Cybersecurity as a Patient Safety Issue

Why the Next Code Blue Won’t Start at the Bedside

Your EMR just went dark. Nurses can’t pull med records. Allergy histories sit locked behind encrypted servers. Pharmacy interfaces no longer respond. The medication cart might as well be a paperweight. And somewhere down the hall, a resident needs insulin now.

The Numbers Have Moved Past Alarming

Consider what we know.
Health care and public health ranked as the top sector targeted for cyberthreats in 2025, according to the FBI’s latest annual report on internet crimes. Attackers launched 460 ransomware attacks and 182 data breaches against the sector, totaling 642 cybercrime events, the most of any critical infrastructure industry. Financial services came in second with 447. (Source: FBI Internet Crime Report 2025, via AHA and Becker’s Hospital Review)

Still, those numbers only capture the attacks we know about. Globally, ransomware attacks increased by 49% year over year, setting a new record with 1,174 disclosed attacks. Researchers estimate that only 86% of ransomware attacks get disclosed by victims. (Source: BlackFog Annual Ransomware Report, via HIPAA Journal)

Meanwhile, healthcare retained its position as the sector most targeted by ransomware groups in 2025, accounting for 22% of disclosed attacks. (Source: BlackFog Annual Ransomware Report, via HIPAA Journal)

The Financial Toll
The financial damage runs deep. The average healthcare data breach cost settled around $7.42 million in 2025. That figure dropped markedly from the prior year, yet it still leads all industries. (Source: AccountableHQ, citing IBM Cost of a Data Breach Report 2025)

Dollar figures alone, however, fail to describe the scene on a nursing unit at 2 AM when every screen goes black and a resident needs a time-sensitive medication.

Why PAC/LTC Faces a Unique Threat
The threat profile for post-acute and long-term care has shifted in a specific way. The US, India, Italy, and Canada all saw an approximate 30% increase in attacks on healthcare companies from 2024 to 2025. Those “companies” include pharmacy platforms, billing vendors, and therapy management systems.

Here is the critical detail: over 80% of stolen protected health information records came not from hospitals but from third-party vendors, software services, business associates, and nonhospital providers. The ransomware does not need to hit your server room. It just needs to reach someone in your supply chain. (Sources: Comparitech Healthcare Ransomware Roundup 2025; AHA 2025 Cybersecurity Year in Review)

A Ransomware Event on Your Nursing Unit

Most organizations file cybersecurity under the IT director’s responsibilities. They fund it from the technology budget. Leadership discusses it in technology meetings.

That structure creates a blind spot.

What Actually Happens in a 120-Bed SNF

Walk through what unfolds in a skilled nursing facility when ransomware locks the system:

  • The eMAR vanishes. Nurses cannot verify current orders, confirm dosing, or check allergy histories. They lose the single most critical tool for safe medication administration.
  • Double-dose and missed-dose risk multiplies by the hour. Without electronic verification, no one can reliably confirm what a resident received, when they received it, or who administered it.
  • Pharmacy connections go down. New orders cannot transmit. Controlled substance reconciliation turns into guesswork with missing pieces.
  • Clinical decisions go blind. Lab results, progress notes, and diagnostic imaging become unreachable. Staff make care decisions in an information vacuum.

Ransomware encrypts hospital systems and cuts off access to EHRs, diagnostic tools, pharmacy platforms, and care authorization systems. Clinicians then revert to manual processes. Risky delays in medication management and diagnostics follow. Documented cases directly connect these disruptions to adverse patient outcomes. (Source: Nurses Educator, citing ANIA and HIPAA Journal)

What Federal Leaders Are Saying
FBI Co-deputy Director Andrew Bailey made the stakes plain: “When these attacks hit, the downstream effects move very quickly. Ambulances are diverted from the hospitals that can no longer receive them.” (Source: AHA News, April 2026)

AHA national cybersecurity advisor John Riggi reinforced this point, noting that attackers “know these attacks cause disruptions and delays to digitally dependent health care delivery, posing a risk to patient and community safety.” (Source: AHA News, April 2026)

The Staffing Gap Makes It Worse
The most common contributing factor (42%) in successful attacks was a lack of people and capacity. Many healthcare organizations reported having too few cybersecurity experts monitoring systems at the time of an attack. That description fits most PAC/LTC providers with precision. (Source: Sophos State of Ransomware in Healthcare 2025, via Fierce Healthcare)

The Regulatory Ground Has Already Shifted

If the clinical picture does not move the needle, the regulatory trajectory should.

