How to Run a HIPAA Security Tabletop Exercise at Your Home Health Agency

A 90-minute tabletop exercise reveals incident response gaps before a real attack exposes them. Here is how to run a realistic tabletop exercise for a home health agency leadership team.

A tabletop exercise is the highest-return security investment a home health agency can make that does not require a technology purchase. Ninety minutes. A conference room. The right scenario. And a willingness to be honest about what the exercise reveals. I have facilitated tabletop exercises at dozens of home health agencies over my career, and the pattern is consistent: agencies that are confident in their incident response plans discover in the first twenty minutes of a realistic scenario that the plan works in theory and not yet in practice. The discoveries range from mildly embarrassing (nobody knows the cyber insurance carrier's claim reporting number) to genuinely alarming (the incident response plan lists a person who left the agency two years ago as the primary security contact).

These discoveries made in a tabletop exercise cost nothing to fix. Made during a real incident at 2am, they cost significantly more.

The Right Scenario for a Home Health Agency Tabletop

The scenario must be realistic enough to generate genuine engagement and reveal real gaps — not so catastrophic that participants disengage because the situation seems implausible. The scenario I use most frequently for home health agencies: it is a Friday afternoon in late October. Several staff members report receiving emails that appear to be from the agency's EHR vendor asking them to update their login credentials through a link in the email. Two administrative staff clicked the link and entered their credentials before the emails were flagged as suspicious. At 5:30pm, the agency's billing coordinator notices that she cannot log into the EHR. By 6pm, the IT vendor's after-hours line confirms that the EHR is inaccessible from the agency's network. Monday morning, seventeen field nurses are scheduled to begin visits at 7am.

This scenario is realistic, specific to home health operations, and time-pressured in a way that generates the decision-making urgency that reveals plan gaps. Adjust the specific details — the vendor, the staff roles, the timing — to match your agency's actual operational context.

Who Belongs in the Room

The tabletop should include the individuals who would be making real decisions during a real incident: the executive director or CEO, the HIPAA Security Officer, the director of clinical operations, the billing director, the HR director if workforce issues could arise, and — critically — the agency's managed security provider representative. Not the IT vendor who manages your network as a side business, but the person who would actually lead the incident response if this scenario were real.

Do not include the entire staff. Tabletop exercises are most effective with 6–12 participants who have genuine decision authority. Too many participants lead to discussion that is too broad and too shallow. Too few leave blind spots where a missing department's perspective would have revealed a gap.

The Tabletop Format: Inject, Discuss, Decide, Document

The facilitator introduces the scenario and then delivers a series of situation updates — "injects" — that escalate the scenario and force the group to make decisions:

  • Inject 1: The initial phishing report. Who do you call first? What do you do with the devices of the two staff who clicked? At what point do you notify the executive director?
  • Inject 2: It is now 6pm and the EHR is confirmed unavailable. What do you tell the 17 nurses who will arrive at 7am Monday? What is the communication channel? Who sends the message? What exactly does it say?
  • Inject 3: The IT vendor says the outage is ransomware and the attacker is asking for $180,000. Who makes the decision whether to pay? What is the decision framework? What does legal counsel say?
  • Inject 4: It is now Monday at noon. OCR calls and requests information about what happened. Who takes the call? What do you tell them? Has the four-factor HIPAA breach risk assessment been initiated?
  • Inject 5: A patient's family calls to ask whether their mother's information was compromised. What do you tell them? Is that true? How do you know?

The Post-Exercise Action Plan

The tabletop exercise produces value only if the gaps it reveals are documented and addressed. Within 48 hours of the exercise, the HIPAA Security Officer should produce a written summary: the gaps identified during each inject, the responsible party for addressing each gap, and the timeline for remediation. The most common gaps I see identified in home health tabletop exercises: missing cyber insurance contact information in the incident response plan; no documented downtime procedures for field nurses; the four-factor breach risk assessment has never been done and nobody knows who owns it; and the clinical operations team has no role defined in the incident response plan despite having the most immediate operational impact.

Protecting your home health agency starts with understanding exactly where you stand today. ShieldForce delivers a free, no-obligation HIPAA Risk Assessment — thirty minutes with a healthcare cybersecurity expert who has spent three decades inside this industry. You will leave with a clear picture of your gaps, your priorities, and what a fully managed security programme looks like for an organisation exactly like yours.

Schedule Your Free HIPAA Risk Assessment — shieldforce.io/hipaa-assessment

See ShieldForce Advantage Services — shieldforce.io/shieldforce-advantage

View Transparent Pricing from $35/user/month — shieldforce.io/pricing-comparison
