Whitepaper · 2026

The Healthcare Ransomware Playbook

Lessons from 14 healthcare incidents — from biomedical device entry to clinical-care continuity. Where attackers got in, what worked, and what we will do differently.

Rick Azoy · Chief AI Officer & Chief Information Security Officer, WIT ONE · January 2026 · 30 min read · 36 pages
Abstract

Healthcare ransomware is no longer a pure IT event. The attacker's playbook now anticipates clinical workflow disruption — diversion, downtime documentation, paper ordering — and prices its demand against the hospital's continuity-of-care window.

This paper is drawn from fourteen ransomware incidents WIT ONE's incident-response practice supported between 2024 and 2026. The pattern that emerged is consistent enough to build a playbook around: where the attackers got in, how the decision tree differs from a generic enterprise, and what the successful responses had in common.

01 The pattern across 14 incidents

Three recurring observations across the cohort:

  • Biomedical devices were the access path in 6 of 14. Infusion pumps, imaging consoles, and lab analyzers — all sat on flat networks, all spoke unauthenticated DICOM / HL7 / FTP, and at least one had a default vendor password documented online.
  • Median dwell time was 9 days, not the industry-quoted 16. Healthcare-targeted operators move faster. They know the decision-makers want clinical operations restored before the news cycle peaks.
  • The first 48 hours decide the cost of the year. Hospitals that activated their continuity-of-care plan on day 0 (not day 2) had measurably shorter diversion windows and lower regulatory exposure.

02 Entry points, ranked

  1. Biomedical devices on the clinical VLAN (43%). Vendor-imposed flat networks; unsegmentable without breaking workflow; little to no EDR coverage.
  2. Third-party clinical applications (21%). SaaS RIS, LIS, and pharmacy systems with overprivileged integration credentials.
  3. Phishing of clinical staff (14%). Lower rate than other industries — clinical staff are time-pressured but aware. The successful phish was almost always a payroll/HR pretext.
  4. Vendor remote-access (14%). Persistent contractor connections to imaging or monitoring vendors, rarely revoked when the engagement ended.
  5. Public-facing service exploit (7%). Citrix / VPN concentrators with patches deferred for clinical reasons.

03 The first-48-hours decision tree

Hour 0 — Detection

The signal is rarely a ransomware note. It is volume of failed logins, unexpected lateral movement, or a single abnormal SMB write to a clinical share. The SOC's job is to escalate fast enough that clinical leadership is in the room before the encryption begins.
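The three hour-0 signals named above (a burst of failed logins, one source logging on to many hosts, a write to a clinical share from a host that never writes there) can be turned into escalation triggers. The block below is an added example, not code from the paper or from WIT ONE: it parses a handful of constructed, syslog-like lines and returns the findings a SOC would escalate to clinical leadership. The log format, field names, thresholds and the baseline list of clinical-share writers are all assumptions.

```python
"""Escalation triggers for the hour-0 signals: failed-login bursts,
lateral movement, and unbaselined writes to a clinical share.
Added example; log format, thresholds and baselines are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (invented for this example, not real telemetry).
SAMPLE_LOG = """\
2026-01-12T03:14:05Z auth_fail src=10.20.4.17 user=jsmith
2026-01-12T03:14:09Z auth_fail src=10.20.4.17 user=rpatel
2026-01-12T03:14:12Z auth_fail src=10.20.4.17 user=admin
2026-01-12T03:14:14Z auth_fail src=10.20.4.17 user=backup
2026-01-12T03:14:16Z auth_fail src=10.20.4.17 user=svc_pacs
2026-01-12T03:14:19Z auth_fail src=10.20.4.17 user=svc_lis
2026-01-12T03:15:02Z auth_ok src=10.20.4.17 user=svc_pacs dst=pacs01
2026-01-12T03:15:40Z auth_ok src=10.20.4.17 user=svc_pacs dst=lis01
2026-01-12T03:16:11Z auth_ok src=10.20.4.17 user=svc_pacs dst=rad-ws07
2026-01-12T03:16:55Z auth_ok src=10.20.4.17 user=svc_pacs dst=fileserv02
2026-01-12T03:18:30Z smb_write src=10.20.4.17 share=clinical path=orders/q1.docx
2026-01-12T03:19:02Z smb_write src=10.20.9.5 share=clinical path=orders/q1.docx
2026-01-12T09:00:00Z auth_fail src=10.20.9.5 user=nurse1
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\w+) (?P<kv>.*)$")

# Assumed thresholds; tune them against your own baseline.
FAILED_LOGIN_THRESHOLD = 5                   # failures from one source ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)   # ... inside this window
LATERAL_HOST_THRESHOLD = 3                   # distinct hosts logged on to ...
LATERAL_WINDOW = timedelta(minutes=10)       # ... inside this window
# Assumed baseline: the only workstations that normally write to the clinical share.
CLINICAL_SHARE_WRITERS = {"10.20.9.5", "10.20.9.6"}


def parse(log_text):
    """Turn 'ts event k=v k=v ...' lines into dicts; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fields = dict(kv.split("=", 1) for kv in m.group("kv").split())
        fields["ts"] = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
        fields["event"] = m.group("event")
        events.append(fields)
    return events


def burst(timestamps, threshold, window):
    """True if at least `threshold` timestamps fall inside one `window`-long span."""
    timestamps = sorted(timestamps)
    for i in range(len(timestamps) - threshold + 1):
        if timestamps[i + threshold - 1] - timestamps[i] <= window:
            return True
    return False


def distinct_within(pairs, threshold, window):
    """pairs = (timestamp, value); True if >= threshold distinct values occur
    inside some window-long span starting at one of the timestamps."""
    pairs = sorted(pairs)
    for i, (t0, _) in enumerate(pairs):
        seen = {v for t, v in pairs[i:] if t - t0 <= window}
        if len(seen) >= threshold:
            return True
    return False


def escalation_triggers(events):
    """Return sorted (rule, source, detail) tuples worth paging clinical leadership for."""
    fails = defaultdict(list)
    logons = defaultdict(list)
    alerts = []
    for e in events:
        if e["event"] == "auth_fail":
            fails[e["src"]].append(e["ts"])
        elif e["event"] == "auth_ok":
            logons[e["src"]].append((e["ts"], e["dst"]))
        elif e["event"] == "smb_write" and e.get("share") == "clinical":
            if e["src"] not in CLINICAL_SHARE_WRITERS:
                alerts.append(("clinical_share_write_unbaselined", e["src"], e["path"]))
    for src, ts in fails.items():
        if burst(ts, FAILED_LOGIN_THRESHOLD, FAILED_LOGIN_WINDOW):
            alerts.append(("failed_login_burst", src, len(ts)))
    for src, pairs in logons.items():
        if distinct_within(pairs, LATERAL_HOST_THRESHOLD, LATERAL_WINDOW):
            alerts.append(("lateral_movement", src, len({d for _, d in pairs})))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in escalation_triggers(parse(SAMPLE_LOG)):
        print(alert)
```

On the sample above all three rules fire for the same source, which is the combination the paper describes: the single nurse-workstation failure at 09:00 and the baselined write from 10.20.9.5 produce nothing. The point of the share-write rule is that it is host-based, not content-based, so it fires before any file is renamed or encrypted.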

Hour 1 — The two parallel calls

Two phone calls happen simultaneously. The first to incident-response counsel. The second to the chief medical officer, with one question: “If we have to go to downtime documentation, when?” That answer determines containment latitude.

Hours 2–4 — Containment with clinical priority

Containment in healthcare is not “disconnect everything.” It is a triage: administrative systems get isolated first, non-critical clinical systems next, and clinical-critical systems stay up. EHR is almost never disconnected in the first 4 hours unless active encryption is observed there.

Hours 4–8 — Continuity-of-care activation

Downtime documentation kits, paper ordering, manual patient identification — these are pre-staged or they are not staged at all. The hospitals that performed best had drilled the activation in the previous 12 months.

Hours 8–24 — Communication discipline

Internal communication runs on a non-trusted channel (assume SharePoint and Teams compromised). External communication runs through a single named voice — usually the CMO, sometimes the CEO. Press silence is acceptable; contradictory press is fatal.

Hours 24–48 — Forensics + reporting

Forensic preservation begins in parallel with containment; it does not wait for it. HIPAA breach-notification clocks start when the breach is discovered, or when reasonable diligence would have discovered it; OCR expects evidence that the clock started promptly.

04 What worked across the successful responses

  • Pre-existing relationship with IR counsel and a managed-IR retainer. Sourcing an attorney during the first 12 hours costs the response more than it saves.
  • Drilled continuity-of-care plan. Not a binder. A muscle memory.
  • Network segmentation that survived contact with reality. The plans that worked had been built around clinical workflow, not NIST diagrams.
  • Backup integrity assumed false until proven. Every successful recovery had a clean offline copy and a practiced restore procedure. None of the failed recoveries did.
  • One named clinical leader on every operational call. Tech-only war rooms made clinical-impact decisions they weren't qualified to make.
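"Backup integrity assumed false until proven" means a restore drill has to end with evidence, not with a completed progress bar. The block below is an added example, not code from the paper or from WIT ONE: it records a SHA-256 manifest of an offline copy at backup time, performs a restore into a scratch directory, and re-hashes the result to prove it, reporting mismatched, missing and unexpected files. The directory layout and file contents are constructed here; in practice the manifest is written when the offline copy is taken and stored somewhere the production host cannot modify.

```python
"""Restore-drill verification: hash the offline copy into a manifest, restore,
then re-hash and compare. Added example; paths and contents are constructed."""
import hashlib
import os
import shutil
import tempfile


def sha256_file(path):
    """Stream a file through SHA-256 so large backup members do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path -> sha256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root)] = sha256_file(full)
    return manifest


def verify_restore(manifest, restored_root):
    """Compare a restored tree against the manifest taken from the offline copy."""
    report = {"ok": [], "mismatch": [], "missing": [], "unexpected": []}
    for rel, digest in manifest.items():
        target = os.path.join(restored_root, rel)
        if not os.path.exists(target):
            report["missing"].append(rel)
        elif sha256_file(target) != digest:
            report["mismatch"].append(rel)
        else:
            report["ok"].append(rel)
    # Files that appeared in the restore but were never in the offline copy
    # are a finding too: a restore target is not trusted just because it booted.
    for rel in build_manifest(restored_root):
        if rel not in manifest:
            report["unexpected"].append(rel)
    return report


def restore_drill(tamper=False, drop=False):
    """Run one end-to-end drill in scratch directories; returns (passed, report).

    tamper=True modifies a restored file, drop=True deletes one, so the drill
    can be shown to fail for the reasons it is supposed to catch."""
    with tempfile.TemporaryDirectory() as scratch:
        offline = os.path.join(scratch, "offline_copy")
        restored = os.path.join(scratch, "restored")
        # Constructed sample backup contents (not real clinical data).
        os.makedirs(os.path.join(offline, "ehr", "config"))
        with open(os.path.join(offline, "ehr", "config", "app.ini"), "w") as f:
            f.write("[db]\nhost=ehr-db01\n")
        with open(os.path.join(offline, "ehr", "orders.csv"), "w") as f:
            f.write("id,patient_ref,item\n1,REF-0001,CBC\n")
        manifest = build_manifest(offline)   # taken at backup time, kept off-host
        shutil.copytree(offline, restored)   # stands in for the real restore step
        if tamper:
            with open(os.path.join(restored, "ehr", "orders.csv"), "a") as f:
                f.write("2,REF-0002,BMP\n")
        if drop:
            os.remove(os.path.join(restored, "ehr", "config", "app.ini"))
        report = verify_restore(manifest, restored)
        passed = not (report["mismatch"] or report["missing"] or report["unexpected"])
        return passed, report


if __name__ == "__main__":
    for scenario in ({}, {"tamper": True}, {"drop": True}):
        passed, report = restore_drill(**scenario)
        print(scenario or "clean", "PASS" if passed else "FAIL", report)
```

The drill is only as good as the manifest's provenance: if the manifest lives on the same host as the backup, an attacker who can alter one can alter both, which is why the offline copy and its hashes are kept where production credentials do not reach.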

05 What we will do differently

  • Treat biomedical devices as managed assets, not vendor black boxes. Inventory, baseline, segment.
  • Move backup verification from quarterly to weekly, with restore drills monthly.
  • Assume the EHR vendor will not be available in the first 24 hours. Plan continuity assuming you are on your own; treat their response as upside.
  • Pre-stage downtime documentation kits physically, in clinical units, refreshed quarterly.
  • Run a tabletop with the CMO at the table every six months. Not a board game. A real one, with the same vendors that would be on the real call.

06 Closing

The healthcare ransomware playbook is not a security document. It is an operational continuity document with a security incident at its center. The hospitals that recover fastest treat it as such — and the ones that don't lose patients, not just data.

About the author
Rick Azoy
Chief AI Officer & Chief Information Security Officer, WIT ONE

Rick Azoy is the Chief AI Officer and Chief Information Security Officer at WIT ONE, where he leads the engineering of WIT OS — the Enterprise AI Operating System. He has spent two decades building production cybersecurity, AI, and cloud-operations platforms across regulated industries, with a working focus on agent orchestration, runtime AI security, and sovereign retrieval architectures.
