Security Archives - Wylie Blanchard
Wylie Blanchard | Business Technology Expert, Digital Executive Advisor & Speaker
Fri, 20 Mar 2026 05:41:22 +0000

How to Run a 60-Minute Ransomware Tabletop Before a Real Incident Hits
https://wylieblanchard.com/how-to-run-a-60-minute-ransomware-tabletop-before-a-real-incident-hits/
Thu, 12 Mar 2026 17:17:00 +0000

A written incident plan is not enough. Here’s a 60-minute ransomware tabletop you can run tomorrow to test roles, decisions, and response gaps before...

Get more great content at WylieBlanchard.com... Need a great speaker for your next event, contact us to book Wylie Blanchard now.
Learn what clients are saying about his programs....

Blue and white graphic with a clipboard icon and the text: “A plan doesn’t save you. Practice does. Run a 60-minute tabletop.” Signed Wylie Blanchard.

Most organizations can point to an incident response plan.

Fewer can tell you, without hesitation, who is in charge, what gets isolated first, who approves emergency spending, and who owns the first message to staff when systems go down.

That gap matters.

In a ransomware event, the first hour is rarely about having perfect information. It is about clear ownership, fast decisions, and calm coordination across IT, operations, legal, communications, and compliance.

If you lead uptime, security, or operational risk in healthcare or an SMB, a short tabletop exercise can expose weak spots before an attacker does. The agenda below is simple enough to run tomorrow and useful enough to improve how your team responds under pressure.

The real test is not the document, it is the response

A written plan has value. But a plan that nobody has practiced often breaks down in the first few minutes of a real incident.

People hesitate.
Decision rights get fuzzy.
Too many people try to lead.
Not enough people know who can approve what.
Critical calls get delayed because nobody is sure who owns them.

That is why tabletop exercises matter. They turn policy into action. They show you whether your team can make decisions with time pressure, uncertainty, and real operational tradeoffs.

A simple ransomware scenario to run with your team

Use this prompt to start the discussion:

It is 7:00 AM. Staff cannot log in. IT confirms ransomware on three servers. What happens next?

This scenario works because it gets to the point quickly. No long setup. No complicated backstory. Just a realistic trigger that forces the team to make decisions.

A 60-minute tabletop agenda you can run tomorrow

0 to 10 minutes: Name the Incident Commander, confirm scope, set decision authority

Start with the basics.

Who is leading the response?
What do you know so far?
What decisions can be made immediately, and who can approve them?

If your team cannot identify the Incident Commander within seconds, that is a signal. You may have a written response plan, but not a usable one.

10 to 25 minutes: Decide what stays up, what gets isolated, and how to stop the spread

This is where operational tradeoffs show up fast.

Which systems are critical enough to protect at all costs?
Which systems need to be isolated now?
Who has authority to shut down access, disconnect devices, or pause workflows?

The goal here is not technical perfection. The goal is to contain the issue without making the disruption worse.

25 to 40 minutes: Call the outside partners and approve emergency spend

Many organizations lose time because they know they need outside help, but have not worked through the order of operations.

This is the moment to confirm:

  • Who contacts cyber insurance
  • Who contacts outside counsel
  • Who engages forensics
  • Who can approve emergency spending
  • Whether current contact information is easy to access

If those details live in one person’s inbox or memory, the exercise is doing its job by exposing that risk.

40 to 55 minutes: Assign one spokesperson and draft the first messages

Incidents create confusion fast, especially when employees, customers, patients, partners, or regulators may be affected.

Choose one spokesperson.
Draft the first internal message.
Set the external holding statement.
Clarify what would trigger notification requirements.

This part matters because silence creates its own problems. Teams need to know what to say, what not to say, and who owns the message.

55 to 60 minutes: Debrief and assign the top five fixes

Do not end the session when the clock runs out.

End it by capturing the top five issues the exercise exposed, assigning owners, and setting due dates.

Without that step, the tabletop becomes a calendar event instead of an operational improvement.

Keep the roles simple

You do not need a long cast of characters to make this exercise useful. Start with the core group:

  • Incident Commander: Owns the response and decision flow
  • IT Lead: Confirms technical scope and containment options
  • Legal Counsel: Advises on privilege, notification, and exposure
  • Cyber Insurance Contact: Helps activate the policy and required steps
  • Communications Lead: Owns internal and external messaging
  • Privacy or Compliance Lead: Assesses reporting thresholds and regulatory obligations
  • Operations or Clinical Lead: Brings the business or care-delivery impact into the room

In healthcare, that last role is especially important. Technical containment decisions can affect patient flow, scheduling, documentation, and other frontline operations. The response cannot live inside IT alone.

What good leaders should ask after the exercise

A short debrief can surface more value than the scenario itself. Ask questions like:

  • Could everyone identify the Incident Commander right away?
  • Were decision rights clear, or did people talk around ownership?
  • Did the team know which systems were truly mission-critical?
  • Were outside contacts, including insurance and counsel, current and accessible?
  • Did anyone discover a hidden dependency that would slow containment?
  • Were communications and notification triggers clear?
  • What five fixes would reduce confusion the fastest?

These are leadership questions as much as technical ones.

Why this matters even more in healthcare and other regulated environments

In healthcare, ransomware is not just a security issue. It can affect access to systems, staff coordination, patient communications, privacy obligations, and continuity of care.

The same is true in other regulated settings such as finance and education. When downtime intersects with sensitive data, reporting thresholds, and operational disruption, vague plans become expensive very quickly.

That is why a tabletop should test more than the technical response. It should test governance, escalation paths, communication discipline, and ownership under pressure.


The goal of a tabletop is not to prove your team is perfect.

The goal is to find confusion before a real incident does.

One focused hour each year can turn a static plan into something your team can actually run under pressure.

If you own uptime or security in healthcare or SMB environments, make this a recurring exercise, not a one-time discussion. Repetition is what builds confidence, speed, and better decisions when the stakes are real.

If this topic is part of your role, join my newsletter for one practical playbook each week on security, continuity, and IT leadership.

Why Disabling Email Is Not Enough During Offboarding
https://wylieblanchard.com/why-disabling-email-is-not-enough-during-offboarding/
Sun, 08 Mar 2026 08:58:00 +0000

Disabling email does not always remove access. Offboarding gaps often leave data, apps, and approvals exposed long after an employee exits, which means...

Graphic reading “Email Off, Access On” with a disabled email icon on the left and open links to files, apps, and data on the right, showing offboarding gaps.

Many organizations treat offboarding like an account shutdown exercise. HR processes the exit. IT disables the email account. The identity record is turned off, and the team moves on.

That sounds complete, but it often is not.

In healthcare, education, and nonprofit environments, the bigger risk usually sits beyond the main account. Access can remain in shared drives, cloud apps, finance tools, vendor portals, and local systems that were never tied back to a central process in the first place.

That is where offboarding breaks down.

Offboarding has three separate control points

A clean exit process should cover three things:

Identity
Who the person is in the system.

Access
What systems and permissions they still have.

Data
What records, files, messages, or histories they can still reach.

Many teams handle the first one well. Fewer handle the second and third with the same discipline.

That gap matters because disabling identity does not always remove downstream access. A person can lose their primary login and still have active permissions in other places. In some cases, those paths remain open for weeks or months.

Where the gap shows up first

This problem tends to surface in the same types of systems:

  • Shared drives that contain patient, student, donor, or staff records
  • Financial platforms where approval rights were never fully removed
  • Vendor portals tied to an old inbox or a personal credential
  • Cloud applications authenticated outside the company’s single sign-on process
  • Collaboration platforms that still hold sensitive conversations and files
  • Password managers or shared service accounts
  • Local accounts created outside the HR and IT workflow

These are not edge cases. They are predictable misses.

The common thread is simple: anything outside your standard identity process is easier to overlook.

Why this keeps happening

Most offboarding gaps are not the result of bad intent. They are the result of fragmented ownership.

HR may own the separation workflow. IT may own the directory account. Security may review logs. Department leaders may know which tools the person actually used. Finance may control a separate approval platform. Operations may rely on local accounts no one formally tracks.

When nobody owns the full picture, controls become partial by default.

That is why organizations often think they have an offboarding process when what they really have is a series of disconnected actions.

A simple 90-day audit can tell you the truth

If you want a fast reality check, start with your last 90 days of terminations.

Use a simple review process:

  1. Pull the list of employees or contractors who exited in the last 90 days.
  2. Identify your 10 most critical systems.
  3. Pull last-login or activity reports for those former users.
  4. Compare any activity dates to the user’s exit date.

If a former employee still shows activity after separation, you likely have a control gap.

There is another signal to watch for: if a system cannot produce a reliable last-login report, that is a risk in itself. You cannot verify removal if you cannot verify access.
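
The four review steps above, as a short Python script. This is an added example, not part of the original post; the user names, system names, CSV column names, and dates are constructed for illustration.

```python
"""90-day offboarding audit: flag former users active after their exit."""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample data (not from any real system).
AS_OF = datetime(2026, 3, 20)  # assumed date the review is run

# Step 1: exits exported from HR. cortiz left more than 90 days ago.
EXITS_CSV = """user,exit_at
adavis,2026-01-15T17:00:00
bnguyen,2026-02-02T17:00:00
cortiz,2025-10-01T17:00:00
"""

# Steps 2-3: one last-login export per critical system (three shown here).
# None means the system owner could not produce a report at all.
LAST_LOGIN_REPORTS = {
    "shared-drive": """user,last_activity
adavis,2026-01-15T09:12:00
bnguyen,2026-02-20T08:30:00
""",
    "finance-approvals": """user,last_activity
ADavis,2026-03-01T14:05:00
cortiz,2026-01-10T10:00:00
""",
    "vendor-portal": None,
}


def parse_rows(text, user_field, time_field):
    """Return {normalized_user: latest datetime} from a CSV export."""
    rows = {}
    for row in csv.DictReader(io.StringIO(text)):
        # Exports rarely agree on case or padding, so normalize the key.
        user = row[user_field].strip().lower()
        when = datetime.fromisoformat(row[time_field].strip())
        if user not in rows or when > rows[user]:
            rows[user] = when
    return rows


def audit(exits_csv, reports, as_of, window_days=90):
    """Step 4: compare each system's last activity to the exit time.

    Returns (findings, unverifiable_systems). A finding is any activity
    timestamp later than the user's exit. Activity earlier on the exit day
    is not flagged, which is why timestamps are compared, not dates.
    """
    exits = parse_rows(exits_csv, "user", "exit_at")
    cutoff = as_of - timedelta(days=window_days)
    in_scope = {u: t for u, t in exits.items() if cutoff <= t <= as_of}

    findings, unverifiable = [], []
    for system, text in sorted(reports.items()):
        if text is None:
            # No report means removal cannot be verified for this system.
            unverifiable.append(system)
            continue
        activity = parse_rows(text, "user", "last_activity")
        for user, exit_at in sorted(in_scope.items()):
            last = activity.get(user)
            if last is not None and last > exit_at:
                findings.append({
                    "user": user,
                    "system": system,
                    "exit_at": exit_at,
                    "last_activity": last,
                    "days_after_exit": (last - exit_at).days,
                })
    return findings, unverifiable


if __name__ == "__main__":
    found, blind = audit(EXITS_CSV, LAST_LOGIN_REPORTS, AS_OF)
    for f in found:
        print(f"{f['user']} active in {f['system']} "
              f"{f['days_after_exit']} days after exit")
    for system in blind:
        print(f"{system}: no last-login report, removal cannot be verified")
```

A user who is absent from a report is treated as having no recorded activity, so a report that silently omits disabled accounts would hide findings; confirm with each system owner what the export covers.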

What stronger offboarding looks like

A better process does not need to be complicated. It does need clear ownership.

A practical model looks like this:

1. Identity: one stop point

Use a central identity process, ideally through single sign-on, as the trigger for offboarding. The goal is one reliable action that starts the shutdown sequence.

2. Access: role-based removal

Different jobs create different access footprints. A nurse, controller, case manager, registrar, and operations lead should not all use the same offboarding checklist. Build role-based checklists for the systems and privileges tied to each function.

3. Data: named owner confirmation

Every critical application should have a named owner. That owner should confirm access removal, transfer of files, and disposition of shared records within a defined window, such as 24 hours.

This shifts offboarding from assumption to accountability.

Why regulated organizations should care more

In regulated environments, offboarding is not just an IT housekeeping issue.

Healthcare organizations manage protected health information. Education organizations manage student records. Nonprofits often handle donor, program, financial, and beneficiary data across a wide mix of systems. When access does not match current employment or current role, the issue quickly moves beyond operations and into audit, privacy, and governance territory.

The risk is not only that a former employee can still get in.

The larger concern is that excess access often exists across the board. If former staff still have permissions, current staff may also have access they no longer need. That points to a broader access governance problem, not a one-off offboarding miss.

Questions leaders should ask now

If you want a stronger handle on this issue, start with five questions:

  • Which systems are included in our offboarding process today, and which are outside it?
  • Can we see last-login activity for every critical application?
  • Do we have role-based offboarding checklists, or just a generic termination ticket?
  • Does every critical system have a named business owner?
  • How quickly do we confirm access removal after an exit?

These questions can reveal weaknesses fast.


Shutting off email is not the same thing as shutting off access.

A complete offboarding process covers identity, permissions, and data exposure. If even one of those areas is left open, the organization is carrying unnecessary risk.

Start with a 90-day review. Check terminated users against your most important systems. Look for post-exit activity. Then assign ownership where the process is still vague.

That one review can tell you whether your offboarding process is really closing the door, or just turning off the lights.

Most Board Cyber Briefings Are Built for Audits, Not Outages
https://wylieblanchard.com/most-board-cyber-briefings-are-built-for-audits-not-outages/
Wed, 18 Feb 2026 14:16:00 +0000

Passing an audit does not mean you can operate through an outage. Here are five boardroom questions that reveal real cyber risk before...

Cover graphic with the title “5 Cyber Questions Boards Should Ask” in blue text, with “Boards Should Ask” emphasized in bold outlined lettering. Centered below is a black line icon of a checklist and pen. The subtitle reads “Beyond compliance checkboxes.” “Wylie Blanchard” appears at bottom left, with a blue arrow at bottom right on a light gray background.

Many board cyber briefings are built to prove compliance.

They show that policies exist, training happened, and audits were cleared. Those things matter. They help establish accountability and reduce obvious gaps.

But they do not answer the question that matters most when systems are down and people are waiting:

Can the organization keep operating under pressure?

That is where real risk sits.

In regulated environments like healthcare and education, boards often receive updates that are technically correct but operationally incomplete. A clean audit may confirm that required controls are in place. It does not confirm that the organization can restore services quickly, make good decisions under stress, or continue serving people during a disruption.

Good governance requires more than evidence of compliance. It requires visibility into resilience.

Compliance Is Necessary, but It Is Not the Same as Readiness

Compliance helps organizations meet a standard. Readiness helps them keep functioning when something goes wrong.

That distinction matters.

An organization may have backups, documented policies, annual training, and favorable audit results. But when an outage hits, leadership still needs answers to practical questions:

  • How long will recovery take?
  • Who is making decisions?
  • What dependencies could slow response?
  • What happens if a key person is unavailable?
  • What will the disruption cost in operations, reputation, and recovery?

Those are not abstract questions. They shape whether an organization can continue delivering care, instruction, services, or support when systems fail.

Five Better Questions for the Boardroom

Here are five questions that surface operational risk faster than a standard compliance update.

1. If our systems went down tomorrow, how long until we are back up, and when did we last test that?

Compliance often asks whether backups exist.

A stronger board question asks whether recovery actually works.

Backups are only part of the story. The real issue is whether systems can be restored within a time frame the organization can tolerate. That means knowing recovery targets, validating dependencies, and testing restoration under realistic conditions.

If the answer is unclear, outdated, or based on assumptions rather than exercises, the organization may be carrying more risk than leadership realizes.

2. How long does it take us to patch critical issues, and who owns the delays?

Policies can say critical vulnerabilities must be addressed quickly.

That is not the same as knowing how long patching actually takes.

Boards should understand cycle time, exception handling, and where delays tend to happen. Is the issue staffing? Change approvals? Legacy systems? Vendor dependency? Competing priorities?

A measured process gives leadership something real to manage. A written policy without execution data leaves too much hidden.

3. Who can access our most sensitive data today, and when did we last review that list?

Access problems are often quiet until they are not.

Over time, permissions accumulate. Contractors stay active longer than expected. Former roles keep access they no longer need. Temporary exceptions become permanent. None of this is unusual, which is exactly why it deserves attention.

Boards do not need a technical dump. They need confidence that access to sensitive systems and data is reviewed regularly, justified clearly, and reduced when it is no longer needed.

That is how organizations limit exposure before an incident exposes it for them.

4. If our lead IT person is out for two weeks, can someone else step in using clear runbooks without dropping the ball?

Single points of failure are not only technical.

They also show up in people, process knowledge, vendor relationships, and undocumented workarounds.

Many organizations rely heavily on one or two trusted individuals who know how systems really work. That may feel efficient day to day. It becomes a serious risk during an outage, leadership transition, or extended absence.

Boards should ask whether critical responsibilities are documented, repeatable, and supported by clear runbooks. If not, continuity may depend too much on memory and availability.

5. What would a likely incident cost us in downtime, notifications, and recovery, and can we absorb it?

Cyber risk is often discussed in broad terms.

Boards need it translated into operational and financial impact.

What would a realistic incident mean for downtime, patient care, classroom disruption, customer service, regulatory response, legal support, communications, and recovery costs? How much of that can the organization absorb without major strain?

Insurance may help offset some losses. It does not reduce the need for leadership to understand the impact beforehand.

A board that understands incident cost is in a better position to make smarter investment, staffing, and resilience decisions.

What Boards Really Need From Cyber Briefings

A useful cyber briefing should do more than confirm that boxes were checked.

It should help leadership see where the organization is strong, where it is exposed, and what needs attention now. That means shifting at least part of the conversation from policy status to operational performance.

Boards do not need more jargon.

They need clear answers to practical questions like:

  • What could interrupt service?
  • How long could that interruption last?
  • What have we tested?
  • Where are we relying too heavily on one system, one vendor, or one person?
  • What is improving, and what is still unresolved?

That kind of briefing supports better governance because it makes risk visible in terms leadership can act on.


Good governance does not eliminate risk.

It makes risk visible, and it tests whether the organization can keep operating through pressure.

That is the difference between being audit-ready and being disruption-ready.

And in healthcare, education, and other regulated environments, that difference matters more than many board packets admit.

We did it — Zero-Downtime Care just hit #1 bestseller on Amazon
https://wylieblanchard.com/we-did-it-zero-downtime-care-just-hit-1-bestseller-on-amazon/
Sun, 21 Dec 2025 12:49:00 +0000

We did it—Zero-Downtime Care just became an Amazon #1 bestseller. Grateful for everyone pushing better uptime and care into the spotlight...

Animated GIF of the Amazon listing for “Zero-Downtime Care” by Wylie E. Blanchard Jr, with an orange arrow highlighting the #1 Best Seller badge in Medical Technology.

I’m grateful.
Grateful for every message, every share, and every person who supported the book and pushed this launch forward.

Thank you for helping bring more clarity, confidence, and calm into how healthcare leaders approach modernization. This win isn’t just about a book ranking — it’s about pushing better uptime, better care, and better outcomes into the spotlight.

If you’d like to help keep the momentum going, I’ve shared how you can support the book in the first comment.

More to come — and thank you again.

— Wylie


Want to continue supporting the effort? Learn how you can help at: https://www.zerodowntimecare.com/thank-you/


This content was originally posted on LinkedIn.

My first book — Zero-Downtime Care — officially launched
https://wylieblanchard.com/my-first-book-zero-downtime-care-officially-launched/
Thu, 18 Dec 2025 12:24:00 +0000

Zero-Downtime Care is live: a playbook to turn healthcare IT from daily stress into a strategic engine for care. Meet the leaders it was written for...

book on table. Book cover text: Zero-Downtime Care A Plain-English Playbook for Providers, Payers & Population-Health Leaders to Secure and Scale IT By Wylie E. Blanchard, Jr

A milestone I’ve been working toward for nearly a year is now complete.

I wrote this book for healthcare leaders who are carrying the weight of outcomes, operations, and compliance—often while navigating technology that wasn’t built for today’s demands.

If we’ve worked together, you already know my mission: make technology feel less like a threat and more like a stable, strategic engine for better patient care. That mission is at the heart of this book.

For launch day, we’ve set the Kindle edition to $0.99 as we push to land on the Amazon Best Seller list.

If you pick up a copy, I’d love to hear what resonates. And if there’s a leader in your network who’s wrestling with modernization, feel free to pass it along.

Thank you for celebrating this milestone with me.


Here’s the Amazon link — Kindle version discounted for the initial launch. Kindle purchases help the most with achieving bestseller status. Appreciate you!


This content was originally posted on LinkedIn.

I did something cool: I wrote a book
https://wylieblanchard.com/i-did-something-cool-i-wrote-a-book/
Tue, 16 Dec 2025 11:48:00 +0000

Zero-Downtime Care launches in 2 days—a plain-English playbook for leaders modernizing healthcare tech without chaos. Get a free preview of chapter one...

Wylie holding copies of his book, Zero-Downtime Care

I wrote a book.

After nearly a year of writing and revising, Zero-Downtime Care launches in 2 days — Tuesday, November 18 at 9:00 AM CT on Amazon.

It’s a plain-English playbook for healthcare executives and business leaders who want to modernize technology without chaos or downtime.

Here’s how you can be part of launch day:

  1. Grab the Kindle edition on Tuesday at 9:00 AM CT using the launch link I’ll share.
    Concentrating purchases in one format helps push the book onto Amazon’s Best Seller lists.
  2. Share it with one colleague who leads healthcare operations, IT, or compliance.
    A single forward or tag does more than any ad I could buy.
  3. After you buy, comment or message me “Done.”

Want a preview now?
You can read the Introduction + Chapter One for free. It breaks down how outdated systems quietly undermine care—and how the CARE Modernization™ Framework fixes it.

If you’ve been part of this journey in any way—client, colleague, or connection—thank you.

Excited to lift this off with you on Tuesday.


All the companion tools—Clarity Snapshot, Stakeholder Flight-Plan, Launch-Readiness Checklist, and more—are already live and free at ZeroDowntimeCare.com/tools. Sign up for updates and get the Intro and first chapter now.


This content was originally posted on LinkedIn.

Is It a Drill or a Breach? The Midnight Alarm Test
https://wylieblanchard.com/is-it-a-drill-or-a-breach-the-midnight-alarm-test/
Sun, 12 Oct 2025 08:11:00 +0000

A midnight alarm, waved off as a drill, turned into fines—swap flames for PHI. Run a no-notice tabletop and time the response. Can your team tell drill from real...

Chicago Gate. Image text: Cyber Drill or Real Breach.

Picture the fire alarm at midnight.

One guard thinks it’s a drill, has a snack, and twenty minutes later half the wing is smoke-logged.

Swap flames for PHI and you’ve got our recent near miss: an after-hours alert brushed off as “probably a test,” triggering fines none of us budgeted for.

Block 45 minutes this week for a no-notice tabletop exercise.

Phones, pagers, personal email—see who shows up and how fast.

How do you make sure your team can tell a drill from the real thing?


Need motivation? 
Watch one of our short Cyber Attack Awareness videos and count how many controls you spot missing. https://www.reintivity.com/how-vulnerable-is-your-greater-chicago-business-to-cyber-attacks/


This content was originally posted on LinkedIn.

Imaging on the move: Cloud Migration Missteps
https://wylieblanchard.com/imaging-on-the-move-cloud-migration-missteps/
Sat, 04 Oct 2025 08:40:00 +0000

Cloud migration can feel like a new highway that still jams—legacy servers hide bottlenecks. Here’s how to spot them and plan a zero-downtime hand-off...

Chicago expressway with city buildings in the background. Image text: Imaging on the move: Cloud Migration Missteps

Ever cleared a new lane on the highway only to see traffic jam up anyway?

That’s what can happen during a cloud migration: shiny route, hidden bottleneck.

Legacy imaging servers—the ones humming in a back closet—often hold untracked dependencies.
If you flip the switch without spotting them first, files stall, scans repeat, and schedules slide.

Take five minutes today and inventory one DICOM node that predates your youngest team member.
Map every system that still calls it home, then book its retirement before your next cut-over.
Future you—and every patient downstream—will thank you.

Need a step-by-step for zero-downtime hand-offs?


Grab my one-page Launch-Readiness Checklist.

Which dusty server is still hiding in your equipment closet?


This content was originally posted on LinkedIn.

Security = preflight checks by a ready team
https://wylieblanchard.com/security-preflight-checks-by-a-ready-team/
Thu, 02 Oct 2025 09:33:00 +0000

Like a flight crew before takeoff, every business needs a security auditor and a leader who turns findings into wins. Here’s what “great” really looks like...

Wylie Blanchard standing in an airport in front of a window with an airplane in view. Image text: You don't have to be a security auditor but you need one on your team.

Snapped this at the gate this morning. Before a plane leaves, a crew runs checklists, ground teams prep, and the pilot makes the final call.

Security in business works the same way.

Every business needs a security auditor.

You don’t have to be one—but you do need one on your team (and a leader who turns their findings into business wins).

When I help clients build tech teams, here’s the split that actually works:
– Auditors map controls to recognized frameworks (NIST CSF, PCI DSS) and test what’s real—not what’s hoped.
– Leaders translate those controls into budgets, deadlines, and workflows people can run every day.

What “great” looks like in plain English:

  • Advice you can act on (not just checklists).
  • Communication that calms—clear updates, no scare tactics.
  • Ongoing education + teamwork so the same problem doesn’t boomerang.

Next: Conduct a sanity check for your upcoming project(s) to verify where a security auditor and a clean plan fit.


This content was originally posted on LinkedIn.

I stopped chasing “stronger passwords” years ago. Here’s Why?
https://wylieblanchard.com/i-stopped-chasing-stronger-passwords-years-ago-heres-why/
Sat, 20 Sep 2025 09:37:00 +0000

Stronger passwords aren’t the answer—habits are. MFA, a password manager, and phishing drills cut risk fast. Security works best when it feels...

Wylie E Blanchard Jr

Because attackers don’t just guess—they trick and reuse.

Here’s what actually moves the needle:

  1. MFA/passkeys on the money apps (email, payroll, finance, anything customer-facing).
  2. Password manager for everyone to end the “Summer2025!” habit.
  3. Monthly/quarterly phishing drill: one test, measure report rate, share lessons—no shaming.

Add login alerts on critical systems so strange sign-ins don’t become strange invoices.

Security works when it feels boring and repeatable. If you make these three habits default, you’ll drop a lot of risk without buying another tool.

What’s the one habit you’ll start this week—MFA/passkeys, password manager, or monthly drill?


This content was originally posted on LinkedIn.
