WannaCry Scenario: Memorial Health System Emergency
Scenario Details for IMs
Opening Presentation
“It’s Tuesday evening at Memorial Health System, and the hospital is operating under surge conditions. The emergency department is packed with flu patients, the ICU is at capacity, and surgical teams are working overtime. Suddenly, computer screens across the hospital begin displaying ransom demands, and critical patient care systems start failing. Medical staff are reporting they cannot access patient records, lab results, or medication orders. In a hospital, every second counts, and systems are failing faster than they can be contained.”
Initial Symptoms to Present:
- “Patient record systems displaying ransom messages instead of medical data”
- “Laboratory computers cannot send test results to clinical staff”
- “Nursing stations losing access to medication administration records”
- “New systems failing every few minutes across different hospital departments”
Key Discovery Paths:
Detective Investigation Leads:
- Network forensics reveal rapid lateral movement using SMB vulnerability exploitation
- File system analysis shows systematic encryption of patient data and medical records
- Log analysis reveals attack origination from single unpatched workstation in administrative area
Protector System Analysis:
- Real-time monitoring shows the worm spreading through the hospital network faster than it can be contained
- Critical system assessment reveals medical devices and patient monitors at risk
- Network topology analysis shows incomplete segmentation between clinical and administrative systems
Tracker Network Investigation:
- Traffic analysis reveals massive SMB scanning and exploitation across hospital subnets
- Network propagation patterns show attack moving toward life-critical medical device networks
- Communication flow analysis indicates potential spread to ambulance and emergency service networks
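One way the Tracker and Detective findings above (massive SMB fan-out across subnets, and origination from a single workstation) could be reproduced from connection logs, as an added example that is not part of this facilitation guide. It assumes a simplified, constructed log format of "timestamp src_ip dst_ip dst_port" such as a firewall or flow collector might export; the IP addresses, timestamps and the threshold of five distinct SMB targets in sixty seconds are all constructed for the example, and a real export would need its own parser and tuning.

```python
"""Detect worm-like SMB fan-out and reconstruct propagation order.

Added example for this scenario, not part of the original facilitation
guide. Log format, addresses and thresholds are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = {445, 139}

# Constructed sample log. An administrative workstation (10.20.5.17) fans
# out to many hosts on TCP/445; one clinical host it reaches (10.30.1.8)
# starts scanning its own subnet a minute later. A nursing station
# (10.30.1.40) only talks to its file server, which must not be flagged.
SAMPLE_LOG = """\
2017-05-16T18:02:01 10.20.5.17 10.20.5.20 445
2017-05-16T18:02:02 10.20.5.17 10.20.5.21 445
2017-05-16T18:02:03 10.30.1.40 10.20.9.5 445
2017-05-16T18:02:03 10.20.5.17 10.20.5.22 445
2017-05-16T18:02:05 10.20.5.17 10.20.5.23 445
2017-05-16T18:02:06 10.20.5.17 10.20.5.24 445
2017-05-16T18:02:07 10.30.1.40 10.20.9.5 445
2017-05-16T18:02:08 10.20.5.17 10.20.5.25 445
2017-05-16T18:02:09 10.20.5.17 10.30.1.8 445
2017-05-16T18:02:11 10.30.1.40 203.0.113.10 443
2017-05-16T18:03:15 10.30.1.8 10.30.1.9 445
2017-05-16T18:03:17 10.30.1.8 10.30.1.10 445
2017-05-16T18:03:20 10.30.1.8 10.30.1.11 445
2017-05-16T18:03:24 10.30.1.8 10.30.1.12 445
2017-05-16T18:03:30 10.30.1.8 10.30.1.13 445
"""


def parse_line(line):
    """Parse one constructed log line into (timestamp, src, dst, port)."""
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def smb_events(log_text):
    """Return time-sorted (ts, src, dst) tuples for SMB-port connections only."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, port = parse_line(line)
        if port in SMB_PORTS:
            events.append((ts, src, dst))
    events.sort()
    return events


def detect_smb_fanout(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {src: first_window_start} for sources that contacted at least
    `threshold` distinct hosts on SMB ports within any `window`.

    A single host legitimately reaching one file server many times is not
    flagged; the signal is breadth of targets, not volume of traffic.
    """
    by_src = defaultdict(list)
    for ts, src, dst in smb_events(log_text):
        by_src[src].append((ts, dst))
    flagged = {}
    for src, ev in by_src.items():
        for i, (t0, _) in enumerate(ev):
            targets = {d for t, d in ev[i:] if t - t0 <= window}
            if len(targets) >= threshold:
                flagged[src] = t0
                break
    return flagged


def propagation_chain(log_text, **kw):
    """Order flagged hosts by when they began fanning out and, for each, name
    an earlier-flagged scanner that had contacted it (its likely infector).
    Returns a list of (host, start_time, probable_source_or_None)."""
    flagged = detect_smb_fanout(log_text, **kw)
    events = smb_events(log_text)
    chain = []
    for host, t_flag in sorted(flagged.items(), key=lambda kv: kv[1]):
        sources = sorted({s for ts, s, d in events
                          if d == host and ts < t_flag
                          and s in flagged and flagged[s] < t_flag})
        chain.append((host, t_flag, sources[0] if sources else None))
    return chain


def patient_zero(log_text, **kw):
    """Earliest fan-out host with no flagged predecessor: the origin workstation."""
    chain = propagation_chain(log_text, **kw)
    return chain[0][0] if chain else None


if __name__ == "__main__":
    for host, start, source in propagation_chain(SAMPLE_LOG):
        print(f"{start.isoformat()} {host} fan-out began; probable source: {source}")
    print("patient zero:", patient_zero(SAMPLE_LOG))
```

Running the block prints the two scanning hosts in order with the administrative workstation named as the origin and the clinical host attributed to it; the nursing station's repeated file-server connections are ignored because they reach only one distinct target. The same distinct-target-per-window rule is what makes propagation toward a new subnet visible early, which is the point of the Tracker's network investigation in this scenario.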
Communicator Stakeholder Interviews:
- Medical staff report immediate patient care impact from system failures
- IT staff explain delayed patching on medical systems due to FDA device regulations
- Hospital administration reveals network design compromises made for operational convenience
Mid-Scenario Pressure Points:
- Hour 1: Emergency department physician cannot access patient allergy information for critical treatment
- Hour 2: Surgical team loses access to patient imaging during ongoing surgery
- Hour 3: ICU monitoring systems showing connectivity issues affecting patient safety
- Hour 4: Ambulance services report inability to transmit patient data to receiving hospital
Evolution Triggers:
- If network segmentation fails, life-critical medical devices become compromised
- If containment takes longer than 2 hours, patient care operations face dangerous disruption
- If the worm reaches the backup systems, the hospital loses all redundancy for critical patient data
Resolution Pathways:
Technical Success Indicators:
- Team implements emergency network segmentation protecting life-critical systems
- Worm propagation contained through rapid patch deployment and network isolation
- Kill switch discovery and activation halts ransomware spread before complete compromise
Business Success Indicators:
- Patient care operations maintained with minimal disruption to life-safety systems
- Emergency department continues operations using manual backup procedures when necessary
- Hospital maintains regulatory compliance while managing cybersecurity crisis
Learning Success Indicators:
- Team understands rapid worm propagation mechanics and network-based attacks
- Participants recognize critical importance of patch management in healthcare environments
- Group demonstrates crisis coordination between cybersecurity, medical operations, and patient safety
Common IM Facilitation Challenges:
If Technical Focus Overwhelms Patient Safety:
“Your network analysis is excellent, but Dr. Williams just reported that the emergency department cannot access patient medication allergies for incoming trauma cases. How do you balance technical investigation with immediate patient safety?”
If Propagation Speed Is Underestimated:
“While you’re planning your response, Thomas is watching three more departments lose system access in real time. This worm is spreading faster than traditional malware - what’s your immediate containment strategy?”
If Healthcare Complexity Is Avoided:
“Dr. Lee needs to know: can the emergency department safely treat patients without electronic medical records, or should they consider diverting ambulances to other hospitals?”