The following is drawn from a recent engagement with a multi-site healthcare system that experienced a ransomware event in late 2025. Names and identifying details are removed; the operational lessons are preserved with the client's permission.
What worked
The single most important factor in the recovery was that the system had immutable, off-site backups taken within the previous twelve hours. Restoration was painful but possible. Several other things worked: clinical-continuity procedures had been rehearsed, the IR retainer activated within the first hour, and the system's general counsel had a pre-existing relationship with breach counsel.
What failed
The runbooks were out of date. Several systems had grown materially since the last DR test, and the documented restoration procedures had not been updated. Recovery took three days longer than it should have because the team was reverse-engineering current state during the event.
Communications failed early. The first all-staff message was delayed by 18 hours while leadership debated wording. By that point, staff had been talking to local press. The lesson was that communications templates should be drafted before the event, with pre-approved language for known scenarios.
Vendor coordination was harder than expected. Three separate critical vendors had their own definitions of incident, their own notification cadences, and their own recovery procedures. Coordinating them in real time was a full-time job by itself.
Operational changes since
The system has rebuilt its DR program with a quarterly live-restore cadence — full restoration of one critical system into an isolated environment, end-to-end tested. Runbooks are now versioned and reviewed at every change-control meeting. Communications templates are pre-drafted for ten common scenarios. Vendor coordination protocols are explicit, with named contacts and pre-defined cadences.
There has not been a second incident.