Ransomware Recovery and Imaging Operations: Lessons Learned and Planning Considerations

In this era, almost all healthcare workflows are digital and rely on robust institutional networks; a ransomware attack in a healthcare system can have catastrophic patient care consequences. The usual downtime processes in an institution might not address the breadth of this disruption and timelines for recovery. This article shares our lessons learned from ransomware recovery. From this experience, a four-phase recovery planning framework has been developed. The primary focus is on acute patient care, incident communication, and emergency imaging operations in the initial phase. In the next phase, continued digital asset unavailability necessitates a transition to long-term analog workflows. In the infrastructure recovery and reconciliation phases, each taking weeks or months, the emphasis is on rebuilding a ransomware-free environment and reconciling the data accrued during extended downtime. In preparation for future events, we have initiated a continuous readiness process. A response task force has been formed to guide physicians, technologists, nurses, and informatics units on recovery workflows appropriate for extended downtime and keeping these procedures updated. Incident command structure has been discussed for communications and resource allocation during a ransomware attack, possibly in the context of a multi-incident scenario such as that involving concurrent staffing shortage amidst a pandemic. Finally, we discuss considerations for tabletop simulation, which may be valuable to the planning process.