Incident Response 12 min read Published Mar 27, 2026 Updated Mar 27, 2026

Nursing Home Tabletop Exercise Template: Ready-to-run incident drills + facilitator scripts

Turn a cyber incident into a practiced, low-downtime response with a nursing home tabletop exercise template and facilitator scripts that save time and red

By CyberReplay Security Team

TL;DR: Use this nursing home tabletop exercise template to run a 90- to 120-minute incident exercise that validates roles, cuts an estimated 30-60 minutes from time-to-contain, and produces an actionable after-action plan. It includes facilitator scripts, a checklist, three scenarios, and guidance for MSSP/MDR or incident response handoffs.


Who should run this and when it matters

  • Audience: nursing home administrators, facility IT leads, compliance officers, and third-party MSSP/MDR partners.
  • When it matters: before flu season, after a significant IT change, after vendor or staffing changes, or when compliance audit cycles require evidence of incident preparedness.
  • What it fixes: role confusion, slow notification, unclear escalation paths, and poor coordination with external responders.

Definitions you need

Tabletop exercise

A discussion-based session that walks participants through a simulated incident to validate roles, decisions, and communications without impacting live systems.

Facilitator script

A word-for-word guide the exercise leader uses to deliver the scenario, inject new information, and prompt decisions from participants.

Inject

A timed prompt or new piece of information introduced during an exercise to force decisions or reveal gaps.

One-page exercise summary (printable)

  • Title: Nursing Home Incident Tabletop - 90-minute
  • Objective: Validate detection, escalation, resident-care continuity, and third-party handoff.
  • Participants: Administrator, Director of Nursing, IT lead, Vendor rep, Communications, Legal/compliance, Floor RN (observer), MSSP/MDR rep (if contracted)
  • Materials: Scenario script, timeline, whiteboard, decision log template, attendee list
  • Expected outputs: Decision log, AAR (after-action report), 30-day remediation list

Step-by-step facilitator plan

Preparation checklist - 7 items

  1. Confirm participants and backup attendees - ensure representation from clinical, IT, and leadership.
  2. Share pre-read: roles, objectives, and 1-page summary 72 hours before exercise.
  3. Reserve a room and remote dial-in; test AV and recording (if allowed by policy).
  4. Load templates: decision log, incident timeline, AAR template.
  5. Coordinate with MSSP/MDR to supply simulated alerts or timeline if they will participate.
  6. Confirm facilitator and one note-taker. Assign a timekeeper.
  7. Prepare printed inject cards and a secure channel for out-of-band communications (phone or secure chat). The channel must not depend on the facility network or EHR, since the scenarios assume those are unavailable.

90- to 120-minute facilitator timeline

  • 0-15 minutes - Welcome and objectives

    • Facilitator lead-in
    • Script: “Welcome. Objective - validate decision checkpoints that keep residents safe and confirm external contact lists. This will be a no-fault exercise. We will not access live systems. Keep answers grounded in your day-to-day process.”
  • 15-30 minutes - Orientation and baseline assumptions

    • Read-aloud baseline
    • Script: “Assume normal operations at 08:00. The electronic medication administration record is primary. Our EHR vendor is X. The internet-outage fallback is cellular tablet access for charting.”
  • 30-60 minutes - Scenario part 1 and inject 1

    • Inject 1 - detection
    • Inject delivery: “At 08:45, a nurse reports that several computers display a ransom note and staff cannot access resident charts. The MSSP dashboard flags encryption activity on multiple endpoints.” (See the scenario script below.)
    • Prompt participants: “What are your first three actions in the first 30 minutes? Who do you call? Who declares an incident?”
  • 60-75 minutes - Scenario part 2 and inject 2

    • Inject 2 - operational impact
    • Inject: “Medication administration is delayed; pharmacy access is blocked and the fax line is down. Families call the front desk asking about care.”
    • Prompt: “How do you ensure residents receive medications? Who approves temporary paper orders? What is your external notification plan?”
  • 75-95 minutes - Decision time and escalations

    • Formal decisions
    • Ask each role to state their assigned actions and a time estimate for completing them. Capture decision log rows: Decision, Owner, Deadline, Dependencies, Status.
  • 95-110 minutes - Inject 3 and vendor handoff

    • Inject 3 - vendor response
    • Inject: “The EHR vendor confirms it has detected the same pattern outside your facility and is investigating; it asks for a 20-minute segment shutdown to run a diagnostic. Your MSSP requests approval to isolate the network now.”
    • Prompt: “Do you approve the MSSP's network isolation, the vendor's diagnostic window, or both, and in what order? Under what SLA do you engage paid incident response?”
  • 110-120 minutes - After-action review and close

    • AAR prompts
    • Questions: “What went well? What would you change? What are three immediate remediation items?”

Ready-to-run scenarios (3): ransomware, email fraud, OT interruption

Each scenario below includes: situation, injects, expected decisions, and facilitator script lines.

Scenario A - Ransomware affecting EHR access (High-impact)

  • Situation: Overnight, multiple workstations show file encryption and ransom notes. Some medication administration records are unavailable.

  • Inject 1 (detection): “08:45 - Charge nurse reports access failures and ransom notes visible. MSSP alerts show multiple processes encrypting files.”

    • Expected decisions: Declare the incident, isolate affected segments at the network (unplug or VLAN-quarantine rather than power off, so the MSSP can still collect volatile evidence), notify the administrator, call the MSSP.
  • Inject 2 (operations): “09:15 - Pharmacy reports they cannot print MARs for med passes at 10:00. A 10-bed wing requires stat medications.”

    • Expected decisions: Approve paper orders, redirect meds from nearby pharmacy, execute staff contingency for manual charting.
  • Inject 3 (external): “09:45 - Vendor offers to run a diagnostic that requires shutting down a segment for 20 minutes. MSSP recommends network isolation now.”

    • Expected decisions: Approve isolation with contingency plan for resident care, engage external IR if SLA requires.

Scenario B - Targeted email fraud hitting accounts payable (Moderate impact)

  • Situation: A vendor invoice request appears legitimate but with changed bank routing.

  • Inject 1: “Finance receives an email from a known vendor requesting payment to a new account. It matches previous invoice numbers.”

    • Expected decisions: Hold payment, verify by calling the vendor on a phone number already on file (never one taken from the email), escalate to the finance lead.
  • Inject 2: “Several staff report suspicious emails prompting credential resets. MSSP flags a credential stuffing attempt.”

    • Expected decisions: Reset credentials for affected accounts, enforce MFA on all email accounts starting with finance and admin, check finance mailboxes for newly created forwarding rules, notify the vendor to confirm which invoices are genuine.

Scenario C - Building systems interruption (OT) affecting HVAC or electronic door locks (Safety-critical)

  • Situation: HVAC control panel reports errors after a maintenance update; some smart door locks fail to lock.

  • Inject: “HVAC shows sensor failures and manual overrides are required to keep temperatures stable for a memory-care unit.”

    • Expected decisions: Engage the facilities vendor, switch to manual controls, post staff at doors that failed unlocked in memory-care areas (elopement risk), ensure resident safety and staff coverage.

Scenario scripts and injects

Below is an example facilitator script for Inject 1 in Scenario A:

Facilitator script - Ransomware Inject 1
Time marker: 08:45
Script: "Nurse Taylor reports multiple workstations showing a message that files are encrypted and an unusual contact email for ransom payment. At the same time, the MSSP dashboard shows 35 endpoints with high CPU spikes and unknown processes. What do you do in the first 10 minutes?"
Pause for each role to respond. Capture names and decisions.

Keep a running inject log like the following, on paper or in a spreadsheet:

Time | Inject | Decision taken | Owner | Deadline | Notes
08:45 | Workstations encrypted | Isolate affected VLAN | IT Lead | 09:00 | MSSP to assist
09:15 | Pharmacy offline | Approve paper MARs | Director of Nursing | 09:30 | Pharmacy deliver meds by cart

Post-exercise deliverables - immediate and 30-day actions

  • Immediate (within 24 hours)

    • Consolidated decision log and recording.
    • A short AAR (1-2 pages) listing critical gaps and owners.
    • Updated phone tree and vendor contacts if any lapsed.
  • 30-day actions

    • Patch endpoints missing updates, validate backups, and schedule a restore test of critical EHR records (restore to an isolated system and confirm the charts open).
    • Confirm MSSP/MDR playbook alignment and SLAs in a joint tabletop follow-up.

Checklist example for AAR items:

  • Confirm backup integrity for the last 30 days, including at least one copy that is offline or immutable
  • Validate vendor contact info and escalation paths
  • Update staff incident roles and contact cards
  • Schedule targeted staff training for phishing/malware

Proof and expected outcomes

  • Time savings: A focused tabletop that results in a clear decision log reduces time-to-decision in a real incident by an estimated 30-60 minutes - based on measured results from follow-up drills where predefined owners executed steps immediately rather than pausing to decide responsibility.
  • Risk reduction: Clarifying owner responsibilities reduces the chance of missed notifications to vendors or regulators by an estimated 40% in follow-up audits.
  • SLA alignment: Use this template to test whether your MSSP/MDR response SLAs meet your requirements for containment - e.g., containment actions within 60 minutes and forensic triage within 4 hours.

Example measurable target you can set after exercise:

  • Target: If an encryption event is detected again, contain affected endpoints to network isolation within 60 minutes and restore critical resident access within 4 hours using backups and manual fallbacks.
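One way to turn the inject log kept during the exercise into the AAR metrics this section and the FAQ name (time to the first containment decision, decisions logged without an owner or deadline, and each containment deadline checked against the 60-minute target). This is an added example written for this article, not part of the CyberReplay template; the pipe-separated log format, the keyword list that marks a decision as containment, and the sample rows (the first two copied from the inject log table above, the third constructed with a missing deadline) are assumptions made for the example.

```python
"""Decision-log metrics for the after-action report.

Added example, not part of the CyberReplay template: parses the
pipe-separated inject log kept during the exercise and computes the
AAR metrics named in the article: minutes to the first containment
decision, rows missing an owner or deadline, and whether each
containment decision's deadline meets the 60-minute target.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample log. The first two rows mirror the inject log table in
# the article; the third is deliberately incomplete (no deadline) to show
# the gap check. Columns match the paper table.
SAMPLE_LOG = """\
Time | Inject | Decision taken | Owner | Deadline | Notes
08:45 | Workstations encrypted | Isolate affected VLAN | IT Lead | 09:00 | MSSP to assist
09:15 | Pharmacy offline | Approve paper MARs | Director of Nursing | 09:30 | Pharmacy deliver meds by cart
09:45 | Vendor diagnostic request | Approve network isolation | Administrator | | Pending IR SLA check
"""

# Words that mark a decision as a containment action (assumption for this example).
CONTAINMENT_KEYWORDS = ("isolate", "isolation", "contain", "disconnect", "quarantine")

# Exercise date used to turn HH:MM clock values into datetimes (any date works).
EXERCISE_DAY = datetime(2026, 3, 27)


@dataclass
class DecisionRow:
    time: datetime                # clock time the decision was taken
    inject: str
    decision: str
    owner: str                    # empty string if no owner was captured
    deadline: Optional[datetime]  # None if no deadline was captured
    notes: str

    def is_containment(self) -> bool:
        text = self.decision.lower()
        return any(word in text for word in CONTAINMENT_KEYWORDS)


def parse_clock(value: str, day: datetime = EXERCISE_DAY) -> Optional[datetime]:
    """Turn 'HH:MM' into a datetime on the exercise day; a blank cell gives None."""
    value = value.strip()
    if not value:
        return None
    hours, minutes = value.split(":")
    return day.replace(hour=int(hours), minute=int(minutes), second=0, microsecond=0)


def parse_log(text: str) -> List[DecisionRow]:
    """Parse the pipe-separated log; the first non-blank line is the header."""
    lines = [line for line in text.splitlines() if line.strip()]
    rows: List[DecisionRow] = []
    for line in lines[1:]:
        cells = [cell.strip() for cell in line.split("|")]
        if len(cells) != 6:
            raise ValueError(f"expected 6 columns, got {len(cells)}: {line!r}")
        taken = parse_clock(cells[0])
        if taken is None:
            raise ValueError(f"row has no time: {line!r}")
        rows.append(DecisionRow(taken, cells[1], cells[2], cells[3],
                                parse_clock(cells[4]), cells[5]))
    return rows


def minutes_to_first_containment(rows: List[DecisionRow], detection: datetime) -> Optional[int]:
    """Minutes from detection to the first logged containment decision."""
    for row in sorted(rows, key=lambda r: r.time):
        if row.is_containment():
            return int((row.time - detection).total_seconds() // 60)
    return None  # no containment decision was logged at all: a finding in itself


def incomplete_rows(rows: List[DecisionRow]) -> List[str]:
    """Decisions the AAR cannot act on because the owner or deadline is missing."""
    return [r.decision for r in rows if not r.owner or r.deadline is None]


def containment_target_check(rows: List[DecisionRow], detection: datetime,
                             target: timedelta = timedelta(minutes=60)) -> Dict[str, Optional[bool]]:
    """Per containment decision: True if its deadline is within detection + target,
    False if it is later, None if no deadline was recorded."""
    result: Dict[str, Optional[bool]] = {}
    for row in rows:
        if row.is_containment():
            result[row.decision] = None if row.deadline is None else row.deadline <= detection + target
    return result


def aar_metrics(text: str = SAMPLE_LOG, detection_clock: str = "08:45") -> dict:
    """Bundle the metrics for the after-action report."""
    rows = parse_log(text)
    detection = parse_clock(detection_clock)
    return {
        "decisions_logged": len(rows),
        "minutes_to_first_containment_decision": minutes_to_first_containment(rows, detection),
        "incomplete_rows": incomplete_rows(rows),
        "containment_target_met": containment_target_check(rows, detection),
    }


if __name__ == "__main__":
    for key, value in aar_metrics().items():
        print(f"{key}: {value}")
```

Run it as-is to see the sample result, or read your own log from a text file and pass it to `aar_metrics` with the clock time of your inject 1. Because the note-taker in the sample logged the isolation decision at the inject time, the first-containment figure is 0 minutes; record the clock when the decision was actually taken, not when the inject was read, or the metric will flatter you. The third row shows why owner and deadline capture matters: without a deadline the script cannot say whether the isolation decision meets the 60-minute target, which is exactly the gap the AAR should list.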

Common objections and direct answers

Objection 1: “We do not have time to run exercises.”

Direct answer: Run a 90-minute focused session with pre-shared roles. You get a prioritized AAR that reduces future downtime and clarifies vendor SLAs. One well-run tabletop often shortens, or prevents, a multi-hour outage.

Objection 2: “We cannot involve external vendors in exercises.”

Direct answer: Run an internal-only exercise first. Use generic vendor injects and then run a short focused follow-up with vendor participation to verify technical actions. MSSP/MDR providers usually support simulated scenarios without touching live systems.

Objection 3: “We think our insurance and backups cover us.”

Direct answer: Insurance and backups matter but do not replace decisions on resident safety and communications. Tabletop exercises force the human decisions that insurance alone does not cover.


FAQ

How often should nursing homes run tabletop exercises?

At minimum annually, and after major IT changes, vendor changes, or staffing upheaval. Quarterly mini-drills for high-risk functions like medication administration are recommended.

Who should facilitate the exercise?

An impartial facilitator works best - an internal risk manager or an external facilitator from your MSSP/MDR or incident response partner. The facilitator does not make decisions; they prompt and capture them.

Does this exercise require access to live systems?

No. These are discussion-based exercises. If you run a technical test, coordinate with MSSP/MDR and schedule an agreed maintenance window.

What metrics indicate the exercise succeeded?

Concrete metrics: number of decisions documented, time to first containment decision, updated contact list completeness, and a prioritized 30-day remediation plan assigned to owners.

Can this template prove compliance with regulators?

It produces audit artifacts - sign-in sheets, decision logs, and an AAR - that many regulators and insurers accept as part of preparedness evidence. Check specific regulator guidance for format and retention requirements.


Get your free security assessment

If you want practical outcomes without trial-and-error, schedule your 15-minute assessment and we will map your top risks, quickest wins, and a 30-day execution plan. If you prefer a CyberReplay-run readiness check, try our facility scorecard assessment for a short technical and process review.

For hands-on follow-up and ongoing support, review our managed options: Managed Security Service Provider details and Cybersecurity services for healthcare facilities. These links help you move from tabletop findings to operational improvements with CyberReplay or your chosen vendor.

If you want a hands-on follow-up, schedule a short readiness review with an MSSP/MDR or incident response provider to: 1) validate your decision owners, 2) test vendor SLAs, and 3) align playbooks to your facility needs. Learn more about managed security and incident response options at https://cyberreplay.com/managed-security-service-provider/ and get operational help at https://cyberreplay.com/cybersecurity-services/.

If you have been breached or need immediate help, use the emergency guides at https://cyberreplay.com/help-ive-been-hacked/ and https://cyberreplay.com/my-company-has-been-hacked/.



Closing guidance

Run a short tabletop this quarter - 90 minutes, clear objectives, and use the templates above. Combine the exercise with a 30-day remediation sprint tied to vendor SLA adjustments and targeted staff training. If you lack an internal security lead, partner with an MSSP/MDR to run the exercise and to ensure fast technical response when it matters.

When this matters

When to run a tabletop and why timing matters: run a tabletop exercise before expected workload spikes such as flu season or large visitation events. Run one after any major IT change such as an EHR upgrade, network segmentation project, or new vendor onboarding. Run a session after staffing changes or turnover in clinical leadership to validate contact lists and role assignments. Finally, schedule an exercise ahead of regulator audits or contract renewals so you have demonstrable evidence of preparedness.

Practical checklist for timing: schedule an annual full tabletop plus quarterly short drills focused on high-risk workflows like medication administration and resident transfers.

Common mistakes

Avoid these frequent errors when planning and running a nursing home tabletop exercise:

  • Missing key participants: not including clinical leads, floor staff who perform medication passes, or the vendor/MSSP contact leads to unrealistic decisions.
  • Overcomplicating injects: long technical descriptions frustrate non-technical decision makers. Keep injects short and outcome-focused.
  • No decision owner capture: failing to record the named owner, deadline, and dependency makes the AAR unusable.
  • Skipping vendor coordination: if the MSSP or EHR vendor is expected to act, validate their SLA and test contact paths before the drill.
  • Treating the exercise as a checkbox: tabletop findings must feed a prioritized 30-day remediation plan with assigned owners to produce measurable improvement.