Incident Response Plans: Your Key to Successfully Mitigate Breach Damage and Expenses

A cyberattack impacts healthcare organizations far beyond the initial days of detection and containment. A single attack can cost your organization millions of dollars in response and recovery fees, regulatory fines and penalties, legal expenses, loss of revenue from downtime, and long-lasting negative reputational harm.

Unfortunately, most healthcare organizations know that even with proactive and compliant data security controls as part of a mature cyber program, this potential nightmare will likely become a reality.

Gone are the days of planning for a potential data breach. Today, every healthcare organization should focus on continuous preparedness and planning for when a breach inevitably occurs.

Yet, nearly a third of healthcare organizations don’t have a cyber response plan to address and minimize breach impact, and many don’t have response plans designed around threat actors’ current and real-world tactics. The challenge? Many organizations don’t have the tools, experience, or resources to successfully conduct tabletop exercises to ensure plans work in times of crisis. And that’s particularly alarming because incident response planning and testing are among the top three most effective cost-mitigation strategies for a breach.

If you’ve never been through a tabletop exercise, or your teams could benefit from a refresher, a walkthrough of a sample exercise that Clearwater experts recently presented via webinar with colleagues from 1stResponder and Jarrard may be helpful.

Stage 1: Cyber crisis management

Let’s set the stage for this sample exercise:

Just before 10 a.m. on what should be a typical Thursday morning, an employee who manages your organization’s primary email account receives a confusing message. A threat actor has accessed hospital data and plans to post it online. To prove it’s a serious threat, the message indicates a critical device has been infected with ransomware.

Immediate panic sets in, and quickly, word spreads to the organization’s CISO. The CISO jumps into action, alerting the information security team to begin threat hunting to determine if the threat is real.

This is the first stage of cyber crisis management, and it doesn’t take long for the Infosec team to track down the device and the ransom note.

Based on this scenario, here are key questions your teams should work through during a tabletop exercise:

  1. What role does threat hunting play in validating threat legitimacy and identifying potential indicators of compromise (IOCs)?
  2. How do your executives interpret IOCs and tactics, techniques, and procedures (TTPs) identified in the threat actor’s communication?
  3. What are the foreseeable implications of the ransomware threat on your operations, patient care, reputation, and financial stability?
  4. How will your CISO effectively assess the credibility of the threat actor’s claims and determine situation severity?
  5. What are the primary and secondary concerns that stem from the threat actor’s claims and the potential presence of ransomware within your network?
  6. Does the threat actor’s email and ransom note provide sufficient evidence (IOCs, TTPs, and actionable information) to warrant any alert, event, incident, or compromise classification level?
  7. Who should you invite to the table to address the ransomware threat and participate in decision-making and response efforts?
  8. Which teams do you need to stand up or activate to effectively respond to the ransomware incident and support your cybersecurity, business continuity, and disaster recovery (BCDR) efforts?
  9. How can your organization ensure the integrity and availability of critical data and systems while responding to the ransomware threat?
  10. Are there any legal or regulatory implications your organization should consider when responding to the ransomware threat and communicating with stakeholders?
  11. Looking ahead, which key internal and external stakeholders should be promptly notified about the ransomware threat and its potential implications?

Stage 2: BCDR validation

Although your Infosec team has found and isolated the device with ransomware, the threat continues to escalate. You discover:

The threat actor didn’t provide all the necessary details. Upon review of the ransom note, the CISO and Information Security team discover the threat actor has also exfiltrated data from your EPIC system along with the database. As events spiral, the IT team informs Infosec about notifications that the EPIC system and phone lines are not working for departments throughout your organization. Before you know it, there is a complete outage. Now, your CISO must quickly make executive decisions about next steps.

Your Infosec team gets busy trying to find out if the threat actor has actually exfiltrated data. Unfortunately, with systems going down, you already know it’s quite likely. On top of that, you understand affected systems contain protected health information (PHI) and other personally identifiable information (PII), both of which your organization is bound to protect.

