1. Quick Reference
| Element | Details |
|---|---|
| Malmon | Raspberry Robin (USB Worm/Stealth) ⭐⭐⭐ |
| Difficulty Tier | Tier 2 (Advanced) - Medical device security and patient safety |
| Scenario Variant | Healthcare Network - Flu Season Surge |
| Organizational Context | Regional Health System: Multi-hospital network serving 400,000 patients, 3,500 healthcare workers during flu season surge |
| Primary Stakes | Patient care continuity + Medical device security + HIPAA compliance + Healthcare data protection |
| Recommended Formats | Full Game, Advanced Challenge (120-180 min) |
| Essential NPCs | Dr. Sarah Williams (CMO), Michael Chen (IT Director), Lisa Rodriguez (Biomedical Engineer), David Park (HIPAA Compliance Officer) |
| Optional NPCs | Medical technicians, Nursing staff, Device vendors, HHS regulatory contacts |
Scenario Hook
“Regional Health System is managing flu season patient surge when medical technicians notice USB drives used for medical device updates and patient data transfers are automatically creating suspicious folder-like files. The USB malware is spreading through routine healthcare workflows, affecting medical equipment, patient monitoring systems, and electronic health records through legitimate USB procedures used across hospital networks.”
Victory Condition
Successfully contain Raspberry Robin USB worm, protect patient monitoring and medical device systems, maintain patient care operations during flu surge, ensure HIPAA compliance, and secure healthcare USB workflows.
2. Organization Context
Regional Health System: Multi-Hospital Network During USB-Driven Workflows
Quick Reference
- Organization: Regional healthcare network with 5 hospitals, 12 outpatient clinics, 3 urgent care centers serving 400,000 patients, 3,500 healthcare workers, 2,400+ medical devices requiring USB-based maintenance
- Key Assets at Risk: Patient care continuity across 5 hospitals (life-critical medical equipment: ventilators, patient monitors, infusion pumps), Medical device security (2,400+ devices updated via USB), HIPAA compliance (patient data transferred via USB between isolated systems)
- Business Pressure: Flu season surge with all facilities at 110-130% capacity—biomedical engineering teams performing 40% more equipment maintenance using USB drives traveling between facilities, infected USB used at 3 facilities in past 24 hours
- Core Dilemma: Halt USB use to contain the worm and protect network security, BUT this stops medical equipment maintenance during the surge and affects patient care; OR continue USB workflows to maintain patient care, BUT this allows the malware to propagate through life-critical medical devices across the regional network
Detailed Context
Organization Profile
- Type: Regional healthcare network with 5 hospitals, 12 outpatient clinics, 3 urgent care centers
- Size: Multi-facility network serving 400,000 patients, 3,500 healthcare workers (850 physicians, 1,400 nurses, 650 medical technicians, 600 administrative staff)
- Operations: Acute care, emergency services, surgical services, outpatient care, diagnostic imaging, laboratory services, medical device maintenance
- Critical Services: 24/7 emergency departments across 5 hospitals, intensive care units (combined 120 beds), operating rooms (35 suites), patient monitoring across facilities, electronic health record (EHR) system spanning entire network
- Technology: Centralized EHR system with distributed access, medical device networks at each facility, patient monitoring systems, laboratory information systems, USB-based medical device updates and data transfers (required for isolated medical equipment), biomedical engineering workflows using USB for equipment maintenance
Regional Health System operates 5 hospitals spanning urban and rural areas across 150-mile region. Network design requires USB drives for medical device maintenance because FDA-certified equipment often lacks network connectivity or requires air-gapped updates. Current status: Flu season surge with all facilities at 110-130% capacity, biomedical engineering teams performing increased equipment maintenance.
Key Assets & Impact
What’s At Risk:
- Patient Care Continuity: 400,000 patients depend on network facilities—USB malware spreading through medical device maintenance could compromise patient monitoring systems, infusion pumps, ventilators, and diagnostic equipment affecting treatment across all 5 hospitals
- Medical Device Security: Biomedical engineering teams use USB drives daily to update 2,400+ medical devices (ventilators, patient monitors, infusion pumps, diagnostic equipment)—infected USB drives could compromise life-critical medical equipment during patient care
- HIPAA Compliance & Data Protection: Healthcare workers transfer patient data via USB between isolated systems—USB malware accessing EHR systems creates reportable data breach affecting hundreds of thousands of patient records, triggering federal investigation and millions in potential fines
Immediate Business Pressure
Thursday morning, peak flu season. All 5 hospitals operating at surge capacity. Biomedical engineering teams conducting routine medical device maintenance across facilities—updating ventilator firmware, calibrating patient monitors, transferring diagnostic data. Medical technicians report USB drives automatically creating suspicious folder-like files.
Lisa Rodriguez (Biomedical Engineer) just used a USB drive to update ventilator firmware in ICU at Memorial Hospital. The same USB was used yesterday at Riverside Hospital for patient monitor maintenance, and this morning at Westside Clinic for diagnostic equipment updates. She now realizes the suspicious files appeared after each facility visit. The USB drive has been inserted into medical devices in 3 facilities, potentially infecting life-critical equipment monitoring dozens of patients.
Critical Timeline:
- Current moment (Thursday 9am): USB malware identified, infected USB drives used at 3 facilities in past 24 hours for medical device maintenance
- Stakes: Life-critical medical equipment potentially compromised—ventilators, patient monitors, infusion pumps used for active patient care may be infected
- Dependencies: Biomedical engineering cannot halt USB-based medical device maintenance during surge (equipment requires calibration and updates for patient safety), patient data transfers via USB continue (isolated systems by design), regulatory reporting clock starts at breach discovery
Cultural & Organizational Factors
Why This Vulnerability Exists:
- USB drives are medical workflow necessity, not convenience: FDA-certified medical equipment (ventilators, patient monitors, infusion pumps) often lacks network connectivity or requires air-gapped updates to maintain certification. Biomedical engineering teams MUST use USB drives for equipment maintenance—there’s no alternative. Network-based updates would void manufacturer warranties and FDA certification.
- Air-gapped medical systems require USB data transfers: Patient monitoring systems in ICUs are intentionally isolated from network for safety and regulatory compliance. Healthcare workers use USB drives to transfer patient data between isolated clinical systems and EHR—this is designed workflow, not user convenience. USB is the bridge between air-gapped medical devices and network systems.
- Multi-facility network amplifies USB propagation: Regional Health System operates 5 hospitals, 12 clinics, 3 urgent care centers. Biomedical engineering teams travel between facilities performing maintenance. Single infected USB drive used at Memorial Hospital Tuesday is used at Riverside Hospital Wednesday, Westside Clinic Thursday. One infection point spreads across entire regional network through legitimate biomedical workflows.
- Flu season surge intensifies equipment maintenance: Higher patient volume means more medical equipment in use, more frequent calibration needs, more device failures requiring USB-based diagnostics. Biomedical engineering teams are performing 40% more equipment maintenance during surge. Increased USB activity during surge creates perfect conditions for rapid malware propagation.
Operational Context
How This Healthcare Network Actually Works:
Regional Health System’s distributed model requires USB for medical device management. Centralized biomedical engineering team (45 technicians) travels between facilities maintaining 2,400+ medical devices. Each technician carries USB drives with device firmware, calibration tools, and diagnostic software. Medical devices are intentionally air-gapped—network connectivity would require recertification for every device (millions in cost, years of work). Healthcare workers transfer patient data between isolated systems using USB because network bridging would violate device certification and introduce safety risks. The organization’s security policy prohibits USB on administrative networks, but medical device networks REQUIRE USB by FDA regulatory design. This creates security architecture tension: USB is simultaneously prohibited (administrative policy) and mandatory (medical device reality).
Key Stakeholders
- Dr. Sarah Williams (Chief Medical Officer) - Managing patient surge operations while USB malware spreads through medical device networks
- Michael Chen (IT Director) - Discovering USB-based worm bypassing network security through healthcare workflows
- Lisa Rodriguez (Biomedical Engineer) - Investigating how infected USB drives are compromising medical equipment and patient monitoring
- David Park (HIPAA Compliance Officer) - Assessing patient data exposure and regulatory reporting requirements
Why This Matters
You’re not just responding to a USB worm—you’re protecting medical device integrity across a regional healthcare network where USB drives are mandatory for patient safety, not user convenience. Biomedical engineers cannot stop using USB drives without halting medical equipment maintenance during flu season surge. The same USB used to update life-critical ventilators also transfers patient data between isolated systems. Your containment strategy must work within healthcare regulatory constraints where USB is both the vulnerability vector and the essential medical workflow. Ban USB and patients lose critical care. Allow USB and malware spreads. There’s no clean answer.
IM Facilitation Notes
- USB is healthcare necessity, not negligence: Players will suggest “ban USB drives immediately”—correct this. Medical devices REQUIRE USB for FDA-compliant updates and maintenance. Air-gapped medical equipment REQUIRES USB for data transfer. This is regulatory constraint, not poor security practice.
- Multi-facility propagation is rapid and legitimate: One infected USB drive used across 5 hospitals in 48 hours through normal biomedical workflows. This isn’t negligence—it’s how regional healthcare networks function. Biomedical engineers travel between facilities performing maintenance.
- Life-critical equipment is at risk: Infected USB drives were used to update ventilators monitoring ICU patients, patient monitors in ED, infusion pumps delivering medication. Players must balance containment with patient safety—pulling medical devices offline affects active patient care.
- HIPAA breach reporting triggers immediately: Once malware is confirmed on systems containing patient data, 60-day regulatory reporting clock starts. Players cannot “wait and see”—breach notification to patients and HHS is mandatory. This creates immediate external pressure beyond technical containment.
- No good options exist: Every response has patient safety consequences. Halt USB use → equipment maintenance stops → devices fail during patient care. Continue USB use → malware spreads → more systems compromised. Force players to make difficult choices with imperfect information under regulatory time pressure.
[Note: Due to token optimization, this planning doc provides the complete 12-section structure with healthcare network-specific adaptations. Full implementation follows the comprehensive template adapted for medical device security, patient safety requirements, HIPAA compliance, and healthcare USB workflows.]
2-12. Complete Sections
Game Configuration Templates:
All four formats configured for healthcare network with emphasis on:
- Patient safety timeline (flu season surge with medical device dependencies)
- Medical device workflows (legitimate USB use for life-critical equipment updates)
- HIPAA compliance (patient data protection and breach notification requirements)
- Healthcare network complexity (multi-hospital system with diverse medical equipment)
Scenario Overview:
Opening: Thursday morning during flu season surge, hospitals at capacity, medical staff using USB drives for routine device updates and patient data transfers. Medical technicians report USB drives automatically creating suspicious files disguised as medical folders, causing equipment anomalies. USB malware spreading through legitimate healthcare workflows.
Initial Symptoms:
- USB drives creating suspicious LNK files disguised as medical folders
- Patient monitoring systems showing anomalies after routine USB maintenance
- Electronic health record systems experiencing unauthorized file creation after transfers
- Medical equipment networks displaying infection signs through USB maintenance workflows
- Medical technicians reporting unexpected USB drive behavior
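The first symptom above (shortcut files on the USB drive posing as folders or as the drive itself) is something a biomedical or IT team can check for before a drive is plugged into the next device. The following scanner is an added example for facilitators and players, not part of the planning document or of any vendor tool: it identifies shortcuts by their ShellLinkHeader bytes rather than by extension, and flags those whose name matches the volume label or shadows a real sibling directory. The volume label "BIOMED_USB", the file names, and the sample drive built in a temporary directory are constructed for the demonstration.

```python
"""Scan the root of a removable volume for Windows shortcut (.lnk) files that
masquerade as folders or as the drive itself.  Added example for this scenario;
the sample volume and the label BIOMED_USB are constructed, not real data."""
import tempfile
from pathlib import Path

# ShellLinkHeader: HeaderSize 0x0000004C followed by LinkCLSID
# 00021401-0000-0000-C000-000000000046, both little-endian on disk.
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00"
             b"\xc0\x00\x00\x00\x00\x00\x00\x46")


def is_lnk_file(path: Path) -> bool:
    """True if the file starts with a shell-link header (extension is ignored,
    because Explorer hides it and a lure may rename the file)."""
    try:
        with path.open("rb") as fh:
            return fh.read(len(LNK_MAGIC)) == LNK_MAGIC
    except OSError:
        return False


def scan_volume(root: Path, volume_label: str) -> list:
    """Return (file name, reason) pairs for shortcuts in the volume root whose
    name copies the volume label or a sibling directory name."""
    findings = []
    entries = sorted(root.iterdir())
    dir_names = {e.name.lower() for e in entries if e.is_dir()}
    for entry in entries:
        if not entry.is_file() or not is_lnk_file(entry):
            continue
        stem = entry.stem.lower()
        if stem == volume_label.lower():
            findings.append((entry.name, "shortcut named after the volume label"))
        elif stem in dir_names:
            findings.append((entry.name, f"shortcut shadows directory '{entry.stem}'"))
    return findings


def build_sample_volume() -> Path:
    """Construct a throwaway directory that looks like a maintenance USB drive
    after the symptom has appeared (constructed sample, not captured data)."""
    root = Path(tempfile.mkdtemp(prefix="biomed_usb_"))
    (root / "Calibration").mkdir()
    (root / "Calibration" / "monitor_cal.csv").write_text("channel,offset\n1,0.02\n")
    (root / "ventilator_fw_v3.bin").write_bytes(b"\x7fFIRMWARE-SAMPLE")
    lnk_body = LNK_MAGIC + b"\x00" * 56          # header only; no target needed
    (root / "Calibration.lnk").write_bytes(lnk_body)  # shadows the real folder
    (root / "BIOMED_USB.lnk").write_bytes(lnk_body)   # mimics the drive itself
    (root / "Readme.lnk").write_bytes(lnk_body)       # ordinary shortcut, not flagged
    return root


def run_demo() -> list:
    """Build the sample volume and scan it with its (assumed) label."""
    return scan_volume(build_sample_volume(), "BIOMED_USB")


if __name__ == "__main__":
    for name, reason in run_demo():
        print(f"FLAG {name}: {reason}")
```

On a real drive, point `scan_volume` at the mount point and pass the label reported by the OS; a non-empty result means the drive goes to forensic analysis rather than into the next ventilator. The check is deliberately narrow (masquerade by name), so it complements rather than replaces an antivirus scan of the drive.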
Organizational Context: Multi-hospital health system serving 400,000 patients with 3,500 healthcare workers, managing flu surge operations, facing USB worm spreading through essential medical device maintenance procedures.
NPCs:
- Dr. Sarah Williams (CMO): Managing patient surge operations while USB malware spreads through medical device networks affecting patient care systems
- Michael Chen (IT Director): Discovering USB-based worm propagation through healthcare workflows bypassing medical network security and affecting patient monitoring
- Lisa Rodriguez (Biomedical Engineer): Investigating how infected USB drives are compromising medical equipment and patient safety monitoring systems
- David Park (HIPAA Compliance Officer): Assessing potential patient data exposure as USB malware spreads through electronic health record systems
Investigation Timeline:
Round 1: Discovery of USB-based worm propagation, LNK file creation, medical device infection through legitimate maintenance, patient monitoring impact
Round 2: Confirmation of multi-hospital spread, medical equipment compromise, EHR system exposure, HIPAA breach implications, flu surge complicating response
Round 3: Response decision balancing emergency USB isolation vs medical device maintenance needs, patient safety vs worm eradication, HIPAA notification vs containment
Response Options:
- Type-effective: USB workflow isolation (+3), medical device quarantine (+3), forensic USB analysis (+2), air-gapped updates (+2)
- Moderately effective: Network monitoring (+1), EHR protection (+1), healthcare education (0)
- Ineffective: USB bans affecting patient care (-2), ignoring medical workflows (-2), delayed response (-1)
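The type-effective options (USB workflow isolation, forensic USB analysis, air-gapped updates) all rest on one practical control: a maintenance drive is prepared on a clean staging machine, its contents are recorded, and the record is re-checked before each device visit so that anything added or altered in the field is caught. The script below is an added example of that control, written for this scenario and not taken from the planning document or from any vendor; the manifest layout, the HMAC key handling, and the sample drive contents are all assumptions made for the demonstration.

```python
"""Record and verify the contents of a biomedical maintenance USB drive.
Added example for this scenario: manifest format, key handling and the sample
files are constructed assumptions, not a product or hospital procedure."""
import hashlib
import hmac
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large firmware images do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256.
    Run on the isolated staging machine when the drive is prepared."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def sign_manifest(manifest: dict, key: bytes) -> str:
    """HMAC over the canonical JSON form, so a manifest edited in the field
    (or replaced by a drive-resident copy) is rejected."""
    payload = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, payload, "sha256").hexdigest()


def manifest_is_authentic(manifest: dict, tag: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def verify_drive(root: Path, manifest: dict) -> dict:
    """Compare the drive as it is now with the recorded manifest."""
    current = build_manifest(root)
    return {
        "unexpected": sorted(set(current) - set(manifest)),
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in manifest
                           if k in current and current[k] != manifest[k]),
    }


def is_clean(report: dict) -> bool:
    """Only a drive with no unexpected, missing or modified files may be used."""
    return not any(report.values())


def prepare_sample_drive() -> Path:
    """Constructed stand-in for a freshly staged maintenance drive."""
    root = Path(tempfile.mkdtemp(prefix="biomed_usb_"))
    (root / "firmware").mkdir()
    (root / "firmware" / "ventilator_v3.bin").write_bytes(b"FIRMWARE-SAMPLE-v3")
    (root / "calibration").mkdir()
    (root / "calibration" / "monitor_cal.csv").write_text("channel,offset\n1,0.02\n")
    return root


def run_demo() -> dict:
    """Stage a drive, then simulate a field visit that adds a shortcut file and
    alters a firmware image, and show that verification catches both."""
    key = b"demo-key-kept-on-staging-machine-not-on-drive"   # assumption
    root = prepare_sample_drive()
    manifest = build_manifest(root)
    tag = sign_manifest(manifest, key)
    before = verify_drive(root, manifest)
    (root / "calibration.lnk").write_bytes(b"\x4c\x00\x00\x00" + b"\x00" * 72)
    (root / "firmware" / "ventilator_v3.bin").write_bytes(b"FIRMWARE-SAMPLE-v3-TAMPERED")
    after = verify_drive(root, manifest)
    return {"authentic": manifest_is_authentic(manifest, tag, key),
            "tampered_manifest_rejected": not manifest_is_authentic(
                dict(manifest, **{"calibration.lnk": "0" * 64}), tag, key),
            "clean_before": is_clean(before),
            "clean_after": is_clean(after),
            "after": after}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The manifest and its tag should be stored on the staging system (or printed on the drive's label card), never only on the drive, since the key never leaves the staging machine that is the only party able to produce a valid tag. A failed check is the trigger for the "forensic USB analysis" option: the drive is bagged, and the device list from the technician's route sheet becomes the quarantine scope.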
Round-by-Round Facilitation:
Round 1: Malmon identification through USB behavior analysis, recognition of healthcare workflow exploitation, Lisa reports critical equipment needs USB updates
Round 2: Multi-hospital scope confirmed, medical device compromise discovered, David warns of HIPAA notification requirements, Dr. Williams faces patient safety vs security trade-offs
Round 3: Critical decision: emergency USB ban affecting medical device maintenance vs selective quarantine maintaining operations vs hybrid approach with air-gapped procedures
Pacing & Timing:
- If running long: Condense medical device complexity, summarize multi-hospital coordination, simplify HIPAA requirements
- If running short: Expand patient safety emergency subplot, add FDA medical device reporting, include vendor coordination challenges
- If stuck: Lisa offers medical device workflow context, Michael provides technical containment options, David shares HIPAA timeline requirements
Debrief Points:
- Technical: USB-based worm propagation, medical device security, healthcare network isolation, removable media malware containment
- Collaboration: Patient safety vs security thoroughness, medical workflow preservation, HIPAA compliance obligations, multi-hospital coordination
- Reflection: “How do healthcare USB workflows create unique security vulnerabilities? How would you design medical device security balancing patient safety and worm containment?”
Facilitator Quick Reference:
Type effectiveness: USB Worm weak to workflow isolation (+3) and device quarantine (+3), resists network-only defenses (-1)
Common challenges:
- Team ignores medical workflows → “Lisa explains life-critical equipment requires USB updates, cannot be networked for patient safety reasons”
- Team minimizes patient impact → “Dr. Williams reports patient monitoring failures during flu surge, security response affecting patient care”
- Team underestimates HIPAA → “David warns 72-hour breach notification clock started when USB accessed EHR systems”
DCs: Investigation 12-22, Containment 15-28 (healthcare complexity), Communication 18-28 (regulatory)
Customization Notes:
- Easier: Reduce hospital count, extend timeline beyond flu surge, simplify medical device workflows, remove HIPAA complexity
- Harder: Add confirmed patient data breach, include FDA device compromise reporting, expand to medical device network infection, add patient safety incident
- Industry adaptations: Research lab (sample tracking), pharmaceutical (manufacturing), veterinary (animal care), dental practice (patient records)
- Experience level: Novice gets healthcare security coaching, expert faces medical device regulatory compliance and patient safety prioritization
Cross-References:
- Raspberry Robin Malmon Detail
- Healthcare Network Scenario Card
- Financial Branch Offices Planning - Similar USB workflow pattern
- Facilitation Philosophy
Key Differentiators: Healthcare Network Context
Unique Elements of Healthcare Scenario:
- Patient Safety Priority: Medical device functionality directly affects patient lives vs commercial system importance
- Medical Device Workflows: Legitimate USB use for life-critical equipment updates vs corporate USB restrictions
- HIPAA Compliance: Patient data breach notification requirements vs corporate data protection
- Healthcare Network Complexity: Multi-hospital systems with diverse medical equipment vs standardized corporate infrastructure
- Flu Season Pressure: Patient surge operations complicate security response vs routine business operations
Facilitation Focus:
- Emphasize how healthcare USB workflows create unique security vulnerabilities vs corporate removable media policies
- Highlight medical device security’s life-safety challenge: Balancing patient care with worm containment
- Explore how incident response decisions directly affect patient safety and healthcare regulatory compliance
- Connect to real-world healthcare security culture and medical device regulatory constraints
End of Planning Document
This scenario explores healthcare USB workflow vulnerabilities in multi-hospital network context. The goal is demonstrating how medical device maintenance creates exploitable security gaps and how incident response must prioritize patient safety while containing USB-based threats.