WannaCry Scenario: Hospital Emergency
WannaCry Scenario: Hospital Emergency
Planning Resources
Scenario Details for IMs
Hook
“It’s Tuesday evening at Memorial Health System, and the hospital is operating under surge conditions. The emergency department is packed with flu patients, the ICU is at capacity, and surgical teams are working overtime. Suddenly, computer screens across the hospital begin displaying ransom demands, and critical patient care systems start failing. Medical staff are reporting they cannot access patient records, lab results, or medication orders. In a hospital, every second counts, and systems are failing faster than they can be contained.”
Initial Symptoms to Present:
Key Discovery Paths:
Detective Investigation Leads:
Protector System Analysis:
Tracker Network Investigation:
Communicator Stakeholder Interviews:
Mid-Scenario Pressure Points:
- Hour 1: Emergency Department physician cannot access patient allergy information for critical treatment
- Hour 2: Surgical team loses access to patient imaging during ongoing surgery
- Hour 3: ICU monitoring systems showing connectivity issues affecting patient safety
- Hour 4: Ambulance services report inability to transmit patient data to receiving hospital
Evolution Triggers:
- If network segmentation fails, life-critical medical devices become compromised
- If containment takes longer than 2 hours, patient care operations face dangerous disruption
- If backup systems are accessed, hospital loses all redundancy for critical patient data
Resolution Pathways:
Technical Success Indicators:
- Team implements emergency network segmentation protecting life-critical systems
- Worm propagation contained through rapid patch deployment and network isolation
- Kill switch discovery and activation halts ransomware spread before complete compromise
Business Success Indicators:
- Patient care operations maintained with minimal disruption to life-safety systems
- The Emergency Department continues operations using manual backup procedures when necessary
- Hospital maintains regulatory compliance while managing cybersecurity crisis
Learning Success Indicators:
- Team understands rapid worm propagation mechanics and network-based attacks
- Participants recognize critical importance of patch management in healthcare environments
- Group demonstrates crisis coordination between cybersecurity, medical operations, and patient safety
Common IM Facilitation Challenges:
If Technical Focus Overwhelms Patient Safety:
“Your network analysis is excellent, but the CMO just reported that the Emergency Department cannot access patient medication allergies for incoming trauma cases. How do you balance technical investigation with immediate patient safety?”
If Propagation Speed Is Underestimated:
“While you’re planning your response, the IT Director is watching three more departments lose system access in real-time. This worm is spreading faster than traditional malware – what’s your immediate containment strategy?”
If Healthcare Complexity Is Avoided:
“Dr. Lee needs to know: can the emergency department safely treat patients without electronic medical records, or should they consider diverting ambulances to other hospitals? The state health department is asking about your operational capability, and CMS is expecting a breach notification within their required timeline.”
Success Metrics for Session:
Template Compatibility
This scenario adapts to multiple session formats with appropriate scope and timing:
Quick Demo (35-40 minutes)
Structure: 2 investigation rounds, 1 decision round
Focus: Core worm propagation discovery and immediate network containment
Simplified Elements: Streamlined medical device complexity and regulatory notification
Key Actions: Identify SMB vulnerability, implement emergency network segmentation, activate kill switch
Lunch & Learn (75-90 minutes)
Structure: 4 investigation rounds, 2 decision rounds
Focus: Comprehensive outbreak investigation and patient safety prioritization
Added Depth: Medical device patching constraints and backup system assessment
Key Actions: Complete forensic analysis of EternalBlue spread, coordinate patient care continuity, restore critical systems with validation
Full Game (120-140 minutes)
Structure: 6 investigation rounds, 3 decision rounds
Focus: Complete hospital network worm response with regulatory and regional coordination
Full Complexity: FDA device validation, HIPAA breach assessment, long-term security architecture redesign
Key Actions: Comprehensive network remediation across clinical and administrative systems, coordinate regional healthcare response, implement automated patch management and segmentation
Advanced Challenge (150-170 minutes)
Structure: 7-8 investigation rounds, 4 decision rounds
Expert Elements: Medical device firmware integrity analysis, multi-regulator compliance oversight, complex data recovery under ambiguity
Additional Challenges: Mid-scenario surgical system failure, regulatory inspector arrival, media scrutiny of patient safety impacts
Key Actions: Complete investigation under high-stakes clinical pressure, coordinate multi-agency federal response, implement zero-trust healthcare architecture while ensuring continuous patient care
Quick Demo Materials (35-40 min)
Guided Investigation Clues (for use with “Guided Investigation” option)
Clue 1 (Minute 5): “Network monitoring systems show an unprecedented volume of outbound SMB traffic from multiple internal hospital subnets, scanning for other devices on port 445.”
