WannaCry Scenario: Memorial Health System Emergency

Memorial Health System: 400-bed hospital, 1,800 employees
Worm • WannaCry
STAKES
Patient life safety + Critical care operations + Emergency services continuity
HOOK
Memorial Health System is in the middle of flu season surge, with the emergency department at 150% capacity and ICU completely full. The hospital just activated surge protocols when computer systems began failing across multiple departments. The worm is spreading rapidly through the network during the most critical period when patient care cannot be interrupted.
PRESSURE
Emergency department surge - any system downtime directly threatens patient lives
FRONT • 120 minutes • Advanced
NPCs
  • Dr. Susan Williams (Chief Medical Officer): Managing critical patient surge, every minute of system downtime affects patient care decisions, must balance security response with life-saving operations
  • Thomas Anderson (IT Director): Watching systems fail in real-time across hospital network, trying to contain spread while maintaining life-critical medical devices and patient monitoring
  • Dr. Patricia Lee (Emergency Department Director): Has 35 patients waiting, cannot access patient records or lab results, demanding immediate system restoration for patient safety
  • Brian Martinez (Network Administrator): Discovering that hospital's legacy Windows systems lack critical security patches, realizes scope of vulnerability while attack spreads
SECRETS
  • Hospital delayed Windows security updates on medical device networks to avoid disrupting patient care
  • Legacy medical equipment runs on unpatched Windows systems that cannot be easily updated
  • Network segmentation between clinical and administrative systems was incomplete due to operational convenience

Planning Resources

Tip: Comprehensive Facilitation Guide Available

For detailed session preparation support, including game configuration templates, investigation timelines, response options matrix, and round-by-round facilitation guidance, see:

WannaCry Hospital Emergency Planning Document

Planning documents provide 30-minute structured preparation for first-time IMs, or quick-reference support for experienced facilitators.


Scenario Details for IMs

Memorial Health System: Regional Hospital During Peak Flu Season

Organization Profile

  • Type: Regional acute care hospital and Level II trauma center
  • Size: 400-bed facility, 1,800 employees (450 physicians, 800 nurses, 550 support staff)
  • Operations: Emergency services, intensive care, surgical services, inpatient care, outpatient clinics
  • Critical Services: 24/7 emergency department (65,000 annual visits), intensive care unit (45 beds), surgical suites (12 operating rooms), patient monitoring systems
  • Technology: Integrated EHR system (Electronic Health Records), medical device networks, patient monitoring systems, laboratory information systems, pharmacy systems, administrative networks

Memorial Health System serves a population of 500,000 across a three-county region. The hospital is the only Level II trauma center within 60 miles, making it the critical care destination for serious medical emergencies. Current status: Flu season surge with ED at 150% capacity, ICU completely full, surgical teams working extended schedules.

Key Assets & Impact

What’s At Risk:

  • Patient Life Safety: ED has 35 patients awaiting treatment, ICU monitors 45 critical patients, 3 surgeries currently in progress—any system failure during surge conditions directly threatens lives
  • Critical Care Operations: EHR system contains allergy information, medication orders, lab results, imaging for 400 current inpatients—clinicians making life-saving decisions without access risk deadly medical errors
  • Emergency Services Continuity: Hospital is sole Level II trauma center for region—prolonged system downtime forces ambulance diversion to facilities 60+ miles away, increasing patient mortality during “golden hour”

Immediate Business Pressure

Tuesday evening, peak flu season. Memorial activated surge protocols 6 hours ago. Emergency department treating 35 patients with 12-hour wait times. ICU at full capacity with ventilator-dependent patients. Three surgical teams in active procedures. Hospital just accepted two Level II trauma cases via ambulance when systems began failing.

Dr. Patricia Lee (ED Director) has patients requiring immediate treatment decisions—one with suspected allergic reaction needs medication, but EHR is inaccessible. She cannot verify patient allergies, previous medications, or current conditions. Lab results for 8 patients in ED are trapped in failing systems. Every minute of system downtime increases risk of medical errors that could be fatal.

Critical Timeline:

  • Current moment (Tuesday 7pm): Systems failing in real-time, 3 surgeries in progress, ED at crisis capacity
  • Stakes: Patient lives directly at risk—wrong medication due to missing allergy data could be fatal, surgical teams losing access to imaging mid-procedure
  • Dependencies: 35 ED patients awaiting care, 45 ICU patients on continuous monitoring, regional EMS system routing all trauma cases to Memorial, no alternative Level II trauma center within reasonable transport time

Cultural & Organizational Factors

Why This Vulnerability Exists:

  • Patient-centered mission above all else: Hospital culture prioritizes “patient care first”—when IT proposed taking medical device networks offline for security patches, clinical leadership refused due to potential care disruption. Security updates repeatedly delayed for “when it’s less busy” (which never comes during flu season).
  • FDA medical device regulations create patch paralysis: Legacy medical equipment (ventilators, patient monitors, infusion pumps) runs on certified Windows systems—applying patches voids FDA certification and manufacturer warranties. IT cannot patch these systems without months-long recertification process. Result: Known vulnerabilities remain unpatched.
  • Operational convenience over network segmentation: Clinical staff demanded seamless connectivity between administrative workstations and medical device networks for “workflow efficiency.” Network segmentation proposals rejected as “too restrictive” and “impacting patient care.” Single compromised administrative workstation now threatens entire clinical network.
  • Resource constraints during perpetual crisis: Hospital operates under constant surge conditions (flu season, opioid crisis, trauma). No “good time” exists for security maintenance. IT security team consists of 3 people managing 1,800 employee devices plus hundreds of medical devices. Security becomes “when we have time” (never).

Operational Context

How This Hospital Actually Works:

Memorial Health operates in permanent crisis mode—flu season means every bed full, every clinician overworked, every system pushed to capacity. IT security proposed segmented networks and updated patches for 18 months. Clinical leadership approved plans but postponed implementation “until after flu season” (which runs October through March). When not in flu season, there’s summer trauma surge. Network architecture reflects years of “yes to security, no to disruption”—approved in principle, never executed in practice. The gap between written policy (patch within 30 days) and reality (medical device networks unpatched for 3+ years) created the perfect conditions for WannaCry.

Key Stakeholders (For IM Facilitation)

  • Dr. Susan Williams (Chief Medical Officer) - Managing patient surge and clinical response, must balance security containment with life-saving operations
  • Dr. Patricia Lee (Emergency Department Director) - 35 patients in ED awaiting treatment, demanding immediate system access for patient safety
  • Thomas Anderson (IT Director) - Watching systems fail in real-time, trying to contain worm while protecting life-critical medical devices
  • Brian Martinez (Network Administrator) - Discovering scope of unpatched systems as attack spreads, realizes delayed updates created vulnerability

Why This Matters

You’re not just responding to a ransomware attack—you’re protecting patient lives during a medical surge crisis where every minute of system downtime increases the risk of deadly medical errors. A physician cannot verify patient allergies before administering medication. Surgical teams are losing access to imaging during active procedures. ICU monitoring systems are at risk. The hospital is the only Level II trauma center for 500,000 people—there’s nowhere else to send patients. Your incident response decisions directly impact whether patients live or die tonight.

IM Facilitation Notes

  • This is about life safety first, cybersecurity second: Frame every decision around “what keeps patients alive right now.” Players often focus purely on technical containment—remind them ED has 35 patients, 3 surgeries in progress, ICU monitoring 45 critical patients.
  • The FDA medical device patch problem is real: Don’t let players dismiss “just patch everything” as easy solution. Medical devices with FDA certification cannot be patched without losing certification and warranty. This is authentic healthcare cybersecurity complexity.
  • Operational convenience created the vulnerability: Players will blame IT incompetence—correct this. Clinical leadership blocked segmentation because doctors demanded workflow efficiency. This is organizational culture failure, not IT failure.
  • Time pressure is crushing: Hospital is at 150% capacity during surge. There is no “shut everything down safely” option. Life-critical systems cannot be taken offline without moving patients (impossible during surge). Force players to make hard choices with incomplete information under time pressure.
  • Regional critical infrastructure dependency: Memorial is the only Level II trauma center within 60 miles. System downtime doesn’t just affect current patients—it affects entire regional EMS system. Ambulance diversion means trauma patients die in transport.

Opening Presentation

“It’s Tuesday evening at Memorial Health System, and the hospital is operating under surge conditions. The emergency department is packed with flu patients, the ICU is at capacity, and surgical teams are working overtime. Suddenly, computer screens across the hospital begin displaying ransom demands, and critical patient care systems start failing. Medical staff are reporting they cannot access patient records, lab results, or medication orders. In a hospital, every second counts, and systems are failing faster than they can be contained.”

Initial Symptoms to Present:

Warning: Initial User Reports
  • “Patient record systems displaying ransom messages instead of medical data”
  • “Laboratory computers cannot send test results to clinical staff”
  • “Nursing stations losing access to medication administration records”
  • “New systems failing every few minutes across different hospital departments”

Key Discovery Paths:

Detective Investigation Leads:

  • Network forensics reveal rapid lateral movement using SMB vulnerability exploitation
  • File system analysis shows systematic encryption of patient data and medical records
  • Log analysis reveals attack origination from single unpatched workstation in administrative area

Protector System Analysis:

  • Real-time monitoring shows worm spreading through hospital network faster than containment
  • Critical system assessment reveals medical devices and patient monitors at risk
  • Network topology analysis shows incomplete segmentation between clinical and administrative systems

Tracker Network Investigation:

  • Traffic analysis reveals massive SMB scanning and exploitation across hospital subnets
  • Network propagation patterns show attack moving toward life-critical medical device networks
  • Communication flow analysis indicates potential spread to ambulance and emergency service networks

Communicator Stakeholder Interviews:

  • Medical staff report immediate patient care impact from system failures
  • IT staff explain delayed patching on medical systems due to FDA device regulations
  • Hospital administration reveals network design compromises made for operational convenience

Mid-Scenario Pressure Points:

  • Hour 1: Emergency department physician cannot access patient allergy information for critical treatment
  • Hour 2: Surgical team loses access to patient imaging during ongoing surgery
  • Hour 3: ICU monitoring systems showing connectivity issues affecting patient safety
  • Hour 4: Ambulance services report inability to transmit patient data to receiving hospital

Evolution Triggers:

  • If network segmentation fails, life-critical medical devices become compromised
  • If containment takes longer than 2 hours, patient care operations face dangerous disruption
  • If backup systems are accessed, hospital loses all redundancy for critical patient data

Resolution Pathways:

Technical Success Indicators:

  • Team implements emergency network segmentation protecting life-critical systems
  • Worm propagation contained through rapid patch deployment and network isolation
  • Kill switch discovery and activation halts ransomware spread before complete compromise

Business Success Indicators:

  • Patient care operations maintained with minimal disruption to life-safety systems
  • Emergency department continues operations using manual backup procedures when necessary
  • Hospital maintains regulatory compliance while managing cybersecurity crisis

Learning Success Indicators:

  • Team understands rapid worm propagation mechanics and network-based attacks
  • Participants recognize critical importance of patch management in healthcare environments
  • Group demonstrates crisis coordination between cybersecurity, medical operations, and patient safety

Common IM Facilitation Challenges:

If Technical Focus Overwhelms Patient Safety:

“Your network analysis is excellent, but Dr. Williams just reported that the emergency department cannot access patient medication allergies for incoming trauma cases. How do you balance technical investigation with immediate patient safety?”

If Propagation Speed Is Underestimated:

“While you’re planning your response, Thomas is watching three more departments lose system access in real-time. This worm is spreading faster than traditional malware - what’s your immediate containment strategy?”

If Healthcare Complexity Is Avoided:

“Dr. Lee needs to know: can the emergency department safely treat patients without electronic medical records, or should they consider diverting ambulances to other hospitals?”

Success Metrics for Session:


Template Compatibility

Quick Demo (35-40 min)

  • Focus: Highlight the rapid spread and immediate patient safety impact.
  • Guided Investigation: Focus clues on network scanning and initial encryption.
  • Pre-defined Response: Prioritize immediate containment of the worm and critical system protection.
  • Learning: Emphasize the speed of worm propagation and the need for rapid response.

Lunch & Learn (75-90 min)

  • Focus: Explore the tension between rapid containment and maintaining critical hospital operations.
  • Guided Investigation: Use clues to reveal the EternalBlue vulnerability and the lack of patching on legacy systems.
  • Pre-defined Response: Include options for network segmentation, system isolation, and communication protocols with medical staff.
  • Learning: Discuss the challenges of patching in healthcare environments and the impact on patient safety.

Full Game (120-140 min)

  • Focus: Allow for a full exploration of the incident, from initial spread to recovery planning, balancing technical response with patient care.
  • Open Investigation: Players will discover the extent of the infection, the risks to various medical devices, and the compromises made in network design.
  • Creative Response: Teams develop a comprehensive strategy that addresses technical containment, communication with stakeholders, and continuity of care.
  • Learning: Deep dive into incident response coordination in a life-critical environment, including ethical considerations and regulatory compliance (HIPAA).

Advanced Challenge (150-170 min)

  • Focus: High-pressure, complex scenario for experienced teams.
  • Open Investigation: Introduce additional complexities like the attacker probing for specific patient data, or the ransomware attempting to disable backup systems.
  • Creative Response: Players must develop an advanced recovery plan that addresses data integrity, system restoration for medical devices, and managing public relations during a healthcare crisis.
  • Complexity: Remove access to external threat intelligence, making attribution and advanced analysis more challenging. Emphasize the “kill switch” discovery as a critical, high-stakes moment.

Quick Demo Materials (35-40 min)

Guided Investigation Clues (for use with “Guided Investigation” option)

Clue 1 (Minute 5): “Network monitoring systems show an unprecedented volume of outbound SMB traffic from multiple internal hospital subnets, scanning for other devices on port 445.”

Clue 2 (Minute 10): “Security logs indicate successful exploitation attempts of the ‘EternalBlue’ vulnerability (MS17-010) on several legacy Windows 7 machines connected to patient monitoring equipment.”

Clue 3 (Minute 15): “You find a suspicious domain name embedded in the malware code (e.g., ‘iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com’). Research reveals this is associated with a ‘kill switch’ mechanism.”


Pre-Defined Response Options (for use with “Pre-defined Response” option)

Option A: Immediate Network Segmentation

  • Action: Quickly segment the hospital network, isolating clinical systems and medical devices from the compromised administrative network.
  • Pros: Halts the rapid spread of the worm, protecting life-critical patient care systems.
  • Cons: May temporarily disrupt communication between administrative and clinical areas; requires rapid, decisive action.
  • Type Effectiveness: Super effective against Worm type malmons.

Option B: Deploy “Kill Switch”

  • Action: Register the domain name found in the malware code (if not already registered) and make sure infected hosts can resolve and reach it through the perimeter firewall/proxy. The kill switch fires only when the domain resolves; blocking the domain would have the opposite effect and let encryption proceed.
  • Pros: Can immediately stop the encryption functionality and further spread of the WannaCry strain.
  • Cons: Requires quick identification of the domain; may only be effective against specific variants; does not remove existing infections.
  • Type Effectiveness: Highly effective against Ransomware type malmons (specifically WannaCry).

Option C: Prioritize System Patching

  • Action: Identify and immediately patch all unpatched systems vulnerable to EternalBlue, starting with critical patient care devices.
  • Pros: Prevents future infections and closes the primary attack vector.
  • Cons: Time-consuming in a large, active environment; may require downtime for critical systems during patching; difficult to implement during a live outbreak.
  • Type Effectiveness: Effective against Exploit type malmons that leverage known vulnerabilities.

Lunch & Learn Materials (75-90 min, 2 rounds)

Round 1: Rapid Containment & Patient Safety (30-35 min)

Investigation Clues:

  • Clue 1 (Minute 5): Network monitoring systems show an unprecedented surge in SMB traffic across hospital subnets. IT Administrator Brian Martinez reports, “We’re seeing automated scanning on port 445 from multiple infected workstations - this isn’t normal user behavior, it’s rapid worm propagation.”
  • Clue 2 (Minute 10): Security logs reveal successful exploitation of EternalBlue vulnerability (MS17-010) on legacy Windows 7 systems connected to patient monitoring equipment. The worm is spreading autonomously without user interaction - every unpatched system is vulnerable.
  • Clue 3 (Minute 15): Emergency Department Director Dr. Patricia Lee reports critical patient care impact: “We cannot access patient allergy information for trauma cases arriving by ambulance. Lab results aren’t reaching physicians. This is actively threatening patient lives.”
  • Clue 4 (Minute 20): A suspicious domain name is discovered embedded in the malware code. Research reveals this is WannaCry’s “kill switch” mechanism - if the domain resolves, encryption halts. The domain is currently unregistered but accessible online.
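Clue 1 of the Quick Demo and Clue 1 of this round both describe the same observable: one or more hosts opening connections to many distinct neighbours on TCP 445 in a short period, which is what Brian Martinez means by “automated scanning.” The following added example (written for this guide, not code from the scenario or from any real hospital) shows how a detection rule for that fan-out pattern can be expressed over flow records. The log format, the addresses (10.20.x.x) and the counts are all constructed; the threshold and window are illustrative starting points rather than tuned values.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed flow records: <ISO timestamp> <src> <dst> <dst_port> <flag>.
    An assumed administrative workstation (10.20.5.17) probes 24 different
    neighbours on TCP 445 within 12 seconds, while a benign workstation
    (10.20.5.40) reaches the same file server eight times."""
    base = datetime(2017, 5, 16, 19, 2, 0)
    lines = []
    for i in range(24):  # two probes per second, each to a different host
        ts = base + timedelta(seconds=i // 2)
        lines.append(f"{ts.isoformat()} 10.20.5.17 10.20.5.{100 + i} 445 SYN")
    for i in range(8):  # benign: repeated connections to one server
        ts = base + timedelta(seconds=i * 5)
        lines.append(f"{ts.isoformat()} 10.20.5.40 10.20.1.10 445 SYN")
    lines.append(f"{base.isoformat()} 10.20.5.41 10.20.1.20 443 SYN")  # not SMB, ignored
    return "\n".join(lines)


SAMPLE_LOG = build_sample_log()


def parse_flows(text):
    """Parse the constructed log format into dicts; blank or malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, _flag = parts
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "dport": int(dport)})
    return flows


def detect_smb_fanout(flows, window_seconds=60, threshold=10, port=445):
    """Return {src: peak_distinct_destinations} for every source that reached at
    least `threshold` distinct hosts on `port` inside some sliding window of
    `window_seconds`. Repeated connections to the same host do not count."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for f in flows:
        if f["dport"] == port:
            by_src[f["src"]].append((f["ts"], f["dst"]))

    alerts = {}
    for src, events in by_src.items():
        events.sort()
        in_window = defaultdict(int)  # dst -> events currently inside the window
        left, peak = 0, 0
        for ts, dst in events:
            in_window[dst] += 1
            while ts - events[left][0] > window:  # slide the left edge forward
                old_dst = events[left][1]
                in_window[old_dst] -= 1
                if in_window[old_dst] == 0:
                    del in_window[old_dst]
                left += 1
            peak = max(peak, len(in_window))
        if peak >= threshold:
            alerts[src] = peak
    return alerts


if __name__ == "__main__":
    for src, n in detect_smb_fanout(parse_flows(SAMPLE_LOG)).items():
        print(f"ALERT possible worm scanning: {src} reached {n} distinct hosts on 445")
```

Counting distinct destinations rather than raw connections is what separates a worm from a busy file-server client: the benign workstation generates eight SMB connections but never trips the rule. In a real deployment the same logic would read from a flow collector or firewall log, and the alert would be what triggers the segmentation decision in Option A.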

Response Options:

  • Option A: Emergency Network Segmentation - Immediately segment the hospital network isolating clinical systems from administrative networks, disconnect non-critical systems from the network, prioritize protection of life-critical patient care equipment.
    • Pros: Halts worm propagation to patient safety systems; enables emergency department to continue operations; protects medical device networks.
    • Cons: Requires rapid decisive network isolation affecting hospital-wide connectivity; administrative functions severely disrupted; inter-departmental communication limited.
    • Type Effectiveness: Super effective against Worm - prevents autonomous spread to life-critical systems but creates operational challenges.
  • Option B: Deploy Kill Switch - Register or access the domain found in malware code to activate WannaCry’s kill switch, halting encryption functionality while maintaining network connectivity for patient care.
    • Pros: Immediately stops encryption and further spread without network disruption; allows continued patient care operations; elegant technical solution.
    • Cons: Only effective against this specific WannaCry variant; doesn’t remove existing infections; requires quick technical execution during crisis.
    • Type Effectiveness: Highly effective against WannaCry Ransomware specifically; elegant solution for this variant but doesn’t address all worm characteristics.
  • Option C: Patient Care Priority with Selective Isolation - Focus on protecting emergency department and ICU systems through targeted network isolation, allow worm to continue spreading in administrative areas temporarily while prioritizing patient safety.
    • Pros: Maintains life-critical patient care capabilities; targeted approach minimizes operational disruption; clear patient safety prioritization.
    • Cons: Worm continues propagating in administrative systems; may eventually reach patient care areas; differential security creates complexity.
    • Type Effectiveness: Partially effective - protects highest-priority systems but allows continued worm propagation in lower-priority areas.
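Option A in both the Quick Demo and this round asks the team to “segment the hospital network, isolating clinical systems and medical devices from the compromised administrative network” while keeping patient care traffic flowing. The added example below (written for this guide, not code from the scenario or any hospital) shows one way to express that emergency policy as an ordered rule set and check individual flows against it. The zone names, address ranges, the SMB/RPC port set and the sample flows are all assumptions; the point is the rule ordering: worm-relevant ports are denied into the device and clinical zones and out of the compromised zone, unmapped hosts are dropped, and everything else is allowed so that EHR, lab and device feeds keep working.

```python
import ipaddress
from typing import NamedTuple, Optional

# Constructed zone layout; every address range is an assumption for this example.
ZONE_CIDRS = {
    "administrative": ["10.20.0.0/16"],
    "clinical": ["10.30.0.0/16"],        # EHR clients, lab and pharmacy workstations
    "medical_device": ["10.40.0.0/16"],  # monitors, infusion pumps, imaging
}
ZONE_NETS = {z: [ipaddress.ip_network(c) for c in cidrs] for z, cidrs in ZONE_CIDRS.items()}
LATERAL_PORTS = frozenset({135, 139, 445})  # SMB/RPC ports a worm uses to move host to host


def zone_of(ip: str) -> str:
    """Map an address to its zone name, or 'unknown' if it is not in any mapped range."""
    addr = ipaddress.ip_address(ip)
    for zone, nets in ZONE_NETS.items():
        if any(addr in net for net in nets):
            return zone
    return "unknown"


class Rule(NamedTuple):
    src_zone: str                 # zone name or "*"
    dst_zone: str                 # zone name or "*"
    ports: Optional[frozenset]    # None means any port
    action: str                   # "allow" or "deny"
    reason: str
    cross_zone_only: bool = False  # if True, rule ignores traffic that stays inside one zone


# Emergency rules, first match wins. The final rule allows everything that survived
# the denies, because patient-care traffic must keep flowing during the outbreak.
EMERGENCY_POLICY = [
    Rule("*", "medical_device", LATERAL_PORTS, "deny", "no SMB/RPC into medical device networks"),
    Rule("administrative", "*", LATERAL_PORTS, "deny", "compromised admin zone may not initiate SMB/RPC"),
    Rule("*", "clinical", LATERAL_PORTS, "deny", "no SMB/RPC crossing into clinical networks",
         cross_zone_only=True),
    Rule("unknown", "*", None, "deny", "unmapped source dropped until identified"),
    Rule("*", "unknown", None, "deny", "unmapped destination dropped until identified"),
    Rule("*", "*", None, "allow", "patient-care traffic permitted"),
]


def _matches(rule: Rule, src_zone: str, dst_zone: str, port: int) -> bool:
    if rule.src_zone not in ("*", src_zone):
        return False
    if rule.dst_zone not in ("*", dst_zone):
        return False
    if rule.cross_zone_only and src_zone == dst_zone:
        return False
    if rule.ports is not None and port not in rule.ports:
        return False
    return True


def evaluate(src: str, dst: str, port: int):
    """Return (action, reason) for a single flow under the emergency policy."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in EMERGENCY_POLICY:
        if _matches(rule, src_zone, dst_zone, port):
            return rule.action, rule.reason
    return "deny", "no rule matched"  # unreachable with the catch-all above, kept for safety


def summarize(flows):
    """Count how many constructed flows each rule reason would deny or allow."""
    counts = {}
    for src, dst, port in flows:
        action, reason = evaluate(src, dst, port)
        key = f"{action}: {reason}"
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed flows: (src, dst, port)
    sample = [
        ("10.20.5.17", "10.40.1.5", 445),    # admin workstation probing a patient monitor
        ("10.20.5.17", "10.30.2.1", 445),    # admin workstation probing a clinical workstation
        ("10.30.2.1", "10.20.1.10", 443),    # clinical client reaching the EHR web tier
        ("10.30.2.1", "10.40.1.5", 2575),    # clinical system talking HL7 to a device (assumed port)
        ("192.168.99.1", "10.30.2.1", 443),  # unmapped host
    ]
    for key, n in summarize(sample).items():
        print(f"{n:3d}  {key}")
```

The rule set is deliberately asymmetric: clinical systems may still use SMB among themselves and may still reach administrative servers on non-SMB ports, so the emergency department keeps its record access while the administrative zone, where the first infection landed, loses the ability to push the worm anywhere. That asymmetry is also the source of the Option A cons the page lists: administrative file sharing stops working until the outbreak is contained.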

Round 2: System Recovery & Healthcare Compliance (30-35 min)

Investigation Clues:

  • Clue 5 (Minute 30): If Option A (segmentation) was chosen: Dr. Williams reports that surgical teams cannot access patient imaging for ongoing procedures due to network isolation. “We need those systems reconnected for patient safety - but carefully.”
  • Clue 5 (Minute 30): If Option B (kill switch) was chosen: While encryption has stopped, infected systems still contain the worm and will reactivate if the kill switch domain becomes unavailable. Comprehensive patching is still required.
  • Clue 5 (Minute 30): If Option C (selective) was chosen: The worm has now spread to backup systems in administrative areas, and pharmacy systems are experiencing connectivity issues affecting medication dispensing.
  • Clue 6 (Minute 40): Hospital administration discovers that several patient care systems cannot be immediately patched due to FDA medical device regulations requiring validated software configurations. “We can’t just apply Windows patches to life-critical equipment - we need vendor approval and validation.”
  • Clue 7 (Minute 50): Chief Medical Officer Dr. Williams receives questions from the state health department about whether the hospital can safely continue operations or should divert ambulances to other facilities. “We need a clear answer about operational capability and patient safety.”
  • Clue 8 (Minute 55): Analysis reveals that hospital backup systems were not fully isolated and some may also be encrypted. The recovery strategy must account for potential backup compromise while maintaining regulatory compliance and patient safety.

Response Options:

  • Option A: Comprehensive Emergency Response - Activate hospital emergency operations center, coordinate with other regional hospitals for patient load sharing, implement full network remediation with vendor support for medical devices, engage regulatory authorities for compliance guidance.
    • Pros: Full incident response with proper healthcare coordination; ensures patient safety through regional cooperation; demonstrates responsible healthcare security practices.
    • Cons: Major operational disruption requiring emergency protocols; potential reputation impact from public incident disclosure; significant costs for emergency response and recovery.
    • Type Effectiveness: Super effective for Healthcare Worm Incidents - comprehensive response ensuring patient safety and regulatory compliance.
  • Option B: Staged Recovery with Patient Care Continuity - Maintain emergency patient care using manual paper-based procedures, implement phased network restoration starting with life-critical systems, coordinate vendor support for medical device security patching validation.
    • Pros: Balances patient care continuity with security recovery; minimizes patient impact through manual procedures; targeted approach to complex medical device challenges.
    • Cons: Extended recovery timeline for full system restoration; staff burden from manual procedures during flu surge; potential patient care quality impacts.
    • Type Effectiveness: Moderately effective - maintains patient safety while enabling gradual secure recovery.
  • Option C: Rapid Patch Deployment with Accepted Risk - Immediately deploy EternalBlue patches to all systems including medical devices, accept short-term FDA validation risks to prevent continued worm spread, implement enhanced monitoring to detect any device functionality issues.
    • Pros: Fastest path to closing vulnerability and preventing reinfection; demonstrates decisive security action; minimizes worm propagation window.
    • Cons: May violate FDA medical device requirements; potential device malfunction from unvalidated patching; regulatory and liability exposure.
    • Type Effectiveness: Effective against Worm propagation but creates significant regulatory and patient safety risks.

Round Transition Narrative

After Round 1 → Round 2:

The team’s initial response determines whether the hospital faces network isolation challenges (segmentation approach), kill switch dependency concerns (domain-based solution), or continued worm propagation (selective approach). Regardless of choice, the situation evolves when hospital administration realizes that medical devices cannot be quickly patched due to FDA regulatory requirements for validated software configurations. Chief Medical Officer Dr. Williams must answer the state health department’s question about whether Memorial Health System can safely continue patient care operations or should activate emergency diversion protocols. The team discovers that hospital backup systems may also be compromised, complicating recovery strategies. The incident now requires balancing immediate patient safety, regulatory compliance with FDA medical device requirements, regional healthcare coordination, and comprehensive network recovery - all during peak flu season when patient care cannot be interrupted.

Debrief Focus:

  • Recognition of worm propagation mechanics and rapid network spread
  • Balance between immediate containment and patient safety continuity
  • Healthcare-specific challenges including FDA medical device regulations
  • Kill switch discovery and implementation as emergency response technique
  • Importance of backup isolation in healthcare environments

Full Game Materials (120-140 min, 3 rounds)

Round 1: Initial Outbreak & Emergency Response (35-40 min)

Opening Scenario:

It’s Tuesday evening at Memorial Health System, and the 400-bed hospital is experiencing the worst flu season surge in five years. Every ICU bed is occupied, the emergency department has a three-hour wait time, and surgical teams are working through a backlog of postponed procedures. Nurses are caring for patients in hallway beds, and the entire facility is operating under surge capacity protocols.

In the IT department, Network Administrator Brian Martinez is monitoring evening system backups when his screen fills with alerts. “Thomas, we have a problem,” he calls to IT Director Thomas Anderson. “I’m seeing massive SMB traffic across the network - it looks like automated scanning on port 445 from dozens of internal addresses.”

Before Thomas can respond, Dr. Patricia Lee bursts into the IT office. “Our emergency department systems just went down. Patient records, lab results, medication orders - everything is showing ransom messages. We have critical patients arriving and cannot access their medical histories or allergy information. This is a patient safety emergency.”

Chief Medical Officer Dr. Susan Williams joins moments later, her phone ringing continuously. “State health is asking whether we can safely operate or need to divert ambulances. I need answers now - what are we dealing with, and how do we protect patient lives?”

Team Action: Each player takes 2 actions to investigate the incident using their role’s capabilities. The IM should track what the team discovers based on their investigation choices.

Investigation Discoveries (based on role and approach):

Detective-focused investigations:

  • Network forensics reveal WannaCry ransomware worm exploiting EternalBlue vulnerability (MS17-010) in unpatched Windows systems
  • File analysis shows systematic encryption of patient data, medical records, and clinical databases with military-grade encryption
  • Timeline reconstruction indicates initial infection from single administrative workstation, followed by rapid autonomous propagation
  • Malware analysis discovers embedded kill switch domain name that could halt encryption if properly activated

Protector-focused investigations:

  • Real-time monitoring shows worm spreading faster than manual containment efforts - hundreds of systems infected per hour
  • Critical system assessment reveals patient monitoring equipment, medical imaging, and pharmacy systems at imminent risk
  • Network architecture review shows incomplete segmentation between clinical and administrative systems due to operational convenience
  • Backup integrity assessment discovers some backup systems may already be compromised

Tracker-focused investigations:

  • Traffic analysis reveals automated SMB vulnerability exploitation creating network storm affecting hospital connectivity
  • Propagation mapping shows worm moving toward life-critical medical device networks in ICU and emergency department
  • External communication analysis indicates potential command-and-control connectivity attempts from infected systems
  • Network topology assessment reveals legacy Windows 7 systems on medical equipment cannot be easily patched or isolated

Communicator-focused investigations:

  • Medical staff interviews reveal immediate patient care impact: inability to access allergy information for trauma cases, missing lab results for treatment decisions
  • IT staff explain that Windows security patches were delayed on medical systems to avoid disrupting patient care and violating FDA device validation requirements
  • Hospital administration reveals network design compromises made for operational convenience between departments
  • State health department officials asking about hospital operational status and whether emergency patient diversion is necessary

NPC Interactions:

  • Dr. Susan Williams (CMO): Focuses relentlessly on patient safety. “Every minute without electronic medical records increases risk of medication errors and treatment delays. If we can’t access patient histories, should we activate emergency diversion protocols?”
  • Thomas Anderson (IT Director): Overwhelmed by worm propagation speed. “I’m watching systems fail faster than we can isolate them. This isn’t like traditional malware - it’s spreading autonomously through our network infrastructure.”
  • Dr. Patricia Lee (ED Director): Managing life-threatening patient situations without IT systems. “I have trauma patients with unknown medication allergies, cardiac cases without previous EKGs for comparison, and no lab connectivity. We need solutions immediately.”
  • Brian Martinez (Network Admin): Discovering root causes and vulnerabilities. “The hospital delayed Windows patches on medical device networks to maintain FDA validation. Those legacy systems are now the primary vulnerability enabling worm spread.”

Pressure Events:

  • Minute 10: Ambulance en route with critical stroke patient - ED needs immediate access to patient’s medication history to determine clot-busting therapy eligibility
  • Minute 20: Surgical team mid-procedure loses access to patient imaging system - must decide whether to continue surgery with incomplete information
  • Minute 30: ICU monitoring systems showing connectivity issues - patient safety alarms may not reach nursing stations
  • Minute 35: State health department demands status update on hospital operational capability and patient safety protocols

Round 1 Response Strategy:

Teams must develop initial response balancing immediate worm containment with patient safety continuity. Options might include emergency network segmentation, kill switch deployment, selective system isolation, or patient care prioritization. The team must decide whether to recommend emergency patient diversion protocols or maintain operations with manual backup procedures.

Facilitation Questions:

  • “How do you balance stopping worm propagation with maintaining life-critical patient care systems?”
  • “What is your recommendation to Dr. Williams about emergency department operational status?”
  • “How do you address the FDA medical device patching challenges while the worm is actively spreading?”

Victory Conditions:

  • Worm propagation contained before reaching all life-critical systems
  • Patient safety maintained through emergency protocols
  • Clear communication established with medical leadership about operational capability

Round 2: Medical Device Security & Recovery Planning (35-40 min)

Opening Scenario:

The team’s Round 1 response has created a new operational reality. If they chose network segmentation, hospital departments are now isolated from each other, creating care coordination challenges. If they deployed the kill switch, encryption has stopped but infected systems remain vulnerable. If they chose selective isolation, the worm continues spreading in administrative areas.

Dr. Williams convenes an emergency meeting. “We need to plan recovery while maintaining patient care. Biomedical Engineering just informed me that many of our medical devices cannot be patched without vendor validation - we’re talking ventilators, patient monitors, infusion pumps. How do we secure these systems against this worm?”

Investigation Clues:

  • Clue 1 (Minute 45): Biomedical Engineering reports that patient monitoring equipment runs on Windows 7 Embedded systems that cannot accept standard Windows patches without breaking FDA medical device certifications. “We need vendor-validated patches for each device type - that process normally takes weeks.”
  • Clue 2 (Minute 55): Hospital administration discovers that backup systems in administrative areas have also been encrypted by WannaCry. Recovery strategies must account for backup compromise while maintaining patient care operations.
  • Clue 3 (Minute 65): Chief Financial Officer reports that cyber insurance policy requires specific incident documentation and law enforcement notification. “We need forensic evidence of how the infection occurred and formal response documentation for insurance claims.”
  • Clue 4 (Minute 75): State health regulators contact the hospital regarding HIPAA breach assessment requirements. “You must determine within 60 days whether patient protected health information was accessed or exfiltrated during this ransomware incident.”

NPC Interactions:

  • Dr. Susan Williams: Concerned about extended recovery timeline. “We cannot operate indefinitely with manual paper procedures during flu season surge. When can we safely restore electronic health records and medical device connectivity?”
  • Thomas Anderson: Coordinating with medical device vendors. “Every manufacturer has different patching timelines and validation requirements. Some vendors want to send technicians on-site - that could take days or weeks across all our equipment.”
  • Brian Martinez: Analyzing backup integrity. “Some of our backup systems were connected to the network and also encrypted. We need to identify clean restore points that predate the initial infection.”
  • Hospital Legal Counsel: Concerned about regulatory compliance. “We need proper documentation for HIPAA breach assessment, insurance claims, and potential regulatory review. This incident response must be thoroughly documented.”

Pressure Events:

  • Minute 50: Major medical device vendor reports that patch validation for patient monitors will take 2-3 weeks - current manufacturer testing timeline
  • Minute 60: CFO indicates that without proper incident documentation, cyber insurance may not cover recovery costs and business interruption losses
  • Minute 70: State regulatory agency requests formal notification of cybersecurity incident impacting patient care operations
  • Minute 80: News media reports “Memorial Health System computer systems down due to cyberattack” - public relations crisis emerges

Round 2 Response Strategy:

Teams must develop comprehensive recovery strategy addressing medical device security validation, backup system restoration, regulatory compliance documentation, and public communication. They must balance immediate operational needs with proper incident response procedures and long-term security improvements.
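Brian Martinez's finding that network-attached backups were also encrypted, together with the Round 1 timeline reconstruction (initial infection on a single administrative workstation), can be turned into a concrete restore-point rule. The following is an added example, not part of the scenario guide: a snapshot qualifies only if it was taken before the first infection time minus a safety margin, its integrity was verified after the incident, and it sits on storage the worm could not reach. The catalog fields, systems and timestamps are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Snapshot:
    system: str
    taken: datetime
    storage: str    # "offline", "immutable" or "online-share"
    verified: bool  # post-incident integrity check passed


SAFETY_MARGIN = timedelta(hours=6)  # allows for uncertainty in the first-infection time
CLEAN_STORAGE = ("offline", "immutable")  # unreachable by an SMB-propagating worm


def is_clean_candidate(snap, first_infection, margin=SAFETY_MARGIN):
    """A backup is trustworthy only if it predates infection AND could not be touched."""
    return (snap.taken <= first_infection - margin
            and snap.verified
            and snap.storage in CLEAN_STORAGE)


def select_restore_points(catalog, first_infection, margin=SAFETY_MARGIN):
    """Return {system: newest clean snapshot, or None if none exists}.
    None is the finding to surface early: that system must be rebuilt, not restored."""
    chosen = {}
    for system in {s.system for s in catalog}:
        candidates = [s for s in catalog
                      if s.system == system and is_clean_candidate(s, first_infection, margin)]
        chosen[system] = max(candidates, key=lambda s: s.taken) if candidates else None
    return chosen


def data_loss_hours(chosen, first_infection):
    """Hours of records lost per system (time between restore point and infection)."""
    return {system: (first_infection - snap.taken).total_seconds() / 3600
            for system, snap in chosen.items() if snap is not None}


# Constructed catalog: infection traced to 09:10 on the 15th.
FIRST_INFECTION = datetime(2024, 1, 15, 9, 10)
CATALOG = [
    Snapshot("ehr-db", datetime(2024, 1, 14, 22, 0), "offline", True),
    Snapshot("ehr-db", datetime(2024, 1, 15, 2, 0), "online-share", True),   # reachable, encrypted
    Snapshot("ehr-db", datetime(2024, 1, 15, 8, 0), "offline", True),        # inside the margin
    Snapshot("pharmacy", datetime(2024, 1, 14, 23, 0), "online-share", True),  # no clean copy
    Snapshot("pacs", datetime(2024, 1, 13, 23, 0), "immutable", True),
    Snapshot("pacs", datetime(2024, 1, 14, 23, 0), "immutable", False),      # failed verification
]
```

Running `select_restore_points(CATALOG, FIRST_INFECTION)` shows the two questions the recovery plan must answer: which systems have no clean restore point at all, and how many hours of clinical data the chosen points give up.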

Facilitation Questions:

  • “How do you manage medical device security when vendor patching validation takes weeks?”
  • “What is your strategy for backup restoration given that some backup systems were also encrypted?”
  • “How do you balance rapid operational recovery with proper forensic documentation for regulatory and insurance requirements?”

Victory Conditions:

  • Medical device security strategy developed addressing FDA validation requirements
  • Backup restoration plan established with verified clean recovery points
  • Regulatory notification and documentation procedures initiated
  • Public communication strategy maintains patient and community confidence

Round 3: Long-term Recovery & Security Architecture (40-45 min)

Opening Scenario:

The hospital is now several days into the incident response. Emergency manual procedures are in place and some systems have been restored, but comprehensive recovery remains complex. Dr. Williams faces strategic decisions about network architecture redesign, security investment priorities, and operational procedure changes to prevent future incidents.

“This cannot happen again,” Dr. Williams states at a senior leadership meeting. “We need to understand how our network design and patching procedures enabled this worm to spread so rapidly. What systematic changes are needed to protect patient safety while maintaining operational efficiency?”

Investigation Clues:

  • Clue 1 (Minute 90): External cybersecurity consultants assess hospital network architecture and identify fundamental design flaws: inadequate segmentation between clinical and administrative systems, operational convenience prioritized over security controls, delayed patching procedures for medical devices.
  • Clue 2 (Minute 100): Healthcare Information Sharing and Analysis Center (H-ISAC) intelligence indicates WannaCry affected multiple healthcare organizations nationwide. Peer hospital experiences offer lessons about medical device patching, network segmentation, and backup isolation strategies.
  • Clue 3 (Minute 110): IT leadership proposes network redesign with proper clinical/administrative segmentation, enhanced medical device security zones, and isolated backup infrastructure. Implementation would require significant capital investment and temporary service disruptions.
  • Clue 4 (Minute 115): Hospital board raises questions about accountability, future prevention, and cost-benefit analysis of proposed security improvements versus operational priorities and patient care investment.

NPC Interactions:

  • Dr. Susan Williams: Balancing security investment with patient care resources. “We need better cybersecurity, but we also need new patient monitoring equipment, ICU expansion, and clinical staff. How do we prioritize limited capital budget?”
  • Thomas Anderson: Advocating for fundamental network architecture changes. “The root problem is network design that prioritized convenience over security. We need proper segmentation, isolated backup systems, and realistic medical device patching procedures.”
  • Hospital CFO: Concerned about security investment ROI. “The proposed network redesign costs $2 million. How do we justify that investment when it doesn’t directly improve patient care or generate revenue?”
  • Board Chair: Asking strategic questions. “What accountability exists for the delayed patching that enabled this incident? How do we ensure this doesn’t happen again? What is the total financial impact including recovery costs, business interruption, and reputation damage?”

Pressure Events:

  • Minute 95: Cyber insurance adjuster indicates that inadequate network segmentation and delayed patching may reduce claim payout due to “lack of reasonable security controls”
  • Minute 105: State health regulators schedule site visit to assess hospital cybersecurity program and compliance with healthcare cybersecurity best practices
  • Minute 110: Patient advocacy group raises concerns about patient data security and requests public accountability for security failures
  • Minute 120: Hospital medical staff requests formal review of how IT security decisions are made regarding medical device patching and network architecture

Round 3 Response Strategy:

Teams must develop comprehensive recommendations for network architecture redesign, medical device security procedures, backup isolation strategies, and organizational governance of cybersecurity decision-making. They must present cost-benefit analysis addressing both patient care priorities and security investment needs.

Facilitation Questions:

  • “How do you redesign hospital network architecture to prevent future worm propagation while maintaining medical device operational requirements?”
  • “What governance structure ensures that security decisions appropriately balance patient safety, operational efficiency, and cybersecurity protection?”
  • “How do you justify security investment to hospital leadership when resources are limited and patient care needs are immediate?”

Victory Conditions:

  • Comprehensive security architecture roadmap developed addressing network segmentation and medical device protection
  • Organizational governance framework established for cybersecurity decision-making
  • Cost-benefit analysis demonstrates security investment value for patient safety and regulatory compliance
  • Lessons learned documented for healthcare sector knowledge sharing

Advanced Challenge Materials (150-170 min, 3 rounds)

Complexity Additions for Advanced Teams

Red Herrings and Ambiguity:

  1. Legitimate System Updates: During the incident, Microsoft releases an emergency security bulletin about EternalBlue that coincidentally causes unrelated connectivity issues on some systems - teams must differentiate between worm impact and legitimate update problems.

  2. Insider Threat Suspicion: The initial infection point was an administrative workstation with delayed patching - security team suspects potential insider involvement or negligence requiring sensitive investigation during crisis response.

  3. Vendor Misinformation: Medical device vendors provide conflicting guidance about patching timelines and system validation requirements - teams must navigate contradictory vendor recommendations during time-critical decisions.

  4. Insurance Complexity: Cyber insurance policy has specific exclusions and requirements that weren’t clearly communicated - teams discover coverage limitations mid-incident requiring financial contingency planning.

Removed Resources (Test Knowledge Recall):

  • No access to external threat intelligence about WannaCry kill switch mechanism - teams must discover through malware analysis
  • No pre-existing incident response playbooks for ransomware in healthcare settings - teams develop procedures in real-time
  • Limited external cybersecurity consultant support - teams must rely on internal capabilities and peer hospital collaboration
  • No clear regulatory guidance on HIPAA breach assessment for ransomware - teams must interpret regulations under ambiguity

Enhanced Pressure:

  1. Media Escalation: Local news stations request interviews about hospital cybersecurity incident - public relations crisis management required alongside technical response.

  2. Patient Advocacy: Patient advocacy groups demand immediate disclosure of potential protected health information exposure - teams must manage external stakeholder communications during active investigation.

  3. Regulatory Scrutiny: State health department initiates formal investigation concurrent with incident response - teams must support regulatory review while managing recovery operations.

  4. Competitive Impact: Competing regional hospital publicly advertises their cybersecurity capabilities and patient safety protections - market competition pressure during crisis.

Advanced Facilitation Techniques:

Incident Evolution Based on Team Decisions:

  • If teams choose rapid patching without vendor validation: Introduce medical device malfunction requiring emergency procedure adjustment
  • If teams prioritize kill switch over comprehensive response: Kill switch domain becomes intermittently unavailable causing encryption to restart
  • If teams delay regulatory notification: Introduce compliance violation escalation requiring executive accountability
  • If teams inadequately document forensics: Insurance claim denied requiring alternate funding for recovery costs

Multi-stakeholder Perspectives:

  • Introduce conflicting priorities between medical leadership (patient care continuity), IT leadership (comprehensive security), hospital administration (cost containment), and legal counsel (liability management)
  • Require teams to navigate organizational politics while managing technical incident response
  • Create scenarios where optimal technical response conflicts with operational or financial constraints

Ethical Dilemmas:

  1. Ransom Payment Decision: Introduce scenario where ransom payment could restore systems faster than backup recovery during life-threatening patient surge - teams must debate ethical implications of funding criminal enterprise versus patient safety.

  2. Triage Decisions: Force teams to prioritize which medical systems to restore first when resources are limited - ICU monitoring versus emergency department records versus surgical imaging.

  3. Disclosure Timing: Create tension between immediate public disclosure for transparency versus delayed notification to avoid panic during flu surge when hospital capacity is critical.

Comprehensive Debrief Framework:

Technical Learning Objectives:

  • Worm propagation mechanics and autonomous spread characteristics
  • Kill switch discovery and implementation as emergency response technique
  • Network segmentation strategies for healthcare environments
  • Medical device cybersecurity challenges and FDA validation requirements

Operational Learning Objectives:

  • Balance between rapid incident response and patient safety continuity
  • Healthcare-specific constraints on security controls and patching procedures
  • Backup isolation importance and disaster recovery planning
  • Regulatory compliance requirements during cybersecurity incidents (HIPAA, FDA)

Strategic Learning Objectives:

  • Organizational governance for cybersecurity decision-making in healthcare
  • Cost-benefit analysis for security investment in resource-constrained environments
  • Stakeholder communication during crisis including patients, regulators, media, and board
  • Long-term security architecture planning balancing operational needs and protection

Behavioral Learning Objectives:

  • Crisis decision-making under ambiguity and time pressure
  • Cross-functional collaboration between clinical, IT, legal, and administrative teams
  • Ethical reasoning about competing priorities (patient safety, security, costs, transparency)
  • Leadership communication during high-stakes organizational crisis

Final Advanced Challenge Scenario Arc

The Perfect Storm:

Teams face simultaneous challenges requiring prioritization and trade-offs:

  • Active worm propagation threatening life-critical systems
  • Patient surge requiring maximum operational capacity
  • Regulatory investigation demanding accountability and documentation
  • Media crisis requiring public communication strategy
  • Financial constraints limiting response resources
  • Medical device patching complexities preventing rapid remediation
  • Backup compromise requiring creative recovery strategies
  • Organizational politics creating decision-making friction

Success requires:

  • Technical excellence in worm containment and system recovery
  • Operational wisdom in balancing patient safety with security response
  • Strategic thinking about long-term security architecture investment
  • Leadership capability in managing multiple stakeholder perspectives
  • Ethical reasoning about competing values and priorities