Ransomware incidents in healthcare are categorically different from ransomware in any other sector. Encrypted systems do not just disrupt operations — they disrupt care delivery. Medication administration, imaging, lab results, diagnosis history, appointment scheduling, and patient communications can all go dark simultaneously. Patients get diverted. Surgeries get postponed. Outcomes are affected. The Change Healthcare incident in 2024 and the ongoing wave of regional hospital system attacks have made clear that every practice — not just hospitals — needs a rehearsed response plan.
This article lays out the first 72 hours as a playbook. It is not a substitute for a tabletop exercise with your clinical and legal leadership, but it is a starting framework.
Hour 0: Recognition and Declaration
Ransomware becomes evident in one of a few ways: file extensions change on a shared drive, a ransom note appears on endpoints, the EHR becomes unresponsive, or a security tool fires a high-severity alert. The first decision is declaration — formally activating the incident response plan. This is a one-way door. Declaring earlier is always safer than declaring later.
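As an added example (not code from the original article), the following script turns two of the recognition signs just listed, mass renames to an unfamiliar extension and a ransom-note file appearing, into detection logic over file-share audit events. The event format, share paths, thresholds and every line in the samples are constructed for illustration.

```python
"""Added example, not from the original article: a small detector that flags
mass renames to an unfamiliar extension and ransom-note files appearing in
file-share audit events. Every event line below is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Extensions normally seen on this (hypothetical) clinical share; anything
# else appearing as a rename target is treated as unfamiliar.
EXPECTED_EXTENSIONS = {".docx", ".pdf", ".xlsx", ".csv", ".txt", ".jpg", ".dcm", ".hl7"}
# Words that commonly appear in ransom-note filenames, and the extensions
# such notes usually carry.
NOTE_WORDS = ("readme", "decrypt", "restore", "recover", "how_to")
NOTE_EXTENSIONS = {".txt", ".html", ".hta"}
WINDOW = timedelta(minutes=5)   # renames must cluster inside this window...
RENAME_THRESHOLD = 5            # ...and at least this many must target one new extension

# Constructed audit lines: "<ISO timestamp> <action> <path>"; a rename
# carries "<old> -> <new>".
SAMPLE_EVENTS = [
    "2024-05-01T02:09:30 create //fs01/clinical/notes/visit_1006.docx",
    "2024-05-01T02:10:01 rename //fs01/clinical/notes/visit_1001.docx -> //fs01/clinical/notes/visit_1001.docx.lockedx",
    "2024-05-01T02:10:03 rename //fs01/clinical/notes/visit_1002.docx -> //fs01/clinical/notes/visit_1002.docx.lockedx",
    "2024-05-01T02:10:05 rename //fs01/clinical/labs/lab_0430.csv -> //fs01/clinical/labs/lab_0430.csv.lockedx",
    "2024-05-01T02:10:08 rename //fs01/clinical/imaging/img_77.dcm -> //fs01/clinical/imaging/img_77.dcm.lockedx",
    "2024-05-01T02:10:12 rename //fs01/clinical/notes/visit_1003.docx -> //fs01/clinical/notes/visit_1003.docx.lockedx",
    "2024-05-01T02:10:15 rename //fs01/clinical/notes/visit_1004.docx -> //fs01/clinical/notes/visit_1004.docx.lockedx",
    "2024-05-01T02:10:20 create //fs01/clinical/notes/README_DECRYPT.txt",
]

# Constructed benign activity: a single unfamiliar extension and a document
# whose name contains "restore" should not fire.
BENIGN_EVENTS = [
    "2024-05-01T09:00:00 rename //fs01/billing/draft_q1.xlsx -> //fs01/billing/final_q1.xlsx",
    "2024-05-01T09:01:00 create //fs01/billing/restore_notes.docx",
    "2024-05-01T09:02:00 rename //fs01/billing/old.pdf -> //fs01/billing/old.pdf.bak",
]


def parse_event(line):
    ts, action, rest = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), action, rest


def extension(path):
    """Last extension of the file name, lowercased; '' when there is none."""
    name = path.rsplit("/", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def detect(lines, window=WINDOW, threshold=RENAME_THRESHOLD):
    """Return alerts for ransom-note creations and clustered renames."""
    alerts = []
    renames_by_ext = defaultdict(list)   # new extension -> rename timestamps
    for line in lines:
        ts, action, rest = parse_event(line)
        if action == "rename" and " -> " in rest:
            new_path = rest.split(" -> ", 1)[1]
            ext = extension(new_path)
            if ext and ext not in EXPECTED_EXTENSIONS:
                renames_by_ext[ext].append(ts)
        elif action == "create":
            name = rest.rsplit("/", 1)[-1].lower()
            if extension(name) in NOTE_EXTENSIONS and any(w in name for w in NOTE_WORDS):
                alerts.append({"kind": "ransom_note", "at": ts.isoformat(), "detail": rest})
    for ext, stamps in renames_by_ext.items():
        stamps.sort()
        # Sliding window: `threshold` renames to one unfamiliar extension within `window`.
        for i in range(len(stamps) - threshold + 1):
            if stamps[i + threshold - 1] - stamps[i] <= window:
                alerts.append({"kind": "mass_rename", "at": stamps[i].isoformat(),
                               "detail": f"{len(stamps)} files renamed to {ext}"})
                break
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Both signals are deliberately cheap to compute from audit data the file server already emits, which is what makes them usable as a first-hour trigger for the declaration step the article describes.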
Whoever first identifies the event should call the incident commander (CIO, practice administrator, or whoever owns the IR plan) immediately. Do not email — attackers may be watching email. Use a pre-agreed out-of-band channel: cell phones, Signal, a physical phone tree.
Hour 0–1: Containment
Goal: stop the spread. The order matters:
- Isolate network segments. Disconnect affected subnets from the rest of the network. Clinical VLANs get priority protection — if the attack is in billing, you keep clinical running.
- Disable shared drives. File shares are the fastest vector for lateral spread.
- Disconnect backups. Modern ransomware specifically targets backup systems. If you can air-gap or pause replication within minutes, do it.
- Do not shut down affected endpoints. Memory-resident forensic evidence is lost on shutdown. Isolate them at the network layer instead.
- Preserve the ransom note. Screenshot it. Do not click any links.
Hour 1–4: Clinical Continuity
Activate EHR downtime procedures. Every practice should have written downtime procedures for each clinical workflow — medication administration via paper MAR, lab order routing via fax, scheduling via paper slips, prior auth via phone. If your downtime procedures have not been drilled in the last 12 months, you will discover gaps during the event, which is the worst possible time.
Clinical leadership makes the diversion decision. If patient safety cannot be assured at current census, divert incoming patients. This is not an IT decision.
Hour 4–24: Reporting Clocks Start
Several clocks start running, some immediately, some once scope is understood:
- Cyber insurance carrier: call within hours. Most policies require prompt notice, and the carrier's breach coach — an outside counsel with attorney-client privilege protection — should be guiding your response from hour one.
- FBI / CISA: voluntary but recommended. CISA has a dedicated healthcare sector contact; for the FBI, contact your local field office. Law enforcement engagement preserves options and may support decryption.
- HHS OCR: the 60-day breach notification clock starts the day you discover the breach (or reasonably should have known of it), not the day you confirm scope. If 500+ individuals are affected, notification to HHS and media must happen within 60 days.
- State Attorneys General: varies by state; Texas, Oklahoma, and New York all have overlapping obligations. See our healthcare compliance coverage for state-by-state timing.
Ransomware is presumptively a breach under HIPAA unless you can demonstrate a low probability that ePHI was compromised through the four-factor risk assessment. Assume breach notification is required until forensic evidence shows otherwise.
Hour 24–48: Forensics and Scope
Bring in a digital forensics and incident response (DFIR) firm. Do not do this yourself unless you have dedicated DFIR staff. Key questions the forensics team answers:
- How did the attacker get in? (Almost always: phishing, exposed RDP, or compromised vendor credentials)
- When did they get in? (Often weeks or months before encryption)
- What did they access? (This drives breach notification scope)
- Did they exfiltrate data? (Double-extortion ransomware — pay for decryption AND non-publication)
- Are they still in the environment?
The forensic timeline determines breach-notification scope. If data was exfiltrated, every individual whose PHI was in the exfiltrated data set must be notified.
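As an added example (not part of the original article), the script below reconstructs answers to the five forensic questions from a constructed log set: first successful remote login from outside the network, privileged-group additions, large outbound transfers before encryption, and external logins after encryption. The log format, account names, hosts and addresses are all made up; the RFC 5737 ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for attacker-controlled addresses.

```python
"""Added example, not from the original article: answer the forensic scope
questions (how, when, what, exfiltration, still present) from constructed
log lines. Format, accounts, hosts and addresses are all made up."""
import ipaddress
from datetime import datetime

INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
EXFIL_BYTES = 1 << 30   # a single 1 GiB+ outbound transfer to an external host is worth a look
PRIVILEGED_GROUPS = {"Domain_Admins", "Enterprise_Admins"}

# Constructed events: "<ISO timestamp> <source> <event> key=value ..."
SAMPLE_LOG = [
    "2024-03-18T09:00:00 vpn login user=rnurse src=10.20.5.14 result=success",
    "2024-03-20T22:14:05 vpn login user=jdoe src=203.0.113.45 result=failure",
    "2024-03-20T22:14:40 vpn login user=jdoe src=203.0.113.45 result=success",
    "2024-03-25T01:02:11 ad group_add user=svc_backup group=Domain_Admins actor=jdoe",
    "2024-05-10T03:30:00 proxy outbound src=10.20.8.3 dst=198.51.100.7 bytes=48000000000",
    "2024-05-11T04:00:00 proxy outbound src=10.20.8.3 dst=10.20.9.9 bytes=90000000000",
    "2024-05-12T02:10:40 edr mass_rename host=fs01 ext=.lockedx count=1200",
    "2024-05-12T09:00:00 vpn login user=svc_backup src=203.0.113.45 result=success",
]


def parse(line):
    ts, source, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"ts": datetime.fromisoformat(ts), "source": source, "event": event, **fields}


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def build_timeline(lines):
    events = sorted((parse(line) for line in lines), key=lambda e: e["ts"])
    # When were files encrypted? First mass-rename detection.
    enc = next((e for e in events if e["event"] == "mass_rename"), None)
    enc_ts = enc["ts"] if enc else None
    # How and when did they get in? First successful login from an external address.
    ext_logins = [e for e in events
                  if e["event"] == "login" and e.get("result") == "success" and is_external(e["src"])]
    initial = ext_logins[0] if ext_logins else None
    # Privilege escalation: additions to privileged groups.
    priv = [e for e in events if e["event"] == "group_add" and e.get("group") in PRIVILEGED_GROUPS]
    # Did they exfiltrate? Large outbound transfers to external hosts up to the encryption time.
    exfil = [e for e in events
             if e["event"] == "outbound" and is_external(e["dst"])
             and int(e["bytes"]) >= EXFIL_BYTES
             and (enc_ts is None or e["ts"] <= enc_ts)]
    # Are they still in the environment? External logins after encryption.
    after = [e for e in ext_logins if enc_ts is not None and e["ts"] > enc_ts]
    return {
        "initial_access": initial["ts"].isoformat() if initial else None,
        "initial_access_account": initial["user"] if initial else None,
        "encryption": enc_ts.isoformat() if enc_ts else None,
        "dwell_days": (enc_ts - initial["ts"]).days if (initial and enc_ts) else None,
        "privilege_escalation": [(e["ts"].isoformat(), e["user"], e["group"]) for e in priv],
        "exfiltration_suspected": bool(exfil),
        "exfil_bytes": sum(int(e["bytes"]) for e in exfil),
        "attacker_active_after_encryption": bool(after),
        "accounts_to_treat_as_compromised": sorted({e["user"] for e in ext_logins} | {e["user"] for e in priv}),
    }


if __name__ == "__main__":
    for key, value in build_timeline(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log this yields a 52-day dwell, a suspected exfiltration of 48 GB before encryption, and an external login after encryption. The internal 90 GB transfer is ignored because its destination is inside the network; on a real DFIR engagement the same questions are answered from many more sources (VPN, EDR, proxy, AD audit, firewall) but the structure of the answer is the same.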
Hour 48–72: The Payment Decision
This is not a technical decision. It is a business, legal, and ethical decision, made by the executive team with counsel. Considerations:
- Does payment restore data? Historical data suggests ~60% of paying victims recover most of their data, while ~40% recover only part of it or none at all.
- OFAC sanctions risk. Paying a sanctioned threat actor is a federal crime. Your breach coach and insurance carrier will run an OFAC check before any payment.
- Double extortion. If the attacker has exfiltrated data, paying for the decryptor does not stop them from publishing the data. The "non-publication" payment is a separate negotiation.
- Time to recover without payment. If backups are intact and verified, restoration is almost always faster and always safer than payment.
Hour 48–72: Recovery
Recovery is rebuilding from a known-good state. For most practices this means:
- Rebuild domain controllers and identity infrastructure first — attackers almost always compromise AD
- Restore endpoints from bare-metal images, not from the compromised OS
- Restore data from offline / immutable backups, scanned for dormant malware
- Rotate every credential, including service accounts, API keys, and vendor credentials
- Deploy enhanced monitoring before bringing users back online
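The restore-from-immutable-backups step above, and the "tested restores" item under preparation below, both depend on being able to prove that what came back matches what was backed up. As an added example (not code from the original article), this script builds a SHA-256 manifest from a known-good snapshot and checks a restored file set against it, surfacing altered files and files the backup never contained. Paths and file contents are constructed.

```python
"""Added example, not from the original article: verify a restored data set
against a hash manifest captured from a known-good backup so that modified
or unexpected files surface before the share goes back into service.
File paths and contents are constructed."""
import hashlib


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def build_manifest(files):
    """files: {relative_path: bytes}. Keep the manifest with the offline or
    immutable copy, never on the live share an attacker could reach."""
    return {path: sha256_hex(data) for path, data in files.items()}


def verify_restore(manifest, restored):
    """Compare a restored file set against the manifest. 'unexpected' lists
    files present after restore that the manifest never recorded; those are
    what a dormant-malware scan should examine first."""
    report = {"ok": [], "missing": [], "mismatched": []}
    for path, expected in manifest.items():
        if path not in restored:
            report["missing"].append(path)
        elif sha256_hex(restored[path]) != expected:
            report["mismatched"].append(path)
        else:
            report["ok"].append(path)
    report["unexpected"] = sorted(set(restored) - set(manifest))
    report["safe_to_promote"] = not (report["missing"] or report["mismatched"] or report["unexpected"])
    return report


# Constructed known-good snapshot, as captured at the last verified backup.
KNOWN_GOOD = {
    "clinical/notes/visit_1001.docx": b"visit note 1001 (constructed)",
    "clinical/notes/visit_1002.docx": b"visit note 1002 (constructed)",
    "clinical/labs/lab_2024-04-30.csv": b"mrn,test,result\n1001,CBC,normal\n",
    "clinical/imaging/img_77.dcm": b"DICM constructed placeholder",
}
MANIFEST = build_manifest(KNOWN_GOOD)

# Constructed restore candidate: one file altered, one file that was never
# in the backup and therefore needs review before the share is promoted.
RESTORED = dict(KNOWN_GOOD)
RESTORED["clinical/labs/lab_2024-04-30.csv"] = b"mrn,test,result\n1001,CBC,abnormal\n"
RESTORED["clinical/notes/svchost_update.exe"] = b"MZ constructed placeholder"


if __name__ == "__main__":
    for key, value in verify_restore(MANIFEST, RESTORED).items():
        print(f"{key}: {value}")
```

The decisive design point is where the manifest lives: if it sits beside the data on the same share, an attacker who can encrypt the data can rewrite the manifest, and the check proves nothing. Run the same verification as part of the periodic restore drill, not only during an incident.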
What Preparation Looks Like Before an Event
The 72-hour playbook runs well only when the preparation is done. Minimum preparation:
- Immutable / offline backups with tested restores
- EHR downtime procedures rehearsed in the last 12 months
- Incident response retainer with a DFIR firm
- Cyber insurance with healthcare-specific coverage
- Out-of-band communication plan (do not assume email works)
- Tabletop exercise including clinical leadership, not just IT
Lessons From Recent Healthcare Ransomware Incidents
The pattern across major healthcare ransomware events in 2023 and 2024 is consistent. Initial access was most commonly via phishing, exposed remote access, or compromised third-party vendor credentials. Dwell time — the period between initial compromise and encryption — was typically 2 to 8 weeks, during which attackers mapped the environment, elevated privileges, and exfiltrated data. Backups were specifically targeted, with shadow copies deleted and backup appliances compromised. Restoration took 2 to 6 weeks in cases where backups survived; substantially longer where they did not.
The operational impact in every case exceeded the ransom demand. Revenue losses, diverted patient volume, overtime for clinical and technical staff, forensic costs, legal fees, breach notification costs, and credit monitoring for affected individuals collectively run into the tens of millions for even mid-sized incidents.
Communication During the Event
Communication is a separate workstream that needs to run in parallel with technical response. Key audiences:
- Staff: what to tell patients at check-in, how to handle phones, what can and cannot be discussed externally
- Patients: appointment rescheduling, portal downtime notification, reassurance about care continuity
- Referral partners: notification that incoming referrals may be affected, alternative routing
- Media: prepared statement if the event becomes public; all media inquiries routed through a single spokesperson
- Regulators: as the investigation progresses, regular updates to HHS, state AG, and others as required
Pre-draft communication templates now. Writing them during the event adds delay and risk.
If you want a practical walkthrough of ransomware readiness for your practice, schedule a consultation with our healthcare IT team. We run tabletop exercises designed for clinical leadership, not just technical staff.
About the Author
Team Techvera
Articles written collaboratively by the Techvera team, combining expertise across cybersecurity, managed services, and digital transformation.