Clue 2 (Minute 10): “Security logs indicate successful exploitation attempts of the ‘EternalBlue’ vulnerability (MS17-010) on several legacy Windows 7 machines connected to patient monitoring equipment.”
Clue 3 (Minute 15): “You find a suspicious domain name embedded in the malware code (e.g., ‘iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com’). Research reveals this is associated with a ‘kill switch’ mechanism.”
Pre-Defined Response Options (for use with “Pre-defined Response” option)
Option A: Immediate Network Segmentation
- Action: Quickly segment the hospital network, isolating clinical systems and medical devices from the compromised administrative network.
- Pros: Halts the rapid spread of the worm, protecting life-critical patient care systems.
- Cons: May temporarily disrupt communication between administrative and clinical areas; requires rapid, decisive action.
- Type Effectiveness: Super effective against Worm type malmons.
Option B: Deploy “Kill Switch”
- Action: Register the domain name found in the malware code (if not already registered) or block access to it at the perimeter firewall/proxy.
- Pros: Can immediately stop the encryption functionality and further spread of the WannaCry strain.
- Cons: Requires quick identification of the domain; may only be effective against specific variants; does not remove existing infections.
- Type Effectiveness: Highly effective against Ransomware type malmons (specifically WannaCry).
Option C: Prioritize System Patching
- Action: Identify and immediately patch all unpatched systems vulnerable to EternalBlue, starting with critical patient care devices.
- Pros: Prevents future infections and closes the primary attack vector.
- Cons: Time-consuming in a large, active environment; may require downtime for critical systems during patching; difficult to implement during a live outbreak.
- Type Effectiveness: Effective against Exploit type malmons that leverage known vulnerabilities.
Lunch & Learn Materials (75-90 min, 2 rounds)
Round 1: Rapid Containment & Patient Safety (30-35 min)
Investigation Clues:
- Clue 1 (Minute 5): Network monitoring systems show an unprecedented surge in SMB traffic across hospital subnets. The Network Administrator reports, “We’re seeing automated port 445 scanning from multiple infected workstations – this isn’t normal user behavior, it’s rapid worm propagation.”
- Clue 2 (Minute 10): Security logs reveal successful exploitation of EternalBlue vulnerability (MS17-010) on legacy Windows 7 systems connected to patient monitoring equipment. The worm is spreading autonomously without user interaction – every unpatched system is vulnerable.
- Clue 3 (Minute 15): Emergency Department Director Dr. Patricia Lee reports critical patient care impact: “We cannot access patient allergy information for trauma cases arriving by ambulance. Lab results aren’t reaching physicians. This is actively threatening patient lives.”
- Clue 4 (Minute 20): A suspicious domain name is discovered embedded in the malware code. Research reveals this is WannaCry’s “kill switch” mechanism – if the domain resolves, encryption halts. The domain is currently unregistered but accessible online.
Response Options:
- Option A: Emergency Network Segmentation - Immediately segment the hospital network isolating clinical systems from administrative networks, disconnect non-critical systems from the network, prioritize protection of life-critical patient care equipment.
