LockBit Scenario: Hospital Emergency Crisis


Cedar Valley Medical Center: 750-bed hospital, 3,200 employees
Ransomware • LockBit
STAKES
Patient life safety + Critical care operations + Emergency services continuity
HOOK
Cedar Valley Medical Center is in the middle of flu season surge, with the Emergency Department at 150% capacity and ICU completely full. The hospital just activated surge protocols when computer systems began displaying ransom demands and threat actors contacted executives claiming to have stolen patient data. All systems are encrypted and operations have completely halted during the most critical period when patient care cannot be interrupted.
PRESSURE
  • Emergency Department surge - any system downtime directly threatens patient lives + Data theft threatens patient privacy
FRONT • 120 minutes • Advanced
NPCs
  • Dr. Michael Stevens (Chief Medical Officer): Managing critical patient surge, must decide on ransom payment versus patient safety, balancing security response with life-saving operations and regulatory compliance
  • Rachel Davis (IT Director): Dealing with complete system encryption, trying to assess backup integrity while managing data theft notifications and coordinating with law enforcement
  • Dr. Amanda Rodriguez (Emergency Department Director): Has 45 patients waiting, cannot access patient records or medication orders, demanding immediate decision on payment or alternative solutions
  • Kevin Zhang (Chief Information Security Officer): Discovered that attackers exfiltrated patient records before encryption, managing HIPAA breach notifications while coordinating recovery efforts
SECRETS
  • Hospital delayed security updates to avoid disrupting critical patient care systems
  • Backup systems were not properly isolated and may also be compromised
  • Attackers specifically targeted and stole protected health information (PHI), including patient records and financial data

Planning Resources

Tip: 📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

LockBit Hospital Emergency Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note: 🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

LockBit Hospital Emergency Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Note: 👥 Large Group Format (12-15+ Players)

Team-specific evidence cards for Multi-Team Coordination format. Three parallel teams (Alpha/Forensics, Bravo/Network, Charlie/Business Impact) receive separate tiered artifacts across five investigation rounds.

Large Group Artifacts – Organizational Context

Includes 21 tiered evidence cards, IM distribution guide, and cross-team coordination notes. For experienced IMs only – see Large Group Prep Worksheet before running this format.

Large Group Facilitator Guide

Round-by-round facilitation notes, central dilemma, information asymmetry map, common failure modes, and debrief focus for this scenario. For general format setup and IC briefing, see the Large Group Facilitation Guide.

Scenario Details for IMs

Hook

“It’s Tuesday evening at Cedar Valley Medical Center, and the hospital is operating under surge conditions. The Emergency Department is packed with flu patients, the ICU is at capacity, and surgical teams are working overtime. Suddenly, every computer screen across the hospital displays ransom demands, and within minutes, executives receive direct contact from threat actors claiming to have stolen patient data and threatening public release. All systems are encrypted, operations have completely halted, and critical patients are at immediate risk.”

Initial Symptoms to Present:

Warning: 🚨 Initial User Reports
  • “All workstations displaying identical ransom messages with 72-hour countdown”
  • “File servers completely encrypted with .lockbit extensions on all files”
  • “Threat actors contacted CEO directly claiming to have stolen patient data”
  • “Medical equipment losing connectivity to central monitoring systems”

Key Discovery Paths:

Detective Investigation Leads:

  • Digital forensics reveal systematic data exfiltration occurred before encryption
  • Ransom note analysis shows professional criminal operation with detailed knowledge of hospital operations
  • Timeline analysis indicates attackers maintained access for weeks before activation

Protector System Analysis:

  • Complete system encryption across all networks including medical devices
  • Backup integrity assessment reveals some backups may also be compromised
  • Network isolation protocols activated but damage already done

Tracker Network Investigation:

  • Data exfiltration traffic analysis reveals terabytes of patient data stolen over several weeks
  • Command and control communication shows professional ransomware-as-a-service operation
  • Evidence of reconnaissance and target-specific attack customization
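The Tracker finding above (terabytes leaving the network over several weeks) is the kind of pattern a defender can surface by aggregating outbound flow volume per internal source and external destination per day and flagging pairs that stay above a threshold for many days. The following is an added example, not part of the scenario document or its planning materials; the flow records, the 10.0.0.0/8 internal range, the IP addresses, the thresholds and the function names are all constructed for illustration.

```python
"""Sustained-egress detection over flow records (added example, not part of the
scenario). Constructed sample data models the Tracker discovery path: a file
server pushing large volumes to one external host every day for three weeks."""
from collections import defaultdict
from datetime import date, timedelta
import ipaddress

# Assumption: the hospital's internal address space is 10.0.0.0/8.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")


def make_sample_flows():
    """Constructed flow records as (day, src_ip, dst_ip, bytes_out)."""
    flows = []
    start = date(2024, 1, 1)
    for d in range(21):  # three weeks of daily summaries
        day = start + timedelta(days=d)
        # Normal traffic: workstations sending a few hundred MB/day to a SaaS host.
        flows.append((day, "10.20.5.17", "203.0.113.10", 300_000_000))
        flows.append((day, "10.20.5.18", "203.0.113.10", 250_000_000))
        # Exfiltration: file server sending ~25 GB/day to a single external host.
        flows.append((day, "10.10.1.5", "198.51.100.77", 25_000_000_000))
    return flows


def daily_egress(flows):
    """Sum bytes per (src, dst, day), keeping only internal -> external flows."""
    totals = defaultdict(int)
    for day, src, dst, nbytes in flows:
        src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
        if src_ip in INTERNAL and dst_ip not in INTERNAL:
            totals[(src, dst, day)] += nbytes
    return totals


def find_sustained_egress(flows, daily_threshold_bytes=5_000_000_000, min_days=7):
    """Return {(src, dst): (days_over_threshold, total_bytes)} for pairs whose
    daily egress exceeded the threshold on at least min_days distinct days.
    A one-off large transfer will not trigger; weeks of steady exfil will."""
    totals = daily_egress(flows)
    days_over = defaultdict(int)
    pair_bytes = defaultdict(int)
    for (src, dst, day), nbytes in totals.items():
        pair_bytes[(src, dst)] += nbytes
        if nbytes >= daily_threshold_bytes:
            days_over[(src, dst)] += 1
    return {pair: (days, pair_bytes[pair])
            for pair, days in days_over.items() if days >= min_days}


def main():
    for (src, dst), (days, total) in find_sustained_egress(make_sample_flows()).items():
        print(f"{src} -> {dst}: {days} days over threshold, {total / 1e9:.0f} GB total")


if __name__ == "__main__":
    main()
```

The daily aggregation matters more than the threshold value: per-connection alerting misses an attacker who keeps each transfer modest, while a per-day, per-destination view makes a multi-week pattern stand out against the hospital's normal SaaS traffic.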

Communicator Stakeholder Interviews:

  • Executive team must decide on ransom payment versus recovery and regulatory implications
  • Medical staff report complete inability to access patient records affecting life-critical decisions
  • Legal team explains breach notification requirements and potential liability (HIPAA 60-day notification timeline and OCR enforcement)

Mid-Scenario Pressure Points:

  • Hour 1: Emergency patient needs immediate surgery but cannot access medical history or allergy information
  • Hour 2: Threat actors increase pressure by showing screenshots of stolen patient records
  • Hour 3: News media reports potential data breach affecting hospital operations
  • Hour 4: Law enforcement offers assistance but warns payment may fund further criminal activity

Evolution Triggers:

  • If ransom payment is made, attackers may demand additional payments or still release data
  • If payment is refused, stolen patient data begins appearing on criminal marketplaces
  • If recovery takes longer than 72 hours, threat actors may launch DDoS attacks to prevent recovery

Resolution Pathways:

Technical Success Indicators:

  • Team implements emergency paper-based patient care protocols while systems recover
  • Backup systems verified clean and restoration process initiated with proper security controls
  • Law enforcement coordination established for investigation and potential asset recovery
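"Backup systems verified clean" (above) and the Protector finding that some backups may be compromised both rest on the same check: comparing the backup set against an integrity record that the attacker could not reach. The following is an added example, not part of the scenario document or its planning materials; it assumes a hash manifest written at backup time and stored offline, and the directory layout, file names and `demo` helper are constructed for illustration. The `.lockbit` extension is the one named in the scenario's initial symptoms.

```python
"""Backup integrity check against an offline hash manifest (added example, not
part of the scenario). Flags files that went missing, changed content, appeared
unexpectedly, or carry the ransomware extension since the manifest was taken."""
import hashlib
import os
import tempfile

RANSOM_EXT = ".lockbit"  # extension reported on encrypted files in the scenario


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(backup_dir):
    """Map relative path -> sha256 for every file under backup_dir.
    Assumption: in practice this is produced at backup time and kept offline or
    on immutable storage, never beside the backup it describes."""
    manifest = {}
    for root, _, files in os.walk(backup_dir):
        for name in files:
            full = os.path.join(root, name)
            manifest[os.path.relpath(full, backup_dir)] = sha256_file(full)
    return manifest


def verify_backup(backup_dir, manifest):
    """Compare the current backup set to its offline manifest.
    Returns {"missing": [...], "modified": [...], "foreign": [...], "ransom_ext": [...]}."""
    current = build_manifest(backup_dir)
    findings = {"missing": [], "modified": [], "foreign": [], "ransom_ext": []}
    for rel, digest in manifest.items():
        if rel not in current:
            findings["missing"].append(rel)
        elif current[rel] != digest:
            findings["modified"].append(rel)
    for rel in current:
        if rel not in manifest:
            findings["foreign"].append(rel)
        if rel.endswith(RANSOM_EXT):
            findings["ransom_ext"].append(rel)
    return findings


def backup_is_clean(findings):
    return not any(findings.values())


def demo():
    """Constructed walk-through: a clean backup, then the same set after an
    encryption event. Returns (findings_before, findings_after)."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "ehr"))
        for name, data in [("ehr/patients.db", b"record-set-v1"),
                           ("ehr/orders.db", b"orders-v1")]:
            with open(os.path.join(d, name), "wb") as f:
                f.write(data)
        manifest = build_manifest(d)  # this copy would live offline
        before = verify_backup(d, manifest)
        # Simulate encryption: one file renamed with the ransom extension,
        # one overwritten in place.
        os.rename(os.path.join(d, "ehr/orders.db"),
                  os.path.join(d, "ehr/orders.db" + RANSOM_EXT))
        with open(os.path.join(d, "ehr/patients.db"), "wb") as f:
            f.write(b"ciphertext-placeholder")
        after = verify_backup(d, manifest)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("clean before:", backup_is_clean(before))
    print("findings after:", after)
```

A manifest kept on the same share as the backup is worthless once that share is encrypted; the check only answers the "verified clean" question when the reference hashes were unreachable from the compromised network.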

Business Success Indicators:

  • Patient care maintained through manual backup procedures without compromising safety
  • Regulatory compliance maintained with proper breach notifications and stakeholder communication
  • Business continuity plan activated minimizing operational and financial impact

Learning Success Indicators:

  • Team understands double extortion tactics and data theft implications
  • Participants recognize importance of backup isolation and business continuity planning
  • Group demonstrates crisis decision-making balancing technical, legal, and operational concerns

Common IM Facilitation Challenges:

If Payment Discussion Is Avoided:

“Your technical response is excellent, but the CEO just received another call from the attackers with screenshots of patient records. The board is asking for your recommendation on payment. What factors do you consider?”

If Data Theft Impact Is Underestimated:

“While you’re working on decryption, the legal team reports that HIPAA requires breach notification for all affected patients. How does stolen data change your response strategy?”

If Business Continuity Is Ignored:

“Your investigation is thorough, but Dr. Amanda Rodriguez needs to know: can the Emergency Department safely operate without electronic systems, or should they divert patients to other hospitals?”

Success Metrics for Session:

Template Compatibility

Quick Demo (35-40 min)

  • Rounds: 1
  • Actions per Player: 1
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: Use the “Hook” and “Initial Symptoms” to quickly establish hospital emergency crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing ransomware double extortion tactics and healthcare operational vulnerabilities.

Lunch & Learn (75-90 min)

  • Rounds: 2
  • Actions per Player: 2
  • Investigation: Guided
  • Response: Pre-defined
  • Focus: This template allows for deeper exploration of healthcare ransomware challenges. Use the full set of NPCs to create realistic patient safety and regulatory pressures. The two rounds allow threat actors to increase pressure with data release threats, raising stakes. Debrief can explore balance between patient safety and security response.

Full Game (120-140 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing patient life safety, data breach implications, regulatory compliance, and business continuity. The three rounds allow for full narrative arc including ransomware’s healthcare-specific impact and double extortion progression.

Advanced Challenge (150-170 min)

  • Rounds: 3
  • Actions per Player: 2
  • Investigation: Open
  • Response: Creative
  • Complexity: Add red herrings (e.g., legitimate system maintenance causing unrelated issues). Make containment ambiguous, requiring players to justify life-safety decisions with incomplete information. Remove access to reference materials to test knowledge recall of ransomware behavior and healthcare security principles.

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Clue 1 (Minute 5): “Digital forensics reveal LockBit ransomware with complete system encryption across the Cedar Valley Medical Center network (a 750-bed hospital with 3,200 employees). Threat actors contacted executives directly claiming to have exfiltrated terabytes of patient records including protected health information, medical histories, and financial data. The hospital is operating under surge conditions with 150% Emergency Department capacity and ICU completely full during flu season.”

Clue 2 (Minute 10): “Network analysis shows attackers maintained persistent access for weeks before ransomware activation, systematically stealing patient data and mapping critical hospital systems. Backup integrity assessment reveals some backup systems were also compromised. Timeline indicates attackers specifically chose flu season surge for maximum operational impact and payment pressure.”

Clue 3 (Minute 15): “Threat actors provided screenshots of stolen patient records as proof of data theft, demanding ransom payment within 72 hours or patient data will be publicly released. Legal team reports HIPAA breach notification requirements for all affected patients. Emergency Department has 45 patients waiting without access to medical histories, medication orders, or allergy information affecting life-critical decisions.”

Pre-Defined Response Options

Option A: Emergency Paper Protocols & Recovery Without Payment

  • Action: Activate emergency paper-based patient care protocols, restore systems from clean verified backups, coordinate with FBI about investigation, initiate HIPAA breach notifications, refuse ransom payment.
  • Pros: Maintains patient safety through proven manual procedures; demonstrates responsible healthcare security practices; supports law enforcement in combating ransomware.
  • Cons: Recovery may take several days affecting hospital operations; stolen patient data will likely be publicly released; potential regulatory fines and patient lawsuits.
  • Type Effectiveness: Super effective against Ransomware malmon type; clean backups enable full recovery without funding criminal enterprise.

Option B: Ransom Payment & Rapid Recovery

  • Action: Pay ransom to obtain decryption key and prevent data release, restore systems quickly to minimize patient impact, implement enhanced security controls, initiate breach notifications.
  • Pros: Fastest path to system restoration for patient care continuity; may prevent public release of patient health information.
  • Cons: No guarantee attackers will provide working decryption or refrain from data release; funds criminal enterprise encouraging future attacks; may violate regulations and insurance requirements.
  • Type Effectiveness: Not effective against Ransomware malmon type; addresses encryption but doesn’t prevent data theft; funds continued ransomware operations.

Option C: Hybrid Approach with Negotiation

  • Action: Engage with threat actors to delay timeline, simultaneously activate paper protocols and restore from backups, coordinate law enforcement, attempt to negotiate data deletion without payment.
  • Pros: Buys time for recovery while maintaining patient safety; demonstrates good-faith effort to protect patient data; may achieve data deletion without full payment.
  • Cons: No guarantee attackers will honor agreements; extends crisis timeline affecting hospital operations; negotiation may be interpreted as willingness to pay.
  • Type Effectiveness: Moderately effective against Ransomware threats; delays attack progression while enabling backup recovery; doesn’t guarantee data protection.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Emergency Patient Safety & Double Extortion Response (30-35 min)

Investigation Clues:

  • Clue 1 (Minute 5): Complete system encryption across all hospital networks including electronic health records, medical imaging, pharmacy systems, and patient monitoring. IT Director Rachel Davis reports, “Every file shows .lockbit extensions. All clinical systems are down. This is total operational paralysis during maximum patient surge.”
  • Clue 2 (Minute 10): Network forensics reveal attackers maintained persistent access for approximately three weeks before ransomware activation, systematically exfiltrating patient data. Estimated 500GB of protected health information stolen including medical records, insurance data, and social security numbers.
  • Clue 3 (Minute 15): Emergency Department Director Dr. Amanda Rodriguez reports life-critical patient care impact: “I have a trauma patient needing emergency surgery with unknown medication allergies. Lab results cannot reach physicians. Patient monitoring alerts may not function. Every minute without systems creates patient safety risks.”
  • Clue 4 (Minute 20): Threat actors contact CEO directly via secure chat, providing screenshots of stolen patient records as proof, demanding $4.5M payment within 72 hours or patient data will be publicly released on criminal marketplaces and leak sites. “We know your insurance coverage limits and have calculated our demand accordingly.”

Response Options:

  • Option A: Emergency Paper Protocols with Backup Recovery - Immediately activate hospital emergency paper-based patient care procedures, begin restoration from offline backups, notify OCR of HIPAA breach, coordinate with FBI, refuse ransom payment prioritizing patient safety over data.
    • Pros: Maintains patient care through proven downtime procedures; demonstrates responsible healthcare security; supports law enforcement investigation; clean recovery without funding criminals.
    • Cons: Paper procedures reduce efficiency affecting surge patient flow; stolen patient data will likely be released creating privacy breach; recovery timeline extends emergency protocols affecting care quality.
    • Type Effectiveness: Super effective for Ransomware recovery - clean backups enable restoration; doesn’t prevent data exposure but maintains ethical stance.
  • Option B: Payment Negotiation for Data Deletion - Engage threat actors attempting to negotiate reduced payment specifically for verified data deletion and decryption, activate paper protocols as backup, coordinate cyber insurance for potential payment authorization.
    • Pros: May prevent patient data exposure through negotiated data deletion; faster potential recovery through decryption; demonstrates prioritization of patient privacy protection.
    • Cons: No guarantee attackers will honor data deletion agreement; payment funds criminal operations; may violate regulatory guidance and requirements; sets precedent for future attacks.
    • Type Effectiveness: Partially effective - may address data theft but funds continued Ransomware operations; no verification of data deletion possible.
  • Option C: Patient Diversion with Comprehensive Recovery - Activate regional disaster plan diverting non-critical patients to partner hospitals, focus all resources on backup restoration and security hardening, prioritize keeping Emergency Department operational for life-threatening cases only.
    • Pros: Ensures patient safety by reducing operational load during system recovery; allows thorough security remediation; demonstrates responsible crisis management prioritizing lives.
    • Cons: Revenue loss from patient diversion; potential community impact from reduced hospital capacity; stolen patient data still publicly released; partnership hospitals may face capacity constraints.
    • Type Effectiveness: Moderately effective - balances patient safety with recovery but doesn’t address data theft; protects lives while accepting privacy breach.

Round 2: Data Breach Management & Healthcare Compliance (30-35 min)

Investigation Clues:

  • Clue 5 (Minute 30): If Option A (paper protocols) chosen: Dr. Michael Stevens reports paper procedures working but surgical teams delayed accessing archived medical records. “We’re maintaining safety but efficiency dropped 40%. We can sustain emergency operations but not surge volume.”
  • Clue 5 (Minute 30): If Option B (negotiation) chosen: Threat actors respond to negotiation by demanding $3M for “data deletion guarantee” - no reduction in price, only separation of decryption and data protection into two payments. No verification mechanism available.
  • Clue 5 (Minute 30): If Option C (diversion) chosen: Partner hospitals report reaching capacity - cannot accept additional patient transfers. “Regional healthcare system is saturated. Cedar Valley Medical Center must maintain some operational capability.”
  • Clue 6 (Minute 40): CISO Kevin Zhang completes data inventory - patient records for approximately 180,000 individuals potentially compromised including sensitive diagnoses, mental health treatment, HIV status, substance abuse treatment, and financial information. HIPAA breach notification required.
  • Clue 7 (Minute 50): Hospital legal counsel reports potential liability exposure: class-action lawsuit risk, OCR investigation and potential fines, state attorney general involvement, patient trust erosion affecting future operations. “The data breach creates long-term institutional consequences beyond immediate crisis.”
  • Clue 8 (Minute 55): Cyber insurance carrier confirms policy covers up to $10M for breach response and regulatory fines but explicitly excludes ransom payments. Recovery costs, legal fees, notification expenses, and credit monitoring for 180,000 patients will likely exceed $15M.

Response Options:

  • Option A: Comprehensive Healthcare Breach Response - Activate full incident response plan including forensic investigation, patient notification via HIPAA-compliant procedures, credit monitoring services for all affected individuals, media communications plan, OCR cooperation, long-term security improvements.
    • Pros: Full compliance with healthcare regulations; demonstrates responsible patient data stewardship; supports law enforcement investigation; positions hospital for best possible regulatory outcome.
    • Cons: Major expense for notifications and monitoring; public relations crisis from data breach disclosure; potential loss of patient trust; extended regulatory oversight.
    • Type Effectiveness: Super effective for Healthcare Ransomware with Data Theft - comprehensive response ensuring regulatory compliance and patient protection despite breach.
  • Option B: Selective Notification with Monitoring - Notify only patients with highest-risk data exposure (sensitive diagnoses, financial information), provide credit monitoring to affected subset, coordinate with regulators on phased disclosure approach, focus resources on operational recovery.
    • Pros: Reduced notification costs and public relations impact; targeted protection for most vulnerable patients; allows focus on operational restoration.
    • Cons: May violate HIPAA breach notification requirements; differential patient treatment creates ethical concerns; incomplete disclosure may worsen OCR consequences if discovered.
    • Type Effectiveness: Partially effective - addresses highest risks but creates compliance and ethical issues; may face increased regulatory penalties.
  • Option C: Payment Reconsideration for Data Protection - Re-evaluate ransom payment specifically to prevent data release, accept that some insurance funds could cover “incident response costs” if payment documented as data breach mitigation, prioritize patient privacy over policy.
    • Pros: May prevent public data exposure protecting patient privacy; reduces potential liability from data breach; demonstrates patient-first decision making.
    • Cons: Likely violates federal guidance and insurance policy terms; no guarantee attackers delete data; funds criminal enterprise; may face legal consequences for payment decision.
    • Type Effectiveness: Not effective - violates regulations, doesn’t prevent future attacks, no verification of data deletion; creates legal and ethical problems.

Round Transition Narrative

After Round 1 → Round 2:

The team’s initial response determines whether Cedar Valley Medical Center faces operational challenges with paper procedures (protocol approach), uncertain negotiation outcomes with criminals (payment discussion), or regional capacity constraints (diversion strategy). Regardless of choice, the situation evolves when CISO Kevin Zhang completes assessment revealing 180,000 patients’ protected health information was stolen including highly sensitive medical conditions. Hospital legal counsel details the massive liability exposure, regulatory requirements, and long-term institutional consequences beyond immediate operational recovery. Cyber insurance confirms the financial burden will exceed $15M even with coverage. The team discovers this is not just a technical incident but a fundamental healthcare data protection failure requiring patient notification, regulatory cooperation, media management, and long-term trust rebuilding - all while maintaining emergency patient care during flu season surge and managing potential public data exposure within the 72-hour deadline.

Debrief Focus:

  • Recognition of double extortion tactics - encryption plus data theft creating dual pressure
  • Balance between patient life safety (immediate), patient privacy protection (stolen data), and regulatory compliance
  • Healthcare-specific challenges including breach notification requirements, sensitive medical data, patient trust
  • Ransom payment decision-making considering ethics, regulations, effectiveness, and precedent
  • Importance of backup isolation and data protection strategies in healthcare ransomware defense

Full Game Materials (120-140 min, 3 rounds)

Tip: Full Game vs. Lunch & Learn

The Full Game adds open investigation (no guided clues), creative responses (no pre-defined options), and a third round focused on long-term strategic recovery. Rounds run longer (35-45 min each) to allow deeper exploration.

Use the Key Discovery Paths above as your guide for what information is available when players investigate. Use Resolution Pathways to evaluate team decisions. The Lunch & Learn clues and response options are still useful as a personal reference for what “good” investigation and response looks like.

Round 1: Life-Critical Decision Making & Double Extortion Discovery (35-40 min)

Tuesday evening during peak flu season. Cedar Valley Medical Center is at 150% Emergency Department capacity with ICU completely full when every screen displays LockBit ransom demands. Dr. Michael Stevens faces immediate patient safety decisions as medical records, medication systems, and patient monitoring go dark. Within the hour, threat actors contact the CEO with proof they’ve stolen 500GB of patient data, demanding payment within 72 hours.

Players investigate openly using their role capabilities. Key discoveries available include weeks of persistent access through phishing targeting hospital administrators, the scope of data exfiltration (patient records, financial data, sensitive medical diagnoses), and the compromise of some backup systems.

If team stalls: Dr. Amanda Rodriguez interrupts: “I have a trauma patient needing emergency surgery and I cannot access their medical history or allergy information. Every minute without systems creates patient safety risks. I need a decision on paper protocols or patient diversion now.”

Facilitation questions:

  • “You have patients in life-threatening situations without access to their medical records. How does the immediate patient safety threat change your approach to containment?”
  • “Threat actors have stolen sensitive patient data including diagnoses and treatment records. How does this double extortion change your payment calculation compared to encryption alone?”
  • “Paper protocols can sustain emergency operations but at 40% efficiency during a surge. At what point do you divert patients to other hospitals, and how do you make that decision?”

Round 1→2 Transition

The team’s initial response determines whether Cedar Valley Medical Center faces operational constraints from paper protocols, uncertain negotiations with criminals, or regional capacity pressure from patient diversion. Regardless, CISO Kevin Zhang completes the breach assessment: approximately 180,000 patient records were stolen, including sensitive diagnoses, mental health treatment records, and financial information.

Round 2: Healthcare Data Breach & Regulatory Compliance (35-40 min)

The full scope of the data breach is now clear: 180,000 patient records compromised. HIPAA requires breach notification within 60 days. OCR has initiated an inquiry. Hospital legal counsel details massive liability exposure - class-action lawsuit risk, state attorney general involvement, and potential regulatory fines. Cyber insurance covers up to $10M but excludes ransom payments. Total estimated costs exceed $15M.

If team chose paper protocols in Round 1: Dr. Michael Stevens reports efficiency dropped 40% but patient safety is maintained. Surgical teams are struggling with archived records. “We can sustain emergency operations but not the surge volume indefinitely.”

If team considered payment in Round 1: Threat actors respond by demanding a separate payment for “data deletion guarantee” with no verification mechanism available. Previous experience shows data is rarely actually deleted after payment.

Facilitation questions:

  • “180,000 patients’ sensitive medical data is stolen. How do you prioritize between immediate operational recovery and breach notification compliance?”
  • “Insurance won’t cover ransom payment, and total breach costs are massive regardless. How does this financial reality affect your response strategy?”
  • “The public is about to learn that their most sensitive health information was stolen. How do you communicate this while maintaining trust in the hospital?”

Round 2→3 Transition

The immediate crisis shifts from operational survival to institutional accountability. Patient care is stabilizing through backup procedures, but the fundamental questions remain: How did this happen, who is responsible, and how does Cedar Valley Medical Center rebuild patient trust when their most sensitive data has been stolen?

Round 3: Healthcare System Resilience & Institutional Recovery (40-45 min)

Opening: Three weeks after the attack. Systems are 80% restored, but the institutional damage is deepening. Patient advocacy groups are demanding accountability. Regulatory investigation has expanded. Competitor hospitals are marketing their security practices. The board convenes a strategic review.

Investigation focus areas:

  • Security architecture review reveals systemic weaknesses: delayed patching to avoid clinical disruption, inadequate backup isolation, insufficient security staffing, flat network architecture connecting administrative and clinical systems
  • Patient trust assessment shows appointment cancellations up 30%, with patients transferring to competitor hospitals citing data security concerns
  • Regulatory analysis indicates the breach notification process has exposed gaps in the hospital’s overall data governance framework

Pressure events:

  • Patient advocacy group demands public accountability hearing before the hospital board, with media coverage guaranteed
  • Several patients with sensitive diagnoses (mental health, HIV treatment, substance abuse) file individual lawsuits claiming specific harm from data exposure
  • FDA announces expanded investigation into healthcare cybersecurity practices industry-wide, using Cedar Valley Medical Center as a case study
  • Board of directors commissions independent security audit and questions whether leadership adequately prioritized cybersecurity investment

Facilitation questions:

  • “The board asks why security updates were delayed to avoid clinical disruption. How do you balance the genuine tension between system availability for patient care and security patching?”
  • “Patients with sensitive diagnoses are suffering specific harm from their data exposure. How does this personalized impact change your thinking about data protection investment?”
  • “Regulators are using your breach to set industry precedent. Is this a threat or an opportunity to shape healthcare cybersecurity standards?”

Victory conditions for full 3-round arc:

  • Patient safety maintained throughout the crisis through effective emergency protocols and clinical decision-making
  • Comprehensive breach response with regulatory compliance and transparent patient communication
  • Security architecture redesign addressing the root causes: patch management, backup isolation, network segmentation, clinical system protection
  • Governance framework ensuring cybersecurity investment is balanced with clinical operational needs

Debrief Focus

  • How double extortion creates unique pressure in healthcare where both patient safety (encryption) and patient privacy (data theft) are simultaneously threatened
  • The tension between clinical system availability and security patching - how healthcare organizations can manage both
  • Regulatory compliance as both obligation and framework for effective response
  • The long-term institutional cost of healthcare data breaches beyond immediate financial impact
  • Building healthcare cyber resilience without compromising the clinical mission

Advanced Challenge Materials (150-170 min)

Red Herrings & Misdirection

  1. Equipment malfunctions: Several medical devices in the ICU report intermittent alerts unrelated to the ransomware - teams must distinguish between cyber impact and normal equipment behavior during high-utilization surge conditions.
  2. Vendor access confusion: A legitimate medical device vendor was performing scheduled remote maintenance at the time of the attack - teams may pursue this as the initial access vector, wasting investigation time.
  3. Staffing correlation: A recently hired IT contractor had elevated network access and started two weeks before the attack - teams may investigate an insider threat that doesn’t exist.
  4. Prior complaints: Emergency Department staff had reported system slowness for weeks before the attack, but forensic analysis reveals this was caused by surge-related volume, not attacker activity.

Removed Resources & Constraints

  • Hospital’s incident response retainer firm has a conflicting engagement and cannot deploy for 72 hours
  • Kevin Zhang is on medical leave – the interim security lead has limited ransomware experience
  • Hospital board requires executive committee approval for any expenditure over $500K, creating delays during crisis response
  • Clinical staff resist paper protocols, insisting “we’ve always had computers” and creating friction with the response team

Enhanced Pressure

  • A specific pediatric patient’s parents learn their child’s medical records (including developmental disability diagnosis) were stolen and go to local news media
  • Hospital employees discover their own personnel records (including salary, disciplinary history, and health insurance claims) were part of the stolen data
  • Competing hospital system runs targeted recruitment ads to Cedar Valley Medical Center nursing staff, citing “superior cybersecurity infrastructure”
  • State health department considers temporary suspension of Cedar Valley Medical Center’s trauma center certification pending security assessment

Ethical Dilemmas

  1. Patient safety vs. investigation thoroughness: Rapid system restoration reduces investigation quality, potentially missing persistence mechanisms. But every hour without systems creates patient risk. When do you prioritize speed over completeness?
  2. Selective disclosure vs. comprehensive notification: Some stolen records contain especially sensitive diagnoses. Is there an ethical argument for prioritizing notification of highest-risk patients, or must all 180,000 be notified simultaneously?
  3. Payment to prevent specific harm: If threat actors begin publishing individual patient records with sensitive diagnoses, does the specific, personalized harm to identifiable patients justify payment that general data theft does not?
  4. Transparency vs. institutional survival: Full public disclosure of security failures helps the healthcare sector learn but could threaten the hospital’s financial viability, ultimately harming the community it serves.

Advanced Debrief Topics

  • Healthcare ransomware as a patient safety event, not just a cybersecurity incident
  • The systemic conflict between healthcare IT investment in clinical capabilities vs. security infrastructure
  • Professional and ethical obligations when patient health information is weaponized
  • Building a healthcare cybersecurity culture that clinical staff embrace rather than resist
  • Regulatory frameworks as both compliance burden and effective forcing function for security investment

Session Materials

Download or print before the session. Handout files open as standalone pages.

  • Handout A
  • Handout B

Inject Sequence

The following injects are delivered by the IM at the trigger points described. Read aloud text verbatim. Adjust timing to group pace – a fast-moving group may skip injects; a stuck group may need them early.

Inject 1: Immediate Clinical Operations Halt

Trigger: Initial surge-period service outage report from nursing command center.

Read Aloud:

“At Cedar Valley Medical Center, every major clinical workstation begins showing the same extortion demand screen. Orders and records are unavailable, and the Emergency Department is still receiving high-acuity patients.”

Inline Artifact:

Shared drives show file extensions changing and access-denied errors on critical patient documents.

Discussion Questions:

  • Which patient safety functions must be restored first?
  • Who owns the decision to shift to paper workflows?
  • What services can be temporarily degraded without unsafe impact?

Conditional Branches:

  • If the team activates downtime protocol quickly: Clinical operations stabilize at reduced efficiency and can sustain emergency cases.
  • If the team delays downtime protocol: Medication and allergy verification backlogs create immediate patient safety risk.

IM Notes:

  • Hint if stuck: “What is your first life-safety control when records are unavailable in Emergency Department?”
  • Red flag: No owner is assigned for clinical downtime activation within 10 minutes.
  • Success indicator: Downtime protocol owner, communication channel, and patient triage thresholds are documented.

Inject 2: Data Theft Proof and Deadline

Trigger: Executive receives encrypted chat message with proof package.

Read Aloud:

“The CEO receives screenshots of patient files and a message claiming more records will be published unless payment is made before the countdown expires.”

Inline Artifact:

Message references internal department naming conventions and recent admissions, indicating deep reconnaissance.

Discussion Questions:

  • How does proven data theft change your priorities?
  • Who decides whether to engage or refuse extortion communications?
  • What evidence must be preserved now for legal and investigative needs?

Conditional Branches:

  • If the team escalates legal/privacy immediately: Notification planning starts early, reducing deadline risk.
  • If the team postpones privacy workstream: Reporting window pressure compounds operational stress later in the scenario.

IM Notes:

  • Hint if stuck: “What decisions become urgent now that privacy harm is no longer hypothetical?”
  • Red flag: Team treats event only as system outage and ignores breach obligations.
  • Success indicator: Legal, privacy, and technical leads align on a shared response timeline.

Inject 3: Backup Integrity Shock

Trigger: Storage team escalates repeated replication and checksum failures.

Read Aloud:

“The storage lead confirms that your primary restore path is unreliable. Clean recovery points exist, but they are incomplete and older than clinical leaders expected.”

Inline Artifact:

Replication dashboard shows last successful immutable snapshot timestamp preceding current surge week.

Discussion Questions:

  • What minimum viable restoration sequence protects patient care?
  • What evidence confirms a backup set is safe to restore?
  • How do you communicate uncertainty to executives without losing trust?

Conditional Branches:

  • If the team uses phased restoration: Core triage and medication workflows return sooner with controlled risk.
  • If the team attempts broad restore immediately: Recovery slows due to repeated validation failures and conflicting priorities.

IM Notes:

  • Hint if stuck: “Which services must return first for safe care, and which can wait?”
  • Red flag: Team commits to full restoration timeline without backup validation.
  • Success indicator: Recovery plan is sequenced by clinical criticality and approved by operations leadership.

Inject 4: Regulatory Clock Starts

Trigger: Legal escalation meeting with privacy counsel and executive leadership.

Read Aloud:

“Legal counsel confirms the reporting window is active. You need a defensible incident statement now, even though parts of the technical investigation are still incomplete.”

Inline Artifact:

Draft notification template includes incident scope placeholders and mitigation commitments.

Discussion Questions:

  • What can be stated now with confidence?
  • Who approves patient and regulator communications?
  • How do you handle unknowns without delaying required action?

Conditional Branches:

  • If the team establishes a facts-only notification cadence: Regulatory dialogue remains controlled and credible.
  • If the team waits for perfect certainty: Deadline pressure spikes and external trust declines.

IM Notes:

  • Hint if stuck: “What is your minimum factual package for timely notification?”
  • Red flag: No single owner is assigned for regulator communication approval.
  • Success indicator: Notification owner, reviewer chain, and submission timing are agreed in writing.

Inject 5: Media and Community Pressure

Trigger: Call center and press office receive simultaneous inquiry surge.

Read Aloud:

“A major local outlet asks whether patient records were exposed and whether emergency services are safe. Staff are already seeing social media rumors spread faster than official updates.”

Inline Artifact:

Call center queue spikes 4x with patient questions about appointments, records, and safety.

Discussion Questions:

  • What can front-line staff safely say right now?
  • How do you acknowledge impact without speculative statements?
  • How do you support patients who fear privacy harm?

Conditional Branches:

  • If the team centralizes messaging: Public uncertainty stabilizes and operational teams can focus on recovery.
  • If the team allows ad hoc responses: Conflicting statements amplify pressure on clinical and legal teams.

IM Notes:

  • Hint if stuck: “Who is authorized to speak externally, and what is the approved message today?”
  • Red flag: Different departments issue conflicting public statements.
  • Success indicator: Single spokesperson model and update cadence are activated within 30 minutes.

Inject 6: Decision and Debrief Pivot

Trigger: Scenario timebox ends and facilitator transitions to hot wash.

Read Aloud:

“You have prevented immediate clinical collapse, but the organization now faces a long recovery horizon. The next decisions determine whether this becomes a repeat event or a turning point.”

Inline Artifact:

Decision log shows unresolved items on backup architecture, staffing, and communication governance.

Discussion Questions:

  • Which controls would have changed this outcome most?
  • What governance decisions were delayed too long?
  • What does this mean for your organization’s readiness?

Conditional Branches:

  • If the team defines concrete remediation owners: Post-incident momentum remains high and measurable.
  • If the team ends without ownership: Known weaknesses persist into the next quarter.

IM Notes:

  • Hint if stuck: “Name the three highest-value changes you can own in the next quarter.”
  • Red flag: Debrief focuses on individual fault instead of systemic control gaps.
  • Success indicator: Team leaves with prioritized owners, deadlines, and measurable remediation outcomes.

NPC Dialogue Scripts

Verbatim lines for key NPCs at critical decision moments. Deliver in character when players interact with the NPC or when the scene naturally calls for it. Adapt phrasing naturally but preserve the core message.

Chief Medical Officer

Clinical safety decisions during sustained system outage

Can we keep accepting critical patients safely?:
“We can continue emergency intake only if downtime medication checks and allergy verification are enforced immediately. Safety is not negotiable.”

Should we divert non-critical arrivals now?:
“Yes, if triage backlog exceeds our safe threshold. Protecting critical care capacity comes first.”

IT Director

Containment and restoration sequencing

Can you restore everything quickly from backup?:
“Not safely. We need phased recovery with validation, or we risk reintroducing compromised data paths.”

What do you need from leadership right now?:
“Clear service priorities and approval for controlled network isolation so we stop further spread.”

Department Director

Front-line operations under surge pressure

What is your immediate operational concern?:
“I have high-acuity patients waiting and no digital chart access. I need a firm decision on downtime procedures now.”

What support do you need from incident command?:
“A dedicated runner for lab and medication reconciliation plus frequent updates we can trust.”

Chief Information Security Officer

Breach scope and strategic decision support

How certain are we about data exposure?:
“Evidence indicates patient records were copied before systems were locked. We should act as confirmed exposure.”

What is the biggest strategic risk if we delay decisions?:
“Delay compounds harm: longer outage, tighter reporting windows, and weaker trust recovery.”

Red Herrings

These false leads are built into the scenario. Do not shut down player investigation – let them work through the evidence to the correct conclusion. The goal is productive confusion, not frustration.

Red Herring 1: Unrelated Storage Controller Alert

What points to it:

  • A SAN controller posted warning events 24 hours earlier.
  • Two archived imaging volumes were already in degraded state.
  • Ops team remembers a maintenance ticket still marked open.

Why it’s wrong: Controller warnings are limited to non-critical archive volumes and do not explain synchronized endpoint behavior or extortion messaging across departments.

IM resolution script: “The storage warning is real but not the root cause of the current crisis. Keep tracking it as a parallel issue while you continue investigating coordinated endpoint and data-theft evidence.”

Red Herring 2: Scheduled Vendor Remote Session

What points to it:

  • A medical device vendor had approved remote maintenance during the same week.
  • VPN logs show vendor account login near first alert time.
  • Change calendar entry appears adjacent to outage window.

Why it’s wrong: Vendor access was scoped to a segmented device management zone and ended before the first widespread endpoint execution cluster.

IM resolution script: “Vendor activity overlaps in time but does not align with the broader command pattern you are seeing. Treat it as context, not primary cause, and continue with validated indicators.”

Red Herring 3: Seasonal Capacity Slowdown

What points to it:

  • Clinical staff reported slowness during surge week.
  • Database latency alerts existed before the incident.
  • Helpdesk already had a high queue because of patient volume.

Why it’s wrong: Performance degradation from high utilization does not account for file access denial, coordinated command execution, and direct extortion contact.

IM resolution script: “High load explains slower systems, not synchronized lockouts and proof-of-access messages. Separate performance noise from confirmed incident signals.”

Post-Session Gap Analysis

Use this section during the debrief. Each gap is a real security control weakness this scenario is designed to surface. Help participants connect scenario events to their own organization’s readiness.

Gap 1: Clinical Downtime Readiness Is Incomplete (Priority: critical)

What the scenario revealed: Teams hesitated before activating paper workflows, and ownership was unclear in the first 15 minutes.
Why it matters: When clinical systems fail, delays in fallback execution can cause preventable harm.

Suggested remediation:

  • Publish a one-page downtime decision matrix approved by medical and IT leadership.
  • Run unannounced shift-based downtime drills twice per quarter.
  • Track activation time and medication verification delay as key safety metrics.

Debrief question: “What does this mean for your organization’s readiness when digital systems fail during peak patient load?”

Gap 2: Backup Isolation and Validation Are Insufficient (Priority: high)

What the scenario revealed: Primary replication failed and clean restore points were older than expected for critical services.
Why it matters: Without trusted recovery points, restoration decisions become slower and riskier under pressure.

Suggested remediation:

  • Segment backup domains from production trust boundaries.
  • Define recovery tiers for clinical, administrative, and auxiliary services.
  • Require monthly restore attestations signed by service owners.

Debrief question: “How ready is your organization to recover safely if the first backup path fails?”
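As an added illustration of the validation step that Inject 3 and Gap 2 describe (example code, not part of the scenario materials), the Python below picks, for each service, the newest restore point that is immutable, checksum-verified and predates a constructed compromise-start estimate, then sequences recovery by clinical tier and reports services with no trusted point. Service names, timestamps and the catalogue are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Snapshot:
    service: str
    taken_at: datetime
    immutable: bool    # written to a locked (WORM) backup target
    checksum_ok: bool  # checksum matched on a test restore


# Recovery tiers as Gap 2 suggests: clinical (1), administrative (2), auxiliary (3).
# Service names are constructed for this example.
TIERS = {"emr": 1, "pharmacy": 1, "lab": 1, "billing": 2, "hr": 2, "intranet": 3}

# Constructed estimate of when the attacker first had write access.
COMPROMISE_START = datetime(2025, 1, 13, 22, 0)

# Constructed backup catalogue, as a storage team might export it.
CATALOGUE = [
    Snapshot("emr", datetime(2025, 1, 13, 23, 30), True, True),       # after compromise
    Snapshot("emr", datetime(2025, 1, 13, 20, 0), True, True),        # clean, newest
    Snapshot("pharmacy", datetime(2025, 1, 13, 21, 0), False, True),  # not immutable
    Snapshot("pharmacy", datetime(2025, 1, 11, 2, 0), True, True),    # clean but old
    Snapshot("lab", datetime(2025, 1, 13, 21, 30), True, False),      # checksum failed
    Snapshot("billing", datetime(2025, 1, 13, 6, 0), True, True),
    Snapshot("intranet", datetime(2025, 1, 13, 12, 0), True, True),
]


def is_trusted(snap, compromise_start):
    """A restore point is safe only if all three conditions hold."""
    return snap.immutable and snap.checksum_ok and snap.taken_at < compromise_start


def select_restore_points(catalogue, compromise_start, tiers=TIERS):
    """Return ({service: newest trusted snapshot}, [services with no trusted point])."""
    best = {}
    for snap in catalogue:
        if not is_trusted(snap, compromise_start):
            continue
        current = best.get(snap.service)
        if current is None or snap.taken_at > current.taken_at:
            best[snap.service] = snap
    gaps = sorted(s for s in tiers if s not in best)
    return best, gaps


def restore_plan(best, compromise_start, tiers=TIERS):
    """Sequence restores by tier; each row carries the hours of data loss to expect."""
    rows = []
    for service, snap in best.items():
        loss_hours = (compromise_start - snap.taken_at) / timedelta(hours=1)
        rows.append((tiers.get(service, 99), service, snap.taken_at, round(loss_hours, 1)))
    rows.sort()
    return rows


if __name__ == "__main__":
    best, gaps = select_restore_points(CATALOGUE, COMPROMISE_START)
    for tier, service, taken_at, loss in restore_plan(best, COMPROMISE_START):
        print(f"tier {tier}  {service:<9} restore {taken_at:%Y-%m-%d %H:%M}  ~{loss}h data loss")
    print("no trusted restore point (manual/paper reconstruction):", gaps)
```

The gap list is the input to the downtime and paper-reconstruction discussion; the data-loss column is what clinical leaders need to hear before approving a phased restore.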

Gap 3: Regulatory Communication Ownership Is Fragmented (Priority: high)

What the scenario revealed: Participants lacked a pre-assigned reporting owner and approval chain for regulator notifications.
Why it matters: Reporting windows do not pause for technical uncertainty, so governance must be ready early.

Suggested remediation:

  • Assign primary and backup reporting owners.
  • Maintain regulator-ready templates for initial and follow-up notices.
  • Exercise legal/communications tabletop drills twice yearly.

Debrief question: “What does this mean for your organization’s readiness to meet regulatory deadlines under operational stress?”

Gap 4: External Messaging Control Is Underdeveloped (Priority: medium)

What the scenario revealed: Teams needed prompts before assigning spokesperson roles and message boundaries.
Why it matters: Clear communication protects trust and reduces operational noise during recovery.

Suggested remediation:

  • Publish a media and patient communication SOP tied to incident severity levels.
  • Pre-build patient FAQ templates for service outages and privacy concerns.
  • Train department leads on what to say and where to escalate questions.

Debrief question: “What does this mean for your organization’s readiness to communicate clearly during a high-pressure incident?”