Poison Ivy Scenario: Medical Practice Patient Data
Healthcare Surveillance • PoisonIvy
STAKES
Patient safety + Clinical data integrity + Privacy compliance + Practice continuity
HOOK
Clinical and front-office staff report charts opening without assigned provider activity, unexplained overnight access to patient notes, and recurring remote cursor movement in exam-room workstations. Network review shows encrypted outbound sessions from endpoints handling patient records while standard scans remain inconclusive.
PRESSURE
- Decision deadline: Wednesday 3:30 PM
- Patient scope: 8,000 active patients
- Incident exposure: $2.1 million projected incident response and patient-remediation exposure
FRONT • 120 minutes • Intermediate
Healthcare Surveillance • PoisonIvy
NPCs
- Dr. Michael Stevens (Practice Lead): Balances care continuity with incident response decisions
- Jennifer Walsh (Office Manager): Coordinates scheduling, intake, and patient communications
- Tom Nakamura (IT Consultant): Leads endpoint triage and containment sequencing
- Dr. Amanda Park (Associate Physician): Escalates treatment and chart-integrity risks from clinical workflows
SECRETS
- Clinical endpoints retained broad remote-administration trust relationships during rapid tooling changes
- Access boundaries around sensitive charting workflows exceeded least-privilege expectations
- Covert activity prioritized patient treatment and note repositories before visible disruption
Poison Ivy Scenario: Medical Practice Patient Data
Healthcare Surveillance • PoisonIvy
STAKES
Patient safety + Clinical data integrity + Privacy compliance + Practice continuity
HOOK
Clinical and front-office staff report charts opening without assigned provider activity, unexplained overnight access to patient notes, and recurring remote cursor movement in exam-room workstations. Network review shows encrypted outbound sessions from endpoints handling patient records while standard scans remain inconclusive.
PRESSURE
- Decision deadline: Wednesday 3:30 PM
- Patient scope: 6,000 active patients
- Incident exposure: C$1.6 million projected incident response and patient-remediation exposure
FRONT • 120 minutes • Intermediate
Healthcare Surveillance • PoisonIvy
NPCs
- Dr. Michael Tremblay (Practice Lead): Balances care continuity with incident response decisions
- Sarah Kim (Office Manager): Coordinates scheduling, intake, and patient communications
- Daniel Santos (IT Consultant): Leads endpoint triage and containment sequencing
- Dr. Priya Sharma (Associate Physician): Escalates treatment and chart-integrity risks from clinical workflows
SECRETS
- Clinical endpoints retained broad remote-administration trust relationships during rapid tooling changes
- Access boundaries around sensitive charting workflows exceeded least-privilege expectations
- Covert activity prioritized patient treatment and note repositories before visible disruption
Planning Resources
For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:
Poison Ivy Medical Practice Planning Document
Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.
Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:
Poison Ivy Medical Practice Scenario Slides
Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support
Scenario Details for IMs
Hook
“It is Monday at 8:40 AM at Lakewood Internal Medicine. Staff preparing morning appointments notice patient records opening without assigned clinicians, unexplained after-hours chart access, and intermittent workstation control loss in clinical rooms. Technical review confirms recurring outbound encrypted sessions from systems that process protected health information. Leadership must contain the incident while preserving patient safety and care continuity.”
“Initial command alert logged at 8:40 AM. Regional context: US.”
“Practice scope: 15 physicians, 50 employees, and 8,000 active patients.”
“It is Monday at 8:40 AM at Toronto Midtown Medical Centre. Staff preparing morning appointments notice patient records opening without assigned clinicians, unexplained after-hours chart access, and intermittent workstation control loss in clinical rooms. Technical review confirms recurring outbound encrypted sessions from systems that process patient health information. Leadership must contain the incident while preserving patient safety and care continuity.”
“Initial command alert logged at 8:40 AM. Regional context: Canada.”
“Practice scope: 12 physicians, 40 employees, and 6,000 active patients.”
Initial Symptoms to Present:
- “Clinical workstations show intermittent remote cursor movement during active appointments”
- “Chart systems report unexplained after-hours access to treatment notes”
- “Provider-facing systems open patient records without assigned clinician input”
- “Outbound encrypted sessions recur from endpoints tied to sensitive charting”
Key Discovery Paths:
Detective Investigation Leads:
- Timeline analysis shows covert control activity preceding obvious workflow disruption
- Access records indicate focused interest in treatment notes and medication histories
- Host artifacts suggest sustained observation rather than immediate destructive impact
Protector System Analysis:
- Endpoint triage confirms covert-control indicators across charting and intake systems
- Permission audits reveal overbroad access in sensitive clinical documentation pathways
- Containment strategy must preserve evidence without compromising active patient care
Tracker Network Investigation:
- Beaconing and staged transfers show coordinated exfiltration patterns
- Lateral movement traces prioritize systems with high clinical context value
- Traffic profile indicates deliberate data collection operations across practice workflows
Communicator Stakeholder Interviews:
- Clinical teams require immediate guidance on safe chart reliance and workflow fallback
- Patient-facing staff need approved communication language under evolving uncertainty
- Oversight and legal stakeholders need documented confidence levels for disclosure timing
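An added example, not part of the scenario materials: two triage checks a Detective or Tracker team could run over the access records and network telemetry described above, using constructed EHR audit entries and outbound session logs (users, patient IDs, host names, destination addresses and clinic hours are all assumed).

```python
from collections import defaultdict
from datetime import datetime, time
from statistics import mean, pstdev

FMT = "%Y-%m-%d %H:%M"
CLINIC_OPEN, CLINIC_CLOSE = time(7, 30), time(19, 0)  # assumed clinic hours
AUDIT = [  # constructed EHR audit records: (timestamp, user, patient_id, record_type)
    ("2024-03-04 09:10", "dr_park", "P100", "treatment_note"),
    ("2024-03-04 02:15", "dr_park", "P200", "medication_history"),    # after hours
    ("2024-03-04 10:05", "svc_remote", "P100", "treatment_note"),      # not on care team
    ("2024-03-04 02:40", "svc_remote", "P300", "medication_history"),  # both
]
# Constructed roster: which users belong to each patient's assigned care team
CARE_TEAM = {"P100": {"dr_park"}, "P200": {"dr_park"}, "P300": {"dr_sharma"}}
FLOWS = [  # constructed outbound sessions: (timestamp, src_host, dst_ip)
    ("2024-03-04 01:00", "exam-3", "203.0.113.7"),
    ("2024-03-04 01:30", "exam-3", "203.0.113.7"),
    ("2024-03-04 02:00", "exam-3", "203.0.113.7"),
    ("2024-03-04 02:30", "exam-3", "203.0.113.7"),
    ("2024-03-04 09:12", "front-1", "198.51.100.9"),
    ("2024-03-04 11:47", "front-1", "198.51.100.9"),
]

def flag_chart_access(audit=AUDIT, care_team=CARE_TEAM):
    """Return (user, patient, reasons) for chart accesses that happened
    after hours or came from someone outside the patient's care team."""
    flagged = []
    for ts, user, patient, _ in audit:
        reasons = []
        if not CLINIC_OPEN <= datetime.strptime(ts, FMT).time() <= CLINIC_CLOSE:
            reasons.append("after_hours")
        if user not in care_team.get(patient, set()):
            reasons.append("not_on_care_team")
        if reasons:
            flagged.append((user, patient, reasons))
    return flagged

def find_beacons(flows=FLOWS, min_sessions=4, max_jitter=0.2):
    """Return (src, dst) pairs whose session gaps are near-constant. At least
    three sessions are required: a single gap always has zero jitter."""
    by_pair = defaultdict(list)
    for ts, src, dst in flows:
        by_pair[(src, dst)].append(datetime.strptime(ts, FMT))
    beacons = []
    for pair, times in by_pair.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= max(min_sessions, 3) and pstdev(gaps) <= max_jitter * mean(gaps):
            beacons.append(pair)
    return beacons
```

The first check surfaces the "unexplained after-hours chart access" and "records opening without assigned clinicians" symptoms from audit data; the second surfaces the evenly spaced outbound sessions the Tracker lead describes, while leaving the two irregular front-desk sessions alone.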
Mid-Scenario Pressure Points:
- Hour 1: Clinical teams cannot confirm integrity of active treatment-plan notes
- Hour 2: Unauthorized access to medication histories creates immediate safety concern
- Hour 3: Leadership must decide if normal scheduling can continue without expanded controls
- Hour 4: Trust risk escalates as incident scope remains unresolved across patient records
Evolution Triggers:
- If containment is delayed, additional charting and treatment artifacts are exposed
- If systems are reset too early, evidential confidence and legal defensibility degrade
- If patient communication lags, trust and care continuity pressure intensifies
Resolution Pathways:
Technical Success Indicators:
- Covert access paths are removed and clinical systems are restored to trusted baselines
- Forensic timeline and evidential chain are preserved for regulator and legal review
- Access governance is hardened for treatment and note-management repositories
Business Success Indicators:
- Care continuity decisions remain defensible under documented risk analysis
- Patient communication remains timely and aligned with verified incident facts
- Compliance posture is sustained through coordinated oversight engagement
Learning Success Indicators:
- Team recognizes long-duration surveillance behavior in outpatient clinical settings
- Participants balance evidence discipline with real-time care delivery pressure
- Group coordinates clinical, technical, and compliance decision-making effectively
Common IM Facilitation Challenges:
If Teams Rush to Restore Without Scope Confidence:
“What minimum evidence threshold do you require before asserting chart integrity for active patients?”
If Teams Delay Oversight Coordination:
“OCR and state oversight channels request incident status, breach-assessment methodology, and documented controls used to protect affected patient records.”
“IPC Ontario and CPSO oversight contacts request incident status, breach-assessment methodology, and documented controls used to protect affected patient records under PHIPA.”
If Teams Ignore Clinical Safety Dependencies:
“Which workflows require immediate fallback controls in the next hour to reduce patient harm risk?”
Success Metrics for Session:
Template Compatibility
This scenario adapts to multiple session formats with appropriate scope and timing:
Quick Demo (35-40 minutes)
Structure: 2 investigation rounds, 1 decision round
Focus: Detect covert clinical surveillance and set immediate safety controls
Key Actions: Scope exposure, preserve evidence, and issue initial patient-risk posture
Lunch & Learn (75-90 minutes)
Structure: 4 investigation rounds, 2 decision rounds
Focus: Coordinate endpoint triage, patient communication, and compliance escalation
Key Actions: Build scope confidence, protect high-risk charts, align oversight updates
Full Game (120-140 minutes)
Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end outpatient healthcare surveillance response under care-delivery pressure
Key Actions: Balance clinical continuity with defensible containment and notification sequencing
Advanced Challenge (150-170 minutes)
Structure: 7-8 investigation rounds, 4 decision rounds
Expert Elements: Ambiguous scope, competing patient-impact priorities, and evidence-quality disputes
Additional Challenges: Escalating patient trust concerns and compressed leadership decision windows
Quick Demo Materials (35-40 min)
Guided Investigation Clues
- Clue 1 (Minute 5): Security operations at Lakewood Internal Medicine confirms covert endpoint control in charting and intake systems.
- Clue 2 (Minute 10): Dr. Amanda Park confirms unauthorized views of treatment notes, medication histories, and visit summaries tied to this week’s high-risk patient cohort reviews.
- Clue 3 (Minute 15): Dr. Michael Stevens opens an emergency huddle and states that patient care cannot pause while the team investigates potential unauthorized access. Jennifer Walsh reports that scheduling and chart workflows are unstable across multiple exam rooms. Tom Nakamura confirms persistent remote-control artifacts and requests immediate host isolation with evidence preservation. Dr. Amanda Park flags concern that active treatment plans may have been viewed outside normal care teams.
- Clue 1 (Minute 5): Security operations at Toronto Midtown Medical Centre confirms covert endpoint control in charting and intake systems.
- Clue 2 (Minute 10): Dr. Priya Sharma confirms unauthorized views of treatment notes, medication histories, and visit summaries tied to this week’s high-risk patient cohort reviews.
- Clue 3 (Minute 15): Dr. Michael Tremblay opens an emergency huddle and states that patient care cannot pause while the team investigates potential unauthorized access. Sarah Kim reports that scheduling and chart workflows are unstable across multiple exam rooms. Daniel Santos confirms persistent remote-control artifacts and requests immediate host isolation with evidence preservation. Dr. Priya Sharma flags concern that active treatment plans may have been viewed outside normal care teams.
Pre-Defined Response Options
Option A: Evidence-First Clinical Containment
- Action: Isolate affected hosts, preserve artifacts, and restore in staged waves with explicit clinical fallback controls.
- Pros: Improves legal defensibility and long-term trust posture.
- Cons: Near-term operational disruption for appointment flow and chart access.
- Type Effectiveness: Super effective for durable practice recovery.
Option B: Continuity-First Operations
- Action: Keep broad systems online while applying targeted controls around highest-risk workflows.
- Pros: Reduces immediate appointment disruption and throughput loss.
- Cons: Increases probability of continued covert collection and scope growth.
- Type Effectiveness: Partially effective with elevated risk.
Option C: Phased Confidence Restoration
- Action: Prioritize high-acuity patient cohorts and restore lower-risk systems in controlled sequence.
- Pros: Balances patient care urgency with evidence quality.
- Cons: Extended uncertainty can strain patient trust and staff confidence.
- Type Effectiveness: Moderately effective when command discipline is strong.
Lunch & Learn Materials (75-90 min, 2 rounds)
Round 1: Clinical Workflow Exposure (30-35 min)
- Opening: Dr. Michael Stevens opens an emergency huddle and states that patient care cannot pause while the team investigates potential unauthorized access. Jennifer Walsh reports that scheduling and chart workflows are unstable across multiple exam rooms. Tom Nakamura confirms persistent remote-control artifacts and requests immediate host isolation with evidence preservation. Dr. Amanda Park flags concern that active treatment plans may have been viewed outside normal care teams.
- Clue 1 (Minute 10): Endpoint telemetry indicates repeated after-hours control sessions on systems handling treatment documentation.
- Clue 2 (Minute 20): Dr. Amanda Park confirms unauthorized views of treatment notes, medication histories, and visit summaries tied to this week’s high-risk patient cohort reviews.
- Opening: Dr. Michael Tremblay opens an emergency huddle and states that patient care cannot pause while the team investigates potential unauthorized access. Sarah Kim reports that scheduling and chart workflows are unstable across multiple exam rooms. Daniel Santos confirms persistent remote-control artifacts and requests immediate host isolation with evidence preservation. Dr. Priya Sharma flags concern that active treatment plans may have been viewed outside normal care teams.
- Clue 1 (Minute 10): Endpoint telemetry indicates repeated after-hours control sessions on systems handling treatment documentation.
- Clue 2 (Minute 20): Dr. Priya Sharma confirms unauthorized views of treatment notes, medication histories, and visit summaries tied to this week’s high-risk patient cohort reviews.
Round 2: Oversight and Patient Protection Decisions (30-35 min)
- Clue 3 (Minute 35): OCR and state oversight channels request incident status, breach-assessment methodology, and documented controls used to protect affected patient records.
- Clue 4 (Minute 45): FBI reports continuing criminal activity where covert access to clinical systems enabled downstream identity misuse and patient-targeted fraud.
- Pressure Event (Minute 55): “Leadership requires your containment and communication decision by Wednesday 3:30 PM.”
- Coordination Note: “Immediate external coordination: FBI plus OCR and State Attorney General channels under HIPAA Privacy and Security Rule obligations.”
- Clue 3 (Minute 35): IPC Ontario and CPSO oversight contacts request incident status, breach-assessment methodology, and documented controls used to protect affected patient records under PHIPA.
- Clue 4 (Minute 45): CCCS reports continuing criminal activity where covert access to clinical systems enabled downstream identity misuse and patient-targeted fraud.
- Pressure Event (Minute 55): “Leadership requires your containment and communication decision by Wednesday 3:30 PM.”
- Coordination Note: “Immediate external coordination: CCCS and RCMP plus IPC Ontario supervisory channels under PHIPA health-information-custodian obligations.”
Debrief Focus
- How covert surveillance changes risk assumptions in outpatient clinical operations
- What evidence quality is required before trust-sensitive patient communications
- Which clinical workflows need prebuilt fallback procedures for future incidents
- How to align cybersecurity response with healthcare oversight and professional obligations