Regulatory Toolkit

HIPAA Security Rule & HC3 Tabletop Exercise Toolkit

The HIPAA Security Rule (45 CFR Part 164) requires covered entities and business associates to protect electronic Protected Health Information (ePHI) — including documented security incident response testing. HC3 (HHS Health Sector Cybersecurity Coordination Center) issues weekly threat briefings identifying active threats targeting healthcare. Skyhigh maps exercises to both.

⚠️ This toolkit is an educational resource for healthcare security exercise program design. HIPAA compliance requires assessment by qualified healthcare compliance professionals and legal counsel. This is not legal or compliance advice.
300M+ US Healthcare Records Protected
§164.308–316 Security Rule Safeguards
HC3 Weekly HHS Threat Advisories
Healthcare Sector Coverage
Understanding HIPAA & HC3 Requirements
The HIPAA Security Rule establishes a national standard for protecting ePHI across three safeguard categories. HHS HC3 provides the sector-specific threat intelligence context that makes your exercises realistic and audit-relevant.
HIPAA Security Rule — Three Safeguard Categories
The Security Rule organizes ePHI protection into three categories: Administrative Safeguards (§164.308) — policies, training, IR procedures, contingency plans; Physical Safeguards (§164.310) — facility access, workstation controls; and Technical Safeguards (§164.312) — access controls, audit controls, encryption. Tabletop exercises directly validate Administrative Safeguards — the most frequently cited gap in HHS OCR audits.
HHS HC3 — Active Healthcare Threat Intelligence
The HHS Health Sector Cybersecurity Coordination Center (HC3) publishes weekly threat intelligence specific to healthcare — ransomware campaigns targeting hospitals, medical device vulnerabilities, and sector-specific TTPs. HC3 advisories name specific threat actors (Rhysida, BlackCat, Royal) and provide IOCs. Skyhigh's scenario library incorporates current HC3-identified threats to ensure your exercises reflect today's threat landscape.
§164.308(a)(6) — Security Incident Procedures
HIPAA explicitly requires covered entities to implement policies and procedures to address security incidents — including identifying, responding to, mitigating, and documenting security incidents. Tabletop exercises are the standard method for testing these procedures. Every Skyhigh exercise generates an After Action Report that documents the incident response drill, gap findings, and remediation steps — directly satisfying §164.308(a)(6).
HIPAA Security Rule Mapping
How Skyhigh tabletop exercises map to HIPAA Security Rule safeguard requirements — Administrative, Physical, and Technical — plus the Breach Notification Rule.
HIPAA Requirement | Safeguard Description | Skyhigh Coverage | Evidence Generated
§164.308(a)(1) — Risk Analysis | Conduct accurate and thorough risk assessment of ePHI | Direct | Risk scenarios surface gaps in ePHI protection; systematic gap documentation
§164.308(a)(5) — Security Awareness Training | Regular training on security policies and procedures | Core | Each exercise counts as a documented training event for §164.308(a)(5)
§164.308(a)(6) — Security Incident Procedures | Implement procedures to respond to security incidents | Core | Exercise AAR is direct §164.308(a)(6) incident response testing documentation
§164.308(a)(7) — Contingency Plan | BCP/DR plan for critical systems containing ePHI | Direct | BCP exercises validate contingency plan effectiveness and identify gaps
§164.310 — Physical Safeguards | Facility/workstation access controls | Supporting | Physical breach scenarios (workstation theft, unauthorized access) surface gaps
§164.312 — Technical Safeguards | Access control, audit controls, encryption | Direct | Technical gap analysis from scenarios; access control testing during exercises
§164.314 — Business Associate Agreements | Security controls for third-party BA relationships | Direct | Vendor breach scenarios test BA notification and response procedures
Breach Notification Rule | 60-day breach notification to HHS and patients | Core | Breach notification timeline drills; 60-day reporting procedure testing
Healthcare Exercise Program Features
Purpose-built capabilities for healthcare covered entities and business associates managing HIPAA Security Rule compliance and HC3 threat alignment.
§164.308(a)(5) Training Documentation
Every Skyhigh exercise generates a dated training record with participants, topics covered, and learning outcomes — exactly what HHS OCR audits request for §164.308(a)(5) security awareness training. Export PDFs showing your annual exercise calendar to demonstrate an active, documented training program.
