LockBit Scenario: Cedar Valley Medical Center Crisis
Planning Resources
Scenario Details for IMs
Cedar Valley Medical Center: Major Hospital Facing Data Theft Ransomware
Organization Profile
- Type: Major acute care hospital and Level I trauma center
- Size: 750-bed facility, 3,200 employees (700 physicians, 1,300 nurses, 1,200 support and administrative staff)
- Operations: Emergency services, intensive care, surgical services, specialized trauma care, inpatient/outpatient services, research programs
- Critical Services: 24/7 Level I trauma center (95,000 annual ED visits), intensive care units (90 beds), surgical suites (24 operating rooms), cardiac care, oncology, maternal-fetal medicine, comprehensive patient monitoring across all departments
- Technology: Enterprise EHR system (Epic), medical device networks, patient monitoring systems, laboratory and imaging systems, financial systems, research databases, backup infrastructure
Cedar Valley Medical Center is the primary Level I trauma center for a metropolitan area of 1.2 million residents. The hospital performs complex surgeries, manages high-acuity patients, and coordinates regional trauma response. Current status: Flu season surge with ED at 150% capacity (45 patients waiting), ICU completely full, all surgical suites in active use.
Key Assets & Impact
What’s At Risk:
- Patient Life Safety: ED treating 45 critical patients, ICU monitoring 90 high-acuity cases, 8 surgeries currently in progress—complete system encryption means no access to patient allergies, medications, lab results, or medical imaging during life-threatening situations
- Critical Care Operations: EHR contains medical histories for 750 current inpatients—physicians making treatment decisions without access to vital patient information risk medication errors, surgical complications, and preventable deaths
- Protected Health Information (PHI): Attackers claim to have exfiltrated patient records for thousands of patients—data breach requires HIPAA notification, OCR investigation, potential millions in fines, reputational damage that affects patient trust and referral patterns for years
Immediate Business Pressure
Tuesday evening, peak flu season. Cedar Valley activated surge protocols at 2pm. Emergency department treating 45 patients with 8+ hour wait times. ICU at absolute capacity with no available beds. Eight surgical teams in active procedures when ransomware activated at 7:15pm. Every screen displays ransom demand: $4.5 million Bitcoin, 72 hours to pay. Threat actors contacted CEO at 7:22pm via encrypted email, provided samples of stolen patient records as proof.
Dr. Amanda Rodriguez (ED Director) has patient with severe chest pain requiring immediate cardiac catheterization. Cannot access patient’s allergy records, previous cardiac history, current medications, or recent lab results. Making treatment decisions blind. Wrong medication could be fatal. Surgical team lost access to pre-operative imaging mid-procedure. ICU cannot access ventilator settings or medication dosing for 90 critical patients. Hospital operations have completely halted during highest patient acuity period.
Critical Timeline:
- Current moment (Tuesday 7:30pm): All systems encrypted, threat actors demanding $4.5M Bitcoin with 72-hour deadline, CEO receiving direct contact claiming patient data theft
- Stakes: Patient lives at immediate risk from lack of access to medical records, data breach affects potentially hundreds of thousands of patients triggering regulatory investigation, hospital cannot operate without systems
- Dependencies: 45 ED patients requiring treatment now, 90 ICU patients on life support, 8 active surgeries, regional trauma system routing Level I cases to Cedar Valley (no alternative trauma center for metro area), regulatory reporting clock started at breach discovery
Cultural & Organizational Factors
Why This Vulnerability Exists:
- Patient care demands override security maintenance: Hospital culture dictates “patient first, systems second”—when IT proposed taking systems offline for security hardening, clinical leadership refused during flu season surge. Security updates postponed for “when it’s less busy.” But trauma center is never less busy—perpetual high-acuity operations mean security maintenance becomes “never the right time.”
- Backup isolation sacrificed for operational speed: Hospital backup systems were designed with rapid restore capability—IT proposed air-gapped backups with 24-hour restore time, but clinical leadership demanded 2-hour restore for patient care continuity. Result: backups remained network-connected for speed, and attackers encrypted them along with primary systems.
- Phishing training fails under operational pressure: Attackers gained initial access via phishing email to hospital administrator during surge conditions. Staff receive security training, but physicians and administrators processing 200+ emails daily during crisis operations don’t have cognitive bandwidth for careful email analysis. Security awareness becomes theoretical when staff are overwhelmed.
- Weeks-long reconnaissance went undetected: Hospital security monitoring focuses on keeping systems running, not detecting intrusions. IT security team (4 people) manages 3,200 employee devices, hundreds of medical devices, research systems, and administrative networks. Proactive threat hunting is aspirational—they respond to alerts when possible. Attackers moved laterally for weeks exfiltrating data undetected.
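The last point above is the one IMs most often need to make concrete: a four-person team that only reacts to alerts has nothing that would surface weeks of steady outbound transfers. The script below is an added illustration written for this scenario guide, not part of the exercise materials or any product. It reads flow-style records (the CSV layout, the hosts, the documentation-range external addresses and the thresholds are all constructed assumptions) and flags internal hosts whose egress to external destinations stays high day after day, or stands out against their peers. Internal-to-internal transfers are excluded so that, for example, a large nightly copy to a backup server does not trip it.

```python
"""Detect sustained bulk outbound transfers in flow-style logs.

Added illustration for the Cedar Valley scenario (not part of the exercise
materials). The log format, hosts and thresholds below are constructed
assumptions; adapt the field parsing to your own NetFlow or firewall export.
"""
from collections import defaultdict
from datetime import date
from ipaddress import ip_address, ip_network
from statistics import median

# Constructed sample, one flow per line: "date,src_ip,dst_ip,dst_port,bytes_out".
# 198.51.100.23 and 203.0.113.10 are documentation-range addresses, not real hosts.
SAMPLE_FLOWS = """\
2024-02-05,10.20.4.17,203.0.113.10,443,3100000
2024-02-05,10.20.4.17,198.51.100.23,443,48000000
2024-02-05,10.20.4.9,203.0.113.10,443,2900000
2024-02-05,10.20.4.21,203.0.113.10,443,2000000
2024-02-06,10.20.4.17,198.51.100.23,443,52000000
2024-02-06,10.20.4.9,203.0.113.10,443,3300000
2024-02-06,10.20.4.33,203.0.113.10,443,8000000
2024-02-07,10.20.4.17,198.51.100.23,443,47000000
2024-02-07,10.20.4.9,10.20.50.5,445,900000000
2024-02-07,10.20.4.21,203.0.113.10,443,4000000
2024-02-08,10.20.4.17,198.51.100.23,443,51000000
2024-02-08,10.20.4.9,203.0.113.10,443,3000000
"""

# RFC 1918 ranges treated as "inside the hospital" for this illustration.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL)


def parse_flows(text):
    """Parse the constructed CSV into (day, src, dst, port, bytes) tuples."""
    rows = []
    for line in text.strip().splitlines():
        d, src, dst, port, nbytes = line.split(",")
        rows.append((date.fromisoformat(d), src, dst, int(port), int(nbytes)))
    return rows


def daily_external_egress(rows):
    """Sum outbound bytes per (src, day), counting external destinations only.

    Internal-to-internal traffic (e.g. the 900 MB copy to 10.20.50.5 above)
    is deliberately ignored so backup and imaging transfers do not alert.
    """
    totals = defaultdict(int)
    for day, src, dst, _port, nbytes in rows:
        if is_internal(src) and not is_internal(dst):
            totals[(src, day)] += nbytes
    return totals


def find_sustained_egress(rows, min_days=3, min_bytes=20_000_000):
    """Flag hosts that exceed min_bytes of external egress on >= min_days distinct days."""
    days_over = defaultdict(set)
    for (src, day), nbytes in daily_external_egress(rows).items():
        if nbytes >= min_bytes:
            days_over[src].add(day)
    return {src: sorted(days) for src, days in days_over.items()
            if len(days) >= min_days}


def find_outliers_vs_peers(rows, factor=5.0):
    """Flag hosts whose total external egress is more than factor x the peer median."""
    per_host = defaultdict(int)
    for (src, _day), nbytes in daily_external_egress(rows).items():
        per_host[src] += nbytes
    if len(per_host) < 3:          # too few hosts for a meaningful baseline
        return {}
    baseline = median(per_host.values())
    return {src: total for src, total in per_host.items()
            if total > factor * baseline}


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for host, days in find_sustained_egress(flows).items():
        print(f"sustained egress: {host} on {len(days)} days ({days[0]} to {days[-1]})")
    for host, total in find_outliers_vs_peers(flows).items():
        print(f"peer outlier: {host} sent {total:,} bytes externally")
```

In the constructed sample, 10.20.4.17 pushes roughly 50 MB a day to the same external address for four consecutive days while its peers send a few megabytes; both checks single it out, and the large internal copy from 10.20.4.9 is correctly ignored. In a real deployment the thresholds would come from a per-host baseline rather than fixed constants, and the alert would be routed to someone whose job includes reading it.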
Operational Context
How This Hospital Actually Works:
Cedar Valley operates under perpetual high-acuity crisis. Level I trauma center means most complex cases in region—gunshot wounds, motor vehicle accidents, cardiac emergencies, strokes. Hospital cannot refuse patients. Operations run 24/7 at maximum capacity. IT security proposed network segmentation, air-gapped backups, enhanced monitoring—all approved in principle, none implemented due to operational constraints. Clinical leadership fears system downtime more than theoretical security breach. “Patients will die if systems go down” overrides “systems might be compromised someday.” This created perfect conditions: network-connected backups for fast restore, delayed security patches to avoid clinical disruption, minimal intrusion detection due to resource constraints. Attackers exploited the gap between written security policy (comprehensive) and operational reality (security postponed for patient care).
Key Stakeholders (For IM Facilitation)
- Dr. Michael Stevens (Chief Medical Officer) - Managing patient surge and weighing ransom payment decision against patient lives and regulatory requirements
- Rachel Davis (IT Director) - Dealing with complete encryption, assessing compromised backups, coordinating with law enforcement
- Dr. Amanda Rodriguez (Emergency Department Director) - Has 45 waiting patients, demanding immediate decision on payment or alternative solutions for patient safety
- Kevin Zhang (Chief Information Security Officer) - Managing HIPAA breach notifications after discovering data exfiltration, coordinating recovery while threat actors threaten public data release
Why This Matters
You’re not just responding to ransomware—you’re managing a hostage crisis where the hostages are patient lives and private medical records. Physicians cannot treat patients without access to allergy information, medication histories, and lab results. The hospital is the only Level I trauma center for 1.2 million people—diverting ambulances means trauma patients die in transport. Threat actors are professionals who stole patient records and will publish them if ransom isn’t paid. You have 72 hours to decide: pay criminals to restore operations and protect patient privacy, or attempt recovery knowing backup systems may be compromised and data is already stolen. Every hour of downtime increases patient mortality risk. Federal law requires breach notification. There’s no winning choice—only least-bad options.
IM Facilitation Notes
- This is double-extortion ransomware—encryption AND data theft: Players often focus on technical decryption—correct this. Data is already stolen. Even if systems are restored, patient records are in criminals’ hands. Payment might restore operations but doesn’t recover stolen data. Not paying risks public data dump affecting hundreds of thousands of patients.
- Ransom payment is complicated, not simple: Players may suggest “just pay ransom”—explain reality. FBI advises against payment. Insurance may cover ransom but requires law enforcement involvement. Bitcoin payment takes hours to arrange. Hospital board must approve. Payment doesn’t guarantee decryption or data deletion. This is complex business/legal/ethical decision, not simple technical fix.
- Backups are compromised—no easy restore: Players will assume “restore from backup”—reveal backup systems were network-connected and are encrypted too. Some offline backups exist but are 2 weeks old. Restoring 2-week-old patient data during flu season surge creates dangerous treatment gaps. Force players to grapple with bad backup architecture decisions made for operational speed.
- Patient safety creates crushing time pressure: Hospital cannot operate without systems during surge. ED has 45 patients waiting 8+ hours. ICU managing 90 critical patients without access to care plans. Eight surgeries in progress lost imaging access. Physicians are making blind decisions that could kill patients. Players must balance recovery time against immediate patient mortality risk.
- This is realistic modern healthcare ransomware: LockBit targets hospitals specifically. Data exfiltration before encryption is standard. Professional criminals make direct executive contact. 72-hour deadlines create decision pressure. This scenario reflects real incidents at hospitals nationwide—help players understand this isn’t theoretical, it’s current healthcare reality.
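When players do reach "restore from backup", the IM's next question should be "verified clean how?" The script below is an added illustration for this guide, not part of the exercise materials or any backup product. It shows the minimum a restore team needs before trusting a backup set: a manifest of file hashes recorded when the backup was written, and a check of the current copy against it that reports modified, missing and unexpected files and specifically calls out originals that reappear with the ".lockbit" suffix the scenario names. The directory layout, file names and ransom-note placeholder are constructed for the demonstration.

```python
"""Verify a backup set against a manifest before restoring from it.

Added illustration for the Cedar Valley scenario, not part of the exercise
materials or of any product. The manifest format, directory layout and the
sample files are constructed assumptions; ".lockbit" is the suffix the
scenario itself names.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Suffixes that indicate a file was encrypted in place and renamed.
SUSPECT_SUFFIXES = {".lockbit"}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Record relative path -> SHA-256 for every file under root.

    Run at backup time and store the result somewhere the backup host cannot
    overwrite it (offline media or a write-once store), otherwise an attacker
    who encrypts the backup can rewrite the manifest to match.
    """
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(root, manifest):
    """Compare the current backup tree against the manifest taken when it was written."""
    root = Path(root)
    present = {p.relative_to(root).as_posix(): p
               for p in root.rglob("*") if p.is_file()}
    report = {"ok": [], "modified": [], "missing": [],
              "renamed_suspect": [], "unexpected": []}
    for rel, expected in manifest.items():
        if rel not in present:
            report["missing"].append(rel)
        elif sha256_file(present[rel]) == expected:
            report["ok"].append(rel)
        else:
            report["modified"].append(rel)
    for rel, path in present.items():
        if rel in manifest:
            continue
        # "patients.db.lockbit" whose original "patients.db" is in the manifest
        if path.suffix in SUSPECT_SUFFIXES and rel[:-len(path.suffix)] in manifest:
            report["renamed_suspect"].append(rel)
        else:
            report["unexpected"].append(rel)     # e.g. a dropped ransom note
    report["clean"] = not (report["modified"] or report["missing"]
                           or report["renamed_suspect"] or report["unexpected"])
    return report


def demo():
    """Constructed sample: snapshot a tiny backup, then simulate ransomware touching it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ehr").mkdir()
        (root / "ehr" / "patients.db").write_bytes(b"patient records (constructed)")
        (root / "ehr" / "orders.db").write_bytes(b"medication orders (constructed)")
        (root / "imaging.tar").write_bytes(b"imaging archive (constructed)")
        manifest = build_manifest(root)
        assert verify_backup(root, manifest)["clean"]      # untouched set passes
        # Simulate damage: one file encrypted and renamed, one overwritten, a note dropped.
        os.rename(root / "ehr" / "patients.db", root / "ehr" / "patients.db.lockbit")
        (root / "imaging.tar").write_bytes(b"\x00garbage")
        (root / "README_TO_RESTORE.txt").write_text("constructed ransom note placeholder")
        return verify_backup(root, manifest)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point for the debrief is the manifest's storage, not the hashing: if the manifest lives on the same network-connected backup server, it is encrypted or replaced along with everything else, and "verified clean" is meaningless. The offline two-week-old copies mentioned in the scenario are exactly the kind of set this check is meant to vouch for before anyone restores from them.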
Opening Presentation
“It’s Tuesday evening at Cedar Valley Medical Center, and the hospital is operating under surge conditions. The emergency department is packed with flu patients, the ICU is at capacity, and surgical teams are working overtime. Suddenly, every computer screen across the hospital displays ransom demands, and within minutes, executives receive direct contact from threat actors claiming to have stolen patient data and threatening public release. All systems are encrypted, operations have completely halted, and critical patients are at immediate risk.”
Initial Symptoms to Present:
Key Discovery Paths:
Detective Investigation Leads:
Protector System Analysis:
Tracker Network Investigation:
Communicator Stakeholder Interviews:
Mid-Scenario Pressure Points:
- Hour 1: Emergency patient needs immediate surgery but cannot access medical history or allergy information
- Hour 2: Threat actors increase pressure by showing screenshots of stolen patient records
- Hour 3: News media reports potential data breach affecting hospital operations
- Hour 4: Law enforcement offers assistance but warns payment may fund further criminal activity
Evolution Triggers:
- If ransom payment is made, attackers may demand additional payments or still release data
- If payment is refused, stolen patient data begins appearing on criminal marketplaces
- If recovery takes longer than 72 hours, threat actors may launch DDoS attacks to prevent recovery
Resolution Pathways:
Technical Success Indicators:
- Team implements emergency paper-based patient care protocols while systems recover
- Backup systems verified clean and restoration process initiated with proper security controls
- Law enforcement coordination established for investigation and potential asset recovery
Business Success Indicators:
- Patient care maintained through manual backup procedures without compromising safety
- Regulatory compliance maintained with proper breach notifications and stakeholder communication
- Business continuity plan activated minimizing operational and financial impact
Learning Success Indicators:
- Team understands double extortion tactics and data theft implications
- Participants recognize importance of backup isolation and business continuity planning
- Group demonstrates crisis decision-making balancing technical, legal, and operational concerns
Common IM Facilitation Challenges:
If Payment Discussion Is Avoided:
“Your technical response is excellent, but the CEO just received another call from the attackers with screenshots of patient records. The board is asking for your recommendation on payment. What factors do you consider?”
If Data Theft Impact Is Underestimated:
“While you’re working on decryption, the legal team reports that HIPAA requires breach notification for all affected patients. How does stolen data change your response strategy?”
If Business Continuity Is Ignored:
“Your investigation is thorough, but Dr. Torres needs to know: can the emergency department safely operate without electronic systems, or should they divert patients to other hospitals?”
Success Metrics for Session:
Template Compatibility
Quick Demo (35-40 min)
- Rounds: 1
- Actions per Player: 1
- Investigation: Guided
- Response: Pre-defined
- Focus: Use the “Hook” and “Initial Symptoms” to quickly establish hospital emergency crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing ransomware double extortion tactics and healthcare operational vulnerabilities.
Lunch & Learn (75-90 min)
- Rounds: 2
- Actions per Player: 2
- Investigation: Guided
- Response: Pre-defined
- Focus: This template allows for deeper exploration of healthcare ransomware challenges. Use the full set of NPCs to create realistic patient safety and regulatory pressures. The two rounds allow threat actors to increase pressure with data release threats, raising stakes. Debrief can explore balance between patient safety and security response.
Full Game (120-140 min)
- Rounds: 3
- Actions per Player: 2
- Investigation: Open
- Response: Creative
- Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing patient life safety, data breach implications, regulatory compliance, and business continuity. The three rounds allow for full narrative arc including ransomware’s healthcare-specific impact and double extortion progression.
Advanced Challenge (150-170 min)
- Rounds: 3
- Actions per Player: 2
- Investigation: Open
- Response: Creative
- Complexity: Add red herrings (e.g., legitimate system maintenance causing unrelated issues). Make containment ambiguous, requiring players to justify life-safety decisions with incomplete information. Remove access to reference materials to test knowledge recall of ransomware behavior and healthcare security principles.
Quick Demo Materials (35-40 min)
Guided Investigation Clues
Clue 1 (Minute 5): “Digital forensics reveal LockBit ransomware with complete system encryption across Cedar Valley Medical Center’s 750-bed hospital network. Threat actors contacted executives directly claiming to have exfiltrated terabytes of patient records including protected health information, medical histories, and financial data. The hospital is operating under surge conditions with 150% emergency department capacity and ICU completely full during flu season.”
Clue 2 (Minute 10): “Network analysis shows attackers maintained persistent access for weeks before ransomware activation, systematically stealing patient data and mapping critical hospital systems. Backup integrity assessment reveals some backup systems were also compromised. Timeline indicates attackers specifically chose flu season surge for maximum operational impact and payment pressure.”
Clue 3 (Minute 15): “Threat actors provided screenshots of stolen patient records as proof of data theft, demanding ransom payment within 72 hours or patient data will be publicly released. Legal team reports HIPAA breach notification requirements for all affected patients. Emergency department has 45 patients waiting without access to medical histories, medication orders, or allergy information affecting life-critical decisions.”
Pre-Defined Response Options
Option A: Emergency Paper Protocols & Recovery Without Payment
- Action: Activate emergency paper-based patient care protocols, restore systems from clean verified backups, coordinate with law enforcement about investigation, initiate HIPAA breach notifications, refuse ransom payment.
- Pros: Maintains patient safety through proven manual procedures; demonstrates responsible healthcare security practices; supports law enforcement in combating ransomware.
- Cons: Recovery may take several days affecting hospital operations; stolen patient data will likely be publicly released; potential regulatory fines and patient lawsuits.
- Type Effectiveness: Super effective against Ransomware malmon type; clean backups enable full recovery without funding criminal enterprise.
Option B: Ransom Payment & Rapid Recovery
- Action: Pay ransom to obtain decryption key and prevent data release, restore systems quickly to minimize patient impact, implement enhanced security controls, initiate breach notifications.
- Pros: Fastest path to system restoration for patient care continuity; may prevent public release of patient health information.
- Cons: No guarantee attackers will provide working decryption or refrain from data release; funds criminal enterprise encouraging future attacks; may violate regulations and insurance requirements.
- Type Effectiveness: Not effective against Ransomware malmon type; addresses encryption but doesn’t prevent data theft; funds continued ransomware operations.
Option C: Hybrid Approach with Negotiation
- Action: Engage with threat actors to delay timeline, simultaneously activate paper protocols and restore from backups, coordinate law enforcement, attempt to negotiate data deletion without payment.
- Pros: Buys time for recovery while maintaining patient safety; demonstrates good-faith effort to protect patient data; may achieve data deletion without full payment.
- Cons: No guarantee attackers will honor agreements; extends crisis timeline affecting hospital operations; negotiation may be interpreted as willingness to pay.
- Type Effectiveness: Moderately effective against Ransomware threats; delays attack progression while enabling backup recovery; doesn’t guarantee data protection.
Lunch & Learn Materials (75-90 min, 2 rounds)
Round 1: Emergency Patient Safety & Double Extortion Response (30-35 min)
Investigation Clues:
- Clue 1 (Minute 5): Complete system encryption across all hospital networks including electronic health records, medical imaging, pharmacy systems, and patient monitoring. IT Director Rachel Davis reports, “Every file shows .lockbit extensions. All clinical systems are down. This is total operational paralysis during maximum patient surge.”
- Clue 2 (Minute 10): Network forensics reveal attackers maintained persistent access for approximately three weeks before ransomware activation, systematically exfiltrating patient data. Estimated 500GB of protected health information stolen including medical records, insurance data, and social security numbers.
- Clue 3 (Minute 15): Emergency Department Director Dr. Amanda Rodriguez reports life-critical patient care impact: “I have a trauma patient needing emergency surgery with unknown medication allergies. Lab results cannot reach physicians. Patient monitoring alerts may not function. Every minute without systems creates patient safety risks.”
- Clue 4 (Minute 20): Threat actors contact CEO directly via secure chat, providing screenshots of stolen patient records as proof, demanding $4.5M payment within 72 hours or patient data will be publicly released on criminal marketplaces and leak sites. “We know your insurance coverage limits and have calculated our demand accordingly.”
Response Options:
- Option A: Emergency Paper Protocols with Backup Recovery - Immediately activate hospital emergency paper-based patient care procedures, begin restoration from offline backups, notify HIPAA breach authorities, coordinate with FBI, refuse ransom payment prioritizing patient safety over data.
- Pros: Maintains patient care through proven downtime procedures; demonstrates responsible healthcare security; supports law enforcement investigation; clean recovery without funding criminals.
- Cons: Paper procedures reduce efficiency affecting surge patient flow; stolen patient data will likely be released creating privacy breach; recovery timeline extends emergency protocols affecting care quality.
- Type Effectiveness: Super effective for Ransomware recovery - clean backups enable restoration; doesn’t prevent data exposure but maintains ethical stance.
- Option B: Payment Negotiation for Data Deletion - Engage threat actors attempting to negotiate reduced payment specifically for verified data deletion and decryption, activate paper protocols as backup, coordinate cyber insurance for potential payment authorization.
- Pros: May prevent patient data exposure through negotiated data deletion; faster potential recovery through decryption; demonstrates prioritization of patient privacy protection.
- Cons: No guarantee attackers will honor data deletion agreement; payment funds criminal operations; may violate HIPAA guidance and federal regulations; sets precedent for future attacks.
- Type Effectiveness: Partially effective - may address data theft but funds continued Ransomware operations; no verification of data deletion possible.
- Option C: Patient Diversion with Comprehensive Recovery - Activate regional disaster plan diverting non-critical patients to partner hospitals, focus all resources on backup restoration and security hardening, prioritize keeping emergency department operational for life-threatening cases only.
- Pros: Ensures patient safety by reducing operational load during system recovery; allows thorough security remediation; demonstrates responsible crisis management prioritizing lives.
- Cons: Revenue loss from patient diversion; potential community impact from reduced hospital capacity; stolen patient data still publicly released; partnership hospitals may face capacity constraints.
- Type Effectiveness: Moderately effective - balances patient safety with recovery but doesn’t address data theft; protects lives while accepting privacy breach.
Round 2: Data Breach Management & Healthcare Compliance (30-35 min)
Investigation Clues:
- Clue 5 (Minute 30): If Option A (paper protocols) chosen: Dr. Stevens reports paper procedures working but surgical teams delayed accessing archived medical records. “We’re maintaining safety but efficiency dropped 40%. We can sustain emergency operations but not surge volume.”
- Clue 5 (Minute 30): If Option B (negotiation) chosen: Threat actors respond to negotiation by demanding $3M for “data deletion guarantee” - no reduction in price, only separation of decryption and data protection into two payments. No verification mechanism available.
- Clue 5 (Minute 30): If Option C (diversion) chosen: Partner hospitals report reaching capacity - cannot accept additional patient transfers. “Regional healthcare system is saturated. Cedar Valley must maintain some operational capability.”
- Clue 6 (Minute 40): CISO Kevin Zhang completes data inventory - patient records for approximately 180,000 individuals potentially compromised including sensitive diagnoses, mental health treatment, HIV status, substance abuse treatment, and financial information. HIPAA breach notification required.
- Clue 7 (Minute 50): Hospital legal counsel reports potential liability exposure: class-action lawsuit risk, OCR investigation and potential fines, state attorney general involvement, patient trust erosion affecting future operations. “The data breach creates long-term institutional consequences beyond immediate crisis.”
- Clue 8 (Minute 55): Cyber insurance carrier confirms policy covers up to $10M for breach response and regulatory fines but explicitly excludes ransom payments. Recovery costs, legal fees, notification expenses, and credit monitoring for 180,000 patients will likely exceed $15M.
Response Options:
- Option A: Comprehensive Healthcare Breach Response - Activate full incident response plan including forensic investigation, patient notification via HIPAA-compliant procedures, credit monitoring services for all affected individuals, media communications plan, regulatory cooperation, long-term security improvements.
- Pros: Full compliance with healthcare regulations; demonstrates responsible patient data stewardship; supports law enforcement investigation; positions hospital for best possible regulatory outcome.
- Cons: Major expense for notifications and monitoring; public relations crisis from data breach disclosure; potential loss of patient trust; extended regulatory oversight.
- Type Effectiveness: Super effective for Healthcare Ransomware with Data Theft - comprehensive response ensuring regulatory compliance and patient protection despite breach.
- Option B: Selective Notification with Monitoring - Notify only patients with highest-risk data exposure (sensitive diagnoses, financial information), provide credit monitoring to affected subset, coordinate with regulators on phased disclosure approach, focus resources on operational recovery.
- Pros: Reduced notification costs and public relations impact; targeted protection for most vulnerable patients; allows focus on operational restoration.
- Cons: May violate HIPAA breach notification requirements; differential patient treatment creates ethical concerns; incomplete disclosure may worsen regulatory consequences if discovered.
- Type Effectiveness: Partially effective - addresses highest risks but creates compliance and ethical issues; may face increased regulatory penalties.
- Option C: Payment Reconsideration for Data Protection - Re-evaluate ransom payment specifically to prevent data release, accept that some insurance funds could cover “incident response costs” if payment documented as data breach mitigation, prioritize patient privacy over policy.
- Pros: May prevent public data exposure protecting patient privacy; reduces potential liability from data breach; demonstrates patient-first decision making.
- Cons: Likely violates federal guidance and insurance policy terms; no guarantee attackers delete data; funds criminal enterprise; may face legal consequences for payment decision.
- Type Effectiveness: Not effective - violates regulations, doesn’t prevent future attacks, no verification of data deletion; creates legal and ethical problems.
Round Transition Narrative
After Round 1 → Round 2:
The team’s initial response determines whether Cedar Valley faces operational challenges with paper procedures (protocol approach), uncertain negotiation outcomes with criminals (payment discussion), or regional capacity constraints (diversion strategy). Regardless of choice, the situation evolves when CISO Zhang completes assessment revealing 180,000 patients’ protected health information was stolen including highly sensitive medical conditions. Hospital legal counsel details the massive liability exposure, regulatory requirements, and long-term institutional consequences beyond immediate operational recovery. Cyber insurance confirms the financial burden will exceed $15M even with coverage. The team discovers this is not just a technical incident but a fundamental healthcare data protection failure requiring patient notification, regulatory cooperation, media management, and long-term trust rebuilding - all while maintaining emergency patient care during flu season surge and managing potential public data exposure within the 72-hour deadline.
Debrief Focus:
- Recognition of double extortion tactics - encryption plus data theft creating dual pressure
- Balance between patient life safety (immediate), patient privacy protection (stolen data), and regulatory compliance
- Healthcare-specific challenges including HIPAA breach notification, sensitive medical data, patient trust
- Ransom payment decision-making considering ethics, regulations, effectiveness, and precedent
- Importance of backup isolation and data protection strategies in healthcare ransomware defense
Full Game Materials (120-140 min, 3 rounds)
Round 1: Life-Critical Decision Making & Double Extortion Discovery (35-40 min)
Opening: Tuesday evening, flu surge, ICU capacity, suddenly all screens show ransom demands. CEO receives call from attackers with proof of stolen patient data. Dr. Stevens faces impossible choice between patient safety and data protection.
Investigation Discoveries:
- Detective: LockBit ransomware, weeks of persistent access, systematic data exfiltration of 500GB PHI
- Protector: Complete encryption, backup compromise assessment, medical device impact
- Tracker: Data exfiltration traffic over three weeks, professional ransomware-as-a-service operation
- Communicator: Executive pressure about payment, medical staff unable to provide patient care, legal breach notification requirements
NPC Interactions: Dr. Stevens (patient safety priority), Rachel Davis (backup integrity questions), Dr. Rodriguez (emergency care crisis), Kevin Zhang (data breach scope)
Pressure Events: Trauma patient needs emergency surgery without medical history; threat actors show stolen patient screenshots; media reports breach; FBI offers assistance but opposes payment
Victory Conditions: Patient safety protocols activated; data breach scope understood; ethical payment decision framework established
Round 2: Regulatory Compliance & Breach Management (35-40 min)
Opening: Round 1 response created new reality - must now address HIPAA notifications, OCR reporting, patient trust, media management while maintaining operations.
Investigation Clues: 180,000 patient records compromised including sensitive diagnoses; regulatory requirements for 60-day notification; class-action lawsuit potential; insurance coverage limitations
NPC Interactions: Hospital counsel (liability exposure), CISO (breach notification logistics), Media relations (public trust crisis), Insurance carrier (coverage limits)
Pressure Events: OCR demands incident details; news coverage intensifies; patients calling about data safety; board emergency meeting
Victory Conditions: Comprehensive breach response plan; regulatory compliance maintained; patient communication strategy; long-term security improvements
Round 3: Healthcare System Resilience & Institutional Recovery (35-40 min)
Opening: Beyond immediate crisis - questions about healthcare cybersecurity culture, data protection priorities, institutional trust, prevention strategies.
Investigation Clues: Systemic IT weaknesses from delayed patching for clinical operations; inadequate backup isolation; insufficient security staffing; data protection gaps
NPC Interactions: CFO (financial impact), Chief Compliance Officer (regulatory relationships), Community representatives (patient trust), Security consultant (prevention recommendations)
Pressure Events: Patient advocacy groups demand accountability; regulatory investigation begins; competitor hospitals marketing security; board reviews leadership
Victory Conditions: Sustainable security strategy for healthcare; data protection improvements; regulatory cooperation plan; patient trust rebuilding
Debrief Focus: Double extortion evolution; healthcare data protection obligations; ransomware payment ethics; backup strategies; regulatory compliance integration
Advanced Challenge Materials (150-170 min)
Red Herrings: Coincidental equipment failures; legitimate vendor access; normal network traffic; unrelated patient privacy concerns
Removed Resources: No external ransomware knowledge; Limited CISO experience; Competing executive priorities; Budget constraints
Enhanced Pressure: Specific patient stories affected by data theft; Employee data also stolen; Media investigation of hospital security practices; Competitor hospitals gaining market share
Ethical Dilemmas: Patient safety vs privacy; Payment to prevent data release; Selective notification to reduce costs; Public transparency vs reputation management
Advanced Investigation: Forensic analysis under operational constraints; Data exfiltration scope with incomplete logs; Attribution challenges; Backup verification complexity
Complex Recovery: Some backups compromised requiring selective restoration; Vendor dependencies for medical systems; Regulatory reporting during recovery; Patient care continuity vs security thoroughness
Advanced Debrief Topics: Healthcare ransomware evolution; Data protection in medical environments; Payment decision frameworks; Regulatory relationship management; Patient trust in data-driven healthcare
Debrief Questions:
- “How did patient life safety and privacy protection create competing priorities in your decision-making?”
- “What frameworks should healthcare organizations use for ransomware payment decisions balancing ethics, regulations, and effectiveness?”
- “How do HIPAA breach notification requirements affect incident response strategies compared to non-regulated industries?”
- “What systemic changes would make healthcare more resilient to ransomware while maintaining patient care priorities and operational efficiency?”