Bolstering Cybersecurity in Healthcare with Cyber Tabletop Exercises
Date: 16 May 2024
Strong cyber defences are perhaps not as critical in any industry as they are in the healthcare sector. A single breach or ransomware attack can impact human life. While the shock value of this phrase has been exploited many times over, it continues to emerge everywhere because it’s so true.
Preparing for cyber-attacks and ensuring that they don’t bring healthcare and emergency services to a standstill is of utmost importance today. And tailored cyber attack tabletop exercises can help healthcare organisations achieve this and improve their security posture.
In this blog, we explore how cyber simulation drills are indispensable for the protection of precious healthcare data and of the even more precious human health and life. We also show you how cyber drills can be tailored specifically for the healthcare sector to make them all the more effective. You can also download our Cyber Tabletop Exercise Template today and start customising it for your own cyber simulation drill.
With the bespoke exercises that we at Cyber Management Alliance conduct, the specific goal is to achieve extremely productive outcomes that help enhance cyber crisis decision-making and cyber incident response plans and strategies.
In this blog, we’ll take a quick look at:
- Top Cyber Tabletop Exercise Examples for the Healthcare Sector
- How to Curate Bespoke Cyber Drills for the Healthcare Industry?
- Why Study Recent Cyber Attacks in the Industry?
- Recent Cyber Attacks in the Healthcare Industry
Top Cyber Tabletop Exercise Scenarios for the Healthcare Industry
The healthcare industry faces unique cybersecurity and information security challenges. The sector not only handles sensitive patient data but also relies on a complex network of interconnected devices and systems to deliver life-saving services.
Cyber security incidents in healthcare can lead to catastrophic consequences, including the disruption of critical patient care services, theft of sensitive patient data, and significant financial losses.
This environment necessitates a cybersecurity strategy that is both robust and tailored to the specific needs of the sector. This is precisely why tailoring cyber attack simulation drills to threats and risks relevant to the industry is vital.
Here’s a look at the top cyber-attack scenarios that cyber drills for healthcare must focus on:
- Patient Privacy: Tabletop scenarios must focus on data breaches, ransomware attacks on medical devices, and insider threats targeting patient records. Incident Response teams and security team members must build muscle memory for the cyber incident response plan. The exercise scenarios should also help them become better aware of their own roles and responsibilities in case of an attack.
- HIPAA Compliance: It’s important to rehearse for scenarios that put the organisation at risk of breaching the Health Insurance Portability and Accountability Act (HIPAA). The Act is paramount for healthcare organisations, and it’s important to rehearse a response strategy that ensures compliance with HIPAA in the event of an attack or data breach.
- Medical Device Security: Risk Management with respect to IoT and computer-reliant medical devices is essential for healthcare companies. It is imperative to rehearse for an attack on the security of medical devices and the organisation's ability to respond to related cyber incidents.
How to Tailor Cyber Attack Tabletop Exercises for the Healthcare Industry
While tailoring Cyber Tabletop Exercises for the Medical and Healthcare industry, the scenarios discussed above should be top of mind. Taking into consideration the unique and major threats that the healthcare sector faces is important.
Cyber drills for healthcare should, essentially, simulate scenarios that healthcare organisations are most likely to encounter, such as ransomware attacks disrupting patient care, breaches of patient data, or attacks on medical devices.
A well-designed exercise will not only test the organisation's cybersecurity incident response but also highlight areas where improvements are needed.
Some of the other important factors to keep in mind while planning and producing a cyber tabletop exercise for the healthcare sector include:
- Realistic Scenarios: Reiterating the above - scenarios should reflect real-world situations that could occur in the healthcare setting. This includes everything from phishing attacks targeting hospital staff to sophisticated breaches of electronic health record systems.
- Interdepartmental Involvement: Cybersecurity is not just an IT issue in healthcare; it involves multiple departments including clinical staff, administration, and support services. Engaging a diverse group of participants will ensure that all important stakeholders understand the risks their organisations face and how they will respond to them in an attack situation.
It’s critical to spend time thinking about the participants in the tabletop exercise. Ensure that all those who will actually be making decisions about how to respond, how to continue delivering healthcare services and how to communicate with external parties participate in the drill.
