Company · Jun 16, 2026 · 14 min read

Your Disaster Recovery Budget Is Solving Yesterday's Problem


One hundred thirty health systems were hit by cyberattacks in a single 90-day period in 2025. I don't share that number to alarm you. I share it because it's the clearest possible signal that the threat landscape has fundamentally changed and most organizations' contingency plans haven't caught up.

I was talking recently with Christian Lindmark, the CTO at Stanford Health Care. He said he doesn't worry as much anymore about losing a data center. Twenty or thirty years ago, that was a legitimate concern. Server rooms of that era were genuinely fragile. The industry responded by moving workloads into world-class colocation facilities. That largely solved the problem.

But in solving it, we kept the contingency planning. We kept the expensive disaster recovery (DR) environments, the real-time storage replication, the geographic separation, and the after-hours failover drills. We've been optimizing that capability ever since, while a completely different kind of threat has become the dominant concern.

The question Christian and I kept returning to: why are we still architecting our resilience strategy around a threat we're rarely experiencing, when the threat we're actually facing gets a fraction of that investment?

What a Cyberattack Actually Takes From You

This distinction matters more than almost anything else in this conversation.

When a tornado hits your data center, your infrastructure is damaged but your trust in the environment remains intact. You know what happened. You can fail over into a known-good environment and pick up where you left off. That's what your disaster recovery site was built for and it works well for that purpose.

A ransomware attack is fundamentally different. The infrastructure is largely fine. Everything is physically where it was. What's been destroyed is your ability to trust any of it, because you don't know what the attackers modified. Mandiant describes this as the "loss of trust," and it changes everything about how recovery has to work.

Mandiant's M-Trends 2026 report makes the current threat explicit. Sophisticated ransomware operators have evolved well beyond encryption and data theft. They now prioritize a structured takeover of what Mandiant calls the "trusted service infrastructure": identity services, virtualization management, and especially backup infrastructure. The goal isn't just to lock your files. It's to destroy your ability to recover.

The path to total compromise almost always begins with identity. Mandiant documented 2025 attacks in which threat actors exploited misconfigured Active Directory Certificate Services to create accounts impersonating administrators, stole entire AD databases in single operations, and then weaponized Group Policy Objects to push ransomware across thousands of endpoints simultaneously. This turned the organization's own management fabric into a distribution engine.

They targeted backup infrastructure next, mapping configurations and deleting backup copies systematically. In cases where data survived on immutable storage, the management plane was gone—and it required weeks of vendor engagement just to begin recovery.

Why Your DR Environment Probably Can't Save You

Here's the part that makes everyone, including me, a little uncomfortable. I spent years helping organizations build disaster recovery infrastructure and I understand what that investment represents.

The trust relationship that makes your DR environment useful in a physical disaster is the exact same trust relationship that makes it untrustworthy in a cyber event. They share the same identity fabric. So if an attacker has achieved domain administrator privileges in your production environment, your DR environment is almost certainly compromised too.

When identity is fundamentally compromised, defenders can't simply reset passwords, because the attacker holds the cryptographic keys needed to complete the reset. The result is often a forced greenfield recovery in which a new Active Directory forest has to be built from scratch. Mandiant notes that this form of recovery imposes a staggering operational tax as timelines stretch from days to weeks.

The situation is compounded by re-compromise risk: in documented cases, attackers embedded persistence mechanisms into hypervisor templates so that restoring systems from what appeared to be trusted sources redeployed attacker-controlled backdoors. The organization's own recovery process became a distribution mechanism for the threat.

Mandiant's framework for "Active Resilience" is explicit on this point: a single control plane bypass can result in an unrecoverable event when the recovery fabric shares the fate of the production environment. The recovery path has to be architecturally severed from the attack surface.

A Different Way to Think About the DR Investment

Christian's framing is the most practical way I've found to approach this because it doesn't require starting from scratch or going back to the board for a major capital commitment.

His observation was simple: the investment in DR environments was built around a mindset that made sense when physical infrastructure was genuinely fragile. That mindset has diminishing returns today. What he started asking was whether health systems could redirect some of that ongoing investment toward something that actually addresses the threat they're most likely to face.

Instead of building a purpose-built Isolated Recovery Environment (IRE) from scratch, you split your existing DR environment into two distinct personas. You keep the portion designed for fast physical failover, because physical events still happen. But you carve out a small portion and treat it as something fundamentally different.

The critical insight is about what kind of separation actually matters. In a physical disaster, you need geographic distance. In a cyber event, you need security distance. An IRE could sit in racks right next to your production environment and still serve its purpose, as long as it has its own identity fabric, its own hardened access controls, and its own connection to logically air-gapped backup data, completely divorced from the corporate Active Directory an attacker has already compromised.

Mandiant is specific here: integrating backup platforms with corporate Active Directory means a single compromised credential can delete both production and recovery data. An attacker with Domain Admin credentials can un-configure anything your IT team configured. If you can build it, they can destroy it. A recent incident made this concrete: a nation-state actor compromised the identity control plane of a manufacturing organization, logged in as an authenticated backup administrator, and was still unable to delete data from the organization's Rubrik deployment. That outcome was the result of secure-by-design architecture that anticipated this scenario in advance.

Starting Without Boiling the Ocean

Here's where organizations get stuck. The instinct is to conduct a full business impact analysis, document every application, and issue an RFP for an external firm to build a comprehensive IRE. That approach usually produces 18 to 24 months of consulting before anything is actually built, which is a difficult expenditure to justify when operating margins are already under pressure.

Start from the bottom up instead. Begin with a single question: what does it take to recover Tier Zero?

Tier Zero is identity: Active Directory, DNS, DHCP, the Global Catalog. Nothing else runs without identity. You stand up the smallest viable nucleus of an isolated environment, connect it to your vaulted backup data, and practice recovering identity. You measure how long it takes. You document what breaks. You reset to factory defaults and run it again. The moment a Tier Zero recovery drill completes on a Thursday afternoon without anyone needing to lift a finger, you have achieved meaningful, provable risk reduction. Then you build the automation to recover the next critical application. At every step, you're getting real return on the effort invested and building the muscle memory that can't be created any other way.
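The Tier Zero drill described above, together with the "security distance" test from the previous section, as an added example that is not from this post, from Stanford Health Care or from Rubrik: a PowerShell script run inside the isolated recovery environment once the identity nucleus has been restored from vaulted backups. It times the drill, records which checks fail so they can be documented, and first confirms the recovery forest is actually divorced from production (no forest trusts, production domain not resolvable). The domain names, DHCP server name, report path and the assumption that the restore start time is passed in are all placeholders; the commands themselves (Get-ADTrust, Get-ADDomainController, Resolve-DnsName, Test-NetConnection, Get-DhcpServerv4Scope, dcdiag) are standard Windows tooling.

```powershell
#Requires -Modules ActiveDirectory, DnsClient
<#
  Tier Zero recovery drill validator (added example; names below are placeholders).
  Run inside the IRE after the domain controller restore completes. It answers
  the three questions the drill is meant to answer: is the recovery forest really
  isolated, did identity actually come back, and how long did it take?
#>
param(
    [string]$IreDomain        = 'ire.example.invalid',        # placeholder: recovery forest
    [string]$ProductionDomain = 'corp.example.invalid',       # placeholder: compromised prod forest
    [string]$DhcpServer       = 'dhcp01.ire.example.invalid', # placeholder: restored DHCP host
    [datetime]$RestoreStarted = (Get-Date).AddMinutes(-30),   # assumption: caller records kickoff time
    [string]$ReportPath       = '.\tier0-drill-report.json'
)

$results = [System.Collections.Generic.List[object]]::new()

# Runs one check, capturing pass/fail, elapsed time and any error text so a
# broken step is documented rather than aborting the whole drill.
function Invoke-DrillCheck {
    param([string]$Name, [scriptblock]$Test)
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try   { $ok = [bool](& $Test); $detail = '' }
    catch { $ok = $false;          $detail = $_.Exception.Message }
    $sw.Stop()
    $results.Add([pscustomobject]@{
        Check = $Name; Passed = $ok
        Seconds = [math]::Round($sw.Elapsed.TotalSeconds, 1); Detail = $detail })
}

# --- Isolation: security distance, not geographic distance ------------------
Invoke-DrillCheck 'IRE forest has no trusts to any other forest' {
    @(Get-ADTrust -Filter * -Server $IreDomain).Count -eq 0
}
Invoke-DrillCheck 'Production domain is not resolvable from the IRE' {
    -not (Resolve-DnsName -Name $ProductionDomain -ErrorAction SilentlyContinue)
}

# --- Tier Zero: identity, DNS, Global Catalog, DHCP --------------------------
Invoke-DrillCheck 'A domain controller answers for the IRE domain' {
    $dc = Get-ADDomainController -Discover -DomainName $IreDomain -ForceDiscover
    -not [string]::IsNullOrEmpty("$($dc.HostName)")
}
Invoke-DrillCheck 'DNS publishes DC SRV records' {
    @(Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$IreDomain" -Type SRV -ErrorAction Stop).Count -gt 0
}
Invoke-DrillCheck 'Global Catalog listening on TCP 3268' {
    $gc = (Get-ADForest -Server $IreDomain).GlobalCatalogs | Select-Object -First 1
    (Test-NetConnection -ComputerName $gc -Port 3268 -WarningAction SilentlyContinue).TcpTestSucceeded
}
Invoke-DrillCheck 'DHCP scopes restored' {
    Import-Module DhcpServer -ErrorAction Stop   # RSAT DHCP tools; failure is recorded, not fatal
    @(Get-DhcpServerv4Scope -ComputerName $DhcpServer -ErrorAction Stop).Count -gt 0
}
Invoke-DrillCheck 'dcdiag reports no failures' {
    $out = dcdiag /q 2>&1                        # /q prints only errors: empty output means clean
    [string]::IsNullOrWhiteSpace(($out | Out-String))
}

# --- Report: the number you take back to the board is IdentityRtoMin --------
$report = [pscustomobject]@{
    Drill          = 'Tier Zero (identity) recovery'
    RunAt          = (Get-Date).ToString('o')
    IdentityRtoMin = [math]::Round(((Get-Date) - $RestoreStarted).TotalMinutes, 1)
    Passed         = (@($results | Where-Object { -not $_.Passed }).Count -eq 0)
    Checks         = $results
}
$report | ConvertTo-Json -Depth 4 | Set-Content -Path $ReportPath
$results | Format-Table -AutoSize
"Identity RTO: $($report.IdentityRtoMin) min; overall: $(if ($report.Passed) { 'PASS' } else { "FAIL, see $ReportPath" })"
```

Keep each drill's JSON report; the IdentityRtoMin series across runs is the measurable risk reduction the section describes, and the Detail column of the failed checks is the "document what breaks" list for the next iteration. The isolation checks deliberately run first: if the IRE can resolve or trust the production forest, a clean Tier Zero result says nothing about surviving an attacker who already holds Domain Admin there.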

You will learn more from a stumbling first drill than from months of planning, and at every stage you're reducing real risk rather than producing documentation.

Where This Leaves Us

Traditional disaster recovery still has a place. Physical events happen and the infrastructure you've built for fast failover retains real value. What Mandiant's frontline investigations make clear is that sophisticated ransomware operators have specifically engineered their attacks to destroy your ability to recover using the tools you've built for physical disasters. The identity control plane is the primary target. Backup infrastructure is targeted deliberately. If your DR environment shares the same identity fabric as production, it cannot be trusted in a cyber event.

Building a trustworthy isolated recovery capability, training your team to use it, and developing the automation to run reliable drills, all within the constraints of a stretched budget and an overloaded team, is genuinely hard work. There's no shortcut that makes it easy. But after hundreds of ransomware recoveries in healthcare, there is a real and growing body of knowledge about what works. The path forward doesn't require perfection. It requires a start.

If you'd like to talk through what a practical 12-month cyber resilience roadmap could look like for your organization, grounded in experience from real recoveries and accounting for the people and process dimensions alongside technology, I'd be glad to have that conversation.

Data and findings referenced throughout this post are drawn from Mandiant's M-Trends 2026 Special Report. The conversation with Christian Lindmark was conducted as part of the Building Cyber Resilience in Healthcare video series.
