Large Group Facilitator Guide: WannaCry – Hospital Emergency

Quick Reference

  • Format: Multi-Team Coordination
  • Session length: 120 min + 25 min debrief
  • Teams: Alpha (Forensics) / Bravo (Network/Infrastructure) / Charlie (Business Impact)
  • Variants: US (Memorial Health System) / UK (Royal Hospital Manchester)
  • Expertise level: Beginner to intermediate (suitable as a first large group session)
  • Central dilemma: Isolate subnets and halt clinical systems, or maintain medical operations while the worm is still spreading – and this decision recurs every round
  • For format selection, IC briefing, and general facilitation mechanics, see the Large Group Facilitation Guide.

21 Artifacts at a Glance

No red herring in this scenario. The killswitch domain ($10 fix) is often underutilized in Round 2 – watch for teams that discover it but don’t act on it.

Tier | Team | Card | Key Content
R1 | Alpha | Initial Indicator 1: Ransomware Detonation Cluster – 87 Hosts | EDR mass alert; 87 hosts in 14 minutes; MHS-DC-01 encrypted; worm still spreading
R1 | Alpha | Initial Indicator 2: EternalBlue Exploit Traffic – SMBv1 | NURS-WS-022 identified as patient zero; SMBv1 exploit crossed subnet boundaries in 60 seconds
R1 | Bravo | Initial Indicator 1: Network-Wide SMBv1 Scan Traffic | 3 subnets with no SMB restrictions; medical device subnet now scanning; MHS-SW-CORE-01 can isolate
R1 | Bravo | Initial Indicator 2: Flat Network – Subnet Topology | 2019 EMR integration opened cross-subnet SMB path; Guest WiFi isolated and unaffected
R1 | Charlie | Initial Indicator 1: Clinical Systems Failure – Mass Impact | 3 surgeries without imaging; ICU 28 patients; pharmacy orders manual; ambulance diversion decision by 15:00 UTC
R1 | Charlie | Initial Indicator 2: Flu Season Context – Why Timing Is Catastrophic | $26,100 ransom; flu surge peak week; nearest hospital also at capacity; 3-day deadline
R2-3 | Alpha | Deep Analysis 1: Patient Zero – NURS-WS-022 Reconstruction | nurse.k victim not suspect; Windows 7 with internet-accessible SMBv1; MS17-010 entry point
R2-3 | Alpha | Deep Analysis 2: WannaCry Variant Analysis – Killswitch Status | Killswitch domain mhsinfra-update-cdn.net costs $10; C2 unreachable; payment mechanism broken
R2-3 | Alpha | Deep Analysis 3: Encrypted vs. Clean Host Inventory | MHS-BAK-01 clean; MHS-DC-01 encrypted; MHS-FS-002 survived because SMBv1 disabled 2023; tape backup from 02:00 UTC
R2-3 | Bravo | Deep Analysis 1: Killswitch Registration – Stop the Spread | Register domain immediately; DLY-WS-001 online with dialysis patient; worm scan rate 3,200/min
R2-3 | Bravo | Deep Analysis 2: Medical Device Infection Assessment | Dialysis workstations DLY-WS-003/004 offline and clean; ventilators/pumps protected by proprietary firmware; PACS vendor 48 hr
R2-3 | Bravo | Deep Analysis 3: Recovery Network Architecture Plan | 4-phase plan; critical path through MHS-DC-01 rebuild; core clinical systems by 21:30 UTC
R2-3 | Charlie | Deep Analysis 1: Financial Exposure – Insurance and Recovery Costs | Ransom $26,100 vs recovery ~$950K; forensic scope determines regulatory penalty range
R2-3 | Charlie | Deep Analysis 2: Compliance Breach Notification Analysis | WannaCry doesn’t exfiltrate – but OCR/ICO requires proof PHI not accessed; 12,000–18,000 patients
R2-3 | Charlie | Deep Analysis 3: Mutual Aid and Regional Coordination | Ambulance diversion at 14:45 UTC; 35 existing patients can’t transfer; portable EMR workstations offered
R4-5 | Alpha | Development 1: Backup Restoration Verified – Clean Baseline Confirmed | MHS-BAK-01 isolated at 14:31 UTC; DC rebuilt 17:45 UTC; 14-hour data gap in backup
R4-5 | Alpha | Development 2: MS17-010 Patch Deployment Status | 61 Windows 7 workstations patched overnight at 30 min each; DLY-WS-003/004 cannot be patched; SMBv1 disabled on all corporate hosts
R4-5 | Bravo | Development 1: Killswitch Registration Confirmed – Spread Stopped | Inbound TCP/445 rule added 15:35 UTC; 17 WannaCry B attempts stopped; external scanning continues
R4-5 | Bravo | Development 2: Long-Term Medical Device Network Redesign | 3 root causes all 9 years old; redesign $85,000; 6 weeks implementation; jump server with MFA
R4-5 | Charlie | Development 1: EMR Restored – Clinical Operations Resuming | 7 hours downtime; ambulance diversion lifted 21:30 UTC; paper downtime held 7 hours; 34/72 nursing workstations complete
R4-5 | Charlie | Development 2: Board Briefing – Causes, Costs, and Commitments | 2017 patch undeployed in 2026; 3 Board commitments; 15,000+ patient notifications; no patients harmed

Opening Delivery

This is Group A “Crisis Curve” – the attack announces itself in Round 1 and is still happening. The urgency is “it’s still happening” – unlike LockBit’s “it’s over” paralysis, WannaCry’s drama is active spread.

Brief the IC: same as all Multi-Team Coordination sessions – synthesize across teams, not the loudest voice.

WannaCry has region variants. The IM should confirm which region is in play before briefing – or run with a region that fits the group’s context.

“It is 14:37 UTC. Memorial Health System’s SIEM is showing mass EDR alerts. 87 hosts have reported ransomware activity in the last 14 minutes – and the alerts are still coming in. You are the incident response team. Turn over your cards.”

Critical note: Teams will want to know what the malware is in Round 1. That is correct. Do not rescue them. The investigation is the process. If a team asks “is this WannaCry?” – the answer is: “Your evidence will tell you. What do you have so far?”

Round-by-Round Facilitation Notes

Round 1 – Initial Indicators

Released: All 6 R1 cards at session open

Alpha discovers: Mass detonation still in progress; EternalBlue exploit crossing subnets; NURS-WS-022 as earliest detection

Bravo discovers: Flat network with no SMB restrictions; medical device subnet now scanning; MHS-SW-CORE-01 can isolate subnets

Charlie discovers: Clinical operations in immediate patient safety territory; ransom is $26,100 (almost irrelevant vs. recovery cost); nearest hospital at capacity

IC synthesis: Bravo knows which subnets are still propagating. Charlie doesn’t know which clinical systems are in those subnets. The isolation-vs-operations tension is the Round 1 dilemma – and it recurs.

IM navigation prompt: “Ask Bravo: what subnets are still actively propagating right now? Ask Charlie: which clinical systems are in those subnets?”

End-of-round check: Has the IC acknowledged the worm is still spreading? Has anyone mentioned the killswitch possibility?

Timing: 20–25 min

Round 2 – Deep Analysis, First Pass

Released: 3 cards per team at start of Round 2

Alpha discovers: Killswitch domain registration ($10, 5 minutes) stops new infections; nurse.k is victim not suspect; payment mechanism is broken

Bravo discovers: Killswitch registration: has anyone done it yet?; dialysis patient DLY-WS-001 online; 3,200 scan attempts/min

Charlie discovers: Recovery cost ~$950K vs. $26,100 ransom; but payment mechanism is broken; 12,000–18,000 patients may require notification

IC synthesis: Alpha has the killswitch fix. Bravo is managing a live patient risk (DLY-WS-001). The IC must push Alpha’s killswitch finding to action immediately, not defer to the briefing cycle.

IM navigation prompt: “Ask Alpha: is there anything in your analysis that requires immediate action right now, before the next briefing?”

Note: The killswitch fix ($10, 5 minutes, stops spread) is the most impactful quick win in any M&M session. Many groups discover it and don’t act on it. If it hasn’t been actioned by mid-Round 2, prompt: “You have a finding that could stop the spread. Is that action in progress?”

Timing: 25 min

Round 3 – Deep Analysis, Second Pass

No new artifacts – teams continue with R2-3 material.

Alpha finishes host inventory; confirms MHS-DC-01 encrypted (DC rebuild critical path). Bravo builds recovery architecture; confirms 4-phase plan. Charlie works regulatory notification requirements; OCR/ICO proof-of-no-exfiltration challenge.

IC synthesis: Paper downtime was activated around 14:40 UTC; recovery plan predicts core systems by 21:30 UTC – does that timeline fit the paper downtime ceiling?

IM navigation prompt if teams have finished their cards: “Bravo has a recovery plan. Charlie has a paper downtime ceiling. Ask the IC: does the recovery timeline fit?”

Timing: 20–25 min

Round 4 – Developments

Released: 2 cards per team at start of Round 4

Alpha: Backup verified clean; DC rebuilt 17:45 UTC; 14-hour data gap in backup

Bravo: Killswitch confirmed stopped spread; inbound 445 firewall rule finally added; long-term redesign plan

Charlie: EMR restored; ambulance diversion lifted 21:30 UTC; 7 hours paper downtime held

IC synthesis: What decisions led to the no-patient-harm outcome? What was closest to going wrong?

Timing: 20–25 min

Round 5 – Board Briefing (Optional if Time Allows)

Charlie: Board briefing preparation; 2017 patch still undeployed in 2026; 3 Board commitments. Bravo: Root cause analysis – 3 root causes all 9 years old. Alpha: Patch deployment complete; long-term medical device vulnerability remains.

Use Round 5 only if you have 180 min total; otherwise move to debrief after Round 4.

The Central Dilemma

Isolate subnets to stop the worm, or maintain clinical operations for the patients already inside – and this decision recurs every round.

Unlike LockBit (one-time board decision), WannaCry’s central dilemma is structural and repeating. The IC is the tiebreaker between Alpha/Bravo (isolate now) and Charlie (maintain care). The dilemma is never cleanly resolved because both sides are right.

Each round the isolation decision re-presents itself at a different layer:

  • Round 1: Isolate the clinical subnet? (Bravo wants to; Charlie points to 3 surgeries in progress)
  • Round 2: Register the killswitch? (Alpha/Bravo say yes; the dialysis patient is the constraint)
  • Round 3: Block SMB/445 at subnet boundaries? (This breaks the EMR integration – which is already down)
  • Round 4: Lift ambulance diversion? (34/72 nursing workstations complete – is that enough?)

The IC must answer each instance of the dilemma with available information, knowing the answer will be partially wrong.

The OCR compliance question: WannaCry encrypts data but doesn’t exfiltrate it. Does encryption-without-exfiltration trigger HIPAA breach notification? Charlie’s card provides OCR guidance – but the answer requires forensic proof of non-access, which creates a significant evidentiary burden.

Information Asymmetry Map

Alpha knows | Bravo knows | Charlie knows | IC must synthesize
NURS-WS-022 patient zero; EternalBlue entry; killswitch fix exists | Which subnets still propagating; medical device subnet active scanning; MHS-SW-CORE-01 can isolate | 3 surgeries in progress; clinical system names and locations | Bravo’s subnet propagation map + Charlie’s clinical system locations – which clinical systems are in the subnets still spreading?
MS17-010 is the vulnerability; MHS-FS-002 survived because SMBv1 was disabled | 2019 EMR integration opened the cross-subnet SMB path | Financial and regulatory exposure | The EMR integration (Charlie’s key system) is the reason the worm can cross subnets (Bravo’s finding)
Payment mechanism broken; killswitch stops new infections | DLY-WS-001 dialysis patient still online; 3,200 scan attempts/min | Ransom $26,100 is almost irrelevant vs. recovery cost; 3-day deadline meaningless | Killswitch action (Alpha) protects the dialysis patient (Bravo) – these two findings must connect

Common Failure Modes

1. Killswitch discovery without action

What it looks like: Alpha team identifies the killswitch domain in Round 2 and adds it to their briefing notes, but no one registers it before the Cross-Team Briefing.

IM response: “You have a finding that could stop the spread. Is that action in progress, or is it waiting for the IC decision?”

2. Bravo blocks SMB before checking clinical impact

What it looks like: Bravo wants to immediately block SMB/445 at all subnet boundaries; Charlie hasn’t been consulted about what breaks.

IM response: “Those devices have no patch path. What network-level control replaces host-level patching? And what does Charlie say breaks if you block SMB at the subnet boundary right now?”

3. IC makes isolation decision without knowing subnet-to-clinical-system mapping

What it looks like: IC approves subnet isolation, but nobody has checked which clinical systems are in the subnets being isolated.

IM response: “Before you authorize that isolation: does Charlie know which clinical systems are in the subnets Bravo is about to cut?”

4. Teams treat ransom payment as a real option

What it looks like: Charlie calculates $26,100 vs. recovery cost and recommends payment.

IM response: “Alpha has information about WannaCry’s payment mechanism. Has Charlie seen Alpha’s Round 2 card?”

5. Paper downtime ceiling missed

What it looks like: Teams reach Round 3-4 without anyone connecting the paper downtime activation time (~14:40 UTC) to the recovery timeline (core systems 21:30 UTC = 7 hours later).

IM response: “When was paper downtime activated? How long is it rated for? What does the recovery plan say about core systems?”

6. Charlie regulatory analysis paralysis

What it looks like: Charlie team spends Round 2-3 debating whether WannaCry encryption triggers notification obligations instead of progressing the investigation.

IM response: “The forensic answer to that question depends on evidence your team doesn’t have yet. What can you prepare to do in parallel while that question is still open?”

Discussion Prompts by Tier and Team

Initial Indicators – Round 1

ALPHA – Initial Indicator 1: Ransomware Detonation Cluster – 87 Hosts

  • 87 hosts in 14 minutes. What does that tell you about how the worm is moving – and what does it tell you about the network architecture that allowed it?
  • The same binary hash appears on every alert. What does that tell you about whether this is a coordinated operator deployment or autonomous worm behavior?
  • MHS-DC-01 (the domain controller) is encrypted. What does that mean for recovery operations that will come later?
  • What is the single most important action to take in the next five minutes – and who has the authority to authorize it?
  • The alerts started at 14:23 UTC. How much network access does the worm still have right now?

ALPHA – Initial Indicator 2: EternalBlue Exploit Traffic – SMBv1

  • The worm crossed from 10.1.10.0/24 to the admin network and medical device subnet in 60 seconds. What network controls would have stopped that?
  • NURS-WS-022 is identified as the first mover. How do you know it is patient zero and not just the earliest detection?
  • The exploit targets SMBv1, which is enabled by default on Windows 7. How many Windows 7 hosts are on the network – and how quickly can you find out?
  • Containment of the clinical subnet is already too late. What is the scope of isolation needed now?
  • The medical device subnet is now actively propagating. What devices are in that subnet, and does any of them support patient care right now?
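The two Alpha cards above ask the team to read the alert cluster (how fast, how many subnets, one binary or many) and then to separate “earliest detection” from “patient zero”. The following Python is an added worked example, not material from the facilitator guide or the scenario cards. Every log line in it is constructed: the host names and subnets echo the scenario, but the timestamps, the truncated hash value, and the external address 203.0.113.7 are invented, and the alert order is deliberately arranged so that the first EDR alert is not the entry host. The method is the point: an EDR alert timeline tells you detection order, while the first inbound TCP/445 connection to each infected host tells you who infected whom.

```python
# Added example (not from the facilitator guide): cluster EDR ransomware alerts
# and separate "earliest detection" from "patient zero" using TCP/445 records.
# All log lines are constructed; host names and subnets echo the scenario,
# the timestamps, hash and external address (203.0.113.7) are invented.
from datetime import datetime

# Constructed EDR alerts: "<UTC time> <host> <subnet> <binary hash (truncated)>"
EDR_ALERTS = """\
2026-02-10T14:22:58Z NURS-WS-017 10.1.10.0/24 ab12
2026-02-10T14:23:05Z NURS-WS-022 10.1.10.0/24 ab12
2026-02-10T14:23:40Z NURS-WS-031 10.1.10.0/24 ab12
2026-02-10T14:24:12Z ADM-WS-004 10.1.20.0/24 ab12
2026-02-10T14:24:20Z MHS-DC-01 10.1.20.0/24 ab12
2026-02-10T14:25:30Z MED-IMG-001 10.1.30.0/24 ab12
""".splitlines()

# Constructed TCP/445 connection records: "<UTC time> <source> <destination>"
SMB_CONNECTIONS = """\
2026-02-10T14:22:31Z 203.0.113.7 NURS-WS-022
2026-02-10T14:22:45Z NURS-WS-022 NURS-WS-017
2026-02-10T14:22:50Z NURS-WS-022 NURS-WS-031
2026-02-10T14:23:30Z NURS-WS-017 ADM-WS-004
2026-02-10T14:23:55Z ADM-WS-004 MHS-DC-01
2026-02-10T14:24:40Z ADM-WS-004 MED-IMG-001
""".splitlines()

TS = "%Y-%m-%dT%H:%M:%SZ"


def parse_alerts(lines):
    """Parse EDR alert lines into dicts, sorted by alert time."""
    alerts = []
    for line in lines:
        ts, host, subnet, digest = line.split()
        alerts.append({"time": datetime.strptime(ts, TS), "host": host,
                       "subnet": subnet, "hash": digest})
    return sorted(alerts, key=lambda a: a["time"])


def alert_summary(alerts):
    """Round 1 questions: how fast, how wide, one binary or many?"""
    span = (alerts[-1]["time"] - alerts[0]["time"]).total_seconds() / 60
    window = max(span, 1.0)  # avoid division by zero for a single alert
    return {
        "hosts": len({a["host"] for a in alerts}),
        "window_min": round(window, 1),
        "hosts_per_min": round(len(alerts) / window, 1),
        "single_hash": len({a["hash"] for a in alerts}) == 1,
        "subnets": sorted({a["subnet"] for a in alerts}),
        "earliest_detection": alerts[0]["host"],
    }


def parse_smb(lines):
    """Parse TCP/445 connection records into (time, src, dst), sorted by time."""
    records = []
    for line in lines:
        ts, src, dst = line.split()
        records.append((datetime.strptime(ts, TS), src, dst))
    return sorted(records)


def infer_patient_zero(alerts, smb):
    """Return (candidates, first_inbound).

    For every infected host, record the first inbound TCP/445 connection it
    received. A host whose first inbound connection came from something that
    is not an infected internal host (here: an external address reaching
    internet-exposed SMBv1) is a patient-zero candidate, regardless of where
    it sits in the EDR alert order.
    """
    infected = {a["host"] for a in alerts}
    first_inbound = {}
    for when, src, dst in smb:
        if dst in infected and dst not in first_inbound:
            first_inbound[dst] = (when, src)
    candidates = [h for h, (_, src) in first_inbound.items() if src not in infected]
    candidates += [h for h in infected if h not in first_inbound]  # no record at all
    return sorted(candidates), first_inbound


if __name__ == "__main__":
    alerts = parse_alerts(EDR_ALERTS)
    print(alert_summary(alerts))
    zero, chain = infer_patient_zero(alerts, parse_smb(SMB_CONNECTIONS))
    print("earliest detection:", alerts[0]["host"], "| patient zero candidates:", zero)
```

With the constructed data the earliest EDR alert is NURS-WS-017, yet the connection chain shows NURS-WS-022 was reached first from outside and then pushed the exploit to NURS-WS-017 and NURS-WS-031, so the two answers differ: that is exactly the distinction the Alpha prompt is asking the team to make, and the same join of alert timeline against 445 flow records is what Alpha would need from Bravo to answer it.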

BRAVO – Initial Indicator 1: Network-Wide SMBv1 Scan Traffic

  • Three networks with no SMB restrictions between them. Who made that configuration decision, and was the risk ever formally assessed?
  • The medical device subnet is now scanning. What specific devices are in 10.1.30.0/24, and are any of them directly connected to patients right now?
  • If you block SMB/445 at all subnet boundaries right now, what clinical systems break – and is that worse than what is happening now?
  • The 2019 EMR integration opened the SMB path. Is that integration still running on systems that are now encrypted?
  • MHS-SW-CORE-01 has the power to isolate subnets. Who needs to authorize that change, and can that person be reached in the next 60 seconds?

BRAVO – Initial Indicator 2: Flat Network – Subnet Topology

  • The 2019 network change opened the SMB path between subnets. Who owns the change management record for that, and was any risk review conducted?
  • Guest WiFi (10.1.40.0/24) is isolated and unaffected. What was different about that network’s design – and why wasn’t that approach used for medical devices?
  • Medical device hosts run vendor-locked OS with no patch available. If the worm reaches all of them, what is the recovery path for those devices?
  • The network admin is available right now. What authority does the network admin have to make network changes without additional approval?
  • Blocking SMB/445 at subnet boundaries would break the EMR integration. What is the clinical impact of that – and is there a clinical team lead who can authorize it?

CHARLIE – Initial Indicator 1: Clinical Systems Failure – Mass Impact

  • Three surgical procedures are underway without imaging access. What does that mean practically – and is there any way to get those surgeons partial imaging access without reconnecting compromised systems?
  • Paper downtime procedures are rated for 4–6 hours. It is 14:40 UTC. What does the recovery timeline need to look like for that to be sufficient?
  • The ICU has 28 patients and 6 on ventilators. Monitoring is active, but medication orders are manual. What could go wrong in the next two hours – and who is managing that risk?
  • Ambulance diversion is the next decision. What information does the CMO need from your team to make that call by 15:00 UTC?
  • Which department’s system failure is most likely to cause direct patient harm in the next hour, and does that change your team’s priority list?

CHARLIE – Initial Indicator 2: Flu Season Context – Why Timing Is Catastrophic

  • The ransom is $26,100. How do you explain to leadership why paying it is not the answer – and what evidence do you use?
  • The nearest alternative hospital is also at surge capacity. If you divert ambulances, where are they going, and what is the patient safety impact of the transfer distance?
  • The flu surge means this is the worst possible week for an outage. Does that context change any of your response decisions?
  • The ransom note says “3 days.” Does that deadline mean anything, given what your team knows about WannaCry’s payment mechanism?
  • If the CMO asks your team: “How long until we can accept new ambulances?” – what is your best estimate right now, and how confident are you in it?

Deep Analysis – Rounds 2-3

ALPHA – Deep Analysis 1: Patient Zero – NURS-WS-022 Reconstruction

  • nurse.k did nothing wrong. How does your team make sure that message is communicated clearly during and after the incident?
  • NURS-WS-022 had internet-accessible SMBv1 with no inbound firewall rule. How many other Windows 7 hosts in the hospital have the same exposure?
  • The patch for this vulnerability was published in March 2017. It is now 2026. Who is responsible for the patch not being applied – and is that question appropriate to raise today?
  • The attacker used a Tor exit node. What does that tell you about the likelihood of identifying who did this?
  • MS17-010 is the entry point. Is that the vulnerability that needs to be addressed before recovery, or is there a more urgent step first?

ALPHA – Deep Analysis 2: WannaCry Variant Analysis – Killswitch Status

  • Registering mhsinfra-update-cdn.net costs $10 and takes 5 minutes. Is there any reason not to do this right now?
  • The C2 server is unreachable. What does that mean for the possibility of any recovery through the attacker’s own decryption service?
  • WannaCry’s payment system was broken in the original 2017 variant. How do you explain this to leadership who may be looking at $26,100 versus $800,000 in recovery costs?
  • The variant has a modified killswitch domain. What does that suggest about who created this variant and why they changed it from the original?
  • Once the killswitch is registered, the worm stops spreading. How long does it take for that to take effect – and what happens to hosts that are currently mid-encryption?

ALPHA – Deep Analysis 3: Encrypted vs. Clean Host Inventory

  • MHS-BAK-01 is clean. How did it survive? Was it isolated intentionally, or did the worm simply not reach it in time?
  • MHS-DC-01 is encrypted. What are the specific recovery steps that cannot happen until the DC is rebuilt – and how long does that take?
  • MHS-FS-002 survived because SMBv1 was disabled in 2023. Who made that change, and why was it not applied to all servers at the same time?
  • 10 medical device hosts are clean because they were offline or proprietary. Are those devices back in use now – and if so, are they still isolated?
  • The backup is from 02:00 UTC this morning. Encryption began at 14:23 UTC. What is the data gap, and what patient records fall in that window?

BRAVO – Deep Analysis 1: Killswitch Registration – Stop the Spread

  • This action costs $10 and takes 5 minutes. Has it been done yet? If not, what is stopping it?
  • DLY-WS-001 is online with a patient on dialysis. If it gets encrypted mid-session, what happens to the patient?
  • Registering the killswitch stops new infections. How do you monitor that it is working after registration?
  • The worm is generating 3,200 scan attempts per minute. Registering the killswitch slows the spread but the exploit traffic continues. What does that mean for unpatched hosts after the killswitch is active?
  • Who on your team has a credit card and access to a registrar right now?
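The third and fourth Bravo prompts above (how do you monitor that the killswitch is working, and what happens to the exploit traffic afterwards) have a concrete answer in the logs. The Python below is an added worked example, not part of the facilitator guide or the Bravo card. It uses the scenario’s killswitch domain, but the registration time, the client hosts, every timestamp, and the sinkhole address 192.0.2.10 are constructed for illustration. It splits a monitoring window at the registration time and reports which hosts got NXDOMAIN before registration (the worm proceeded on those), which hosts resolved the domain afterwards (new executions that exited), and whether the TCP/445 scan rate actually falls, listing the already-infected hosts that keep scanning and therefore still need isolation or patching.

```python
# Added example (not from the facilitator guide): check that a registered
# killswitch domain is working, using constructed DNS and firewall log lines.
# The domain name is the scenario's; registration time, hosts, timestamps and
# the sinkhole address 192.0.2.10 are invented for illustration.
from datetime import datetime

KILLSWITCH = "mhsinfra-update-cdn.net"


def parse_time(s):
    """Same-day HH:MM:SS timestamps are enough for a single monitoring window."""
    return datetime.strptime(s, "%H:%M:%S")


REGISTERED_AT = parse_time("15:05:00")  # constructed registration time

# Constructed resolver log: "<time> <client host> <queried name> <answer>"
DNS_LOG = """\
15:01:10 NURS-WS-040 mhsinfra-update-cdn.net NXDOMAIN
15:03:22 ADM-WS-009 mhsinfra-update-cdn.net NXDOMAIN
15:06:05 DLY-WS-001 mhsinfra-update-cdn.net 192.0.2.10
15:07:48 NURS-WS-051 mhsinfra-update-cdn.net 192.0.2.10
15:09:30 ADM-WS-011 mhsinfra-update-cdn.net 192.0.2.10
""".splitlines()

# Constructed firewall log of TCP/445 SYNs crossing a subnet boundary:
# "<time> <source host> <destination IP>"
SYN_LOG = """\
15:00:15 NURS-WS-017 10.1.20.14
15:00:30 NURS-WS-017 10.1.20.15
15:01:05 NURS-WS-040 10.1.30.7
15:02:40 ADM-WS-009 10.1.10.33
15:03:10 NURS-WS-017 10.1.30.8
15:06:20 NURS-WS-017 10.1.30.9
15:08:45 NURS-WS-017 10.1.20.16
15:09:55 ADM-WS-009 10.1.10.34
""".splitlines()


def parse_dns(lines):
    out = []
    for line in lines:
        ts, host, name, answer = line.split()
        out.append((parse_time(ts), host, name, answer))
    return out


def parse_syns(lines):
    out = []
    for line in lines:
        ts, src, dst = line.split()
        out.append((parse_time(ts), src, dst))
    return out


def killswitch_report(dns, syns, registered_at, start, end):
    """Split [start, end) at registered_at and report what changed.

    nxdomain_before: hosts that checked the domain while it was unregistered
        (the worm continued on those hosts).
    resolved_after: hosts whose check resolved after registration (new
        executions that exited without encrypting).
    scan_per_min_*: TCP/445 scan rate before vs after registration.
    still_scanning: hosts still scanning after registration; they were already
        infected, so the killswitch does nothing for them.
    """
    nx_before = sorted({h for t, h, n, a in dns
                        if n == KILLSWITCH and a == "NXDOMAIN" and t < registered_at})
    resolved_after = sorted({h for t, h, n, a in dns
                             if n == KILLSWITCH and a != "NXDOMAIN" and t >= registered_at})
    before = [s for s in syns if start <= s[0] < registered_at]
    after = [s for s in syns if registered_at <= s[0] < end]
    before_min = (registered_at - start).total_seconds() / 60
    after_min = (end - registered_at).total_seconds() / 60
    return {
        "nxdomain_before": nx_before,
        "resolved_after": resolved_after,
        "scan_per_min_before": round(len(before) / before_min, 2),
        "scan_per_min_after": round(len(after) / after_min, 2),
        "still_scanning": sorted({src for _, src, _ in after}),
    }


if __name__ == "__main__":
    report = killswitch_report(parse_dns(DNS_LOG), parse_syns(SYN_LOG),
                               REGISTERED_AT, parse_time("15:00:00"),
                               parse_time("15:10:00"))
    for key, value in report.items():
        print(f"{key}: {value}")
```

In the constructed data DLY-WS-001 resolves the domain after registration and never appears in the scan log, which is the Alpha-to-Bravo connection the Information Asymmetry Map describes; NURS-WS-017 and ADM-WS-009, infected before registration, keep scanning, so the scan rate drops but does not reach zero. That residual traffic is the signal the fourth prompt is pointing at: the killswitch stops new executions, and only isolation or MS17-010 patching stops the hosts already running the worm.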

BRAVO – Deep Analysis 2: Medical Device Infection Assessment

  • The dialysis machine hardware is safe but the monitoring workstation is encrypted. How do clinical staff know what to do – and is the charge nurse aware of this right now?
  • DLY-WS-003 and DLY-WS-004 are clean because they were offline. Can they be brought back online safely now – and what would that involve?
  • Ventilators and infusion pumps use proprietary firmware with no SMBv1. What protected them – and does that teach us anything about how medical device procurement should work?
  • The PACS vendor needs 48 hours for on-site support, so imaging is down for at least 48 hours. What clinical workflows cannot continue without imaging?
  • BD Medical says 18-month lead time for OS recertification. How does the hospital plan to protect those dialysis workstations in the interim?

BRAVO – Deep Analysis 3: Recovery Network Architecture Plan

  • The critical path runs through MHS-DC-01 rebuild. Phase 3 and 4 cannot start until Phase 2 is done. How long does Phase 2 take, and who is doing it?
  • Phase 4 requires patching 72 workstations at 30 minutes each. Can multiple teams work in parallel – and is there staffing for that at 17:00 UTC?
  • All domain account passwords should be reset assuming compromise. How do clinical staff log in to restored systems while that process is ongoing?
  • Phase 1 step 2 (SMB block) will break the EMR integration. The EMR is already down. Is there any reason to delay this step?
  • The Phase 3 timeline predicts core clinical systems by 21:30 UTC. Paper downtime procedures are rated for 4–6 hours from activation (~14:40 UTC). Does the timeline fit?

CHARLIE – Deep Analysis 1: Financial Exposure – Insurance and Recovery Costs

  • The ransom is $26,100. Recovery costs are far higher. How do you frame that comparison for leadership who does not understand why you cannot just pay and decrypt?
  • The forensic investigation may determine whether a regulatory notification is required. What actions taken today could reduce the penalty range?
  • Leadership will ask how this was allowed to happen. What is the honest answer about the patch management and firewall failures?
  • The proposed long-term medical device network fix costs a fraction of total recovery cost. How do you make that investment case?

CHARLIE – Deep Analysis 2: Compliance Breach Notification Analysis

  • WannaCry does not exfiltrate data. But OCR requires proof that PHI was not accessed. How does your forensic team demonstrate the negative – and is that achievable?
  • Estimated affected patients: 12,000–18,000. What determines where in that range the final number lands, and does that number affect HIPAA obligations?
  • The 60-day clock starts at discovery. What date counts as discovery for HIPAA purposes – the incident, or when leadership was formally notified?
  • Media notification is required when more than 500 patients are affected. The estimate is 12,000–18,000. Is media notification a question of “if” or “when”?
  • OCR investigations can result in fines of $100,000–$1.9M. What factors drive that range, and which factors does the organisation control?

CHARLIE – Deep Analysis 3: Mutual Aid and Regional Coordination

  • Ambulance diversion activated – 22 minutes after detection began. Was that fast enough, and what determined the timing?
  • The 35 existing patients cannot be transferred. What does paper downtime look like for these patients under flu surge conditions, and how long can clinical staff sustain it?
  • The regional network offered portable EMR workstations. What can those workstations actually do – and are they useful for the current situation?
  • When should the CMO consider lifting ambulance diversion – and what system restoration milestone triggers that decision?

Developments – Rounds 4-5

ALPHA – Development 1: Backup Restoration Verified – Clean Baseline Confirmed

  • The backup was taken at 02:00 UTC. Everything entered between then and the 14:23 UTC encryption is missing from systems. How long will manual reconstruction take, and who is doing it?
  • MHS-BAK-01 was isolated at 14:31 UTC – nine minutes after detection. Was that a deliberate protective action, or did the worm simply not reach it in time?
  • The domain controller rebuilt at 17:45 UTC. That unlocks EMR restoration. What is the next dependency in the recovery chain after EMR comes online?
  • PACS archive is clean and accessible. When can imaging be restored – and what does “PACS archive accessible” mean for radiology operations right now?
  • The backup is 14 hours old. What is the risk of the backup itself containing pre-infected state – could the worm have been dormant on a backed-up host before activation?

ALPHA – Development 2: MS17-010 Patch Deployment Status

  • 61 Windows 7 workstations required patching at approximately 30 minutes each. How was that workload staffed overnight – and is that sustainable as a maintenance model?
  • DLY-WS-003 and DLY-WS-004 cannot be patched. What is the plan for operating those workstations safely until the vendor recertification is complete in 18+ months?
  • The medical device patch problem existed before this incident. Who was responsible for tracking that risk, and was it documented anywhere?
  • SMBv1 is now disabled on all corporate hosts. Does the 2019 EMR integration that required SMBv1 still work – and if not, what is the replacement?
  • If another WannaCry-type worm appears in six months, is the hospital now protected? What remaining vulnerabilities concern your team?

BRAVO – Development 1: Killswitch Registration Confirmed – Spread Stopped

  • The inbound TCP/445 firewall rule was added at 15:35 UTC. That rule should have existed since March 2017. Why didn’t it? Who is responsible for that gap?
  • External scanning continues at approximately 17 attempts per hour after the killswitch is registered. What does that volume tell you about how many other actors are targeting this vulnerability?
  • 17 WannaCry B execution attempts were stopped by the killswitch. Those were new attempts on not-yet-encrypted hosts. Were those the dialysis workstations that were still online?
  • The killswitch costs $12.99 per year to maintain. What happens to the domain registration if it lapses – and who is responsible for renewing it?
  • The killswitch stops this specific WannaCry variant. What about other EternalBlue-based malware that does not check for this domain?

BRAVO – Development 2: Long-Term Medical Device Network Redesign

  • Three root causes, all 9 years old. All three were present before the 2017 WannaCry attack. Was WannaCry 2017 reviewed at this organisation – and if so, why did none of these controls get added then?
  • The redesign costs $85,000. The incident cost far more. How do you present that comparison to the Board in a way that gets approval?
  • The 2019 EMR integration used SMB cross-network access. Disabling that path breaks the integration. What is the clinical impact of that, and is there an alternative integration architecture?
  • Six weeks of implementation time. Are medical devices safe to reconnect to any network during that period, or do they remain air-gapped?
  • After the redesign, medical devices will connect via a jump server with MFA. Who manages that jump server access – IT or Biomedical Engineering?

CHARLIE – Development 1: EMR Restored – Clinical Operations Resuming

  • 7 hours of core system downtime, no patients harmed. What specifically prevented patient harm – and which of those safeguards was luck versus design?
  • Ambulance diversion was lifted at 21:30 UTC. The emergency department is now accepting new patients into a partially restored environment (34 of 72 nursing workstations complete). Is that the right call?
  • Paper downtime procedures were rated for 4–6 hours and held for 7 hours. What would have happened at hour 8 or 9?
  • Medical device workstations are awaiting vendor service for 48 hours. What is the impact of running without MED-IMG-001 and MED-IMG-002 for two more days?
  • The after-action review will ask: “What went right?” What does your team identify as the two or three decisions that made the difference?

CHARLIE – Development 2: Board Briefing – Causes, Costs, and Commitments

  • The Board will ask: “Why was a 2017 patch still undeployed in 2026?” What is the honest answer – and who is accountable?
  • Three commitments are being requested from the Board. Are any of them likely to face resistance, and how does the team prepare to address it?
  • The breach notification process involves notifying potentially 15,000+ patients and likely the media. Who manages that communication – the General Counsel, the CMO, or the communications team?
  • The incident was contained and no patients were harmed. Does that outcome reduce the urgency of Board action, and is that a risk your team needs to manage?
  • After the Board briefing, what is the CISO’s most important next action – and what is the CMO’s?

Debrief Focus

1. “The worm was still spreading when you opened your first cards. When did the team actually stop it – and was that the earliest possible moment?”

Surfaces: the gap between discovery and containment action, and what slows down the first decisive response.

2. “The killswitch registration costs $10 and takes 5 minutes. If it was discovered in Round 2 but not actioned until Round 3 – what happened in that gap?”

Surfaces: the difference between knowing and acting; decision latency in incident response.

3. “The isolation decision presented itself in every round, and there was never a clean answer. How does your organization make a decision like that in practice – who has the authority, and what information do they need?”

Surfaces: the governance gap between technical recommendation and clinical authorization.

4. “WannaCry doesn’t exfiltrate data. But the HIPAA notification question required forensic proof of non-access. How realistic is that evidentiary standard in the immediate aftermath of a mass encryption event?”

Surfaces: the regulatory framework’s assumption that forensic investigation happens quickly.

5. “No patients were harmed. What specifically prevented patient harm – and which of those safeguards was design versus luck?”

Surfaces: the difference between a good outcome and a resilient system.