- Regulatory Compliance: Healthcare organisations are subject to various regulations, the most prominent of them being HIPAA. Tabletop exercises should incorporate elements that test compliance with these regulations during a cyber incident.
- Communication and Coordination: Effective communication and coordination are crucial during a cyber incident. This is especially critical for healthcare organisations. A lack of communication about how to keep delivering services during an attack can have a crippling effect on the organisation and on patients. Cyber Attack Tabletop Exercises should test and improve the internal and external communication protocols, including coordination with external agencies if necessary.
Our Cyber Crisis Tabletop Exercise Checklist covers all the key points to keep in mind when designing your cyber attack drill in greater detail. Read it in conjunction with our Cyber Tabletop Exercise PPT to ensure you conduct the most productive exercise possible.
Studying Past Attacks to Improve Effectiveness of Cyber Drills
To maximise the impact of tabletop exercises for healthcare, integrating real-world cyber threats specific to the sector can be really helpful. This involves studying past cyber incidents within the sector and incorporating these insights into the exercise.
By simulating actual events, such as a recent ransomware attack that targeted a hospital, participants can gain a deeper understanding of the tactics used by cybercriminals and how to effectively counter them. This approach not only enhances the realism of the exercise but also ensures that the lessons learned are directly applicable to real-world scenarios.
Incorporating case studies of actual cyber attacks in the medical and healthcare industries can greatly enrich tabletop exercises. These case studies provide valuable lessons on how similar incidents were handled, what worked well, and what could have been done differently.
The section below gives you a detailed insight into the major recent cyber attacks on healthcare organisations across the globe. You could pick any which sound most relevant to your organisation and study the impact.
You can then use these attacks to ask relevant questions during your exercise such as - “What would we do if our patient data was leaked?” or “How would we ensure continuous delivery of emergency services if we are hit by a ransomware attack?” These real-life examples serve as powerful tools for learning and preparation.
You might also want to refer to our AIIMS Ransomware Attack Timeline to gain a better understanding of how the attack on this major healthcare organisation in India unfolded, what the impact was and how it was handled.
Recent Cyber Attacks in the Healthcare Industry
| Event Date | Impacted Org | Incident | Threat Actor | Impact |
|---|---|---|---|---|
| April 24, 2024 | Kaiser Permanente | Kaiser Permanente data breach may impact 13.4 million patients | Unknown | Healthcare service provider Kaiser Permanente disclosed a data security incident that may impact 13.4 million people in the United States, as the organisation said that information from "approximately 13.4 million current and former members and patients" was leaked to third-party trackers installed on its websites and mobile applications. |
| March 15 and 29, 2024 | NHS Dumfries and Galloway | Scottish health service says ‘focused and ongoing cyber attack’ may disrupt services, and a ransomware group leaks stolen data | INC Ransom | NHS Dumfries and Galloway, part of the Scottish healthcare system, announced that it was the target of a focused and ongoing cyber attack. The health board announced there “may be some disruption to services as a result of this situation”. Cyber extortionists have published to their dark web blog sensitive patient data stolen from NHS Dumfries and Galloway, in a bid to demand money from the local health board. |
| February 22, 2024 | UnitedHealth-Change Health | UnitedHealth subsidiary Optum hack linked to BlackCat ransomware | BlackCat Ransomware and its affiliates | In a statement published on their dark web leak site, BlackCat said that they allegedly stole 6TB of data from Change Healthcare's network belonging to "thousands of healthcare providers, insurance providers, pharmacies, etc." The ransomware gang claims that they stole source code for Change Healthcare solutions and sensitive information belonging to many partners, including the U.S. military's Tricare healthcare program, the Medicare federal health insurance program, CVS Caremark, MetLife, Health Net, and tens of other healthcare insurance providers. |
| February 01 and 28, 2024 | Lurie Children's Hospital | Rhysida ransomware demands $3.6 million for children’s stolen data | Rhysida Ransomware | The Rhysida ransomware gang has listed Lurie Children's on its extortion portal on the dark web, claiming to have stolen 600 GB of data from the hospital. Rhysida ransomware now offers to sell the stolen data for 60 BTC ($3,700,000) to a single buyer. |
