Tabletop Exercises That Don't Waste a Chief's Afternoon
Most tabletop exercises waste a chief's afternoon. I've sat through enough of them to know the pattern. Someone reads a scenario for twenty minutes. People discuss what they would do in general terms. Someone types notes. Then everyone walks out with a PDF they will never open again.
That format works for compliance. It does not work for operations.
If you run a fire or EMS agency, your tabletop needs to produce one thing: a decision list with owners and deadlines. If the exercise ends and nobody has a new task assigned to their name, the exercise failed. Here is the format that actually works, the four scenarios worth your time, and the after-action template that gets used instead of filed.
The Decision-First Format for EMS Tabletop Exercises
The standard corporate TTX is a narrative read-aloud. Someone describes a situation for thirty minutes, then asks for discussion. The problem is that nobody makes a real decision under those conditions. There is no pressure, no clock, and no consequence for being wrong.
The format that works is injection-based. You start with a one-sentence inject that forces a decision. Then you ask a specific question. The answer goes into a decision log. If the answer is "we will figure that out in the moment," that is a gap. You write it down and assign someone to fix it.
Here is how a single inject cycle works:
- The inject: "The vendor just told us the recovery will take 48 hours, not 4."
- The question: "Who makes the call to switch to paper, and what is the exact trigger?"
- The output: Either a named person with a defined condition, or a gap that needs an owner.
Run four to six injects per scenario. Each inject takes ten minutes. That gives you a 90-minute exercise that produces actual work.
Ransomware Mid-Shift: The Operational Crisis Scenario
This is the scenario that keeps me up at night. Ransomware hits your CAD and ePCR systems at the peak of a shift. Local servers are encrypted. Cloud backups are pending. Your crews are still running calls, but they cannot access patient history and they cannot document in the system.
The injects for this scenario should force decisions about:
- The trigger for switching to paper. Who decides, and what conditions have to be met? If the answer is "when the system goes down," that is not specific enough. The system might be slow before it goes down. The decision needs a clear threshold.
- Shift handover. How do you transfer a shift when the digital record is missing? The off-going crew has information in their heads. The oncoming crew needs that information. If there is no process for a verbal handover with a paper backup, you have a gap.
- The ransom decision. Do you pay to restore clinical data, or do you rely on backups? This is not a technical question. It is a policy question that needs to be answered before it happens, not during.
I wrote about the data-sharing side of this in Mutual Aid and the Data-Sharing Agreement You Don't Have. The same principle applies here. If you have not decided who calls the shots during a ransomware event, you have already lost the time you cannot afford to lose.
ePCR Vendor Cloud Outage: Testing Your Vendor Dependency
Most agencies run their ePCR on a cloud platform. When that platform goes down, you cannot sync, you cannot bill, and you cannot access historical patient records for ongoing care. The vendor might be down for four hours or four days. You do not control that timeline.
The injects for this scenario should test:
- Offline mode verification. How do you confirm that every tablet in the fleet is actually collecting data in offline mode? The answer cannot be "we assume it works." Someone needs to check, and they need a procedure for checking.
- Clinician communication. When a medic cannot pull up a patient's history because the cloud is down, what do they do? Do they call the hospital? Do they rely on the patient's report? The answer needs to be in a protocol, not invented on scene.
- Billing impact. A prolonged outage means delayed billing. If your agency depends on timely reimbursement, a two-week billing gap can cause cash flow problems. The exercise should surface who tracks that and what the escalation looks like.
ED EMR Outage: The Interoperability Gap
Your primary receiving hospital loses its EMR. You cannot transmit reports digitally and the ED cannot receive them. Patient offload slows down. Wall time goes up. Your crews are stuck in the bay with a patient they cannot transfer and a report they cannot send.
This scenario is worth running because it is the most likely of the four. Hospital EMR outages happen regularly. Most agencies do not have a practiced fallback.
The injects should cover:
- The fallback method for transmitting critical patient data. Verbal report, paper printout, or secure fax. Pick one and make sure everyone knows how to use it.
- Wall time management. When the hospital's intake process is crippled by a tech failure, your crews sit. Who tracks that time and who decides to divert? Who communicates with the hospital's incident command?
- Data integrity after restoration. When the EMR comes back, how do you make sure no patient records were lost in the gap? This is a reconciliation problem that needs a process.
Billing Clearinghouse Compromise: The HIPAA Notification Trigger
A third-party billing clearinghouse is breached. PHI for thousands of your patients is exfiltrated. The breach happened at the vendor, but your agency is the covered entity under HIPAA. The notification clock starts ticking whether the vendor is ready or not.
This scenario is uncomfortable because it involves legal exposure and public trust. That is exactly why you should run it.
The injects should test:
- The notification trigger. When does the clock start for patient notification? The answer depends on when you know about the breach, not when the vendor confirms it. If your legal counsel is not in the room for this inject, you have a problem.
- Record verification. How do you determine which specific records were leaked? The vendor will give you a list. You need someone who can verify that list against your own records.
- Public communication. What do you tell the public while the vendor is still investigating? The answer should be drafted in advance, not written under pressure.
The After-Action Template That Gets Used
Standard after-action reports are too long. Nobody reads a ten-page AAR. The format that works is a three-column table.
| The Gap | The Decision or Fix | Owner and Deadline |
|---------|-------------------|-------------------|
| No one knows where the paper charts are stored | Assign logistics chief to audit paper stock and map storage locations | Chief Miller / June 21 |
| No trigger defined for switching to paper mode | Draft SOP with specific conditions and approval chain | IT Director / June 28 |
| Billing clearinghouse breach notification plan does not exist | Work with legal counsel to draft notification template and decision tree | Agency Counsel / July 5 |
That is the entire AAR. Three columns. Actionable items. If a row does not have an owner and a deadline, it does not belong in the report.
Frequently Asked Questions
How long should a public safety tabletop exercise actually take?
90 to 120 minutes. The goal is to identify decision gaps, not to simulate every minute of a crisis. Focus on four to six injects per scenario and keep each inject cycle to ten minutes. Anything longer than two hours loses the room.
What is the most important outcome of a cybersecurity TTX for a fire chief?
A concrete decision list with assigned owners and deadlines. If the exercise does not produce a specific task like "update the backup communication plan" with a name and a due date, it was a waste of time.
Why focus on vendor outages instead of just internal hacks?
Most modern EMS agencies depend on cloud-based ePCR and billing tools. A vendor outage is statistically more likely than a targeted internal hack, and it causes the same operational paralysis. You need to test your offline capabilities and your vendor communication paths.
How many scenarios should we run in one session?
One. Pick the scenario most relevant to your current risk profile and run it well. Running two or three scenarios in a single session guarantees that none of them get the attention they need.
Who should be in the room for these exercises?
The chief or director, the IT lead, the shift supervisor, and legal counsel. Without legal counsel in the room, the billing clearinghouse scenario produces a theoretical conversation. The people who would actually make the decisions need to be the ones making them in the room.
Run one of these scenarios using the injection format. Write the three-column AAR and assign the tasks. That is a chief's afternoon well spent.
-- Steven