This past week, ransomware attacks on hospitals captured significant media attention, drawing both positive and negative reactions. A notable incident occurred in Mississippi, while a fictional scenario unfolded on HBO.
On February 19, an episode of the popular drama series The Pitt featured a subplot centered around a cyber threat to its fictional trauma center. As ransomware attacks affected nearby hospitals, the CEO of Pittsburgh Trauma Medical Center decided to preemptively take all IT systems offline, fearing his facility would be next.
Cybersecurity experts have been debating the realism of HBO's portrayal, yet its relevance is undeniable. To emphasize this point, early that same morning, the University of Mississippi Medical Center (UMMC) experienced a real ransomware attack. The attack impacted its IT systems, including the electronic medical records platform, Epic. In a move that mirrored the show's plot, UMMC temporarily shut down all 35 clinics in its network to mitigate further damage.
Was HBO's Depiction of Healthcare Ransomware Realistic?
The recent episode of The Pitt, which aired on February 26, continued the ransomware storyline. The staff at Pittsburgh Trauma had to rely on paper, pens, and a staff member’s impressive memory to carry out their duties.
Mick Coady, field chief technology officer at Elisity, noted, "This episode follows the patient care continuum from intake to discharge and illustrates the breakdown in processes: dry-erase boards, triplicate paper orders, and a pharmacist manually unlocking medication cabinets one by one. That's the picture every CISO I talk to is trying to convey to their board not ransom amounts or recovery timelines, but what actually happens to patients."
Coady found the most authentic detail in the episode to be surprisingly mundane: the staff were instructed to use ballpoint pens because felt-tip ink does not transfer through carbon copies. "Someone in that writers' room has experienced a real downtime event," he remarked. "That's an operational detail you only know if you've worked with paper processes in a clinical setting."
Ross Filipek, chief information security officer at Corsica Technologies, commented on the operational chaos depicted when systems went dark. He stated, "Healthcare is heavily reliant on IT. When digital charting, tracking boards, and core systems fail, efficiency plummets and risks escalate. I have witnessed this in actual incidents."
What HBO Got Wrong
While experts generally agreed that the tone of Episode 8 was accurate, they also pointed out some missteps and exaggerations. Coady noted that patient monitors continued to function normally and that the flow of patients to other facilities was unrealistic in a real-life scenario.
Filipek found the CEO's decision to shut down all IT systems before an attack to be implausible. He explained, "In a real hospital, executives would weigh patient safety and operational continuity alongside cyber risks. Such a decision would require significant input from IT and security leadership and would not be made lightly. The episode overlooked the behind-the-scenes efforts that occur during a crisis, which would involve all hands on deck, technical investigations, and possibly third-party support. You cannot just pull the plug and hope for a quick fix."
Coady expressed concern that the show might oversimplify the lengthy recovery process. "Some systems take months to fully restore. If the show implies that everything can be resolved in one bad shift, it downplays the impact of several weeks of paper processes on hospital staff, patients, and finances."
How Hospitals Should Address Ransomware
The episode concluded with everything still in analog. On February 25, UMMC reported that while it was making "significant progress in responding to the cyberattack and restoring our systems," it continued to face challenges in returning to normal operations. Many clinic appointments and elective procedures were canceled at least until February 27, and the hospital's phone lines were overwhelmed, leaving patients confused.
Ryan Witt, Proofpoint's vice president of industry solutions, highlighted a concerning trend in healthcare: not just the volume of attacks but their increasing disruption. He noted that 70% of victimized healthcare facilities report interruptions to patient care, with ransomware potentially leading to total operational shutdowns, resulting in deferred care, delayed diagnoses, and real clinical consequences for patients and their families.
Witt, who authored Proofpoint's 2025 "Cyber Insecurity in Healthcare" report, emphasized that healthcare facilities should focus on three main areas. First, securing credentials is crucial, as they are the primary means by which attackers access healthcare IT systems. Second, hospitals should plan for clinical resilience. While it is essential to restore IT systems quickly, ensuring patient care remains safe during outages is equally important. This requires practical downtime plans that address medication management, lab communications, triage, and patient prioritization.
Lastly, Witt advised that resilience needs to be tested, not assumed. He recommended tabletop exercises and downtime drills that simulate real clinical stress so that leadership teams can practice making difficult decisions about diversion, communication, and patient prioritization before facing an actual crisis.
On a positive note, Witt observed that more hospital executives are beginning to recognize cyber risk as a patient safety issue. He commented, "Boards are starting to inquire about how incidents could affect patient care, not just how quickly systems can be restored. This shift in mindset is important and, frankly, long overdue."
