Reframing Cyber Risk: Why Healthcare Must Plan for Extended Downtime - UNH
Why It Matters
Extended cyber‑downtime threatens patient safety and revenue streams, forcing health providers to embed robust, long‑term resilience plans into core operations.
Key Takeaways
- Healthcare data outranks credit cards in ransomware value.
- Ransomware attacks now target EMR systems, encrypting records.
- Organizations must assume a breach is a matter of when, not if.
- Planning for 30‑45 day tech outages is essential.
- Conversation on extended downtime gaps is currently lacking.
Summary
The video highlights a growing consensus in the health‑care sector: cyber‑risk is no longer a hypothetical threat but a looming reality that could shut down electronic medical record (EMR) systems for weeks. As patient care now depends entirely on digital information flows, any prolonged loss of technology jeopardizes treatment, billing, and regulatory compliance.
Speakers trace the evolution from early data‑theft attempts to sophisticated ransomware that encrypts entire EMR databases, demanding ransom for decryption. They argue that the industry has shifted from asking "if" an attack will occur to "when," rendering traditional perimeter defenses insufficient. Consequently, health organizations must develop contingency plans for extended outages—30 to 45 days—not just brief glitches.
A striking quote underscores the urgency: "It's a when, not an if." The presenters note that most hospitals have never rehearsed a scenario where technology is unavailable for a month‑plus, leaving a critical conversation absent from boardrooms and IT roadmaps. They call for structured dialogues, tabletop exercises, and clear escalation protocols.
The implication is clear: health systems must integrate long‑term cyber‑resilience into their business continuity strategies, allocate resources for offline patient‑care processes, and align incentives across clinical, operational, and security teams. Failure to do so could result in catastrophic service disruptions, regulatory penalties, and loss of patient trust.