- Pros: Halts worm propagation to patient safety systems; enables Emergency Department operations to continue; protects medical device networks.
- Cons: Requires rapid decisive network isolation affecting hospital-wide connectivity; administrative functions severely disrupted; inter-departmental communication limited.
- Type Effectiveness: Super effective against Worm – prevents autonomous spread to life-critical systems but creates operational challenges.
- Option B: Deploy Kill Switch - Register or access the domain found in malware code to activate WannaCry’s kill switch, halting encryption functionality while maintaining network connectivity for patient care.
- Pros: Immediately stops encryption and further spread without network disruption; allows continued patient care operations; elegant technical solution.
- Cons: Only effective against this specific WannaCry variant; doesn’t remove existing infections; requires quick technical execution during crisis.
- Type Effectiveness: Highly effective against WannaCry Ransomware specifically; elegant solution for this variant but doesn’t address all worm characteristics.
- Option C: Patient Care Priority with Selective Isolation - Focus on protecting Emergency Department and ICU systems through targeted network isolation, allow worm to continue spreading in administrative areas temporarily while prioritizing patient safety.
- Pros: Maintains life-critical patient care capabilities; targeted approach minimizes operational disruption; clear patient safety prioritization.
- Cons: Worm continues propagating in administrative systems; may eventually reach patient care areas; differential security creates complexity.
- Type Effectiveness: Partially effective – protects highest-priority systems but allows continued worm propagation in lower-priority areas.
Round 2: System Recovery & Healthcare Compliance (30-35 min)
Investigation Clues:
- Clue 5 (Minute 30): If Option A (segmentation) was chosen: The CMO reports that surgical teams cannot access patient imaging for ongoing procedures due to network isolation. “We need those systems reconnected for patient safety – but carefully.”
- Clue 5 (Minute 30): If Option B (kill switch) was chosen: While encryption has stopped, infected systems still contain the worm and will reactivate if the kill switch domain becomes unavailable. Comprehensive patching is still required.
- Clue 5 (Minute 30): If Option C (selective) was chosen: The worm has now spread to backup systems in administrative areas, and pharmacy systems are experiencing connectivity issues affecting medication dispensing.
- Clue 6 (Minute 40): Hospital administration discovers that several patient care systems cannot be immediately patched due to medical device regulations requiring validated software configurations. “We can’t just apply Windows patches to life-critical equipment – we need vendor approval and validation.”
- Clue 7 (Minute 50): The Chief Medical Officer receives questions from health authorities about whether the hospital can safely continue operations or should divert ambulances to other facilities. “We need a clear answer about operational capability and patient safety.”
- Clue 8 (Minute 55): Analysis reveals that hospital backup systems were not fully isolated and some may also be encrypted. The recovery strategy must account for potential backup compromise while maintaining regulatory compliance and patient safety.
Response Options:
- Option A: Comprehensive Emergency Response - Activate hospital emergency operations center, coordinate with other regional hospitals for patient load sharing, implement full network remediation with vendor support for medical devices, engage regulatory authorities for compliance guidance.
- Pros: Full incident response with proper healthcare coordination; ensures patient safety through regional cooperation; demonstrates responsible healthcare security practices.
- Cons: Major operational disruption requiring emergency protocols; potential reputation impact from public incident disclosure; significant costs for emergency response and recovery.
- Type Effectiveness: Super effective for Healthcare Worm Incidents – comprehensive response ensuring patient safety and regulatory compliance.
- Option B: Staged Recovery with Patient Care Continuity - Maintain emergency patient care using manual paper-based procedures, implement phased network restoration starting with life-critical systems, coordinate vendor support for medical device security patching validation.
- Pros: Balances patient care continuity with security recovery; minimizes patient impact through manual procedures; targeted approach to complex medical device challenges.
- Cons: Extended recovery timeline for full system restoration; staff burden from manual procedures during flu surge; potential patient care quality impacts.
