a success.

Registration / 8:00 a.m. – 8:30 a.m.
Opening Plenary (Welcome, Introduction, and Guidelines) / 8:30 a.m. – 9:00 a.m.
Vignette I / 9:00 a.m. – 9:30 a.m.
Vignette II / 9:30 a.m. – 10:05 a.m.
Break (at Facilitator’s discretion) / 10:05 a.m. – 10:20 a.m.
Vignette III / 10:20 a.m. – 10:55 a.m.
Vignette IV / 10:55 a.m. – 11:30 a.m.
Closing Plenary (Hot Wash and Closing Comments) / 11:30 a.m. – 12:00 p.m.

Table 1: Sample Agenda of a Four-Hour Exercise

General Characteristics

A cyber tabletop exercise (TTX) is a facilitated discussion of a scenario in a formal or informal, stress-free environment. It is designed to be an open, thought-provoking exchange of ideas on various issues regarding a hypothetical, simulated cyber incident, and can be used to enhance general awareness, validate current plans and procedures, and assess the systems and activities that lie within the framework of cyber incident response and recovery. It is effective for examining policies, plans, personnel contingencies, information sharing, and interagency coordination, as well as for discovering gaps, or unclear or overlapping responsibilities.

The dynamic nature of scenario development for a TTX allows scenario elements to be modified or refined up to the moment the scenario is introduced to exercise Players. This exercise should be no exception: each scenario “inject” should be tailored to the specific Participant base. Likewise, the Exercise Planning Team may prepare injects “on the fly” so that Player actions can be guided or refocused to address a specific issue.

A scenario “ground truth” document provides key information and details necessary to accurately depict scenario conditions and events that drive exercise play to ensure that objectives can be met. Ground truth information forms the foundation of the scenario that the Facilitator uses as a basis when addressing Player inquiries regarding the nature of the scenario. Further, scenario ground truth is included in each vignette for this exercise and may be referenced by the Facilitator to gain an in-depth understanding of the situation.

For the DHS Cyber Tabletop Exercise for the Healthcare Industry, Facilitators provide scenario vignette information to stimulate Participant discussion. The facilitated discussion poses key questions that focus on expected behavior; defined roles and responsibilities; existing plans; coordination; and cascading effects, amongst others, to support the exercise goals and objectives. Participants should share their subject matter expertise in the group’s discussion of issue areas to reach a resolution; discussions may also be guided through Facilitator prompts. Documentation of this process is the foundation for subsequent data analysis and development of the After Action Report/Improvement Plan (AAR/IP).

Exercise Guidelines

The following should serve as guidelines for exercise conduct:

  • This is an open, low-stress, no-fault environment. Varying and contradictory viewpoints should be anticipated and encouraged.
  • Participants’ responses should be based on their knowledge of current plans, capabilities (e.g., exclusive use of existing assets), and insights derived from training.
  • Decisions are not precedent-setting and may not reflect an organization’s final position on a given issue. This is an opportunity to discuss and present multiple options and possible solutions.
  • Assume hypothetical cooperation and support from other responders and agencies.
  • Problem-solving efforts should be the focus. Identifying issues is not as valuable as suggestions and recommended actions.
  • Situation updates, and written materials and resources provided, are the basis for discussion.
  • Incident management and current cybersecurity plans and policies used by participating organizations provide a foundation for Player action, but actions and decisions made during the exercise should not be constrained by these or other current, real-world plans and management concepts. Exercise discussions will create opportunities to enhance existing plans and concepts.

Exercise Assumptions and Artificialities

In any exercise a number of assumptions and artificialities may be necessary to complete scheduled conduct in the time allotted. During this exercise, the following apply:

  • The scenario is plausible and events occur as they are presented.
  • There is no “hidden agenda,” nor any trick questions.
  • All Players receive information at the same time.
  • The scenario is not derived from current intelligence.
  • Players can make reasonable assumptions as necessary.
  • The exercise findings are not for attribution.
  • Local Players should assume that while concentrating on local response, Federal and state responders are initiating their own respective plans, procedures, and protocols.

Key Exercise Personnel

One of the most important factors of a successful exercise is skilled planning and design by the Exercise Planning Team. The Exercise Planning Team oversees, and is ultimately responsible for, the exercise foundation, design, development, and often the conduct and evaluation. The team determines exercise objectives, tailors the scenario to meet the exercising entity’s needs, and develops documentation used in evaluation, control, and simulation. Planning Team members also help to develop and distribute pre-exercise materials, and conduct exercise planning conferences, briefings, and training sessions. Because Planning Team members are highly involved in the exercise, they are ideal selections for Facilitators, Controllers, and Evaluators. Other important exercise roles include the following:

• Players/Participants respond to the situation presented based on their respective SME knowledge of current plans and procedures, and insights derived from training and experience.

• Observers watch the exercise and do not participate in the discussion.

• Facilitators ideally are individuals with functional area expertise who facilitate exercise discussion. The Facilitator is responsible for keeping the discussion focused on exercise objectives and ensuring that all key issues are explored (time permitting).