| November 14, 2023 | Pharmacy provider Truepill | Pharmacy provider Truepill data breach hits 2.3 million customers | Unknown | Postmeds, doing business as ‘Truepill,’ is sending notifications of a data breach informing recipients that threat actors accessed their sensitive personal information; the incident impacted 2,364,359 people. |
| November 14, 2023 | Medical transcription services provider PJ&A | PJ&A says cyber attack exposed data of nearly 9 million patients | Unknown | PJ&A (Perry Johnson & Associates) warned that a cyber attack in March 2023 exposed the personal information of almost nine million patients; the company said the threat actors breached their network and had access between March 27 and May 2, 2023. |
| November 13, 2023 | Sutter Health | 845,000 patients affected by Sutter Health vendor breach | Unknown | The sensitive data of 845,000 Sacramento, Calif.-based Sutter Health patients was compromised in a ransomware attack on its online contact-management vendor Welltok, a Virgin Pulse company. The vendor, which enables Sutter Health to inform patients and members through notifications, told the health system that 845,000 of its patients were affected by a September breach in which a ransomware group attacked the file transfer tool the vendor uses, i.e. MOVEit. |
| November 13, 2023 | Otsego Memorial Hospital, Michigan | Michigan hospital confirms cyber attack | Unknown | Gaylord, Mich.-based Otsego Memorial Hospital confirmed that it was the victim of a cyber attack in October. Hospital officials said they do not believe patient data was compromised during the attack. The attack forced the hospital to shut down its IT system temporarily. |
| November 9, 2023 | McLaren Health Care | McLaren Health Care says data breach impacted 2.2 million people | The ALPHV (BlackCat) Ransomware Group | McLaren Health Care (McLaren) notified nearly 2.2 million people of a data breach that occurred between late July and August 2023, exposing sensitive personal information. |
| November 1, 2023 | ICMR | Records of nearly 815 million Indians were compromised | A threat actor with the alias ‘pwn0001’ | This breach came to light after a US cybersecurity firm reported the following details: a threat actor with the alias ‘pwn0001’ claimed that they could sell records of 815 million Indians, including names, ages, phone numbers, Aadhaar numbers and addresses. pwn0001 shared a sample, which had 1 lakh phone numbers and Aadhaar numbers. The sample dataset includes personal information of children as young as 10. |
| October 25, 2023 | Redcliffe Labs | Millions of highly sensitive patient records exposed | Unknown | Cybersecurity researcher Jeremiah Fowler discovered and reported to WebsitePlanet a non-password-protected database that contained over 12 million records of medical diagnostic scans, test results, and other potentially sensitive medical records. The total number of records was significant, at a count of 12,347,297 with a total size of 7TB. Upon further investigation, the documents were marked as belonging to an India-based company called Redcliffe Labs. |
| October 15, 2023 | Morrison Community Hospital | 5GB of data stolen from the hospital | The ALPHV (BlackCat) Ransomware Group | The ALPHV/BlackCat ransomware group claimed to have hacked the Morrison Community Hospital and added it to its dark web Tor leak site. The group claimed to have stolen 5TB of patients’ and employees’ information, backups, PII documents, and more. The gang also published a sample as proof of the stolen data. |
| September 25, 2023 | MNGI Digestive Health | ALPHV claims to have hit MNGI Digestive Health | The ALPHV (BlackCat) Ransomware Group | ALPHV claimed to have stolen data that belonged to MNGI Digestive Health. They warned that the company should contact them within 48 hours or all 2+TB of data would be automatically published online. As proof of claim, they uploaded some images from diagnostic tests, but without legible corresponding patient IDs or details. |
| September 19, 2023 | The Kfar Shaul Mental Health Center in Israel's capital of Jerusalem | Israeli psychiatric hospital in Jerusalem hit with cyber attack | Unknown | The Kfar Shaul Mental Health Center in Israel's capital of Jerusalem was hit with a suspected cyber attack. |
| September 16, 2023 | Sanford Health | Personal information of thousands of Sanford Health patients potentially compromised | Unknown | The imaging vendor Sanford Health uses for its mobile heart screen trucks, DMS Health Technologies, experienced a data security incident between March 27 and April 24, 2023. According to Sanford Health, patient information was potentially compromised, including name, date of birth, date of service, physician name and exam type. |
