Raspberry Robin Scenario: Healthcare Network USB Outbreak

Raspberry Robin Scenario: Healthcare Network USB Outbreak

Northern Health Alliance: NHS hospital network with 3 hospitals and 5,000 employees
Healthcare USB Outbreak • RaspberryRobin
STAKES
Patient care continuity + Medical-device integrity + Data-protection compliance + Public trust
HOOK
Clinical teams report USB drives creating folder-like shortcut files on maintenance workstations, unexplained process launches on patient monitoring consoles, and intermittent charting delays in care units. Security telemetry shows repeated outbound sessions from systems used for medical-device support while routine endpoint checks remain inconclusive.
PRESSURE
  • Decision deadline: 5:30 PM
  • Clinical scope: NHS hospital network with 3 hospitals and 5,000 employees
  • Regulatory notice window: 72 hours
FRONT • 120 minutes • Intermediate
Northern Health Alliance: NHS hospital network with 3 hospitals and 5,000 employees
Healthcare USB Outbreak • RaspberryRobin
NPCs
  • Dr. Amara Okonkwo (Medical Director): Owns patient-safety priorities and executive decisions during the outbreak
  • James Mitchell (CTO): Coordinates infrastructure triage and continuity of critical hospital systems
  • Rajesh Patel (CISO): Leads containment, forensics, and coordination with NCSC
  • Dr. Charlotte Webb (Clinical Lead): Represents frontline treatment constraints in A&E and intensive care
SECRETS
  • Routine USB workflows remained embedded in medical-device maintenance and data-transfer procedures
  • Clinical and administrative support pathways shared removable-media dependencies without hardened controls
  • Early indicators suggest staging behavior before overt service interruption

Planning Resources

Tip📋 Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

Raspberry Robin Healthcare Network Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.

Note🎬 Interactive Scenario Slides

Ready-to-present RevealJS slides with player-safe mode, session tracking, and IM facilitation notes:

Raspberry Robin Healthcare Network Scenario Slides

Press ‘P’ to toggle player-safe mode • Built-in session state tracking • Dark/light theme support

Scenario Details for IMs

Hook

Initial Symptoms to Present:

Warning🚨 Initial User Reports
  • “USB drives used for device maintenance are creating suspicious shortcut files on clinical support workstations”
  • “Patient monitoring consoles show unexplained process execution after routine removable-media procedures”
  • “Clinical charting systems intermittently delay updates across multiple wards”
  • “Security monitoring detects recurring outbound sessions from systems tied to medical-device support”

Key Discovery Paths:

Detective Investigation Leads:

  • Artifact review links propagation to removable-media use in standard maintenance workflows
  • Timeline reconstruction shows low-noise staging before visible disruption in care operations
  • Scope analysis connects clinical support stations, records systems, and bedside monitoring pathways

Protector System Analysis:

  • Network segmentation review shows removable-media workflows bridging otherwise separated environments
  • Device assurance checks reveal verification gaps for critical monitoring and infusion equipment
  • Containment planning must preserve patient-safety telemetry while reducing spread risk

Tracker Network Investigation:

  • Telemetry reveals recurring command traffic from systems touched by USB maintenance procedures
  • Lateral movement indicators map across multiple hospitals in the network
  • Propagation pace suggests secondary payload enablement risk if response sequencing fails

Communicator Stakeholder Interviews:

  • Clinical leaders require clear thresholds for manual fallback and patient transfer decisions
  • Communications teams need defensible language on service continuity and data confidence
  • Governance teams require timely evidence summaries to support regulator and authority updates

Mid-Scenario Pressure Points:

  • Hour 1: Critical care teams report unreliable monitoring feeds during peak admissions
  • Hour 2: Biomedical staff warn that maintenance delays could affect urgent device calibration
  • Hour 3: Data-governance teams confirm regulated records were accessed from infected stations
  • Hour 4: External authorities request immediate confidence statements on patient-safety controls

Evolution Triggers:

  • If removable-media controls lag, propagation continues through routine clinical maintenance activity
  • If evidence is overwritten early, regulatory and legal defensibility degrades rapidly
  • If clinical communications are delayed, public trust erodes faster than technical recovery