Current CMS Requirements
Currently, CMS emergency preparedness Conditions of Participation/Conditions for Coverage require Medicare-participating facilities to maintain emergency plans based on an all-hazards approach. CMS defines “all-hazards” as an integrated approach to emergency preparedness that focuses on identifying hazards and developing capacities to address a wide spectrum of emergencies.

This approach covers natural, man-made, and facility-specific emergencies. The list includes care-related emergencies, equipment and power failures, interruptions in communications including cyber-attacks, loss of part or all of a facility, and supply chain disruptions.

Read that list carefully. CMS names cyber-attacks explicitly. (Source: CMS.gov, Homeland Security Threats page)

Homeland Security threats such as cyber-attacks can have a massive impact on healthcare organizations and can lead to a complete shutdown of operations. Incidents like ransomware, experienced by several healthcare facilities since 2016, further emphasize the need for organizations to strengthen their information security systems. (Source: CMS.gov)

Enforcement Is Tightening Fast
On April 23, 2026, HHS Office for Civil Rights announced settlements with four regulated entities following separate ransomware investigations under HIPAA. The resolutions mark 19 completed investigations from ransomware breaches and 13 completed investigations in OCR’s Risk Analysis Initiative. (Source: HHS.gov Press Release, April 23, 2026)

At the same time, proposed HIPAA Security Rule changes expected to finalize in May 2026 will introduce mandatory requirements. The updated rule will require mandatory annual security risk assessments, universal encryption of ePHI, multi-factor authentication across all systems, regular vulnerability scanning, and substantially more detailed compliance documentation. (Source: Medcurity, April 2026)

HHS Deputy Secretary Andrea Palm stated that “the increasing frequency and sophistication of cyberattacks in the health care sector pose a direct and significant threat to patient safety.” (Source: HHS.gov HIPAA Security Rule NPRM)

The Real Exposure for PAC/LTC Administrators
Here is the critical insight: you do not need a new regulation to face a deficiency citation tied to a cyber event.

If a ransomware lockout leads to a missed insulin dose, a skipped wound care treatment, or a resident’s deterioration because staff had no practiced downtime protocol, the survey tag will not say “cybersecurity failure.”

Instead, it will say Failure to Administer Medications as Ordered. Or Failure to Provide Adequate Supervision. Or Failure to Protect Residents from Harm.

The mechanism is digital. The accountability is clinical.

The Analog Drill: Building Clinical Muscle Memory for a Digital Blackout

The single most impactful step a PAC/LTC leader can take right now is treating downtime planning as a clinical drill. Call it what it is: the Analog Drill.

Your staff practice fire evacuations. They practice severe weather shelter-in-place. Nurse informaticists must ensure all clinical staff participate in regular downtime drills, not just IT teams, because real-world system disasters demand a clinical response, not only a technical one. (Source: Nurses Educator, citing ANIA Nursing Downtime Preparedness Toolkit)

A ransomware event deserves the same rigor.

1. Print and Secure Paper MARs Every 24 Hours

Every shift, staff should print a current paper Medication Administration Record, date it, and store it in a designated secure location on each nursing unit.

When the eMAR goes offline, your nurses need a verified starting point. A 48-hour-old printout full of discontinued orders becomes a medication error waiting to happen.

Make the daily print a policy. Make it auditable.

2. Run Quarterly “Lights Out” Med Pass Drills

Pick one unit. Announce that the eMAR is “down” for the next med pass. Direct nurses to work from the paper MAR, document by hand, and follow a manual verification protocol for high-risk medications: insulin, anticoagulants, and opioids.

Time it. Debrief it. Document it. Improve it.

