Hospitals are well-versed in disaster preparedness. Fire drills? Check. Emergency generator tests? Of course. Surge plans for flu season or COVID-19 spikes? Built into the playbook. But there’s one type of disaster that still gets treated as someone else’s problem – the province of the CIO or the security consultant – rather than what it really is: a full-blown, system-wide, clinical crisis. I’m talking about cyberattacks.
If you’re a healthcare system leader, you should ask yourself this question: if a ransomware attack hit tomorrow, would my hospital continue to deliver safe, effective care?
To be fair, some progress has been made. ECRI’s 2025 Top 10 Patient Safety Concerns list includes medical errors and delays in care resulting from cybersecurity breaches. Not in the fine print. Not tacked on as an appendix. It’s ranked number four. That puts it above persistent threats like diagnostic error and healthcare-associated infections. That alone should prompt serious reflection among health system executives who still see cybersecurity as merely an IT compliance issue.
If you're still not convinced that ransomware belongs in the same conversation as CLABSIs or wrong-site surgeries, let me point you to one of the clearest real-world examples to date. A study published in JAMA Network Open by Christian Dameff, MD, MS and colleagues at UCSD looked at what happened when four hospitals in San Diego went dark – digitally speaking – following a ransomware attack. These weren’t small clinics. These were core members of the region’s acute care delivery system. Their electronic health records (EHRs) were rendered inaccessible. Imaging systems went down. Telemedicine capabilities disappeared. Paper charts made a nostalgic, but ultimately inadequate, return.
When one hospital gets hit, the whole region suffers
The most striking insight from this study wasn’t just the chaos at the affected hospitals. It was the collateral damage experienced by the hospitals that weren’t attacked. The study showed that the nearby academic EDs saw significant surges in volume and disruptions in workflow. Emergency department visit numbers jumped. EMS arrivals spiked because the affected hospitals were on diversion. Waiting room times increased. So did the number of patients who left without being seen or against medical advice. Even stroke care, one of the most time-sensitive protocols in all of emergency medicine, was adversely affected. There were more stroke code activations, more confirmed strokes, and more acute treatments for stroke.
Let that sink in: A ransomware event targeting one hospital system made it more complicated to treat strokes across an entire metro area.
This wasn’t a local outage. It was a regional disaster. It just didn’t look like one: no flames, no floodwaters, no crumbling infrastructure. But the operational effects were just as severe. And unlike many natural disasters, this one was man-made, invisible, and potentially preventable.
From data breach to clinical breakdown
So, why are healthcare organizations still treating these incidents like isolated IT problems instead of clinical safety events?
Part of the issue lies in how cyber risk is framed. For years, the conversation has centered around data, specifically guarding protected health information and avoiding HIPAA violations. That’s still important, but in 2025, it’s not enough. This is no longer just about social security numbers leaking onto the dark web. It’s about whether your trauma center can function when your PACS is offline. Whether you can deliver tPA without access to prior imaging. Whether your ICU can determine which drugs a patient is allergic to … or not.
In the San Diego case, affected hospitals spent four weeks operating in a semi-analog environment. Imagine doing that during a surge in respiratory illness or a regional disaster. Manual workflows, paper orders, limited communication: all of it slowed care and likely compromised safety. The domino effect impacted surrounding hospitals, overwhelmed EMS systems, and might have altered clinical outcomes. That is not a theoretical concern. It is a lived one, with charts and timestamps to prove it.
Cybersecurity is a safety strategy, not a technical task
We have to elevate cybersecurity out of the server room and into the C-suite, and not just for annual audits or board presentations. Cyber risk should sit alongside CAUTI rates and sepsis mortality on organizational dashboards. If a ransomware attack can delay a stroke diagnosis or lead to the wrong medication being administered, then it’s as much a patient safety issue as anything else tracked by quality departments.
We also need to stop pretending that having a downtime policy printed out in a binder somewhere is a sufficient response. If you haven’t run a serious, real-world simulation where clinical teams are forced to deliver care without the EHR for several hours or days, then you don’t have a plan; you have a wish. Clinical leaders must partner with IT to create scenarios that reflect the real chaos of an outage. Stroke codes, trauma alerts, high-risk deliveries: these events won’t stop just because your servers have.
And let’s not forget that ransomware doesn’t respect institutional boundaries. A cyberattack on one hospital can and does affect others. That means health systems need to coordinate regionally. Cross-institutional planning, EMS protocol alignment, and data-sharing agreements are no longer optional. Yes, even if the other hospitals in your region are technically “competitors.” The malware doesn’t care who owns your MRI.
Modern cyber defense requires real investment
Of course, all of this requires real investment, not just in firewalls and endpoint detection, but in staff, training, and resilience planning. Too many hospitals continue to run outdated systems with known vulnerabilities. Why? Because the upgrades are expensive and the risks seem abstract, until they’re not: until radiology systems are offline and your ED has a backlog of 80 patients. Until your clinicians are fumbling with paper notes during a code. Until a patient suffers harm because no one could access their allergy history.
Beyond the technical infrastructure, hospitals must treat cyber resilience as a clinical competency. That means ensuring frontline staff know what to do when systems fail, not just theoretically, but practically. Cyber failure scenarios should be embedded into orientation, clinical education, and quality improvement. The workflows must be rehearsed and accessible. It should not take a disaster to figure out how to print labs or find an old medication list.
If it happened tomorrow, would you be ready?
At the end of the day, this is not about scaring people. It’s about calling something what it is. Cyberattacks are not hypothetical. They are not isolated. And they are no longer just financial or technical problems. They are clinical safety events that disrupt care, strain already overburdened systems, and harm patients.
So, here’s the question I posed earlier: If a ransomware attack hit tomorrow, would your hospital continue to deliver safe, effective care?
If you don’t like the answer, you know what to do next.