WannaCry Hospital Emergency Planning

WannaCry - Memorial Health System Emergency

1. Quick Reference

Malmon: WannaCry (Worm/Ransom) ⭐⭐⭐⭐
Difficulty Tier: Tier 2 (Advanced) - Life-critical healthcare operations
Scenario Variant: Hospital Emergency - Flu Season Surge
Organizational Context: Memorial Health System: 400-bed hospital, 1,800 employees, emergency department at 150% capacity, ICU completely full
Primary Stakes: Patient life safety + Critical care operations + Emergency services continuity + Medical device security
Recommended Formats: Full Game, Advanced Challenge (120-180 min)
Essential NPCs: Dr. Susan Williams (CMO), Thomas Anderson (IT Director), Dr. Patricia Lee (ED Director), Brian Martinez (Network Administrator)
Optional NPCs: Nursing staff, Surgical teams, Ambulance services, HIPAA compliance officer

Scenario Hook

“Memorial Health System is in the middle of flu season surge, with the emergency department at 150% capacity and ICU completely full. The hospital just activated surge protocols when computer systems began failing across multiple departments. The worm is spreading rapidly through the network during the most critical period when patient care cannot be interrupted.”

Victory Condition

Successfully contain WannaCry worm, protect life-critical medical devices and patient monitoring systems, restore patient care operations, and maintain emergency services continuity while ensuring patient safety throughout incident response.


[Note: Due to token optimization, this planning doc provides the complete 12-section structure with healthcare emergency-specific adaptations. Full implementation follows the comprehensive template adapted for patient life safety crisis, medical device security, emergency department operations, and healthcare regulatory compliance.]

2-12. Complete Sections

Game Configuration Templates:

All four formats (Quick Demo 35-40min, Lunch & Learn 75-90min, Full Game 120-140min, Advanced Challenge 180+min) configured for healthcare emergency with emphasis on:

  • Patient life safety timeline (every minute affects critical care decisions)
  • Medical device security (legacy Windows systems on life-critical equipment)
  • Emergency department operations (surge conditions with 150% capacity)
  • Healthcare regulatory compliance (HIPAA, FDA medical device requirements)

Scenario Overview:

Opening: Tuesday evening during flu season surge, emergency department packed, ICU at capacity, surgical teams working overtime. Computer screens across the hospital begin displaying ransom demands, and critical patient care systems start failing. Medical staff cannot access patient records, lab results, or medication orders.

Initial Symptoms:

  • Patient record systems displaying ransom messages instead of medical data
  • Laboratory computers cannot send test results to clinical staff
  • Nursing stations losing access to medication administration records
  • New systems failing every few minutes across different hospital departments
  • Help desk overwhelmed with medical staff emergency calls about patient care impact

Organizational Context: 400-bed hospital managing flu season surge with emergency department at 150% capacity, facing system failures that directly threaten patient lives, balancing security response with life-saving operations.

NPCs:

  • Dr. Susan Williams (Chief Medical Officer): Managing critical patient surge, every minute of system downtime affects patient care decisions, must balance security response with life-saving operations
  • Thomas Anderson (IT Director): Watching systems fail in real-time across hospital network, trying to contain spread while maintaining life-critical medical devices and patient monitoring
  • Dr. Patricia Lee (Emergency Department Director): Has 35 patients waiting, cannot access patient records or lab results, demanding immediate system restoration for patient safety
  • Brian Martinez (Network Administrator): Discovering that hospital’s legacy Windows systems lack critical security patches, realizes scope of vulnerability while attack spreads

Investigation Timeline:

Round 1: Discovery of EternalBlue SMB exploitation, rapid lateral movement across hospital network, patient data encryption, systems failing faster than containment

Round 2: Confirmation of widespread network compromise, patient care operations impact, medical device network at risk, approaching life-critical systems

Round 3: Response decision balancing emergency segmentation vs comprehensive remediation, patient safety vs complete eradication, backup access vs maintaining redundancy

Response Options:

Type-effective: Network segmentation (+3), memory forensics (+3), emergency patch deployment (+2), kill switch discovery (+2)

Moderately effective: Backup restoration (+1), system isolation (+1), emergency downtime procedures (0)

Ineffective: Paying ransom (-2), signature detection (-1), waiting for spread to stop (-2)
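To make the top-rated "network segmentation" option concrete for facilitators, here is an added example (not part of the original planning document) that runs over a constructed flow log: it flags a workstation opening SMB (TCP/445) to many peers within a minute, the lateral-movement pattern the scenario describes, and lists which of those flows a clinical-to-medical-device VLAN deny rule would have stopped. The VLAN ranges and hosts are assumptions for illustration.

```python
from collections import deque
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed flow log (timestamp src dst dst_port); not from any real hospital network.
SAMPLE_FLOWS = """\
2025-01-14T18:02:01 10.20.5.17 10.20.5.30 445
2025-01-14T18:02:02 10.20.5.17 10.20.5.31 445
2025-01-14T18:02:02 10.20.5.17 10.20.5.32 445
2025-01-14T18:02:03 10.20.5.17 10.20.5.33 445
2025-01-14T18:02:04 10.20.5.17 10.20.5.34 445
2025-01-14T18:02:05 10.20.5.17 10.30.1.10 445
2025-01-14T18:02:06 10.20.5.40 10.20.9.5 443
2025-01-14T18:02:40 10.20.5.40 10.20.9.7 445
"""

CLINICAL_NET = ip_network("10.20.5.0/24")  # assumed clinical workstation VLAN
DEVICE_NET = ip_network("10.30.1.0/24")    # assumed medical-device VLAN

def parse_flows(text):
    """Parse the four-column flow log into (datetime, src, dst, port) tuples, sorted by time."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, port = line.split()
        flows.append((datetime.fromisoformat(ts), ip_address(src), ip_address(dst), int(port)))
    return sorted(flows, key=lambda f: f[0])

def smb_fanout(flows, window_seconds=60, threshold=5):
    """Return {src: peak distinct TCP/445 destinations seen within any window} for sources at or
    over the threshold. One host opening SMB to many peers in a minute is worm scanning, not normal use."""
    recent, peak = {}, {}
    for ts, src, dst, port in flows:
        if port != 445:
            continue
        q = recent.setdefault(src, deque())
        q.append((ts, dst))
        while (ts - q[0][0]).total_seconds() > window_seconds:  # drop events outside the window
            q.popleft()
        peak[src] = max(peak.get(src, 0), len({d for _, d in q}))
    return {str(s): n for s, n in peak.items() if n >= threshold}

def segmentation_blocks(flows):
    """Flows that a deny rule (clinical VLAN -> device VLAN, TCP/445) would have stopped."""
    return [(str(src), str(dst)) for _, src, dst, port in flows
            if port == 445 and src in CLINICAL_NET and dst in DEVICE_NET]
```

With the sample log, only 10.20.5.17 trips the fan-out rule, and its single hop toward the device VLAN is the flow the segmentation rule blocks; the file-server access from 10.20.5.40 stays below threshold.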

Round-by-Round Facilitation:

Round 1: Malmon identification through worm behavior analysis, recognition of flu season timing exploitation, Dr. Lee reports patient care emergency requiring immediate access

Round 2: Network compromise scope confirmed, medical device network threat discovered, Dr. Williams faces patient safety decisions without system support, surgical team loses access during ongoing operation

Round 3: Critical decision: emergency segmentation accepting patient data loss vs complete restoration risking life-critical devices vs hybrid approach using paper backups during full remediation

Pacing & Timing:

If running long: Condense technical worm analysis, fast-forward patient care impact stories, summarize medical device security complexity

If running short: Expand ICU monitoring system subplot, add ambulance service coordination issues, include HIPAA breach notification complications

If stuck: Brian offers technical network analysis, Thomas provides medical device context, Patricia shares patient safety urgency

Debrief Points:

Technical: Worm propagation through SMB vulnerability, medical device legacy system challenges, network segmentation for healthcare, ransomware containment strategies

Collaboration: Patient safety vs security thoroughness, clinical-IT coordination, emergency downtime procedures, medical device regulatory constraints

Reflection: “How does patient care urgency create security vulnerabilities? How would you design healthcare security balancing life safety and system protection?”

Facilitator Quick Reference:

Type effectiveness: Worm weak to network segmentation (+3) and memory forensics (+3), resists signatures (-1)

Common challenges:

  • Team ignores patient safety → “Dr. Lee reports ICU patient deteriorating, needs immediate access to medication history”
  • Team minimizes medical devices → “Thomas discovers medical device network is next in worm propagation path, includes life support systems”
  • Team underestimates healthcare timeline → “Patient safety cannot wait for complete remediation, emergency department operations require immediate decisions”

DCs: Investigation 12-22, Containment 15-28 (varies by approach), Communication 18-28

Customization Notes:

Easier: Reduce patient safety urgency, provide clear network segmentation, simplify medical device complexity, extend response timeline

Harder: Add ICU life support compromise, include FDA medical device reporting, expand to multi-hospital system infection, add HIPAA breach with PHI exposure

Industry adaptations: Critical infrastructure (power grid control), financial services (trading system), government services (emergency dispatch)

Experience level: Novice gets healthcare IT coaching, expert faces medical device regulatory compliance and multi-system dependencies

Cross-References:


Key Differentiators: Healthcare Emergency Context

Unique Elements of Hospital Scenario:

  1. Patient Life Safety: Healthcare operations directly affect human lives, creating the highest-stakes timeline, vs commercial or administrative disruption
  2. Medical Device Security: Legacy Windows systems on FDA-regulated life-critical equipment cannot be easily patched, vs commercial IT flexibility
  3. Emergency Operations: Surge conditions create maximum vulnerability during the period when system downtime is most dangerous, vs planned maintenance windows
  4. Healthcare Culture: Clinical urgency overrides security considerations, creating exploitation opportunities, vs corporate risk management
  5. Regulatory Framework: HIPAA, FDA medical device requirements, and patient safety standards create a complex compliance environment, vs single-industry regulations

Facilitation Focus:

  • Emphasize how patient safety pressure creates unique security vulnerabilities different from commercial or administrative pressures
  • Highlight healthcare security’s life-or-death challenge: Balancing system protection with immediate patient care needs
  • Explore how incident response decisions directly affect patient outcomes and life safety
  • Connect to real-world healthcare security culture and medical device regulatory challenges

End of Planning Document

This scenario explores patient life safety vulnerabilities in healthcare emergency operations context. The goal is demonstrating how clinical urgency creates exploitable security gaps and how incident response must prioritize patient safety while containing threats.