
Page 1: cdn.ymaws.com… · Web view: The defrauded money cannot be recovered, nor can the intruder be identified. Your CISO hires a third party service to remediate the vulnerability,

Facilitator and Planner Guide

Cyber Tabletop Exercise for the Healthcare Industry: Facilitator and Planner Guide

Healthcare Industry Exercise Sensitive

Table of Contents

Table of Contents ..... ii
Introduction ..... 1
Healthcare Industry Cyber Tabletop Exercise ..... 3
    Purpose ..... 3
    Exercise Objectives ..... 3
    Exercise Schedule ..... 4
    General Characteristics ..... 4
        Exercise Guidelines ..... 5
        Exercise Assumptions and Artificialities ..... 6
    Key Exercise Personnel ..... 6
    Exercise Technique ..... 7
    Facilitation of Scenarios ..... 7
    Exercise Structure ..... 8
    Exercise Wrap-Up ..... 9
        Player Hot Wash ..... 9
        Facilitator and Data Collector Debrief ..... 9
    Data Collection ..... 9
    Developing the After Action Report and Improvement Plan ..... 10
    Analyze Data ..... 10
        Identify Root Causes and Develop Recommendations ..... 11
        Identify Lessons Learned ..... 12
    Contact Information ..... 12
Planning Cyber Exercises ..... 13
    Exercise Foundation ..... 13
    Exercise Foundation Activities ..... 14
        Develop the Exercise Planning Team ..... 14
        Establishing Exercise Milestones and Key Events ..... 14
    Timeline and Milestones ..... 14
        Exercise Type ..... 15
        Exercise Planning Staff Experience and Availability ..... 15
        Participation Level ..... 15
        Resource Constraints ..... 16
    Conduct Planning Meetings ..... 16
    Exercise Design ..... 17
    Exercise Logistics ..... 18
    Facility and Meeting Room ..... 18
    Food and Refreshments ..... 20
    Directions/Parking/Access ..... 20
Appendix A: Facilitator Role and General Guidance ..... 22
    Role ..... 22
    Group Dynamics ..... 23
        Brainstorming ..... 23
        Scenario ..... 23
        Questions ..... 23
        Trivializing the Answers ..... 24
    Facilitator Challenges ..... 24
        Time Management ..... 24
        Focus and Level of Discussion ..... 24
Appendix B: Vignette I: Compromise of Electronic Protected Health Information (ePHI) ..... 26
    Opening Scenario ..... 26
        Facilitator Prompts ..... 26
    Inject 1 ..... 26
        Facilitator Prompts ..... 26
    Inject 2 ..... 27
        Facilitator Prompts ..... 27
Ground Truth – Vignette I: Compromise of Electronic Protected Health Information (ePHI) ..... 29
    Vignette Objectives ..... 29
    General Sequence of Events ..... 29
    Overview ..... 29
Appendix C: Vignette II: Corrupted Electronic Health Records/Electronic Medical Records (EHRs/EMRs) ..... 31
    Opening Scenario ..... 31
        Facilitator Prompts ..... 31
    Inject 1 ..... 32
        Facilitator Prompts ..... 32
    Inject 2 ..... 32
        Facilitator Prompts ..... 32
Ground Truth – Vignette II: Corrupted Electronic Health Records/Electronic Medical Records (EHRs/EMRs) ..... 34
    Vignette Objective ..... 34
    General Sequence of Events ..... 34
    Overview ..... 34
Appendix D: Vignette III: Cash Out – Billing System Disruption ..... 37
    Opening Scenario ..... 37
        Facilitator Prompts ..... 37
    Inject 1 ..... 38
        Facilitator Prompts ..... 38
    Inject 2 ..... 38
        Facilitator Prompts ..... 38
    Inject 3 ..... 39
        Facilitator Prompts ..... 40
Ground Truth – Vignette III: Cash Out – Billing System Disruption ..... 41
    Vignette Objective ..... 41
    General Sequence of Events ..... 41
    Overview ..... 41
Appendix E: Vignette IV: Medical Device Malfunction ..... 43
    Opening Scenario ..... 43
        Facilitator Prompts ..... 43
    Inject 1 ..... 43
        Facilitator Prompts ..... 44
Ground Truth – Vignette IV: Medical Device Malfunction ..... 45
    Vignette Objective ..... 45
    General Sequence of Events ..... 45
    Overview ..... 45
Appendix F: Reference Library ..... 47
    U.S. Department of Homeland Security and National Healthcare and Public Health Sector Documents ..... 47
    Other Federal and Industry Documents ..... 47
    Additional Online Resources ..... 47
Appendix G: Exercise Planning and Support Materials ..... 49
Appendix H: Acronym List ..... 50
Appendix I: Glossary of Terms ..... 52

Tables and Figures

Table 1: Sample Agenda of a Four-Hour Exercise ..... 4
Table 2: Cyber Tabletop Exercise Components ..... 8
Table 3: Potential Exercise Participants ..... 16
Table 4: Guidelines of Planning Events Timeline ..... 16
Table 5: Cyber Tabletop Exercise Documents ..... 18
Table 6: U-shape Layout for a Tabletop Exercise ..... 19
Table 7: Key Tabletop Exercise Format Features ..... 19
Figure 1: Cyber Tabletop Exercise Technique ..... 7
Figure 2: HSEEP Methodology ..... 13


Introduction

The U.S. Department of Homeland Security (DHS) Cyber Tabletop Exercise (TTX) for the Healthcare Industry is an unclassified, adaptable exercise template developed by the DHS National Cyber Security Division (NCSD) Cyber Exercise Program (CEP) through a partnership with the U.S. Department of Health and Human Services (HHS), the National Health Information Sharing & Analysis Center (NH-ISAC), and subject matter experts (SMEs) from the private Healthcare Industry Sector.

The physical and cyber assets of public and private institutions comprise much of the critical infrastructure upon which our Nation depends. In addition to Healthcare and Public Health, Federally-recognized critical infrastructure sectors include: Agriculture and Food; Banking and Finance; Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Government Facilities; Information Technology; National Monuments and Icons; Nuclear Reactors, Materials and Waste; Postal and Shipping; Transportation Systems; and Water. The cyber component of this infrastructure is a principal enabler of these sectors as well as a technical implementer for other important economic, security, and social systems of our country. Our reliance upon the technologies that comprise this vital infrastructure compels us to remain vigilant in order to prevent disruptions and their subsequent debilitating effects.

Rapid identification, information exchange, and cooperative response measures have demonstrated effectiveness at mitigating the undesirable or unanticipated consequences caused by disruptions to our Nation’s cyber infrastructure. Many of these lessons have been learned firsthand – during actual disruptions – but can be integrated into exercise programs to reduce cyber consequences and improve preparedness and resiliency. NCSD CEP seeks to improve the Nation’s cybersecurity readiness, protection, and incident response capabilities by developing, designing, and conducting cyber exercises at the Federal, state, regional, and international levels, and in cooperation with private sector owners and operators of our Nation’s critical infrastructures.

NCSD CEP employs scenario-based exercises that focus on risks to cyber and information technology infrastructures. Through exercises, Participants are able to validate policies, plans, procedures, processes, and capabilities that enable preparation, prevention, response, recovery, and continuity of operations. The controlled environment of an exercise allows exercise Players to safely explore real-world situations to improve response communication and coordination, and to advance the efficacy of the broad-based public-private critical infrastructure protection partnerships. This TTX developed for the Healthcare Industry is an example of this relationship.

This Facilitator and Planner Guide follows the DHS Homeland Security Exercise and Evaluation Program (HSEEP) recommended guidance and methodology for the development and execution of exercises. The structure that HSEEP provides assists Facilitators and Planners through the process of focusing discussions and completing the tasks necessary to successfully complete exercise objectives. The Guide is not written as a basic “how to” manual. Rather, Facilitators and Planning Team members should have basic-level knowledge of exercise – preferably TTX – design, standardized HSEEP policy and terminology, and adult education or training experience. A common understanding of the fundamentals of cybersecurity and healthcare systems enables the Facilitator and Planning Team members to fully benefit from this Guide.

The Facilitator and Planner Guide is divided into three sections. The first section describes the TTX developed specifically for the Healthcare Industry, and details the structure for conducting and reporting on this exercise. As will be mentioned throughout this Guide, you are encouraged to modify exercise materials to suit the needs or constraints of your event. The second section provides general guidance on the planning, preparation, and development of a cyber TTX while embracing HSEEP policy and methodology. You may wish to follow HSEEP guidance if exercise-specific details are modified.

Nine appendices are included in the final section of this Guide. Four appendices (Appendices B through E) outline vignettes prepared exclusively for this exercise; each contains scenario details, a “ground truth” storyline of information that might not be available except through forensic investigation, and information or prompting questions that the Facilitator may use to stimulate discussion or to redirect Player actions towards the exercise purpose and objectives. Reference materials – Facilitator role responsibilities and general guidance; exercise planning and support materials; and an acronym list and glossary – complete this comprehensive Facilitator and Planner Guide.


Healthcare Industry Cyber Tabletop Exercise

The Department of Homeland Security (DHS) Cyber Tabletop Exercise for the Healthcare Industry provides Participants with the opportunity to gain an understanding of issues associated with a significant, focused cyber attack and to coordinate with other government and private entities in response to a simulated attack. It is for industry’s members, intended only for their internal use. There is no requirement for exercise Participants or stakeholders to report to DHS or any other Federal, state, or local agency regarding any component of the exercise. Sharing of exercise results is strictly at the exercise Participants’ and sponsors’ discretion. You are advised to consult with appropriate officials to determine if this exercise meets regulatory or statutory exercise requirements.

Purpose

The purpose of the DHS Cyber Tabletop Exercise for the Healthcare Industry is to examine cybersecurity considerations associated with the interruption of Healthcare Infrastructure elements initiated by cyber disruptions. Although physical consequences of these disruptions are important, they are not the principal focus of this exercise. Rather, this exercise focuses on a healthcare facility’s internal and external incident response and coordination efforts following a significant, simulated cyber attack. The intent of the exercise is to improve the facility’s understanding of key cybersecurity concepts; identify strengths and weaknesses; promote changes in attitude and perceptions; and enhance the overall cyber response posture and collective decision-making process of participating organizations and stakeholders. Additionally, this exercise will serve to:

• Create an opportunity for public and private Healthcare Industry stakeholders to explore and address cybersecurity challenges.

• Foster an understanding of the dependencies and interdependencies amongst information technology, business continuity, crisis management, and physical security functions.

• Observe and evaluate cyber incident response protocols.

• Identify shortcomings or gaps in demonstrated capabilities or current plans, policies, and procedures.

Exercise Objectives

Objectives are the cornerstone of exercise project management as they drive exercise planning, conduct, and evaluation efforts. Exercising to meet defined objectives serves as a component in the modification or creation of plans, policies, and procedures. The objectives identified for the DHS Cyber Tabletop Exercise for the Healthcare Industry (provided below) focus on improved understanding of concerns affecting the Healthcare and Public Health Sector. Organization-specific objectives may also be included as needed:


1. Explore inter-organizational information sharing and collaboration mechanisms within the Healthcare and Public Health Sector during a cyber incident.

2. Improve understanding of the potential impacts and cascading effects cyber intrusions can have within the Healthcare and Public Health Sector.

3. Examine current organizational cyber incident response policies, plans, and protocols, and identify potential shortcomings or gaps.

4. Insert additional organization-specific objectives.

Exercise Schedule

As shown in the schedule below, the DHS Cyber Tabletop Exercise for the Healthcare Industry is scheduled for four hours of exercise play; however, overall and individual breakout session duration is ultimately at your discretion and can be modified as necessary. Although the exercise follows a schedule, discussion times are open-ended and Participants are encouraged to take their time in arriving at in-depth decisions – without time pressure. While the Facilitator maintains an awareness of time allocation for each vignette discussion, it is not a requirement that the group complete every vignette action item to deem the exercise a success.

Registration 8:00 a.m. – 8:30 a.m.

Opening Plenary (Welcome, Introduction, and Guidelines) 8:30 a.m. – 9:00 a.m.

Vignette I 9:00 a.m. – 9:30 a.m.

Vignette II 9:30 a.m. – 10:05 a.m.

Break (at Facilitator’s discretion) 10:05 a.m. – 10:20 a.m.

Vignette III 10:20 a.m. – 10:55 a.m.

Vignette IV 10:55 a.m. – 11:30 a.m.

Closing Plenary (Hot Wash and Closing Comments) 11:30 a.m. – 12:00 p.m.

TABLE 1: SAMPLE AGENDA OF A FOUR-HOUR EXERCISE

General Characteristics

A cyber tabletop exercise (TTX) is a facilitated discussion of a scenario in a formal or informal, stress-free environment. It is designed to be an open, thought-provoking exchange of ideas on various issues regarding a hypothetical, simulated cyber incident, and can be used to enhance general awareness, validate current plans and procedures, and assess the systems and activities that lie within the framework of cyber incident response and recovery. It is effective for examining policies, plans, personnel contingencies, information sharing, and interagency coordination, as well as for discovering gaps, or unclear or overlapping responsibilities.

The dynamic nature of scenario development for a TTX allows scenario elements to be modified or refined up to the moment the scenario is introduced to exercise Players. This exercise is expected to follow that example, with each scenario “inject” tailored to the specific Participant base. Likewise, the Exercise Planning Team may prepare injects “on the fly” so that Player actions can be appropriately guided or re-focused to address a specific issue.

A scenario “ground truth” document provides key information and details necessary to accurately depict scenario conditions and events that drive exercise play to ensure that objectives can be met. Ground truth information forms the foundation of the scenario that the Facilitator uses as a basis when addressing Player inquiries regarding the nature of the scenario. Further, scenario ground truth is included in each vignette for this exercise and may be referenced by the Facilitator to gain an in-depth understanding of the situation.

For the DHS Cyber Tabletop Exercise for the Healthcare Industry, Facilitators will provide scenario vignette information to stimulate Participant discussion. The facilitated discussion poses key questions that focus on expected behavior; defined roles and responsibilities; existing plans; coordination; and cascading effects, amongst others, to support the exercise goals and objectives. Participants should share their subject matter expertise in the group’s discussion of issue areas to reach a resolution; discussions may also be guided through Facilitator prompts. Documentation of this process is the foundation for subsequent data analysis and development of the After Action Report/Improvement Plan (AAR/IP).

Exercise Guidelines

The following should serve as guidelines for exercise conduct:

This is an open, low-stress, no-fault environment. Varying and contradictory viewpoints should be anticipated and encouraged.

Participants’ responses should be based on their knowledge of current plans, capabilities (e.g., exclusive use of existing assets), and insights derived from training.

Decisions are not precedent-setting and may not reflect an organization’s final position on a given issue. This is an opportunity to discuss and present multiple options and possible solutions.

Assume hypothetical cooperation and support from other responders and agencies.

Problem-solving efforts should be the focus. Identifying issues is not as valuable as suggestions and recommended actions.

Situation updates, and written materials and resources provided, are the basis for discussion.

Although incident management and current cybersecurity plans and policies used by participating organizations provide a foundation for Player action, such actions and decisions made during the exercise should not be constrained by these plans or other current, real-world plans and management concepts. Exercise discussions will promote opportunities to enhance existing plans and concepts.

Exercise Assumptions and Artificialities

In any exercise a number of assumptions and artificialities may be necessary to complete scheduled conduct in the time allotted. During this exercise, the following apply:

The scenario is plausible and events occur as they are presented.

There is no “hidden agenda,” nor any trick questions.

All Players receive information at the same time.

The scenario is not derived from current intelligence.

Players can make reasonable assumptions as necessary.

The exercise findings are not for attribution.

Local Players should assume that while concentrating on local response, Federal and state responders are initiating their own respective plans, procedures, and protocols.

Key Exercise Personnel

One of the most important factors of a successful exercise is skilled planning and design by the Exercise Planning Team. The Exercise Planning Team oversees, and is ultimately responsible for, the exercise foundation, design, development, and often the conduct and evaluation. The team determines exercise objectives, tailors the scenario to meet the exercising entity’s needs, and develops documentation used in evaluation, control, and simulation. Planning Team members also help to develop and distribute pre-exercise materials, and conduct exercise planning conferences, briefings, and training sessions. Because Planning Team members are highly involved in the exercise, they are ideal selections for Facilitators, Controllers, and Evaluators. Other important exercise roles include the following:

• Players/Participants respond to the situation presented based on their respective SME knowledge of current plans, procedures, and insights derived from training and experience.

• Observers watch the exercise and are not Participants in the discussion.

• Facilitators ideally are individuals with functional area expertise that facilitate exercise discussion. The Facilitator is responsible for keeping the discussion focused on exercise objectives and ensuring all key issues are explored (time permitting).


Facilitators

The use of Facilitators generally allows more manageable control over discussion direction, as they can draw information from Players to present a clear picture of issues and objectives. Active facilitation ensures that the discussion remains focused on issues and policies.


• Data Collectors are responsible for gathering relevant data arising from facilitated discussions during the exercise. They will then use this information to collectively develop the After Action Report/Improvement Plan (AAR/IP).

Exercise Technique

The technique employed within each vignette is based on an input/action/output paradigm. Participants will respond to issues or events described in the general scenario or from specific injects. Facilitators should be prepared to assist Players during discussions while using the prompts included in the scenario vignettes (included as appendices to this Guide). The following depicts the general flow of this interactive technique:

FIGURE 1: CYBER TABLETOP EXERCISE TECHNIQUE

Facilitation of Scenarios

The four vignette scenarios offered in this exercise package were developed to support the exercise objectives, and to provide generic and qualitative descriptions of situations relevant to the overall exercise goal(s). The opening vignette scenario may be used as the context or starting point for Participants to identify major concerns and formulate their responses to the Facilitator, who will also manage the time allotted for each vignette.

To develop the scenarios, a team of industry SMEs and experienced Exercise Developers examined the unique cyber issues and challenges facing organizations within the Healthcare Industry Sector.


Each interactive vignette addresses a different cybersecurity issue within the Healthcare Industry. The vignette themes are:

Vignette I Compromise of electronic Protected Health Information (ePHI)

Vignette II Corrupted Electronic Health Records/Electronic Medical Records (EHRs/EMRs)

Vignette III Cash Out – Billing System Disruption

Vignette IV Medical Device Malfunction

A summarization of the scenario overview, sector-specific materials prepared by the Scenario Development Team, and scenario injects for each sector, are included as appendices to this Guide.

Exercise Structure

First and foremost: this exercise should not be viewed as a test. Rather, it is an opportunity for participating organizations to examine plans, policies, and procedures; improve coordination and confidence; augment skills; refine roles and responsibilities; reveal weaknesses and resource shortcomings or gaps; and build teamwork. As this event will be self-assessed, evaluation criteria will be determined by each participating organization.

During this exercise, Players will discuss issues in-depth, and develop decisions through paced and facilitated decision-making processes typically experienced during real-world conditions.

The major elements of the DHS Cyber Tabletop Exercise for the Healthcare Industry include:

Opening Plenum

The opening plenum is an orientation that provides administrative information and sets the stage for the remainder of the exercise. It includes an explanation of the interactive process, setting ground rules, a charge to the Participants, and the introductory scenario.

Interactive Sessions

Following the opening plenum, Participants will adjourn to their respective breakout areas and engage in interactive dialogue focused on exercise objectives; Facilitators will encourage discussions through a list of focused questions.

Summary Plenum

The summary plenum concludes the interactive portion of this exercise and is often known as a “hot wash” (discussed in the following section, Exercise Wrap-Up: Player Hot Wash).

TABLE 2: CYBER TABLETOP EXERCISE COMPONENTS

In addition to developing discussion points, Facilitators will find general prompts to initiate and maintain discussion amongst exercise Participants in the appendices of this Guide. These prompts may include:

What do you know?

How might you know this?

What other information needs exist?

How do you intend to obtain this information?


With whom do you share this information?

What actions would you take/intend to take at this point in time?

At the completion of each vignette, the breakout groups will review their activities and prepare materials, to include significant outcomes, concerns, and critical issues from exercise play, for the summary plenum.

Exercise Wrap-Up

Player Hot Wash

Immediately following the exercise, a hot wash allows Players to provide immediate exercise feedback, as well as the opportunity for self-assessment and discussion surrounding the major issues and outcomes of the exercise. The hot wash also provides the Data Collectors with the opportunity to clarify points or collect any missing information from the Players while it is still fresh in their minds and before they leave the area. To supplement the information collected during the Player hot wash, the Facilitator should distribute Participant Feedback Forms to ascertain the level of satisfaction with the exercise, identify issues or concerns, and seek input on any areas for improvement Participants may have identified. Participant Feedback Forms completed during the hot wash are later used to help develop the AAR/IP.

Facilitator and Data Collector Debrief

The Facilitators and Observers/Data Collectors should conduct a separate debrief immediately following the Player hot wash. This forum enables Facilitators and Observers/Data Collectors to provide an overview of observations (e.g., individual breakout table, functional area, geographic region); reconcile conflicting exercise outcomes; highlight common themes; and discuss both strengths and areas for exercise improvement.

Data Collection

Facilitators and Data Collectors must keep accurate written records of Player discussions, actions, and decisions, and note strengths, deficiencies, and unresolved issues. Knowing which events are important makes data collection manageable, eliminates superfluous information, and provides the information most useful for the after action process.

An effective Facilitator or Observer/Data Collector should be aware and familiar with the following elements during plenary or breakout discussions:

Existing organizational plans, policies, or procedures to achieve the stated exercise objective and demonstrate the appropriate capabilities.

Deviations from those plans and implementation procedures.

Roles and responsibilities of Players with actions and decisions related to the exercise objectives and capabilities.


Decisions made by exercise Players.

Recommendations offered by Players.

Any unresolved issues discussed during the exercise.

Prior to this exercise, the Facilitator should instruct the Data Collectors to keep an accurate written record of what is observed and discussed as Players identify actions, make decisions, and discuss their capabilities during the exercise. This information should be collected at the conclusion of the exercise.

Effective notes will assist when writing the final analysis. During this exercise, it is important for Facilitators and Data Collectors to concentrate on listening and recording the discussions and actions as they unfold, specifically what is discussed by the group as it relates to the exercise objectives. Lengthy and detailed writing during the exercise can cause data collectors to miss important discussions among Participants. Notes should identify and capture:

Who (name or position) made the decision/raised a particular issue.

What the decision/issue discussed was.

Why the decision/issue was made/raised (e.g., the “trigger”).

How the group reached the decision (the process) and whether or not there was group consensus around the accuracy of a given issue.

Developing the After Action Report and Improvement Plan

One of the end goals of the exercise is to produce an AAR/IP to capture events as they occurred during an exercise, provide analysis of the events relative to your exercise objectives, and suggest development actions to enhance or improve participating agencies’ planning and response capabilities.

The After Action Report (AAR) provides a comprehensive overview of the exercise, describes best practices and strengths observed, and identifies areas for improvement. The Improvement Plan (IP) outlines corrective actions stemming from the exercise, each with a projected completion date and a responsible organization, as assigned by a senior executive from the participating organization. By addressing corrective actions in the IP, your organization can continually undertake preparedness activities to ensure an improved cybersecurity posture.

The Facilitator must determine when exercise write-ups are due and ensure that Data Collectors are given a no-later-than date for submission. It is strongly recommended that the AAR portion of the AAR/IP be completed in a single voice using the Homeland Security Exercise and Evaluation Program (HSEEP) AAR/IP template.


A sample AAR/IP template is included in Appendix G of this Guide should you choose to use it.


Analyze Data

The goal of data analysis is to transform the data collected during exercise conduct into a comprehensive and manageable narrative that addresses demonstrated strengths as well as areas for improvement. Considerations for preliminary analysis include whether:

Exercise objectives were met;

Players were adequately trained to meet the objectives;

Discussions/actions identified any resource limitations that could inhibit Players’ ability to meet the objectives;

Players were familiar with the applicable plans, policies, and procedures; and

Strengths were identified.

Data Collectors combine their observations and review exercise materials to reconstruct events, and analyze decisions and interactions across organizations and functional areas to determine whether the broad exercise objectives were achieved. Steps taken to analyze the data include:

1. Reviewing exercise discussion notes.

2. Comparing Player discussions to existing plans, identifying deviations, and rationalizing the root-cause of actions (or inactions).

3. Identifying tangible recommendations to resolve issues.

Identify Root Causes and Develop Recommendations

To produce an AAR/IP with recommendations for enhancing preparedness capabilities, it is critical for Data Collectors to discover not only what happened, but why events happened. Data Collectors must search for the root cause of why an expected action did not occur or was not performed as expected for each identified issue. A “root cause” is the source or underlying reason behind an identified issue (as uncovered during data analysis) from which the Data Collector can identify improvement in the form of corrective actions. To arrive at a root cause, an Observer/Data Collector should attempt to trace each event back to its origin. Root-cause analysis may require the review and evaluation of applicable statutes, training programs, policies, and procedures to determine the fundamental causal factor.

Data Collectors should use the following questions as a guide for developing recommendations for improvement:

Were the exercise objectives met?

Did the discussions imply that all Players would be able to successfully complete the tasks necessary to execute the activity in a real-world situation? If not, why?

What are the key decisions associated with each activity?

Did the discussions suggest that all Players are adequately trained to complete the activities or tasks needed to demonstrate a highlighted capability?


Did the discussion identify any resource shortcomings or gaps that could inhibit the ability to execute an activity?

Do the current plans, policies, and procedures support the performance of activities? Are Players familiar with these documents?

Do personnel from multiple organizations need to work together to perform a task, activity, or capability? If so, are agreements or relationships in place to support the coordination required?

What was learned from this exercise?

What are strengths, areas for improvement, and recommended solutions, if any?

Identify Lessons Learned

According to HSEEP, “lessons learned” are positive and negative knowledge and experience derived from observations and historical study of operations, training, and exercises. A lesson learned is not only a summary of what did or did not go wrong; it provides information that might later be relevant and provide valuable insight into how a similar problem may be approached in the future, or what changes may be needed to improve performance (e.g., plans and policies; organizational structure; leadership and management; training; equipment).

The Lessons Learned Information Sharing (LLIS.gov) network is a secure, collaborative DHS portal dedicated to providing knowledge and experience derived from actual cyber threats and attacks; and training and exercises. LLIS offers a national network of lessons learned and best practices for private and public sectors, and includes a library of exclusive documents and other user-submitted materials related to cybersecurity and other all-hazards incidents.

Contact Information

For questions, concerns, or recommendations for improving the DHS Cyber Tabletop Exercise for the Healthcare Industry, please contact DHS CEP at [email protected]. GOV.

For questions concerning health information technology standards, regulation, policies, and guidelines, please contact HHS at [email protected] OV .

For National Health Information Sharing and Analysis Center (NH-ISAC) questions and comments, please email [email protected].


LLIS.gov Membership

To become an LLIS.gov member, an information sheet on the registration process is provided in the Reference Materials section of this Guide. LLIS.gov members have exclusive access to AARs; a comprehensive, online repository of documents; and a secure, validated network to generate and disseminate lessons learned and best practices.


Planning Cyber Exercises

Cyber exercise planning addresses project management through the foundation, design, and development of individual exercises. It focuses on establishing individual exercise objectives, which take into account what each participating organization seeks to accomplish during the exercise, such as an organization’s Cyber Incident Response Team (CIRT) responding to malware disruption of critical business operations. The principles and processes used to develop cyber exercises are informed by Homeland Security Exercise and Evaluation Program (HSEEP) policy and methodology, and may be adapted to meet the unique characteristics of your cyber exercise.

FIGURE 2: HSEEP METHODOLOGY

Exercise Foundation

It is important to establish the groundwork for the design, development, conduct, and evaluation of an exercise. In order to build an exercise foundation, participating entities should do the following:

Establish a purpose.

Create a base of support.

Identify communities of interest.

Identify an Exercise Planning Team.

Establish exercise timelines and milestones.


What is HSEEP?

HSEEP is a capabilities- and performance-based exercise program that was developed to provide common exercise policy and program guidance to constitute a national standard for exercises. It includes use of consistent terminology, design process, evaluation tools, and documentation standards. HSEEP reflects community best practices as well as lessons learned from previous and existing exercise programs. HSEEP is designed to be adaptable to any exercise program. Because cyber events often have physical consequences affecting our critical infrastructure, it is important that cyber exercise designers employ planning techniques and terms used by the emergency management community.


Schedule planning events.

These elements can also be considered a checklist of activities for Exercise Planners to complete during the foundational phase of the exercise planning process. These activities may differ depending on exercise type, complexity, and the time and resources available for the planning effort; Planners should adapt these activities to the needs of their exercise. Exercise design and development should center on activities that will help Players meet the defined exercise objectives. Sustaining a strong exercise foundation is often an iterative effort.

An important part of the groundwork for an exercise is identifying the purpose of the exercise, an Exercise Planning Team, and exercise Participants. The purpose of the exercise should be clearly identified in a broad statement highlighting the reason for the cyber exercise (e.g., examination of an organization’s capacity to respond to a cyber attack). It should be briefed to senior members of an organization to gain their support and to ensure consistency with the entities’ strategic objectives. The purpose and the objectives then help the Exercise Planning Team identify additional subject matter experts (SMEs) to be involved in exercise planning and evaluation. A purpose for the DHS Cyber Tabletop Exercise for the Healthcare Industry exercise has been developed for your consideration and is presented both in this Guide and the Situation Manual (SITMAN). You may modify the purpose to suit your needs.

Exercise Foundation Activities

Develop the Exercise Planning Team

The Planning Team develops the exercise objectives and documents to be used during exercise conduct and evaluation. They conduct planning meetings, briefings, and training sessions to prepare Participants for the exercise. Successful Planning Teams maintain an organized structure, have clearly defined roles and responsibilities, and employ individuals with relevant skills based on functional areas (e.g., Chief Information/Technology Officer, Information Technology [IT] technician) in addition to respective SMEs (e.g., familiarity with strategic plans and policy, experience working with private sector owners, cyber attack response).

Establishing Exercise Milestones and Key Events

Timelines and milestones are crucial to smooth, timely progress when planning an exercise. Exercise Planners determine the optimal planning timelines and milestones with respect to the complexity of the exercise and the resource realities of the participating entities.

Timeline and Milestones

Exercise Planners must consider several key factors when developing an exercise planning timeline and milestones:


Exercise type

HSEEP describes seven types of exercises, of which five have applicability to the cyber realm. Each type of exercise is either discussion-based or operations-based. These types include:

Seminar: A seminar is an informal discussion designed to orient Participants to new or updated plans, policies, or procedures.

Workshop: A workshop resembles a seminar, but is employed to build specific products, such as a draft plan or policy. 

Tabletop Exercise (TTX): A TTX involves key personnel discussing simulated scenarios in an informal setting. TTXs can be used to assess current plans, policies, and procedures.

Game: A game is a simulation of operations that often involves two or more teams, usually in a competitive environment, using rules, data, and procedure designed to depict an actual or assumed real-life situation.

Functional Exercise (FE): An FE is an operations-based exercise that examines and/or validates the coordination, command, and control between various multi-agency coordination centers.

Exercise planning staff experience and availability

An experienced team of Exercise Planners dedicated full-time to their exercise activities generally requires less time to plan an exercise than a team of inexperienced Planners only able to devote a portion of their time to their respective tasks.

Participation level

Single-entity exercises generally need less time for coordination, whereas the coordination of multiple agencies, with varying levels of government, and/or with private sector entities could substantially add to planning time requirements. Players must be chosen carefully to adequately represent their organization and have the appropriate authority to commit organizational resources to the corrective action process. Based on past sector-specific exercises, there are common Participants, internal and external to a facility, to be considered:

Internal:

Physician/Business Owner

Management

Physical/Facility Security

IT Support Personnel

Cyber Incident Response Team

Public Affairs

Corporate Communications

Legal

External:

Suppliers/Distributors/Vendors

Federal/State/Local Law Enforcement

State/Local Emergency Management

Regulating Agencies

National Healthcare Information Sharing and Analysis Centers

Sector Coordinating Councils

Government Coordinating Councils

Professional Associations


TABLE 3: POTENTIAL EXERCISE PARTICIPANTS

Resource constraints

Some or all of the exercise Participants may face resource constraints that need to be considered; staffing issues in particular can be a challenge, as most Exercise Planners are usually also performing their regular responsibilities.

Conduct Planning Meetings

The Exercise Planning Team should establish a timeline that identifies key planning meetings and milestones to effectively structure exercise design and development. Information on an organization’s program management, its objectives, and its flexibilities and limitations should guide the number and type of meetings; the HSEEP meeting structure is intentionally flexible and need not be followed verbatim. Exercise planning meetings serve as milestones to review and validate the Planners’ work; the work itself is performed prior to each of these meetings.

To ensure all organizations’ exercise objectives are met, planning meeting Participants should include most of the lead planning authorities from those organizations. The Planning Team should be selected carefully because they will be exposed to the scenario prior to the exercise and, as trusted agents, not allowed to discuss details of the scenario or other exercise specifics with Players prior to the event; Planning Team members are not expected to play in the exercise.

The table below provides guidance on an approximate timeline of planning events, with an overview of each, to be considered in the development of a TTX.

Planning Meeting / Overview / Timeframe

Concept & Objectives Meeting (4 months prior to exercise conduct, or concurrently with the Initial Planning Meeting): At this meeting Participants complete the exercise foundation. They agree on the exercise objectives, determine the exercise scope, propose the level of play and the cyber threat, and reach consensus on exercise planning timelines and key milestones.

Initial Planning Meeting (3 months prior to exercise conduct): At this meeting Participants agree on the plans, policies, and procedures to be exercised. They also identify the entities’ level of play, confirm the cyber threat and exercise scope, identify ground truth requirements, and reach consensus on control and evaluation architectures and plans.

Final Planning Meeting (3 weeks prior to exercise conduct): At this meeting Participants approve the scenario and the ground truth documents; approve the control and evaluation architectures, staffing, and communications plans; finalize logistical details and level of play commitments; and approve exercise materials.

TABLE 4: GUIDELINES OF PLANNING EVENTS TIMELINE


Exercise Design

Building on the foundation stage of the planning cycle, Exercise Planners use the exercise design process to establish the objectives and scope of the exercise and craft a scenario to test those objectives. Objectives determine what actions, tasks, and decisions are anticipated to be validated upon completion of the exercise. Scope addresses exercise type, the participation level of each entity, and the duration and location of the exercise. Additionally, the Exercise Planning Team designs and develops the documents to prepare Participants for exercise conduct.

For the DHS Cyber Tabletop Exercise for the Healthcare Industry, the documents listed below have been developed for your consideration. However, they should be reviewed and modified as necessary to suit your needs or constraints. Details included in the vignette scenarios are technically plausible, but notional, and intended only for exercise and training purposes. 

Cyber Tabletop Exercise Documents

Exercise Presentation

An exercise presentation provides key information to exercise Participants and is presented during the opening plenum. It augments the Situation Manual (SITMAN). The presentation provides administrative, logistics, and background information relevant to the event. It also describes how the TTX will be conducted.

Situation Manual

A SITMAN serves as the core document for all Participants. It addresses the following aspects:

Schedule of events

Exercise objectives and scope

Exercise structure (e.g., vignette order)

Instructions for exercise Facilitators, Players, and Observers

Exercise assumptions and artificialities

Exercise rules

Exercise scenario background

Facilitator and Planner Guide

A Facilitator and Planner Guide is designed to aid Facilitators and Data Collectors in managing the exercise. This document provides instructions and examples for Facilitators and Data Collectors to properly capture information and feedback during the exercise for review and development of an AAR/IP. It also provides scenario ground truth and question prompts that may be used by the Facilitator to guide Participant discussion.

Participant Feedback Forms

Participant Feedback Forms are utilized to gather information for exercise improvements and key outcomes expressed by the Participants.

Exercise Feedback Forms

Exercise Feedback Forms are utilized by Facilitators to collate and summarize Participant feedback on exercise improvements and key outcomes.

For this exercise, Exercise Feedback Forms can be sent to NH-ISAC, via e-mail at [email protected]

After Action Report/Improvement Plan

The AAR/IP provides feedback to participating entities on their performance during the exercise, summarizes exercise events, and analyzes performance of the tasks identified as important during the planning process. The IP portion of the AAR/IP includes corrective actions for improvement, timelines for their implementation, and assignment to responsible parties. A sample AAR/IP template is provided in the Exercise Planning folder of the CD.

Reference Library

Reference materials that are associated with cybersecurity within the Healthcare and Public Health critical infrastructure sector are located in Appendix F.

Exercise Planning and Support Materials

A list of exercise support materials (e.g., sample invitation, feedback forms, Web sites) is located in the Exercise Planning folder of the CD.

TABLE 5: CYBER TABLETOP EXERCISE DOCUMENTS

Exercise Logistics

Logistics is an important aspect of your cyber TTX development and conduct, as it involves the setup of exercise venues and testing of exercise systems; preparations for exercise support staff and Players; execution of planned exercise control; and wrap-up activities.

Setup prepares exercise venues for activities during the event. It entails installing and testing audio/visual (A/V) equipment, presentations, or computer systems; positioning tables and chairs to meet planned arrangements such as seating charts; setting up registration facilities; staging handout materials; and ensuring that all key control, evaluation, and logistics functions are prepared before the exercise starts.

A walkthrough is a part of the setup process that allows members of the Planning Team (e.g., Facilitators) to see their assigned positions and to practice their event responsibilities using the communications tools and other systems planned for the exercise; Players are not involved in the walkthrough. A dry run of briefings and other activities that require coordination amongst the Planning Team can be conducted as part of the walkthrough.

A list of logistical issues to be considered in the development of your cyber TTX is shown below.

Facility and Meeting Room

Select a location that is large enough to seat all desired Participants and Observers and is accessible to all invitees. It would be beneficial if the required space were available the day prior to the exercise for setup, walkthrough, and to address remaining technical issues. Identify an area for the Facilitators and Data Collectors to meet prior to and following the exercise; this may be an area that could also serve as a backup meeting space option if unforeseen events occur with the scheduled meeting space.

The room should have adequate A/V and acoustic capabilities to support a multimedia platform, to include virtual meetings if that is part of your scheme. Your multimedia presentations are key aspects of the TTX as they add realism. In the event of technology incompatibility, venue change, or security hurdles, always have a “Plan B” (e.g., alternate information formats, backup documents) prepared.


Ensure there are enough tables and chairs to accommodate every Player, Observer, Facilitator, and presenter. A U-shaped layout (see Table 6) is the most conducive to facilitation and Participant interaction. Participants can also be separated into breakout groups based on discipline, organization, or functional area; or, each table incorporates a mix of disciplines to encourage “cross-function” discussions.

Determination of the appropriate room layout for the exercise is at the discretion of your Exercise Planning Team and in consideration of the available meeting space. TTXs are generally conducted using either a breakout or plenary format as described below.

Breakout Format

Several breakout groups of varying sizes, seated at different tables

Individual groups consider their own probable actions based on current plans, policies, and procedures after the scenario is presented to all groups simultaneously

Re-assembly at the plenary session following the conclusion of each vignette

Plenary Format

Players grouped together in a single space with no periods of time set aside for small or subgroup discussions

Requires active facilitation

Ensures that comments and recommendations are heard by all Participants

TABLE 7: KEY TABLETOP EXERCISE FORMAT FEATURES

Tabletop Exercise Staffing Recommendations

U-shaped Layout: At least two Observers/Data Collectors to capture information.

Breakout Tables: One Facilitator and one Observer/Data Collector will be needed for each table.

TABLE 6: U-SHAPE LAYOUT FOR A TABLETOP EXERCISE


Plan to bring supplies, such as writing utensils, flipcharts and markers, notepads, name badges, etc., for Participants, and encourage the use of these supplies during discussions in order to capture notes or key ideas.

Food and Refreshments

Snacks, refreshments, and/or lunch can be provided to Participants and Observers at your discretion. At a minimum, water and coffee are recommended. Plan with your facility or an outside vendor accordingly.

Directions/Parking/Access

Ensure that all exercise Players and Observers/Data Collectors are provided with accurate and clear directions to the facility. If possible, post signage in designated parking areas on the date of the exercise. Additionally, include: special instructions if extra time will need to be allotted for security; badging/credentialing requirements (facility or exercise mandated); parking rules and fees, if necessary; etc.


Appendix A: Facilitator Role and General Guidance

Role

As a Facilitator for this tabletop exercise (TTX) you are responsible for coordinating your group’s activities throughout the TTX.

Your responsibilities include:

Directing the movement and flow of the sessions.

Keeping the discussions on track and at the appropriate level.

Following established processes.

Identifying and addressing the appropriate issues.

Overseeing the creation of the Summary Plenum (hot wash) briefings.

Characteristics of a good Facilitator include the following:

Ability to keep side conversations to a minimum; keep discussions on track and within established time limits; control group dynamics and strong personalities; and speak competently and confidently about the subject without dominating or steering the conversation.

Functional area expertise or experience.

Awareness of the participating organizations’ current plans, policies, procedures, and capabilities.

Ability to capture the discussion in notes for inclusion in the After Action Report/Improvement Plan (AAR/IP).

If the exercise is arranged in a multi-table breakout format, facilitated discussion at each table occurs following a scenario brief or inject. After a defined period, facilitated table discussion concludes and a moderated discussion of key findings from each table begins. Players should discuss their responses based on their knowledge of current plans, policies, procedures, and capabilities.

In moderated discussions, a representative from each breakout table presents the key findings and issues, as well as unresolved issues or questions, from the group’s facilitated discussion, to all exercise Players. Time allotment for the discussion – both moderated and facilitated – of each breakout session’s vignette is factored into the exercise agenda, as are the frequently longer discussions during the conclusion of the exercise. For each breakout table’s discussion, the group should be careful to focus only on the material presented for the given vignette.


Facilitators will have a Data Recorder and may have to select an “administrative assistant” (PowerPoint operator) to help the groups prepare the briefing materials to be used during the plenary sessions. Keep in mind that the briefing slides reflect the best efforts of the group – and the Facilitator. Facilitators may want to consider using the assistant to be the “flip-chart writer” to capture the major discussion points. The Facilitator is not the briefer during the plenary sessions. Although several people may seek to speak during each of the plenums, only one individual from the group will present the group’s views. Select the speaker early as it permits the presenter to develop a “briefing mindset” and to work with members of the group to prepare the briefing slides.

Group Dynamics

Brainstorming

The Facilitator should strive to begin the discussion flow as soon as practical. If problems arise in your group that you cannot resolve, seek assistance from the Monitoring Team immediately. In some tasks you may choose to use brainstorming techniques to generate the large number of ideas needed within your group. Your role as Facilitator is to act as the “official encourager” as well as the “policeman” against improper group and individual behavior. The following rules apply while brainstorming:

Criticism is not permitted in any verbal or non-verbal form

Bits and pieces of ideas are encouraged

No idea is rejected while brainstorming

A large quantity of ideas is encouraged

Combining and using pieces of other ideas from the group is encouraged

All ideas should be recorded as they are stated, in short phrases or words

Scenario

Some TTX Participants may not agree or comply with a given scenario because of their own perceptions of what the cause or consequences of a network disruption may be. If your group is unyielding about disregarding the TTX situations as provided, Participants may change elements within the situations as long as they remain within the overall objectives of this TTX. Should your group insist upon conducting its discussions on information significantly different from that provided, note this during your group’s briefing in the vignette’s plenum session.

Questions

At times there is a tendency for Participants to ask more questions than necessary to address the situation. They will insist on knowing every detail within the research used to develop a situation (e.g., exactly what are all the factors causing low public confidence?). Your answer can be quite straightforward: “There is no more information than what is described in the situation and other tabletop material.” If Participants insist that more information is required, they should develop it by generating assumptions based on their experience or by presenting other information to the group. Once again, it is important to note these adjustments during the plenary session.

Participants may also generate “solution assumptions” that diminish the significance of the problem (e.g., a programmer developed a “one-size-fits-all” computer fix for a virus). The Facilitator should reject these assumptions.

Trivializing the Answers

Analogous to the excessively broad assumption is the tendency for Participants to trivialize their answers. They may develop over-simplistic answers to the complex problems set before them. The Facilitator can take a broad answer and encourage the Participants to be more specific. Responses should be focused. Similarly, if Participants deem a consequence not to be critical, the Facilitator should direct them to defend their reasoning. As with many preparation and planning events, no authoritative or accurate projection of the future exists. The TTX is designed for Participants to examine possible future consequences and manage them.

Facilitator Challenges

Time Management

Because of the limited time during the interactive portion of each vignette, managing the Participants’ responses, necessary discussions, and completing the materials to be used during the Summary Plenary Session will be hard work, but it is not insurmountable. The dynamics of each group preclude creating a single time schedule for getting through the tasks set before your group. You will find that the group dynamics will evolve differently for each group; therefore, some points may be more relevant than others. Depending on your group, develop a mental plan as to how to pace their efforts. Allow time for discussion in each task, and at the end of each vignette allow time for concluding and summarizing all the major points that will be integrated into the briefing material. Injects provided by the Monitoring Group are used not only for the introduction of information, but as regulators that dictate the TTX pace. Do not permit your group to get bogged down by peripheral matters. However, should this occur, prepare a question or a prompt to redirect discussion toward the TTX’s purpose and objectives and the task at hand.

Focus and Level of Discussion

Ensuring that the group’s discussion is focused on the task and at a level necessary to achieve the TTX’s objectives is very important. The truly noteworthy discussions that occur during this TTX will be those that shed new light on planning and policy issues, or that generate insights that have yet to be considered either by the entity or by others within the Healthcare Industry Sector.


Keep in mind what products are required at the end of each session and what will have to be briefed during each plenary session. The level of detail necessary to develop these products should be similar to the level of discussion within the group. Everyone attending the TTX will have an opinion about network disruptions and their associated consequences. Some may be overly vocal and ensure that their opinion dominates the group’s discussions and final outcomes. Others may attempt to change the group’s discussion to be more compatible with their own experience, or to move it to a level at which they can demonstrate their professional expertise. Be prepared to deal with this situation quickly and as tactfully as possible. There is no easy solution to this problem, but you may try techniques such as asking the group, “What are some other opinions on this subject?” as a counterbalance, or as a last resort have a quiet word with the individual during a break.

Do your best to keep the group focused on the TTX’s objectives. Should the group get “in the weeds” – and the discussion has merit – create a sidebar discussion group by selecting a small number of people (2-3) to develop a resolution or recommendation for the issue in a short period (not more than 15-20 minutes) and report back to the entire group. It is important to engage everyone in the TTX process and discussions. This assures that all members of the group claim ownership of the group’s decisions and the briefing materials at the end of the TTX.

Issue areas have been developed for this TTX and are available to Facilitators should deafening silence fill your room, or to redirect your group’s discussions back to the objectives of the TTX. Before the TTX begins, review these issue areas and think of a question or two that would stimulate discussion. The best “prompts” are usually generated by the Facilitator using information within the group’s discussion. Convert statements made by Participants into questions to redirect the group back to the task in progress.


Appendix B: Vignette I: Compromise of electronic Protected Health Information (ePHI)

Opening Scenario

The nursing staff members at your healthcare facility have noticed that over the past several months a part-time security guard has repeatedly shown up at least an hour earlier than his shift is scheduled to begin. The guard is well-liked and has worked at the facility for over five years.

Six months ago the guard’s fiancée (also an employee at your facility) was laid off, along with 25 other support employees. Three months later, several administrative and finance employees at your facility received an email from the guard’s fiancée with an invitation to check out her latest vacation pictures from Tahiti by clicking on a link to www.SeeMyVacationPhoto.com. Upon clicking the link, an error message (“404 Error – File Not Found”) was displayed. Some employees replied to the sender that there was an error message; others did nothing.

Facilitator Prompts

What do you know?

How might you know this?

What other information needs exist?

How do you intend to get this information?

With whom do you share this information?

What actions would you be taking and/or intend to take?

Inject 1

Two nights ago your Information Technology (IT) operations manager received the daily report from his team stating that the anti-virus software had quarantined several unrecognizable files. Additionally, the security event log showed unusual network activity, recorded earlier in the day, by several night shift employees.

Yesterday your Chief Information Security Officer (CISO) returned from his vacation to a report of three lost laptops.

Facilitator Prompts

How have things changed?

What other information needs exist?

How do you intend to get this information?

With whom do you share this information?

What actions would you be taking and/or intend to take?

Do your end users and IT support personnel receive training pertaining to cybersecurity? How often? Is it mandatory? What type of employee security (cyber and physical) training programs do you have?

Are there corporate policies (formal and informal) pertaining to USB thumb drives or other removable storage devices?

Does your company have formal/informal policies or procedures pertaining to IT account management?

o Do these policies or procedures include protocols for establishing, activating, modifying, disabling and removing accounts?

o Do these policies or procedures include protocols for notifying IT account managers/administrators when users are terminated?

Does your company terminate information system access (including remote access) upon an employee’s termination?

o Is there a time period defined for the termination of system access?

o Is there a difference in the time period defined for normal and adverse termination?

Does your company retrieve all information system-related property (e.g., authentication keys, system administration handbooks/manuals, keys, identification cards, etc.) during the employment termination process?
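The account-management and termination prompts above ask whether access ends within a defined period and whether property is retrieved. The following is an added example, not material from this guide, of the kind of offboarding audit a Planning Team might ask IT to demonstrate: it joins constructed HR termination records with constructed directory account data and flags accounts left enabled past a hypothetical policy window (different for normal and adverse terminations), remote access still active, and property not returned. The policy windows, user names, dates and the required-return list are all assumed placeholders.

```python
"""Offboarding audit: does access end within the policy window, and was property returned?

Added example (not part of the guide). Policy windows, user names, dates and the
required-return list are constructed placeholders, not values from the exercise.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Hypothetical policy: normal terminations get 24 hours, adverse ones are immediate.
POLICY_WINDOWS = {"normal": timedelta(hours=24), "adverse": timedelta(hours=0)}

# Hypothetical list of information-system property that must be retrieved.
REQUIRED_RETURNS = {"badge", "vpn_token", "laptop"}


@dataclass
class Termination:
    """One HR termination record (constructed shape)."""
    user: str
    terminated_at: datetime
    kind: str                       # "normal" or "adverse"
    returned_items: set = field(default_factory=set)


@dataclass
class Account:
    """One directory account as reported by IT (constructed shape)."""
    user: str
    enabled: bool
    disabled_at: Optional[datetime]
    remote_access: bool


def audit(terminations, accounts, now):
    """Return (user, finding) pairs for every policy violation found."""
    by_user = {a.user: a for a in accounts}
    findings = []
    for t in terminations:
        acct = by_user.get(t.user)
        if acct is None:
            continue  # no directory account: nothing to deprovision
        deadline = t.terminated_at + POLICY_WINDOWS[t.kind]
        if acct.enabled:
            if now > deadline:
                findings.append((t.user, "account still enabled past deadline"))
            if acct.remote_access:
                findings.append((t.user, "remote access still active"))
        elif acct.disabled_at is not None and acct.disabled_at > deadline:
            findings.append((t.user, "account disabled late"))
        missing = REQUIRED_RETURNS - t.returned_items
        if missing:
            findings.append((t.user, "property not returned: " + ", ".join(sorted(missing))))
    return findings


def run_sample():
    """Run the audit over constructed HR and directory data."""
    now = datetime(2020, 1, 10, 9, 0)
    terminations = [
        Termination("alice", datetime(2020, 1, 8, 17, 0), "normal", set(REQUIRED_RETURNS)),
        Termination("bob", datetime(2020, 1, 9, 15, 0), "adverse", {"badge"}),
        Termination("carol", datetime(2020, 1, 6, 12, 0), "normal", set(REQUIRED_RETURNS)),
    ]
    accounts = [
        Account("alice", False, datetime(2020, 1, 9, 10, 0), False),  # disabled within 17 h
        Account("bob", True, None, True),                              # never disabled
        Account("carol", False, datetime(2020, 1, 8, 12, 0), False),  # disabled after 48 h
    ]
    return audit(terminations, accounts, now)


if __name__ == "__main__":
    for user, finding in run_sample():
        print(f"{user}: {finding}")
```

The check is deliberately driven by the HR record rather than by the directory, so a termination that IT was never told about still surfaces; that is exactly the notification gap the prompt about informing account administrators is probing.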

Inject 2

This morning, your Chief Information Officer (CIO) received an untraceable email with a file containing ePHI and credit card data of a thousand former and current patients. The email states that this information, and that of over 5,000 other patients, will be made available to the highest bidder and invites your organization to make a bid. Bids close tonight at midnight.

Facilitator Prompts

Are there any existing procedures in place to guide you on how to respond to such an event?

Who would you contact about the incident?

Internally?


Externally?

What internal and external messages should be developed? How are they being distributed?

What are the business implications of the scenario? How would you determine them?

Would you contact customers? If so, how is your firm’s public relations department involved? What role would you have in shaping the messages for customers and media inquiries?

At what point would you contact law enforcement?

Would this situation trigger contact with regulators? Others? Why or why not?


Ground Truth – Vignette I: Compromise of electronic Protected Health Information (ePHI)

Vignette Objectives

Examine the consequences and response mechanisms associated with a cyber-related breach of electronic Protected Health Information (ePHI) and Personally Identifiable Information (PII).

Improve the understanding of cybersecurity policies, practices, and procedures for securing ePHI.

General Sequence of Events

Hacker hired by insider gains access to an organization’s network.

Collection of patient data and insurance information for the purpose of selling on the black market.

Hacker actions result in organization-wide privacy and confidentiality loss, identity theft/fraud, potential civil fines for violation of Federal and state breach statutes, and reputational damage intensified by public exposure.

Overview

As an act of revenge, a part-time security guard at a large hospital hires a hacker to break into the hospital network to steal patients’ protected health data and credit card information. The plan is to sell this information on the black market and split the proceeds between themselves.

To prepare for his intrusion the hacker conducts cyber reconnaissance of his target network several months before the attack. He uses phishing techniques on hospital employees to obtain several user account credentials; the cyber-identities of these individuals were collected through social networking web sites. Using a hand-sketched map of the facility provided by the security guard, the hacker, disguised as a courier, enters secure areas of the hospital using counterfeit passes. In order to gain access to a supposedly “air gapped” network, the hacker then locates an unattended computer workstation in a remote, quiet area. With the network credentials the hacker stole before the attack, he is able to gain access to several patient admissions, transfer, and discharge (ATD) databases, where he then downloads medical records and insurance information for over five thousand current and previous patients.

The hacker also steals several running laptops and thumb drives connected to biomedical devices in an unattended interventional radiology room as he exits the hospital. After the hacker later cracks these stolen computers he discovers that an unencrypted laptop and thumb drives contain a significant amount of ePHI and PII data.


Appendix C: Vignette II: Corrupted Electronic Health Records/Electronic Medical Records (EHRs/EMRs)

Opening Scenario

Your healthcare organization is a major trauma center in a metropolis that triages and treats patients. Patient care is captured, tracked, and reviewed via a remotely accessible Electronic Health Record/Electronic Medical Record (EHR/EMR) system that provides real-time, point-of-care, patient-specific clinical data.

Several weeks ago the software on your EHR/EMR system was updated and, despite some very minor initial problems, the system has been operating well. Today it is not. Your clinical support computers are very slow, do not respond, or freeze. Patient care is increasingly delayed as physicians and clinicians authenticate and verify patient EHR/EMR information through labor-intensive and time-consuming manual downtime paper procedures (e.g., patient questioning, contact made to families, paper records). Amidst the treatment of patients with corrupt EHRs/EMRs, the center becomes rapidly overwhelmed and, as new patients arrive, only life-threatening emergencies are accepted for emergency department treatment. Trauma staff members are complaining that the EHR/EMR system has virtually ground to a halt and is unusable. Administrator priorities shift to reaffirming EHR/EMR data integrity.

Facilitator Prompts

What does this mean?

Are there existing procedures to guide you on how to respond to such an incident?

How does this impact you? Considerations:

o Notification process (internal and external)

o Patient responsibilities

o Intra-center/services/unit coordination and workflow

What are your “next steps?” Considerations:

o Standard Operating Procedure (organization and/or department/unit)

o Establishing or coordinating a process of authenticating and validating patient EHR/EMR information, and relaying treatment plan information as needed (to provide situational awareness)

o Prioritization of patient treatment based on patient criticality


Inject 1

The center’s off-site information technology (IT) services contractor discovers malware while investigating a high number of complaints of suspicious events and slow network speed. The technicians find that malicious code has infected multiple network-level servers, and possibly desktop and mobile workstations.

Facilitator Prompts

What types of cybersecurity policies, plans, and/or protocols does your organization have in place to detect, respond to, and/or recover from a cyber incident?

What types of cybersecurity policies, plans, and/or protocols does your organization have in place for the control system network to detect, respond to, and/or recover from a cyber incident?

o Do you have detection, triage, and response capabilities?

o What constitutes suspicious cybersecurity activities or incidents? Do you know what actions to take when one arises?

Who directly coordinates with the IT services contractors?

o If technology (e.g., network, server, devices) directly impacts safety and health care, how (and by whom) is this information exchanged?

Do you have umbrella, center-wide standard operating procedures or authorities, or network centralization, which provides organization-wide situational awareness? What is the ease with which information is exchanged/shared between departments (whilst complying with the Health Insurance Portability and Accountability Act [HIPAA])?

Inject 2

IT support determines that the Web and main network servers are infected with a worm that has altered or erased an indeterminate quantity of data fields containing relevant patient health and treatment plan information.

Facilitator Prompts

How are you notified? Is it your responsibility to inform others?

Would you (and are you authorized to) share this information with patients? With immediate family members? With the public?

o If so, would this be handled directly by the patient’s medical team or through your organization’s public relations department?

What steps do you take to differentiate between altered and un-altered EHR/EMR information?


o How do you determine which information has been erased or altered, or is unaffected?

What are alternate methods for capturing patient health and treatment plan information? Are these outlined in current, formalized plans, policies, or procedures?

How does this affect post-incident EHR/EMR management?

o Is your current Standard Operating Procedure (SOP) compliant with existing policy or procedures? If not, who initiates the process of updating the SOP? If a SOP is not in place, who leads the effort in developing one?

o Synchronous across the entire center/services/units?
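The prompts above ask how you would tell altered EHR/EMR fields from unaffected ones once a worm has been writing into the database. One concrete answer a Planning Team can put in front of IT is an integrity baseline: keyed fingerprints of each record taken from a known-good state and kept where the infected servers cannot rewrite them, then compared against the current records during recovery. The following is an added example, not the guide's own material; the patient records, identifiers and key are constructed placeholders, and the baseline is assumed to predate the compromise.

```python
"""Keyed integrity baseline for EHR/EMR records.

Added example (not the guide's own material). Record contents, identifiers and the
key are constructed placeholders. The baseline is assumed to have been taken from a
known-good state and kept on a system the worm could not reach.
"""
import hashlib
import hmac
import json


def canonical(record):
    """Serialize a record deterministically so equal content gives equal bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def fingerprint(record, key):
    """HMAC-SHA256 over the canonical record; a plain hash could be recomputed by
    whoever has write access to the database, a keyed one cannot."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def build_baseline(records, key):
    """Map record id -> fingerprint for a known-good snapshot."""
    return {rid: fingerprint(rec, key) for rid, rec in records.items()}


def classify(baseline, current, key):
    """Sort current records into intact / altered / missing / unexpected buckets."""
    result = {"intact": [], "altered": [], "missing": [], "unexpected": []}
    for rid, expected in baseline.items():
        if rid not in current:
            result["missing"].append(rid)          # erased by the worm
        elif hmac.compare_digest(fingerprint(current[rid], key), expected):
            result["intact"].append(rid)           # safe to treat from
        else:
            result["altered"].append(rid)          # must be re-verified manually
    for rid in current:
        if rid not in baseline:
            result["unexpected"].append(rid)       # no known-good copy exists
    for bucket in result.values():
        bucket.sort()
    return result


# Constructed key; in practice it would live with the off-system baseline.
KEY = b"constructed-baseline-key-do-not-reuse"


def run_sample():
    """Compare a constructed known-good snapshot against a constructed post-worm state."""
    known_good = {
        "P001": {"name": "Pat One", "blood_type": "O-", "allergies": ["penicillin"], "dnr": False},
        "P002": {"name": "Pat Two", "blood_type": "A+", "allergies": [], "dnr": True},
        "P003": {"name": "Pat Three", "blood_type": "B+", "allergies": ["latex"], "dnr": False},
    }
    baseline = build_baseline(known_good, KEY)
    # Post-worm state: P002's DNR flag flipped, P003 erased, P004 appeared from nowhere.
    current = {
        "P001": {"name": "Pat One", "blood_type": "O-", "allergies": ["penicillin"], "dnr": False},
        "P002": {"name": "Pat Two", "blood_type": "A+", "allergies": [], "dnr": False},
        "P004": {"name": "Pat Four", "blood_type": "AB+", "allergies": [], "dnr": False},
    }
    return classify(baseline, current, KEY)


if __name__ == "__main__":
    for bucket, ids in run_sample().items():
        print(f"{bucket}: {', '.join(ids) or '-'}")
```

The output feeds the prioritization prompt directly: intact records can go back into clinical use, altered and missing ones are routed to the manual verification procedure, and the size of the altered bucket is the first honest estimate of the "indeterminate quantity" the inject describes. Field-level fingerprints (one per clinically critical field rather than one per record) are a straightforward extension when the downtime procedure needs to know which value to re-confirm.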


Ground Truth – Vignette II: Corrupted Electronic Health Records/Electronic Medical Records (EHRs/EMRs)

Vignette Objective

Examine the operational impacts of cyber exploitation of EHRs/EMRs that leads to safety and healthcare clinical errors.

General Sequence of Events

Cyber-disruption.

Unauthorized disclosure of identifiable ePHI.

Corrupt patient EHR/EMR information.

Malicious worm identification.

Diminished quality of patient care; patient safety and life-threatening issues; legal practice and liability implications; and public exposure and reputational damage.

Overview

A major trauma center in a metropolis that triages and treats patients presenting the gamut of criticality experiences a cyber-disruption that initiates cascading consequences impacting EHRs/EMRs and subsequently, patient care. The center’s off-site IT services contractor discovers malware while investigating a high number of complaints of suspicious events and slow network speed. The nursing staff reports to the help desk that clinical support computers are very slow, do not respond, or freeze. The technicians find that malicious code has infected multiple network-level servers, and possibly desktop and mobile workstations.

The remotely accessible EHR/EMR system provides real-time, point-of-care, patient-specific clinical data that includes: vital signs, drugs administered, patient allergies, medical history, immunizations, drug-drug interactions, legal permissions, diagnostic tests and imaging reports, observations, therapies, treatment plans, and other safety-related concerns. With network administrator rights, the technician has access to the center’s personnel, insurance, patient, and financial records.

In preparation for surgery, a nurse confirms a patient’s blood type; a patient transferred onto another floor is placed onto an appropriate hospital bed; do-not-resuscitate orders for the patient are verified; a physician administers an anticoagulant to a hemophiliac; centrifugation of blood samples is delayed; laboratory results indicate that a patient’s white blood cell count is dangerously high, leading to emergent treatment. In each of these actions, medical personnel reviewed the patient’s EHR/EMR to inform the respective treatment plan. Physicians and clinicians became aware of inaccurate EHR/EMR information following a series of near-fatal patient reactions to medical treatments and procedures (e.g., erroneous insulin dosage induces profound diabetic hypoglycemia and subsequent coma). In the subsequent emergent care provided, confusion from questionable EHR/EMR information alerts both medical and IT support personnel.

IT support determines that the Web and main network servers are infected with a worm that is altering or erasing an indeterminate quantity of data fields containing relevant patient history and treatment plan information. To remediate the situation, affected computers need to be re-imaged, servers’ operating systems need to be restored from original backup tapes, and the application systems need to be re-installed.

Amidst the treatment of patients with corrupt EHRs/EMRs, the center rapidly becomes overwhelmed and, as new patients arrive, only life-threatening emergencies are accepted for emergency department treatment. Administrator priorities shift to reaffirming EHR/EMR data integrity.
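Reaffirming data integrity after a worm has silently altered or erased safety-critical fields (an insulin dosage, a DNR order) is only tractable if an integrity ledger was captured before the incident. The following Python is an added illustration and is not part of the exercise guide: it seals each critical field of a record with an HMAC under a key assumed to be held on a separate system the malware cannot reach, then audits the post-incident records against that ledger; the patient records, field names and key are all constructed for the example.

```python
"""Field-level integrity ledger for EHR/EMR clinical data (hypothetical illustration).

Assumption: LEDGER_KEY is held on a system separate from the EHR servers, so malware
that can rewrite record fields cannot also re-seal them with a valid tag.
"""
import copy
import hashlib
import hmac
import json

# Safety-critical fields from the vignette; sealing exactly these is an assumption.
CRITICAL_FIELDS = ("blood_type", "allergies", "dnr_order", "medications", "treatment_plan")


def canonical(value) -> bytes:
    """Serialize a field value deterministically so equal data always yields equal tags."""
    return json.dumps(value, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal_record(key: bytes, record: dict) -> dict:
    """Return {field: hex HMAC-SHA256} for each critical field present in one record.

    The patient id and the field name are bound into the MAC, so a value cannot be
    transplanted from another patient's record, or from another field, undetected.
    """
    tags = {}
    for field in CRITICAL_FIELDS:
        if field in record:
            msg = b"|".join([record["patient_id"].encode("utf-8"), field.encode("utf-8"),
                             canonical(record[field])])
            tags[field] = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return tags


def audit_records(key: bytes, ledger: dict, records: dict) -> dict:
    """Compare the live EHR records against the pre-incident ledger.

    ledger:  {patient_id: {field: tag}} captured before the incident
    records: {patient_id: record} as currently stored in the EHR
    Returns {patient_id: {"altered": [...], "erased": [...], "unsealed": [...]}} for
    every patient with at least one finding; patients whose records verify are omitted.
    "unsealed" lists critical fields that appeared after sealing and need manual review.
    """
    findings = {}
    for pid, sealed in ledger.items():
        record = records.get(pid)
        if record is None:  # whole record gone: every sealed field counts as erased
            findings[pid] = {"altered": [], "erased": sorted(sealed), "unsealed": []}
            continue
        current = seal_record(key, record)
        altered, erased = [], []
        for field, expected in sealed.items():
            if field not in current:
                erased.append(field)
            elif not hmac.compare_digest(current[field], expected):
                altered.append(field)
        unsealed = [f for f in current if f not in sealed]
        if altered or erased or unsealed:
            findings[pid] = {"altered": sorted(altered), "erased": sorted(erased),
                             "unsealed": sorted(unsealed)}
    return findings


# Constructed sample data: three records as they were sealed before the incident.
LEDGER_KEY = b"constructed-demo-key-kept-off-the-ehr-servers"
BASELINE = {
    "P-1001": {"patient_id": "P-1001", "blood_type": "O-", "allergies": ["penicillin"],
               "dnr_order": False, "medications": [{"drug": "insulin", "dose_units": 10}]},
    "P-1002": {"patient_id": "P-1002", "blood_type": "A+", "allergies": [],
               "dnr_order": True, "medications": []},
    "P-1003": {"patient_id": "P-1003", "blood_type": "B+", "allergies": ["latex"],
               "dnr_order": False, "medications": []},
}
LEDGER = {pid: seal_record(LEDGER_KEY, rec) for pid, rec in BASELINE.items()}

# Constructed sample data: the same records as found after the worm ran.
AFTER = copy.deepcopy(BASELINE)
AFTER["P-1001"]["medications"][0]["dose_units"] = 100  # erroneous insulin dosage
del AFTER["P-1002"]["dnr_order"]                       # DNR order erased
del AFTER["P-1003"]                                    # entire record erased


def demo() -> dict:
    """Run the audit on the constructed post-incident records."""
    return audit_records(LEDGER_KEY, LEDGER, AFTER)


if __name__ == "__main__":
    for pid, finding in sorted(demo().items()):
        print(pid, finding)
```

Records that verify are omitted from the findings, so the audit output is directly the list of charts that must be re-validated against the restored backups before clinical use.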


Appendix D: Vignette III: Cash Out - Billing System Disruption

Opening Scenario

Six months ago, three administrative employees in your healthcare organization receive an email from the facilities’ human resources (HR) department/provider. The email contains what appears to be an attachment, but it will not open. The employees do not report this problem to anyone. Other employees also receive seemingly “legitimate” emails from HR/payroll asking them to update their password-protected personal information through hyperlinks embedded in the emails.

During a routinely scheduled financial audit this week, significant discrepancies are discovered and immediately reported to your Chief Financial Officer (CFO). A quick internal investigation by the CFO exonerates your employees. This investigation determines that an external network intruder has exploited a known – but unpatched – billing system vulnerability and now controls key components of your billing and receivables capabilities. It is determined that the money cannot be recovered, nor can the intruder be identified.

Facilitator Prompts

Describe the threat, vulnerability, and consequence methodologies used in risk assessment. What are the sources of information that contribute to them?

What physical, information security, and/or other risk management methodologies do you use?

Describe your employee and end-user cybersecurity awareness training. Is it standardized across your enterprise? Is it required before login permissions are granted?

Does your business continuity planning address cybersecurity? How often is it exercised?

Do you have a threat escalation matrix with thresholds and/or triggers for protective actions and incident management?

How do information technology skillsets differ from information security skills? Do you have sufficient employees with both? How are they organized?

What are your sources of cyber threat collection and analysis?

Describe your initial planned response. If no response is planned, discuss who would be in command and why. What are the essential elements of information necessary to support decision-making?

What actions would you be taking and/or intend to take?


Do your initial actions account for the possibility of an insider threat and/or compromised email and, if you use Voice over Internet Protocol (VoIP), compromised voice and voicemail communications?

Discuss decision-making related to the notification of law enforcement.

Inject 1

Your healthcare organization hires a third party cyber service to remediate the vulnerability, secure the system, and conduct forensic analysis. This vendor completes the work and states that they believe the intruder has been prevented from further access to your system. You continue efforts to resolve business, legal, and regulatory damages caused by the breach.

Facilitator Prompts

Has leadership of the incident management changed?

Describe your incident management structure.

What are the current legal concerns?

Discuss liability and indemnification contract issues with your partners.

Does your contract specify who owns the data they collected during the response?

Discuss initial notifications to regulators.

What other information needs exist?

How do you intend to get this information?

With whom do you share this information?

What actions would you be taking and/or intend to take?

What are your biggest challenges in this situation?

Inject 2

Your Chief Executive Officer (CEO) receives an untraceable email from the hacker, who claims credit for the fraudulent billing and attempts to extort money from your organization to avert public disclosure. The email includes current, dated screenshots of your billing system and declares that she still has it under her control. The email states that your CEO has 24 hours to pay a ransom of $1 million or she will both delete a portion of your billing database and offer patient credit card information for sale on the Internet.

Facilitator Prompts

What are your concerns, if any, about contacting law enforcement?


How developed is your relationship with law enforcement?

How developed is your relationship with local government?

What other relationships would be impacted?

How are these relationships nurtured?

How will the needs of law enforcement (e.g., evidence collection) impact your mitigation efforts?

How are these impacts managed?

Who leads the response?

What essential elements of information are needed to support incident management?

Who determines interdependencies and cascading effects?

Who develops the worst case scenario and other decision support requirements for leadership?

What are your incident objectives?

What other information needs exist?

How do you intend to get this information?

With whom do you share this information and why?

What actions would you be taking and/or intend to take?

How do you manage extortion?

What are your biggest challenges in this situation?

Inject 3

After notifying law enforcement, your board of directors tries to negotiate with the hacker and delays paying the ransom; the hacker subsequently deletes 10% of the billing database. In addition to this damage, the intruder’s malware has also caused you to lose the ability to quickly verify patient insurance payments through electronic means. This results in significant delay, and in some cases outright denial, of medical services to non-emergency and all elective-surgery patients. Those denied services are referred to nearby healthcare providers. Despite continued attempts, the IT technicians are unable to regain control of these databases. The intruder then raises the ransom to $5 million and threatens to erase 50% of your database if you fail to make full payment within 24 hours.

The significant loss of data and increase in patient load at nearby healthcare facilities prompts your organization to disclose and communicate the breach to other healthcare providers in the region. Your limited ability to share data with federal and state service providers, to service payroll, and to manage bills brings your facility close to temporarily shutting down operations. Your Incident Management Team (IMT) coordinates its response with law enforcement, regulators, and other authorities. Based on the information you provide, some regional healthcare providers also discover similar fraudulent billing due to actions by this intruder. The hacker is attempting to extort money from these other providers as well.

Your organization becomes non-compliant with Payment Card Industry (PCI) requirements and is therefore subject to penalties and fines. It is estimated that your healthcare organization may have to spend in excess of $3 million to notify those patients whose credit card information was stolen and to provide them with credit monitoring for a year.

Facilitator Prompts

What cybersecurity requirements are contractually required of your third-party service providers, supply chain, and business partners? What standards are used and why?

Discuss public affairs messaging. Who leads this process? How is it coordinated?

What are your concerns about notifying customers? The public? Regulators? Your supply chain? Your business partners? Elected officials? Industry organizations? Media? Government partners? Corporate Board and shareholders (if applicable)?

What is the mechanism for sustaining incident response?

What are your criteria for demobilization of incident response?

What other information needs exist?

How do you intend to get this information?

With whom do you share this information?

What actions would you be taking and/or intend to take?

Have your challenges changed?


Ground Truth – Vignette III: Cash Out – Billing System Disruption

Vignette Objective

To examine the interdependencies and cascading effects of, and organizational response to, cyber disruptions in a healthcare billing system.

General Sequence of Events

External network intruder commits fraud followed by extortion.

Actions by the intruder result in the loss of billing capabilities, disrupting patient care and operations and causing loss of revenue; as a result, public exposure and reputational damage ensue.

Information sharing with other regional healthcare organizations indicates that they are experiencing a similar cyber attack.

Credit card information breach results in fines, penalties, and costs associated with credit monitoring.

Overview

Three junior administrative employees from your healthcare organization receive an email that appears to come from your HR department/provider. The email contains an attachment that will not open; none of the employees report the email attachment problem to anyone. Unbeknownst to the employees, the “non-functioning attachment” is a malicious worm that has infected the billing system.

The hacker then sends phishing emails to 50 additional employees in an attempt to obtain administrative account credentials. The phishing email appears to be sent by the IT help desk, simply states that the user’s network password has expired, and provides a hyperlink. Users are lured to click the hyperlink, which sends them to a fraudulent Web site where the employee enters their username and password.

With administrative credentials gained through phishing, the intruder exploits a previously unknown vulnerability of the operating system to gain full system privileges. The hacker then accesses your billing system to modify the worm-originated data that sent illegitimate invoices to health sector providers and payers, including Medicare, Medicaid, and other insurers. Payments are routed to the intruder’s offshore bank account and laundered as quickly as money is received. The hacker’s control of the billing system allows her to alter data and mask her crime for an extended period of time.


During a routinely scheduled financial audit, your Chief Financial Officer (CFO) is informed that significant fraudulent activity has been discovered. The CFO’s investigation exonerates your employees but suspects that an external network intruder has exploited a software vulnerability and now controls key components of your billing system. The defrauded money cannot be recovered, nor can the intruder be identified. Your CISO hires a third party service to remediate the vulnerability, re-secure your systems, and conduct additional forensics analysis.

The cybersecurity vendor completes the remediation and believes it has prevented the intruder from further access to the system. Your organization continues efforts to resolve business, legal, and regulatory damages and repercussions caused by the attack.

Your CEO receives an untraceable email from the hacker, who claims credit for the fraudulent billing and attempts to extort money from your organization to avert public disclosure. The email includes current, dated screenshots of your billing system and declares that she still has it under her control. The email states that your CEO has 24 hours to pay a ransom of $1 million or she will both delete a portion of your billing database and offer patient credit card information for sale on the Internet.

After notifying law enforcement, your board of directors tries to negotiate with the hacker and delays paying the ransom; the hacker subsequently deletes 10% of the billing database. In addition to this damage, the intruder’s malware has also caused you to lose the ability to quickly verify patient insurance payment through electronic means. This results in significant delay, and in some cases outright denial, of medical services to non-emergency and all elective-surgery patients. Those denied services are referred to nearby healthcare providers. Despite continued attempts, the IT technicians are unable to regain control of these databases. The intruder then raises the ransom to $5 million and threatens to erase 50% of your database if you fail to make full payment in 24 hours.

The significant loss of data and increase in patient load at nearby healthcare facilities leads to your organization disclosing the breach and communicating with other healthcare providers in the region. Your limited ability to share data with federal and state service providers, to service payroll, and to manage bills brings your facility close to temporarily shutting down operations. Your IMT coordinates its response with law enforcement, regulators, and other authorities. Based on information you provide, some regional healthcare providers also discover similar fraudulent billing due to actions by this intruder. The hacker is attempting to extort money from these other providers as well.

Your organization becomes non-compliant with PCI requirements and becomes subject to penalties and fines. It is estimated that your healthcare organization may have to spend in excess of $3 million to notify patients whose credit card information was stolen and provide credit monitoring for a year.


Appendix E: Vignette IV: Medical Device Malfunction

Opening Scenario

The medical device industry has experienced substantial growth in the past decade, owing primarily to changes in patient demographics and rapid globalization. Nevertheless, the industry continues to face pressures to cut costs and increase product development. A variety of cost cutting measures, including global outsourcing, continue to play a major role in medical device development and manufacturing.

Activities outsourced include product design, prototyping, manufacturing, and supply chain management. Alongside these are challenges in regulatory compliance and certifying that all components and products are authentic. The reliability and surety of devices are becoming an increasingly public issue. In the wake of several high-profile safety incidents, many manufacturers are taking additional steps to ensure that their products are both safe and effective. It has been reported that several devices with the ability to be reprogrammed remotely via wireless technology are used within your healthcare organization and have suspect reliability.

Facilitator Prompts

What do you know?

How might you know this?

What other information needs exist?

How do you intend to get this information?

With whom do you share this information?

What actions would you be taking and/or intend to take?

What are your biggest challenges in this situation?

Inject 1

A new generation of implantable cardioverter defibrillators (ICDs) manufactured by multiple companies, with components made in the United States, Asia, and Europe, is now used by many healthcare organizations, including your own. The new generation of ICDs is intended to offer improved reliability and safety over older models, and a “reasonable assurance of safety and effectiveness” is touted by the manufacturers.

Failure rates of the newer ICDs across all manufacturers have been tracked as below traditional averages. The United States Food and Drug Administration (FDA) has identified firmware as the primary cause of device problems. To gain a competitive advantage, one manufacturer decides to update the firmware in its in-stock ICDs and incentivizes physicians and suppliers to replace the non-updated implants with the safer, more reliable device.

Several weeks after replacement of an implanted device, three very similar reports of “adverse events” – including one death – are received from patients who received the updated ICDs at your hospital.

Facilitator Prompts

Are there any existing procedures in place to guide you on how to respond to such an event?

Who would you contact about the incident?

o Internally?

o Externally?

What internal and external messages should be developed? How are they being distributed?

What are the business implications of the scenario? How would you determine them?

Would you contact customers? If so, how is your firm’s public relations department involved? What role would you have in shaping the messages for customers and media inquiries?

At what point would you contact law enforcement?

Would this situation trigger contact with regulators? Others? Why or why not?


Ground Truth – Vignette IV: Medical Device Malfunction

Vignette Objective

Explore intra- and inter-organizational response practices resulting from cyber-induced, malfunctioning implanted medical devices.

General Sequence of Events

Creation of a vulnerability in a medical device component.

Shipment of faulty components for manufacture and use in United States healthcare facilities and elsewhere.

Devices implanted in patients are directly linked to life-threatening conditions.

Overview

The medical device industry has experienced substantial growth in the past decade, owing primarily to changes in patient demographics and rapid globalization. Nevertheless, the industry continues to face pressures to cut costs and increase product development. A variety of cost cutting measures, including global outsourcing, continue to play a major role in medical device development and manufacturing.

Activities outsourced include product design, prototyping, manufacturing, and supply chain management. Alongside these are challenges in regulatory compliance and certifying that all components and products are authentic. The reliability and surety of devices are becoming an increasingly public issue. In the wake of several high-profile safety incidents, many manufacturers are taking additional steps to ensure that their products are both safe and effective. It has been reported that several devices with the ability to be reprogrammed remotely via wireless technology are used within your healthcare organization and have suspect reliability.

In concert with a large international criminal organization, a foreign corporation produces compromised microchips to be embedded in a new generation of ICDs. The criminal organization orchestrates the delivery of the compromised chips to the United States and Europe, where the ICD devices will be manufactured. These flaws go undetected in the pre-market testing conducted by the device manufacturers and by the FDA, and a “reasonable assurance of safety and effectiveness” is promoted by the manufacturers. The new generation of devices is intended to offer improved reliability and safety over older models. Some models can be reprogrammed remotely with wireless technology to update software and personalize settings.


Compromised chips enable corruption of the firmware, resulting in time-delayed malware that is generated within the device after a firmware update. Over 25 thousand of these devices have been implanted into patients in the United States alone. A similar number of new generation ICDs are in stock around the country, potentially affecting an untold number of patients.

Failure rates of the newer ICDs across all manufacturers have been below traditional averages. The FDA has identified firmware as the primary cause of device problems. To gain a competitive advantage, one manufacturer decides to update the firmware in its in-stock ICDs and encourages physicians and suppliers to replace the non-updated implants with the “safer, more reliable” device or to update the firmware in implanted devices through wireless means.

Several weeks after the replacement or updating of an implanted device, three very similar cases of an “adverse event” – including one death – are reported in patients who received updated ICDs within your hospital.


Appendix F: Reference Library

U.S. Department of Homeland Security and National Healthcare and Public Health Sector Documents

1. Healthcare and Public Health Sector-Specific Plan: An Annex to the National Infrastructure Protection Plan

2. National Infrastructure Protection Plan: Healthcare and Public Health Sector Snapshot

3. HHS: Basic Security for the Small Healthcare Practice Checklists V1.0

Other Federal and Industry Documents

1. National Institute of Standards and Technology (NIST) – An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act Security Rule (SP-800-66-Revision 1)

2. NIST – Computer Security Incident Handling Guide (SP800-61rev1)

3. NIST – Computer Security Incident Handling Guide (SP800-61rev2), Draft

4. NIST – Security Architecture Design Process for Health Information Exchanges (NISTIR-7497)

Additional Online Resources

1. The National Health Information Sharing and Analysis Center (NH-ISAC)

2. United States Computer Emergency Readiness Team (US-CERT)

3. How to Subscribe to US-CERT Publications

4. US-CERT – National Cyber Awareness System

5. NIST – Computer Security Resource Center

6. Homeland Security Exercise and Evaluation Program (HSEEP)

7. HSEEP Library

8. Federal Emergency Management Agency’s (FEMA’s) Emergency Management Institute (EMI)

9. Lessons Learned Information Sharing (https://www.llis.dhs.gov)

Developing cyber exercises requires not only exposure to exercise design, but an understanding of the theoretical foundation supporting it as well. FEMA has developed a series of online, Independent Study (IS) courses that provide that base. It is recommended that members of the Exercise Planning Team take advantage of these free programs, and take one or more of the following courses:

IS-120.a course, An Introduction to Exercises;

IS-130 course, Exercise Evaluation and Improvement Planning;

IS-139 course, Exercise Design; and

The HSEEP Policy course.

The successful completion of these courses gives Planning Team members a foundation in exercise design, development, conduct, evaluation, and improvement planning to assist in the creation of successful cyber-oriented scenarios. Information on these courses can be found on the HSEEP Web site, in the Training and Exercise Technical Assistance sections, and on FEMA’s EMI Web site: http://training.fema.gov/EMI/.


Appendix G: Exercise Planning and Support Materials

The following documents are contained in the Exercise Planning and Exercise Conduct folders on the CD:

Facilitator and Planner Guide

Exercise Presentation

Situation Manual

After Action Report/Improvement Plan Template

Exercise Feedback Forms

Participant Feedback Forms

Agenda Template

Sample Invitation

Meeting Minutes Template


Appendix H: Acronym List

Acronym Definition

AAR After Action Report

ATD Admit, Transfer, and Discharge

C&O Concept & Objectives

CEO Chief Executive Officer

CEP Cyber Exercise Program

CFO Chief Financial Officer

CIO Chief Information Officer

CIRT Cyber Incident Response Team

CISO Chief Information Security Officer

CSET Cyber Security Evaluation Tool

CSSP Control Systems Security Program

DHS U.S. Department of Homeland Security

EHR/EMR Electronic Health Record / Electronic Medical Record

EMI Emergency Management Institute

ePHI electronic Protected Health Information

FDA United States Food and Drug Administration

FEMA Federal Emergency Management Agency

FPC Final Planning Conference

HR Human Resources

HSEEP Homeland Security Exercise and Evaluation Program

ICD Implantable Cardioverter Defibrillator


ICS Industrial Control Systems

ICS-CERT Industrial Control Systems Cyber Emergency Response Team

IMT Incident Management Team

IP Improvement Plan

IPC Initial Planning Conference

IS Independent Study

IT Information Technology

LLIS Lessons Learned Information Sharing

NCSD National Cyber Security Division

NH-ISAC National Health Information Sharing and Analysis Center

NIPP National Infrastructure Protection Plan

NIST National Institute of Standards and Technology

NSTB National Supervisory Control and Data Acquisition Test Bed

PCI Payment Card Industry

PII Personally Identifiable Information

PPT PowerPoint Presentation

PSA Protective Service Advisors

SCADA Supervisory Control and Data Acquisition

SITMAN Situation Manual

SSA EMO Sector Specific Agency Executive Management Office

TTX Tabletop Exercise

US-CERT United States Computer Emergency Readiness Team


Appendix I: Glossary of Terms

Term Definition

After Action Report

An After Action Report (AAR) is the final product of an exercise. The After Action Report /Improvement Plan (AAR/IP) has two components: an AAR, which captures observations and recommendations based on the exercise objectives, and an Improvement Plan (IP), which identifies specific corrective actions, assigns them to responsible parties, and establishes targets for their completion

Capability A means to accomplish one or more tasks under specific conditions to meet specific performance standards, to meet an intended outcome

Corrective Action A concrete, actionable step outlined in an IP that is intended to resolve preparedness gaps and shortcomings experienced in exercises or real-world events

Critical Infrastructure

Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on the security, national economic security, national public health or safety, or any combination of these matters

Cyber Attack

An attack, via cyberspace, targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data; or stealing controlled information

Cyber Incident An action taken through the use of computer networks that results in an actual or potentially adverse effect on an information system and/or the information residing therein

Cybersecurity

The prevention of damage to, unauthorized use of, or exploitation of, and, if needed, the restoration of electronic information and communications systems and the information contained therein to ensure confidentiality, integrity, and availability

Cyberspace

A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers


Data Collector

Exercise personnel selected from various agencies to evaluate and comment on designated functional areas of expertise; also referred to as an “Observer”

Debrief

A forum for Planners, Facilitators, and Evaluators to review and provide feedback in a facilitated discussion after the exercise is held.

Exercise

A simulation activity held to train a single operation, command structure, or organization; provides opportunities to test plans and improve response proficiency in a risk-free environment

Exercise Timeline

Identifies the planning conferences and tasks necessary for planning and developing an exercise

Facilitated Discussion

The focused discussion of specific issues through a Facilitator with functional area or subject matter expertise.

Homeland Security Exercise and Evaluation Program

A capabilities-based and objectives-driven exercise program that provides standardized policy, doctrine, and terminology for the program management and project management (including design and development, conduct, evaluation, and improvement planning) of homeland security exercises

Hot Wash

A facilitated discussion held immediately following an exercise among exercise Players from each functional area. It is designed to capture feedback about any issues, concerns, or proposed improvements Players may have about the exercise. Evaluators can also seek clarification on certain actions and what prompted Players to take them.

Improvement Plan

A grouping of one or more recommendations and action items identified to address weaknesses observed in an event; for each task, the IP lists the corrective action that will be taken, the responsible party or agency, and the expected completion date; included at the end of the AAR

Lessons Learned Information Sharing Web Site (LLIS.gov)

A Web site dedicated to providing knowledge and experience derived from actual incidents, observations, training, and exercises; offers a national network of lessons learned and best practices for emergency response providers and homeland security officials

Malware

A program that is inserted into a system, usually covertly, with the malicious intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or of otherwise annoying or disrupting the victim


Moderated Discussion

A facilitated, discussion-based forum in which a representative from each functional area breakout presents to Participants a summary and results from that group’s earlier facilitated discussion.

Observation

A recorded exercise activity

Observer

Exercise personnel selected from various agencies to evaluate and comment on designated functional areas of expertise; also referred to as a “Data Collector”

Out-brief

An assessment of areas in which an organization is doing very well, and areas which need improvement

Planning Team Member

Any personnel performing a role or assignment as part of an Exercise Planning Team

Program Management

Sets the strategic goals that organizations set out to achieve in their exercise programs; implements and tracks corrective actions for the continuous improvement necessary for surviving a cyber incident while sustaining critical functions

Project Management

Coordination of personnel, resources, and strategic goals for a single exercise

Real-World Event

An actual incident materializing threats to life, property, community, and the environment

Recommendation

The identification of areas for improvement observed during an exercise or experienced during a real-world event; based on root-cause analysis, recommendations are listed in all AAR/IPs

Significant Cyber Incident

A set of conditions in the cyber domain that requires increased national coordination

Virus

A form of malware that is designed to self-replicate and distribute the copies to other files, programs, or computers

Vulnerability

A physical feature or operational attribute that renders an entity, asset, system, network, or geographic area open to exploitation or susceptible to a given hazard

Worm

A self-replicating program that is completely self-contained and self-propagating


"The health sector represents the highest breached industry with a persistent and cascading cyber attack security threat landscape. As enterprise security demands accelerate, the value of nationwide coordinated healthcare cybersecurity protection, an educated security workforce and access to the health sector's recognized Information Sharing & Analysis Center (NH-ISAC) ensure a sound, security risk mitigation strategy and contribute to a secure and resilient national healthcare critical infrastructure."

–Press Release: National Health ISAC – May 2012
