When the Ransom Note Arrived, Did Your Team Know What to Do Next?
The short version
A large Queensland government hospital and health service engaged Stealth Cyber to design and facilitate a full-day cyber disruption exercise. The exercise simulated a ransomware attack that disrupted clinical systems, compromised patient data, and forced the leadership team to make real-time decisions about containment, communication, and continuity of care.
The goal was not to test technology. It was to test people, processes, and decision-making under pressure.
Why healthcare organisations run exercises like this
Healthcare is one of the most targeted sectors globally. In Australia, the health sector reported the highest number of data breaches to the OAIC in the second half of 2024, accounting for 12% of all notifications. Ransomware attacks against hospitals have disrupted clinical operations, delayed patient care, and exposed sensitive health records.
The consequences of a cyber incident in healthcare are not limited to data loss or financial cost. Disruption to clinical systems can directly affect patient safety. When electronic medical records go offline, when pathology results cannot be delivered, when medication management systems are unavailable, the impact is measured in clinical risk, not just downtime.
Most healthcare organisations have incident response plans. Fewer have tested those plans under realistic conditions. A tabletop exercise bridges that gap. It puts the plan in front of the people who will need to execute it and tests whether it works when the pressure is real.
What Stealth Cyber designed and delivered
Stealth Cyber designed a bespoke exercise scenario called Operation Silent Pulse. The scenario was built specifically for the hospital and health service, incorporating their systems, their organisational structure, their regulatory obligations, and their real-world threat landscape.
The exercise was structured in four phases, delivered across a full day.
Phase 1: Initial detection. The scenario began with early indicators of compromise: unusual network activity, a handful of failed logins, and a single workstation behaving unexpectedly. The leadership team had to assess the situation with incomplete information and decide how to respond.
Phase 2: Escalation. The scenario escalated. Ransomware had encrypted file servers and clinical application databases. Electronic medical records were inaccessible. Pathology systems were offline. The team had to activate their incident response plan, coordinate across departments, and begin assessing the impact on patient care.
Phase 3: External pressure. Media enquiries began. The attacker published a sample of stolen patient records on a leak site. Regulatory notification obligations were triggered. The team had to manage communications with patients, media, government stakeholders, and the OAIC while simultaneously managing the technical response.
Phase 4: Recovery and review. The scenario shifted to recovery. Systems needed to be restored in priority order. Clinical operations needed to resume safely. The team had to make decisions about what to bring back online first, how to verify system integrity, and how to communicate the recovery timeline to staff and patients.
Each phase included facilitated discussion, real-time decision points, and injects designed to test specific aspects of the organisation's preparedness.
What the deliverables covered
Following the exercise, Stealth Cyber delivered a comprehensive package of documentation and recommendations.
Incident response plan review. We assessed the existing incident response plan against the decisions and gaps that emerged during the exercise. Where the plan was unclear, incomplete, or untested, we provided specific recommendations for improvement.
Communications plan. We delivered a crisis communications framework covering internal staff communications, patient notifications, media responses, and regulatory reporting. This included template language and escalation criteria for different severity levels.
Operational playbooks. We produced role-specific playbooks for key functions including IT, clinical operations, executive leadership, communications, and legal. Each playbook outlined the specific actions, decisions, and escalation points relevant to that role during a cyber incident.
What exercises like this reveal
Every organisation believes their incident response plan will work until they test it. Exercises consistently reveal gaps that are invisible on paper.
Common findings include unclear escalation paths, assumptions about who is responsible for specific decisions, communication breakdowns between technical and non-technical teams, and a lack of pre-prepared communications for external stakeholders.
In healthcare specifically, exercises often reveal tension between the clinical imperative to maintain patient care and the security imperative to isolate compromised systems. These are not decisions that should be made for the first time during a real incident.
The value of an exercise is not in proving that the plan works. It is in finding out where it does not, while the consequences are still hypothetical.
Who this is for
Stealth Cyber designs and delivers cyber disruption exercises for organisations across all sectors, with particular experience in healthcare, government, professional services, and critical infrastructure.
Our exercises are built for your organisation, not adapted from a generic template. We incorporate your systems, your people, your regulatory environment, and your real threat landscape. We facilitate the exercise, manage the scenario, and deliver actionable documentation that your team can use immediately.
If your organisation has an incident response plan that has never been tested, or if your last exercise was more than 12 months ago, it is time to find out whether your plan holds up under pressure.