Awareness article

Tabletop Exercises for HIPAA Incident Response

How to run a ransomware tabletop at a small clinic: roles, injects, timing, and what to document to satisfy 45 CFR 164.308(a)(6).

Short answer

45 CFR 164.308(a)(6) requires security incident procedures. A tabletop exercise is the cheapest way for a small clinic to prove those procedures work before a real incident tests them. A ninety-minute ransomware scenario with four roles, one of them a scribe, is enough to satisfy the rule and expose the actual gaps.

45 CFR 164.308(a)(6) requires covered entities to implement policies and procedures to address security incidents. What the rule does not spell out, and what matters for a small clinic, is that procedures that have never been exercised cannot credibly be called maintained. A tabletop is the cheapest way to test the procedures before a real attack does.

A working tabletop takes ninety minutes and four roles, one of them a scribe. Everything else is detail.

Why ransomware

Ransomware is the scenario every small clinic should exercise first. HHS has published a dedicated fact sheet covering ransomware under HIPAA, and the incident patterns against small practices have been consistent for years: encrypted workstations, locked EHRs, ransom notes, and an immediate operational crisis.

A ransomware tabletop also touches every other safeguard. The backup plan gets tested. The emergency mode operation plan from the contingency planning guide gets exercised. The breach notification decision tree gets walked. The BAA inventory from the asset inventory guide comes into play when the team has to notify the EHR vendor.

The four roles

A small-clinic tabletop needs four named roles. One person can hold two of them, but every role should be filled.

  • Incident Commander. Owns the response, makes the calls, and decides when to escalate. Usually the practice administrator or Security Officer.
  • Scribe. Captures every decision, every assumption, every pause. The scribe is the most valuable role in the exercise because the notes become the evidence.
  • Clinical Lead. Represents patient care. Answers the question of how the scenario affects scheduled patients, active exams, and medication orders.
  • External Comms. Handles the hypothetical calls to vendors, law enforcement, cyber insurance, and the media. For small clinics, this role practices saying "no comment" to reporters and "yes" to the insurance breach hotline.

A working ransomware scenario

A usable scenario reads like this. At 8:15 AM on a Tuesday, the front desk PC displays a ransom note demanding payment in Bitcoin. The EHR is unreachable from that workstation. Three patients are already in the waiting room. The first provider has a full schedule starting at 9:00 AM.

From that opening, the facilitator delivers injects to pressure the team.

  • Inject at minute 15: a second workstation shows the same ransom note.
  • Inject at minute 30: the EHR vendor’s status page reports no issues, so the attack is clearly local.
  • Inject at minute 45: a patient calls asking why their appointment confirmation did not go through.
  • Inject at minute 60: a local reporter calls the front desk asking whether the clinic was hit by ransomware.
  • Inject at minute 75: the cyber insurance carrier is on the line and wants a preliminary incident report.

The team works through each inject. The scribe captures every decision.

What the scribe should capture

Five things belong in the scribe notes.

  • The timeline of events and decisions, with timestamps.
  • Every assumption the team made when they did not have information.
  • Every point where the team paused because no one knew the answer.
  • The external parties contacted and why.
  • The breach-notification analysis the team performed, referencing 45 CFR 164.400-414.

The pauses are the most important. They are where the incident response plan has gaps. The HIPAA annual review checklist is where those gaps become backlog items.

The hot wash

Immediately after the exercise, spend thirty minutes on the debrief. Three questions structure it: what worked, what did not, and what change in the plan, the training, or the tooling would have changed the outcome. Write the answers down before people leave the room.

Specific common findings in small-clinic ransomware tabletops: the backup restore point is older than the team assumed, no one knows the cyber insurance incident hotline number, and the EHR vendor’s after-hours support path is undocumented. Each of those becomes a follow-up task.

Connecting to the rest of the program

The tabletop is not a standalone event. It feeds the contingency plan revision, validates the asset inventory, and stress-tests the workstation use policy when the team discusses how the ransomware entered in the first place. Platforms such as PHIGuard keep the tabletop date, scribe notes, and resulting task list attached to the incident response control so the evidence is always retrievable.

What to do next

Pick a date in the next sixty days. Block ninety minutes. Assign the four roles, including the scribe. Use the scenario above as a starting point. The first tabletop is always the hardest and also the most informative.

FAQ

Questions related to this topic

How often should we run a tabletop?

At least once per year. Clinics with higher-risk profiles or recent near-misses should run two. Tie the exercise into the annual review so the evidence is generated on a predictable cadence.

Do we need an external facilitator?

Not for the first few. An internal Incident Commander and Scribe can run a credible exercise. External facilitation adds value once the team has matured past the basics.

Does a tabletop satisfy the contingency plan testing requirement?

It satisfies part of it. A tabletop tests decision-making. A backup restore test is still needed to prove the data side. Most small clinics do both annually.

What if the tabletop exposes that our plan is wrong?

That is the point. The scribe notes feed the next revision. An exercise that finds nothing is usually an exercise that was not hard enough.
