Bolstering Cybersecurity in Healthcare with Cyber Tabletop Exercises

Date: 16 May 2024

Featured Image

Strong cyber defences are perhaps, not as critical, in any industry as they are in the healthcare sector. A single breach or ransomware attack can impact human life. While the shock value of this phrase has been exploited many times over, it continues to emerge everywhere because it’s so true. 

Preparing for cyber-attacks and ensuring that they don’t bring healthcare and emergency services to a standstill is of utmost importance today. And tailored cyber attack tabletop exercises can help healthcare organisations achieve this and improve their security posture. 

In this blog, we explore how cyber simulation drills are indispensable for the protection of precious healthcare data and of the even more precious human health and life. We also show you how cyber drills can be tailored specifically for the healthcare sector to make them all the more effective. You can also download our Cyber Tabletop Exercise Template today and start customising it for your own cyber simulation drill. 

With the bespoke exercises that we at Cyber Management Alliance conduct, the specific goal is to achieve extremely productive outcomes that help enhance cyber crisis decision-making and cyber incident response plans and strategies.

In this blog, we’ll take a quick look at: 

  1. Top Cyber Tabletop Exercise Examples for the Healthcare Sector
  2. How to Curate Bespoke Cyber Drills for the Healthcare Industry?
  3. Why Study Recent Cyber Attacks in the Industry?
  4. Major Cyber Attacks in the Banking and Finance Sector in recent past

Top Cyber Tabletop Exercise Scenarios for the Healthcare Industry 

The healthcare industry faces unique cybersecurity and information security challenges. The sector not only handles sensitive patient data but also relies on a complex network of interconnected devices and systems to deliver life-saving services.  

Cyber security incidents in healthcare can lead to catastrophic consequences, including the disruption of critical patient care services, theft of sensitive patient data, and significant financial losses. 

This environment necessitates a cybersecurity strategy that is both robust and tailored to the specific needs of the sector. This is precisely why tailoring cyber attack simulation drills to threats and risks relevant to the industry is vital. 

Here’s a look at the top cyber-attack scenarios that cyber drills for healthcare must focus on: 

  • Patient Privacy: Tabletop scenarios must focus on data breaches, ransomware attacks on medical devices, and insider threats targeting patient records. Incident Response teams and security team members must build muscle memory for the cyber incident response plan. The exercise scenarios should also help them become better aware of their own roles and responsibilities in case of an attack. 

  • HIPAA Compliance: It’s important to rehearse for scenarios that put the organisation at a risk of breaching the Health Insurance Portability and Accountability Act (HIPAA). The Act is paramount for healthcare organisations. And it’s important to rehearse a response strategy that ensures compliance with HIPAA in the event of an attack or data breach.  

  • Medical Device Security: Risk Management with respect to IoT and computer-reliant medical devices is essential for healthcare companies. It is imperative to rehearse for an attack on the security of medical devices and the organisation's ability to respond to related cyber incidents.


Back To the Top

cyber tabletop scenarios

How to Tailor Cyber Attack Tabletop Exercises for the Healthcare Industry

While tailoring Cyber Tabletop Exercises for the Medical and Healthcare industry, the scenarios discussed above should be top-of-the-mind. Taking into consideration the unique and major threats that the healthcare sector faces is important. 

Cyber drills for healthcare should, essentially, simulate scenarios that healthcare organisations are most likely to encounter, such as ransomware attacks disrupting patient care, breaches of patient data, or attacks on medical devices. 

A well-designed exercise will not only test the organisation's cybersecurity incident response but also highlight areas where improvements are needed. 

Some of the other important factors to keep in mind while planning and producing a cyber tabletop exercise for the healthcare sector include: 

  1. Realistic Scenarios: Reiterating the above - scenarios should reflect real-world situations that could occur in the healthcare setting. This includes everything from phishing attacks targeting hospital staff to sophisticated breaches of electronic health record systems. 

  2. Interdepartmental Involvement: Cybersecurity is not just an IT issue in healthcare; it involves multiple departments including clinical staff, administration, and support services. Engaging a diverse group of participants will ensure that all important stakeholders understand the risks their organisations face and how they will respond to them in an attack situation. 

    It’s critical to spend time thinking about the participants in the tabletop exercise. Ensure that all those who will actually be making decisions for how to respond, how to continue delivering healthcare services and how to communicate with external parties participate in the drill. 

  3. Regulatory Compliance: Healthcare organisations are subject to various regulations, the most prominent of them being HIPAA. Tabletop exercises should incorporate elements that test compliance with these regulations during a cyber incident.

