If you're reading this during a live incident, skip to the steps below and start making calls — then come back. Ransomware response is a race against two clocks: the operational one (how long can you go without your EHR before you have to start cancelling patients?) and the regulatory one (HIPAA's 60-day breach notification clock starts at discovery).
The good news is that healthcare ransomware response is well-mapped. HHS OCR has issued specific guidance, and the practices that handle it well share a small set of habits. Here's the playbook.
The 72-Hour Healthcare Ransomware Playbook
Contain — isolate, don't power off
First hour: Disconnect affected systems from the network to stop spread, but don't power them off — that destroys volatile evidence that forensics will need. If the EHR is encrypted, isolate the EHR server and any workstations showing ransom notes.
Activate the plan — call counsel, IR, and your carrier
First few hours: Notify your cyber-insurance carrier (most policies require prompt notice as a condition of coverage), engage legal counsel familiar with HIPAA, and bring in incident-response expertise. Your IR plan should name these people in advance.
Switch to documented downtime procedures
First 24 hours: Bring out paper templates for charting and prescribing, run manual scheduling, and triage which procedures can continue. The practices that prepared a downtime procedure under HIPAA contingency planning keep operating; the ones that didn't usually can't.
Investigate — what data was accessed?
First 24–72 hours: Work with IR to determine scope: which systems were touched, was ePHI accessed or exfiltrated, and what is the affected patient population? This drives both your recovery work and your breach-notification analysis.
Recover from backups, not from ransom
First 72 hours and beyond: Restore from tested offsite immutable backups. Rebuild systems clean rather than trusting them post-encryption. Avoid paying the ransom — it funds criminals, often doesn't decrypt reliably, and creates OFAC sanctions risk.
Complete HIPAA breach analysis and notify
By day 60: Run the four-factor breach risk assessment. Unless you can demonstrate a low probability of compromise, notify affected patients within 60 days, the HHS Secretary (immediately for 500+ events, on the annual log otherwise), and the media if 500+ residents of one state are affected. Add state breach-notification duties on top.
The HIPAA Wrinkle Most Practices Miss
HHS OCR has specific guidance that ransomware on systems holding ePHI is presumptively a breach. The presumption can be rebutted by a documented four-factor risk assessment showing a low probability that PHI was compromised — but in practice, most practices can't prove that conclusively and end up notifying. The determination needs to be made carefully, documented, and made with counsel — not on a hunch.
That's why the HIPAA risk analysis (the one you should have run before any incident) matters: it tells you what ePHI lives where, which feeds directly into post-incident scope analysis. We cover what OCR expects in our guide to the HIPAA risk analysis HHS OCR actually wants.
Why You Shouldn't Pay the Ransom
The instinct to pay is understandable — you can't see patients, and the ransom demand is often less than the cost of the downtime. Three things change the math. First, only a fraction of payments yield working decryption. Second, OFAC sanctions risk applies — if the threat actor is on a sanctioned list, paying can itself be a federal violation. Third, payment doesn't restore the data exfiltration that often accompanies modern ransomware — the breach has already happened. The right preparation, especially tested immutable backups, makes payment unnecessary.
The Downtime Procedure That Keeps You Operating
HIPAA's contingency-plan requirement isn't just paperwork — a documented downtime procedure is what lets you keep seeing patients while the EHR is down. That means paper charting templates, a printed roster of current medications and allergies for active patients, manual scheduling sheets, and a clear triage rule for which procedures can proceed versus which must reschedule. The practices that prepared one keep operating during recovery; the ones that didn't usually can't.
The Notification Chain
If the four-factor assessment leads to notification, the chain is: affected patients within 60 days of discovery; HHS Secretary immediately for events affecting 500+ individuals (otherwise on an annual log); and the media if 500+ residents of one state are involved. State breach-notification laws may add additional duties. The general first-24-hours steps for any business are in our incident-response guide.
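The notification chain above (and the day-60 step in the playbook) reduces to a small decision rule once the four-factor assessment has concluded that notification is required. The helper below is an added example, not part of the original article or any official tool; it takes a discovery date and a constructed per-state headcount and returns who must be notified and by when, so the deadlines can be put on a calendar the day scope is known.

```python
from datetime import date, timedelta

# Page's thresholds: 60-day window from discovery, 500+ triggers the
# "large breach" handling for HHS and the per-state media duty.
NOTIFICATION_WINDOW_DAYS = 60
LARGE_BREACH_THRESHOLD = 500


def notification_obligations(discovered_iso: str, affected_by_state: dict) -> dict:
    """Turn discovery date + per-state counts into the HIPAA notification chain.

    Assumes the documented four-factor risk assessment already failed to show
    a low probability of compromise, i.e. notification is required.
    State breach-notification statutes are NOT modelled; the function only
    flags which states need a separate state-law review.
    """
    discovered = date.fromisoformat(discovered_iso)
    total = sum(affected_by_state.values())
    # Individuals (and media, where triggered) are due within 60 days of discovery.
    window_end = discovered + timedelta(days=NOTIFICATION_WINDOW_DAYS)

    if total >= LARGE_BREACH_THRESHOLD:
        # 500+ individuals: HHS is notified alongside the individual notices.
        hhs = {"timing": "immediate", "deadline": window_end.isoformat()}
    else:
        # Under 500: logged and reported annually; the rule's own deadline is
        # 60 days after the end of the calendar year of discovery.
        year_end = date(discovered.year, 12, 31)
        hhs = {"timing": "annual-log",
               "deadline": (year_end + timedelta(days=NOTIFICATION_WINDOW_DAYS)).isoformat()}

    # Media notice is per state: only states with 500+ affected residents.
    media_states = sorted(s for s, n in affected_by_state.items()
                          if n >= LARGE_BREACH_THRESHOLD)

    return {
        "total_affected": total,
        "individuals_by": window_end.isoformat(),
        "hhs": hhs,
        "media_states": media_states,
        "media_by": window_end.isoformat() if media_states else None,
        # Any state with affected residents may add duties on top of HIPAA.
        "state_law_review": sorted(s for s, n in affected_by_state.items() if n > 0),
    }


if __name__ == "__main__":
    # Constructed sample: discovered 1 March 2024, 763 patients across three states.
    print(notification_obligations("2024-03-01", {"TX": 620, "OK": 140, "NM": 3}))
```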
Then Make Sure It Never Happens Again
Recovery is the backstop; prevention is the real fix. The seven threats hitting practices and their controls are in dental practice cybersecurity — the seven threats (same threats and controls apply to medical practices); the broader HIPAA picture in HIPAA cybersecurity for small practices; and the role of vendor risk in business associate agreements.
The Bottom Line
A healthcare ransomware incident is an operational emergency and a HIPAA event at the same time. Contain without destroying evidence, call counsel and your insurer fast, switch to documented downtime procedures so you can keep seeing patients, recover from tested backups, and run the four-factor breach assessment within the 60-day window. The practices that come through this calmly are the ones who prepared every one of those steps before they were needed.
See how we operate that readiness for practices on the cybersecurity for healthcare practices page, or — if you're in an active incident — our need-help-now page.
This article is general information, not legal or compliance advice. Breach-determination and notification requirements are fact-specific; consult qualified counsel for your practice's situation.