Based on this escalation, here is the next set of questions your teams should work through during a tabletop exercise:

  1. Given the information the threat actor provided, how should you structure command and control decision-making to effectively respond to this situation?
  2. At which stage is your organization in your incident response plan (IRP) and processes?
  3. Which immediate actions should teams take to contain the breach, restore system functionality, and mitigate further damage?
  4. Considering the potential consequences and ethical considerations of paying ransom, does your organization have a pre-defined strategy and criteria to evaluate if you should comply with the threat actor’s demands?
  5. Considering potential impact on critical systems and patient data, as executives, what are the next steps to validate threat credibility and severity?
  6. Which decisions, responsibilities, and processes does your organization have to promptly notify and engage your cyber insurance provider to initiate claims processes and access support services?
  7. Is there a comprehensive plan to coordinate communication and negotiations with the threat actor and manage other related activities such as legal, regulatory, and public relations?
  8. Considering the confirmed cyberattack and outage affecting EPIC and phone lines, how does this affect the assessment of operational impact and the prioritization of response efforts from an executive level?
  9. Are there any additional third-party cybersecurity firms or legal advisors you should call for specialized expertise and assistance to help respond to the cyberattack and manage potential legal and regulatory implications?

Stage 3: Validating data exfiltration

By late Thursday afternoon, your teams are still discovering issues.

Your CISO and Information Security team have confirmed network traffic packet sizes align with the threat actor’s claim of data exfiltration. With systems down and services disrupted, local news outlets now want comments from your organization about the incident. To add to the criticality of the situation, federal agencies have reached out via email to discuss IOCs and TTPs, indicating a heightened level of concern and interest in the incident. As this nightmare won’t end, your teams also confirm the threat actor has successfully exfiltrated PHI and PII.

During your tabletop exercise, it’s now time for your executives to determine the next best steps to take. Consider these questions:

  1. Given the severity of the incident and potential data exfiltration, how does this impact the decision-making process regarding whether to comply with the threat actor’s demands for ransom payment?
  2. Considering the situation’s sensitivity, which key messages should your teams convey to external parties?
  3. How should teams communicate this information to maintain transparency and manage expectations?
  4. To mitigate the impact of system outages and disruptions, are downtime procedures and contingency plans in place for all departments and business functions?
  5. With the EPIC system and phone lines down and services disrupted, how is your organization ensuring continuity of care and providing essential patient services?
  6. How is your organization gathering and maintaining situational awareness regarding the status of critical systems, infrastructure, and business functions the incident has affected?
  7. Given the severity and criticality of the incident, should you activate any specific response plans or protocols at this time?
  8. What are the key considerations for implementing response plans and protocols effectively?
  9. Which communication strategies and channels are teams using to effectively communicate with partners, third-party vendors, and stakeholders about the incident?

Stage 4: Ransomware readiness

It’s Friday morning. Your teams are exhausted and have been working non-stop.

Following repeated connection failures and rumors of a potential cyberattack, third-party partners have terminated their connections as a precautionary measure. Local news is gathering. A news station says it received a tip about a cyberattack on your organization and is looking for confirmation.

At the same time, based on the IOCs and TTPs you previously provided to the FBI, a local field agent arrives. This agent indicates the agency has been monitoring this threat group’s activities. The FBI offers assistance to help manage the incident. In addition, the FBI is initiating an investigation and requests your organization’s support. This includes providing a designated work area, access to physical space, information systems, infrastructure, etc.

