Health CIOs and chief information security officers are preparing for ransomware attacks with something more commonly associated with hobby shops than hospitals: tabletop games.
The recent ransomware attack on Chicago-based CommonSpirit Health that shut down EHRs and canceled appointments brought new attention to the damage ransomware can have on health systems and raised questions about how to stop attacks.
Most ransomware preparation revolves around stopping ransomware attacks before they happen. While training staff to avoid clicking on unknown links, implementing multifactor authentication and creating strong passwords is worthwhile, tabletop games allow CIOs to prepare for the worst in a controlled environment.
Aaron Weismann, chief information security officer at Radnor Township, Pa.-based Main Line Health, has been running tabletop ransomware exercises since 2020.
"I think tabletop exercises are effective at training staff how to respond to real-life cyberattacks. They take the edge off one of the most catastrophic events that can happen to an organization," Mr. Weismann told Becker's. "When a ransomware attack hits, people can grab their incident response workbook and say, 'I know what to do.' Along those lines, they provide really great opportunities for information security awareness. You can easily tie phishing, web browsing, portable media, insider threat and other potentially risky organizational activities."
The actual gameplay of a ransomware tabletop exercise tends to differ from a traditional board game. Often, the exercises look more like structured discussions and roundtables than conventional board games.
"We bring in external teams to develop fact patterns based on our industry placement, organizational structure, and identified weaknesses," Mr. Weismann said. "That team then sits down with a group of IT and clinical personnel, including executive leadership. As we proceed through the exercise, we identify what we'll do when and with what tooling or infrastructure. We also identify what we can't do, why, and discuss how we might be able to achieve those goals or objectives in the future."
Mr. Weismann is working to better gamify the exercises and believes the more interactive and immersive the tabletop exercises, the more staff will be prepared for the real thing.
Amar Singh, CEO and CISO at Cyber Management Alliance Limited, a company specializing in cybersecurity training and tabletop exercises, stressed the importance of making sure tabletop exercises are personalized to an organization's cybersecurity needs.
"Through a verbally simulated scenario, we evaluate whether your best-laid response plans are actually viable in the face of a real attack," he said. "During the ransomware tabletop exercise, we work toward creating a real attack environment that's relevant to your business."
Mr. Singh follows up the exercises with an executive summary that allows organizations to review the gaps they still need to address regarding staff training and preparation.
For healthcare organizations, ransomware attacks can be catastrophic because of their ability to disrupt care. The amount of sensitive data healthcare organizations store makes them perfect targets.
As Mr. Singh put it, "They can either steal your data, lock you out of your systems and make your patients suffer or threaten to leak the sensitive personal information if their ransom demands are not met."
"As a community-based healthcare organization, our biggest fears are impacts to patient safety and health outcomes and inability to care for new patients," Mr. Weismann said. "So we want to make sure that we as an organization are preparing for that worst case. If we're attacked and that level of impact doesn't come to fruition, then we're over-prepared and understand how to respond appropriately."
Not all ransomware tabletop games are created equal. Mr. Singh's company offers games that range in scenarios from a simple phishing attack to a nation-state launching a sophisticated multistep attack targeting a healthcare organization.
The rising use of ransomware tabletop games represents the realization that the growing sophistication of ransomware attacks means it's worth the time to prepare for the worst and learn how to mitigate an organization's losses.
"To succeed in defending against a ransomware attack, the first and most important aspect is acknowledging that your existing technological and procedural controls will fail at some point. Once there is acceptance, one then needs to focus on response and recovery," Mr. Singh said. "That's where tabletop exercises come into focus. A regularly conducted, well-designed and professionally facilitated ransomware tabletop exercise can significantly help improve response and recovery times."