  4. Communication and Coordination: Effective communication and coordination are crucial during a cyber incident. This is especially critical for healthcare organisations. Lack in communication about how to keep delivering services during an attack can have a crippling effect on the organisation and on patients. Cyber Attack Tabletop Exercises should test and improve the internal and external communication protocols, including coordination with external agencies if necessary.

Our Cyber Crisis Tabletop Exercise Checklist covers all the key points to keep in mind when designing your cyber attack drill in greater detail. Read it in conjunction with our Cyber Tabletop Exercise PPT to ensure you conduct the most productive exercise possible.  

Back To the Top

New call-to-action

Studying Past Attacks to Improve Effectiveness of Cyber Drills  

To maximise the impact of tabletop exercises for healthcare, integrating real-world cyber threats specific to the sector can be really helpful. This involves studying past cyber incidents within the sector and incorporating these insights into the exercise. 

By simulating actual events, such as a recent ransomware attack that targeted a hospital, participants can gain a deeper understanding of the tactics used by cybercriminals and how to effectively counter them. This approach not only enhances the realism of the exercise but also ensures that the lessons learned are directly applicable to real-world scenarios. 

Incorporating case studies of actual cyber attacks in the medical and healthcare industries can greatly enrich tabletop exercises. These case studies provide valuable lessons on how similar incidents were handled, what worked well, and what could have been done differently. 

The section below gives you a detailed insight into the major recent cyber attacks on healthcare organisations across the globe. You could pick any which sound most relevant to your organisation and study the impact.

You can then use these attacks to ask relevant questions during your exercise such as - “What would we do if our patient data was leaked?” or “How would we ensure continuous delivery of emergency services if we are hit by a ransomware attack?” These real-life examples serve as powerful tools for learning and preparation.

You might also want to refer to our AIIMS Ransomware Attack Timeline to gain a better understanding of how the attack on this major healthcare organisation in India unfolded, what the impact was and how it was handled.  

Back To the Top

New call-to-action

Recent Cyber Attacks in the Healthcare Industry 


Event Date

Impacted Org


Threat Actor



April 24, 2024

Kaiser Permanente

Kaiser Permanente data breach may impact 13.4 million patients


Healthcare service provider Kaiser Permanente disclosed a data security incident that may impact 13.4 million people in the United States as the organisation said that information from "approximately 13.4 million current and former members and patients" was leaked to third-party trackers installed on its websites and mobile applications.

Kaiser Permanente Data Breach

March 15 and 29, 2024

NHS Dumfries and Galloway

Scottish health service says ‘focused and ongoing cyber attack’ may disrupt services, and a ransomware group leak stolen data

INC Ransom

NHS Dumfries and Galloway, part of the Scottish healthcare system, announced that it was the target of a focused and ongoing cyber attack. The health board announced there “may be some disruption to services as a result of this situation”. Cyber extortionists have published to their darkweb blog sensitive patient data stolen from NHS Dumfries and Galloway, in a bid to demand money from the local health board.

NHS Dumfries and Galloway Cyber Attack

February 22, 2024

UnitedHealth-Change Health

UnitedHealth subsidiary Optum hack linked to BlackCat ransomware

BlackCat Ransomware and its affiliates

In a statement published on their dark web leak site today, BlackCat said that they allegedly stole 6TB of data from Change Healthcare's network belonging to "thousands of healthcare providers, insurance providers, pharmacies, etc." The ransomware gang claims that they stole source code for Change Healthcare solutions and sensitive information belonging to many partners, including the U.S. military's Tricare healthcare program, the Medicare federal health insurance program, CVS Caremark, MetLife, Health Net, and tens of other healthcare insurance providers.

Change Healthcare Ransomware Attack Timeline

February 01 and 28, 2024

Lurie Children's Hospital

Rhysida ransomware demands $3.6 million for children’s stolen data

Rhysida Ransomware

The Rhysida ransomware gang has listed Lurie Children's on its extortion portal on the dark web, claiming to have stolen 600 GB of data from the hospital. Rhysida ransomware now offers to sell the stolen data for 60 BTC ($3,700,000) to a single buyer.

Lurie Children's Hospital Cyber Attack

November 14, 2023

Pharmacy provider Truepill

Pharmacy provider Truepill data breach hits 2.3 million customers


Postmeds, doing business as ‘Truepill,’ is sending notifications of a data breach informing recipients that threat actors accessed their sensitive personal information as the incident impacted 2,364,359 people.

