Operating theatre paralysed, HIS unavailable, emergency departments overloaded, calls from the media and ARS in quick succession...
This is what more and more university hospitals (CHU), hospital centres and hospital groups (GHT) experience during major cyber attacks.
Plans, procedures and BCP/ERP are indispensable, but on the day a crisis erupts, one question dominates:
Have the teams ever experienced this type of situation, even in a simulation?
This is exactly the role of a cyber crisis management exercise in a hospital:
to stage a realistic crisis, in a safe environment, so that the next one is no longer a first.
Why is a crisis management exercise essential for a hospital?
Better coordination of players in tense situations
Management, IT, CISO, care management, department heads, DIM, communications, biomedical, logistics...
In normal times, everyone knows their own perimeter. In a crisis, everyone has to sit at the same table.
The exercise tests the responsiveness of the crisis unit, clarifies who decides what, and streamlines exchanges between the business side and IT.
Validate plans and degraded modes
A white plan, a BCP/ERP or cyber procedures are only of value if they are known, practised and applicable under stress.
The exercise brings to light the reflex cards nobody can find, the out-of-date phone numbers, and the degraded modes that turn out to be unworkable in a care unit.
Reduce the impact of a real attack
Teams that have trained reach the right decisions faster, which makes it easier to maintain care in degraded mode and to limit both the medical consequences and the media impact of an attack on the hospital.
The Phishia approach, designed for hospitals
Phishia has structured its exercises around four phases, adapted to the hospital context (CHU, CH, GHT).
Phase 1 - Framing and exercise design
Objective: define an exercise that is useful, realistic and aligned with the institution's challenges.
Setting up a project group: management, IT department/CISO, care management, quality/risk management, communication, etc.
Definition of objectives:
- test the handling of ransomware encrypting the HIS,
- experience the switch of the emergency department to degraded mode,
- validate communication with the ARS and the media, etc.
During this phase, Phishia draws on feedback from incidents actually encountered in hospitals to propose a credible scenario, neither too simple nor paralysing.
Phase 2 - Preparing the script and media
Objective: build an immersive but totally controlled crisis.
First, we write a coherent scenario (e.g. targeted phishing → account compromise → encryption → impact on critical services), then we prepare the main “injects”: fictitious e-mails (from management, the ARS, the press, patients), a few simulated calls, and messages from service providers or hosting providers.
Finally, we produce the essential materials: a guide for players, instructions for facilitators and an observation grid.
Everything is prepared so that, on the day, the exercise runs without touching the production IS: zero technical risk for the hospital.
Phase 3 - Conducting the exercise with the hospital crisis unit
Objective: to put the crisis unit in conditions as close as possible to a real attack.
The roles:
- Players:
General management, medical management, care management, IT department, CISO, DIM, communication, critical services, etc.
They receive information as it arrives and take decisions as they would in a real situation.
- Phishia facilitators:
Play the external stakeholders: ARS, ANSSI, CERT, service providers, journalists, patients, etc.
Control the sequence, adjust the pace, and inject information at the right moment.
- Observers:
Note reactions, blockages and good practices.
Take no part in decision-making.
How it works:
- Setting up the crisis unit (room, tools, reporting).
- Launching the scenario: early warning signals, technical alerts, clinical calls...
- Gradual pressure build-up : teams have to decide on the switchover to degraded mode, make medical trade-offs, prioritize the applications to be restored, and orchestrate internal and external communications.
Throughout the session, Phishia moderators set the pace for the crisis, and observers keep a neutral record of what actually happens.
Phase 4 - Feedback and improvement plan
We start with a hot debriefing to gather feedback from participants: what worked well, what didn't, and the main sticking points.
Then Phishia carries out a cold analysis of the process (crisis unit, decisions, coordination, degraded mode) against national best practices. This analysis results in a prioritised action plan: updating procedures, BCP and white plans, improving directories and reflex cards, and reinforcing team preparation (awareness-raising, targeted training).
The objective is clear: after the exercise, your hospital is significantly better prepared than before.
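The four phases above hinge on three artefacts: the inject list written in Phase 2, the observation grid filled in during Phase 3, and the gap analysis that becomes the Phase 4 action plan. The following Python module is an added illustration of how those artefacts fit together; it is not Phishia's material, and every inject, timing and observer note in it is constructed for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Inject:
    """One line of the master scenario events list (MSEL) prepared in Phase 2."""
    minute: int              # planned offset from exercise start, in minutes
    channel: str             # e-mail, phone, monitoring console, ...
    source: str              # fictitious sender, played by a facilitator
    summary: str
    expected_actions: tuple  # decisions the crisis unit is expected to take


@dataclass(frozen=True)
class Observation:
    """One line of the observers' grid, tied to the inject it answers."""
    inject_index: int
    minute: int              # when the decision was actually taken
    actions_taken: tuple
    note: str = ""


# Constructed MSEL for a ransomware scenario (invented content, for illustration only).
MSEL = (
    Inject(0, "monitoring", "SOC", "Several admin accounts locked after failed logins",
           ("open crisis unit", "isolate suspect accounts")),
    Inject(15, "phone", "Emergency department", "Patient records unreadable on HIS terminals",
           ("declare degraded mode", "activate paper procedures")),
    Inject(30, "email", "Attacker (ransom note)", "File servers encrypted, ransom demand received",
           ("notify ANSSI/CERT", "notify ARS", "preserve evidence")),
    Inject(45, "phone", "Journalist", "Asks whether the hospital has been hacked",
           ("route to communication lead", "issue holding statement")),
)

# Constructed observer notes from a fictitious run of that scenario.
OBSERVATIONS = (
    Observation(0, 4, ("open crisis unit",), "accounts not isolated: unclear who may order it"),
    Observation(1, 28, ("declare degraded mode", "activate paper procedures")),
    Observation(2, 40, ("notify ARS",), "CERT number in the directory was out of date"),
    Observation(3, 47, ("route to communication lead", "issue holding statement")),
)


def shift_pace(msel, from_minute, delay):
    """Facilitator control: postpone every inject planned at or after from_minute."""
    return tuple(
        Inject(i.minute + delay, i.channel, i.source, i.summary, i.expected_actions)
        if i.minute >= from_minute else i
        for i in msel
    )


def _actions_taken(observations):
    taken = {}
    for o in observations:
        taken.setdefault(o.inject_index, set()).update(o.actions_taken)
    return taken


def gap_analysis(msel, observations):
    """Expected actions that were never observed, keyed by inject index."""
    taken = _actions_taken(observations)
    gaps = {}
    for idx, inj in enumerate(msel):
        missing = tuple(a for a in inj.expected_actions if a not in taken.get(idx, set()))
        if missing:
            gaps[idx] = missing
    return gaps


def response_latency(msel, observations):
    """Minutes between each inject and the first observed decision on it."""
    first = {}
    for o in observations:
        first[o.inject_index] = min(o.minute, first.get(o.inject_index, o.minute))
    return {idx: minute - msel[idx].minute for idx, minute in first.items()}


def action_plan(msel, observations):
    """Prioritised action items: the inject with the most missed actions comes first."""
    gaps = gap_analysis(msel, observations)
    ranked = sorted(gaps.items(), key=lambda kv: (-len(kv[1]), msel[kv[0]].minute))
    return [f"T+{msel[i].minute} {msel[i].summary}: missing {', '.join(m)}" for i, m in ranked]


if __name__ == "__main__":
    for line in action_plan(MSEL, OBSERVATIONS):
        print(line)
    print("latency (min):", response_latency(MSEL, OBSERVATIONS))
```

The observer note on each row is what the hot debriefing is built from; the gap analysis and latency figures are what the cold analysis compares against the plan, so the action plan is traceable to a specific inject rather than to a general impression of the session.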
What Phishia can do for your hospital
A field view of cyber-hospital crises
Our scenarios are based on real-life feedback from the healthcare sector.
Multidisciplinary approach
We involve caregivers and management as much as the IT/IS department: the crisis is not just a technical issue.
Pedagogy and safety
It's a challenging exercise, but one that takes place in a secure environment, with no risk to the IS or to ongoing care.
Link with your other projects
The lessons learned will feed directly into your work on BCP/ERP, incident response, the CaRE program, awareness-raising, and so on.
Want to test your crisis unit before the next attack?
A well-constructed exercise takes just a few hours to complete...
But the day the real crisis arrives, these hours can make all the difference between an overburdened hospital and a hospital in control.
You would like to:
- organize your hospital's first cyber crisis exercise
- professionalize an existing crisis unit
- build a GHT-wide annual exercise program
Phishia can work with you to design a scenario tailored to your size, organization and maturity level.