Code Blue: Ransomware Lessons from the Healthcare Front Line


Ransomware attacks against healthcare providers are not simply a technology issue; they represent a public health crisis that delays critical care, overwhelms already stretched facilities, and puts real patients at risk.
That was the central theme of Code Blue: Ransomware Lessons from the Healthcare Front Line (available on-demand), a recent discussion featuring Cynthia Kaiser, former FBI Deputy Assistant Director for Cyber and now Senior Vice President at the Halcyon Ransomware Research Center, alongside Heather M. Costa, Director of Technology Resilience at Mayo Clinic.
The conversation offered a candid look at the real-world consequences when healthcare providers are forced offline by an attack. Both Kaiser and Costa emphasized that resilience must be measured by protecting patient outcomes, not only by whether an attack is prevented.
For context, a University of Minnesota study found significant increases in Medicare patient mortality rates during ransomware attacks, revealing that delayed or disrupted care translates directly into loss of life. While prevention efforts remain essential, the true determinant of patient outcomes is the ability to respond quickly and sustain care in the midst of a ransomware attack.
It’s About the Patients
Costa framed the conversation around a simple truth: cybersecurity in healthcare is patient safety. At Mayo Clinic, her team approaches technology disruption through the lens of clinical care, working backwards from the patient to the infrastructure and mapping how each component of technology connects to outcomes.
“We map from patient to bare metal to understand how technology touches care,” Costa explained. “What we do from a cybersecurity perspective is patient safety.”
Kaiser reinforced that perspective from the threat side, noting that the same clinical lens helps leadership grasp the urgency. “When you connect a system outage to a care workflow, people understand the stakes,” she said, adding that communicating concrete patient impacts to boards and executives is what drives timely decisions in a crisis.
That mindset shapes prioritization during an incident. It is not about restoring the easiest systems first, but those most critical to patient lives and safety. “That framing keeps recovery priorities honest,” Costa said, while Kaiser emphasized the value of making those determinations well in advance. “Knowing what must come back first is what turns confusion into action,” she said.
This approach recognizes that the stakes extend well beyond lost data or delayed billing, encompassing preventable complications from heart attacks and strokes, urgent maternity needs, and ICU capacity. When systems go down, the real question is whether patient outcomes will suffer because of the disruption to care.
Resilience Over Perfection
Kaiser and Costa emphasized that no security posture can eliminate risk entirely. The more effective approach is to build resilience so the impact can be mitigated when an attack inevitably occurs. Costa explained that her team never frames scenarios as “if,” but always as “when.”
“There is no mitigation of risk to zero,” she said. “Start and then get better tomorrow than you are today. Do not let perfection be the enemy of good.”
Drawing on two decades at the FBI, Kaiser stressed that planning itself reveals hidden dependencies and organizational crown jewels. “The process of building an incident response plan shows you what you value and what you need to protect,” she said. “But you must practice it. An incident response plan that is never exercised is just a PDF.”
Exercises must extend beyond tabletop discussions. Costa urged healthcare providers to run live drills where staff work with paper workflows, manual processes, and real handoffs to expose weaknesses.
“If you can put boots on the ground and actually do a test where people are trying out the forms and handoffs, you see very quickly what does not work,” she said, noting that those lessons can then be fed back into plans to keep them grounded in reality. Kaiser agreed and offered a simple litmus test from field response: “Practice is what turns a plan into a capability.”
Regional Impacts and Real Consequences
Both emphasized that disruptions to care from ransomware attacks are never confined to the targeted organization; they ripple across regions and affect patients at nearby facilities as well.
Research from the University of Minnesota and DePaul University documented how patient volumes in emergency departments at attacked hospitals drop significantly following a ransomware incident as patients are diverted elsewhere, delaying critical care. “A much longer ambulance ride when you are having a heart attack can seriously impact your prognosis,” Kaiser said.
Complementary findings published in JAMA Network Open highlight the broader “blast radius,” showing that nearby providers often experience surges in emergency department traffic and longer wait times as they absorb overflow from the impacted facility. “Regional surges raise ICU mortality risk when more patients are flooding into already stretched facilities,” Kaiser noted.
Costa added that the knock-on effects extend beyond emergency transports. Patients may arrive at unaffected providers carrying medical scans on USB drives from impacted environments, creating an additional infection vector if staff plug them into the network. Staff who work across multiple facilities can also carry compromised devices between environments. “Those details matter because they can introduce new risks,” Costa explained.
Building True Resiliency
Resiliency is not the responsibility of a single department, and both panelists stressed the need for integrated approaches that bring together IT, security, clinical leadership, legal, communications, and external partners.
Traditional disaster recovery plans built for physical events like storms or earthquakes are not enough, because cyber incidents require system-by-system recovery strategies with clear prioritization, always keeping the patient at the center. Costa emphasized that organizations must define those priorities through a clinical lens. “Communication is often the most critical system,” she said. “But recovery priorities must be driven by patient workflows.”
Decision structures must also be set long before a crisis hits. Kaiser recalled her FBI experience where organizations that recovered quickly had already established governance and legal involvement. “Organizations that establish those relationships up front navigate faster when it counts,” she said.
