
How to Build a Resilient Ransomware Defense Program in Healthcare

Ransomware attacks on health care institutions are attacks on people. System outages can block access to medication lists, x-rays or other imagery that doctors rely on to provide both routine and urgent care. In fact, an independent study published in February 2026 by the American Economic Journal: Economic Policy found that “Among patients already admitted to the hospital when a ransomware attack begins, in-hospital mortality increases by 34–38 percent.”

Emerging AI and automation tools lower the cost of launching attacks, so more organizations are hit more often. That puts significant pressure on security teams to build and maintain operational resilience, especially during a ransomware attack. Resilience means having trusted, tested policies and procedures in place that accelerate remediation and prevent rash, ad-hoc decisions that risk making things worse.

The best ransomware defense plan focuses on three things: preparedness, response, and recovery. I spoke about this topic at the recent HIMSS 26 conference, and I want to share some highlights that serve as a conversation guide if you feel your organization should, or could, be better prepared for that moment.

The Ransomware Defense Playbook

Resilient ransomware defense is a continuing cycle of risk assessments, planning, testing, and applying learnings.

Start with a Baseline Risk Assessment

To understand your baseline, your team or a trusted partner first collects data through security program reviews, technical assessments, and executive interviews covering your:

  • Network vulnerabilities
  • Incident response maturity
  • Business continuity processes
  • History of simulated ransomware exercises in which processes were tested

This baseline identifies capability gaps and helps you plot the path forward.

Plan with a Patient-Centered Approach to Ransomware Defense

Once the risk assessments are complete, planning begins. This is the time to establish governance over the decisions and processes that come into play during an attack.

In this phase, security and clinical teams must collaborate to map workflows and integrate incident response with business continuity. Security decisions should be made in a clinical context to minimize harm to patients. Do you proactively shut down some clinical systems on networks that aren't yet compromised to prevent attackers from moving laterally into them? If an outage requires departments to transfer patients en masse to facilities outside the organization, sharing charts and medical records becomes urgent. How do you handle that? Answers to these kinds of questions aren't easy. Teams that haven't lived through a ransomware incident can struggle even to imagine all the scenarios that could arise, which is why a partner experienced in these areas can help you conceive of, and address, the critical questions.

You’ll also want the workflows for these “what-if” scenarios to be reviewed and approved by clinical and executive leadership before a crisis occurs.

Simulate a Ransomware Attack to Test Your Plans

Software developers constantly analyze their code to check for bugs or opportunities for greater efficiency. Your ransomware defense program deserves the same. Simulated exercises produce measurable outcomes, including reduced detection-to-decision time, faster recovery, and improved cross-department communication.

Conduct tabletop exercises with clinical, technical, and executive stakeholders to validate playbooks and expose operational challenges.

Apply Your Learnings

Use your simulations to update resilience priorities, refine communication protocols, and strengthen coordination with law enforcement and regulators. Practicing allows you to track measurable progress such as shortening recovery times, accelerating attack response, and reducing the financial and clinical impacts of unplanned downtime.

Evaluate and Repeat the Cycle

As with many types of performance, evaluation and improvement are ongoing. By combining structured assessment, phased execution, and measurable outcomes, this methodology provides healthcare organizations with a proven framework for building ransomware resilience that safeguards patient care.

Understanding the methodology is one thing, but executing it consistently is another. Here are five obstacles I commonly see standing in the way.

5 Obstacles to Achieving Ransomware Resilience

In my work for Fortified Health Security, I serve the health care industry exclusively. While the level of preparedness to deal with a ransomware attack varies greatly among institutions, there are still common challenges we observe that teams should work together to overcome.

  1. Hospitals face growing pressure to establish patching programs because of the sheer volume of modern and legacy devices in use. Based on the clients I work with, only about 40% of hospitals maintain a structured vulnerability management program capable of identifying and prioritizing non-patchable risks such as misconfigurations, unsupported devices, and weak remote access controls.
  2. One of the biggest obstacles to achieving resilience is the prevalence of legacy medical devices and unsupported operating systems that cannot be patched or updated. These assets create persistent exposure points that a patching program alone cannot mitigate; they need compensating controls such as network segmentation and tightly restricted remote access.
  3. Staffing is a challenge across all industries. One area that suffers is tracking and managing users, permissions, and digital certificates, the kind of inventory that is essential when identifying and eliminating threats. AI and automation tools have come a long way in helping SOC managers monitor assets more efficiently and productively.
  4. Even in 2026, we still see resistance from executives who perceive resilience efforts as costs rather than patient safety imperatives. Headlines about data breach costs and reputational damage are softening that resistance, and we see teams gaining buy-in by reframing resilience as a continuity-of-care initiative.
  5. Silos still exist and continue to complicate resilience efforts. Tabletop exercises that bring clinical, IT, security, and business executives together help SOC and security leaders build a more cohesive program. Iterating those exercises, assigning clear roles, and integrating business continuity teams have a measurably positive impact on collaboration and decision-making speed.
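Obstacles 1 and 2 come down to one practical question: when a device cannot be patched, how do you rank it against everything else and decide which compensating control to apply? The script below is an added illustration of that kind of prioritization, written for this page; it is not Fortified Health Security's tooling. The inventory rows, the end-of-life operating system list, the scoring weights, and the recommended actions are all constructed assumptions chosen to show the idea, not data or policy from the page.

```python
"""Rank non-patchable risk in a device inventory and suggest compensating controls.

Added example for this page (not Fortified Health Security's tooling).
Every row, weight and list below is a constructed assumption.
"""
from dataclasses import dataclass

# Assumption: operating systems the program treats as unsupported (end of life).
UNSUPPORTED_OS = {"Windows XP Embedded", "Windows 7", "Windows Server 2008 R2"}

# Assumption: clinical role multiplies exposure, because the same flaw on an
# infusion pump matters more than on an HR laptop.
CLINICAL_WEIGHT = {"life-critical": 3, "clinical": 2, "administrative": 1}


@dataclass
class Device:
    name: str
    os: str
    clinical_role: str       # "life-critical" | "clinical" | "administrative"
    patchable: bool          # vendor permits OS/firmware patching
    internet_reachable: bool
    remote_access: str       # "none" | "vpn+mfa" | "vpn" | "exposed-rdp"
    default_creds: bool = False
    segmented: bool = False  # already on an isolated VLAN with an allow-list policy


@dataclass
class Finding:
    device: str
    score: int
    reasons: list[str]
    actions: list[str]


def assess(dev: Device) -> Finding:
    """Score one device: additive exposure points, scaled by clinical role,
    halved when a compensating control (segmentation) is already in place."""
    score, reasons = 0, []
    if dev.os in UNSUPPORTED_OS:
        score += 4; reasons.append(f"unsupported OS ({dev.os})")
    if dev.remote_access == "exposed-rdp":
        score += 5; reasons.append("RDP reachable without VPN")
    elif dev.remote_access == "vpn":
        score += 2; reasons.append("remote access without MFA")
    if dev.default_creds:
        score += 3; reasons.append("default credentials")
    if dev.internet_reachable:
        score += 2; reasons.append("internet reachable")
    score *= CLINICAL_WEIGHT[dev.clinical_role]
    if dev.segmented:
        score //= 2
    return Finding(dev.name, score, reasons, recommend(dev))


def recommend(dev: Device) -> list[str]:
    """Actions a patching program alone would miss for legacy or exposed devices."""
    steps = []
    legacy = dev.os in UNSUPPORTED_OS or not dev.patchable
    if legacy and not dev.segmented:
        steps.append("isolate on a segmented VLAN with an allow-list firewall policy")
    if dev.remote_access == "exposed-rdp":
        steps.append("remove direct RDP exposure; require VPN with MFA")
    elif dev.remote_access == "vpn":
        steps.append("enforce MFA on VPN access")
    if dev.default_creds:
        steps.append("rotate default credentials")
    if not legacy:
        steps.append("patch on the regular cycle")
    return steps


def prioritize(devices: list[Device]) -> list[Finding]:
    """Highest residual score first; ties broken by name for a stable report."""
    return sorted((assess(d) for d in devices), key=lambda f: (-f.score, f.device))


# Constructed sample inventory (not real devices).
SAMPLE_INVENTORY = [
    Device("nurse-station-12", "Windows 11", "clinical", True, True, "vpn"),
    Device("infusion-pump-07", "Windows XP Embedded", "life-critical", False, False,
           "none", default_creds=True),
    Device("hr-laptop-03", "Windows 11", "administrative", True, True, "vpn+mfa"),
    Device("pacs-server-01", "Windows Server 2008 R2", "clinical", False, False,
           "exposed-rdp", segmented=True),
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_INVENTORY):
        print(f"{f.score:3d}  {f.device:18s} {', '.join(f.reasons) or 'no findings'}")
        for a in f.actions:
            print(f"       -> {a}")
```

The ranking is the point, not the numbers: the unpatchable infusion pump with default credentials lands at the top even though it has no remote access at all, while the already-segmented PACS server drops below what its exposed RDP alone would suggest. Swap the weights and end-of-life list for your own, and the same shape of report is what a structured vulnerability management program should be able to produce for every asset it cannot patch.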

Next Steps

Ransomware resilience is an ongoing commitment to patient safety. The methodology outlined here gives your organization a practical framework to start or strengthen that work. Gaps in vulnerability management, legacy devices, staffing constraints, and cross-departmental silos don't resolve themselves, though, and the cost of inaction is measured in more than financial and IT performance terms. It's about people.

Remember, it is as much about deliberate execution as it is about the framework.

Fortified Health Security works exclusively with health care organizations like yours to build and mature personalized ransomware resilience programs. Whether you’re starting from scratch or pressure-testing what you already have, we can help. Let’s talk.
