1. Cyber Calamity
Exercise Briefing
TBD

2. Welcome and Overview Facilitator Name
[Title (e.g., Exercise Director or Lead Planner)]
[Organization]

3. Exercise Overview Exercise scope: Table Top Exercise Approx 2 Hours
The exercise is conducted in a no-fault learning environment wherein capabilities, plans, systems, and processes will be evaluated.
The exercise scenario is plausible, and events occur as they are presented.
All players receive information at the same time.
Mission area(s): Response, Recovery

4. Objectives and Core Capabilities
Capability 3 Continuity of Health Services Delivery
Objective 4- Discuss Strategies to Protect Health Care Information Systems and Networks

5. Objectives and Core Capabilities
Discuss Strategies to Protect Health Care Information Systems and Networks
Discuss inter-organizational information sharing and collaboration
Discuss alternate facilities for transport when IT structure is down
Improve the understanding of potential impacts and cascading effects that cyber intrusions can have

6. Participant Roles and Responsibilities
Players: Respond to situation presented based on current plans, policies, and procedures
Observers: Support players in developing responses, but do not participate in moderated discussion
Facilitators: Provide situation updates and moderate discussions
Evaluators: Observe and document player discussions

7. Exercise Structure
This exercise will be a multimedia, facilitated exercise. Players will participate in 2 Scenarios:
Scenario 1: Compromise of electronic Protected Health Information (ePHI)
Scenario 2: Corrupted Electronic Health Records/Electronic Medical Records (EHRs/EMRs)

8. Exercise Guidelines
This is an open, low-stress, no-fault environment. Varying viewpoints, even disagreements, are expected
Base your responses on the current plans and capabilities of your organization
Decisions are not precedent setting; consider different approaches and suggest improvements
Issue identification is not as valuable as suggestions and recommended actions that could improve [mission area] efforts; problem-solving efforts should be the focus
[Other applicable exercise guidelines as needed]

9. Assumptions and Artificialities
The exercise is conducted in a no-fault learning environment wherein capabilities, plans, systems, and processes will be evaluated
The exercise scenario is plausible, and events occur as they are presented
All players receive information at the same time

10. Exercise Schedule
Registration 0800 Welcome and Instructions 0830 Scenario Scenario Hotwash 1015

11. Scenario 1: Compromise of Electronic Protected Health Information Data

12. Scenario 1
The nursing staff at your healthcare facility has noticed that over the past several months that a part-time security guard has repeatedly shown up at least an hour earlier than his shift is scheduled to begin. The guard is well- liked and has worked at the facility for over five years.

13. Scenario 1
Six months ago the guard’s fiancé (also an employee at your facility), along with 25 other support employees, were laid off. Three months later, several administrative and finance employees at your facility received an from the guard’s fiancé with an invitation to check out her latest vacation pictures from Tahiti by clicking on a link to Upon clicking the link, an error message – 404 Error File Not Found – was displayed. Some employees replied to the sender that there was an error message; others did nothing.
Provide Handout #1

14. Scenario 1: Key Issues
Facility's ability to recognize unusual activity
Employees access issues post employment
Affected information and ability to retain/protect it
Provide Participants Hanout 1.a
Facilitators: Provide an example.

15. Scenario 1: Discussion
Who would be notified about a cybersecurity incident? For example, would your emergency manager be notified? Would clinical personnel be notified?
Does a significant cybersecurity situation result in the standing up of your emergency response committee?
In conjunction with your emergency response plan, do you have a continuity of operations plan (COOP) in the event of a cybersecurity incident?
A suggestion may be made to contact outside support. Who would you contact?
How do you activate your emergency response (or cybersecurity response) plan?

16. Scenario 2: Corrupted Electronic Health Records/Electronic Medical Records

17. Scenario 2
Several weeks ago the software on your EHR/EMR system was updated and despite some very minor initial problems, the system has been operating well. You are experiencing clinical support computers that are receiving data slowly, do not respond, or freeze. Patient care is increasingly delayed as physicians and clinicians authenticate and verify patient EHR/EMR information through labor intensive and time-consuming, downtime manual paper procedures (e.g., patient questioning; contacting families).

18. Scenario 2 cont…
Amidst the treatment of patients with corrupt EHRs/EMRs, the center becomes rapidly overwhelmed and as new patients arrive, only life- threatening emergencies are accepted for emergency department treatment. Trauma staff members are complaining that the EHR/EMR system has virtually ground to a halt and is unusable. Administrator priorities shift to reaffirming EHR/EMR data integrity..
Provide Handout #2

19. Scenario 2: Key Issues Ability to care for patients
Ability to accept emergency vehicles
Lost information
Provide Handout #2.a

20. Scenario 2: Discussion
Facilitator will ask additional questions based on Discussions
General Questions
How does not being able to enter new orders electronically affect how care is delivered in your healthcare organization or hospital?
What contingency plans (e.g., paper charting) do you have in place for this type of event?
How do you communicate with physicians, nurses, and other personnel to make them aware of the situation? Are these communication methods or channels dependent on the use of technology?

21. Scenario 2: Discussion
What actions will you take to ensure lines of communication remain open?
What actions will you take to maintain patient safety, including medication safety?
What other kinds of decisions have to be made?
Does this information impact your response? How so?

22. Hot Wash Strengths Decision Making and Incident Management Operations
Recovery
Areas for Improvement

23. Closing Comments