| August 27, 2023 | Prospect Medical | Rhysida claims ransomware attack on Prospect Medical, threatens to sell data | Rhysida Ransomware | The Rhysida ransomware gang claimed responsibility for the massive cyber attack on Prospect Medical Holdings, claiming to have stolen 500,000 Social Security numbers, corporate documents, and patient records. |
| August 14, 2023 | VNS Health | VNS Health confirms data breach at TMG Health resulted in data of 103,775 consumers being leaked | Clop ransomware (MOVEit) | VNS explained that the TMG Health data breach resulted in an unauthorised party being able to access consumers’ sensitive information, which included their names, Social Security numbers, addresses, dates of birth, billing information, and medical information. |
| July 29, 2023 | The Chattanooga Heart Institute | The Chattanooga Heart Institute notified 170,450 about March “data security incident” | Karakurt threat actors | Karakurt threat actors had claimed to have attacked them and to have exfiltrated 158 GB of data. No proof of claim was offered, but Karakurt wrote: “Employees and patients’ private data will soon be available for everyone. Medical records, test results, diagnoses, social security numbers, passports, addresses, phone numbers, financial data and other documents are going to be uploaded.” |
| July 28, 2023 | Centres for Medicare and Medicaid | Centres for Medicare and Medicaid notify 645,000 Medicare members about MOVEit breach | Clop Ransomware (MOVEit) | The Centres for Medicare and Medicaid (CMS) posted a notice on its site about a data breach at one of its contractors, Maximus Federal Services, Inc. Maximus was one of hundreds of victims of the zero-day attack on MOVEit file transfer software by the Clop ransomware gang. CMS said that approximately 645,000 Medicare numbers had their information caught up in the attack. |
| July 19, 2023 | Tampa General Hospital | Tampa General Hospital said confidential data of 1.2 million patients hacked | Unknown | A “criminal group” stole confidential information of about 1.2 million Tampa General Hospital patients, including Social Security numbers, the hospital announced. The theft of information came to light after the hospital detected “unusual activity” on its computer systems. |
| July 6, 2023 | bioMérieux - a French Biotechnology company | bioMérieux announced third-party data breach involving MOVEit | Clop Ransomware (MOVEit) | bioMérieux explained that the incident resulted in an unauthorised party being able to access consumers’ sensitive information. |
| July 5, 2023 | Murfreesboro Medical Clinic & SurgiCenter | Murfreesboro Medical Clinic & SurgiCenter notified 559,000 of data breach | Unknown | MMC explained that the incident resulted in an unauthorised party being able to access consumers’ sensitive information, including protected health information and insurance information. |
| June 29, 2023 | NHS UK, and University of Manchester | More than a million NHS patients’ details compromised after cyber attack | Unknown | NHS details of more than a million patients were compromised in a cyber attack. The ransomware attack on the University of Manchester affected an NHS patient data set that held information on 1.1 million patients across 200 hospitals. |
| June 29, 2023 | The US Health and Human Services Department | At least 100,000 could have had data exposed after US health department was hit by global cyber attack | Clop Ransomware (MOVEit) | At least 100,000 people could have had their data compromised by a hack of contractors at the Department of Health and Human Services, making it the latest US government agency to be caught up in the sweeping cyber attack connected to the MOVEit attack. |
| June 22, 2023 | CoxHealth | CoxHealth confirms patient information leaked following Intellihartx, LLC data breach | Clop Ransomware | The incident resulted in an unauthorised party gaining access to consumers’ names, Social Security numbers, dates of birth, addresses and protected health information. |
| June 12, 2023 | Atlanta Women’s Health Group | Atlanta Women’s Health Group files notice of data breach affecting 33k+ patients | Unknown | The incident apparently resulted in patients’ protected health information being subject to unauthorised access. |
| June 7, 2023 | Nova Scotia Healthcare | Data on as many as 100,000 Nova Scotia healthcare staff stolen in MOVEit breach | Clop ransomware (MOVEit) | Data stolen included social insurance numbers, addresses and banking information of employees of Nova Scotia Health, the public service and the IWK Health Centre, which is a major paediatric hospital and trauma centre. |
| May 31, 2023 | Mission Community Hospital | Another hospital hit by ransomware: Mission Community Hospital | RansomHouse threat actors | RansomHouse threat actors claimed responsibility for the attack and provided a number of files as proof. They claim to have downloaded 2.5 TB of data. |
