A chief medical information officer describes what hospitals face when they inevitably suffer a ransomware attack—whether it leads to short- or long-term outages.

RSAC 2026 CONFERENCE — San Francisco — Joseph Izzo, chief medical information officer for San Joaquin General Hospital, received ransomware training during a downtime period. He practiced responding and maintaining patient care in the event that the facility is forced to operate offline. But when the hospital where he was working was actually hit with ransomware, he realized very quickly how "different it was under pressure."
Izzo shared his story at RSAC 2026 Conference and provided key incident response (IR) recommendations for healthcare organizations, a sector frequently targeted by ransomware gangs due to highly sensitive information. Ransomware doesn't always cripple hospitals, but partial attacks happen frequently, Izzo explained. Either way, a rapid response is necessary when serving a vulnerable population.
Recommendations ranged from identity protection to being prepared to operate with pen and paper in a digital world. Preparation is what really "makes the difference" when healthcare facilities are trying to get past a ransomware incident, Izzo emphasized.
Prep When Digital Tools Fail
Hospitals rely heavily on digital tools — for many healthcare professionals and Izzo, that's all they know. Patients wear barcoded wristbands for identity verification. Electronic medical records (EMR) list patients' allergies, medical history, potential drug interactions, and other pertinent records. During a ransomware incident, all these systems shut down. When systems break down, data becomes fragmented.
Healthcare staff may ask patients about their medical history, but it's "not a fair ask," and self-reporting can be unreliable, Izzo said. The fact that communications between other doctors, pharmacies, or hospitals may be compromised or insecure only adds to the challenges. Even fax machines could be offline. Medications prescribed and procedures performed during this time of incomplete information could lead to potentially substandard care, he warned.
"Care relies on the entire picture, not just a snapshot in front of you," Izzo said. "Without preparation, such as making strong analog variations, error risk increases dramatically."
Forced to Adapt
Downtime playbooks do not help mitigate long-term outages stemming from ransomware, Izzo said, so being flexible and thinking outside the box is key. "Gray areas," or unpredictable failures that aren’t discussed but happen frequently, can complicate recovery. Systems may be back online, but they're lagging, missing data, or providing only intermittent access. The "impossible question" becomes: "Do you trigger downtime or stay on that system?" Either way, there is risk.
Therefore, it is important to rehearse partial and gray-zone failures, not just total outages, Izzo recommended.
Hospitals must also be ready when ransomware hits surrounding healthcare organizations, which are forced to divert patient care.
"Preparation determines if the situation escalates or stabilizes," he said.
Rehearse, and Then Rehearse Some More
Ransomware disruptions and risks extend across healthcare organizations. To protect the identity piece, human review and multiple checks are key. For example, organizations can implement redundant verification workflows, two-person high-risk confirmation, and prevalidated paper Medication Administration Record processes, he recommends.
To address degraded care situations, hospitals and clinicians should run tabletop exercises that include frontline staff in planning and response. Izzo observed less burnout when frontline staff were involved in these conversations.
Since hospitals are increasingly using artificial intelligence (AI) alongside digital tools, they should also understand the broader risks that shadow AI poses: unapproved tools represent a whole other attack vector. While AI is beneficial, it's important to "be careful" with it, he warned.
But mapping where "identity, information, and execution depend on digital systems" in one place is step one.
"Rehearse, and use believable or real cases," Izzo urged.