- Type Effectiveness: Moderately effective – maintains patient safety while enabling gradual secure recovery.
- Option C: Rapid Patch Deployment with Accept Risk - Immediately deploy EternalBlue patches to all systems including medical devices, accept short-term FDA validation risks to prevent continued worm spread, implement enhanced monitoring to detect any device functionality issues.
- Pros: Fastest path to closing vulnerability and preventing reinfection; demonstrates decisive security action; minimizes worm propagation window.
- Cons: May violate FDA medical device requirements; potential device malfunction from unvalidated patching; regulatory and liability exposure.
- Type Effectiveness: Effective against Worm propagation but creates significant regulatory and patient safety risks.
Round Transition Narrative
After Round 1 → Round 2:
The team’s initial response determines whether the hospital faces network isolation challenges (segmentation approach), kill switch dependency concerns (domain-based solution), or continued worm propagation (selective approach). Regardless of choice, the situation evolves when hospital administration realizes that medical devices cannot be quickly patched due to FDA regulatory requirements for validated software configurations. Chief Medical Officer Dr. Williams must answer the state health department’s question about whether Memorial Health System can safely continue patient care operations or should activate emergency diversion protocols. The team discovers that hospital backup systems may also be compromised, complicating recovery strategies. The incident now requires balancing immediate patient safety, regulatory compliance with FDA medical device requirements, regional healthcare coordination, and comprehensive network recovery – all during peak flu season when patient care cannot be interrupted.
Debrief Focus:
- Recognition of worm propagation mechanics and rapid network spread
- Balance between immediate containment and patient safety continuity
- Healthcare-specific challenges including medical device regulations (FDA in US; MHRA in UK)
- Kill switch discovery and implementation as emergency response technique
- Importance of backup isolation in healthcare environments
Full Game Materials (120-140 min, 3 rounds)
Round 1: Initial Outbreak & Emergency Response (35-40 min)
It’s Tuesday evening at Memorial Health System, a 400-bed hospital experiencing the worst flu season surge in five years. Every ICU bed is occupied, the emergency department has a three-hour wait time, and surgical teams are working through a backlog of postponed procedures. Nurses are caring for patients in hallway beds, and the entire facility is operating under surge capacity protocols. In the IT department, Network Administrator Brian Martinez is monitoring evening system backups when his screen fills with alerts. “Thomas, we have a problem,” he calls to IT Director Thomas Anderson. “I’m seeing massive SMB traffic across the network – it looks like automated scanning on port 445 from dozens of internal addresses.” Before Thomas can respond, Dr. Patricia Lee bursts into the IT office. “Our emergency department systems just went down. Patient records, lab results, medication orders – everything is showing ransom messages. We have critical patients arriving and cannot access their medical histories or allergy information. This is a patient safety emergency.” Chief Medical Officer Dr. Susan Williams joins moments later, her phone ringing continuously. “State health is asking whether we can safely operate or need to divert ambulances. I need answers now – what are we dealing with, and how do we protect patient lives?”
Players investigate openly using their role capabilities. Key discoveries available include the EternalBlue exploitation vector, the autonomous worm propagation speed (hundreds of systems per hour), the incomplete network segmentation, the kill switch domain embedded in the malware code, and the medical device patching constraints.
If team stalls: The Department Director interrupts: “We have a packed department and cannot access patient allergy information for incoming trauma cases. An ambulance is ten minutes out with a stroke patient – we need medication history to determine clot-busting therapy eligibility. Do I divert or treat blind?”
Facilitation questions:
- “How do you balance stopping worm propagation with maintaining life-critical patient care systems?”
- “What is your recommendation to the CMO about the Emergency Department’s operational status – continue operations or activate emergency diversion protocols?”
- “You’ve found a kill switch domain in the malware. Do you trust it, or does deploying it introduce unacceptable risk to patient care systems?”
