A structured tabletop exercise that reveals every gap in your incident response capability — in 90 minutes
This post is part of the Telehealth & Healthcare Security Series. It builds on the foundational concepts in Why HIPAA Compliance Isn’t Enough: A NIST CSF 2.0 Guide for Telehealth, The Compliance Trap, and Identity Is the Perimeter — and moves from prevention to what happens when prevention fails.
It’s 10:15 AM on a Tuesday. Your practice has 23 patients scheduled for telehealth visits today. The EHR just went dark. The ransom note says you have 48 hours.
The narrative puts you in the chair of the practice manager. Phones are ringing. Two providers are mid-session with patients — one discussing a new psychiatric medication, the other reviewing post-surgical imaging. The front desk is fielding calls from afternoon patients asking to confirm appointments. The billing system is locked. The office manager just tried to send an email to the partners and realized: the email might be compromised too.
What do you do first? Who do you call? What do you tell the patients? What do you tell the staff? Do you know where your incident response plan is — and if you do, have you ever actually walked through it under pressure?
This post gives you the tabletop exercise to answer those questions before an attacker forces you to answer them for real.
10:15 AM
EHR displays ransom note. All clinical workstations locked. The screen reads: “Your files have been encrypted. You have 48 hours to pay $175,000 in Bitcoin or your data will be published.”
10:17 AM
Telehealth platform still running — it’s a separate cloud service. But provider notes can’t be saved. Two providers are mid-session with patients and don’t know what’s happening yet.
10:20 AM
Front desk phones ringing. Afternoon patients calling to confirm appointments. Staff doesn’t know what to tell them. The scheduling system pulls from the EHR — it’s inaccessible.
10:25 AM
Billing system offline. Claims processing halted. Today’s superbills can’t be generated. Yesterday’s claims never transmitted.
10:30 AM
Practice manager realizes: email may also be compromised. The ransomware vector is unknown. Was it a phishing email? If so, who else clicked? Are the attackers reading your emails right now?
10:45 AM
Provider mid-telehealth session asks: “Should I tell the patient what’s happening?” The patient is visibly anxious. The provider can’t access their chart, medication list, or prior notes. The session is effectively clinical guesswork.
Every healthcare practice has an incident response plan. It lives in a binder, a shared drive, or a compliance folder that gets opened once a year during audit season. The plan assigns roles, defines escalation paths, and references policies that were written by someone who may no longer work at the practice. On paper, it looks thorough.
Then ransomware hits at 10:15 on a Tuesday morning, and the plan falls apart in the first five minutes.
A written plan tells you what should happen. A tabletop exercise shows you what actually happens when the pressure is on — who freezes, who takes charge, which phone numbers are wrong, which systems nobody knows how to access, and which assumptions collapse the moment they meet reality.
This exercise is designed for a 90-minute session. You need a facilitator, the participants listed below, and a willingness to be honest about what your practice can and cannot do. The facilitator reads each decision point aloud, gives the team 10–12 minutes to discuss and decide, then captures the responses and any gaps that surface.
Assign each role to a real person in your organization. If one person wears multiple hats — which is common in small practices — that’s fine. The exercise will reveal whether that person can realistically handle both roles during a crisis.
Overall coordination, decision authority, communication with partners and leadership
Patient care continuity decisions, clinical workflow adjustments, provider communication
Technical containment, system isolation, backup verification, forensic coordination
Regulatory notification timelines, breach assessment, documentation requirements, legal coordination
Patient-facing messaging, appointment management, phone scripts, social media monitoring
Revenue cycle impact, claims processing continuity, payer notifications, financial recovery
Each decision point presents a realistic fork in the road. There are no “right” answers — only decisions with consequences. The goal is to surface the gaps, not to pass a test.
The EHR is locked. The ransom note is on every clinical workstation. Staff are looking at you. The clock is running.
Do you:
Discussion questions: Who makes this call? Who do you call? In what order? Is the MSP’s emergency number saved somewhere that isn’t on an encrypted computer? Does anyone know how to physically isolate network segments?
You have 23 telehealth appointments scheduled today. Two providers are mid-session right now. Twelve more patients are expected this afternoon. The telehealth platform is still running — it’s a separate cloud service — but providers have no access to charts, medication lists, or prior notes.
Do you:
Discussion questions: Who communicates with patients? What exactly do you tell them? Do you have a script? How do you handle patients who need prescription refills today? What about patients with urgent clinical needs who can’t wait for systems to come back?
The ransom demand is $175,000 in Bitcoin. The note claims your patient data will be published on a leak site in 48 hours if you don’t pay. Your cyber insurance policy has a $250,000 ransomware coverage limit, but the carrier requires notification within 24 hours and pre-authorization before any payment.
Do you:
Discussion questions: Who has the authority to make this decision? Do the partners need to vote? Does anyone know how to acquire Bitcoin? Do your backups actually work — when was the last time you tested a full restore? Does your insurance policy cover ransom payments, and what are the conditions? Has anyone contacted legal counsel? Has anyone checked the sanctions exposure? OFAC has advised that paying a sanctioned ransomware actor can itself be a violation, which is one reason counsel and the carrier need to be involved before any payment is even discussed with the attackers.
It’s 2:00 PM. A local reporter calls the front desk asking about “reports of a cyberattack at your practice.” A patient has posted on Facebook that their appointment was cancelled and they were told it was “a computer problem.” Your staff are texting each other on personal phones. A partner’s spouse called asking what’s going on.
Do you:
Discussion questions: Who is authorized to speak to media? Do you have a pre-approved holding statement? What about social media — who monitors it, and who responds? What do you tell staff they can and cannot say? What do you tell patients who ask directly?
It’s been 48 hours. The forensic team has confirmed that patient data was exfiltrated before the encryption. This is now a reportable breach. The regulatory clock has started, and under the HIPAA Breach Notification Rule it most likely started 48 hours ago: the notification window runs from the date the breach is discovered (or reasonably should have been discovered), and HHS treats ransomware encryption of PHI as a presumed breach unless the practice can demonstrate a low probability that the data was compromised. The forensic confirmation did not start the clock; it removed any argument that the clock had not started.
Do you know:
Discussion questions: Do you have the HHS breach portal bookmarked? Do you know the HIPAA deadlines: individual notice without unreasonable delay and no later than 60 days from discovery, with a breach affecting 500 or more individuals also reported to HHS at the same time, and notice to prominent media outlets if 500 or more residents of a state are affected? Do you know the NYS Attorney General’s notification requirements, which run on their own timeline? Has your compliance officer ever filed a breach report? Do you have outside counsel on retainer for breach response? Does your insurance carrier have a breach coach, and do you have their contact information?
Your MSP has confirmed that systems can be restored from backup, but the process will take 3–5 business days. Some data from the past 24 hours may be lost. During that time, your practice needs to continue operating — patients need care, prescriptions need to be written, and bills need to be submitted.
During the 3–5 day recovery window:
Discussion questions: Have you ever tested a full backup restore? Do you know how long it takes, and does the 3–5 days the MSP quoted match anything the practice has ever measured? What is the actual RPO (Recovery Point Objective) of your backups — how much data will you lose? Were the backups reachable from the same network the attackers controlled, or are they offline or immutable? Ransomware operators routinely encrypt or delete every backup they can reach before detonating, so a backup the attacker could touch is not a backup you can count on. Do you have paper-based fallback procedures documented and accessible?
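“Tested a restore” should mean more than watching the job finish: it means comparing what came back against what was there and putting a number on what was lost. The script below is an added example written for this post, not code from the original post or from any EHR or backup vendor. It builds a SHA-256 manifest of a live data set, checks a restored copy against it, and measures the recovery point gap against an RPO target. The file names, contents and timestamps are constructed sample data standing in for an EHR export; the function names are this example’s own. It assumes Python 3.9 or later.

```python
"""Restore verification and RPO check (added example; not from the original post).

Builds a SHA-256 manifest of a live data set, verifies a restored copy against
it, and measures how much data the restore would lose relative to an RPO
target. The file layout, contents and timestamps below are constructed sample
data standing in for an EHR export; they are not real records.
"""
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in chunks so large exports never have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file under root (relative path, '/'-separated) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_restore(manifest: dict[str, str], restored: Path) -> dict[str, list[str]]:
    """Compare a restored tree against the manifest taken from the live system.

    'missing' files were in the manifest but never came back; 'mismatched'
    files came back with different bytes (typically a stale version from the
    last backup); 'extra' files exist only in the restore.
    """
    actual = build_manifest(restored)
    common = manifest.keys() & actual.keys()
    return {
        "missing": sorted(manifest.keys() - actual.keys()),
        "mismatched": sorted(k for k in common if manifest[k] != actual[k]),
        "extra": sorted(actual.keys() - manifest.keys()),
    }


def recovery_point_gap_hours(last_good_backup: datetime, incident_time: datetime) -> float:
    """Everything written after the last good backup is lost in a restore."""
    return (incident_time - last_good_backup).total_seconds() / 3600


def rpo_met(last_good_backup: datetime, incident_time: datetime, rpo_hours: float) -> bool:
    """True if the data loss window fits inside the RPO the practice agreed to."""
    return recovery_point_gap_hours(last_good_backup, incident_time) <= rpo_hours


def _write(root: Path, rel: str, content: str) -> None:
    path = root / rel
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(content)


def run_demo() -> dict:
    """Constructed scenario: nightly backup at 02:00 UTC, ransomware at 15:15 UTC."""
    with tempfile.TemporaryDirectory() as tmp:
        live = Path(tmp) / "live"
        restored = Path(tmp) / "restored"
        # Live system as it stood at 15:15 on the day of the incident (sample data).
        _write(live, "charts/patient-001.json", '{"id": 1, "meds": ["lisinopril"]}\n')
        _write(live, "charts/patient-002.json", '{"id": 2, "meds": ["sertraline 100mg"]}\n')
        _write(live, "billing/claims-today.csv", "claim_id,amount\n1001,225.00\n")
        manifest = build_manifest(live)  # in real use, captured at backup time, not after encryption
        # What the 02:00 backup actually holds: patient-002 is the pre-titration
        # version, and today's claims file did not exist yet.
        _write(restored, "charts/patient-001.json", '{"id": 1, "meds": ["lisinopril"]}\n')
        _write(restored, "charts/patient-002.json", '{"id": 2, "meds": ["sertraline 50mg"]}\n')
        report = verify_restore(manifest, restored)

    incident = datetime(2026, 3, 10, 15, 15, tzinfo=timezone.utc)
    last_backup = datetime(2026, 3, 10, 2, 0, tzinfo=timezone.utc)
    # Same incident, but the previous night's job had silently failed.
    stale_backup = datetime(2026, 3, 9, 2, 0, tzinfo=timezone.utc)
    rpo_hours = 24.0
    return {
        "report": report,
        "gap_hours": recovery_point_gap_hours(last_backup, incident),
        "rpo_met": rpo_met(last_backup, incident, rpo_hours),
        "gap_hours_if_nightly_failed": recovery_point_gap_hours(stale_backup, incident),
        "rpo_met_if_nightly_failed": rpo_met(stale_backup, incident, rpo_hours),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

Two design points matter here. First, the manifest has to be generated and stored out of band at backup time (alongside an immutable copy of the backup), because once the workstations are encrypted there is nothing left to hash; a restore test that hashes the live system only after the incident proves nothing. Second, the two RPO calculations make the point the discussion questions are driving at: a nightly job that quietly failed the night before turns a 13-hour loss window into a 37-hour one, and nobody notices until the restore comes back stale. A restore test run quarterly, with the mismatched and missing lists reviewed by the clinical lead rather than only the MSP, is what turns “backups are running” into “backups work.”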
The tabletop exercise isn’t the deliverable — the improvement log is. After the exercise, the facilitator leads a structured debrief to capture: what went well, what gaps were discovered, specific action items with owners and deadlines, and the date for the next exercise. Every finding becomes a tracked item with a name and a due date. If it doesn’t have an owner and a deadline, it won’t get done.
| Gap Identified | Severity | Action Required | Owner | Deadline | Status |
|---|---|---|---|---|---|
| MSP emergency number not accessible offline | Critical | Print emergency contact card for all staff; laminate and post at every workstation | Practice Manager | +7 days | Open |
| No paper charting procedures documented | Critical | Develop paper-based fallback SOPs; print and store in break room and front desk | Lead Clinician | +14 days | Open |
| Backup restore never tested | High | Schedule full restore test with MSP; document actual recovery time | IT Lead / MSP | +30 days | Open |
Schedule the next exercise before leaving the room. Quarterly is the recommended cadence. Put it on the calendar, assign the facilitator, and commit to a date. If you walk out of the room without a next date, the improvement log becomes another document that sits in a folder and never gets revisited.
Every practice needs documented paper-based fallback procedures. This is not archaic — it is operational resilience. When ransomware locks every screen in your office, the practices that keep seeing patients are the ones that planned for exactly this moment.
Can your practice still operate without any digital systems?
Paper fallback procedures should be printed, stored in a known physical location, and reviewed during every tabletop exercise. If the procedures are stored only on a computer, they won’t be accessible when you need them most.
When was the last time your practice ran a tabletop exercise — not a plan review, an actual exercise with people in a room making decisions under a scenario?
If ransomware hit right now, who would you call first? Do you have that number memorized or saved on a device that might be encrypted?
Do your backups work? When was the last time you actually tested a restore — not confirmed backups are running, but restored data and verified it?
Could your practice see patients for a week using only paper? Do staff know the procedures, and are the forms printed and accessible?
Do you have a pre-approved media statement for a cyber incident — written, reviewed by counsel, and accessible without digital systems?
Does your cyber insurance policy require specific notification timelines that you’re aware of — and can you meet them?
If you hesitated on any of these, your incident response capability has gaps that will cost you time, money, and patient trust when an attack occurs.
Venuto, J. (2026, February). The compliance trap: Why “HIPAA compliant” medical groups still get hacked. Security Medic Consulting Blog. https://sm911.github.io/CFS-2.0/govern/gv-rm/hipaa_compliance_trap.html
Venuto, J. (2026, February). Why HIPAA compliance isn’t enough: A NIST CSF 2.0 guide for telehealth. Security Medic Consulting Blog. https://sm911.github.io/CFS-2.0/govern/gv-rm/telehealth_nist_csf_hipaa_guide.html
Venuto, J. (2026, March). Identity is the perimeter: Telehealth access control that actually holds. Security Medic Consulting Blog. https://sm911.github.io/CFS-2.0/protect/pr-aa/telehealth_identity_access_control.html
National Institute of Standards and Technology. (2024). Cybersecurity framework 2.0. https://www.nist.gov/cyberframework
U.S. Department of Health and Human Services. (2024). HIPAA breach notification rule. https://www.hhs.gov/hipaa/for-professionals/breach-notification/index.html
The gap between having a plan and surviving an incident is a 90-minute exercise. Let’s run it together.
A facilitated 90-minute ransomware tabletop exercise customized to your practice: realistic scenario development, structured decision points, post-exercise gap analysis, and a prioritized improvement roadmap — tailored to your team, your systems, and your risk profile.
Hudson Valley CISO
A Division of Security Medic Consulting
Fractional CISO Services | Incident Response | Healthcare Security