The following is a guest article by Matt DeFrain, Managing Director at Arcova
When this season of “The Pitt” depicted a hospital spiraling into chaos after a ransomware attack forced clinicians to abandon digital systems and go analog, many viewers saw it as gripping television. Healthcare cybersecurity leaders saw something else entirely: a realistic preview of what happens when a cyber event becomes an operational crisis.
On the show, clinicians lose access to digital health records, lab orders disappear, paper charts replace connected systems, and patient care begins to deteriorate in real time. The frightening part is how familiar the scenario feels.
For years, many organizations approached cybersecurity through the lens of compliance and baseline controls. Did we meet the HIPAA requirement? Did we complete the audit? Do we have the right tools in place, and are they secure? Those questions still matter, but they are no longer enough.
The better question is, if critical systems disappeared tomorrow, how long could your organization safely continue delivering care?
Most healthcare organizations are not prepared to answer.
Downtime Planning Was Built for Hours, Not Weeks
Nearly every health system has downtime procedures. The problem is that most of them were designed for temporary outages, not prolonged operational paralysis.
Across healthcare, cyberattacks have evolved beyond data theft and financial extortion. Today, the real risk is operational disruption at scale. We are now seeing attacks capable of delaying surgeries, disrupting care coordination, taking down entire hospital networks, and jeopardizing patient safety.
That shift requires healthcare leaders to fundamentally rethink what cybersecurity preparedness actually means.
Healthcare leaders often think about cyber resilience in terms of restoring technology. They should also be thinking about sustaining patient care during extended disruption. It’s worth noting that, as operational pressure increases, the likelihood of medical error rises with it.
It is now table stakes to test whether manual workflows can realistically scale beyond a few hours. Teams must also audit and understand where hidden dependencies exist between systems to identify which clinical and operational processes would fail first under prolonged downtime conditions.
The Biggest Threats Often Enter Through Third Parties
One of the most important lessons from recent healthcare cyber incidents is that organizations do not need to be directly breached to experience catastrophic disruption.
Healthcare operates through a deeply interconnected network of vendors, technology providers, partners, and external platforms. Every connection creates another potential attack vector.
The Change Healthcare incident illustrated this reality on a massive scale. A compromise originating through a third party affected claims processing, pharmacy operations, payment systems, and healthcare delivery organizations across the country. Many hospitals that considered themselves operationally secure still found themselves severely impacted.
The challenge becomes even more complicated as healthcare organizations rapidly adopt AI-enabled tools and external data platforms. Employees are also increasingly using generative AI tools on personal devices or outside formal governance structures. In many environments, shadow AI adoption is already happening at scale, creating significant exposure risks around sensitive data, metadata leakage, third-party integrations, and uncontrolled information sharing.
Healthcare organizations need a far more comprehensive understanding of how all of these pieces are woven into their environment, what data is accessed where, and how privilege escalation could occur. You can’t govern what you can’t see, or what you don’t know exists. Visibility across partners, vendors, AI tooling – visibility across the full ecosystem – is the first step.
Most of All, Cybersecurity Must Be Reframed Around Patient Impact
One of the reasons “The Pitt” resonated so strongly with viewers is that it showed how patient care suffers when systems fail. Now more than ever, maintaining quality patient care must become the central organizing principle for healthcare cybersecurity moving forward, regardless of the scenario.
Too often, cybersecurity conversations are narrowly focused on compliance metrics, technical controls, or financial loss. Those issues matter, but they miss the broader operational stakes. Boards, executives, IT leaders, clinical leadership teams, and security teams all need to operate from a shared understanding that cybersecurity resilience is directly tied to care continuity.
Organizations should be running realistic operational resilience exercises that include clinical leaders and staff, not just IT teams. They should be stress-testing how long they can operate under degraded conditions. They should understand how communications, supply chain systems, imaging workflows, and third-party dependencies intersect with all team members’ unique roles during a crisis.
Most importantly, they need to stop viewing cybersecurity preparedness as the goal. The goal is maintaining safe patient care under adverse conditions.
The Next Healthcare Cyber Crisis Will Be Operational
The healthcare industry is entering a new era of cyber risk where operational disruption will define the severity of an incident. “The Pitt” felt believable because healthcare leaders already know how fragile interconnected systems can become under pressure. Increasingly, that pressure is what healthcare leaders need to be preparing for now.
This shouldn’t become a battle for who has the longest compliance checklists or the largest security budgets. Instead, it’s the organizations that prepare for resilience at every level of the operation that will see the most enduring success.

Matt DeFrain is Managing Director at Arcova, where he advises healthcare organizations on cybersecurity, governance, operational resilience, and risk management strategies. He works closely with healthcare leaders to strengthen preparedness against evolving cyber threats that impact both technology infrastructure and patient care.
No comments:
Post a Comment