Round 1→2 Transition
The team’s containment approach determines Round 2’s starting conditions. Network segmentation isolates departments from each other, creating care coordination challenges. Kill switch deployment stops encryption but leaves infected systems vulnerable to reactivation. Selective isolation allows continued worm spread in administrative areas. Regardless of choice, the CMO learns that medical devices cannot be quickly patched due to regulatory validation requirements.
Round 2: Medical Device Security & Recovery Planning (35-40 min)
The CMO convenes an emergency meeting: “Biomedical Engineering just informed me that ventilators, patient monitors, and infusion pumps run on Windows 7 Embedded and cannot accept standard patches without breaking device certifications. That process normally takes weeks. Meanwhile, backup systems in administrative areas have also been encrypted.”
New developments beyond Round 1: Cyber insurance requires specific incident documentation and law enforcement notification. Medical device vendor patch validation will take 2-3 weeks. CFO warns that without proper forensic documentation, insurance may not cover recovery costs.
If team focused only on technical recovery: State health regulators contact the hospital regarding HIPAA breach assessment requirements. “You must determine within 60 days whether patient protected health information was accessed or exfiltrated during this ransomware incident.”
Facilitation questions:
- “How do you manage medical device security when vendor patching validation takes weeks but the worm is still present on your network?”
- “Some backup systems were also encrypted. How do you identify clean restore points when the attackers were present for an unknown period before encryption?”
- “The state health department is asking about your operational capability and HIPAA breach notification is due within 60 days. How do you balance rapid recovery with proper regulatory compliance?”
Round 2→3 Transition
The immediate crisis shifts from containment to strategic recovery. Emergency manual procedures are keeping the hospital operational during flu surge, but paper-based medicine is unsustainable. The fundamental questions are no longer “how do we stop the worm” but “how do we rebuild, and how do we prevent this from ever happening again?”
Round 3: Long-term Recovery & Security Architecture (40-45 min)
Opening: Several days post-incident. Emergency manual procedures are in place but staff fatigue is mounting during flu surge. The Chief Medical Officer convenes a senior leadership meeting: “This cannot happen again. We need to understand how our network design and patching procedures enabled this worm to spread so rapidly. What systematic changes are needed?”
Investigation focus areas:
- External consultants identify fundamental design flaws: inadequate segmentation between clinical and administrative systems, operational convenience prioritized over security, delayed medical device patching
- H-ISAC intelligence shows WannaCry hit multiple hospitals nationwide – peer experiences offer lessons about segmentation, patching, and backup isolation
- IT proposes network redesign with proper clinical/administrative segmentation and isolated backup infrastructure – estimated cost significant, requiring capital budget reallocation from patient care equipment
Pressure events:
- Cyber insurance adjuster indicates inadequate security controls may reduce claim payout
- Health regulators schedule a site visit to assess hospital cybersecurity compliance
- Patient advocacy group requests public accountability for security failures
- Hospital board demands accountability report: who knew about the security gaps, and why weren’t they addressed?
Facilitation questions:
- “The network redesign costs $2 million but doesn’t directly improve patient care. How do you justify that investment to a board choosing between cybersecurity and new patient monitoring equipment?”
- “What governance structure ensures future security decisions properly balance patient safety, operational efficiency, and cybersecurity protection?”
- “H-ISAC is asking hospitals to share their incident data to help the sector. How transparent are you about your own security failures?”
Victory conditions for full 3-round arc:
- Comprehensive security architecture roadmap addressing network segmentation, medical device protection, and backup isolation
- Organizational governance framework for cybersecurity decision-making that includes clinical leadership
- Cost-benefit analysis demonstrating security investment value for patient safety and regulatory compliance
- Lessons documented and shared with healthcare sector through H-ISAC
Debrief Questions
- Technical: What made the WannaCry worm propagation uniquely difficult to contain in a hospital environment?
- Operational: How did the patient safety priority conflict with standard cybersecurity containment procedures?
- Regulatory: Why can’t medical devices be patched as quickly as administrative workstations?
