This past week brought hospital ransomware attacks to the forefront of public media, for better and for worse, with a major incident in Mississippi and a fictional one on HBO.
On Feb. 19, an episode of the popular drama series The Pitt featured a subplot about a cyberthreat against its fictional trauma center. Ransomware attacks strike nearby hospitals and, suspecting that his own might be next, the CEO of Pittsburgh Trauma Medical Center preemptively orders that all its IT systems be taken offline.
Cybersecurity experts debate the realism of HBO’s depiction, but there’s no questioning its relevance and timeliness. As if to underscore the point, early in the morning on the same day the episode aired, the University of Mississippi Medical Center (UMMC) suffered a ransomware attack that was all too real. Its IT systems were impacted, including its electronic medical records platform, Epic. Life imitated art, and UMMC went dark at all 35 clinics in its network to prevent further damage.
Was HBO’s Depiction of Healthcare Ransomware Realistic?
The Pitt followed through on the ransomware plot in its latest episode — Season 2, Episode 8 — which aired Feb. 26. The staff at Pittsburgh Trauma carry on with their work, only they have to rely on paper and pens, fax machines, and one staff member’s conveniently photographic memory.
“This episode follows the patient care continuum from intake to discharge and shows every point where it breaks: dry-erase boards, triplicate paper orders, a pharmacist manually unlocking medication cabinets one at a time,” says Mick Coady, field chief technology officer (CTO) of Elisity. “That’s the picture every CISO I talk with is trying to paint for their board. Not ransom amounts. Not recovery timelines. What actually happens to patients.”
The single most authentic detail in the episode, in Coady’s view, was utterly mundane: when staff are told to use ballpoint pens, because felt-tip ink doesn’t press through triplicate carbon copies. “Someone in that writers room has been through a real downtime event. That’s an operational detail you only know if you’ve actually run paper processes in a clinical environment,” he says.
For Ross Filipek, chief information security officer (CISO) at Corsica Technologies, “What rang true to me was the operational chaos once systems went dark. Healthcare really is that dependent on IT. When digital charting, tracking boards, and core systems disappear, efficiency drops fast, and risk creeps in. I’ve seen that in real incidents.”
What HBO Got Wrong
While experts agree that the general tone of Episode 8 was spot on, they all caveat that it wasn’t without its small missteps and exaggerations. Most glaring for Coady, for example, were the patient monitors that kept running normally, and the uninterrupted stream of patients who might have otherwise been diverted to other facilities in a real-life scenario.
In Filipek’s view, the CEO’s crucial, preemptive decision to shut down all IT systems was implausible. “In a real hospital, executives would be heavily weighing patient safety and operational continuity alongside cyber-risk. That decision wouldn’t happen without heavy input from IT and security leadership, and it certainly wouldn’t be made lightly,” he says. “While I understand the show is predominantly about the clinician experience, the episode glossed over what would be happening behind the scenes. In reality, it would be all hands on deck. Technical investigation, targeted mitigations, maybe third-party support. You don’t just pull the plug and hope 24 hours fixes it.”
Coady, too, worries that the show might necessarily overlook certain aspects of real hospitals’ experiences, due to dramatic constraints. “Some systems take months to fully restore,” he says. “If the show makes that look like one bad shift, it undersells what six weeks on paper actually does to a hospital’s staff, its patients, and its finances.”
How Hospitals Should Address Ransomware
The latest episode ended with everything still in analog. In parallel this week, on Feb. 25, UMMC announced that although it was making “significant progress in responding to the cyberattack and restoring our systems,” it’s still struggling to return to normal operation. Regularly scheduled clinic appointments and elective procedures have been cancelled at least through Feb. 27, its telephone line is being overwhelmed, and individuals in need of care have been expressing their confusion online.
“The most concerning trend [in healthcare] isn’t just the volume of attacks, but how disruptive they have become,” says Ryan Witt, Proofpoint’s vice president of industry solutions, citing how 70% of victimized healthcare facilities report disruptions to patient care. “Ransomware can become a full operational shutdown. It results in deferred care, delayed diagnoses, and real clinical consequences for patients and their families.”
Witt, who authored Proofpoint’s 2025 “Cyber Insecurity in Healthcare” report, suggests that healthcare facilities need to focus on three main areas. First: securing credentials, the primary means by which attackers gain access to healthcare IT systems in the first place.
“Second, hospitals are encouraged to plan for clinical resilience. While it’s important to restore IT systems quickly, it’s equally important to ensure patient care remains as safe as possible while systems are down. That means practical downtime plans that address medication management, lab communications, triage, and patient prioritization,” he says.
Lastly, he advises, “Resilience needs to be tested, not assumed. Tabletop exercises and downtime drills should simulate real clinical stress. Leadership teams should practice making difficult real-time decisions about diversion, communications, and patient prioritization before they have to do it in a real crisis.”
On a positive note, Witt says more hospital executives now understand cyber-risk is a patient safety issue. “Boards are starting to ask how an incident could affect patient care, not only how fast systems can be restored,” he says. “That shift in mindset is important and, frankly, long overdue.”
Source: www.darkreading.com…