At this stage of your tabletop exercise, your teams should address:

  1. How does terminating third-party connections impact your organization’s ability to respond effectively to the potential cyberattack?
  2. Which measures should your teams take to mitigate disruptions this precautionary measure has caused?
  3. In light of the FBI’s involvement and offer of assistance, what steps should your organization take to coordinate with law enforcement agencies and leverage their support to help manage the incident, particularly regarding threat intelligence sharing and investigation collaboration?
  4. Considering the FBI’s request for cooperation, which logistical and operational challenges may arise in providing access to physical space, information systems, and infrastructure?
  5. How can your organization effectively address these challenges while maintaining security and confidentiality?
  6. How should your organization effectively communicate with the local news outlet and respond to inquiries about the rumored cyberattack while ensuring transparency and controlling information dissemination?
  7. What are the potential implications of the FBI’s investigation on your incident response efforts?
  8. How should your organization adapt its BCDR and IR plans to accommodate law enforcement involvement and ensure compliance with any legal or regulatory requirements?
  9. Given the disruption the cyberattack caused, including downtime of the EPIC system and phone lines, how can your organization effectively leverage cross-functional collaboration between IT, clinical staff, executive leadership, and external partners such as the FBI and third-party IR firms to ensure continuity of patient care, communication, and incident response efforts while mitigating the impact of the attack?

Stage 5: Ransom negotiations

It’s early Sunday morning, and everyone involved has been working around the clock to contain damage and restore systems.

Your executive team realizes there is an urgent need to bolster your organization’s ransomware readiness and BCDR capabilities. EPIC and phone lines are still down, so your organization’s ability to provide critical patient care and communication is still severely impacted. In response to the escalating crisis, your executive team decides to enlist the expertise of a private IR firm to help manage the situation and mitigate ransomware damage. The FBI also provides valuable support, enhancing your organization’s incident response capabilities and facilitating collaboration with other agencies like local law enforcement.

In this scenario, the executive decision to hire the external IR firm highlights your organization’s need for specialized expertise and resources to effectively respond to the cyberattack. FBI involvement showcases the importance of collaboration between law enforcement agencies and healthcare organizations to combat cyber threats.

Drawing on this, as part of your tabletop exercise, it’s now time to talk about:

  1. Which specific roles and responsibilities should go to internal teams, external partners such as the IR firm, and law enforcement agencies like the FBI to ensure a coordinated and effective response while minimizing further disruption to your operations?
  2. Which communication strategies and protocols should you implement to keep stakeholders informed and engaged throughout the incident response process, particularly given the ongoing challenges with EPIC and phone lines?
  3. How does the collaboration between partner agencies exemplify the importance of leveraging external expertise and resources in responding to cyber incidents?
  4. Which strategies can your organization employ to strengthen partnerships with external stakeholders for enhanced incident response capabilities in the future?
  5. How can your organization leverage the IR firm and FBI expertise to identify and mitigate ransomware attack damage, including containment of the threat, restoration of systems, and preservation of evidence for forensic analysis?
  6. Considering the ongoing impact on critical patient care and communication channels, how can your executive team prioritize and allocate resources to bolster ransomware readiness and BCDR capabilities in response to the attack?

Stage 6: To pay or not to pay?

Whether or not to pay a ransom may be one of your team’s most difficult decisions on this journey. The FBI does not support paying ransom in a cyberattack. The agency says there’s no guarantee you’ll get your data back, and paying encourages more illegal activity. However, many unique factors will impact your executives’ decision-making. And, whether or not you pay the ransom will guide the next steps your teams will take as they continue to respond and recover from this hypothetical — but all too real — incident.

Stage 7: After-action review

Every tabletop exercise should wrap up with an after-action review. This can help you evaluate what works in your plans and processes and what you should improve before you’re faced with an actual breach. Questions to cover include:

  1. Did you invoke your incident response plan during the exercise?
  2. When was the last update for the plan?
  3. Did your teams effectively follow the plan during the tabletop exercise?
  4. Which playbooks, processes, and methods did your teams use in response to the simulated event?
  5. How effective were these resources in guiding your response actions?
  6. In your sample exercise, what was the level of collaboration with external agencies, such as the IR firm, FBI, and other relevant entities?
  7. How well did this collaboration facilitate information sharing and coordinated response efforts?

Is it time for your organization to conduct a tabletop exercise? Contact us to discuss how we can help you plan and execute a highly effective tabletop that will enhance your organization’s readiness for a cyberattack.