§164.308 Training Record · OCR-Ready · Annual Program
Breach Notification Timeline Drills
HIPAA's 60-day breach notification window is notoriously difficult to meet in practice. Skyhigh breach scenarios embed notification decision points — teams practice determining breach scope, notifying affected patients, reporting to HHS OCR, and for breaches greater than 500 individuals, notifying prominent media. Document the timeline and decisions as evidence of notification procedure testing.
60-Day Notification · HHS OCR · Patient Notice · Media Notice
HC3 Threat-Informed Scenario Library
Skyhigh's healthcare scenario library is informed by active HC3 threat advisories — including ransomware groups specifically targeting hospitals (Rhysida, BlackCat), medical device vulnerabilities, and healthcare BEC. Rather than generic scenarios, your exercises reflect the actual threats currently targeting your sector, as tracked by HHS HC3 analysts.
HC3 Threat-Informed · Ransomware Groups · Medical Devices · Sector-Specific
Healthcare Tabletop Scenario Library
Six healthcare-specific tabletop scenarios aligned to HIPAA Security Rule requirements and active HC3 threat advisories. All scenarios available on Pro and Team plans.
EMR · RANSOMWARE
Hospital EMR System Ransomware — Mass ePHI Encryption
Ransomware encrypts EHR/EMR systems across multiple hospital sites, forcing diversion of emergency patients. Tests §164.308(a)(7) contingency plan, breach notification (60-day clock begins), HHS OCR reporting, patient care continuity, and recovery prioritization.
§164.308 · §164.312 · HC3
MEDICAL DEVICES · VULNERABILITY
Connected Medical Device Compromise — Infusion Pump Network
Adversary exploits unpatched vulnerability in networked infusion pumps across an ICU. Tests medical device security response, FDA reporting obligations, clinical workflow continuity, §164.312 technical safeguards gaps, and third-party (device manufacturer) notification procedures.
§164.312 · FDA · HC3
FINANCIAL · BEC
Health System Business Email Compromise — CFO Impersonation
Sophisticated BEC targets health system finance team, resulting in fraudulent wire transfers. Tests §164.308 administrative safeguards, financial fraud response, legal hold procedures, insurance notification, and whether a BEC meets HIPAA breach notification thresholds.
§164.308 · Breach Criteria · BEC
THIRD-PARTY · BA
EHR Vendor Data Breach — Business Associate Compromise
A cloud EHR vendor suffers a breach exposing ePHI of 500,000+ patients across multiple covered entity clients. Tests BA agreement notification procedures, joint incident response, HHS OCR reporting, and patient notification obligations when breach originates at a business associate.
§164.308 · BA Agreement · HHS OCR
INSIDER · PHI
Unauthorized ePHI Access — Insider Curiosity/Theft
A hospital employee is found to have accessed over 2,000 patient records without authorization over 6 months. Tests §164.308(a)(1) risk analysis review, §164.308(a)(6) incident response, HIPAA minimum necessary standard enforcement, workforce sanctions, and breach notification assessment.
§164.308 · Minimum Necessary · Sanctions
OPERATIONS · DISRUPTION
Multi-Site Health System Cyber-Operational Disruption
Coordinated cyber attack forces simultaneous EHR downtime across 8 hospital sites, requiring paper-based patient care operations for 72+ hours. Tests §164.308(a)(7) contingency plan, manual operation procedures, patient safety protocols, and cross-site incident command structure.
§164.308(a)(7) · Contingency · Multi-Site
Evidence Artifacts Generated Per Exercise
Every Skyhigh healthcare exercise produces structured documentation artifacts aligned to HIPAA Security Rule requirements — ready for HHS OCR audits, internal compliance reviews, and healthcare legal counsel.
§164.308(a)(6) IR Test Record
Documented incident response drill — direct HIPAA Security Rule compliance evidence
§164.308(a)(5) Training Log
Dated security training completion record with participants and topics covered
Breach Notification Timeline
60-day notification procedure drill documentation — HHS OCR submission evidence
Contingency Plan Validation
BCP/DR exercise record — §164.308(a)(7) contingency plan testing evidence

Explore the Full Regulatory Toolkit Library

Skyhigh exercise evidence maps to multiple frameworks simultaneously. One exercise program — complete regulatory coverage.

Start Building Your Healthcare Cybersecurity Exercise Program

HIPAA §164.308(a)(6) requires documented incident response testing. Launch your first exercise today — free to start.
