The Crucial Role of Dual Incident Response Playbooks in Healthcare Cybersecurity 

Updated on November 17, 2023

As the Chief Information Officer (CIO) of a large hospital system, it is my responsibility to lead the charge in cybersecurity preparedness, and I have done this through a nuanced approach to incident response planning. In an era where healthcare organizations heavily rely on digital systems and sensitive patient data, the threat of cybersecurity incidents looms large; the importance of incident response procedures cannot be overstated. These procedures provide a structured approach to identify, mitigate and recover from security breaches, ensuring the continuity of patient care, safeguarding patient data and maintaining the trust of the community. Effective incident response procedures are not just a best practice; they are a fundamental requirement for the modern healthcare landscape, helping hospitals protect both their patients and their reputation.

To this end, we decided to take a slightly different approach. Instead of having the standard technical incident response playbook most organizations have, I asked my team to help create two different ones: one being the standard Tactical Response Team Incident Response Plan that delves into the technical nuances of incident response. The second is a Command Center Incident Response Plan that provides a high-level overview for our leadership team, allowing them to remain abreast of the technical work and guide our response to cybersecurity incidents. Together, these plans equip our organization to efficiently navigate the complex world of cybersecurity threats.

Command Center Incident Response Plan

Our Command Center Incident Response Plan serves as a guiding light for the hospital’s Leadership Team during cybersecurity incidents. In the healthcare space, we encounter cyber threats on an almost weekly basis, and often the non-technical team feels out of the loop as we decipher the severity of attacks. A playbook created specifically for them helps alleviate their confusion and helps them make decisions more effectively. 

While our technical teams focus on the intricate details of cybersecurity incident response, this plan allows our executives to provide valuable resources and guidance to our dedicated Cybersecurity Incident Response Team. It ensures that our leadership remains informed and ready to make strategic decisions. The playbook includes checklists for our key executives, including the CFO, CHR, CLO, CMO, CAO, CSO, CNE, VP of Facilities and VP of IT. It works in conjunction with the Tactical Response Team Incident Response Plan, guiding the remediation process, recovery of affected systems and reporting procedures required by law. 

Both plans adhere to the best practices defined in the National Institute of Standards and Technology (NIST) incident response lifecycle, consisting of five stages: Preparation, Detection & Analysis, Containment, Eradication & Recovery and Post-Incident Activity. Each stage is comprehensively covered in both plans, offering guidance from both a technical and leadership perspective.

The Power of Dual Playbooks

Speed and Efficiency: Technical teams can act swiftly using the Tactical Response Team Incident Response Plan to contain and mitigate threats. Simultaneously, our executives can focus on their roles with the guidance of the Command Center Incident Response Plan, ensuring the hospital’s broader stability during an incident.

Specialized Expertise: Each playbook caters to the specific expertise and responsibilities of its intended audience. This ensures clarity in roles, minimizing the risk of confusion or miscommunication during a crisis.

Legal Compliance and Reputation Management: The Command Center Incident Response Plan helps executives navigate legal and regulatory complexities while managing public relations, safeguarding our hospital’s reputation.


In the realm of healthcare, where patient data and operational continuity are paramount, cybersecurity preparedness is not an option; it’s a necessity. As the CIO of Palomar Health Hospital, I understand the gravity of our responsibility in this regard. Our dual playbooks, the Command Center Incident Response Plan for leadership and the Tactical Response Team Incident Response Plan for technical teams, exemplify our commitment to efficient and effective cybersecurity incident response. By adopting these plans, we empower our teams to act swiftly and decisively, ensuring minimal disruption to patient care and organizational stability. In an era of ever-evolving cyber threats, these playbooks are not just advisable; they are essential for safeguarding the future of healthcare at our hospital.

Anis Trabelsi headshot copy
Anis Trabelsi
Chief Information Officer at Palomar Health
With extensive security experience, Anis has led the Palomar Health security team since 2016, serving as the former Chief Security Officer and the current Chief Information Officer. As Chief Information Officer, he leads the IT Department, Cybersecurity Office and physical security functions to align key processes with regulatory compliance and with the vision, goals and objectives for reimagining healthcare security at Palomar Health. With an impressive and diverse background, Anis retired as a decorated law enforcement officer in 2016 and served honorably in the United States Marine Corps before that. He holds a master’s degree in management from the University of Redlands and a bachelor’s degree in criminal justice from the University of Phoenix.