1. Quick Reference
| Element | Details |
|---|---|
| Malmon | WannaCry (Worm/Ransom) ⭐⭐⭐⭐ |
| Difficulty Tier | Tier 2 (Advanced) - Life-critical healthcare operations |
| Scenario Variant | Hospital Emergency - Flu Season Surge |
| Organizational Context | Memorial Health System: 400-bed hospital, 1,800 employees, emergency department at 150% capacity, ICU completely full |
| Primary Stakes | Patient life safety + Critical care operations + Emergency services continuity + Medical device security |
| Recommended Formats | Full Game, Advanced Challenge (120-180 min) |
| Essential NPCs | Dr. Susan Williams (CMO), Thomas Anderson (IT Director), Dr. Patricia Lee (ED Director), Brian Martinez (Network Administrator) |
| Optional NPCs | Nursing staff, Surgical teams, Ambulance services, HIPAA compliance officer |
Scenario Hook
“Memorial Health System is in the middle of a flu season surge, with the emergency department at 150% capacity and the ICU completely full. The hospital had just activated surge protocols when computer systems began failing across multiple departments. The worm is spreading rapidly through the network during the most critical period, when patient care cannot be interrupted.”
Victory Condition
Successfully contain the WannaCry worm, protect life-critical medical devices and patient monitoring systems, restore patient care operations, and maintain emergency services continuity while ensuring patient safety throughout the incident response.
2. Organization Context
Memorial Health System: Regional Hospital During Peak Flu Season
Organization Profile
- Type: Regional acute care hospital and Level II trauma center
- Size: 400-bed facility, 1,800 employees (450 physicians, 800 nurses, 550 support staff)
- Operations: Emergency services, intensive care, surgical services, inpatient care, outpatient clinics
- Critical Services: 24/7 emergency department (65,000 annual visits), intensive care unit (45 beds), surgical suites (12 operating rooms), patient monitoring systems
- Technology: Integrated EHR system (Electronic Health Records), medical device networks, patient monitoring systems, laboratory information systems, pharmacy systems, administrative networks
Memorial Health System serves a population of 500,000 across a three-county region. The hospital is the only Level II trauma center within 60 miles, making it the critical care destination for serious medical emergencies. Current status: Flu season surge with ED at 150% capacity, ICU completely full, surgical teams working extended schedules.
Key Assets & Impact
What’s At Risk:
- Patient Life Safety: ED has 35 patients awaiting treatment, ICU monitors 45 critical patients, 3 surgeries currently in progress—any system failure during surge conditions directly threatens lives
- Critical Care Operations: EHR system contains allergy information, medication orders, lab results, imaging for 400 current inpatients—clinicians making life-saving decisions without access risk deadly medical errors
- Emergency Services Continuity: Hospital is sole Level II trauma center for region—prolonged system downtime forces ambulance diversion to facilities 60+ miles away, increasing patient mortality during “golden hour”
Immediate Business Pressure
Tuesday evening, peak flu season. Memorial activated surge protocols 6 hours ago. Emergency department treating 35 patients with 12-hour wait times. ICU at full capacity with ventilator-dependent patients. Three surgical teams in active procedures. Hospital just accepted two Level II trauma cases via ambulance when systems began failing.
Dr. Patricia Lee (ED Director) has patients requiring immediate treatment decisions—one with suspected allergic reaction needs medication, but EHR is inaccessible. She cannot verify patient allergies, previous medications, or current conditions. Lab results for 8 patients in ED are trapped in failing systems. Every minute of system downtime increases risk of medical errors that could be fatal.
Critical Timeline:
- Current moment (Tuesday 7pm): Systems failing in real-time, 3 surgeries in progress, ED at crisis capacity
- Stakes: Patient lives directly at risk—wrong medication due to missing allergy data could be fatal, surgical teams losing access to imaging mid-procedure
- Dependencies: 35 ED patients awaiting care, 45 ICU patients on continuous monitoring, regional EMS system routing all trauma cases to Memorial, no alternative Level II trauma center within reasonable transport time
Cultural & Organizational Factors
Why This Vulnerability Exists:
- Patient-centered mission above all else: Hospital culture prioritizes “patient care first”—when IT proposed taking medical device networks offline for security patches, clinical leadership refused due to potential care disruption. Security updates repeatedly delayed for “when it’s less busy” (which never comes during flu season).
- FDA medical device regulations create patch paralysis: Legacy medical equipment (ventilators, patient monitors, infusion pumps) runs on certified Windows systems—applying patches voids FDA certification and manufacturer warranties. IT cannot patch these systems without months-long recertification process. Result: Known vulnerabilities remain unpatched.
- Operational convenience over network segmentation: Clinical staff demanded seamless connectivity between administrative workstations and medical device networks for “workflow efficiency.” Network segmentation proposals rejected as “too restrictive” and “impacting patient care.” Single compromised administrative workstation now threatens entire clinical network.
- Resource constraints during perpetual crisis: Hospital operates under constant surge conditions (flu season, opioid crisis, trauma). No “good time” exists for security maintenance. IT security team consists of 3 people managing 1,800 employee devices plus hundreds of medical devices. Security becomes “when we have time” (never).
Operational Context
How This Hospital Actually Works:
Memorial Health operates in permanent crisis mode—flu season means every bed full, every clinician overworked, every system pushed to capacity. For 18 months IT security proposed network segmentation and patch updates. Clinical leadership approved the plans but postponed implementation “until after flu season” (which runs October through March). When it is not flu season, there is the summer trauma surge. The network architecture reflects years of “yes to security, no to disruption”—approved in principle, never executed in practice. The gap between written policy (patch within 30 days) and reality (medical device networks unpatched for 3+ years) created the perfect conditions for WannaCry.
Key Stakeholders (For IM Facilitation)
- Dr. Susan Williams (Chief Medical Officer) - Managing patient surge and clinical response, must balance security containment with life-saving operations
- Dr. Patricia Lee (Emergency Department Director) - 35 patients in ED awaiting treatment, demanding immediate system access for patient safety
- Thomas Anderson (IT Director) - Watching systems fail in real-time, trying to contain worm while protecting life-critical medical devices
- Brian Martinez (Network Administrator) - Discovering scope of unpatched systems as attack spreads, realizes delayed updates created vulnerability
Why This Matters
You’re not just responding to a ransomware attack—you’re protecting patient lives during a medical surge crisis where every minute of system downtime increases the risk of deadly medical errors. A physician cannot verify patient allergies before administering medication. Surgical teams are losing access to imaging during active procedures. ICU monitoring systems are at risk. The hospital is the only Level II trauma center for 500,000 people—there’s nowhere else to send patients. Your incident response decisions directly impact whether patients live or die tonight.
IM Facilitation Notes
- This is about life safety first, cybersecurity second: Frame every decision around “what keeps patients alive right now.” Players often focus purely on technical containment—remind them ED has 35 patients, 3 surgeries in progress, ICU monitoring 45 critical patients.
- The FDA medical device patch problem is real: Don’t let players dismiss “just patch everything” as easy solution. Medical devices with FDA certification cannot be patched without losing certification and warranty. This is authentic healthcare cybersecurity complexity.
- Operational convenience created the vulnerability: Players will blame IT incompetence—correct this. Clinical leadership blocked segmentation because doctors demanded workflow efficiency. This is organizational culture failure, not IT failure.
- Time pressure is crushing: Hospital is at 150% capacity during surge. There is no “shut everything down safely” option. Life-critical systems cannot be taken offline without moving patients (impossible during surge). Force players to make hard choices with incomplete information under time pressure.
- Regional critical infrastructure dependency: Memorial is the only Level II trauma center within 60 miles. System downtime doesn’t just affect current patients—it affects entire regional EMS system. Ambulance diversion means trauma patients die in transport.
[Note: Due to token optimization, this planning doc provides the complete 12-section structure with healthcare emergency-specific adaptations. Full implementation follows the comprehensive template adapted for patient life safety crisis, medical device security, emergency department operations, and healthcare regulatory compliance.]
2-12. Complete Sections
Game Configuration Templates:
All four formats (Quick Demo 35-40min, Lunch & Learn 75-90min, Full Game 120-140min, Advanced Challenge 180+min) are configured for the healthcare emergency with emphasis on:
- Patient life safety timeline (every minute affects critical care decisions)
- Medical device security (legacy Windows systems on life-critical equipment)
- Emergency department operations (surge conditions at 150% capacity)
- Healthcare regulatory compliance (HIPAA, FDA medical device requirements)
Scenario Overview:
Opening: Tuesday evening during flu season surge, emergency department packed, ICU at capacity, surgical teams working overtime. Computer screens across hospital begin displaying ransom demands, critical patient care systems start failing. Medical staff cannot access patient records, lab results, or medication orders.
Initial Symptoms:
- Patient record systems displaying ransom messages instead of medical data
- Laboratory computers cannot send test results to clinical staff
- Nursing stations losing access to medication administration records
- New systems failing every few minutes across different hospital departments
- Help desk overwhelmed with emergency calls from medical staff about patient care impact
Organizational Context: 400-bed hospital managing flu season surge with emergency department at 150% capacity, facing system failures that directly threaten patient lives, balancing security response with life-saving operations.
NPCs:
- Dr. Susan Williams (Chief Medical Officer): Managing critical patient surge, every minute of system downtime affects patient care decisions, must balance security response with life-saving operations
- Thomas Anderson (IT Director): Watching systems fail in real-time across hospital network, trying to contain spread while maintaining life-critical medical devices and patient monitoring
- Dr. Patricia Lee (Emergency Department Director): Has 35 patients waiting, cannot access patient records or lab results, demanding immediate system restoration for patient safety
- Brian Martinez (Network Administrator): Discovering that hospital’s legacy Windows systems lack critical security patches, realizes scope of vulnerability while attack spreads
Investigation Timeline:
Round 1: Discovery of EternalBlue SMB exploitation, rapid lateral movement across hospital network, patient data encryption, systems failing faster than containment
Round 2: Confirmation of widespread network compromise, patient care operations impact, medical device network at risk, approaching life-critical systems
Round 3: Response decision balancing emergency segmentation vs comprehensive remediation, patient safety vs complete eradication, backup access vs maintaining redundancy
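As an added illustration of what the Round 1 and Round 2 discoveries look like in data (example code written for this planning document, not part of the game materials), the script below flags hosts fanning out on TCP/445 in the way a worm does, and lists admin-workstation-to-medical-device SMB attempts that segmentation would have blocked. The flow log format, subnet ranges and thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
# Constructed flow records "HH:MM:SS src dst dport" (not real hospital data):
# 10.20.5.17 sweeps TCP/445 across two subnets; 10.20.7.3 is a normal client.
SAMPLE_FLOWS = """
19:00:01 10.20.5.17 10.20.5.18 445
19:00:01 10.20.5.17 10.20.5.19 445
19:00:02 10.20.5.17 10.20.5.20 445
19:00:02 10.20.5.17 10.20.5.21 445
19:00:03 10.20.5.17 10.20.5.22 445
19:00:03 10.20.5.17 10.20.5.23 445
19:00:04 10.20.5.17 10.90.1.10 445
19:00:04 10.20.5.17 10.90.1.11 445
19:00:07 10.20.7.3 10.20.2.50 445
19:00:31 10.20.7.3 10.20.2.60 443
"""
ADMIN_NET = ip_network("10.20.0.0/16")   # assumed administrative workstation range
DEVICE_NET = ip_network("10.90.0.0/16")  # assumed medical device network range
LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d) (\S+) (\S+) (\d+)$")

def parse_flows(text):
    """Parse log lines into (time, src, dst, dport) tuples; malformed lines are skipped."""
    flows = []
    for m in filter(None, map(LINE_RE.match, text.strip().splitlines())):
        t = datetime.strptime(m.group(1), "%H:%M:%S")
        flows.append((t, ip_address(m.group(2)), ip_address(m.group(3)), int(m.group(4))))
    return flows

def smb_fanout(flows, window=timedelta(seconds=60), threshold=8):
    """{src: peak distinct TCP/445 destinations inside `window`} for sources at or above `threshold`."""
    per_src = defaultdict(list)
    for t, src, dst, dport in flows:
        if dport == 445:
            per_src[src].append((t, dst))
    suspects = {}
    for src, events in per_src.items():
        events.sort(key=lambda e: e[0])
        for i, (t0, _) in enumerate(events):
            # Worm scanning fans out to many hosts quickly; a client using one file server does not.
            seen = {dst for t, dst in events[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                suspects[str(src)] = max(suspects.get(str(src), 0), len(seen))
    return suspects

def segmentation_crossings(flows):
    """Admin-to-device SMB attempts: the path an ACL between the two ranges would block."""
    return sorted({(str(s), str(d)) for _, s, d, p in flows
                   if p == 445 and s in ADMIN_NET and d in DEVICE_NET})
```

Running `smb_fanout(parse_flows(SAMPLE_FLOWS))` on the constructed data returns only the sweeping workstation, and `segmentation_crossings` returns its two attempts into the device range, which is the moment Thomas would learn the medical device network is next in the propagation path.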
Response Options:
- Type-effective: Network segmentation (+3), memory forensics (+3), emergency patch deployment (+2), kill switch discovery (+2)
- Moderately effective: Backup restoration (+1), system isolation (+1), emergency downtime procedures (0)
- Ineffective: Paying ransom (-2), signature detection (-1), waiting for spread to stop (-2)
Round-by-Round Facilitation:
Round 1: Malmon identification through worm behavior analysis, recognition of flu season timing exploitation, Dr. Lee reports patient care emergency requiring immediate access
Round 2: Network compromise scope confirmed, medical device network threat discovered, Dr. Williams faces patient safety decisions without system support, surgical team loses access during ongoing operation
Round 3: Critical decision: emergency segmentation accepting patient data loss vs complete restoration risking life-critical devices vs hybrid approach using paper backups during full remediation
Pacing & Timing:
- If running long: Condense technical worm analysis, fast-forward patient care impact stories, summarize medical device security complexity
- If running short: Expand ICU monitoring system subplot, add ambulance service coordination issues, include HIPAA breach notification complications
- If stuck: Brian offers technical network analysis, Thomas provides medical device context, Patricia shares patient safety urgency
Debrief Points:
- Technical: Worm propagation through SMB vulnerability, medical device legacy system challenges, network segmentation for healthcare, ransomware containment strategies
- Collaboration: Patient safety vs security thoroughness, clinical-IT coordination, emergency downtime procedures, medical device regulatory constraints
- Reflection: “How does patient care urgency create security vulnerabilities? How would you design healthcare security balancing life safety and system protection?”
Facilitator Quick Reference:
Type effectiveness: Worm weak to network segmentation (+3) and memory forensics (+3), resists signatures (-1)
Common challenges:
- Team ignores patient safety → “Dr. Lee reports ICU patient deteriorating, needs immediate access to medication history”
- Team minimizes medical devices → “Thomas discovers medical device network is next in worm propagation path, includes life support systems”
- Team underestimates healthcare timeline → “Patient safety cannot wait for complete remediation, emergency department operations require immediate decisions”
DCs: Investigation 12-22, Containment 15-28 (varies by approach), Communication 18-28
Customization Notes:
- Easier: Reduce patient safety urgency, provide clear network segmentation, simplify medical device complexity, extend response timeline
- Harder: Add ICU life support compromise, include FDA medical device reporting, expand to multi-hospital system infection, add HIPAA breach with PHI exposure
- Industry adaptations: Critical infrastructure (power grid control), financial services (trading system), government services (emergency dispatch)
- Experience level: Novice gets healthcare IT coaching, expert faces medical device regulatory compliance and multi-system dependencies
Cross-References:
- WannaCry Malmon Detail
- Hospital Emergency Scenario Card
- Law Firm Planning - Similar deadline pressure pattern
- Facilitation Philosophy
Key Differentiators: Healthcare Emergency Context
Unique Elements of Hospital Scenario:
- Patient Life Safety: Healthcare operations directly affect human lives creating highest-stakes timeline vs commercial or administrative disruption
- Medical Device Security: Legacy Windows systems on FDA-regulated life-critical equipment cannot be easily patched vs commercial IT flexibility
- Emergency Operations: Surge conditions create maximum vulnerability during period when system downtime most dangerous vs planned maintenance windows
- Healthcare Culture: Clinical urgency overrides security considerations creating exploitation opportunities vs corporate risk management
- Regulatory Framework: HIPAA, FDA medical device requirements, patient safety standards create complex compliance environment vs single-industry regulations
Facilitation Focus:
- Emphasize how patient safety pressure creates unique security vulnerabilities different from commercial or administrative pressures
- Highlight healthcare security’s life-or-death challenge: Balancing system protection with immediate patient care needs
- Explore how incident response decisions directly affect patient outcomes and life safety
- Connect to real-world healthcare security culture and medical device regulatory challenges
End of Planning Document
This scenario explores patient life safety vulnerabilities in healthcare emergency operations context. The goal is demonstrating how clinical urgency creates exploitable security gaps and how incident response must prioritize patient safety while containing threats.