Raspberry Robin Scenario: Healthcare Network USB Outbreak
Planning Resources
Scenario Details for IMs
Regional Health System: Multi-Hospital Network During USB-Driven Workflows
Quick Reference
- Organization: Regional healthcare network with 5 hospitals, 12 outpatient clinics, 3 urgent care centers serving 400,000 patients, 3,500 healthcare workers, 2,400+ medical devices requiring USB-based maintenance
- Key Assets at Risk: Patient care continuity across 5 hospitals (life-critical medical equipment: ventilators, patient monitors, infusion pumps), Medical device security (2,400+ devices updated via USB), HIPAA compliance (patient data transferred via USB between isolated systems)
- Business Pressure: Flu season surge with all facilities at 110-130% capacity—biomedical engineering teams performing 40% more equipment maintenance using USB drives traveling between facilities, infected USB used at 3 facilities in past 24 hours
- Core Dilemma: Halt USB use to contain the worm and protect network security, BUT this stops medical equipment maintenance during the surge and affects patient care; OR continue USB workflows to maintain patient care, BUT this allows malware to propagate through life-critical medical devices across the regional network
Detailed Context
Organization Profile
- Type: Regional healthcare network with 5 hospitals, 12 outpatient clinics, 3 urgent care centers
- Size: Multi-facility network serving 400,000 patients, 3,500 healthcare workers (850 physicians, 1,400 nurses, 650 medical technicians, 600 administrative staff)
- Operations: Acute care, emergency services, surgical services, outpatient care, diagnostic imaging, laboratory services, medical device maintenance
- Critical Services: 24/7 emergency departments across 5 hospitals, intensive care units (combined 120 beds), operating rooms (35 suites), patient monitoring across facilities, electronic health record (EHR) system spanning entire network
- Technology: Centralized EHR system with distributed access, medical device networks at each facility, patient monitoring systems, laboratory information systems, USB-based medical device updates and data transfers (required for isolated medical equipment), biomedical engineering workflows using USB for equipment maintenance
Regional Health System operates 5 hospitals spanning urban and rural areas across a 150-mile region. The network design requires USB drives for medical device maintenance because FDA-certified equipment often lacks network connectivity or requires air-gapped updates. Current status: Flu season surge with all facilities at 110-130% capacity, biomedical engineering teams performing increased equipment maintenance.
Key Assets & Impact
What’s At Risk:
- Patient Care Continuity: 400,000 patients depend on network facilities—USB malware spreading through medical device maintenance could compromise patient monitoring systems, infusion pumps, ventilators, and diagnostic equipment affecting treatment across all 5 hospitals
- Medical Device Security: Biomedical engineering teams use USB drives daily to update 2,400+ medical devices (ventilators, patient monitors, infusion pumps, diagnostic equipment)—infected USB drives could compromise life-critical medical equipment during patient care
- HIPAA Compliance & Data Protection: Healthcare workers transfer patient data via USB between isolated systems—USB malware accessing EHR systems creates reportable data breach affecting hundreds of thousands of patient records, triggering federal investigation and millions in potential fines
Immediate Business Pressure
Thursday morning, peak flu season. All 5 hospitals operating at surge capacity. Biomedical engineering teams conducting routine medical device maintenance across facilities—updating ventilator firmware, calibrating patient monitors, transferring diagnostic data. Medical technicians report USB drives automatically creating suspicious folder-like files.
Lisa Rodriguez (Biomedical Engineer) just used a USB drive to update ventilator firmware in the ICU at Memorial Hospital. The same USB drive was used yesterday at Riverside Hospital for patient monitor maintenance, and this morning at Westside Clinic for diagnostic equipment updates. She now realizes the suspicious files appeared after each facility visit. The USB drive has been inserted into medical devices in 3 facilities, potentially infecting life-critical equipment monitoring dozens of patients.
Critical Timeline:
- Current moment (Thursday 9am): USB malware identified, infected USB drives used at 3 facilities in past 24 hours for medical device maintenance
- Stakes: Life-critical medical equipment potentially compromised—ventilators, patient monitors, infusion pumps used for active patient care may be infected
- Dependencies: Biomedical engineering cannot halt USB-based medical device maintenance during surge (equipment requires calibration and updates for patient safety), patient data transfers via USB continue (isolated systems by design), regulatory reporting clock starts at breach discovery
Cultural & Organizational Factors
Why This Vulnerability Exists:
- USB drives are medical workflow necessity, not convenience: FDA-certified medical equipment (ventilators, patient monitors, infusion pumps) often lacks network connectivity or requires air-gapped updates to maintain certification. Biomedical engineering teams MUST use USB drives for equipment maintenance—there’s no alternative. Network-based updates would void manufacturer warranties and FDA certification.
- Air-gapped medical systems require USB data transfers: Patient monitoring systems in ICUs are intentionally isolated from network for safety and regulatory compliance. Healthcare workers use USB drives to transfer patient data between isolated clinical systems and EHR—this is designed workflow, not user convenience. USB is the bridge between air-gapped medical devices and network systems.
- Multi-facility network amplifies USB propagation: Regional Health System operates 5 hospitals, 12 clinics, 3 urgent care centers. Biomedical engineering teams travel between facilities performing maintenance. Single infected USB drive used at Memorial Hospital Tuesday is used at Riverside Hospital Wednesday, Westside Clinic Thursday. One infection point spreads across entire regional network through legitimate biomedical workflows.
- Flu season surge intensifies equipment maintenance: Higher patient volume means more medical equipment in use, more frequent calibration needs, more device failures requiring USB-based diagnostics. Biomedical engineering teams are performing 40% more equipment maintenance during surge. Increased USB activity during surge creates perfect conditions for rapid malware propagation.
Operational Context
How This Healthcare Network Actually Works:
Regional Health System’s distributed model requires USB for medical device management. Centralized biomedical engineering team (45 technicians) travels between facilities maintaining 2,400+ medical devices. Each technician carries USB drives with device firmware, calibration tools, and diagnostic software. Medical devices are intentionally air-gapped—network connectivity would require recertification for every device (millions in cost, years of work). Healthcare workers transfer patient data between isolated systems using USB because network bridging would violate device certification and introduce safety risks. The organization’s security policy prohibits USB on administrative networks, but medical device networks REQUIRE USB by FDA regulatory design. This creates security architecture tension: USB is simultaneously prohibited (administrative policy) and mandatory (medical device reality).
Key Stakeholders
- Dr. Sarah Williams (Chief Medical Officer) - Managing patient surge operations while USB malware spreads through medical device networks
- Michael Chen (IT Director) - Discovering USB-based worm bypassing network security through healthcare workflows
- Lisa Rodriguez (Biomedical Engineer) - Investigating how infected USB drives are compromising medical equipment and patient monitoring
- David Park (HIPAA Compliance Officer) - Assessing patient data exposure and regulatory reporting requirements
Why This Matters
You’re not just responding to a USB worm—you’re protecting medical device integrity across a regional healthcare network where USB drives are mandatory for patient safety, not user convenience. Biomedical engineers cannot stop using USB drives without halting medical equipment maintenance during flu season surge. The same USB used to update life-critical ventilators also transfers patient data between isolated systems. Your containment strategy must work within healthcare regulatory constraints where USB is both the vulnerability vector and the essential medical workflow. Ban USB and patients lose critical care. Allow USB and malware spreads. There’s no clean answer.
IM Facilitation Notes
- USB is healthcare necessity, not negligence: Players will suggest “ban USB drives immediately”—correct this. Medical devices REQUIRE USB for FDA-compliant updates and maintenance. Air-gapped medical equipment REQUIRES USB for data transfer. This is regulatory constraint, not poor security practice.
- Multi-facility propagation is rapid and legitimate: One infected USB drive used across 5 hospitals in 48 hours through normal biomedical workflows. This isn’t negligence—it’s how regional healthcare networks function. Biomedical engineers travel between facilities performing maintenance.
- Life-critical equipment is at risk: Infected USB drives were used to update ventilators monitoring ICU patients, patient monitors in ED, infusion pumps delivering medication. Players must balance containment with patient safety—pulling medical devices offline affects active patient care.
- HIPAA breach reporting triggers immediately: Once malware is confirmed on systems containing patient data, 60-day regulatory reporting clock starts. Players cannot “wait and see”—breach notification to patients and HHS is mandatory. This creates immediate external pressure beyond technical containment.
- No good options exist: Every response has patient safety consequences. Halt USB use → equipment maintenance stops → devices fail during patient care. Continue USB use → malware spreads → more systems compromised. Force players to make difficult choices with imperfect information under regulatory time pressure.
Opening Presentation
“It’s Thursday morning at Regional Health System during peak flu season, with hospitals operating at surge capacity and medical staff using USB drives for routine medical device updates and patient data transfers. Medical technicians report that USB drives are automatically creating files that appear to be normal folders, but accessing them causes medical equipment anomalies. The USB malware is spreading through legitimate healthcare workflows, affecting patient monitoring systems and electronic health records.”
Initial Symptoms to Present:
Key Discovery Paths:
Detective Investigation Leads:
Protector System Analysis:
Tracker Network Investigation:
Communicator Stakeholder Interviews:
Mid-Scenario Pressure Points:
- Hour 1: Patient monitoring system failures during flu surge threatening patient safety in intensive care units
- Hour 2: Medical technicians report USB drives are required for emergency medical equipment calibration
- Hour 3: HIPAA officer discovers infected USB accessed electronic health records containing patient information
- Hour 4: Healthcare regulators question medical device security and patient safety during USB malware outbreak
Evolution Triggers:
- If response is delayed, USB malware may compromise life-critical medical equipment threatening patient outcomes
- If containment fails, HIPAA breach notifications required as USB propagation affects patient data systems
- If medical workflow disruption is severe, patient care operations face regulatory and safety compliance issues
Resolution Pathways:
Technical Success Indicators:
- USB malware removed from all healthcare systems while maintaining medical device functionality
- Medical network security enhanced to detect USB-based propagation without disrupting patient care
- Healthcare workflow protection implemented balancing USB requirements with security controls
Business Success Indicators:
- Patient safety maintained throughout USB malware response during flu season surge operations
- HIPAA compliance demonstrated through appropriate data protection and breach assessment
- Medical device security improved without compromising healthcare operational requirements
Learning Success Indicators:
- Team understands healthcare USB security challenges and medical workflow constraints
- Participants recognize medical device security requirements and patient safety priorities
- Group demonstrates incident response balancing healthcare operations with security remediation
Common IM Facilitation Challenges:
If Patient Safety Is Overlooked:
“Your USB security response is thorough, but Dr. Williams reports that infected medical devices are affecting patient monitoring during flu surge. How do you balance malware removal with immediate patient safety requirements?”
If Healthcare Workflow Complexity Is Ignored:
“While analyzing USB propagation, Lisa explains that medical technicians must use USB drives to update life-critical equipment that can’t be networked for safety reasons. How does this change your containment approach?”
If HIPAA Implications Are Minimized:
“David discovered that infected USB drives have accessed electronic health record systems containing patient data. How do you assess potential HIPAA breach notification requirements while managing patient care continuity?”
Success Metrics for Session:
Template Compatibility
Quick Demo (35-40 min)
- Rounds: 1
- Actions per Player: 1
- Investigation: Guided
- Response: Pre-defined
- Focus: Use the “Hook” and “Initial Symptoms” to quickly establish healthcare USB malware crisis. Present the “Guided Investigation Clues” at 5-minute intervals. Offer the “Pre-Defined Response Options” for the team to choose from. Quick debrief should focus on recognizing USB-based propagation and healthcare security challenges.
Lunch & Learn (75-90 min)
- Rounds: 2
- Actions per Player: 2
- Investigation: Guided
- Response: Pre-defined
- Focus: This template allows for deeper exploration of healthcare USB security challenges. Use the full set of NPCs to create realistic patient surge and medical device security pressures. The two rounds allow discovery of patient data exposure risks and medical equipment impact, raising stakes. Debrief can explore balance between patient safety and security response.
Full Game (120-140 min)
- Rounds: 3
- Actions per Player: 2
- Investigation: Open
- Response: Creative
- Focus: Players have freedom to investigate using the “Key Discovery Paths” as IM guidance. They must develop response strategies balancing patient safety, medical device security, HIPAA compliance, and healthcare workflow requirements. The three rounds allow for full narrative arc including USB worm propagation scope and medical equipment impact assessment.
Advanced Challenge (150-170 min)
- Rounds: 3
- Actions per Player: 2
- Investigation: Open
- Response: Creative
- Complexity: Add red herrings (e.g., legitimate medical device USB procedures causing false positives). Make containment ambiguous, requiring players to justify patient safety decisions with incomplete information about medical equipment infection. Remove access to reference materials to test knowledge recall of USB worm behavior and healthcare security principles.
Quick Demo Materials (35-40 min)
Guided Investigation Clues
Clue 1 (Minute 5): “USB forensics reveal Raspberry Robin worm propagating through LNK files disguised as medical folders used in Regional Health System’s routine healthcare workflows. Medical device analysis shows USB drives used for equipment updates and patient data transfers are spreading infection across hospital networks. Patient monitoring systems displaying anomalies affecting intensive care units during flu season surge operations.”
Clue 2 (Minute 10): “Network analysis shows USB-based propagation bypassing traditional healthcare network security controls designed for internet threats. Medical workflow assessment reveals healthcare staff must use USB drives to maintain life-critical equipment that cannot be networked for patient safety and regulatory reasons. Timeline indicates infection spreading for weeks through legitimate medical device maintenance and patient data transfer procedures.”
Clue 3 (Minute 15): “HIPAA officer discovers infected USB drives accessed electronic health record systems containing patient protected health information. Patient monitoring equipment failures during flu surge threatening patient safety in intensive care units. Healthcare regulators questioning medical device security and patient data protection during USB malware outbreak requiring immediate incident response and potential breach notification assessment.”
Pre-Defined Response Options
Option A: Emergency USB Lockdown & Medical Device Protection
- Action: Implement immediate USB access restrictions on all healthcare systems, establish emergency medical device maintenance protocols using sanitized USB drives, deploy USB security controls preventing worm propagation, coordinate HIPAA breach assessment for patient data exposure.
- Pros: Completely stops USB worm propagation protecting medical equipment and patient data; demonstrates responsible healthcare security practices; maintains HIPAA compliance through appropriate breach response.
- Cons: USB restrictions may disrupt critical medical device maintenance during flu surge; emergency protocols require significant healthcare staff training; patient care operations face temporary workflow adjustments.
- Type Effectiveness: Super effective against Worm malmon type; USB access controls prevent autonomous healthcare network propagation through medical workflows.
Option B: Selective USB Remediation & Medical Equipment Priority
- Action: Remediate confirmed infected systems prioritizing life-critical medical equipment, implement USB monitoring without complete lockdown, maintain essential medical device workflows, conduct targeted patient data breach assessment.
- Pros: Balances USB security with medical device operational requirements; minimizes disruption to patient care during flu surge; enables continued medical equipment maintenance.
- Cons: Selective approach risks continued USB propagation during remediation period; medical workflow exceptions create security gaps; partial response may complicate HIPAA breach assessment.
- Type Effectiveness: Moderately effective against Worm threats; reduces but doesn’t eliminate USB propagation through healthcare workflows; delays complete healthcare security restoration.
Option C: Phased Healthcare Workflow Remediation & Patient Safety Focus
- Action: Phase USB security controls by hospital department, prioritize patient safety systems for immediate remediation, establish secure medical device maintenance procedures, coordinate regulatory notifications while maintaining healthcare operations.
- Pros: Protects patient safety through prioritized medical equipment remediation; enables continued hospital operations during phased response; demonstrates healthcare-appropriate security practices.
- Cons: Phased approach extends USB worm propagation timeline; lower-priority departments remain vulnerable during staged remediation; complex coordination across multiple hospital systems.
- Type Effectiveness: Partially effective against Worm malmon type; prioritizes patient care over complete security remediation; doesn’t guarantee healthcare network protection during extended response.
Lunch & Learn Materials (75-90 min, 2 rounds)
Round 1: Discovery & Patient Safety Assessment (30-35 min)
Investigation Clues:
- Clue 1 (Minute 5): Biomedical Engineer Lisa Rodriguez reports that medical technicians are finding suspicious files on USB drives used for routine medical device updates. “The USB drives are creating files that look like folders named ‘Medical_Devices’ and ‘Patient_Data’ - but when you click them, systems start behaving strangely.”
- Clue 2 (Minute 10): USB forensics reveal Raspberry Robin worm using LNK file disguises to spread through healthcare workflows. The malware propagates automatically when USB drives are inserted for medical device maintenance or patient data transfers - exactly how healthcare workers use USB daily.
- Clue 3 (Minute 15): IT Director Michael Chen discovers the infection has spread to patient monitoring systems in the ICU. “We’re running at flu surge capacity with every bed occupied - and now infected medical equipment is displaying calibration errors and connection issues.”
- Clue 4 (Minute 20): Network analysis shows USB drives are bridging air-gapped medical device networks. Life-critical equipment that’s intentionally isolated from hospital networks for safety reasons is being infected through USB maintenance procedures. “We designed these systems to be isolated - but USB maintenance is the connection vector.”
Response Options:
- Option A: Immediate USB Lockdown - Disable all USB ports on healthcare systems hospital-wide, establish emergency procedures for medical device maintenance using sanitized USB drives, prioritize patient safety equipment for manual remediation.
- Pros: Completely stops worm propagation; protects patient data from further USB exposure; demonstrates decisive security action.
- Cons: Disrupts critical medical device maintenance during flu surge; biomedical engineers must develop workarounds for life-critical equipment; patient care workflows severely impacted.
- Type Effectiveness: Super effective - immediately halts USB worm propagation but creates significant healthcare operational challenges.
- Option B: Monitored USB with Medical Priority - Implement USB monitoring software on healthcare systems, prioritize life-critical medical equipment for immediate cleaning, allow continued USB use with enhanced logging and alerts.
- Pros: Balances security with medical device operational needs; maintains patient care capabilities; enables tracking of USB propagation.
- Cons: Worm continues spreading during monitoring period; medical workflow interruptions for USB cleaning; doesn’t guarantee protection of all systems.
- Type Effectiveness: Moderately effective - reduces but doesn’t eliminate propagation; prioritizes patient safety over complete containment.
- Option C: Air-Gapped Medical Network Protection - Focus remediation on isolated medical device networks, establish strict USB sanitization protocols for patient care equipment, accept continued infection in non-critical systems temporarily.
- Pros: Protects highest-risk patient safety systems; maintains life-critical medical equipment functionality; targeted approach to patient care priorities.
- Cons: Non-patient-care systems remain infected; differential security creates confusion; potential patient data exposure on administrative systems.
- Type Effectiveness: Partially effective - protects critical systems but allows propagation in lower-priority areas.
Round 2: HIPAA Compliance & Healthcare Operations (30-35 min)
Investigation Clues:
- Clue 5 (Minute 30): If Option A (lockdown) was chosen: Dr. Sarah Williams reports that biomedical engineers can’t calibrate ventilators in the ICU due to USB restrictions. “We have flu patients on ventilators that require daily calibration checks - this is a patient safety emergency.”
- Clue 5 (Minute 30): If Option B or C was chosen: Continued USB worm spread is detected on additional medical systems. The monitoring shows infection propagating to electronic health record workstations during routine patient data transfers.
- Clue 6 (Minute 40): HIPAA Compliance Officer David Park discovers infected USB drives have accessed electronic health record systems containing patient protected health information. “We need to determine if patient data was exfiltrated or if this is just USB propagation. HIPAA breach notification rules require assessment within 60 days.”
- Clue 7 (Minute 50): External analysis reveals Raspberry Robin typically establishes command-and-control connectivity and may download additional payloads. Healthcare network monitoring shows some infected systems attempting to contact external IP addresses. “This isn’t just USB propagation - there may be secondary infections we haven’t detected yet.”
- Clue 8 (Minute 55): State healthcare regulators contact the hospital about medical device cybersecurity requirements following recent federal guidance. “We’re aware you’re experiencing a USB malware incident. How are you protecting patient safety and medical device integrity?”
Response Options:
- Option A: Comprehensive Healthcare Remediation - Complete USB worm removal across all systems (medical and administrative), implement enterprise USB security controls, conduct thorough HIPAA breach assessment with external forensics support, coordinate regulatory notifications.
- Pros: Eliminates all USB infections protecting patient data and medical devices; demonstrates full compliance with HIPAA and medical device security requirements; provides complete incident scope assessment.
- Cons: Extended remediation timeline disrupts flu surge operations; significant costs for forensics and security controls; potential HIPAA breach notification creates patient trust concerns.
- Type Effectiveness: Super effective - comprehensive security restoration with full healthcare compliance but maximum operational disruption.
- Option B: Patient Safety Prioritized Response - Focus remediation on life-critical medical equipment and patient care systems, implement monitoring on administrative systems, conduct targeted HIPAA assessment for confirmed patient data exposure only.
- Pros: Maintains patient safety focus during flu surge; minimizes disruption to critical care operations; demonstrates healthcare-appropriate risk prioritization.
- Cons: Administrative systems may remain infected; potential HIPAA breach assessment may be incomplete; regulatory agencies may question partial response approach.
- Type Effectiveness: Moderately effective - protects patient care but may leave gaps in security and compliance.
- Option C: Healthcare Consortium Collaboration - Engage Healthcare ISAC and peer hospitals for shared intelligence on Raspberry Robin healthcare impacts, request vendor support for medical device security guidance, coordinate with federal healthcare cybersecurity programs (HC3).
- Pros: Leverages healthcare sector expertise on USB worm medical device impacts; vendor collaboration improves medical equipment remediation; federal resources support HIPAA compliance and patient safety.
- Cons: External coordination extends response timeline; admission of limited internal capability; information sharing may reveal sensitive healthcare security gaps.
- Type Effectiveness: Moderately effective - improves response quality through collaboration but extends remediation timeline.
Round Transition Narrative
After Round 1 → Round 2:
The team’s initial response determines whether the hospital faces immediate medical device maintenance crises (lockdown approach) or continued USB worm propagation (monitoring/selective approach). Either way, the situation escalates when HIPAA Compliance Officer David Park discovers that infected USB drives have accessed electronic health record systems containing patient protected health information. This transforms the incident from a technical malware problem to a potential healthcare data breach requiring regulatory assessment and possible patient notification. Additionally, external analysis reveals Raspberry Robin’s command-and-control capabilities, suggesting the USB worm may be downloading secondary payloads to healthcare systems. State regulators contact the hospital about medical device cybersecurity compliance just as the team is managing flu surge patient care and USB malware remediation simultaneously. The incident now requires balancing patient safety, HIPAA compliance, medical device security, and healthcare operational continuity under regulatory scrutiny.
Debrief Focus:
- Recognition of USB-based propagation in healthcare environments
- Balance between patient safety and security response
- HIPAA compliance and breach assessment requirements
- Medical device security challenges and workflow constraints
- Healthcare sector collaboration and regulatory coordination
Full Game Materials (120-140 min, 3 rounds)
Round 1: Initial Discovery & Healthcare Impact Assessment (35-40 min)
Opening Scenario:
It’s Thursday morning at Regional Health System, and the hospital network is operating at surge capacity with flu season in full swing. All ICU beds are occupied, emergency departments are backed up, and medical staff are working extended shifts. In the midst of this clinical chaos, Biomedical Engineer Lisa Rodriguez receives an unusual report from medical technicians.
“The USB drives we use for ventilator calibrations are creating weird files,” a technician explains. “There are folders appearing that look like ‘Medical_Device_Updates’ and ‘Patient_Monitoring_Data’ - but when you click them, nothing happens. Some of the equipment is showing calibration errors afterward.”
Lisa calls IT Director Michael Chen, who immediately recognizes this doesn’t sound like normal medical device behavior. As they investigate, they discover similar reports from multiple departments: patient monitoring systems, infusion pumps, and medical imaging equipment, all accessed via USB for routine maintenance, are showing anomalous file creation.
Dr. Sarah Williams, Chief Medical Officer, joins the emergency meeting. “We need to understand this quickly. With flu surge, we cannot afford medical equipment failures. Patient safety is paramount.”
Team Action: Each player takes 2 actions to investigate the incident using their role’s capabilities. The IM should track what the team discovers based on their investigation choices.
Investigation Discoveries (based on role and approach):
Detective-focused investigations:
- USB drive forensics reveal Raspberry Robin worm using LNK files disguised as legitimate medical folders
- Analysis shows malware propagates automatically when USB drives are inserted - no user interaction required beyond normal medical device procedures
- Timeline reconstruction indicates infection has been spreading for 2-3 weeks through routine healthcare workflows
- Memory forensics reveal worm establishes persistence and attempts external network connectivity from infected systems
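The first Detective finding (shortcut files posing as folders in the root of a USB drive) can be checked on a scan workstation before a drive goes back into service. The script below is an added example, not part of the scenario materials: it validates the shell link header defined in Microsoft's MS-SHLLINK specification and applies generic shortcut triage heuristics, not Raspberry Robin signatures. The drive layout is constructed and harmless (headers only, no targets); the folder names come from the clues above, and the other file names are assumptions.

```python
import struct
import tempfile
from pathlib import Path

# Shell link header constants from Microsoft's MS-SHLLINK specification.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ARGUMENTS = 0x20       # LinkFlags bit: shortcut carries command-line arguments
HAS_ICON_LOCATION = 0x40   # LinkFlags bit: shortcut sets its own icon


def read_link_flags(path):
    """Return LinkFlags if the file starts with a valid shell link header, else None."""
    with open(path, "rb") as fh:
        head = fh.read(LNK_HEADER_SIZE)
    if len(head) < LNK_HEADER_SIZE:
        return None
    (size,) = struct.unpack_from("<I", head, 0)
    if size != LNK_HEADER_SIZE or head[4:20] != LNK_CLSID:
        return None
    return struct.unpack_from("<I", head, 20)[0]


def triage_usb_root(root):
    """List shortcut files in the drive root with the reasons each deserves review."""
    entries = sorted(Path(root).iterdir())
    folders = {p.name.lower() for p in entries if p.is_dir()}
    findings = []
    for p in entries:
        if not p.is_file():
            continue
        flags = read_link_flags(p)
        named_lnk = p.suffix.lower() == ".lnk"
        if flags is None and not named_lnk:
            continue  # ordinary file, not a shortcut
        reasons = []
        folder_like = named_lnk and "." not in p.stem
        if flags is None:
            reasons.append("named .lnk but has no shell link header")
        elif not named_lnk:
            reasons.append("shell link header under another extension")
        if folder_like:
            reasons.append("displays like a folder (Explorer hides .lnk)")
        if named_lnk and p.stem.lower() in folders:
            reasons.append("shadows a real folder on the drive")
        has_args = bool(flags and flags & HAS_ARGUMENTS)
        if has_args:
            reasons.append("carries command-line arguments")
        if flags and flags & HAS_ICON_LOCATION:
            reasons.append("sets a custom icon")
        priority = "high" if folder_like and has_args else "review"
        findings.append({"name": p.name, "priority": priority, "reasons": reasons})
    return findings


def build_constructed_volume(root):
    """Create a harmless, constructed drive layout for the demo."""
    root = Path(root)

    def header(flags):
        # 28 packed bytes plus zero padding gives the 76-byte header.
        return struct.pack("<I16sII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20) + b"\x00" * 48

    (root / "Medical_Devices").mkdir()
    (root / "Medical_Devices" / "vent_fw.bin").write_bytes(b"\x00" * 16)
    suspicious = 0x01 | HAS_ARGUMENTS | HAS_ICON_LOCATION
    (root / "Medical_Devices.lnk").write_bytes(header(suspicious))
    (root / "Patient_Data.lnk").write_bytes(header(suspicious))
    (root / "Calibration Tool.lnk").write_bytes(header(0x01))  # ordinary shortcut
    (root / "readme.txt").write_text("calibration notes\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_constructed_volume(tmp)
        for f in triage_usb_root(tmp):
            print(f["priority"], f["name"], "; ".join(f["reasons"]))
```

The ordinary shortcut lands in "review" rather than "high", which is the kind of legitimate-tooling false positive the Advanced Challenge asks players to reason about.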
Protector-focused investigations:
- Medical network architecture review shows air-gapped medical device networks designed for patient safety and regulatory compliance
- USB drives are the intentional bridge between isolated patient care systems for maintenance and updates
- Security assessment reveals traditional network-based protections (firewalls, IDS) don’t apply to USB propagation vectors
- Medical device security analysis shows many patient care systems run embedded Windows with limited security controls
Tracker-focused investigations:
- USB propagation mapping shows worm spreading through biomedical engineering maintenance workflows across 3 hospital facilities
- Medical workflow analysis reveals healthcare workers insert USB drives 200+ times daily for routine patient care equipment procedures
- Network monitoring detects some infected systems attempting external connections despite air-gap architecture
- Evidence of USB drives moving between administrative systems (EHR workstations) and patient care equipment creating cross-contamination
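The propagation mapping and cross-contamination findings above reduce to a time-ordered reachability question over USB insertion records: a host is exposed once an exposed drive is inserted into it, and a drive is exposed once it is inserted into an exposed host. The script below is an added example, not part of the scenario materials; the log, timestamps, host names and drive serials are constructed, and the facility names are the three from the scenario. It reports exposure for prioritising checks, not confirmed infection.

```python
import csv
import io
from datetime import datetime

# Constructed insertion records (for example, exported from endpoint logging
# or a biomedical engineering maintenance log). All values are illustrative.
CONSTRUCTED_LOG = """\
timestamp,facility,host,drive_serial
2024-01-17T09:00,Riverside Hospital,RIV-MON-07,USB-A
2024-01-17T11:30,Riverside Hospital,RIV-EHR-02,USB-B
2024-01-17T14:00,Riverside Hospital,RIV-MON-07,USB-B
2024-01-17T16:00,Riverside Hospital,RIV-EHR-02,USB-B
2024-01-18T07:30,Westside Clinic,WST-DX-01,USB-A
2024-01-18T08:45,Memorial Hospital,MEM-VENT-12,USB-A
2024-01-18T08:50,Memorial Hospital,MEM-PUMP-03,USB-C
"""


def load_events(text):
    """Parse the CSV and return insertion events in chronological order."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for row in rows:
        row["time"] = datetime.fromisoformat(row["timestamp"])
    return sorted(rows, key=lambda r: r["time"])


def trace_exposure(events, seed_drive):
    """Propagate exposure forward in time from one known-bad drive.

    The seed drive is treated as exposed for the whole log window, which is
    the conservative choice when its own infection time is unknown.
    """
    exposed_drives = {seed_drive: "seed"}
    exposed_hosts = {}
    for e in events:
        host, drive = e["host"], e["drive_serial"]
        if drive in exposed_drives and host not in exposed_hosts:
            exposed_hosts[host] = {
                "facility": e["facility"], "via": drive, "at": e["timestamp"],
            }
        elif host in exposed_hosts and drive not in exposed_drives:
            # A clean drive picked up exposure from an already exposed host.
            exposed_drives[drive] = f"{host} at {e['timestamp']}"
    return exposed_hosts, exposed_drives


def hosts_by_facility(exposed_hosts):
    """Group exposed hosts per facility for the containment worklist."""
    grouped = {}
    for host, info in exposed_hosts.items():
        grouped.setdefault(info["facility"], []).append(host)
    return {name: sorted(hosts) for name, hosts in sorted(grouped.items())}


if __name__ == "__main__":
    hosts, drives = trace_exposure(load_events(CONSTRUCTED_LOG), "USB-A")
    for facility, names in hosts_by_facility(hosts).items():
        print(facility, names)
    print("drives to quarantine:", sorted(drives))
```

Ordering matters: in the constructed log the EHR workstation's first contact with USB-B predates that drive's exposure, so its exposure time is the later insertion, and the infusion pump touched only by USB-C stays off the worklist.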
Communicator-focused investigations:
- Medical staff interviews reveal USB drives are shared across departments for efficiency - “We have 5 USB drives for 50 medical devices”
- Biomedical engineering reports USB maintenance procedures are vendor-required for warranty and regulatory compliance
- Patient care staff express frustration with any potential equipment restrictions during flu surge operations
- HIPAA officer notes that USB drives used for medical devices also transfer patient data for backup and analysis
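The USB propagation mapping in the tracker-focused findings can be worked as contact tracing over drive insertion records. The script below is an added example, not part of the original scenario: the log columns, host names and drive serials are constructed, and the spread model (any insertion involving an exposed drive or host passes the exposure on) is an assumption that gives an upper bound for scoping.

```python
"""USB contact tracing over insertion records (all sample data is constructed)."""
import csv
import io
from collections import namedtuple
from datetime import datetime

Event = namedtuple("Event", "time host role facility drive")
# via = the drive or host that passed the exposure on; None marks a seed drive.
Exposure = namedtuple("Exposure", "time via")

# Constructed sample log. Column names, hosts and drive serials are hypothetical.
# Rows are deliberately out of order, as merged logs from several sites often are.
SAMPLE_LOG = """\
time,host,role,facility,drive
2024-01-08T07:10,BIOMED-WS-01,admin,Hospital-A,USB-0001
2024-01-08T09:30,VENT-ICU-04,medical_device,Hospital-A,USB-0001
2024-01-08T11:00,VENT-ICU-04,medical_device,Hospital-A,USB-0002
2024-01-09T08:15,PUMP-ED-11,medical_device,Hospital-B,USB-0002
2024-01-09T13:40,EHR-WS-22,ehr,Hospital-B,USB-0003
2024-01-10T15:20,EHR-WS-22,ehr,Hospital-B,USB-0003
2024-01-10T10:05,PUMP-ED-11,medical_device,Hospital-B,USB-0003
2024-01-11T09:00,MON-OR-02,medical_device,Hospital-C,USB-0004
"""


def parse_events(text):
    """Read insertion records and return them in chronological order."""
    rows = csv.DictReader(io.StringIO(text))
    events = [Event(datetime.fromisoformat(r["time"]), r["host"], r["role"],
                    r["facility"], r["drive"]) for r in rows]
    return sorted(events, key=lambda e: e.time)


def trace(events, seed_drives):
    """Walk insertions in time order and record each node's earliest exposure.

    Assumed model: an exposed drive exposes any host it is inserted into, and
    an exposed host exposes any drive inserted into it. Order matters: an
    insertion that happened before the drive was exposed does not count.
    """
    exposed = {("drive", d): Exposure(None, None) for d in seed_drives}
    for ev in events:
        host, drive = ("host", ev.host), ("drive", ev.drive)
        if drive in exposed and host not in exposed:
            exposed[host] = Exposure(ev.time, drive)
        elif host in exposed and drive not in exposed:
            exposed[drive] = Exposure(ev.time, host)
    return exposed


def chain(exposed, node):
    """Return the path from a seed drive to `node` for the incident timeline."""
    path = []
    while node is not None:
        path.append(node[1])
        node = exposed[node].via
    return path[::-1]


def scope(events, exposed):
    """Group exposed hosts by role so clinical and compliance owners each get a list."""
    info = {e.host: (e.role, e.facility) for e in events}
    by_role = {}
    for (kind, name), exp in exposed.items():
        if kind == "host":
            role, facility = info[name]
            by_role.setdefault(role, []).append((name, facility, exp.time))
    return by_role


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    exposed = trace(events, ["USB-0001"])
    for role, hosts in sorted(scope(events, exposed).items()):
        for name, facility, when in hosts:
            print(f"{role:15} {name:13} {facility:11} first exposed {when:%Y-%m-%d %H:%M}")
            print("    path:", " -> ".join(chain(exposed, ("host", name))))
```

In the sample, the first EHR-WS-22 insertion predates the drive's exposure, so the workstation's exposure window starts at the later insertion; MON-OR-02 and USB-0004 never touch the chain and stay out of scope.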
Key NPCs and Interactions:
Dr. Sarah Williams (Chief Medical Officer):
- Responsible for patient safety across 400,000-patient health system during flu surge crisis
- Balancing security response with immediate patient care needs and medical equipment functionality
- Under pressure from hospital administration to maintain operations while addressing cybersecurity incident
- Perspective: “I need you to understand - every piece of medical equipment in this hospital is supporting patient lives. We can’t just turn things off because of malware. Tell me what you need to protect patients.”
Michael Chen (IT Director):
- Healthcare IT background but limited medical device security expertise
- Discovering that traditional IT security approaches don’t translate to medical device environments
- Frustrated by air-gapped medical networks that were designed for safety but create USB dependency
- Reality check: “I can lock down every USB port in the administrative network in 20 minutes. But the medical device networks? Those are managed by biomedical engineering, use proprietary systems, and have patient safety certifications that we can’t touch without vendor approval.”
Lisa Rodriguez (Biomedical Engineer):
- Manages medical equipment maintenance and regulatory compliance across hospital network
- Caught between IT security requirements and medical device operational necessities
- Expert on medical equipment but less familiar with cybersecurity incident response
- Conflict point: “You want to disable USB? How am I supposed to calibrate ventilators supporting flu patients in the ICU? Those devices require daily USB maintenance per manufacturer specifications and FDA guidelines.”
David Park (HIPAA Compliance Officer):
- Responsible for patient data protection and healthcare regulatory compliance
- Concerned about USB drives that transfer patient data being infected with malware
- Must assess HIPAA breach notification requirements if patient data was exposed
- Pressure point: “If infected USB drives accessed electronic health records, we have 60 days to complete breach assessment and potentially notify hundreds of thousands of patients. This is a compliance nightmare during flu season.”
Round 1 Pressure Events:
These occur during the 35-40 minute investigation period, building tension:
- 15 minutes in: ICU reports ventilator calibration error on patient with severe flu complications. Lisa needs USB access to re-calibrate life-critical medical equipment. “This can’t wait - the patient’s oxygenation is deteriorating.”
- 25 minutes in: EHR administrator discovers USB drives used for patient data backups show infection. David Park must assess if protected health information was accessed or exfiltrated. “This triggers HIPAA breach assessment protocols.”
- 30 minutes in: State health department calls inquiring about “cybersecurity incident affecting patient care systems.” News has leaked to regulators. “We need to understand your incident response and patient safety measures.”
Round 1 Conclusion:
After investigations, the team should understand they’re facing USB worm propagation through essential healthcare workflows, affecting both air-gapped medical devices and patient data systems, during peak flu surge when equipment availability is critical for patient safety. Dr. Williams asks: “Based on what you’ve discovered, what’s your response strategy that protects both cybersecurity and patient lives?”
Round 2: Response Strategy & Regulatory Pressure (35-40 min)
Situation Development:
The team’s initial response strategy meets the complex reality of healthcare operations. If they chose to lock down USB access, medical technicians are unable to perform required equipment maintenance. If they implemented selective remediation, the worm continues spreading through shared USB drives. If they focused on monitoring, patient data exposure expands.
More critically, external analysis reveals Raspberry Robin’s typical behavior includes downloading secondary payloads and establishing persistent access - this isn’t just a USB propagation issue.
Opening:
External threat intelligence arrives from Healthcare ISAC: Raspberry Robin infections in healthcare environments have led to follow-on ransomware attacks in multiple hospitals nationwide over the past 6 months. The USB worm serves as initial access for more sophisticated attackers. “You’re not just dealing with USB propagation - you may be facing the beginning of a targeted healthcare attack campaign.”
Simultaneously, David Park completes initial HIPAA breach assessment: infected USB drives accessed EHR systems containing protected health information for approximately 15,000 patients. “Under HIPAA, if we determine patient data was accessed by unauthorized parties, we have breach notification obligations. We need forensic certainty about what happened to patient data.”
Dr. Williams reports growing patient safety concerns: “We have 8 ventilators requiring urgent calibration, 12 infusion pumps needing parameter updates, and 3 patient monitoring systems showing connectivity errors - all due to USB restrictions. We’re managing flu surge with degraded medical equipment capability.”
Team Action: Each player takes 2 actions to develop and implement a comprehensive response strategy, considering:
- Medical device security and patient safety protection
- HIPAA compliance and patient data breach assessment
- Healthcare operational continuity during flu surge
- Secondary threat prevention (ransomware follow-on attacks)
Response Options and Consequences:
Comprehensive Medical Device Remediation:
- Implementation: Complete USB malware removal from all medical and administrative systems, implement enterprise USB security controls with medical device exceptions, conduct forensic HIPAA breach assessment with external support, coordinate vendor support for medical equipment re-certification after remediation
- Immediate Effects: Requires temporary medical equipment downtime coordinated with patient care schedules, significant biomedical engineering and IT coordination overhead, external forensics costs $50-100K, potential temporary patient transfer to other facilities
- Outcome: Complete USB worm elimination protects against follow-on attacks, comprehensive HIPAA breach determination supports regulatory compliance, medical device security posture significantly improved, demonstrates healthcare cybersecurity leadership
- Learning: Shows importance of balancing comprehensive security with healthcare operational realities, value of external forensics in healthcare breach assessment
Patient Safety Prioritized Approach:
- Implementation: Immediate remediation of life-critical medical equipment (ICU, OR, Emergency Department), implement USB monitoring on remaining systems, establish sanitized USB workflow for ongoing patient care, conduct targeted HIPAA assessment for confirmed EHR access
- Immediate Effects: Maintains critical patient care capabilities during flu surge, reduces operational disruption through prioritization, balances security with healthcare mission
- Outcome: Life-critical systems protected but administrative systems may remain infected risking follow-on attacks, HIPAA assessment may be incomplete requiring extended investigation, demonstrates patient-centric incident response approach
- Learning: Illustrates healthcare risk prioritization and tradeoffs between comprehensive security and patient care continuity
Healthcare Sector Collaboration:
- Implementation: Engage Healthcare ISAC for Raspberry Robin healthcare intelligence sharing, coordinate with medical device vendors for security guidance and remediation support, request federal healthcare cybersecurity (HC3) assistance, collaborate with peer hospitals on lessons learned
- Immediate Effects: Leverages healthcare sector expertise on medical device malware impacts, vendor collaboration may provide faster remediation paths, federal resources support HIPAA compliance, builds healthcare cybersecurity community
- Outcome: Improved response quality through sector knowledge sharing, potential vendor-supported remediation solutions, federal visibility into healthcare cybersecurity challenges, demonstrates collaborative healthcare security approach
- Learning: Shows value of healthcare sector information sharing and public-private partnership in medical cybersecurity
Phased Healthcare System Remediation:
- Implementation: Phase response by hospital facility and department criticality, start with highest patient impact systems, roll out USB security controls progressively, conduct staged HIPAA assessment as systems are cleaned, maintain communication with regulators on remediation timeline
- Immediate Effects: Minimizes patient care disruption through staged approach, allows learning from initial remediation to improve subsequent phases, demonstrates thoughtful healthcare-appropriate response planning
- Outcome: Extended remediation timeline (2-3 weeks) keeps some systems vulnerable to follow-on attacks longer, progressive approach may complicate HIPAA breach determination, shows responsible healthcare operational risk management
- Learning: Demonstrates phased incident response approach balancing security, operations, and compliance in healthcare environment
Isolation with Medical Contingency:
- Implementation: Isolate infected medical device networks from broader hospital systems, establish temporary medical equipment contingency procedures (manual processes, equipment borrowing from partner hospitals), conduct rapid HIPAA breach forensics while systems isolated, implement complete remediation during planned isolation period
- Immediate Effects: Prevents follow-on attack propagation through network isolation, creates significant operational burden for patient care staff, requires creative medical equipment workarounds, demonstrates maximum security prioritization
- Outcome: Complete protection from additional compromise at cost of major healthcare workflow disruption, compressed remediation timeline under isolation constraints, potential patient care impact requiring close monitoring
- Learning: Shows extreme containment approach in healthcare and resulting operational consequences requiring careful patient safety management
Round 2 Pressure Events:
Building tension during response implementation:
- 15 minutes in: Medical device vendor reports their security guidance for Raspberry Robin remediation requires full equipment recertification after USB malware removal - 3-day process per device. “We can’t just clean the malware and call it safe. Medical device regulations require validation after security incidents.”
- 25 minutes in: Healthcare ISAC shares intelligence that 2 hospitals experiencing Raspberry Robin infections were hit with Conti ransomware 4-6 weeks later. “The USB worm is initial access for follow-on attacks. You’re in the threat actors’ target pipeline.”
- 30 minutes in: HIPAA forensics preliminary findings suggest patient data may have been accessed but no evidence of exfiltration yet - assessment ongoing. “We can’t definitively rule out patient data breach. This may require notification to 15,000 patients and regulators.”
- 35 minutes in: Patient safety incident: An infected infusion pump delivers incorrect medication dose due to malware-related parameter corruption. No patient harm, but Dr. Williams escalates urgency. “This just became a patient safety incident, not just a cybersecurity incident.”
Round 2 Conclusion:
Regardless of the chosen approach, the team is managing intersecting healthcare challenges: patient safety during flu surge, HIPAA compliance with potential breach notification, medical device security with regulatory requirements, threat of follow-on ransomware attacks, and state health department oversight. The incident has evolved from USB malware to a comprehensive healthcare cybersecurity crisis requiring integration of security, clinical operations, compliance, and regulatory coordination. Dr. Williams states: “We need your final recommendations - I have hospital administration, state regulators, and most importantly 3,500 healthcare workers relying on medical equipment to save patient lives.”
Round 3: Resolution & Healthcare Security Lessons (35-40 min)
Final Situation:
Two weeks after initial discovery, the USB worm remediation effort is reaching its conclusion. Depending on the team’s Round 2 response strategy:
If comprehensive remediation achieved: All medical and administrative systems have been cleaned of Raspberry Robin infection. Enterprise USB security controls are in place with medical device exceptions. HIPAA forensics determined patient data was accessed but no evidence of exfiltration - breach notification avoided but close call documented. Medical equipment vendor certifications completed. No follow-on ransomware attack occurred. Healthcare operations returned to normal post-flu surge.
However, the 2-week remediation period required heroic efforts from biomedical engineering, IT, and clinical staff. Medical equipment downtime was carefully managed but resulted in some patient transfers and procedure delays. The $150K external forensics and vendor recertification costs impacted hospital budget. State regulators issued formal cybersecurity improvement requirements.
If patient safety prioritized approach: Life-critical medical equipment was successfully protected throughout flu surge. Patient care was maintained with minimal disruption. However, administrative systems experienced a follow-on attack 3 weeks later - BianLian ransomware deployed via remaining Raspberry Robin infections. No patient data encryption occurred (systems isolated in time) but incident response costs escalated. HIPAA breach determination remained incomplete, requiring extended investigation.
The experience demonstrates risks of partial remediation and importance of comprehensive security in healthcare even when balancing patient care priorities.
If healthcare sector collaboration: Collaborative approach yielded valuable intelligence on Raspberry Robin healthcare impacts. Medical device vendors provided expedited security guidance reducing remediation timeline by 40%. Federal HC3 support assisted with HIPAA breach assessment at no cost. Peer hospital knowledge sharing improved response quality.
However, external coordination extended initial response timeline, and some healthcare leaders questioned whether internal capabilities were sufficient. The incident contributed to valuable healthcare sector threat intelligence but revealed institutional security gaps.
If phased/isolation approach: Staged remediation successfully balanced patient care with security restoration but extended timeline kept some systems vulnerable. Isolation approach prevented follow-on attacks but created significant operational burden. HIPAA breach assessment benefited from thorough forensics during isolation period - definitive no-breach determination achieved.
The experience shows viable approaches to healthcare incident response but highlights tradeoffs between speed, comprehensiveness, and operational impact.
Team Action - Part 1: Incident Closure (15-20 min):
Each player takes 1-2 actions to:
- Complete any remaining technical remediation or validation
- Finalize HIPAA breach assessment and regulatory reporting
- Document lessons learned for healthcare security improvement
- Present recommendations to hospital leadership for medical device security enhancement
Team Action - Part 2: Healthcare Security Learning (15-20 min):
The IM facilitates group discussion on healthcare cybersecurity lessons:
Facilitation Questions:
- “What makes healthcare cybersecurity different from other industries?”
  - Guide toward: Patient safety primacy, medical device constraints, regulatory complexity (HIPAA, FDA), operational continuity requirements, life-critical systems
- “How do USB-based threats challenge traditional network security?”
  - Guide toward: Air-gapped systems, physical media propagation, legitimate medical workflows as attack vectors, difficulty of USB monitoring and control
- “What are the unique challenges of medical device security?”
  - Guide toward: Embedded systems with limited security, vendor control and certification requirements, long device lifecycles, patient safety testing and validation
- “How should healthcare organizations balance security and patient care?”
  - Guide toward: Risk-based prioritization, patient safety as primary concern, graduated response approaches, clinical staff involvement in security decisions
- “What role does healthcare sector collaboration play in cybersecurity?”
  - Guide toward: Healthcare ISAC intelligence sharing, vendor partnerships, federal resources (HC3, HHS), peer hospital coordination, regulatory guidance
- “How have USB threats evolved, and what does the future look like?”
  - Guide toward: BadUSB attacks, USB firmware manipulation, IoT and medical device proliferation, supply chain USB compromise, zero-trust approaches to removable media
Victory Conditions Assessment:
Technical Success:
Business Success:
Learning Success:
Final Debrief Topics:
Healthcare Security Challenges:
- Patient safety must be primary consideration in all cybersecurity decisions
- Medical devices have unique security constraints due to embedded systems, certifications, and patient safety validation requirements
- HIPAA compliance adds regulatory complexity to breach assessment and incident response
- Healthcare operational continuity requirements during emergencies (flu surge) complicate security response timing
USB Threat Landscape:
- Raspberry Robin demonstrates evolution of USB malware from simple propagation to sophisticated initial access vector
- USB threats challenge traditional network security by bridging air-gapped systems
- Medical device maintenance workflows create legitimate USB usage that’s difficult to restrict
- BadUSB and firmware-level attacks represent next evolution beyond file-based USB malware
Healthcare Incident Response:
- Requires integration of clinical, technical, compliance, and regulatory considerations
- Biomedical engineering and IT must collaborate closely on medical device security
- External support (forensics, vendors, sector ISACs, federal resources) provides valuable capabilities
- Phased and prioritized approaches may be appropriate given patient care constraints
Sector Collaboration:
- Healthcare ISAC provides critical threat intelligence specific to medical environments
- Medical device vendor partnerships essential for security guidance and remediation support
- Federal healthcare cybersecurity resources (HC3, HHS) offer no-cost expertise
- Peer hospital coordination enables shared learning and reduces individual institutional burden
Future Considerations:
- Zero-trust approaches to removable media in healthcare
- Medical device supply chain security and procurement considerations
- Healthcare 5G and IoT security challenges as medical technology evolves
- Artificial intelligence and machine learning in healthcare cybersecurity detection
Round 3 Conclusion:
Dr. Williams addresses the team: “You’ve navigated one of the most complex challenges in healthcare cybersecurity - protecting our patients and their data while maintaining the medical equipment they depend on for survival. Every decision you made had to consider not just technical security, but human lives. This is what healthcare incident response demands, and you’ve demonstrated the thoughtful, patient-centered approach we need. Thank you for keeping our patients safe.”
Advanced Challenge Materials (150-170 min, 3 rounds)
Additional Complexity Layers
For experienced teams seeking maximum challenge, add these complexity elements:
1. Medical Device Regulatory Complexity
FDA and Certification Constraints:
- Medical devices have FDA clearance based on specific software configurations - security patches may invalidate certification
- Vendor-required maintenance procedures cannot be modified without regulatory review process (6-12 months)
- Some medical equipment runs Windows XP or embedded systems that cannot be upgraded or patched
- Biomedical engineering must document and validate all changes to patient care equipment per hospital quality management system
Implementation: Introduce realistic medical device constraints where security best practices conflict with regulatory requirements. Make players navigate FDA medical device regulations, vendor certification limitations, and hospital quality/safety validation processes. Security response must work within healthcare regulatory framework, not against it.
2. Patient Safety Critical Incidents
Real-Time Patient Impact:
- During Round 1: Infected ventilator delivers incorrect tidal volume to ICU patient requiring emergency manual ventilation
- During Round 2: Infusion pump malware corruption causes medication dosing error - patient experiences adverse reaction requiring intervention
- During Round 3: Patient monitoring system failures delay recognition of patient deterioration - near-miss safety event
Clinical Pressure:
- Dr. Williams must file patient safety incident reports to hospital quality committee and state health department
- Risk management attorney involvement due to potential patient harm from cybersecurity incident
- Clinical staff morale impacted by equipment failures threatening patient safety
Implementation: Introduce 1-2 actual patient safety incidents during the scenario (not hypothetical future risks). Make players balance security remediation with immediate patient harm prevention and regulatory patient safety reporting. Create tension between comprehensive security response and clinical urgency.
3. HIPAA Breach Complexity & Regulatory Investigation
Forensic Uncertainty:
- Initial forensics cannot definitively determine if patient data was exfiltrated or just accessed
- USB drives were used by multiple staff across departments - attribution of specific patient data exposure is unclear
- Raspberry Robin command-and-control traffic was observed but content unknown - may or may not include patient data
- External forensics firm provides range estimate: “Anywhere from 5,000 to 50,000 patient records potentially accessed”
Regulatory Pressure:
- OCR (HHS Office for Civil Rights) opens investigation into potential HIPAA breach
- State Attorney General healthcare privacy unit requests incident briefing
- Local media reports “major data breach at Regional Health System” based on regulatory filings
- Patient advocacy groups demand transparency about cybersecurity and data protection
Implementation: Make HIPAA breach determination genuinely ambiguous requiring difficult judgment calls. Introduce regulatory investigations that demand time and attention during active remediation. Create public pressure and patient trust concerns. Force players to make notification decisions with incomplete information under regulatory deadlines.
4. Medical Staff Resistance & Healthcare Culture
Clinical Staff Pushback:
- Physicians refuse USB restrictions: “I’m not letting IT tell me I can’t use medical devices to save patients. This is clinical decision-making, not technology policy.”
- Nurses report security measures are making patient care unsafe: “I have 8 patients, half on ventilators, and you want me to wait for ‘sanitized USB drives’? People will die.”
- Biomedical engineering: “We’ve maintained these devices for 15 years using these procedures. Now IT security experts with no medical background are telling us we’re doing it wrong?”
Healthcare Culture Conflicts:
- Hospital administration prioritizes patient satisfaction scores and clinical outcomes over cybersecurity metrics
- Medical staff culture values clinical autonomy and may resist “corporate IT” security mandates
- Quality and safety departments focus on clinical errors and may view cybersecurity as IT problem not patient safety issue
- Legal counsel concerned about liability from security restrictions that could impact patient care
Implementation: Introduce 2-3 explicit conflicts between security response and healthcare culture/clinical autonomy. Make players navigate physician resistance, nursing workflow challenges, and biomedical engineering professional disagreement. Require stakeholder management and communication skills beyond technical security knowledge. Success demands understanding and respecting healthcare mission while advancing security.
5. Resource Constraints & Healthcare Economics
Budget Limitations:
- Hospital operates on thin margins - flu surge already strained budget with overtime and temporary staff
- External forensics, vendor recertification, and USB security controls will cost $200-300K unbudgeted
- CFO questions cybersecurity spending: “We’re a hospital, not a tech company. Why should we spend money on USB security instead of patient care?”
- IT and biomedical engineering are already understaffed - incident response requires overtime or contracted help
Operational Conflicts:
- Flu surge means all staff are working extended hours - incident response cannot add indefinite overtime
- Some remediation approaches require medical equipment downtime when hospital is at capacity
- Patient transfers to other facilities due to equipment unavailability cost $15-20K per patient
- Regulatory fines for HIPAA breach could reach $1.5M+ if breach notification required
Implementation: Enforce realistic healthcare budget constraints. Make players explicitly justify security spending against patient care investments. Create tension between comprehensive security response and healthcare economic realities. Require creative resource allocation and prioritization. No option is “unlimited budget” - all responses have financial consequences players must acknowledge.
6. Multi-Facility Healthcare System Complexity
Distributed Operations:
- Regional Health System operates 3 hospital facilities plus 15 outpatient clinics across county
- Each facility has semi-autonomous IT and biomedical engineering - coordination is challenging
- Medical devices and USB drives are shared between facilities during equipment shortages
- Remediation at one facility may impact others through shared resources and staff
Implementation: Expand scenario beyond single hospital to multi-facility healthcare system. Introduce coordination challenges, resource sharing creating cross-contamination, and distributed decision-making. Make players manage enterprise healthcare incident response with limited central authority.
Advanced Challenge Round Structure
Round 1: Discovery Under Medical Constraints (45-50 min)
Players must investigate Raspberry Robin with:
- Medical device regulatory limitations constraining investigation methods
- Patient safety incident during investigation requiring immediate clinical response
- HIPAA forensic uncertainty about patient data exposure scope
- Resistance from clinical staff to security investigation interrupting patient care
Success requires: Balancing technical investigation with patient safety priorities, navigating healthcare regulatory constraints, managing clinical stakeholder resistance, making progress despite medical device access limitations.
Round 2: Response Under Healthcare Complexity (45-50 min)
Players must develop response strategy while managing:
- FDA/vendor certification requirements limiting remediation options
- Active patient safety incidents due to malware-corrupted medical equipment
- Regulatory investigations (OCR, state health department) consuming resources
- Medical staff resistance to USB security controls impacting clinical workflows
- Budget constraints requiring justification of security spending against patient care investments
Success requires: Healthcare-appropriate response balancing security, patient safety, regulatory compliance, clinical operations, and budget realities. Stakeholder management across clinical, technical, compliance, and regulatory domains. Creative problem-solving within healthcare constraints.
Round 3: Resolution Under Healthcare Scrutiny (45-50 min)
Players must complete incident response while handling:
- HIPAA breach determination with forensic uncertainty requiring judgment call
- Patient safety incident follow-up and quality/safety reporting requirements
- Public and regulatory scrutiny of healthcare cybersecurity program
- Long-term medical device security improvement within FDA/vendor constraints
- Healthcare staff education and culture change regarding cybersecurity
Success requires: Closure of complex healthcare incident addressing technical, clinical, regulatory, and organizational dimensions. Strategic thinking about healthcare cybersecurity program development. Learning extraction about healthcare-specific security challenges.
Advanced Challenge Debriefing
Focus Areas:
1. Healthcare-Specific Security Decision-Making:
- How did the team balance patient safety and cybersecurity throughout the incident?
- What frameworks or principles guided decisions when security and clinical care conflicted?
- Were they able to maintain patient-centered focus while advancing security objectives?
- How did they navigate situations where “security best practices” were inappropriate for healthcare?
2. Medical Device and Regulatory Complexity:
- How effectively did the team work within FDA/vendor certification constraints?
- What creative approaches did they develop for medical device security given regulatory limitations?
- Were they able to engage biomedical engineering as partners rather than obstacles?
- How did they balance regulatory compliance requirements with security response urgency?
3. Healthcare Stakeholder Management:
- How well did the team communicate with and manage clinical staff resistance?
- What strategies worked for building trust with physicians, nurses, and biomedical engineers?
- Were they able to translate security concerns into patient safety language that resonated with healthcare staff?
- How did they navigate hospital administration, legal counsel, and executive leadership expectations?
4. HIPAA and Privacy Complexity:
- How did the team approach HIPAA breach determination with forensic uncertainty?
- What decision-making framework did they use for breach notification judgment calls?
- How effectively did they manage regulatory investigations while conducting active remediation?
- What lessons did they learn about healthcare privacy and security integration?
5. Healthcare Incident Response Maturity:
- What specific capabilities or approaches are unique to healthcare cybersecurity?
- How should healthcare organizations structure security programs given clinical mission primacy?
- What role should clinical staff play in healthcare cybersecurity governance and incident response?
- How can healthcare organizations build security resilience within resource and regulatory constraints?
Victory Conditions (Advanced Challenge):