SPOILER ALERT: If you haven't caught up on Season 2 of The Pitt, go watch before reading below.
If you work in Healthcare or data security, you probably felt a knot in your stomach watching The Pitt last night. In the episode “1:00 PM” the threat of a ransomware attack forced the hospital to “go analog." Doctors were scrambling for paper charts. Nurses struggled with errors in medication orders. Clinicians were flying blind without patient histories.
It's great TV. It's also a scary, accurate depiction of the effects a cyberattack can have on a hospital system and what an outage means for patient care. A nurse can miss a critical allergy. A clinician treating an unconscious patient has no access to their history. Errors like these don't just compromise care, they can be fatal. Indeed, when ransomware hits, the digital infrastructure that keeps patients safe can completely vanish.
The Recovery Montage That Isn't
Hollywood loves a quick fix. On screen, systems are usually back online by the next episode—or by the end of the season as we can assume will happen in Season 2 of The Pitt.
But in reality, recovery is far more complicated. It doesn't happen in a 60-minute window. It's a grueling process that tests every aspect of a healthcare organization's resilience. The average hospital system takes 17 days to recover from a ransomware attack, though more complex incidents can extend for weeks or months. During that time, "downtime protocols" that were designed for brief outages are stretched far beyond their intended use. Surgeries get canceled, ambulances are diverted, and emergency departments may need to close their doors to new patients and risk compromising care.
The impact on patient care is measurable. Studies have shown that cyberattacks on healthcare organizations are associated with increased mortality rates and higher rates of medical errors when clinicians can't access complete patient histories. Years of digital transformation have made healthcare more efficient, but they've also created a knowledge gap: manual processes that were once routine are no longer practiced regularly. Paper charts may be stored off-site or in archives. Communication workflows built around digital systems may have no analog backup.
The recovery process itself is complex. It's not simply a matter of restoring systems from backup. Healthcare organizations must work with third-party validators, perform extensive forensics to understand the attack vector, ensure attestation that systems are truly clean, and rebuild in an environment free from contamination.
And that's assuming the backups themselves haven't been compromised. In 96% of cyberattacks, threat actors specifically target backup repositories, understanding that without clean backups, healthcare organizations have limited options for recovery.
While patient care disruption is the most critical initial impact of a cyber event, the financial impact is also substantial. The real costs extend beyond the immediate ransom demands or recovery expenses. They include lost revenue from canceled procedures, regulatory fines, increased insurance premiums, legal costs, and long-term reputational damage that can take years to repair.
Cyber Resilience: Preparing for When, Not If
The question healthcare organizations face isn't whether they'll be targeted but when. Healthcare experiences more ransomware attacks than any other critical infrastructure sector. So preparation is essential.
In Healthcare, cyber resilience focuses on two critical objectives:
Maintaining patient continuity of care during an attack
Recovering as quickly as possible to restore full operational capacity
Here's what healthcare organizations can do to build cyber resilience:
Build your minimum viable hospital: Process and people matter as much as technology. Healthcare organizations need to define what their Minimum Viable Hospital (MVH) looks like. That means defining the essential functions required to maintain safe patient care during a complete systems outage.
In traditional disaster recovery, tier 0/1 applications can range into the hundreds. But the loss of trust incurred during a cyber event and the complications of recovery make it essential to identify the few core applications that are absolutely necessary for a baseline of functioning. Teams can prioritize restoration of systems most critical to maintaining continuity of care and reduce the impact on patients during an outage.
Implement proactive threat monitoring: When an attacker manages to slip past endpoint protection tools, early detection becomes critical. Proactive monitoring that identifies anomalous access patterns, unexpected data movements, or suspicious credential usage can provide the time needed to contain an attack before widespread encryption begins. Attackers often dwell in networks before detection for days or even weeks, giving them ample opportunity to map systems, escalate privileges, and position themselves for maximum impact. Reducing this window significantly improves outcomes.
Ensure immutable backups are truly immutable: Attackers specifically target backups because these systems determine whether an organization can recover without paying a ransom. Using an immutable architecture with air-gapped, write-once-read-many (WORM) technology helps keep that safety net intact, even if credentials are stolen or administrative access is compromised. However, immutability isn't just a feature checkbox. It needs to be architected correctly, tested regularly, and validated as part of incident response planning.
Support rapid identity and access recovery: When attackers infiltrate a healthcare network, they often compromise Active Directory and identity systems. When identity systems are down, all the applications depending on identity infrastructure are down too. Recovery can be complex and time consuming, extending downtimes for critical applications. But having a secure, isolated method to recover identity as quickly as possible is critical to rebuilding a functioning hospital system.
Quickly identify clean recovery points: One of the most challenging aspects of recovery is determining which backup snapshots are clean and which may contain malware or evidence of attacker presence. Searching for a clean recovery point can add days or weeks to the overall recovery timeline, extending downtime when every minute counts for patient care. Modern backup solutions should be able to quickly scan snapshots for indicators of compromise, malware signatures, and anomalous behaviors that suggest attacker activity. Without this visibility, organizations face a difficult choice: restore potentially compromised data and risk reinfection, or spend critical time manually validating each snapshot.
Know where your sensitive data actually lives: Protected health information (PHI) doesn't just live in electronic health record (EHR) systems. It proliferates across file shares, backup systems, collaboration platforms, and applications that may not be tracked by IT. Healthcare organizations need comprehensive data classification and discovery capabilities to understand their actual data footprint to ensure this data is adequately protected. This reduces the possibility of exfiltration during a cyber event, which can trigger HIPAA violations, fines, and loss of patient trust. You can't protect what you can't see, and you can't prioritize recovery for systems you didn't know contained sensitive patient information.
Develop an orchestrated recovery plan: Recovery from a major cyberattack requires carefully orchestrated sequencing to bring systems back online in the right order, with dependencies mapped and validated. Which systems need to come up first to support the most critical patient care functions? What are the downstream dependencies? An orchestrated recovery plan with documented runbooks, assigned responsibilities, and tested procedures can significantly reduce recovery time.
Maintain a clean recovery environment: Healthcare organizations need an isolated recovery environment (IRE), a secure, network-segmented space where systems can be restored and validated without risk of reinfection. Without this clean room, organizations risk recovering compromised systems that simply reinfect the entire environment. An IRE allows forensic analysis, malware scanning, and system validation before bringing resources back into production.
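The proactive monitoring recommendation above is easier to reason about with concrete rules. The following is an added example, not code from the original post or from any product it may describe. It runs three simple detections over constructed authentication events (invented accounts, hosts and timestamps): a service account logging on interactively, a human account active outside a baseline window, and one account reaching many hosts within a few minutes. The thresholds, the "svc-" naming convention and the 06:00 to 22:00 clinical baseline are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events for this example (not real logs).
# Format: ISO timestamp, account, source host, target host, logon type.
SAMPLE_EVENTS = """\
2025-03-10T09:02:11 dr.patel ws-ed-04 ehr-app-01 interactive
2025-03-10T09:15:40 dr.patel ws-ed-04 ehr-app-01 interactive
2025-03-10T11:30:05 nurse.lee ws-icu-02 pharmacy-01 interactive
2025-03-10T23:41:02 svc-backup bk-01 file-srv-01 service
2025-03-11T02:10:13 svc-backup ws-ed-04 dc-01 interactive
2025-03-11T02:11:45 svc-backup ws-ed-04 file-srv-01 interactive
2025-03-11T02:12:30 svc-backup ws-ed-04 ehr-db-01 interactive
2025-03-11T02:13:02 svc-backup ws-ed-04 pacs-01 interactive
2025-03-11T02:14:50 svc-backup ws-ed-04 bk-01 interactive
2025-03-11T03:05:00 dr.patel ws-ed-04 ehr-app-01 interactive
"""

# Hypothetical thresholds and baselines; a real deployment derives these per account.
SERVICE_ACCOUNT_PREFIX = "svc-"
FANOUT_HOSTS = 4                       # distinct targets reached by one account...
FANOUT_WINDOW = timedelta(minutes=10)  # ...within this window suggests lateral movement
CLINICAL_HOURS = range(6, 22)          # 06:00-21:59 baseline for human accounts


def parse_events(text):
    """Parse the whitespace-separated event format above into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, target, logon = line.split()
        events.append({"time": datetime.fromisoformat(ts), "user": user,
                       "src": src, "target": target, "logon": logon})
    return events


def detect(events):
    """Apply three monitoring rules and return one alert per (rule, account)."""
    alerts = {}

    def raise_alert(rule, user, detail):
        # Keep only the first occurrence per rule and account to avoid alert floods.
        alerts.setdefault((rule, user), {"rule": rule, "user": user, "detail": detail})

    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)

    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["time"])
        is_service = user.startswith(SERVICE_ACCOUNT_PREFIX)
        for e in evs:
            # Rule 1: a service account should never log on interactively.
            if is_service and e["logon"] == "interactive":
                raise_alert("service_interactive", user,
                            f"interactive logon from {e['src']} at {e['time']}")
            # Rule 2: a human account active outside its baseline hours.
            if (not is_service and e["logon"] == "interactive"
                    and e["time"].hour not in CLINICAL_HOURS):
                raise_alert("after_hours", user,
                            f"logon at {e['time']} from {e['src']}")
        # Rule 3: fan-out across many distinct hosts inside a short window.
        for i, start in enumerate(evs):
            window = [e for e in evs[i:] if e["time"] - start["time"] <= FANOUT_WINDOW]
            targets = {e["target"] for e in window}
            if len(targets) >= FANOUT_HOSTS:
                raise_alert("fan_out", user,
                            f"{len(targets)} distinct hosts within {FANOUT_WINDOW}")
                break

    return sorted(alerts.values(), key=lambda a: (a["user"], a["rule"]))


if __name__ == "__main__":
    for a in detect(parse_events(SAMPLE_EVENTS)):
        print(f"[{a['rule']}] {a['user']}: {a['detail']}")
```

On the sample data the backup service account is flagged twice (interactive use from a clinical workstation, then five hosts in under five minutes) and a clinician account is flagged for a 03:05 logon from that same workstation; the nurse's daytime activity produces nothing. Rules this simple are a starting point, not a product: the value is in shrinking the dwell time the post describes by surfacing these patterns on the day they occur rather than during post-incident forensics.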
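The clean-recovery-point recommendation can be made concrete with a small triage routine. The example below is added here and is not code from the original post or from any backup product; the snapshot manifests, indicator hashes, ransom-note filenames and the 50% churn threshold are all constructed placeholders. It checks each snapshot for known-bad file hashes, ransom-note style filenames and a sudden rewrite of most files, then picks the newest snapshot taken before the first indicator appeared, treating everything after that point as suspect even if it looks clean on its own.

```python
import hashlib


def sha256_of(label):
    """Produce deterministic, constructed file digests for the sample data."""
    return hashlib.sha256(label.encode()).hexdigest()


# Constructed indicators (placeholders, not real malware hashes or note names).
KNOWN_BAD_SHA256 = {sha256_of("constructed-attacker-tool")}
RANSOM_NOTE_NAMES = {"readme_decrypt.txt", "how_to_restore_files.txt"}
CHURN_THRESHOLD = 0.5  # fraction of files changed or removed between two snapshots

# Constructed snapshot manifests: id, timestamp, and path -> sha256 of content.
BASELINE = {
    "/ehr/patients.db": sha256_of("patients-v1"),
    "/ehr/orders.db": sha256_of("orders-v1"),
    "/pharmacy/formulary.csv": sha256_of("formulary-v1"),
    "/lab/results.db": sha256_of("results-v1"),
}
SNAPSHOTS = [
    {"id": "snap-2025-01-01", "taken": "2025-01-01T02:00:00", "files": dict(BASELINE)},
    # day 2: attacker tooling appears but patient data is untouched
    {"id": "snap-2025-01-02", "taken": "2025-01-02T02:00:00",
     "files": {**BASELINE, "/tmp/svc_update.exe": sha256_of("constructed-attacker-tool")}},
    # day 3: every data file rewritten (encrypted) and a ransom note dropped
    {"id": "snap-2025-01-03", "taken": "2025-01-03T02:00:00",
     "files": {**{p: sha256_of(p + "-encrypted") for p in BASELINE},
               "/README_DECRYPT.txt": sha256_of("note")}},
]


def assess_snapshot(cur, prev):
    """Return the findings for one snapshot; an empty list means no indicator seen."""
    findings = []
    for path, digest in cur["files"].items():
        if digest in KNOWN_BAD_SHA256:
            findings.append(f"known-bad hash at {path}")
        if path.rsplit("/", 1)[-1].lower() in RANSOM_NOTE_NAMES:
            findings.append(f"ransom-note filename at {path}")
    if prev is not None and prev["files"]:
        prev_files, cur_files = prev["files"], cur["files"]
        changed = sum(1 for p, d in prev_files.items() if p in cur_files and cur_files[p] != d)
        missing = sum(1 for p in prev_files if p not in cur_files)
        churn = (changed + missing) / len(prev_files)
        if churn >= CHURN_THRESHOLD:
            findings.append(
                f"mass modification: {churn:.0%} of files changed or removed since {prev['id']}")
    return findings


def triage(snapshots):
    """Assess every snapshot in chronological order; returns {snapshot id: findings}."""
    report, prev = {}, None
    for snap in sorted(snapshots, key=lambda s: s["taken"]):
        report[snap["id"]] = assess_snapshot(snap, prev)
        prev = snap
    return report


def latest_clean_snapshot(snapshots):
    """Newest snapshot taken before the first indicator of compromise.
    Later snapshots are treated as suspect even if they show nothing themselves,
    because attacker presence has already been established by then."""
    report = triage(snapshots)
    last_clean = None
    for snap in sorted(snapshots, key=lambda s: s["taken"]):
        if report[snap["id"]]:
            break
        last_clean = snap["id"]
    return last_clean


if __name__ == "__main__":
    for sid, findings in triage(SNAPSHOTS).items():
        print(sid, "CLEAN" if not findings else "; ".join(findings))
    print("restore from:", latest_clean_snapshot(SNAPSHOTS))
```

With the constructed data the day-2 snapshot is already disqualified by the tooling it contains, even though the patient data in it is intact, so the recommended restore point is day 1 rather than day 2. That is the point of the "first indicator" rule: a snapshot with no visible indicator is not the same as a snapshot taken before the intrusion, which is why the post still calls for forensics and third-party validation before anything goes back to production.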
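The Minimum Viable Hospital recommendation and the orchestrated recovery plan above are two halves of one exercise: decide which systems are essential, then sequence them by dependency. The example below is added here and is not the original post's or any project's code; the application inventory is a constructed, hypothetical hospital and its dependency edges are assumptions. It sequences systems into restoration waves with a topological sort, rejects an MVH definition in which an essential system depends on a non-essential one (a gap that would only surface mid-incident), detects dependency cycles, and renders a numbered runbook that restores the MVH first.

```python
# Constructed application inventory for a hypothetical hospital.
# "mvh": part of the Minimum Viable Hospital (must be back before anything else);
# "deps": systems that must be restored and validated before this one can come up.
SYSTEMS = {
    "identity":  {"mvh": True,  "deps": []},
    "network":   {"mvh": True,  "deps": []},
    "database":  {"mvh": True,  "deps": ["network"]},
    "ehr":       {"mvh": True,  "deps": ["identity", "network", "database"]},
    "pharmacy":  {"mvh": True,  "deps": ["ehr", "identity"]},
    "lab":       {"mvh": True,  "deps": ["ehr"]},
    "pacs":      {"mvh": False, "deps": ["network", "identity"]},
    "billing":   {"mvh": False, "deps": ["ehr", "database"]},
    "hr_portal": {"mvh": False, "deps": ["identity"]},
}


def recovery_waves(systems, mvh_only=False):
    """Sequence systems into restoration waves using Kahn's topological sort.
    Each wave lists systems whose dependencies all sit in earlier waves, so the
    members of one wave can be restored in parallel. With mvh_only=True only the
    Minimum Viable Hospital is sequenced, and an MVH system that depends on a
    non-MVH system is rejected because the MVH definition would be incomplete."""
    selected = {name for name, s in systems.items() if s["mvh"] or not mvh_only}
    for name in selected:
        for dep in systems[name]["deps"]:
            if dep not in systems:
                raise ValueError(f"{name} depends on unknown system {dep}")
            if dep not in selected:
                raise ValueError(f"MVH system {name} depends on non-MVH system {dep}")
    indegree = {name: len(systems[name]["deps"]) for name in selected}
    waves, sequenced = [], 0
    ready = sorted(name for name in selected if indegree[name] == 0)
    while ready:
        waves.append(ready)
        sequenced += len(ready)
        next_ready = []
        for done in ready:
            for name in selected:
                if done in systems[name]["deps"]:
                    indegree[name] -= 1
                    if indegree[name] == 0:
                        next_ready.append(name)
        ready = sorted(next_ready)
    if sequenced != len(selected):
        raise ValueError("dependency cycle: runbook cannot be sequenced")
    return waves


def runbook(systems):
    """Render the MVH waves first, then everything else, as numbered runbook steps."""
    lines, restored, step = [], set(), 0
    plans = (("MVH", recovery_waves(systems, mvh_only=True)),
             ("Full service", recovery_waves(systems)))
    for label, waves in plans:
        for wave in waves:
            pending = [s for s in wave if s not in restored]
            if not pending:
                continue
            step += 1
            lines.append(f"Step {step} ({label}): restore in parallel "
                         f"{', '.join(pending)}; validate before continuing")
            restored.update(pending)
    return lines


if __name__ == "__main__":
    for line in runbook(SYSTEMS):
        print(line)
```

For the constructed inventory the MVH comes back in four waves (identity and network, then the database, then the EHR, then lab and pharmacy together) before any non-essential system is touched. The validation step is deliberate: because a major incident destroys trust in every system, each wave should be checked in the isolated recovery environment before the next one depends on it, and the sequencing itself is something to test in an exercise, not discover during the outage.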
Closer to Reality
CIOs and security leaders might wonder "What if this happens to us?" The answer lies in the preparation happening right now. Most downtime protocols were written for brief system reboots or network outages. They weren’t designed for weeks-long incidents where every digital system has been compromised with a loss of trust preventing recovery to production.
Relying on paper charts and manual workflows for extended periods isn't a sustainable plan. Building cyber resilience now, before an attack occurs, is the only way to ensure that if your organization has to go analog, you have a tested and validated path back to digital operations.
The episode of The Pitt that felt uncomfortable to watch? That's not a worst-case scenario. For many healthcare organizations, it's becoming a realistic possibility. The question is whether your organization will be prepared.