| May 30, 2023 | Enzo Biochem | Clinical test data of 2.5 million people stolen from biotech company Enzo Biochem | Unknown | Enzo Biochem, a New York-based biosciences and diagnostics company, said that on April 6 it experienced a ransomware attack that involved the “unauthorised access to or acquisition of clinical test information of approximately 2,470,000 individuals.” |
| May 27, 2023 | NHS UK | NHS data breach: trusts shared patient details with Facebook without consent | Human error | NHS trusts apparently shared intimate details about patients’ medical conditions, appointments and treatments with Facebook without consent. An investigation uncovered a covert tracking tool in the websites of 20 NHS trusts which had for years collected browsing information and shared it with the tech giant, in a major breach of privacy. |
| May 19, 2023 | Amazon-owned online pharmacy PillPack | Cybersecurity attack against Amazon-owned online pharmacy PillPack exposed user health data | Unknown | Amazon-owned PillPack reported a cybersecurity attack affecting the accounts of nearly 20,000 customers. An unauthorised person used customer emails and passwords to log into PillPack customer accounts, over 3,000 of which contained prescription information. |
| May 15, 2023 | PharMerica | Ransomware gang steals data of 5.8 million PharMerica patients | Money Message Ransomware gang | Pharmacy services provider PharMerica disclosed a massive data breach impacting over 5.8 million patients, exposing their medical data to hackers. |
| May 11, 2023 | New Mexico Department of Health | New Mexico Department of Health data breach exposes decedent health information | Unknown | The New Mexico Department of Health (DOH) reported a breach to HHS that impacted 49,000 individuals. The breach occurred when DOH discovered that a spreadsheet containing information about individual deaths in New Mexico had been sent to a journalist. The journalist had requested information under the Inspection of Public Records Act, but the information that was sent included protected health information (PHI). |
| May 11, 2023 | Richmond University Medical Center | Richmond University Medical Center suffers ransomware attack; unclear if patient info compromised | Unknown | The extent of the breach, which has crippled online services at the over-470-bed facility, is not currently clear. |
| May 10, 2023 | Norton Healthcare | Norton Healthcare hit with ‘cyber-event’ amid ongoing computer system shutdowns | Unknown | Norton Healthcare said it has been victimised by a "cyber-event," and some of its computer network systems remained offline. Norton took several systems offline, including internet and email access, as a precaution. |
| May 8, 2023 | Hong Kong group OT&P Healthcare | Patient data may have been leaked in cyber attack at Hong Kong group OT&P Healthcare | Unknown | The personal data and medical history of about 100,000 patients at a Hong Kong healthcare group could have been leaked due to a cyber attack. |
| May 5, 2023 | Catholic Health | Catholic Health announces third-party data breach | Unknown | The incident resulted in an unauthorised party gaining access to patients’ names, birthdates, demographic information, Social Security numbers, Medicare numbers, and diagnosis information. |
| May 4, 2023 | McPherson Hospital, Inc. | McPherson Hospital, Inc. notifies over 19k patients of recent data breach | Unknown | The incident resulted in an unauthorised party gaining access to consumers’ names, Social Security numbers, dates of birth, medical treatment information, medical billing information, and health insurance information. |
| April 28, 2023 | United HealthCare | United HealthCare reports data breach that may have revealed customers' personal information | Unknown | United HealthCare made customers aware of a data breach on April 28, 2023, which temporarily allowed access to personal information for those enrolled in the company's healthcare plans. According to a statement, "suspicious activity" was noticed on the UHC mobile application "that may have led to the disclosure of member information." |
| April 28, 2023 | Queensway Carleton Hospital | Major data breach at Queensway Carleton Hospital might have affected 100,000 patients | Unknown | The personal and health information of about 100,000 Queensway Carleton Hospital patients could have been affected by a major data breach, the hospital said. |
| April 24, 2023 | Shields Health Care Group | Shields Health Care Group data breach impacted more than 2.3 million patients | Unknown | An unauthorised actor gained access to the systems of Shields Health Care Group (SHCG) and exposed drivers’ licence numbers as well as other identification information for more than 2.3 million patients, according to the company. |