- Strategic: If you have to choose between clinical uptime and complete security, how do you make that decision during a crisis?
- Human: How do you manage staff stress and communication during a prolonged operational outage?
- Future-Proofing: What single change to the hospital’s network architecture would have had the biggest impact on this incident?
- Ethical: Under what circumstances (if any) would you consider paying the ransom in a hospital emergency?
Debrief Focus
- How worm propagation mechanics create uniquely urgent crises compared to other malware types – speed of spread forces immediate triage decisions
- The tension between patient safety continuity and cybersecurity best practices when medical devices can’t be patched quickly
- Healthcare-specific regulatory constraints that make incident response fundamentally different from other sectors
- The kill switch discovery as a case study in creative technical response under extreme time pressure
- Long-term security investment challenges when healthcare budgets compete between cybersecurity and patient care
Advanced Challenge Materials (150-170 min, 3+ rounds)
Red Herrings & Misdirection
- Legitimate system updates – Microsoft releases an emergency EternalBlue security bulletin during the incident, causing unrelated connectivity issues on some systems – teams must differentiate worm impact from legitimate update problems
- Insider suspicion – the initial infection point was an administrative workstation with deliberately delayed patching; teams may pursue insider threat investigation that wastes critical time
- Vendor misinformation – medical device vendors provide conflicting guidance about patching timelines and validation requirements; teams must navigate contradictory recommendations
- Insurance coverage dispute – cyber insurance carrier questions whether 24/7 operations without adequate patching constitutes negligence, potentially voiding coverage mid-incident
Removed Resources & Constraints
- No external threat intelligence – teams must discover the WannaCry kill switch through malware analysis rather than provided clues
- Incident response playbook missing – teams must develop healthcare-specific procedures in real-time under clinical pressure
- Limited cybersecurity staff – IT Director Thomas Anderson is the only staff member with security training; all others are general IT support
- Regulatory ambiguity – no clear guidance on whether ransom payment constitutes a HIPAA violation or affects insurance eligibility
Enhanced Pressure
- Surgical system failure – a surgical robot or imaging system fails during a complex procedure, requiring immediate decision-making by the response team and clinical leadership
- State regulatory inspector arrival – an inspector arrives during the incident response to assess “patient safety during technological failure,” requiring management attention
- Media leak – an employee leaks details of the “hospital hack” to local news, creating public panic and family inquiries before official communication is ready
- Regional capacity crisis – neighboring hospitals reach capacity and refuse further diversions, forcing the team to find ways to operate despite the compromise
Ethical Dilemmas
- Ransom payment versus ethics – paying the ransom could restore systems in hours, potentially saving lives; not paying is principled but has a measurable human cost. Who makes the final decision when lives are at stake?
- Patient triage priority – limited recovery resources force a choice: restore ICU patient monitors (highest immediate life safety), the Emergency Department record system (highest volume), or the pharmacy system (critical for all patients). Who decides which patients receive priority?
- Selective disclosure – full transparency about the scope of compromise might cause more public harm through panic than it solves through awareness. Is it ethical to withhold incident details to maintain public calm?
- Rapid patching liability – deploying unvalidated patches to medical devices might cause them to malfunction, but not patching leaves them vulnerable to the worm. Who accepts the liability if a patient is harmed by a patched device?
Advanced Debrief Topics
- How high-consequence industries (healthcare, aviation, utilities) must approach cybersecurity differently than traditional corporate IT – the “fail-safe” requirement
- The ethics of incident response when the primary stakeholder is not a customer or shareholder but a patient whose life depends on system availability
- Why technical debt in healthcare (legacy medical devices) represents a systemic public safety risk that individual hospitals cannot solve alone
- How the “kill switch” strategy in WannaCry represents a fundamental design flaw in the malware that responders must be prepared to exploit
- Balancing technical thoroughness with clinical urgency – when “good enough” security is necessary to save lives