It all started after chatting with a colleague the other day…
He started telling me about a Tabletop Attack Scenario Exercise (TASE) that he sat through with a health care company. They were going through a mock scenario of a PHI breach. And at one point, the security director asked the procurement team to give him a list of all of the breach notifications they would need to send out based on signed and executed BAAs.
The procurement team said no, they wouldn’t and couldn’t provide such a list.
So the security director went to the legal team, the keepers of all executed contracts (right?). And he asked them for the list of notifications they would need to send based on the BAAs they had reviewed and executed.
Legal said no, they wouldn’t provide such a list. (Almost sounds like a children’s book, doesn’t it?)
Exasperated, the security director realized he was on his own. He would need to build the list himself of all the notifications that would have to be sent out. And, just to plug the value of a TASE: Even if nothing else came out of this exercise, this health care company learned a valuable lesson: They needed to get a tool and design a process for creating a breach notifications list on the fly.
Simply put, Tabletop Attack Scenario Exercises (TASE) help you discover gaps in your operations and processes.
A well-crafted TASE becomes a training session. For instance, let’s say your folks aren’t quite sure how they would work with other internal teams or outside vendors and partners. Run one of these exercises and watch your folks feel their way through it until they get comfortable.
And voila, you’ll find that you just created a revised or even brand new process for something you hadn’t even thought about before.
Another example is the BAA story above: Your legal and procurement teams execute and collect all of these BAAs, but no one thinks about how to track all of the breach notifications that are legally binding within each BAA.
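To make the gap concrete, here is an added example (not from the original post or from the company in the story) of the kind of small tool that exercise showed was missing: a register of executed BAAs, each recording where breach notices must go, the contractual notification window, and which internal systems hold that counterparty's PHI, so that given the affected systems and the discovery date the team gets the notification list with deadlines. All counterparties, contacts, windows and system names below are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class BAA:
    """One executed Business Associate Agreement and its breach-notice terms."""
    counterparty: str
    notify_contact: str          # where the contract says breach notices must be sent
    notify_within_days: int      # contractual window, counted from discovery of the breach
    systems: frozenset           # internal systems that hold this counterparty's PHI


# Constructed sample register: names, contacts, windows and systems are made up.
BAA_REGISTER = (
    BAA("Example Hospital Group", "privacy@hospital.example", 5,
        frozenset({"claims-db", "ehr-gateway"})),
    BAA("Example Billing Vendor", "security@billing.example", 10,
        frozenset({"claims-db"})),
    BAA("Example Lab Network", "compliance@lab.example", 30,
        frozenset({"lab-results"})),
)


def notification_list(register, affected_systems, discovered_on):
    """Return (counterparty, contact, deadline) for every BAA whose PHI sat on an
    affected system, earliest deadline first. discovered_on is an ISO date string."""
    discovered = date.fromisoformat(discovered_on)
    affected = frozenset(affected_systems)
    due = [
        (baa.counterparty,
         baa.notify_contact,
         discovered + timedelta(days=baa.notify_within_days))
        for baa in register
        if baa.systems & affected          # only counterparties actually touched by the breach
    ]
    return sorted(due, key=lambda row: row[2])


if __name__ == "__main__":
    # Mock scenario: the claims database was breached, discovered on 1 March 2024.
    for party, contact, deadline in notification_list(BAA_REGISTER, {"claims-db"}, "2024-03-01"):
        print(f"{deadline.isoformat()}  {party:<24} -> {contact}")
```

The register is the piece procurement and legal already hold in their contracts; the point of the exercise is that nobody had captured it in a form a security director can query during an incident.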
These are the types of details that rise to the surface during a TASE.
I’ve personally been involved with or run around 100 of these exercises and I’ve yet to find an organization that didn’t learn something valuable in the process. So if you don’t run these often, it’s a good time to start. Shoot for running them quarterly, and put the effort into creating good attack scenarios. You’ll see the investment pay off.