When Training Meets Reality
Joseph Izzo, chief medical information officer for San Joaquin General Hospital, had gone through ransomware training during a scheduled downtime period. He practiced maintaining patient care while systems were offline and felt reasonably prepared. Then, at a facility where he was working, a real ransomware attack struck — and the difference, he said, became immediately apparent. No amount of classroom preparation fully captures what it feels like to respond under pressure.
Izzo brought that firsthand perspective to the RSAC 2026 Conference in San Francisco, where he outlined incident response (IR) recommendations tailored specifically for healthcare organizations — a sector that ransomware gangs consistently target because of the extraordinarily sensitive nature of the data it holds.
Ransomware Doesn't Have to Be Total to Be Devastating
A common misconception is that ransomware either fully cripples a hospital or leaves it largely unaffected. In reality, partial attacks happen frequently, Izzo explained. Even limited disruptions in a healthcare environment can have serious consequences for a vulnerable patient population. Whether an incident results in a short outage or a prolonged one, a rapid and coordinated response is essential.
The overarching message Izzo delivered was straightforward: preparation is what "makes the difference" when healthcare facilities are trying to recover from a ransomware incident.
What Happens When Digital Tools Go Dark
Modern hospitals are deeply dependent on digital infrastructure. For many healthcare professionals — including Izzo himself — digital systems are all they have ever known in a clinical context. Patients wear barcoded wristbands that serve as identity verification. Electronic medical records (EMR) contain allergy information, full medical histories, potential drug interactions, and other critical data.
When ransomware strikes, those systems go offline. Data becomes fragmented and unreliable. Staff may attempt to gather information directly from patients, but as Izzo pointed out, that is "not a fair ask" — self-reported medical history is inherently unreliable. The situation is compounded when communication channels between doctors, pharmacies, and other hospitals are also compromised or rendered insecure. Even fax machines, often a fallback option, could be offline.
Prescribing medications or performing procedures with incomplete information creates a serious risk of substandard care. As Izzo put it: "Care relies on the entire picture, not just a snapshot in front of you. Without preparation, such as making strong analog variations, error risk increases dramatically."
Playbooks Have Limits — Flexibility Fills the Gap
Standard downtime playbooks are designed for relatively short, predictable outages. They do not adequately address the prolonged disruptions that ransomware can cause, Izzo said. Adaptability and creative problem-solving become essential when the playbook runs out.
He drew particular attention to what he called "gray areas" — unpredictable, partial failures that occur frequently but rarely get discussed in formal training. Systems may come back online but behave erratically: lagging, missing data, or offering only intermittent access. In those moments, clinicians face what Izzo described as the "impossible question": do you trigger full downtime procedures, or do you continue using a degraded system? Both choices carry risk.
For this reason, he urged hospitals to rehearse not just total outages but also partial and gray-zone failures. Facilities must also prepare for the ripple effects when ransomware hits neighboring healthcare organizations, forcing those hospitals to divert patients — adding sudden, unplanned load to facilities that may themselves be struggling.
"Preparation determines if the situation escalates or stabilizes."
Key Recommendations for Healthcare Organizations
Izzo offered a range of concrete recommendations across several domains:
Protecting Patient Identity
When digital verification systems are unavailable, human oversight becomes critical. Izzo recommended implementing:
- Redundant verification workflows
- Two-person confirmation processes for high-risk decisions
- Prevalidated paper Medication Administration Record (MAR) processes
Addressing Degraded Care Scenarios
Hospitals and clinical staff should run tabletop exercises that specifically include frontline staff in both planning and response phases. Izzo noted that he observed less burnout among staff who were brought into these preparedness conversations early and given a voice in shaping the response protocols.
Managing the Risk of Shadow AI
As hospitals increasingly integrate artificial intelligence alongside their standard digital tools, Izzo flagged the growing threat posed by shadow AI — unapproved tools adopted informally by staff that represent an entirely separate attack vector. While AI can offer genuine clinical benefits, he urged organizations to "be careful" and to understand the broader risks before deploying or tolerating unsanctioned AI use.
Mapping Digital Dependencies Is Step One
Before any rehearsal can be effective, Izzo stressed the importance of first mapping out exactly where "identity, information, and execution depend on digital systems" — consolidating that picture in a single place so that vulnerabilities are visible and understood by decision-makers and frontline staff alike.
From there, the guidance was unambiguous: "Rehearse, and use believable or real cases," Izzo urged. The gap between knowing what to do and being able to execute it under real pressure is only bridged through repeated, realistic practice — not theoretical familiarity with a policy document.
For a sector as critical and as consistently targeted as healthcare, that discipline around preparation may ultimately determine not just operational continuity, but patient outcomes.
Source: Dark Reading