



Facilitator and

Planner Guide


Table of Contents

Introduction
Healthcare Industry Cyber Tabletop Exercise
Purpose
Exercise Objectives
Exercise Schedule
General Characteristics
Exercise Guidelines
Exercise Assumptions and Artificialities
Key Exercise Personnel
Exercise Technique
Facilitation of Scenarios
Exercise Structure
Exercise Wrap-Up
Player Hot Wash
Facilitator and Data Collector Debrief
Data Collection
Developing the After Action Report and Improvement Plan
Analyze Data
Identify Root Causes and Develop Recommendations
Identify Lessons Learned
Contact Information
Planning Cyber Exercises
Exercise Foundation
Exercise Foundation Activities
Develop the Exercise Planning Team
Establishing Exercise Milestones and Key Events
Timeline and Milestones
Exercise Type
Exercise Planning Staff Experience and Availability
Participation Level
Resource Constraints
Conduct Planning Meetings
Exercise Design
Exercise Logistics
Facility and Meeting Room
Food and Refreshments
Directions/Parking/Access
Appendix A: Facilitator Role and General Guidance
Role
Group Dynamics
Brainstorming
Scenario
Questions
Trivializing the Answers
Facilitator Challenges
Time Management
Focus and Level of Discussion
Appendix B: Vignette I: Compromise of electronic Protected Health Information (ePHI)
Opening Scenario
Facilitator Prompts
Inject 1
Facilitator Prompts
Inject 2
Facilitator Prompts
Ground Truth – Vignette I: Compromise of electronic Protected Health Information (ePHI)
Vignette Objectives
General Sequence of Events
Overview
Appendix C: Vignette II: Corrupted Electronic Health Records/Electronic Medical Records (EHRs/EMRs)
Opening Scenario
Facilitator Prompts
Inject 1
Facilitator Prompts
Inject 2
Facilitator Prompts
Ground Truth – Vignette II: Corrupted Electronic Health Records/Electronic Medical Records (EHRs/EMRs)
Vignette Objective
General Sequence of Events
Overview
Appendix D: Vignette III: Cash Out – Billing System Disruption
Opening Scenario
Facilitator Prompts
Inject 1
Facilitator Prompts
Inject 2
Facilitator Prompts
Inject 3
Facilitator Prompts
Ground Truth – Vignette III: Cash Out – Billing System Disruption
Vignette Objective
General Sequence of Events
Overview
Appendix E: Vignette IV: Medical Device Malfunction
Opening Scenario
Facilitator Prompts
Inject 1
Facilitator Prompts
Ground Truth – Vignette IV: Medical Device Malfunction
Vignette Objective
General Sequence of Events
Overview
Appendix F: Reference Library
U.S. Department of Homeland Security and National Healthcare and Public Health Sector Documents
Other Federal and Industry Documents
Additional Online Resources
Appendix G: Exercise Planning and Support Materials
Appendix H: Acronym List
Appendix I: Glossary of Terms

Tables and Figures

Table 1: Sample Agenda of a Four-Hour Exercise
Table 2: Cyber Tabletop Exercise Components
Table 3: Potential Exercise Participants
Table 4: Guidelines of Planning Events Timeline
Table 5: Cyber Tabletop Exercise Documents
Table 6: U-shape Layout for a Tabletop Exercise
Table 7: Key Tabletop Exercise Format Features
Figure 1: Cyber Tabletop Exercise Technique
Figure 2: HSEEP Methodology

Introduction

The U.S. Department of Homeland Security (DHS) Cyber Tabletop Exercise (TTX) for the Healthcare Industry is an unclassified, adaptable exercise template developed by the DHS National Cyber Security Division (NCSD) Cyber Exercise Program (CEP) through a partnership with the U.S. Department of Health and Human Services (HHS), the National Health Information Sharing & Analysis Center (NH-ISAC), and subject matter experts (SMEs) from the private Healthcare Industry Sector.

The physical and cyber assets of public and private institutions comprise much of the critical infrastructure upon which our Nation depends. In addition to Healthcare and Public Health, Federally-recognized critical infrastructure sectors include: Agriculture and Food; Banking and Finance; Chemical; Commercial Facilities; Communications; Critical Manufacturing; Dams; Defense Industrial Base; Emergency Services; Energy; Government Facilities; Information Technology; National Monuments and Icons; Nuclear Reactors, Materials and Waste; Postal and Shipping; Transportation Systems; and Water. The cyber component of this infrastructure is a principal enabler of these sectors as well as a technical implementer for other important economic, security, and social systems of our country. Our reliance upon the technologies that comprise this vital infrastructure compels us to remain vigilant in order to prevent disruptions and their subsequent debilitating effects.

Rapid identification, information exchange, and cooperative response measures have demonstrated effectiveness at mitigating the undesirable or unanticipated consequences caused by disruptions to our Nation’s cyber infrastructure. Many of these lessons have been learned firsthand – during actual disruptions – but can be integrated into exercise programs to reduce cyber consequences, and improve preparedness and resiliency. NCSD CEP seeks to improve the Nation’s cybersecurity readiness, protection, and incident response capabilities by developing, designing, and conducting cyber exercises at the Federal, state, regional, and international levels, and in cooperation with private sector owners and operators of our Nation’s critical infrastructures.

NCSD CEP employs scenario-based exercises that focus on risks to cyber and information technology infrastructures. Through exercises, Participants are able to validate policies, plans, procedures, processes, and capabilities that enable preparation, prevention, response, recovery, and continuity of operations. The controlled environment of an exercise allows exercise Players to safely explore real-world situations to improve response communication and coordination, and to advance the efficacy of the broad-based public-private critical infrastructure protection partnerships. This TTX developed for the Healthcare Industry is an example of this relationship.

This Facilitator and Planner Guide follows the DHS Homeland Security Exercise and Evaluation Program (HSEEP) recommended guidance and methodology for the development and execution of exercises. The structure that HSEEP provides assists Facilitators and Planners through the process of focusing discussions and completing the tasks necessary to successfully complete exercise objectives. The Guide is not written as a basic “how to” manual. Rather, Facilitators and Planning Team members should have basic-level knowledge of exercise – preferably TTX – design, standardized HSEEP policy and terminology, and adult education or training experience. A common understanding of the fundamentals of cybersecurity and healthcare systems enables the Facilitator and Planning Team members to fully benefit from this Guide.

The Facilitator and Planner Guide is divided into three sections. The first section describes the TTX developed specifically for the Healthcare Industry, and details the structure for conducting and reporting on this exercise. As will be mentioned throughout this Guide, you are encouraged to modify exercise materials to suit the needs or constraints of your event. The second section provides general guidance on the planning, preparation, and development of a cyber TTX while embracing HSEEP policy and methodology. You may wish to follow HSEEP guidance if exercise-specific details are modified.

Nine appendices are included in the final section of this Guide. Four of them (Appendices B through E) outline vignettes prepared exclusively for this exercise; each contains scenario details, a “ground truth” storyline of information that might not be available except through forensic investigation, and information or prompting questions the Facilitator may use to stimulate discussion or to redirect Player actions towards the exercise purpose and objectives. Reference materials – Facilitator role responsibilities and general guidance; exercise planning and support materials; and an acronym list and glossary – complete this comprehensive Facilitator and Planner Guide.

Healthcare Industry Cyber Tabletop Exercise

The Department of Homeland Security (DHS) Cyber Tabletop Exercise for the Healthcare Industry provides Participants with the opportunity to gain an understanding of issues associated with a significant, focused cyber attack and to coordinate with other government and private entities in response to a simulated attack. It is intended only for the internal use of industry members. There is no requirement for exercise Participants or stakeholders to report to DHS or any other Federal, state, or local agency regarding any component of the exercise. Sharing of exercise results is strictly at the exercise Participants’ and sponsor’s discretion. You are advised to consult with appropriate officials to determine if this exercise meets regulatory or statutory exercise requirements.

1 Purpose

The purpose of the DHS Cyber Tabletop Exercise for the Healthcare Industry is to examine cybersecurity considerations associated with the interruption of Healthcare Infrastructure elements initiated by cyber disruptions. Although physical consequences of these disruptions are important, they are not the principal focus of this exercise. Rather, this exercise focuses on a healthcare facility’s internal and external incident response and coordination efforts following a significant, simulated cyber attack. The intent of the exercise is to improve the facility’s understanding of key cybersecurity concepts; identify strengths and weaknesses; promote changes in attitude and perceptions; and enhance the overall cyber response posture and collective decision-making process of participating organizations and stakeholders. Additionally, this exercise will serve to:

• Create an opportunity for public and private Healthcare Industry stakeholders to explore and address cybersecurity challenges.

• Foster an understanding of the dependencies and interdependencies amongst information technology, business continuity, crisis management, and physical security functions.

• Observe and evaluate cyber incident response protocols.

• Identify shortcomings or gaps in demonstrated capabilities or current plans, policies, and procedures.

2 Exercise Objectives

Objectives are the cornerstone of exercise project management as they drive exercise planning, conduct, and evaluation efforts. Exercising to meet defined objectives serves as a component in the modification or creation of plans, policies, and procedures. The objectives identified for the DHS Cyber Tabletop Exercise for the Healthcare Industry (provided below) focus on improved understanding of concerns affecting the Healthcare and Public Health Sector. Organization-specific objectives may also be included as needed:

1. Explore inter-organizational information sharing and collaboration mechanisms within the Healthcare and Public Health Sector during a cyber incident.

2. Improve understanding of the potential impacts and cascading effects cyber intrusions can have within the Healthcare and Public Health Sector.

3. Examine current organizational cyber incident response policies, plans, and protocols, and identify potential shortcomings or gaps.

4. Insert additional organization-specific objectives.

3 Exercise Schedule

As shown in the schedule below, the DHS Cyber Tabletop Exercise for the Healthcare Industry is scheduled for four hours of exercise play; however, overall and individual breakout session duration is ultimately at your discretion and can be modified as necessary. Although a schedule is followed, exercise discussion times are open-ended and Participants are encouraged to take their time in arriving at in-depth decisions – without time pressure. While the Facilitator maintains an awareness of time allocation for each vignette discussion, it is not a requirement that the group complete every vignette action item to deem the exercise a success.

|Session |Time |
|Registration |8:00 a.m. – 8:30 a.m. |
|Opening Plenary (Welcome, Introduction, and Guidelines) |8:30 a.m. – 9:00 a.m. |
|Vignette I |9:00 a.m. – 9:30 a.m. |
|Vignette II |9:30 a.m. – 10:05 a.m. |
|Break (at Facilitator’s discretion) |10:05 a.m. – 10:20 a.m. |
|Vignette III |10:20 a.m. – 10:55 a.m. |
|Vignette IV |10:55 a.m. – 11:30 a.m. |
|Closing Plenary (Hot Wash and Closing Comments) |11:30 a.m. – 12:00 p.m. |

Table 1: Sample Agenda of a Four-Hour Exercise

4 General Characteristics

A cyber tabletop exercise (TTX) is a facilitated discussion of a scenario in a formal or informal, stress-free environment. It is designed to be an open, thought-provoking exchange of ideas on various issues regarding a hypothetical, simulated cyber incident, and can be used to enhance general awareness, validate current plans and procedures, and assess the systems and activities that lie within the framework of cyber incident response and recovery. It is effective for examining policies, plans, personnel contingencies, information sharing, and interagency coordination, as well as for discovering gaps, or unclear or overlapping responsibilities.

The dynamic nature of scenario development for a TTX allows modifications or refinements of scenario elements up to the moment that the scenario is introduced to exercise Players. This exercise is expected to be no exception: each scenario “inject” should be tailored to the specific Participant base. Likewise, the Exercise Planning Team may prepare injects “on the fly” so that Player actions can be appropriately guided or re-focused to address a specific issue.

A scenario “ground truth” document provides key information and details necessary to accurately depict scenario conditions and events that drive exercise play to ensure that objectives can be met. Ground truth information forms the foundation of the scenario that the Facilitator uses as a basis when addressing Player inquiries regarding the nature of the scenario. Further, scenario ground truth is included in each vignette for this exercise and may be referenced by the Facilitator to gain an in-depth understanding of the situation.

For the DHS Cyber Tabletop Exercise for the Healthcare Industry, Facilitators will provide scenario vignette information to stimulate Participant discussion. The facilitated discussion poses key questions that focus on expected behavior; defined roles and responsibilities; existing plans; coordination; and cascading effects, amongst others, to support the exercise goals and objectives. Participants should share their subject matter expertise in the groups’ discussion of issue areas to reach a resolution; discussions may also be guided through Facilitator prompts. Documentation of this process is the foundation for subsequent data analysis and development of the After Action Report/Improvement Plan (AAR/IP).

1 Exercise Guidelines

The following should serve as guidelines for exercise conduct:

• This is an open, low-stress, no-fault environment. Varying and contradictory viewpoints should be anticipated and encouraged.

• Participants’ responses should be based on their knowledge of current plans, capabilities (e.g., exclusive use of existing assets), and insights derived from training.

• Decisions are not precedent-setting and may not reflect an organization’s final position on a given issue. This is an opportunity to discuss and present multiple options and possible solutions.

• Assume hypothetical cooperation and support from other responders and agencies.

• Problem-solving efforts should be the focus. Identifying issues is not as valuable as suggestions and recommended actions.

• Situation updates, and written materials and resources provided, are the basis for discussion.

• Although incident management and current cybersecurity plans and policies used by participating organizations provide a foundation for Player action, actions and decisions made during the exercise should not be constrained by these plans or by other current, real-world plans and management concepts. Exercise discussions will promote opportunities to enhance existing plans and concepts.

2 Exercise Assumptions and Artificialities

In any exercise a number of assumptions and artificialities may be necessary to complete scheduled conduct in the time allotted. During this exercise, the following apply:

• The scenario is plausible and events occur as they are presented.

• There is no “hidden agenda,” nor any trick questions.

• All Players receive information at the same time.

• The scenario is not derived from current intelligence.

• Players can make reasonable assumptions as necessary.

• The exercise findings are not for attribution.

• Local Players should assume that while concentrating on local response, Federal and state responders are initiating their own respective plans, procedures, and protocols.

5 Key Exercise Personnel

One of the most important factors of a successful exercise is skilled planning and design by the Exercise Planning Team. The Exercise Planning Team oversees, and is ultimately responsible for, the exercise foundation, design, development, and often the conduct and evaluation. The team determines exercise objectives, tailors the scenario to meet the exercising entity’s needs, and develops documentation used in evaluation, control, and simulation. Planning Team members also help to develop and distribute pre-exercise materials, and conduct exercise planning conferences, briefings, and training sessions. Because Planning Team members are highly involved in the exercise, they are ideal selections for Facilitators, Controllers, and Evaluators. Other important exercise roles include the following:

• Players/Participants respond to the situation presented based on their respective SME knowledge of current plans, procedures, and insights derived from training and experience.

• Observers watch the exercise and are not Participants in the discussion.

• Facilitators ideally are individuals with functional area expertise that facilitate exercise discussion. The Facilitator is responsible for keeping the discussion focused on exercise objectives and ensuring all key issues are explored (time permitting).

• Data Collectors are responsible for gathering relevant data arising from facilitated discussions during the exercise. They will then use this information to collectively develop the After Action Report/Improvement Plan (AAR/IP).

6 Exercise Technique

The theoretical technique employed within each vignette is based on an input ⇒ action ⇒ output paradigm. Participants will respond to issues or events described in the general scenario or from specific injects. Facilitators should be prepared to assist Players during discussions while utilizing the prompts included in the scenario vignettes (included as appendices to this Guide). The following depicts the general flow of this interactive technique:


Figure 1: Cyber Tabletop Exercise Technique

7 Facilitation of Scenarios

The four vignette scenarios offered in this exercise package were developed to support the exercise objectives, and to provide generic and qualitative descriptions of situations relevant to the overall exercise goal(s). The opening vignette scenario may be used as the context or starting point for Participants to identify major concerns and formulate their responses to the Facilitator, who will also manage the time allotted for each vignette.

To develop the scenarios, a team of industry SMEs and experienced Exercise Developers examined the unique cyber issues and challenges facing organizations within the Healthcare Industry Sector.

Each interactive vignette addresses a different cybersecurity issue within the Healthcare Industry. The vignette themes are:

|Vignette I |Compromise of electronic Protected Health Information (ePHI) |
|Vignette II |Corrupted Electronic Health Records/Electronic Medical Records (EHRs/EMRs) |
|Vignette III |Cash Out – Billing System Disruption |
|Vignette IV |Medical Device Malfunction |

A summarization of the scenario overview, sector-specific materials prepared by the Scenario Development Team, and scenario injects for each sector, are included as appendices to this Guide.

8 Exercise Structure

First and foremost: this exercise should not be viewed as a test. Rather, it is an opportunity for participating organizations to examine plans, policies, and procedures; improve coordination and confidence; augment skills; refine roles and responsibilities; reveal weaknesses and resource shortcomings or gaps; and build teamwork. As this event will be self-assessed, evaluation criteria will be determined by each participating organization.

During this exercise, Players will discuss issues in-depth, and develop decisions through paced and facilitated decision-making processes typically experienced during real-world conditions.

The major elements of the DHS Cyber Tabletop Exercise for the Healthcare Industry include:

|Opening Plenum |The opening plenum is an orientation that provides administrative information and sets the stage for the remainder of the exercise. It includes an explanation of the interactive process, setting ground rules, a charge to the Participants, and the introductory scenario. |
|Interactive Sessions |Following the opening plenum, Participants will adjourn to their respective breakout areas, and engage in interactive dialogue focused on exercise objectives; Facilitators will encourage discussions through a list of focused questions. |
|Summary Plenum |The summary plenum concludes the interactive portion of this exercise and is often known as a “hot wash” (discussed in the following section, Exercise Wrap-Up: Player Hot Wash). |

Table 2: Cyber Tabletop Exercise Components

In addition to developing discussion points, Facilitators will find general prompts to initiate and maintain discussion amongst exercise Participants in the appendices of this Guide. These prompts may include:

• What do you know?

• How might you know this?

• What other information needs exist?

• How do you intend to obtain this information?

• With whom do you share this information?

• What actions would you take/intend to take at this point in time?

At the completion of each vignette, the breakout groups will review their activities and prepare materials, to include significant outcomes, concerns, and critical issues from exercise play, for the summary plenum.

9 Exercise Wrap-Up

1 Player Hot Wash

Immediately following the exercise, a hot wash allows Players to provide immediate exercise feedback, as well as the opportunity for self-assessment and discussion surrounding the major issues and outcomes of the exercise. The hot wash also provides the Data Collectors with the opportunity to clarify points or collect any missing information from the Players while it is still fresh in their minds and before they leave the area. To supplement the information collected during the player hot wash, the Facilitator should distribute Participant Feedback Forms to ascertain the level of satisfaction with the exercise, identify issues or concerns, and seek input on any areas for improvement Participants may have identified. Participant feedback forms completed during the hot wash are later used to help develop the AAR/IP.

2 Facilitator and Data Collector Debrief

The Facilitators and Observers/Data Collectors should conduct a separate debrief immediately following the Player hot wash. This forum enables Facilitators and Observers/Data Collectors to provide an overview of observations (e.g., individual breakout table, functional area, geographic region); reconcile conflicting exercise outcomes; highlight common themes; and to discuss both strengths and areas for exercise improvement.

10 Data Collection

Facilitators and Data Collectors must keep accurate written records of Player discussions, actions, and decisions, as well as to note strengths, deficiencies, and unresolved issues. Knowing which events are important makes data collection manageable, eliminates superfluous information, and provides information most useful for the after action process.

An effective Facilitator or Observer/Data Collector should be aware and familiar with the following elements during plenary or breakout discussions:

• Existing organizational plans, policies, or procedures to achieve the stated exercise objective and demonstrate the appropriate capabilities.

• Deviations from those plans and implementation procedures.

• Roles and responsibilities of Players with actions and decisions related to the exercise objectives and capabilities.

• Decisions made by exercise Players.

• Recommendations offered by Players.

• Any unresolved issues discussed during the exercise.

Prior to this exercise, the Facilitator should instruct the Data Collectors to keep an accurate written record of what is observed and discussed as Players identify actions, make decisions, and discuss their capabilities during the exercise. This information should be collected at the conclusion of the exercise.

Effective notes will assist when writing the final analysis. During this exercise, it is important for Facilitators and Data Collectors to concentrate on listening and recording the discussions and actions as they unfold, specifically what is discussed by the group as it relates to the exercise objectives. Lengthy and detailed writing during the exercise can cause data collectors to miss important discussions among Participants. Notes should identify and capture:

• Who (name or position) made the decision/raised a particular issue.

• What the decision/issue discussed was.

• Why the decision/issue was made/raised (e.g., the “trigger”).

• How the group reached the decision (the process) and whether or not there was group consensus around the accuracy of a given issue.

11 Developing the After Action Report and Improvement Plan

One of the end goals of the exercise is to produce an AAR/IP to capture events as they occurred during an exercise, provide analysis of the events relative to your exercise objectives, and suggest development actions to enhance or improve participating agencies’ planning and response capabilities.

The After Action Report (AAR) provides a comprehensive overview of the exercise, describes best practices and strengths observed, and identifies areas for improvement. The Improvement Plan (IP) outlines corrective actions stemming from the exercise, with projected completion dates and responsible organizations assigned by a senior executive from the participating organization. By addressing corrective actions in the IP, your organization can continually undertake preparedness activities to ensure an improved cybersecurity posture.

The Facilitator must determine when exercise write-ups are due and ensure that Data Collectors are given a no-later-than date for submission. It is strongly recommended that the AAR portion of the AAR/IP be completed in a single voice utilizing the Homeland Security Exercise and Evaluation Program (HSEEP) AAR/IP template.

12 Analyze Data

The goal of data analysis is to transform the data collected during exercise conduct into a comprehensive and manageable narrative that addresses demonstrated strengths as well as areas for improvement. Considerations for preliminary analysis include whether:

• Exercise objectives were met;

• Players were adequately trained to meet the objectives;

• Discussions/actions identified any resource limitations that could inhibit Players’ ability to meet the objectives;

• Players were familiar with the applicable plans, policies, and procedures; and

• Strengths were identified.

Data Collectors combine their observations and review exercise materials to reconstruct events, and analyze decisions and interactions across organizations and functional areas to determine outcomes against the broad exercise objectives. Steps taken to analyze the data include:

1. Reviewing exercise discussion notes.

2. Comparing Player discussions to existing plans, identifying deviations, and rationalizing the root-cause of actions (or inactions).

3. Identifying tangible recommendations to resolve issues.

1 Identify Root Causes and Develop Recommendations

To produce an AAR/IP with recommendations for enhancing preparedness capabilities, it is critical for Data Collectors to discover not only what happened, but why events happened. Data Collectors must search for the root-cause of why an expected action did not occur or was not performed as expected for each identified issue. A “root-cause” is the source or underlying reason behind an identified issue (as uncovered during data analysis) from which the Data Collector can identify improvement in the form of corrective actions. To arrive at a root-cause, an Observer/Data Collector should attempt to trace each event back to its origin. Root-cause analysis may require the review and evaluation of applicable statutes, training programs, policies, and procedures to determine the fundamental causal factor.

Data Collectors should use the following questions as a guide for developing recommendations for improvement:

• Were the exercise objectives met?

• Did the discussions imply that all Players would be able to successfully complete the tasks necessary to execute the activity in a real-world situation? If not, why?

• What are the key decisions associated with each activity?

• Did the discussions suggest that all Players are adequately trained to complete the activities or tasks needed to demonstrate a highlighted capability?

• Did the discussion identify any resource shortcomings or gaps that could inhibit the ability to execute an activity?

• Do the current plans, policies, and procedures support the performance of activities? Are Players familiar with these documents?

• Do personnel from multiple organizations need to work together to perform a task, activity, or capability? If so, are agreements or relationships in place to support the coordination required?

• What was learned from this exercise?

• What are strengths, areas for improvement, and recommended solutions, if any?

2 Identify Lessons Learned

According to HSEEP, “lessons learned” are positive and negative knowledge and experience derived from observations and historical study of operations, training, and exercises. A lesson learned is not only a summary of what did or did not go wrong; it provides information that might later be relevant and provide valuable insight into how a similar problem may be approached in the future, or what changes may be needed to improve performance (e.g., plans and policies; organizational structure; leadership and management; training; equipment).

The Lessons Learned Information Sharing (LLIS) network is a secure, collaborative DHS portal dedicated to providing knowledge and experience derived from actual cyber threats and attacks, and from training and exercises. LLIS offers a national network of lessons learned and best practices for private and public sectors, and includes a library of exclusive documents and other user-submitted materials related to cybersecurity and other all-hazards incidents.

13 Contact Information

For questions, concerns, or recommendations for improving the DHS Cyber Tabletop Exercise for Healthcare Industry, please contact DHS CEP at CEP@HQ..

For questions concerning health information technology standards, regulation, policies, and guidelines, please contact HHS at CIP@.

For National Health Information Sharing and Analysis Center (NH-ISAC) questions and comments, please email contact@.

Planning Cyber Exercises

Cyber exercise planning addresses project management through the foundation, design, and development of individual exercises. It focuses on establishing individual exercise objectives, which take into account what each participating organization seeks to accomplish during the exercise, such as an organization’s Cyber Incident Response Team (CIRT) responding to malware disruption of critical business operations. The principles and processes used to develop cyber exercises are informed by Homeland Security Exercise and Evaluation Program (HSEEP) policy and methodology, and may be adapted to meet the unique characteristics of your cyber exercise.

Figure 2: HSEEP Methodology


3 Exercise Foundation

It is important to establish the groundwork for the design, development, conduct, and evaluation of an exercise. In order to build an exercise foundation, participating entities should do the following:

• Establish a purpose.

• Create a base of support.

• Identify communities of interest.

• Identify an Exercise Planning Team.

• Establish exercise timelines and milestones.

• Schedule planning events.

These elements can also be considered a checklist of activities for Exercise Planners to complete during the foundational phase of the exercise planning process. These activities may differ depending on exercise type, complexity, and the time and resources available for the planning effort; Planners should adapt these activities to the needs of their exercise. Exercise design and development should center on activities that will help Players meet the defined exercise objectives. Sustaining a strong exercise foundation is often an iterative effort.

An important part of the groundwork for an exercise is identifying the purpose of the exercise, an Exercise Planning Team, and exercise Participants. The purpose of the exercise should be clearly identified in a broad statement highlighting the reason for the cyber exercise (e.g., examination of an organization’s capacity to respond to a cyber attack). It should be briefed to senior members of an organization to gain their support and to ensure consistency with the entities’ strategic objectives. The purpose and the objectives then help the Exercise Planning Team identify additional subject matter experts (SMEs) to be involved in exercise planning and evaluation. A purpose for the DHS Cyber Tabletop Exercise for the Healthcare Industry has been developed for your consideration and is presented both in this Guide and the Situation Manual (SITMAN). You may modify the purpose to suit your needs.

4 Exercise Foundation Activities

1 Develop the Exercise Planning Team

The Planning Team develops the exercise objectives and documents to be used during exercise conduct and evaluation. They conduct planning meetings, briefings, and training sessions to prepare Participants for the exercise. Successful Planning Teams maintain an organized structure, have clearly defined roles and responsibilities, and employ individuals with relevant skills based on functional areas (e.g., Chief Information/Technology Officer, Information Technology [IT] technician) in addition to respective SMEs (e.g., familiarity with strategic plans and policy, experience working with private sector owners, cyber attack response).

2 Establishing exercise milestones and key events

Timelines and milestones are crucial to smooth, timely progress when planning an exercise. Exercise Planners determine the optimal planning timelines and milestones with respect to the complexity of the exercise and the resource realities of the participating entities.

5 Timeline and Milestones

Exercise Planners must consider several key factors when developing an exercise planning timeline and milestones:

1 Exercise type

HSEEP describes seven types of exercises, of which five have applicability to the cyber realm. Each type of exercise is either discussion-based or operations-based. These types include:

▪ Seminar: A seminar is an informal discussion designed to orient Participants to new or updated plans, policies, or procedures.

▪ Workshop: A workshop resembles a seminar, but is employed to build specific products, such as a draft plan or policy. 

▪ Tabletop Exercise (TTX): A TTX involves key personnel discussing simulated scenarios in an informal setting. TTXs can be used to assess current plans, policies, and procedures.

▪ Game: A game is a simulation of operations that often involves two or more teams, usually in a competitive environment, using rules, data, and procedures designed to depict an actual or assumed real-life situation.

▪ Functional Exercise (FE): An FE is an operations-based exercise that examines and/or validates the coordination, command, and control between various multi-agency coordination centers.

2 Exercise planning staff experience and availability

An experienced team of Exercise Planners dedicated full-time to their exercise activities generally requires less time to plan an exercise than a team of inexperienced Planners only able to devote a portion of their time to their respective tasks.

3 Participation level

Single-entity exercises generally need less time for coordination whereas the coordination of multiple agencies, with varying levels of government, and/or with private sector entities could substantially add to planning time requirements. Players must be chosen carefully to adequately represent their organization and have the appropriate authority to commit organizational resources to the corrective action process. Based on past sector-specific exercises, there are common Participants – internal and external – to a facility to be considered:

|Internal                      |External                                                      |
|Physician/Business Owner      |Suppliers/Distributors/Vendors                                |
|Management                    |Federal/State/Local Law Enforcement                           |
|Physical/Facility Security    |State/Local Emergency Management                              |
|IT Support Personnel          |Regulating Agencies                                           |
|Cyber Incident Response Team  |National Healthcare Information Sharing and Analysis Centers  |
|Public Affairs                |Sector Coordinating Councils                                  |
|Corporate Communications      |Government Coordinating Councils                              |
|Legal                         |Professional Associations                                     |

Table 3: Potential Exercise Participants

4 Resource constraints

Some or all of the exercise Participants may face resource constraints that need to be considered – staffing issues in particular can be a challenge as most Exercise Planners are usually involved in performing their regular responsibilities.

6 Conduct Planning Meetings

The Exercise Planning Team should establish a timeline that identifies key planning meetings and milestones to effectively structure exercise design and development. Information on an organization’s program management, its objectives, and its flexibilities and limitations should guide the number and type of meetings; the HSEEP meeting structure is intentionally flexible and need not be followed verbatim. Exercise planning meetings serve as milestones to review and validate the Planners’ work. However, the work itself is performed prior to each of these meetings.

To ensure all organizations’ exercise objectives are met, planning meeting Participants should include most of the lead planning authorities from those organizations. The Planning Team should be selected carefully because they will be exposed to the scenario prior to the exercise and, as trusted agents, not allowed to discuss details of the scenario or other exercise specifics with Players prior to the event; Planning Team members are not expected to play in the exercise.

The table below provides guidance on an approximate timeline of planning events, with an overview of each, to be considered in the development of a TTX.

|Planning Meeting |Overview |Timeframe |
|Concept & Objectives Meeting |At this meeting Participants complete the exercise foundation. They agree on the exercise objectives, determine the exercise scope, propose the level of play and the cyber threat, and reach consensus on exercise planning timelines and key milestones. |4 months prior to exercise conduct, or concurrently with the Initial Planning Meeting |
|Initial Planning Meeting |At this meeting Participants agree on the plans, policies, and procedures to be exercised. They also identify the entities’ level of play, confirm the cyber threat and exercise scope, identify ground truth requirements, and reach consensus on control and evaluation architectures and plans. |3 months prior to exercise conduct |
|Final Planning Meeting |At this meeting, Participants approve the scenario and the ground truth documents; approve the control and evaluation architectures, staffing, and communications plans; finalize logistical details and level of play commitments; and approve exercise materials. |3 weeks prior to exercise conduct |

Table 4: Guidelines of Planning Events Timeline

7 Exercise Design

Building on the foundation stage of the planning cycle, Exercise Planners utilize the exercise design process to establish the objectives and scope of the exercise, and craft a scenario to test those objectives. Objectives determine what actions, tasks, and decisions are anticipated to be validated upon completion of the exercise. Scope addresses exercise type, the participation level of each entity, and the duration and location of the exercise. Additionally, the Exercise Planning Team designs and develops the documents to prepare Participants for exercise conduct.

For the DHS Cyber Tabletop Exercise for the Healthcare Industry, the documents listed below have been developed for your consideration. However, they should be reviewed and modified as necessary to suit your needs or constraints. Details included in the vignette scenarios are technically plausible, but notional, and intended only for exercise and training purposes. 

|Cyber Tabletop Exercise Documents |
|Exercise Presentation |An exercise presentation provides key information to exercise Participants and is presented during the opening plenum. It augments the Situation Manual (SITMAN). The presentation provides administrative, logistics, and background information relevant to the event. It also describes how the TTX will be conducted. |
|Situation Manual |A SITMAN serves as the core document for all Participants. It addresses the following aspects: schedule of events; exercise objectives and scope; exercise structure (e.g., vignette order); instructions for exercise Facilitators, Players, and Observers; exercise assumptions and artificialities; exercise rules; and exercise scenario background. |
|Facilitator and Planner Guide |A Facilitator and Planner Guide is designed to aid Facilitators and Data Collectors in managing the exercise. This document provides instructions and examples for Facilitators and Data Collectors to properly capture information and feedback during the exercise for review and development of an AAR/IP. It also provides scenario ground truth and question prompts that may be used by the Facilitator to guide Participant discussion. |
|Participant Feedback Forms |Participant Feedback Forms are utilized to gather information for exercise improvements and key outcomes expressed by the Participants. |
|Exercise Feedback Forms |Exercise Feedback Forms are utilized by Facilitators to collate and summarize Participant feedback on exercise improvements and key outcomes. For this exercise, Exercise Feedback Forms can be sent to NH-ISAC, via e-mail at contact@ |
|After Action Report/Improvement Plan |The AAR/IP provides feedback to participating entities on their performance during the exercise, summarizes exercise events, and analyzes performance of the tasks identified as important during the planning process. The IP portion of the AAR/IP includes corrective actions for improvement, timelines for their implementation, and assignment to responsible parties. A sample AAR/IP template is provided in the Exercise Planning folder of the CD. |
|Reference Library |Reference materials that are associated with cybersecurity within the Healthcare and Public Health critical infrastructure sector are located in Appendix F. |
|Exercise Planning and Support Materials |A list of exercise support materials (e.g., sample invitation, feedback forms, Web sites) is located in the Exercise Planning folder of the CD. |

Table 5: Cyber Tabletop Exercise Documents

8 Exercise Logistics

Logistics is an important aspect of your cyber TTX development and conduct, as it involves the setup of exercise venues and testing of exercise systems; preparations for exercise support staff and Players; execution of planned exercise control; and wrap-up activities.

Setup prepares exercise venues for activities during the event. It entails installing and testing audio/visual (A/V) equipment, presentations, or computer systems; positioning tables and chairs to meet planned arrangements such as seating charts; setting up registration facilities; staging handout materials; and ensuring that all key control, evaluation, and logistics functions are prepared before the exercise starts.

A walkthrough is a part of the setup process that allows members of the Planning Team (e.g., Facilitators) to see their assigned positions and to practice their event responsibilities using the communications tools and other systems planned for the exercise; Players are not involved in the walkthrough. A dry-run of briefings and other activities that require coordination amongst the Planning Team can be conducted as part of the walkthrough.

A list of logistical issues to be considered in the development of your cyber TTX is shown below.

9 Facility and Meeting Room

• Select a location that is large enough to seat all desired Participants and Observers and that is accessible to all invitees. It would be beneficial if the required space was available the day prior to the exercise for setup, walkthrough, and to address remaining technical issues. Identify an area for the Facilitators and Data Collectors to meet prior to and following the exercise; this may be an area that could also serve as a backup meeting space option if unforeseen events occur with the scheduled meeting space.

• The room should have adequate A/V and acoustic capabilities to support a multimedia platform, to include virtual meetings if that is part of your scheme. Your multimedia presentations are key aspects of the TTX as they add realism. In the event of technology incompatibility, venue change, or security hurdles, always have a “Plan B” (e.g., alternate information formats, backup documents) prepared.

• Ensure there are enough tables and chairs to accommodate every Player, Observer, Facilitator, and presenter. A U-shaped layout (see Table 6) is the most conducive to facilitation and Participant interaction. Participants can also be separated into breakout groups based on discipline, organization, or functional area; or, each table incorporates a mix of disciplines to encourage “cross-function” discussions.

Determination of the appropriate room layout for the exercise is at the discretion of your Exercise Planning Team and in consideration of the available meeting space. TTXs are generally conducted using either a breakout or plenary format as described below.

|Breakout Format |Several breakout groups of varying sizes, seated at different tables. Individual groups consider their own probable actions based on current plans, policies, and procedures after the scenario is presented to all groups simultaneously. Re-assembly at the plenary session following the conclusion of each vignette. |
|Plenary Format |Players grouped together in a single space with no periods of time set aside for small or subgroup discussions. Requires active facilitation. Ensures that comments and recommendations are heard by all Participants. |

Table 7: Key Tabletop Exercise Format Features

• Plan to bring supplies, such as writing utensils, flipcharts and markers, notepads, name badges, etc., for Participants, and encourage the use of these supplies during discussions in order to capture notes or key ideas.

10 Food and Refreshments

• Snacks, refreshments, and/or lunch can be provided to Participants and Observers at your discretion. At a minimum, water and coffee are recommended. Plan with your facility or an outside vendor accordingly.

11 Directions/Parking/Access

• Ensure that all exercise Players and Observers/Data Collectors are provided with accurate and clear directions to the facility. If possible, post signage in designated parking areas on the date of the exercise. Additionally, include: special instructions if extra time will need to be allotted for security; badging/credentialing requirements (facility or exercise mandated); parking rules and fees, if necessary; etc.


Appendix A: Facilitator Role and General Guidance

1 Role

As a Facilitator for this tabletop exercise (TTX) you are responsible for coordinating your group’s activities throughout the TTX.

Your responsibilities include:

• Directing the movement and flow of the sessions.

• Keeping the discussions on track and at the appropriate level.

• Following established processes.

• Identifying and addressing the appropriate issues.

• Overseeing the creation of the Summary Plenum (hot wash) briefings.

Characteristics of a good Facilitator include the following:

• Ability to keep side conversations to a minimum; keep discussions on track and within established time limits; control group dynamics and strong personalities; and speak competently and confidently about the subject without dominating or steering the conversation.

• Functional area expertise or experience.

• Awareness of participating organization’s current plans, policies, procedures, and capabilities.

• Ability to capture the discussion in notes for inclusion in the After Action Report/Improvement Plan (AAR/IP).

If the exercise is arranged in a multi-table breakout format, facilitated discussion at each table occurs following a scenario brief or inject. After a defined period, facilitated table discussion concludes and a moderated discussion of key findings from each table begins. Players should discuss their responses based on their knowledge of current plans, policies, procedures, and capabilities.

In moderated discussions, a representative from each breakout table presents the key findings and issues, as well as unresolved issues or questions, from the group’s facilitated discussion, to all exercise Players. Time allotment for the discussion – both moderated and facilitated – of each breakout session’s vignette is factored into the exercise agenda, as are the frequently longer discussions during the conclusion of the exercise. For each breakout table’s discussion, the group should be careful to focus only on the material presented for the given vignette.

Facilitators will have a Data Recorder and may have to select an “administrative assistant” (PowerPoint operator) to help the groups prepare the briefing materials to be used during the plenary sessions. Keep in mind that the briefing slides reflect the best efforts of the group – and the Facilitator. Facilitators may want to consider using the assistant to be the “flip-chart writer” to capture the major discussion points. The Facilitator is not the briefer during the plenary sessions. Although several people may seek to speak during each of the plenums, only one individual from the group will present the group’s views. Select the speaker early as it permits the presenter to develop a “briefing mindset” and to work with members of the group to prepare the briefing slides.

2 Group Dynamics

1 Brainstorming

The Facilitator should strive to begin the discussion flow as soon as practical. If problems arise in your group that you cannot resolve, seek assistance from the Monitoring Team immediately. In some tasks you may choose to use brainstorming techniques to generate the large number of ideas needed within your group. Your role as Facilitator is to act as the “official encourager” as well as the “policeman” against improper group and individual behavior. The following rules apply while brainstorming:

• Criticism is not permitted in any verbal or non-verbal form

• Bits and pieces of ideas are encouraged

• No idea is rejected while brainstorming

• A large quantity of ideas is encouraged

• Combining and using pieces of other ideas from the group is encouraged

• All ideas should be recorded as they are stated, in short phrases or words

2 Scenario

Some TTX Participants may not agree or comply with a given scenario because of their own perceptions of what the cause or consequences of a network disruption may be. If your group is unyielding about disregarding the TTX situations as provided, Participants may change elements within the situations as long as they remain within the overall objectives of this TTX. Should your group insist upon conducting its discussions on information significantly different from that provided, note this during your group’s briefing in the vignette’s plenum session.

3 Questions

At times there is a tendency for Participants to ask more questions than necessary to address the situation. They will insist on knowing every detail within the research used to develop a situation (e.g., exactly what are all the factors causing low public confidence?). Your answer can be quite straightforward: “There is no more information than what is described in the situation and other tabletop material.” If Participants insist that more information is required, they should develop it by generating assumptions based on their experience or by presenting other information to the group. Once again, it is important to note these adjustments during the plenary session.

Participants may also generate “solution assumptions” that diminish the significance of the problem (e.g., a programmer developed a “one-size-fits-all” computer fix for a virus). The Facilitator should reject these assumptions.

4 Trivializing the Answers

Analogous to the excessively broad assumption is the tendency for Participants to trivialize their answers. They may develop over-simplistic answers to the complex problems set before them. The Facilitator can take a broad answer and encourage the Participants to be more specific. Responses should be focused. Similarly, if Participants deem a consequence not to be critical, the Facilitator should direct them to defend their reasoning. As with many preparation and planning events, no authoritative or accurate projection of the future exists. The TTX is designed for Participants to examine possible future consequences and manage them.

3 Facilitator Challenges

1 Time Management

Because of the limited time during the interactive portion of each vignette, managing the Participants’ responses, necessary discussions, and completing the materials to be used during the Summary Plenary Session will be hard work, but it is not insurmountable. The dynamics of each group preclude creating a single time schedule for getting through the tasks set before your group. You will find that the group dynamics will evolve differently for each group; therefore, some points may be more relevant than others. Depending on your group, develop a mental plan as to how to pace their efforts. Allow time for discussion in each task, and at the end of each vignette allow time for concluding and summarizing all the major points that will be integrated into the briefing material. Injects provided by the Monitoring Group are used not only for the introduction of information, but as regulators that dictate the TTX pace. Do not permit your group to get bogged down by peripheral matters. However, should this occur, prepare a question or a prompt to redirect discussion toward the TTX’s purpose and objectives and the task at hand.

2 Focus and Level of Discussion

Ensuring that the group’s discussion stays focused on the task and at the level necessary to achieve the TTX’s objectives is very important. The truly noteworthy discussions that occur during this TTX will be those that shed new light on planning and policy issues, or that generate insights that have yet to be considered either by the entity or by others within the Healthcare Industry Sector.

Keep in mind what products are required at the end of each session and what will have to be briefed during each plenary session. The level of detail necessary to develop these products should be similar to the level of discussions within the group. Everyone attending the TTX will have an opinion about network disruptions and their associated consequences. Some may be overly vocal and ensure that their opinion dominates the group’s discussions and final outcomes. Others may attempt to change the group’s discussion to be more compatible with their own experience, or to a level at which they can demonstrate their professional experience. Be prepared to deal with this situation quickly and as tactfully as possible. There is no easy solution to this problem, but you may try techniques such as asking the group, “What are some other opinions on this subject?” as a counterbalance, or as a last resort have a quiet word with the individual during a break.

Do your best to keep the group focused on the TTX’s objectives. Should the group get “in the weeds” – and the discussion has merit – create a sidebar discussion group by selecting a small number (2-3 people) to develop a resolution or recommendation for this issue in a short period (not more than 15-20 minutes) and report back to the entire group. It is important to engage everyone in the TTX process and discussions. This assures that all members of the group claim ownership of the group’s decisions and the briefing materials at the end of the TTX.

Issue areas have been developed for this TTX and are available to Facilitators should deafening silence fill your room, or to redirect your group’s discussions back to the objectives of the TTX. Before the TTX begins, review these issue areas and think of a question or two that would stimulate discussion. The best “prompts” are usually generated by the Facilitator using information within the group’s discussion. Convert statements made by Participants into questions to redirect the group back to the task in progress.

Appendix B: Vignette I: Compromise of electronic Protected Health Information (ePHI)

1 Opening Scenario

• The nursing staff members at your healthcare facility have noticed that over the past several months a part-time security guard has repeatedly shown up at least an hour earlier than his shift is scheduled to begin. The guard is well-liked and has worked at the facility for over five years.

• Six months ago the guard’s fiancée (also an employee at your facility) was laid off, along with 25 other support employees. Three months later, several administrative and finance employees at your facility received an email from the guard’s fiancée inviting them to check out her latest vacation pictures from Tahiti by clicking on a link to . Upon clicking the link, an error message (“404 Error – File Not Found”) was displayed. Some employees replied to the sender that there was an error message; others did nothing.

1 Facilitator Prompts

• What do you know?

• How might you know this?

• What other information needs exist?

• How do you intend to get this information?

• With whom do you share this information?

• What actions would you be taking and/or intend to take?

2 Inject 1

• Two nights ago your Information Technology (IT) operations manager received the daily report from his team stating that the anti-virus software had quarantined several unrecognizable files. Additionally, the security event log showed unusual activity on the network by several night shift employees, recorded earlier in the day.

• Yesterday your Chief Information Security Officer (CISO) returned from his vacation to a report of three lost laptops.

1 Facilitator Prompts

• How have things changed?

• What other information needs exist?

• How do you intend to get this information?

• With whom do you share this information?

• What actions would you be taking and/or intend to take?

• Do your end users and IT support personnel receive training pertaining to cybersecurity? How often? Is it mandatory? What type of employee security (cyber and physical) training programs do you have?

• Are there corporate policies (formal and informal) pertaining to USB thumb drives or other removable storage devices?

• Does your company have formal/informal policies or procedures pertaining to IT account management?

o Do these policies or procedures include protocols for establishing, activating, modifying, disabling and removing accounts?

o Do these policies or procedures include protocols for notifying IT account managers/administrators when users are terminated?

• Does your company terminate information system access (including remote access) upon an employee’s termination?

o Is there a time period defined for the termination of system access?

o Is there a difference in the time period defined for normal and adverse termination?

• Does your company retrieve all information system-related property (e.g., authentication keys, system administration handbooks/manuals, keys, identification cards, etc.) during the employment termination process?
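As an added example (not part of the exercise guide, with every name, timestamp and policy window constructed as an assumption), the following Python script shows one way to turn the account-management and off-hours questions above into an automated check: it joins an HR termination list against a directory export and an authentication log, and flags accounts still enabled past the removal window for their termination type, logins after termination, and logins by shift workers outside their scheduled shift.

```python
"""Account-lifecycle audit for the Inject 1 prompts (constructed example).
All names, timestamps and policy windows are assumptions, not values from
the exercise guide."""
from dataclasses import dataclass
from datetime import datetime, time, timedelta
from typing import Optional

# Assumed policy windows for removing access after termination; the guide asks
# whether such a window exists and whether adverse terminations differ.
ACCESS_REMOVAL_WINDOW = {
    "normal": timedelta(hours=24),   # e.g. a layoff
    "adverse": timedelta(hours=0),   # immediate
}

@dataclass(frozen=True)
class Termination:
    user: str
    terminated_at: datetime
    kind: str                        # "normal" or "adverse"

@dataclass(frozen=True)
class Account:
    user: str
    enabled: bool
    shift: Optional[tuple]           # (start, end) as datetime.time, or None

@dataclass(frozen=True)
class Login:
    user: str
    at: datetime
    success: bool
    source: str                      # workstation or VPN name

def in_shift(shift, at):
    """True if the clock time of `at` is inside the shift; overnight shifts wrap."""
    start, end = shift
    tod = at.time()
    if start <= end:
        return start <= tod < end
    return tod >= start or tod < end

def audit_terminations(terminations, accounts, now):
    """Flag terminated users whose account is still enabled after the
    removal window for their termination type has elapsed."""
    by_user = {a.user: a for a in accounts}
    findings = []
    for t in terminations:
        acct = by_user.get(t.user)
        if acct is None:
            continue                 # no directory account to disable
        deadline = t.terminated_at + ACCESS_REMOVAL_WINDOW[t.kind]
        if acct.enabled and now > deadline:
            findings.append((t.user, "still_enabled", now - deadline))
    return findings

def audit_logins(logins, accounts, terminations):
    """Flag successful logins after a user's termination, and successful logins
    by shift workers outside their shift (the daytime night-shift activity
    in Inject 1)."""
    by_user = {a.user: a for a in accounts}
    term_at = {t.user: t.terminated_at for t in terminations}
    findings = []
    for entry in logins:
        if not entry.success:
            continue
        if entry.user in term_at and entry.at > term_at[entry.user]:
            findings.append((entry.user, "login_after_termination", entry.at, entry.source))
            continue
        acct = by_user.get(entry.user)
        if acct and acct.shift and not in_shift(acct.shift, entry.at):
            findings.append((entry.user, "login_outside_shift", entry.at, entry.source))
    return findings

# Constructed sample data; "today" for the audit:
NOW = datetime(2013, 6, 10, 9, 0)
TERMINATIONS = [
    Termination("jdoe", datetime(2012, 12, 10, 17, 0), "normal"),    # laid off 6 months ago
    Termination("rsmith", datetime(2013, 6, 3, 15, 0), "adverse"),
]

NIGHT = (time(22, 0), time(6, 0))                                    # night shift window
ACCOUNTS = [
    Account("jdoe", True, None),                                     # never disabled
    Account("rsmith", False, None),                                  # disabled on time
    Account("nshift1", True, NIGHT),
    Account("nshift2", True, NIGHT),
    Account("dayadmin", True, (time(8, 0), time(17, 0))),
]
LOGINS = [
    Login("jdoe", datetime(2013, 6, 8, 2, 14), True, "vpn"),
    Login("nshift1", datetime(2013, 6, 8, 23, 30), True, "ws-radiology-3"),
    Login("nshift1", datetime(2013, 6, 8, 14, 5), True, "ws-admin-7"),
    Login("nshift2", datetime(2013, 6, 8, 13, 50), True, "ws-admin-7"),
    Login("dayadmin", datetime(2013, 6, 8, 9, 15), True, "ws-it-1"),
]

if __name__ == "__main__":
    print(audit_terminations(TERMINATIONS, ACCOUNTS, NOW))
    print(audit_logins(LOGINS, ACCOUNTS, TERMINATIONS))
```

On the constructed data the audit reports the laid-off account as still enabled roughly 180 days past its window, one VPN login by that account after termination, and two daytime logins by night-shift accounts.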

3 Inject 2

• This morning, your Chief Information Officer (CIO) received an untraceable email with a file containing ePHI and credit card data of a thousand former and current patients. The email states that this information, and that of over 5,000 other patients, will be made available to the highest bidder and invites your organization to make a bid. Bids close tonight at midnight.

1 Facilitator Prompts

• Are there any existing procedures in place to guide you on how to respond to such an event?

• Who would you contact about the incident?

o Internally?

o Externally?

• What internal and external messages should be developed? How are they being distributed?

• What are the business implications of the scenario? How would you determine them?

• Would you contact customers? If so, how is your firm’s public relations department involved? What role would you have in shaping the messages for customers and media inquiries?

• At what point would you contact law enforcement?

• Would this situation trigger contact with regulators? Others? Why or why not?

Ground Truth – Vignette I: Compromise of electronic Protected Health Information (ePHI)

1 Vignette Objectives

• Examine the consequences and response mechanisms associated with a cyber-related breach of electronic Protected Health Information (ePHI) and Personally Identifiable Information (PII).

• Improve the understanding of cybersecurity policies, practices, and procedures for securing ePHI.

2 General Sequence of Events

• Hacker hired by insider gains access to an organization’s network.

• Collection of patient data and insurance information for the purpose of selling on the black market.

• Hacker actions result in organization-wide privacy and confidentiality loss, identity theft/fraud, potential civil fines for violation of Federal and state breach statutes, and reputational damage intensified by public exposure.

3 Overview

• As an act of revenge, a part-time security guard at a large hospital hires a hacker to break into the hospital network to steal patients’ protected health data and credit card information. The plan is to sell this information on the black market and split the proceeds between themselves.

• To prepare for his intrusion the hacker conducts cyber reconnaissance of his target network several months before the attack. He uses phishing techniques on hospital employees to obtain several user account credentials. The cyber-identities of these individuals were collected through social networking web sites. Using a hand-sketched map of the facility provided by the security guard, the hacker, disguised as a courier, enters secure areas of the hospital using counterfeit passes. In order to gain access to a supposedly “air gapped” network, the hacker then locates an unattended computer workstation in a remote, quiet area. With the network credentials the hacker stole before the attack, he is able to gain access to several patient admissions, transfer, and discharge (ATD) databases, where he then downloads medical records and insurance information for over five thousand current and previous patients.

• The hacker also steals several running laptops and thumb drives connected to biomedical devices in an unattended interventional radiology room as he exits the hospital. When the hacker later cracks these stolen computers, he discovers that an unencrypted laptop and the thumb drives contain a significant amount of ePHI and PII data.

Appendix C: Vignette II: Corrupted Electronic Health Records/Electronic Medical Records (EHRs/EMRs)

1 Opening Scenario

• Your healthcare organization is a major trauma center in a metropolis that triages and treats patients. Patient care is captured, tracked, and reviewed via a remotely accessible Electronic Health Record/Electronic Medical Record (EHR/EMR) system that provides real-time, point-of-care, patient-specific clinical data.

• Several weeks ago the software on your EHR/EMR system was updated and, despite some very minor initial problems, the system has been operating well. Today it is not. Your clinical support computers are very slow, do not respond, or freeze. Patient care is increasingly delayed as physicians and clinicians authenticate and verify patient EHR/EMR information through labor-intensive and time-consuming downtime manual paper procedures (e.g., patient questioning, contact made to families, paper records). Amidst the treatment of patients with corrupt EHRs/EMRs, the center becomes rapidly overwhelmed and, as new patients arrive, only life-threatening emergencies are accepted for emergency department treatment. Trauma staff members are complaining that the EHR/EMR system has virtually ground to a halt and is unusable. Administrator priorities shift to reaffirming EHR/EMR data integrity.

1 Facilitator Prompts

• What does this mean?

• Are there existing procedures to guide you on how to respond to such an incident?

• How does this impact you? Considerations:

o Notification process (internal and external)

o Patient responsibilities

o Intra-center/services/unit coordination and workflow

• What are your “next steps?” Considerations:

o Standard Operating Procedure (organization and/or department/unit)

o Establishing or coordinating a process of authenticating and validating patient EHR/EMR information, and relaying treatment plan information as needed (to provide situational awareness)

o Prioritization of patient treatment based on patient criticality

2 Inject 1

• The center’s off-site information technology (IT) services contractor discovers malware while investigating a high number of complaints of suspicious events and slow network speed. The technicians find that malicious code has infected multiple network-level servers, and possibly desktop and mobile workstations.

1 Facilitator Prompts

• What types of cybersecurity policies, plans, and/or protocols does your organization have in place to detect, respond to, and/or recover from a cyber incident?

• What types of cybersecurity policies, plans, and/or protocols does your organization have in place for the control system network to detect, respond to, and/or recover from a cyber incident?

o Do you have detection, triage, and response capabilities?

o What constitutes suspicious cybersecurity activities or incidents? Do you know what actions to take when one arises?

• Who directly coordinates with the IT services contractors?

o If technology (e.g., network, server, devices) directly impacts safety and health care, how (and by whom) is this information exchanged?

• Do you have umbrella, center-wide standard operating procedures or authorities, or network centralization, that provide organization-wide situational awareness? How easily is information exchanged or shared between departments (while complying with the Health Insurance Portability and Accountability Act [HIPAA])?

3 Inject 2

• IT support determines that the Web and main network servers are infected with a worm that has altered or erased an indeterminate quantity of data fields containing relevant patient health and treatment plan information.

1 Facilitator Prompts

• How are you notified? Is it your responsibility to inform others?

• Would you (and are you authorized to) share this information with patients? With immediate family members? With the public?

o If so, would this be handled directly by the patient’s medical team or through your organization’s public relations department?

• What steps do you take to differentiate between altered and un-altered EHR/EMR information?

o How do you determine which information has been erased or altered, or is unaffected?

• What are alternate methods for capturing patient health and treatment plan information? Are these outlined in current, formalized plans, policies, or procedures?

• How does this affect post-incident EHR/EMR management?

o Is your current Standard Operating Procedure (SOP) compliant with existing policy or procedures? If not, who initiates the process of updating the SOP? If a SOP is not in place, who leads the effort in developing one?

o Is it synchronized across the entire center/services/units?

Ground Truth – Vignette II: Corrupted Electronic Health Records/Electronic Medical Records (EHRs/EMRs)

1 Vignette Objective

• Examine the operational impacts of cyber exploitation of EHRs/EMRs that leads to safety and healthcare clinical errors.

2 General Sequence of Events

• Cyber-disruption.

• Unauthorized disclosure of identifiable ePHI.

• Corrupt patient EHR/EMR information.

• Malicious worm identification.

• Diminished quality of patient care; patient safety and life-threatening issues; legal practice and liability implications; and public exposure and reputational damage.

3 Overview

• A major trauma center in a metropolis that triages and treats patients presenting the gamut of criticality experiences a cyber-disruption that initiates cascading consequences impacting EHRs/EMRs and, subsequently, patient care. The center’s off-site IT services contractor discovers malware while investigating a high number of complaints of suspicious events and slow network speed. The nursing staff reports to the help desk that clinical support computers are very slow, do not respond, or freeze. The technicians find that malicious code has infected multiple network-level servers, and possibly desktop and mobile workstations.

• The remotely accessible EHR/EMR system provides real-time, point-of-care, patient-specific clinical data that includes: vital signs, drugs administered, patient allergies, medical history, immunizations, drug-drug interactions, legal permissions, diagnostic tests and imaging reports, observations, therapies, treatment plans, and other safety-related concerns. With network administrator rights, the technician has access to the center’s personnel, insurance, patient, and financial records.

• In preparation for surgery, a nurse confirms a patient’s blood type; a patient transferred onto another floor is placed onto an appropriate hospital bed; do-not-resuscitate orders for the patient are verified; a physician administers an anticoagulant to a hemophiliac; centrifugation of blood samples is delayed; laboratory results indicate that a patient’s white blood cell count is dangerously high, leading to emergent treatment. In each of these actions, medical personnel reviewed the patient’s EHR/EMR to inform the respective treatment plan. Physicians and clinicians became aware of inaccurate EHR/EMR information following a series of near-fatal patient reactions to medical treatments and procedures (e.g., an erroneous insulin dosage induces profound diabetic hypoglycemia and subsequent coma). In the subsequent emergent care provided, confusion from questionable EHR/EMR information alerts both medical and IT support personnel.

• IT support determines that the Web and main network servers are infected with a worm that is altering or erasing an indeterminate quantity of data fields containing relevant patient history and treatment plan information. To remediate the situation, affected computers need to be re-imaged, the servers’ operating systems need to be restored from original backup tapes, and the application systems re-installed.

• Amidst the treatment of patients with corrupt EHRs/EMRs, the center rapidly becomes overwhelmed and, as new patients arrive, only life-threatening emergencies are accepted for emergency department treatment. Administrator priorities shift to reaffirming EHR/EMR data integrity.


Appendix D: Vignette III: Cash Out - Billing System Disruption

1 Opening Scenario

• Six months ago, three administrative employees in your healthcare organization received an email from the facility’s human resources (HR) department/provider. The email contained what seemed to be an attachment that would not open. The employees did not report this problem to anyone. Other employees also received seemingly “legitimate” emails from HR/payroll asking them to update their password-protected personal information through hyperlinks embedded in the emails.

• During a routinely scheduled financial audit this week, significant discrepancies are discovered and immediately reported to your Chief Financial Officer (CFO). A quick internal investigation by the CFO exonerates your employees. This investigation determines that an external network intruder has exploited a known – but unpatched – billing system vulnerability and now controls key components of your billing and receivables capabilities. It is determined that the money cannot be recovered, nor can the intruder be identified.

1 Facilitator Prompts

• Describe the threat, vulnerability, and consequence methodologies used in risk assessment. What are the sources of information that contribute to them?

• What physical, information security, and/or other risk management methodologies do you use?

• Describe your employee and end-user cybersecurity awareness training. Is it standardized across your enterprise? Is it required prior to granting login permissions?

• Does your business continuity planning address cybersecurity? How often is it exercised?

• Do you have a threat escalation matrix with thresholds and/or triggers for protective actions and incident management?

• How do information technology skillsets differ from information security skills? Do you have sufficient employees with both? How are they organized?

• What are your sources of cyber threat collection and analysis?

• Describe your initial planned response. If no response is planned, discuss who would be in command and why. What are the essential elements of information necessary to support decision-making?

• What actions would you be taking and/or intend to take?

• Do your initial actions account for the possibility of an insider threat and/or compromised email and, if you use Voice over Internet Protocol (VoIP), compromised voice and voicemail communications?

• Discuss decision-making related to the notification of law enforcement.

2 Inject 1

• Your healthcare organization hires a third party cyber service to remediate the vulnerability, secure the system, and conduct forensic analysis. This vendor completes the work and states that they believe the intruder has been prevented from further access to your system. You continue efforts to resolve business, legal, and regulatory damages caused by the breach.

1 Facilitator Prompts

• Has leadership of the incident management changed?

• Describe your incident management structure.

• What are the current legal concerns?

• Discuss liability and indemnification contract issues with your partners.

• Does your contract specify who owns the data they collected during the response?

• Discuss initial notifications to regulators.

• What other information needs exist?

• How do you intend to get this information?

• With whom do you share this information?

• What actions would you be taking and/or intend to take?

• What are your biggest challenges in this situation?

3 Inject 2

• Your Chief Executive Officer (CEO) receives an untraceable email from the hacker who claims credit for the fraudulent billing and attempts to extort money from your organization to avert public disclosure. The email includes current, dated screen shots of your billing system and declares that she still has it under her control. The email states that your CEO has 24 hours to pay a ransom of $1 million or she will both delete a portion of your billing database, and offer patient credit card information for sale on the Internet.

1 Facilitator Prompts

• What are your concerns, if any, about contacting law enforcement?

• How developed is your relationship with law enforcement?

• How developed is your relationship with local government?

• What other relationships would be impacted?

• How are these relationships nurtured?

• How will the needs of law enforcement (e.g., evidence collection) impact your mitigation efforts?

• How are these impacts managed?

• Who leads the response?

• What essential elements of information are needed to support incident management?

• Who determines interdependencies and cascading effects?

• Who develops the worst case scenario and other decision support requirements for leadership?

• What are your incident objectives?

• What other information needs exist?

• How do you intend to get this information?

• With whom do you share this information and why?

• What actions would you be taking and/or intend to take?

• How do you manage extortion?

• What are your biggest challenges in this situation?

4 Inject 3

• After notifying law enforcement, your board of directors tries to negotiate with the hacker and delays paying the ransom; the hacker subsequently deletes 10% of the billing database. In addition to this damage, the intruder’s malware has also caused you to lose the ability to quickly verify patient insurance payments through electronic means. This results in significant delay, and in some cases outright denial, of medical services to non-emergency and all elective-surgery patients. Those denied services are referred to nearby healthcare providers. Despite continued attempts, the IT technicians are unable to regain control of these databases. The intruder then raises the ransom to $5 million and threatens to erase 50% of your database if you fail to make full payment within 24 hours.

• The significant loss of data and the increase in patient load at nearby healthcare facilities prompt your organization to disclose the breach to, and communicate with, other healthcare providers in the region. Your limited ability to share data with federal and state service providers, process payroll, and manage bills brings your facility close to temporarily shutting down operations. Your Incident Management Team (IMT) coordinates its response with law enforcement, regulators, and other authorities. Based on the information you provide, some regional healthcare providers also discover similar fraudulent billing due to actions by this intruder. The hacker is attempting to extort money from these other providers as well.

• Your organization becomes non-compliant with Payment Card Industry (PCI) requirements and therefore is subject to penalties and fines. It is estimated that your healthcare organization may have to spend in excess of $3 million to make notification to those patients whose credit card information was stolen, and to provide them with credit monitoring for a year.

1 Facilitator Prompts

• What cybersecurity requirements are contractually required of your third-party service providers, supply chain, and business partners? What standards are used and why?

• Discuss public affairs messaging. Who leads this process? How is it coordinated?

• What are your concerns notifying customers? The public? Regulators? Your supply chain? Your business partners? Elected officials? Industry organizations? Media? Government partners? Corporate Board and shareholders (if applicable)?

• What is the mechanism for sustaining incident response?

• What are your criteria for demobilization of incident response?

• What other information needs exist?

• How do you intend to get this information?

• With whom do you share this information?

• What actions would you be taking and/or intend to take?

• Have your challenges changed?

Ground Truth – Vignette III: Cash Out – Billing System Disruption

1 Vignette Objective

• To examine the interdependencies and cascading effects of, and organizational response to, cyber disruptions in a healthcare billing system.

2 General Sequence of Events

• External network intruder commits fraud followed by extortion.

• Actions by the intruder result in the loss of billing capabilities, disrupting patient care and operations and causing loss of revenue; public exposure and reputational damage ensue as a result.

• Information sharing with other regional healthcare organizations indicates that they are experiencing a similar cyber attack.

• Credit card information breach results in fines, penalties, and costs associated with credit monitoring.

3 Overview

• Three junior administrative employees from your healthcare organization receive an email that appears to come from your HR department/provider. The email contains an attachment that will not open; none of the employees report the email attachment problem to anyone. Unbeknownst to the employees, the “non-functioning attachment” is a malicious worm that has infected the billing system.

• The hacker then sends phishing emails to 50 additional employees in an attempt to obtain administrative account credentials. The phishing email appears to be sent by the IT help desk, simply states that the user’s network password has expired, and provides a hyperlink. Users are lured into clicking the hyperlink, which sends them to a fraudulent Web site where they enter their username and password.

• With administrative credentials gained through phishing, the intruder exploits a previously unknown vulnerability in the operating system to gain full system privileges. The hacker then accesses your billing system to modify the worm-originated data that sent illegitimate invoices to health sector providers and payers, including Medicare, Medicaid, and other insurers. Payments are routed to the intruder’s offshore bank account and laundered as quickly as the money is received. The hacker’s control of the billing system allows her to alter data and mask her crime for an extended period of time.

• During a routinely scheduled financial audit, your Chief Financial Officer (CFO) is informed that significant fraudulent activity has been discovered. The CFO’s investigation exonerates your employees but suspects that an external network intruder has exploited a software vulnerability and now controls key components of your billing system. The defrauded money cannot be recovered, nor can the intruder be identified. Your CISO hires a third party service to remediate the vulnerability, re-secure your systems, and conduct additional forensics analysis.

• The cybersecurity vendor completes the remediation and believes it has prevented the intruder from gaining further access to the system. Your organization continues efforts to resolve business, legal, and regulatory damages and repercussions caused by the attack.

• Your CEO receives an untraceable email from the hacker who claims credit for the fraudulent billing and attempts to extort money from your organization to avert public disclosure. The email includes current, dated screen shots of your billing system and declares that she still has it under her control. The email states that your CEO has 24 hours to pay a ransom of $1 million or she will both delete a portion of your billing database, and offer patient credit card information for sale on the Internet.

• After notifying law enforcement, your board of directors tries to negotiate with the hacker and delays paying the ransom; the hacker subsequently deletes 10% of the billing database. In addition to this damage, the intruder’s malware has also caused you to lose the ability to quickly verify patient insurance payments through electronic means. This results in significant delay, and in some cases outright denial, of medical services to non-emergency and all elective-surgery patients. Those denied services are referred to nearby healthcare providers. Despite continued attempts, the IT technicians are unable to regain control of these databases. The intruder then raises the ransom to $5 million and threatens to erase 50% of your database if you fail to make full payment within 24 hours.

• The significant loss of data and the increase in patient load at nearby healthcare facilities lead your organization to disclose the breach and communicate with other healthcare providers in the region. Your limited ability to share data with federal and state service providers, process payroll, and manage bills brings your facility close to temporarily shutting down operations. Your IMT coordinates its response with law enforcement, regulators, and other authorities. Based on information you provide, some regional healthcare providers also discover similar fraudulent billing due to actions by this intruder. The hacker is attempting to extort money from these other providers as well.

• Your organization becomes non-compliant with PCI requirements and becomes subject to penalties and fines. It is estimated that your healthcare organization may have to spend in excess of $3 million to notify patients whose credit card information was stolen and provide credit monitoring for a year.

Appendix E: Vignette IV: Medical Device Malfunction

1 Opening Scenario

• The medical device industry has experienced substantial growth in the past decade owing primarily to changes in patient demographics and rapid globalization. Nevertheless the industry continues to face pressures to cut costs and increase product development. A variety of cost cutting measures, including global outsourcing, continue to play a major role in medical device development and manufacturing.

• Activities outsourced include product design, prototyping, manufacturing, and supply chain management. Alongside these are challenges in regulatory compliance and in certifying that all components and products are authentic. The reliability and surety of devices are becoming an increasingly public issue. In the wake of several high-profile safety incidents, many manufacturers are taking additional steps to ensure that their products are both safe and effective. It has been reported that several devices with the ability to be reprogrammed remotely via wireless technology are used within your healthcare organization and have suspect reliability.

1 Facilitator Prompts

• What do you know?

• How might you know this?

• What other information needs exist?

• How do you intend to get this information?

• With whom do you share this information?

• What actions would you be taking and/or intend to take?

• What are your biggest challenges in this situation?

2 Inject 1

• A new generation of implantable cardioverter defibrillators (ICDs) manufactured by multiple companies, with components made in the United States, Asia, and Europe, is now used by many healthcare organizations, including your own. The new generation of ICDs is intended to offer improved reliability and safety over older models, and a “reasonable assurance of safety and effectiveness” is touted by the manufacturers.

• Failure rates of the newer ICDs across all manufacturers have been tracked as below traditional averages. The United States Food and Drug Administration (FDA) has identified firmware as the primary cause of device problems. To gain a competitive advantage, one manufacturer decides to update the firmware in its in-stock ICDs and incentivizes physicians and suppliers to replace the non-updated implants with the safer, more reliable device.

• Several weeks after undergoing replacement of an implanted device, three very similar reports of “adverse events” – including one death – are received from patients who received the updated ICDs at your hospital.

1 Facilitator Prompts

• Are there any existing procedures in place to guide you on how to respond to such an event?

• Who would you contact about the incident?

o Internally?

o Externally?

• What internal and external messages should be developed? How are they being distributed?

• What are the business implications of the scenario? How would you determine them?

• Would you contact customers? If so, how is your firm’s public relations department involved? What role would you have in shaping the messages for customers and media inquiries?

• At what point would you contact law enforcement?

• Would this situation trigger contact with regulators? Others? Why or why not?

Ground Truth – Vignette IV: Medical Device Malfunction

1 Vignette Objective

• Explore intra- and inter-organizational response practices resulting from cyber-induced, malfunctioning implanted medical devices.

2 General Sequence of Events

• Creation of a vulnerability in a medical device component.

• Shipment of faulty components for manufacture and use in United States healthcare facilities and elsewhere.

• Devices implanted in patients are directly linked to life-threatening conditions.

3 Overview

• The medical device industry has experienced substantial growth in the past decade owing primarily to changes in patient demographics and rapid globalization. Nevertheless, the industry continues to face pressures to cut costs and increase product development. A variety of cost cutting measures, including global outsourcing, continue to play a major role in medical device development and manufacturing.

• Activities outsourced include product design, prototyping, manufacturing, and supply chain management. Alongside these are challenges in regulatory compliance and in certifying that all components and products are authentic. The reliability and surety of devices are becoming an increasingly public issue. In the wake of several high-profile safety incidents, many manufacturers are taking additional steps to ensure that their products are both safe and effective. It has been reported that several devices with the ability to be reprogrammed remotely via wireless technology are used within your health care organization and have suspect reliability.

• In concert with a large international criminal organization, a foreign corporation produces compromised microchips to be embedded in a new generation of ICDs. The criminal organization orchestrates the delivery of the compromised chips to the United States and Europe, where the ICD devices will be manufactured. These flaws go undetected during pre-market testing conducted by the device manufacturers and by the FDA, respectively, and a “reasonable assurance of safety and effectiveness” is promoted by the manufacturers. The new generation of devices is intended to offer improved reliability and safety over older models. Some models provide the ability to be reprogrammed remotely with wireless technology to update software and personalize settings.

• The compromised chips enable the corruption of firmware, resulting in time-delayed binary malware generated within the device after a firmware update. Over 25 thousand of these devices have been implanted into patients in the United States alone. A similar number of new-generation ICDs are in stock around the country, potentially affecting an untold number of patients.

• Failure rates of the newer ICDs across all manufacturers have been below traditional averages. The FDA has identified firmware as the primary cause of device problems. To gain a competitive advantage, one manufacturer decides to update the firmware in its in-stock ICDs and encourages physicians and suppliers to replace the non-updated implants with the “safer, more reliable” device or to update the firmware in implanted devices through wireless means.

• Several weeks after undergoing replacement or updating of an implanted device, three very similar cases of an “adverse event” – including one death – in patients who received updated ICDs within your hospital are reported.

Appendix F: Reference Library

1 U.S. Department of Homeland Security and National Healthcare and Public Health Sector Documents

1. Healthcare and Public Health Sector-Specific Plan: An Annex to the National Infrastructure Protection Plan

2. National Infrastructure Protection Plan: Healthcare and Public Health Sector Snapshot

3. HHS: Basic Security for the Small Healthcare Practice Checklists V1.0

2 Other Federal and Industry Documents

1. National Institute of Standards and Technology (NIST) – An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act Security Rule (SP-800-66-Revision 1)

2. NIST – Computer Security Incident Handling Guide (SP800-61rev1)

3. NIST – Computer Security Incident Handling Guide (SP800-61rev2), Draft

4. NIST – Security Architecture Design Process for Health Information Exchanges (NISTIR-7497)

3 Additional Online Resources

1. The National Health Information Sharing and Analysis Center (NH-ISAC)

2. United States Computer Emergency Readiness Team (US-CERT)

3. How to Subscribe to US-CERT Publications

4. US-CERT – National Cyber Awareness System

5. NIST – Computer Security Resource Center

6. Homeland Security Exercise and Evaluation Program (HSEEP)

7. HSEEP Library

8. Federal Emergency Management Agency’s (FEMA’s) Emergency Management Institute (EMI)

9. Lessons Learned Information Sharing ()

Developing cyber exercises requires not only exposure to exercise design, but an understanding of the theoretical foundation supporting it as well. FEMA has developed a series of online, Independent Study (IS) courses that provide that base. It is recommended that members of the Exercise Planning Team take advantage of these free programs, and take one or more of the following courses:

• IS-120.a course, An Introduction to Exercises;

• IS-130 course, Exercise Evaluation and Improvement Planning;

• IS-139 course, Exercise Design; and

• The HSEEP Policy course.

The successful completion of these courses provides Planning Team members with a knowledgeable foundation of exercise design, development, conduct, evaluation, and improvement planning to assist in the creation of successful cyber-oriented scenarios. Information on these courses can be found on the HSEEP Web site in the Training section and Exercise Technical Assistance section, respectively, and on FEMA’s EMI Web site - .

Appendix G: Exercise Planning and Support Materials

The following documents are contained in the Exercise Planning and Exercise Conduct folders on the CD:

• Facilitator and Planner Guide

• Exercise Presentation

• Situation Manual

• After Action Report/Improvement Plan Template

• Exercise Feedback Forms

• Participant Feedback Forms

• Agenda Template

• Sample Invitation

• Meeting Minutes Template

Appendix H: Acronym List

|Acronym |Definition |

|AAR |After Action Report |

|ATD |Admit, Transfer, and Discharge |

|C&O |Concept & Objectives |

|CEO |Chief Executive Officer |

|CEP |Cyber Exercise Program |

|CFO |Chief Financial Officer |

|CIO |Chief Information Officer |

|CIRT |Cyber Incident Response Team |

|CISO |Chief Information Security Officer |

|CSET |Cyber Security Evaluation Tool |

|CSSP |Control Systems Security Program |

|DHS |U.S. Department of Homeland Security |

|EHR/EMR |Electronic Health Record / Electronic Medical Record |

|EMI |Emergency Management Institute |

|ePHI |electronic Protected Health Information |

|FDA |United States Food and Drug Administration |

|FEMA |Federal Emergency Management Agency |

|FPC |Final Planning Conference |

|HR |Human Resources |

|HSEEP |Homeland Security Exercise and Evaluation Program |

|ICD |Implantable Cardioverter Defibrillator |

|ICS |Industrial Control Systems |

|ICS-CERT |Industrial Control Systems Cyber Emergency Response Team |

|IMT |Incident Management Team |

|IP |Improvement Plan |

|IPC |Initial Planning Conference |

|IS |Independent Study |

|IT |Information Technology |

|LLIS |Lessons Learned Information Sharing |

|NCSD |National Cyber Security Division |

|NH-ISAC |National Health Information Sharing and Analysis Center |

|NIPP |National Infrastructure Protection Plan |

|NIST |National Institute of Standards and Technology |

|NSTB |National Supervisory Control and Data Acquisition Test Bed |

|PCI |Payment Card Industry |

|PII |Personally Identifiable Information |

|PPT |PowerPoint Presentation |

|PSA |Protective Service Advisors |

|SCADA |Supervisory Control and Data Acquisition |

|SITMAN |Situation Manual |

|SSA EMO |Sector Specific Agency Executive Management Office |

|TTX |Tabletop Exercise |

|US-CERT |United States Computer Emergency Readiness Team |

Appendix I: Glossary of Terms

|Term |Definition |
|After Action Report |An After Action Report (AAR) is the final product of an exercise. The After Action Report/Improvement Plan (AAR/IP) has two components: an AAR, which captures observations and recommendations based on the exercise objectives, and an Improvement Plan (IP), which identifies specific corrective actions, assigns them to responsible parties, and establishes targets for their completion |
|Capability |A means to accomplish one or more tasks under specific conditions to meet specific performance standards, to meet an intended outcome |
|Corrective Action |A concrete, actionable step outlined in an IP that is intended to resolve preparedness gaps and shortcomings experienced in exercises or real-world events |
|Critical Infrastructure |Systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on the security, national economic security, national public health or safety, or any combination of these matters |
|Cyber Attack |An attack, via cyberspace, targeting an enterprise's use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data; or stealing controlled information |
|Cyber Incident |An action taken through the use of computer networks that results in an actual or potentially adverse effect on an information system and/or the information residing therein |
|Cybersecurity |The prevention of damage to, unauthorized use of, or exploitation of, and, if needed, the restoration of electronic information and communications systems and the information contained therein to ensure confidentiality, integrity, and availability |
|Cyberspace |A global domain within the information environment consisting of the interdependent network of information systems infrastructures including the Internet, telecommunications networks, computer systems, and embedded processors and controllers |
|Data Collector |Exercise personnel selected from various agencies to evaluate and comment on designated functional areas of expertise; also referred to as an "Observer" |
|Debrief |A forum for Planners, Facilitators, and Evaluators to review and provide feedback in a facilitated discussion after the exercise is held |
|Exercise |A simulation activity held to train a single operation, command structure, or organization; provides opportunities to test plans and improve response proficiency in a risk-free environment |
|Exercise Timeline |Identifies the planning conferences and tasks necessary for planning and developing an exercise |
|Facilitated Discussion |The focused discussion of specific issues through a Facilitator with functional area or subject matter expertise |
|Homeland Security Exercise and Evaluation Program |A capabilities-based and objectives-driven exercise program that provides standardized policy, doctrine, and terminology for the program management and project management (including design and development, conduct, evaluation, and improvement planning) of homeland security exercises |
|Hot Wash |A facilitated discussion held immediately following an exercise among exercise Players from each functional area. It is designed to capture feedback about any issues, concerns, or proposed improvements Players may have about the exercise. Evaluators can also seek clarification on certain actions and what prompted Players to take them |
|Improvement Plan |A grouping of one or more recommendations and action items identified to address weaknesses observed in an event; for each task, the IP lists the corrective action that will be taken, the responsible party or agency, and the expected completion date; included at the end of the AAR |
|Lessons Learned Information Sharing Web Site () |A Web site dedicated to providing knowledge and experience derived from actual incidents, observations, training, and exercises; offers a national network of lessons learned and best practices for emergency response providers and homeland security officials |
|Malware |A program that is inserted into a system, usually covertly, with the malicious intent of compromising the confidentiality, integrity, or availability of the victim's data, applications, or operating system, or of otherwise annoying or disrupting the victim |
|Moderated Discussion |A facilitated, discussion-based forum where a representative from each functional area breakout presents to Participants a summary and results from the group's earlier facilitated discussion |
|Observation |A recorded exercise activity |
|Observer |Exercise personnel selected from various agencies to evaluate and comment on designated functional areas of expertise; also referred to as a "Data Collector" |
|Out-brief |An assessment of areas in which an organization is doing very well, and areas which need improvement |
|Planning Team Member |Any personnel performing a role or assignment as part of an Exercise Planning Team |
|Program Management |Sets the strategic goals that organizations set out to achieve in their exercise programs; implements and tracks corrective actions for the continuous improvement necessary for surviving a cyber incident while sustaining critical functions |
|Project Management |Coordination of personnel, resources, and strategic goals for a single exercise |
|Real-World Event |An actual incident materializing threats to life, property, community, and the environment |
|Recommendation |The identification of areas for improvement observed during an exercise or experienced during a real-world event; based on root-cause analysis, recommendations are listed in all AAR/IPs |
|Significant Cyber Incident |A set of conditions in the cyber domain that requires increased national coordination |
|Virus |A form of malware that is designed to self-replicate and distribute the copies to other files, programs, or computers |
|Vulnerability |A physical feature or operational attribute that renders an entity, asset, system, network, or geographic area open to exploitation or susceptible to a given hazard |
|Worm |A self-replicating program that is completely self-contained and self-propagating |

"The health sector represents the highest breached industry with a persistent and cascading cyber attack security threat landscape. As enterprise security demands accelerate, the value of nationwide coordinated healthcare cybersecurity protection, an educated security workforce and access to the health sector's recognized Information Sharing & Analysis Center (NH-ISAC) ensure a sound, security risk mitigation strategy and contribute to a secure and resilient national healthcare critical infrastructure."

–Press Release: National Health ISAC – May 2012

-----------------------

Facilitators

The use of Facilitators generally allows more manageable control over discussion direction, as they can draw information from Players to present a clear picture of issues and objectives. Active facilitation ensures that the discussion remains focused on issues and policies.

A sample AAR/IP template is included in Appendix G of this Guide should you choose to use it.

Membership

To become a member, an information sheet on the registration process is provided in the Reference Materials section of this Guide. Members have exclusive access to AARs; a comprehensive, online repository of documents; and a secure, validated network to generate and disseminate lessons learned and best practices.

What is HSEEP?

HSEEP is a capabilities- and performance-based exercise program that was developed to provide common exercise policy and program guidance to constitute a national standard for exercises. It includes use of consistent terminology, design process, evaluation tools, and documentation standards. HSEEP reflects community best practices as well as lessons learned from previous and existing exercise programs. HSEEP is designed to be adaptable to any exercise program. Because cyber events often have physical consequences affecting our critical infrastructure, it is important that cyber exercise designers employ planning techniques and terms used by the emergency management community.

Tabletop Exercise Staffing Recommendations:

U-shaped Layout: At least two Observers/Data Collectors to capture information.

Breakout Tables: One Facilitator and one Observer/Data Collector will be needed for each table.

Table 6: U-shape Layout for a Tabletop Exercise
