
Preparing EHR systems for ransomware attacks

Experts weigh in on how proactive cybersecurity planning protects your patients.

Healthcare is among the most targeted industries in the U.S. for ransomware attacks. According to the FBI's Internet Crime Report, the health sector reported 238 ransomware incidents and more than 440 total cyber incidents in 2024 — the highest combined total of any critical infrastructure sector. Recovery costs are also the highest in healthcare, averaging $7.42 million per incident, according to IBM's 2025 Cost of a Data Breach Report.

The impact goes beyond financial loss. In May 2024, a ransomware attack on Ascension, one of the largest nonprofit health systems in the country, disrupted EHR access, delayed surgeries, diverted ambulances and led to reported patient harm due to communication breakdowns and missing safety checks. 

"Cybersecurity is really a patient safety issue, not just a technical one," said Theresa Meadows, CIO-in-Residence at symplr and former CIO of Cook Children's Health Care System. "If we think of it that way, we'll prioritize mitigation strategies that protect patients, not just systems."

When the EHR goes down, patient care can quickly be compromised. Building a ransomware-resilient EHR must become a core element of patient safety planning.

Planning for healthcare cyberattacks

Cybersecurity planning should begin with patient care in mind. "What matters most is that patient data remains accessible and patient care continues even if the technology fails," said Lee Kim, senior principal of cybersecurity and privacy at HIMSS.

Meadows advised starting with a risk assessment. "What's the risk of the EHR being down and how long can the organization be without the EHR?" she said. From there, organizations should identify the top 10 processes that must continue without digital support. These may include registration, medication labeling and internal communication.  

"You don't know the patients' names, the nurse's schedule or how to find the physician because it's all in the EHR," Meadows said. 

When preparing for a downtime, plan for an extended outage. "The average downtime during a cyber event is 30 days. The first few hours you kind of know what you're doing, but the longer it goes the harder it becomes," Meadows said. This guideline coincides with Joint Commission recommendations for a four-week downtime preparedness plan in the event of a cyberattack. 

Rehearsing these plans is essential. "Hospitals must have well-defined downtime procedures… Staff should regularly rehearse downtime scenarios through tabletop exercises," said Kim. Tabletop exercises should cover all aspects of response — communication scripts, technical isolation plans and recovery workflows. 

Building resilient EHR architectures

System resilience can reduce the impact of ransomware and speed recovery. 

"Building resilience requires redundancy across networks, backups and systems, as well as robust network segmentation to limit attacker movement," Kim said. "Backups must also be regularly tested and validated to ensure they are usable when needed."

Isolating compromised devices without taking down the full EHR is critical. 

"If a cyberattack comes from a medical device, can you cut that off without taking down the EHR?" Meadows asked. 

Some organizations also implement redundancies in the form of alternate EHR access. "We built a second instance of the EHR in the cloud… If the on-prem system was down, we could go to a URL and access the EHR remotely," Meadows said.

Still, reliance on cloud systems has risks. "Cloud gives you recoverability, but it can also be a single point of failure. If your AT&T line is cut, you lose access," Meadows said. Kim concurred. "Single points of failure can cripple health systems," she said.

New technologies, especially AI tools, can introduce security risks. When making purchasing decisions, leaders should evaluate where data is stored, whether the vendor can recover from an incident and how the tool fits within their existing capabilities and internal expertise. "Sometimes we want to buy the new shiny object, but we don't have the people to support it," Meadows noted.

For smaller organizations with limited resources, Meadows recommended using the Health Industry Cybersecurity Practices guides. "If you're in a smaller facility and don't have a chief information security officer, pulling down those process guides is a good way to start building your plan," she said.

Incident response: what to do when an attack starts

During an incident, activating the incident response team helps ensure coordination and clear communication. "While IT figures out what's happening, someone needs to be talking to clinicians and staff," Meadows said.

The next step is assessing the extent of the compromise and segmenting. "Affected systems should be isolated quickly to contain the threat," Kim said. Disaster planning documentation should guide the process, including the order of system recovery. "Maybe the EHR isn't the most important. Maybe phones are and the EHR is second," Meadows said.

Recovery from backups should be deliberate and secure. "Restoration should only be from the last known clean version, with validation before going live," Kim said.
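Kim's two points about backups, that they must be tested and validated before they are needed and that restoration should come only from the last known clean version, together with Meadows' remark that recovery follows a documented order rather than defaulting to the EHR first, can be made concrete in code. The following is an added example, not code from the article or from any vendor named in it. It models a hypothetical backup catalog in which each snapshot carries the integrity digest recorded when it was written; a snapshot counts as usable only if it still matches that digest and was taken before the time the incident response team believes the compromise began. The compromise time, the recovery order, the tolerable data loss (`RPO`) and every catalog entry are constructed values for illustration.

```python
import hashlib
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class BackupSnapshot:
    """One entry in a hypothetical backup catalog."""
    system: str            # e.g. "ehr", "phones"
    taken_at: datetime     # when the snapshot was written
    payload: bytes         # constructed stand-in for the archive contents
    recorded_sha256: str   # digest written to the catalog at backup time


@dataclass(frozen=True)
class RecoveryStep:
    system: str
    snapshot_taken_at: Optional[datetime]
    status: str            # "restore", "stale" or "missing"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_snapshot(system: str, taken_at: datetime, content: bytes) -> BackupSnapshot:
    """Constructed helper: catalog a snapshot together with a correct digest."""
    return BackupSnapshot(system, taken_at, content, sha256_hex(content))


def snapshot_is_valid(snap: BackupSnapshot) -> bool:
    """Validation step: the archive must still match what the catalog recorded."""
    return sha256_hex(snap.payload) == snap.recorded_sha256


def last_known_clean(snapshots: Iterable[BackupSnapshot], system: str,
                     compromise_suspected_at: datetime) -> Optional[BackupSnapshot]:
    """Newest snapshot of `system` taken before the suspected compromise that still verifies.
    Anything taken after that time may already carry the attacker's changes or encrypted
    files, so it is never a restore candidate, however recent it is."""
    candidates = [
        s for s in snapshots
        if s.system == system
        and s.taken_at < compromise_suspected_at
        and snapshot_is_valid(s)
    ]
    return max(candidates, key=lambda s: s.taken_at) if candidates else None


def plan_recovery(snapshots: Iterable[BackupSnapshot], recovery_order: List[str],
                  compromise_suspected_at: datetime, max_age: timedelta) -> List[RecoveryStep]:
    """Walk the documented recovery order and decide, per system, what can be restored.
    `max_age` is the tolerable data loss agreed in the risk assessment; older clean
    snapshots are flagged so staff know paper downtime records must be re-entered."""
    snapshots = list(snapshots)
    plan: List[RecoveryStep] = []
    for system in recovery_order:
        snap = last_known_clean(snapshots, system, compromise_suspected_at)
        if snap is None:
            plan.append(RecoveryStep(system, None, "missing"))
        elif compromise_suspected_at - snap.taken_at > max_age:
            plan.append(RecoveryStep(system, snap.taken_at, "stale"))
        else:
            plan.append(RecoveryStep(system, snap.taken_at, "restore"))
    return plan


# --- constructed sample catalog (assumed values, not real data) -------------------
COMPROMISE_SUSPECTED_AT = datetime(2025, 3, 10, 2, 0)  # from the IR team's timeline
RECOVERY_ORDER = ["phones", "ehr", "pharmacy", "lab"]   # order taken from the DR plan
RPO = timedelta(hours=24)                               # tolerable data loss

# An archive altered after cataloguing: its digest no longer matches, so it is rejected
# even though it is the most recent pre-compromise EHR snapshot.
_tampered_ehr = replace(
    make_snapshot("ehr", datetime(2025, 3, 10, 1, 0), b"ehr-db-0100"),
    payload=b"ehr-db-0100-ENCRYPTED",
)

SAMPLE_CATALOG = [
    make_snapshot("phones", datetime(2025, 3, 9, 23, 0), b"pbx-config-2300"),
    make_snapshot("phones", datetime(2025, 3, 10, 3, 0), b"pbx-config-0300"),  # after compromise
    make_snapshot("ehr", datetime(2025, 3, 9, 22, 0), b"ehr-db-2200"),
    _tampered_ehr,
    make_snapshot("pharmacy", datetime(2025, 3, 5, 12, 0), b"rx-db-0305"),    # clean but old
    # "lab" has no catalogued snapshot at all
]


def sample_plan() -> List[RecoveryStep]:
    return plan_recovery(SAMPLE_CATALOG, RECOVERY_ORDER, COMPROMISE_SUSPECTED_AT, RPO)


if __name__ == "__main__":
    for step in sample_plan():
        print(f"{step.system:9s} {step.status:8s} {step.snapshot_taken_at}")
```

Run as a script, the plan restores phones first, then the EHR from the 22:00 snapshot (the later 01:00 copy fails validation), marks pharmacy as stale because its only clean copy is older than the agreed RPO, and reports lab as missing so the team knows that system starts from manual downtime procedures. Running this kind of check on a schedule, rather than only during an incident, is what "regularly tested and validated" amounts to in practice: a digest mismatch or a missing system should surface in a routine report, not on the day the EHR goes down.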

When faced with ransomware, the decision to pay a ransom should not be made under pressure. "You can make that decision ahead of time based on how confident you are in your ability to recover," Meadows said. "In the ideal world, you'd never pay the ransom and you would be able to use your technical team to recover timely."

By prioritizing EHR resilience in ransomware planning, healthcare leaders can position their systems for a fast response, potentially avoid an expensive payout, and protect the patients who depend on them.

Elizabeth Stricker, BSN, RN, comes from a nursing and healthcare leadership background, and covers health technology and leadership trends for B2B audiences. 