Resolution Pathways:

Technical Success Indicators:

  • Propagation paths are eliminated while preserving essential clinical operations
  • Device-integrity checks validate safe operation of critical monitoring and infusion systems
  • Recovery sequencing includes durable removable-media controls and telemetry baselines

Business Success Indicators:

  • Patient care continuity remains stable under documented manual fallback procedures
  • External updates remain accurate, timely, and aligned with verified evidence
  • Decision-making balances operational pressure with compliance and safety obligations

Learning Success Indicators:

  • Team recognizes removable-media propagation patterns in healthcare environments
  • Participants demonstrate incident leadership under patient-safety and compliance pressure
  • Group coordinates clinical, technical, and governance stakeholders through uncertainty

Common IM Facilitation Challenges:

If Teams Focus Only on Technical Cleanup:

“Clinical operations report delayed treatment decisions from inconsistent monitoring data. What immediate safeguards protect patients while containment continues?”

If Teams Delay Governance Notifications:

“Regulators and incident authorities request an initial impact statement before your forensic scope is complete. What do you communicate now, and what evidence threshold do you require for stronger claims?”

If Teams Ignore Operational Constraints:

“Biomedical engineers confirm removable media is still required for emergency maintenance on critical devices. How do you reduce spread risk without interrupting lifesaving treatment?”

Success Metrics for Session:

Template Compatibility

This scenario adapts to multiple session formats with appropriate scope and timing:

Quick Demo (35-40 minutes)

Structure: 2 investigation rounds, 1 decision round
Focus: Establish removable-media outbreak mechanics and immediate patient-safety controls
Key Actions: Confirm scope, secure frontline workflows, and set first authority update

Lunch & Learn (75-90 minutes)

Structure: 4 investigation rounds, 2 decision rounds
Focus: Balance clinical continuity, forensic confidence, and regulated notification duties
Key Actions: Prioritize critical devices, preserve evidence, and align leadership communication

Full Game (120-140 minutes)

Structure: 6 investigation rounds, 3 decision rounds
Focus: End-to-end healthcare-network response under operational and governance pressure
Key Actions: Coordinate cross-hospital remediation, validate device integrity, and restore trust posture

Advanced Challenge (150-170 minutes)

Structure: 7-8 investigation rounds, 4 decision rounds
Expert Elements: Ambiguous telemetry, contested risk thresholds, and cascading service pressure
Additional Challenges: Conflicting clinical priorities, vendor dependencies, and regulator scrutiny

Quick Demo Materials (35-40 min)

Guided Investigation Clues

Pre-Defined Response Options

  • Option A: Containment-First Clinical Protection

    • Action: Restrict removable media to controlled stations, isolate affected support segments, and enforce immediate clinical fallback playbooks.
    • Pros: Rapidly reduces propagation risk while preserving high-priority treatment pathways.
    • Cons: Creates bottlenecks for biomedical maintenance and slows non-urgent workflows.
    • Type Effectiveness: Super effective for immediate spread reduction in USB-driven outbreaks.

  • Option B: Continuity-First Operational Balancing

    • Action: Keep most services online with heightened monitoring, targeted isolation, and staged workstation remediation.
    • Pros: Maintains broader care throughput during surge demand.
    • Cons: Extends exposure window and increases evidential uncertainty.
    • Type Effectiveness: Moderately effective with higher governance risk.

  • Option C: Verification-First Governance Approach

    • Action: Prioritize forensic certainty and critical-device verification before broad system restoration decisions.
    • Pros: Strengthens regulatory defensibility and long-term trust posture.
    • Cons: Slower operational recovery under active clinical pressure.
    • Type Effectiveness: Moderately effective when evidence quality is the primary constraint.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Discovery and Clinical Safeguards (30-35 min)

Round 2: Compliance Exposure and Recovery Decisions (30-35 min)

Debrief Focus

  • How removable-media workflows in healthcare create high-consequence pathways for stealthy propagation
  • Which evidence thresholds are required before issuing patient-safety and continuity assurances
  • How to sequence containment, device verification, and regulated notifications under clinical pressure
  • What governance and engineering controls should be hardened for future resilience