Cyber Security of Medicare: Tabletop Simulations: Part 8

EDITOR’S NOTE: Edward Roche, in association with RACmonitor, is writing a series on the need for U.S. healthcare facilities to protect themselves from cybercriminals demanding ransoms for patient records. This is the eighth installment in the series. 

Hospitals can mitigate the damage from a cyberattack by engaging in simulations designed to evaluate and improve their response. One variety of simulation is the “Tabletop Exercise” (TTX).

Unlike many organizations such as banks, the healthcare sector was never designed with a view to cyber security. Over time, the role of information systems has grown. It is only in the past few years that hospitals and others have felt the full threat of cyber sabotage. Serious hospital attacks have been growing at around 65 percent each year. For organizations that think of information technology only as a supporting infrastructure for their operations, it is common to find a lack of preparation.

Hospitals are in a very special category of organizations. If they are attacked, not only do they suffer damage to their organization and information systems, but they also will become the targets of the government. Inspections, audits, penalties, and fines are all actions that both the federal and state governments might take against a hospital if it loses control of its information system. In addition, there is the question of patient care. Since a large number of patients depend upon various medical devices, they also are vulnerable to cyberattack. Cyber can kill.

Tabletop exercises for hospitals, abbreviated “TTX,” are the perfect way for the organization to practice how it will respond to a cyberattack. The TTX is a complex simulation. There are participants who respond to the scenario that is given to them. At the same time, a number of observers watch what is going on and take notes for future reference. When the team of participants meets to plot its response, a number of facilitators are dispatched to help make sure the discussions go in the best direction. Finally, this type of simulation employs a number of data collectors who track everything that happens and compile data that can be used later when assessing how everyone performed.

In a tabletop exercise, the team first receives a scenario and begins to respond. After the response has been recorded, the results are calculated and saved for future analysis. The next stage is for the organization to compile the lessons it learned from the exercise. If this is done correctly, it will often lead to the development of new protocols.

Each simulation has a number of vignettes, which are called “injects.” These are not drug injections; instead, they are modifications to the scenario designed to challenge the participants and possibly throw them off guard. A better term for “inject” might be “monkey wrench.”

Tabletop Exercise: Scenario One

Here is an example of a scenario of the type that might form the basis for a tabletop exercise at a hospital.

The nursing staff notices a part-time security guard has started showing up an hour earlier than he needs to. Six months ago, the guard’s fiancée (also an employee at your facility) was laid off. Without warning, several administrative employees receive an email with an invitation to check out her latest vacation pictures by clicking on a link. When they visit the website, they receive an error message such as: “404 Error File Not Found.”

Shortly thereafter the chief information officer receives an untraceable email. Inside the email she finds a file containing the electronic medical records, personally identifiable information, and credit card data for more than 1000 patients of the hospital. Along with this file is a note which states that this information plus data on an additional 5000 patients will go up for auction on the Dark Web. The bids close at midnight.

The remainder of the simulation focuses on the question of whether the healthcare organization was prepared for this type of scenario or, in contrast, whether it must sustain significant damage.

This type of tabletop exercise is excellent because it brings together so many different parts of the healthcare organization. For example, the IT department, the department that handles compliance with federal laws and regulations, the department of security, and other organizations all are tested within the range of their competence.

The success of this type of exercise lies in the nature of the relationship between the different functional elements of the organization and how well they are able to coordinate with each other under extreme stress.

Scenario Two

The setting is a major trauma center. All patient care is coordinated through an electronic medical records system. In order to keep things current, this software is updated on a regular basis. In fact, the software was updated only a few weeks ago.

The software had been working perfectly until today. The clinical support computers start to slow down, become sluggish, or freeze up completely and stop working. As a result, patient care is delayed. In response to this problem, the physicians in your facility begin to switch over to manual procedures whenever they need to authenticate patient information. As new patients continue to arrive, your healthcare facility becomes overwhelmed.

As the patient load continues to increase, your policies are changed so that only life-threatening emergencies are admitted to the facility. In general, your entire system has ground to a halt.

At this point, your director of information technology services receives notification from your sub-contractor that malware has been discovered. A worm has altered or erased entire data fields containing patient treatment information.

Scenario Three

It is a normal working day at your healthcare facility. Three of your administrative employees receive an email from the HR department. The email contains detailed instructions requesting them to update their passwords as a security measure. Conveniently, the email has a link to do this. Because many times in the past they have received emails with specific instructions regarding the use of the information system, they quickly update their passwords.

Within a few days, the chief financial officer discovers discrepancies in the accounting records. A quick investigation reveals that a cyberattack has been sustained against the billing system. It already was known that the system had a vulnerability, but unfortunately, this problem was not patched in a timely manner.

At this point, outsiders now control all of the billing system including receivables. The money cannot be recovered.

Shortly thereafter, the chief executive officer (CEO) receives a demand to pay $1 million within 24 hours. If this payment is not received, then the entire database will be destroyed and all of the credit card information will be auctioned off on the Dark Web.

Not only is there an existential threat to the receivables for the facility, it also is the case that your system no longer is compliant with payment card industry requirements. As a result, your organization now is subject to penalties and fines. You quickly learn that the organization must pay out a minimum of $3 million to notify all patients whose credit card information has been taken and on top of that pay for one year of credit monitoring for each patient.

The Theory of Tabletop Simulations

It often is said that the organization which works best is the one that practices the most. In the case of developing a robust response to cyber threats, the Department of Homeland Security has found that conducting tabletop exercises on a regular basis can greatly improve one’s chances of surviving a severe cyberattack. The theory of tabletop simulations is that each round of practice leads to an evaluation, which then leads to a change in procedures (protocol). The organization learns to communicate in the ways that are necessary given these extraordinary circumstances. It becomes possible to measure response time not merely within departments, but across the entire organization as a whole on a cross-functional basis.
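The article describes data collectors who log everything that happens during the exercise, and a theory in which each round yields measurements (response time within and across departments) that feed a change in protocol. The script below is an added example, not part of the article or of any DHS material: it assumes the data collectors record each inject and each departmental response with a timestamp, and it turns such a log into the cross-functional metrics described above. The inject text loosely follows Scenario Three, but every timestamp, department name, action and the 30-minute service-level target are constructed for illustration.

```python
"""
Score a hospital tabletop exercise (TTX) from its timeline log.

Added example (not from the article). Assumes the exercise's data collectors
log every inject and every departmental response with a timestamp. From that
log it computes: minutes to first response per department, minutes until every
required department has engaged (cross-functional response time), and coverage
gaps (a required department that never engaged), which are the raw material
for the "lessons learned" and new protocols the article describes.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Inject:
    inject_id: str
    description: str
    issued_at: datetime
    required_departments: frozenset  # departments that must engage with this inject


@dataclass(frozen=True)
class Response:
    inject_id: str
    department: str
    at: datetime
    action: str


# Constructed sample log, loosely modelled on the article's Scenario Three.
# All times, departments and actions are made up for illustration.
T0 = datetime(2024, 5, 1, 9, 0)
INJECTS = [
    Inject("I1", "Three staff report a password-reset email claiming to be from HR",
           T0, frozenset({"IT", "Security"})),
    Inject("I2", "CFO finds discrepancies in the billing records",
           T0 + timedelta(hours=2), frozenset({"IT", "Security", "Finance", "Compliance"})),
    Inject("I3", "CEO receives a $1M ransom demand with a 24-hour deadline",
           T0 + timedelta(hours=3), frozenset({"Executive", "Legal", "Security", "Compliance"})),
]
RESPONSES = [
    Response("I1", "IT", T0 + timedelta(minutes=12), "Block sender, pull message from mailboxes"),
    Response("I1", "Security", T0 + timedelta(minutes=40), "Force password reset on the three accounts"),
    Response("I2", "Finance", T0 + timedelta(hours=2, minutes=5), "Freeze outbound payments"),
    Response("I2", "IT", T0 + timedelta(hours=2, minutes=30), "Isolate billing server from the network"),
    Response("I2", "Security", T0 + timedelta(hours=2, minutes=35), "Begin forensic capture"),
    Response("I3", "Executive", T0 + timedelta(hours=3, minutes=10), "Convene incident leadership"),
    Response("I3", "Security", T0 + timedelta(hours=3, minutes=15), "Engage law enforcement contact"),
    Response("I3", "Legal", T0 + timedelta(hours=3, minutes=50), "Start breach-notification clock"),
]


def first_response_minutes(injects, responses):
    """Minutes from each inject to the first logged response of each department."""
    issued = {i.inject_id: i.issued_at for i in injects}
    out = {}
    for r in responses:
        minutes = (r.at - issued[r.inject_id]).total_seconds() / 60
        key = (r.inject_id, r.department)
        out[key] = min(minutes, out.get(key, minutes))  # keep the earliest response
    return out


def time_to_full_engagement(injects, responses):
    """Minutes until every required department has responded; None if one never did."""
    first = first_response_minutes(injects, responses)
    result = {}
    for inj in injects:
        times = [first.get((inj.inject_id, d)) for d in inj.required_departments]
        result[inj.inject_id] = None if any(t is None for t in times) else max(times)
    return result


def coverage_gaps(injects, responses):
    """Required departments that never engaged with an inject: candidate protocol changes."""
    responded = {(r.inject_id, r.department) for r in responses}
    return {inj.inject_id: {d for d in inj.required_departments
                            if (inj.inject_id, d) not in responded}
            for inj in injects}


def lessons_learned(injects, responses, sla_minutes=30):
    """Plain-language findings: departments that never engaged, or were slower than the SLA."""
    first = first_response_minutes(injects, responses)
    findings = []
    for inj in injects:
        for d in sorted(inj.required_departments):
            t = first.get((inj.inject_id, d))
            if t is None:
                findings.append(f"{inj.inject_id}: {d} never engaged ({inj.description})")
            elif t > sla_minutes:
                findings.append(f"{inj.inject_id}: {d} took {t:.0f} min, SLA is {sla_minutes}")
    return findings


if __name__ == "__main__":
    for line in lessons_learned(INJECTS, RESPONSES):
        print(line)
```

Run on the constructed log, the findings show one department that never engaged with two of the three injects and several that exceeded the target: exactly the kind of cross-departmental observation the article says a TTX should surface, and the first draft of a protocol change (who must be paged on which inject, and within how long).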

Have you ever thought about what happens when two football teams meet on the field? Let’s assume for a moment that each team has exactly the same strength and speed. In this case, when all other conditions are experimentally controlled, so to speak, we find that the team which has practiced the most is the one that will win every time. We practice because in doing so we discover unexpected problems that can occur and if we are careful and keep records we change our procedures so the next time these unexpected events occur they can be dealt with effectively.

The cyberattack war against the United States and all of its organizations including the healthcare sector shows no sign of abating. We can only be sure of one thing: attacks will continue, attacks will become more severe, attacks will be more difficult to defeat, and attacks will become deadlier. At the heart of this problem is the simple fact that there is no such thing as a completely secure information system. It simply does not exist. Therefore, the art of management is knowing what to do in the best way when faced with the inevitable problems posed by a cyberattack.

Edward M. Roche, PhD, JD

Edward Roche is the director of scientific intelligence for Barraclough NY, LLC. Mr. Roche is also a member of the California Bar. Prior to his career in health law, he served as the chief research officer of the Gartner Group, a leading ICT advisory firm. He was chief scientist of the Concours Group, both leading IT consulting and research organizations. Mr. Roche is a member of the RACmonitor editorial board as an investigative reporter and is a popular panelist on Monitor Mondays.
