Organize a cyber crisis management exercise for the hospital

Phishia has structured its exercises around four phases, adapted to the hospital context (university hospitals, general hospitals, hospital groups).

Phase 1 – Framing and designing the exercise

Objective: to define a useful, realistic exercise that is aligned with the institution’s challenges.

Set up a project group: management, IT/CISO, care management, quality/risk management, communication, etc.

Define objectives:

test the management of ransomware encrypting the HIS,
test the switch to degraded mode in the emergency department,
validate communication with the ARS and the media, etc.

Defining the scope: isolated institution or regional hospital group, departments involved, duration of the exercise.

During this phase, Phishia provides feedback on incidents that have actually occurred in hospitals in order to propose a credible scenario that is neither too simple nor too crippling.

Phase 2 – Preparing the scenario and materials

Objective: to construct an immersive but fully controlled crisis.

We first write a coherent scenario (e.g., targeted phishing → account compromise → encryption → impact on critical services), then we prepare the main “injections”: fictitious emails (management, ARS, press, patients), a few simulated calls, and messages from service providers or hosting companies.

Finally, we produce the essential materials: player guide, instructions for facilitators, and observation grid.

Everything is prepared so that, on D-day, the exercise can take place without affecting the production IS: zero technical risk for the hospital.

Phase 3 – Conducting the exercise with the hospital crisis unit

Objective: to place the crisis unit in conditions as close as possible to a real attack.

Roles :

• Players:

Senior management, medical management, care management, IT department, chief information security officer, medical information department, communications, critical services, etc.

They receive information as it comes in and make decisions as they would in a real situation.

• Phishia facilitators:

Play the role of external actors: ARS, ANSSI, CERT, service providers, journalists, patients, etc.

Steer the process, adjust the pace, and inject information at the right moment.

• Observers:

Note reactions, obstacles, and best practices.

Do not participate in decisions.

• The process:

Creation of a hospital crisis unit (room, tools, reports).
Launch of the scenario: first weak signals, technical alerts, calls from clinical departments, etc.
Gradual increase in pressure: teams must decide to switch to degraded mode, make medical decisions, prioritize the applications to be restored, and orchestrate internal and external communication.

Throughout the session, Phishia facilitators set the pace of the crisis, and observers neutrally record what is actually happening.

Phase 4 – Feedback and improvement plan

We begin with a debriefing to gather participants’ impressions: what worked well, what caused problems, and the main points of friction.

Phishia then conducts a detailed analysis of the process (crisis unit, decisions, coordination, contingency mode) in light of national best practices. This analysis results in a prioritized action plan: updating procedures, BCP/PRA and contingency plans, improving directories and reflex sheets, and strengthening team preparedness (awareness, targeted training).

The objective is clear: after the exercise, your hospital should be significantly better prepared than before.