CISO insights (August 2025)

Rethinking cyber responses by learning from Health

In this commentary, VMIA Chief Information Security Officer, Ian Pham, reflects on a cyber incident exercise that changed his perspective on cyber response planning and the value of learning from other sectors.

When it comes to responding to cyber incidents, too often we focus inward - relying on our own sector's norms, tools, and assumptions. But resilience is not built in isolation. Other sectors, especially those where lives are at stake, have developed robust and structured frameworks that can offer valuable lessons for how we prepare, respond, and recover.

There’s much we can learn from other sectors such as health, where crisis management is second nature, and apply those principles to strengthen our own cyber response. It’s about keeping an open mind, challenging the way we’ve always done things, and being willing to adapt. That perspective became particularly clear to me last year when we had our annual tabletop exercise to assess VMIA’s cyber incident preparedness and response, facilitated by an external cyber consultancy.

A different perspective

To broaden our insights, we invited Ursula Harrisson, our Medical Indemnity Harm Prevention Manager with over 20 years of midwifery experience, to observe the session and offer her unique perspective.

Ursula’s feedback was direct: the exercise would offer minimal value if we were to face a real major cyber incident. Her main concern was that the exercise lacked the resilience and 'muscle memory' training that are essential for effective crisis response. In her words, it simply didn’t replicate the pressure and complexity of a live event.

She then shared her experience from the health sector, introducing me to frameworks such as ISBAR (Introduction, Situation, Background, Assessment, Recommendation) and PROMPT (Practical Obstetric Multi-Professional Training). Collaborative training in clinical practice routinely includes specialist teams, emergency services, and external stakeholders—unlike the traditional approach in cyber, which often focuses only on the immediate response team. Involving all relevant parties in exercises clarifies roles, strengthens coordination, and builds resilience. These tools are the gold standard in preparing clinical teams for emergencies, ensuring that communication is clear, roles are defined, and responses are practised until they become second nature.

Her insights highlighted how these frameworks have shaped the way her team responds to incidents, driving improvements in operational processes, communication, and overall resilience.

“The health sector’s commitment to regular, simulation-based training, clear command structures, and continuous improvement stood in stark contrast to the more ad hoc approach often seen in cyber security.”

Taking Ursula’s feedback on board, I’ve since transformed how my cyber team manages incidents. We’re now embedding more rigorous training and clearer communication protocols, increasing the use of checklists for quality assurance, and adopting elements of proven health frameworks to build our own ‘muscle memory’ for cyber crises.

Lessons for the cyber security community

Hospitals excel at incident response because of their maturity, regulation, and ingrained culture of safety. Cyber security, while evolving rapidly, can learn much from these established practices. At VMIA, we see an opportunity to bridge this gap by supporting our clients with risk maturity assessments and insurance solutions that help build true resilience.

I encourage cyber leaders to embrace new perspectives, question traditional approaches, and learn from sectors that have demonstrated resilience in the face of ongoing change.

By learning from the health sector’s approach to incident management, we can raise the standard of our cyber incident response—ensuring we’re ready not just to react, but to recover and thrive in the face of cyber threats.