Costa agreed, stressing that decisions must be made in the calm so that chaos does not overwhelm response. “You will not know every detail until the moment arrives, but you can know who decides,” she said, noting that this includes legal counsel, communications teams, and third-party vendors, and requires strong relationships with regional healthcare coalitions to handle overflow care and coordinate recovery. Defining roles and negotiating contracts in the midst of a crisis only wastes precious time and resources.
Managing the Human Element
Technology is only part of the challenge, as human risk plays a central role in both prevention and recovery. Attackers often exploit social engineering, targeting help desks and individual employees to gain entry. Even with significant investments in defenses, a single compromised identity can provide the foothold an attacker needs.
Kaiser noted that adversaries have adapted as organizations have hardened their systems. “Major organizations have made real security investments, so actors pivot to third parties and social engineering,” she said, adding that segmentation and incremental progress toward zero trust are essential to limit the damage when attackers get inside.
Costa stressed that staff must also feel safe reporting mistakes quickly. “People need to feel safe saying, ‘I clicked something I should not have,’ so you can move fast to contain,” she said. She emphasized that psychological safety is just as important as technical controls, and that training must be meaningful and memorable rather than perfunctory. “Make training sticky, not checkbox,” she added.
Communicating With Boards and Leadership
Urgency around ransomware already exists in most healthcare leadership teams, but expectations must be realistic. Leaders may want assurances that recovery will be quick and painless, yet Costa urged transparency.
“Use analogies and meet people where they are,” she said. “Be transparent about what is not possible and anchor every decision in patient care.” Building credibility through relationships ensures that when leaders are told something cannot be done, they trust the explanation.
She also highlighted a simple principle for executive communication: translate risk into business and clinical consequence, then pair it with a ready decision. “If leaders see the patient impact and the next step together, they act,” she said.
Kaiser emphasized that legal counsel must be involved early, both in planning and in incidents. “There are recurring wrinkles on data handling, confidentiality, information sharing, and insurance,” she said. Both agreed that resilience is not just a technical issue; it requires organizational buy-in and cultural alignment around the central mission of patient safety.
Policy and the Larger Landscape
Although providers must take local responsibility for resilience, federal policy and grants can provide support. Kaiser noted that grant programs exist to help smaller facilities raise their cybersecurity baseline.
“No one in Washington thinks ransomware against healthcare providers is acceptable,” she said. “Policy can help, but the decisive actions still occur at the bedside, in the SOC, and in the command room.”
Costa added that regulations like the HIPAA Security Rule are under review and may evolve, and while practitioners have provided input, the outcomes are uncertain. What matters is continuing conversations across organizations and learning from one another. “None of us has all the answers, and we are in it together for patients,” she said.
Steps to Take Now
The conversation yielded a set of practical actions that healthcare leaders can begin working on immediately. These are tested practices that Kaiser and Costa have seen make a difference in both prevention and response:
- Prioritize Recovery by Patient Impact: Map from patient to bare metal and define first things first, creating system-by-system recovery tiers that reflect clinical impact and patient workflows rather than technical convenience.
- Establish Clear Governance Before a Crisis: Decide in the calm who decides in the crisis, ensuring clinical leadership, IT, security, legal, communications, and key vendors are included. Involve legal early to pre-clear information sharing, data handling, law enforcement engagement, and insurance requirements.
- Test and Strengthen Plans Through Practice: Conduct regular tabletops and live drills that stress manual workarounds, paper workflows, and handoffs. Use exercises to expose weaknesses and refine continuity planning, so teams know how to act under pressure.
- Support People and Contain Risk by Design: Build psychological safety so staff quickly report suspected mistakes or compromises, reinforce with meaningful training, and design networks with segmentation and zero trust principles to limit the blast radius of any breach.
- Prepare for Wider System Disruption: Coordinate with healthcare coalitions and regional partners to manage patient overflow and maintain offline contact trees and critical numbers so communications continue when phones, messaging, or collaboration tools are unavailable. Measure success not just by whether an attack was blocked, but by how little patients and caregivers feel the disruption.
Redefining Success
If prevention is never perfect, then what is the measure of success, and how should leaders frame outcomes in an environment where disruption can still occur despite strong controls? Both Kaiser and Costa agreed that the only metric that truly matters is the impact felt by patients and caregivers.
“Our measure of success is how little the disruption is felt by patients and caregivers,” Costa said. “That is the test.”
Kaiser closed by reminding the audience that resilience is ultimately about the speed and completeness of response. “The quicker you can accept that there is a problem, the quicker you can move forward,” she said. “You will still face challenges, but if you have practiced, you can manage them.”
The session underscored that ransomware in healthcare is not simply about protecting systems and data; it is fundamentally about protecting the lives and wellbeing of patients.
For a deeper dive into these insights and practical advice, listen to the full webinar on demand here. If your organization is concerned about the risk ransomware poses to patient care, you can also connect directly with a Halcyon expert to discuss proactive defense strategies tailored to your organization's needs.