Truepill Data Breach

November 14, 2023

Medical transcription services provider, PJ&A

PJ&A says cyber attack exposed data of nearly 9 million patients


PJ&A (Perry Johnson & Associates) warned that a cyber attack in March 2023 exposed the personal information of almost nine million patients as the company said the threat actors breached their network and had access between March 27 and May 2, 2023.

PJ&A Cyber Attack

November 13, 2023

Sutter Health

845,000 patients affected by Sutter Health vendor breach


The sensitive data of 845,000 Sacramento, Calif.-based Sutter Health patients was compromised in a ransomware attack on its online contact-management vendor Welltok, a Virgin Pulse company. 

The vendor, which enables Sutter Health to inform patients and members through notifications, told the health system that 845,000 of its patients were affected by a September breach in which a ransomware group attacked the file transfer tool the vendor uses i.e. MOVEit.

Sutter Health Data Breach

November 13, 2023

Otsego Memorial Hospital, Michigan

Michigan hospital confirms cyber attack


Gaylord, Mich.-based Otsego Memorial Hospital confirmed that it was the victim of a cyber attack in October. Hospital officials said they do not believe patient data was compromised during the attack. The attack forced the hospital to shut down its IT system temporarily.

Otsego Hospital Cyber Attack

November 9, 2023

McLaren Health Care

McLaren Health Care says data breach impacted 2.2 million people

The ALPHV (BlackCat) Ransomware Group

McLaren Health Care (McLaren) notified nearly 2.2 million people of a data breach that occurred between late July and August, 2023, exposing sensitive personal information.

McLaren Healthcare Ransomware Attack

November 1, 2023


Records of nearly 815 million Indians were compromised

A threat actor with the alias ‘pwn0001’

This breach came to light after a US cybersecurity firm brought the following details to light: A threat actor with the alias ‘pwn0001’ claimed that they could sell records of 815 million Indians, including names, ages, phone numbers, Aadhaar numbers and addresses. pwn0001 shared a sample, which had 1 lakh phone numbers and Aadhaar numbers. The sample dataset includes personal information of children as young as 10.

ICMR Data Breach

October 25, 2023

Redcliffe Labs

Millions of highly sensitive patient records exposed 


Cybersecurity Researcher, Jeremiah Fowler, discovered and reported to WebsitePlanet about a non-password protected database that contained over 12 million records of medical diagnostic scans, test results, and other potentially sensitive medical records.

The total number of records was significant, at a count of 12,347,297 with a total size of 7TB. Upon further investigation, the documents were marked as belonging to an India-based company called Redcliffe Labs.

Redcliffe Labs Data Breach

October 15, 2023

Morrison Community Hospital

5GB of data stolen from the hospital

The ALPHV (BlackCat) Ransomware Group

The ALPHV/BlackCat ransomware group claimed to have hacked the Morrison Community Hospital and added it to its dark web Tor leak site. The group claimed to have stolen 5TB of patients’ and employees’ information, backups, PII documents, and more. The gang also published a sample as proof of the stolen data.

Morrison Community Hospital Ransomware Attack

September 25, 2023

MNGI Digestive Health

ALPHV claims to have hit MNGI Digestive Health 

The ALPHV (BlackCat) Ransomware Group

ALPHV’s claimed they have stolen data that belonged to MHGI Digestive Health. They warned that the company should contact them within 48 hours or all 2+TB of data will be automatically published online. As proof of claim, they uploaded some images from diagnostic tests, but without legible corresponding patient IDs or details.

MNGI Digestive Health Data Breach

September 19, 2023

The Kfar Shaul Mental Health Center in Israel's capital of Jerusalem

Israeli psychiatric hospital in Jerusalem hit with cyber attack


The Kfar Shaul Mental Health Center in Israel's capital of Jerusalem was hit with a suspected cyber attack

Israeli Psychiatric Hospital Cyber Attack

September 16, 2023

Sanford Health

Personal information of thousands of Sanford Health patients potentially compromised


The imaging vendor Sanford Health uses for its mobile heart screen trucks, DMS Health Technologies, experienced a data security incident between March 27 and April 24, 2023. According to Sanford Health, patient information was potentially compromised including name, date of birth, date of service, physician name and exam type. 

Sanford Health Third-Party Data Breach

August 27, 2023

Prospect Medical

Rhysida claims ransomware attack on Prospect Medical, threatens to sell data

Rhysida Ransomware

The Rhysida ransomware gang claimed responsibility for the massive cyber attack on Prospect Medical Holdings, claiming to have stolen 500,000 social security numbers, corporate documents, and patient records.

