
Author: Roy Cole

1 Healthcare Facility Business Continuity Plan Tabletop Exercise: CYBER ATTACK

2 Exercise Guidelines
- This exercise will be held in an open, low-stress, no-fault environment. Varying viewpoints, even disagreements, are expected.
- Respond to the scenario using your knowledge of current plans and capabilities (i.e. you may use only existing assets) and insights derived from your training.
- Decisions are not precedent setting and may not reflect our organization's final position on a given issue.
- This exercise is an opportunity to discuss and present multiple options and possible solutions.
- Issue identification is not as valuable as suggestions and recommended actions that could improve response efforts. Problem-solving efforts should be the focus.
- Information gathered during the exercise will be reviewed to assess modifications to the relevant Business Continuity Plan(s).

3 Business Continuity Plan
The Business Continuity Plan should address the following:
- Who is affected?
- Prioritize mission essential services.
- Prioritize mission essential equipment.
- Prioritize units to be brought up.
- Recovery of medical records for billing purposes.

4 Module 1: Initial Incident Actions and Mitigation
Scenario Background: September 29, 2016 / 0800 hrs.
A report on planned hacktivist actions against U.S. interests has been received from The Void, and the report has been confirmed by various cyber security firms. The report is specific to the Health Sector.
Key Issues:
- Preventive measures/mitigation.
- Situation assessment.
- Decision making and authority.

5 Module 1: Questions
Identify any critical issues, decisions, requirements, or questions that should be addressed.
- Who would receive this information? Who would it be communicated to?
- Do we feel compelled to take any preventive measures?
- How do variables in the threat information we received, such as timeframe, credibility, and specificity, affect our decision making and prevention efforts?
- Discuss the coordination efforts that would occur in this type of incident.
- What tools do we use to support cyber prevention?
- How do we share cyber threat information internally? How do we share information externally, with groups such as law enforcement entities?
- Do we feel compelled to activate our response plans, business continuity plans, or an incident management team (IMT)? If so, just Information Solutions, or include representatives from other departments and leadership? Who should make up the IMT?

6 Module 2: Incident Response
Scenario Update: September 29, 2016 / 0900 hrs.
Many weeks ago, our security event console indicated the detection of suspicious network activity. Our system administrator, conducting his daily check of the system backup server, discovered a backup error message. On further investigation he found no additional errors and noticed nothing unusual, and he logged the error message according to our standard logging procedures.
One week ago, the database server on our corporate local area network crashed. After an automatic reboot, operations appeared normal, but shortly afterwards IT Support received several phone calls from users in the Accounting Department reporting that the network seemed slow. By noon that same day, additional calls were received from users in other departments, to the point where IT Support became overwhelmed and considered escalating the problem to management.

7 Module 2: Incident Response
Scenario Update: continued
One hour ago, we learned that our facility is The Void's primary target, and they are wreaking havoc on our company. They are illegally transferring our money, sending customers fraudulent invoices, and threatening extortion. They have also disabled our internal network, impacting the systems we use to communicate with patients, providers and staff. Our computers are starting to lock up.

8 Module 2: Incident Response
Key Issues:
- Detection.
- Resources.
- Downtime.
- Plans and policies.
- Communication to organization/customers.
- Service continuity.

9 Module 2: Questions
Focus on ways we would notify stakeholders and share information to combat this attack.
Communication Issues:
- What internal and external messages would need to be developed? How are they distributed?
- Who leads the public information process?
- What about planned notifications? How do we handle these internally and externally to our organization?

10 Module 2: Questions
Cyber Issues:
- How would we (or you) detect malicious activity of unknown origin on our systems?
- What are your top priorities at this time?
- How would we (or you) quickly respond to a suspected cyber attack?
- How are decisions made about protecting systems/data versus investigating this problem as a crime? Who makes the decision?
- What tools or assets do we (or you) have to assist in detecting unauthorized activity? What type of detection hardware and/or software do we use?
- How successful or unsuccessful has this software/hardware been in detecting and/or preventing this activity?

11 Module 2: Questions
Cyber Issues:
- How would we (or you) conduct an assessment of this situation?
- What resources do we have, or could we request, for network forensics?
- Where do we receive our cyber response technical assistance? Do we have plans, procedures or policies in place to access this assistance?

12 Module 2: Questions
Cyber Issues:
- What resources are needed, and where would we (or you) get them?
- Do our current mutual aid agreements address cyber-specific resources and staff?
- Do we have a Cyber Response Team? What is its composition and skill set?

13 Module 2: Questions
Additional Response Considerations:
- At what point do we contact law enforcement? Who makes contact, and who do we contact?
- What are the business implications of the scenario? How would we determine them, e.g. brand, reputation or financial impact?
- Are IS/IT and business continuity functions coordinated with physical security? Would all three then be collaborating with the public relations, human resources, and legal departments?
- Would you activate HICS (Hospital Incident Command System) and the HCC (Hospital Command Center)?

14 Module 3: Incident Resolution, Recovery and Continuity of Operations
Scenario Update: November 24, 2016 / 1300 hrs.
We've been at this for many weeks now. It all started with a general threat warning issued by The Void, saying that they'd be attacking U.S. interests with "zero day" attacks. Then our organization conducted a security audit that uncovered a terminated employee who still had system access. A week later, an employee found a USB drive in the parking garage and proceeded to use it. Unbeknownst to the employee

15 Module 3: Incident Resolution, Recovery and Continuity of Operations
Scenario Update: November 24, 2016 / 1300 hrs. (continued)
Things started to fall apart from here: our employees started receiving and opening phishing e-mails from The Void; the database server crashed, resulting in a slow network and lost productivity; several illegal transfers of our money were made; and false invoices were distributed to a number of our clients. And it didn't stop there. To add insult to injury, the hackers sent an e-mail indicating that the company's network had been infiltrated and various components taken over; threatened to cripple the company's network and expose proprietary company data unless they received $1 million; and, finally, brought our website down, crippling our ability to communicate with each other and our customers.

16 Module 3: Incident Resolution, Recovery and Continuity of Operations
Scenario Update: November 24, 2016 / 1300 hrs. (continued)
Thankfully, through close collaboration with law enforcement and security consultants, we were able to stop the attack, but not before it caused significant damage to our business: loss of census (patient admissions), as well as losses of market share and profit. The community no longer had faith that their records would be kept confidential.

17 Module 3: Questions
Identify any critical issues, decisions, requirements, or questions that should be addressed.
- If our organization is disconnected from its network access during the cyber attack, what procedure would you use to restore connectivity?
- Which systems should be prioritized first for repair or restoration?
- How could we coordinate patient treatment with other health and medical providers, e.g. clinics?
- Based on the information presented, what are your top priorities at this time?

18 Module 3: Questions
- What costs associated with our agency's operations during the crisis are reimbursable? How will reimbursement be obtained?
- How are costs tracked? What records or paperwork are needed to do so?
- How long will it take to recover the patient records if we were down for one month? How long will it take to bill those records? Is extra staff required?
- What is the recovery strategy for the data center? Do we need to consider relocation?
- How can we improve training programs so that we are better prepared for a cyber attack in the future?
- How are interdependencies coordinated? Who should they be coordinated with?

19 Business Continuity Plan
The Business Continuity Plan should address the following:
- Who is affected?
- Prioritize mission essential services.
- Prioritize mission essential equipment.
- Prioritize units to be brought up.
- Recovery of medical records for billing purposes.

20 Exercise Participants
- Nursing
- POM
- Marketing and Communications
- Administration
- Finance
- Human Resources
- Emergency Management
- Los Angeles County EMS Agency

21 Thank you