This builds the kind of muscle memory that prevents panic at 2 AM on the night of an actual attack.

3. Establish a Controlled Substance Manual Reconciliation Protocol

Controlled substance management during an outage ranks among the highest-risk areas. Without electronic counts and chain-of-custody records, discrepancies multiply fast.

Build a paper-based dual-verification protocol specifically for controlled substances. Drill it separately. Your pharmacy consultant should review and sign off on the process.

4. Pre-Position Downtime Kits on Every Unit

A downtime kit is a physical box or binder containing everything a charge nurse needs to operate safely without technology:

  • Blank paper MARs and treatment administration records
  • Current resident face sheets (updated monthly)
  • Allergy lists (printed and verified monthly)
  • Physician and pharmacy contact numbers (not just saved in a phone app)
  • Manual vital sign logs
  • A laminated quick-reference card for the downtime protocol

Test this standard: if a charge nurse cannot locate and open the kit within 60 seconds, the drill has failed.

5. Train Every New Hire on Paper Charting

Many nurses hired in the last decade have never charted on paper. That training gap now represents a patient safety risk.

Include a paper charting competency in your onboarding program. One hour of hands-on practice with your facility’s downtime forms can prevent a critical error during a real event.

6. Include Your Vendors in the Scenario

Your pharmacy provider, lab service, therapy company, and hospice partners all interact with your clinical systems. A ransomware drill that only involves your staff misses half the picture.

Run a tabletop exercise that includes your key vendors. Identify their downtime protocols. Find out how long each partner can operate without the electronic interface. The gaps you uncover will prove instructive.

Beyond the Drill: Strategic Considerations for Leadership

Analog Drills address the immediate clinical risk. Leadership, however, should also evaluate the broader organizational posture.

Cyber Insurance
Carriers now ask detailed questions about downtime protocols, staff training frequency, and incident response plans. A documented Analog Drill program strengthens your position during underwriting.

Family Communication
After a publicized healthcare breach, families will want to know what your facility does to stay prepared. A practiced, documented downtime protocol gives you a concrete answer.

Staff Confidence and Retention
Nurses who have practiced paper charting under simulated pressure perform better during a real event. Those who have not will freeze, improvise, or leave the shift. Preparedness functions as a retention strategy just as much as a safety strategy.

Organizations with strong backup validation and tabletop-tested playbooks reported fewer days of disruption and lower forensic, legal, and notification costs. (Source: AccountableHQ)

The investment in practice pays off in measurable ways.

A Readiness Checklist for the Administrator’s Desk

Use this as a starting point for your next leadership team meeting:

  • Do we print current paper MARs every 24 hours and store them on each unit?
  • Have we conducted a simulated “lights out” med pass in the last 90 days?
  • Does every nursing unit have a stocked, current downtime kit?
  • Do we maintain a manual controlled substance reconciliation protocol?
  • Has every nurse on staff demonstrated paper charting competency?
  • Have we included our pharmacy, lab, and therapy vendors in a tabletop exercise?
  • Does cybersecurity appear in our all-hazards risk assessment?
  • Have we documented our downtime protocol in our emergency preparedness plan?
  • Does our onboarding program include downtime procedures training?
  • Has leadership reviewed and signed off on the downtime protocol in the last 12 months?

If you checked fewer than seven boxes, your residents face real risk during a cyber event. Your organization also carries exposure to a deficiency finding rooted in clinical accountability.

The Conversation Ahead

Ransomware readiness in PAC/LTC has reached an inflection point. Threat volume sits at record levels. The regulatory framework is tightening. And the clinical consequences of unpreparedness are real, documented, and cited under tags that have nothing to do with computers.

Leaders who move first will accomplish two things. First, they will protect their residents during an event that grows statistically more likely every quarter. Second, they will build an organizational culture that treats digital resilience as a clinical competency, not a line item in the IT budget.

The path forward requires honest assessment, committed practice, and a willingness to drill for a scenario that feels unlikely until the morning arrives.

For those ready to think more deeply about where their organization stands, the conversation is open.