Prospect Medical Ransomware Attack

August 14, 2023

VNS Health

VNS Health confirms data breach at TMG Health resulted in data of 103,775 consumers being leaked

Clop ransomware (MOVEit)

VNS explained that the TMG Health data breach resulted in an unauthorised party being able to access consumers’ sensitive information, which included their names, Social Security numbers, addresses, dates of birth, billing information, and medical information.

VNS Health Data Breach

July 29, 2023

The Chattanooga Heart Institute

The Chattanooga Heart Institute notified 170,450 about March “data security incident”

Karakurt threat actors

Karakurt threat actors had claimed to have attacked them and to have exfiltrated 158 GB of data. There was no proof of claim offered, but Karakurt wrote: Employees and patients’ private data will soon be available for everyone. Medical records, test results, diagnoses, social security numbers, passports, addresses, phone numbers, financial data and other documents are going to be uploaded. 

Chattanooga Heart Institute Cyber Attack

July 28, 2023

Centres for Medicare and Medicaid

Centres for Medicare and Medicaid notify 645,000 Medicare members about MOVEit breach 

Clop Ransomware (MOVEit)

The Centres for Medicare and Medicaid (CMS) posted a notice on its site about a data breach at one of its contractors, Maximus Federal Services, Inc. Maximus was one of hundreds of victims of the zero-day attack on MOVEit file transfer software by the Clop ransomware gang. CMS said that approximately 645,000 Medicare numbers had their information caught up in the attack.

CMS Data Breach

July 19, 2023

Tampa General Hospital

Tampa General Hospital said confidential data of 1.2 million patients hacked


A “criminal group” stole confidential information of about 1.2 million Tampa General Hospital patients, including Social Security numbers, the hospital announced. The theft of information came to light after the hospital detected “unusual activity” on its computer systems. 

Tampa General Hospital Data Breach

July 6, 2023

bioMérieux - a French Biotechnology company 

bioMérieux announced third-party data breach involving MOVEit 

Clop Ransomware (MOVEit)

bioMérieux explained that the incident resulted in an unauthorised party being able to access consumers’ sensitive information.

bioMerieux Data Breach

July 5, 2023

Murfreesboro Medical Clinic & SurgiCenter

Murfreesboro Medical Clinic & SurgiCenter notified 559,000 of data breach


MMC explained that the incident resulted in an unauthorised party being able to access consumers’ sensitive information including protected health information and insurance information.

MMC Data Breach

June 29, 2023

NHS UK, and University of Manchester

More than a million NHS patients’ details compromised after cyber attack


NHS details of more than a million patients were compromised in a cyber attack. The ransomware attack on the University of Manchester affected an NHS patient data set that held information on 1.1 million patients across 200 hospitals

NHS UK Data Breach

June 29, 2023

The US Health and Human Services Department

At least 100,000 could have had data exposed after US health department was hit by global cyber attack

Clop Ransomware (MOVEit)

At least 100,000 people could have had their data compromised by a hack of contractors at the Department of Health and Human Services, making it the latest US government agency to be caught up in the sweeping cyber attack connected to the MOVEit attack.

US Health & Human Services Department Data Breach

June 22, 2023


CoxHealth confirms patient information leaked following Intellihartx, LLC data breach

Clop Ransomware

The incident resulted in an unauthorised party gaining access to consumers’ names, Social Security numbers, dates of birth, addresses and protected health information.

CoxHealth Data Breach

June 12, 2023

Atlanta Women’s Health Group

Atlanta Women’s Health Group files notice of data breach affecting 33k+ patients


The incident apparently resulted in patients’ protected health information being subject to unauthorised access.

Atlanta Women's Health Group Data Breach

June 7, 2023

Nova Scotia Healthcare

Data on as many as 100,000 Nova Scotia healthcare staff stolen in MOVEit breach

Clop ransomware (MOVEit)

Data stolen included Social insurance numbers, addresses and banking information of employees of Nova Scotia Health, the public service and the IWK Health Centre, which is a major paediatric hospital and trauma centre.

Nova Scotia Data Breach

May 31, 2023

Mission Community Hospital

Another hospital hit by ransomware: Mission Community Hospital

RansomHouse threat actors

RansomHouse threat actors claimed responsibility for the attack and provided a number of files as proof. They claim to have downloaded 2.5 TB of data.

Mission Community Hospital Ransomware Attack

May 30, 2023

Enzo Biochem

Clinical test data of 2.5 million people stolen from biotech company Enzo Biochem


Enzo Biochem, a New York-based biosciences and diagnostics company, said that on April 6 it experienced a ransomware attack that involved the “unauthorised access to or acquisition of clinical test information of approximately 2,470,000 individuals.”

Enzo Biochem Data Breach

May 27, 2023


NHS data breach: trusts shared patient details with Facebook without consent

Human error

NHS trusts apparently shared intimate details about patients’ medical conditions, appointments and treatments with Facebook without consent. An investigation uncovered a covert tracking tool in the websites of 20 NHS trusts which has for years collected browsing information and shared it with the tech giant in a major breach of privacy. 

NHS UK Data Privacy Breach

May 19, 2023

Amazon-owned online pharmacy PillPack

Cybersecurity attack against Amazon-owned online pharmacy PillPack exposed user health data


Amazon-owned PillPack reported a cybersecurity attack affecting the accounts of nearly 20,000 customers. 

An unauthorised person used customer emails and passwords to log into PillPack customer accounts, over 3,000 of which contained prescription information. 

PillPack Cyber Attack

May 15, 2023


Ransomware gang steals data of 5.8 million PharMerica patients

Money Message Ransomware gang

Pharmacy services provider PharMerica disclosed a massive data breach impacting over 5.8 million patients, exposing their medical data to hackers.

PharMerica Ransomware Attack

May 11, 2023

New Mexico Department of Health

New Mexico Department of Health data breach exposes decedent health information


The New Mexico Department of Health (DOH) reported a breach to HHS that impacted 49,000 individuals. The breach occurred when DOH discovered that a spreadsheet containing information about individual deaths in New Mexico had been sent to a journalist. The journalist had requested information under the Inspection of Public Records Act, but the information that was sent included protected health information (PHI). 

New Mexico Department of Health data breach

May 11, 2023

Richmond University Medical Center

Richmond University Medical Center suffers ransomware attack; unclear if patient info compromised


The extent of the breach, which has crippled online services at the over-470 bed facility, is not currently clear.

Richmond University Medical Center Ransomware Attack

May 10, 2023

Norton Healthcare

Norton Healthcare hit with ‘cyber-event’ amid ongoing computer system shutdowns


Norton Healthcare said it has been victimised by a "cyber-event," and some of its computer network systems remained offline. Norton took several systems offline – including internet and email access – as a precaution. 

Norton Healthcare Cyber Event

May 8, 2023

Hong Kong group OT&P Healthcare

Patient data may have been leaked in cyber attack at Hong Kong group OT&P Healthcare


The personal data and medical history of about 100,000 patients at a Hong Kong healthcare group could have been leaked due to a cyber attack.

OT&P Healthcare Cyber Attack

May 5, 2023

Catholic Health

Catholic Health announces third-party data breach 


The incident resulted in an unauthorised party gaining access to patients’ names, birthdates, demographic information, Social Security numbers, Medicare numbers, and diagnosis information.

Catholic Health Data Breach

May 4, 2023

McPherson Hospital, Inc.

McPherson Hospital, Inc. notifies over 19k patients of recent data breach


The incident resulted in an unauthorised party gaining access to consumers’ names, Social Security numbers, dates of birth, medical treatment information, medical billing information, and health insurance information.

McPherson Hospital, Inc. Data Breach

April 28, 2023

United HealthCare

United HealthCare reports data breach that may have revealed customers' personal information


United HealthCare made customers aware of a data breach on April 28, 2023, which temporarily allowed access to personal information for those enrolled in the company's healthcare plans. According to a statement, "suspicious activity" was noticed on the UHC mobile application "that may have led to the disclosure of member information." 

United Healthcare Data Breach

April 28, 2023

Queensway Carleton Hospital

Major data breach at Queensway Carleton Hospital might have affected 100,000 patients


The personal and health information of about 100,000 Queensway Carleton Hospital patients could have been affected by a major data breach, the hospital said. 

Queensway Carleton Hospital Data Breach

April 24, 2023

Shields Health Care Group

Shields Health Care Group data breach impacted more than 2.3 million patients


An unauthorised actor gained access to the systems of Shields Health Care Group (SHCG), exposed drivers’ licence numbers as well as other identification information for more than 2.3 million patients, according to the company.

Shields Health Care Group Data Breach


Back to the Top

Ransomware Incident Response Playbook

Get Email Updates on our Latest News

Simply enter you details in the form below to subscribe:

  • Or call us on:
  • +44 (0) 203 189 1422