72-Hour Nursing Home IT Outage Playbook: Restore Operations After a Third-Party Ransomware Outage
Operational playbook for nursing homes to restore core services in 72 hours after a third-party IT provider ransomware outage.
By CyberReplay Security Team
TL;DR: A focused 72-hour nursing home IT outage playbook can get core clinical operations back online or to safe manual processes within 72 hours - reducing patient safety risk and regulatory exposure. This guide gives step-by-step containment, communications, manual workflows, technical checks, and vendor oversight actions to follow when a third-party IT provider is hit by ransomware.
Table of contents
- Quick answer
- Who this playbook is for and why it matters
- When this matters
- Definitions and scope
- 72-Hour operational playbook - overview
- Checklists - quick-print versions
- Communication templates (staff, families, regulators)
- Technical containment snippets and evidence collection
- Proof scenarios and impact numbers
- Common objections and answers
- Common mistakes
- FAQ
- Get your free security assessment
- Next step - recommended actions aligned to MSSP/MDR/Incident Response
- References
- Conclusion
Quick answer
If a third-party IT provider is hit by ransomware, do the following in the first 72 hours: (1) isolate affected provider connections and log access, (2) switch critical services to documented manual or backup processes, (3) validate offline backups and EHR continuity, (4) use a coordinated communications protocol for staff and regulators, and (5) engage an MDR or incident response provider for forensic containment and recovery. Following a structured playbook reduces immediate patient-safety risk and shortens operational disruption - often turning multi-day paralysis into a degraded-but-safe 72-hour operating posture.
Who this playbook is for and why it matters
- Audience: nursing home owners, executive directors, IT managers, and clinical leads responsible for resident safety and regulatory compliance.
- Stakes: medication errors, missed critical labs, breached PHI, CMS noncompliance, and legal exposure increase rapidly after an outage. Quick, documented actions minimize those harms and protect reputations.
This playbook is not a full incident response report. It is an operational continuity checklist for the first 72 hours after a third-party IT provider ransomware outage and is designed to work with your emergency operations plan and vendor contracts.
When this matters
This playbook applies when your facility experiences any of the following triggered conditions:
- Loss of EHR access that is not restored within 1 hour and prevents clinical charting or medication administration.
- Evidence or reasonable belief that PHI was exposed, exfiltrated, or encrypted by a vendor incident.
- Vendor-managed backup or failover services are unavailable or suspected to be tainted.
- Critical integrations fail such as medication dispensing, lab interfaces, or pharmacy communications that directly affect resident safety.
Why use this playbook now: the earliest actions focus on resident safety, legal notification obligations, and evidence preservation. If you are unsure whether an incident meets these thresholds, run a fast vendor dependency check and escalate to an IR partner. See the CyberReplay Scorecard for a quick assessment and refer to CyberReplay cybersecurity services for rapid assistance.
Definitions and scope
Third-party IT provider outage
A failure, ransomware infection, or network compromise at a vendor (EHR host, backup-as-a-service, managed IT, vendor hosting critical apps) that removes access to systems your nursing home depends on.
Core services covered
EHR/charting, medication administration records (MAR), lab interfaces, medication dispensing, telephone, payment and billing portals, and email for staff coordination.
What this playbook does
Prioritizes resident safety and regulatory obligations first - then data recovery and root cause. It focuses on rapid operational continuity rather than full forensic remediation.
72-Hour operational playbook - overview
This section gives concrete hourly activities with roles and expected outcomes. Use the checklists in the next section as printable aids.
Hour 0-4 - Initial detection and containment
Objective: Stop further spread, preserve evidence, and confirm scope.
- Lead: Nursing home incident lead (ED/administrator) + IT vendor liaison.
- Actions:
- Immediately disconnect or block provider VPNs and remote-management channels to the nursing home network.
- Suspend any automated trust relationships that allow vendor-side admin access until verified.
- Preserve logs: request vendor to export authentication logs, SIEM logs, and backup operation logs for the preceding 72 hours.
- If access to EHR or medication systems is lost, declare a clinical contingency and invoke manual charting and MAR protocols.
Why: Early isolation limits lateral movement and stops additional data exfiltration or encryption of local caches.
Outcome target: No new encryption events observed within 2 hours; evidence snapshots secured.
Sample immediate command (ask your IT team or vendor to run):
# Disable a Windows interface to isolate a host. Run this from the local console, not over a remote session on that same adapter, or the session drops with it.
Get-NetAdapter -Name 'Ethernet' | Disable-NetAdapter -Confirm:$false
# Temporarily remove an explicit host route to a vendor IP (replace '10.0.0.5'). Only a route that actually exists is removed; without the lookup, Remove-NetRoute errors when no matching route is present.
Get-NetRoute -DestinationPrefix '10.0.0.5/32' -ErrorAction SilentlyContinue | Remove-NetRoute -Confirm:$false
Hour 4-12 - Stabilize operations and delegate roles
Objective: Shift to safe manual operations and confirm responsibilities.
- Clinical lead: Stand up manual medication administration and paper charting. Prioritize medication passes, feeding, and falls monitoring.
- IT lead: Verify network segmentation, maintain isolation, and coordinate with vendor IR.
- Communications lead: Draft staff guidance, family notification, and a regulator notification plan if PHI was impacted.
Practical steps:
- Pull a verified list of residents with high-risk needs (oxygen, insulin, complex meds) and assign nursing staff accordingly.
- Start time-limited paper MAR and designate a secure physical storage location for paper records.
- If the EHR is offline but backups are accessible through a different provider, verify that the backups themselves have not been encrypted or altered before restoring from them.
Outcome target: Core resident care workflows operational in degraded mode within 8-12 hours; all critical residents on an active watch list.
Start an organizational risk check with a fast scorecard to prioritize vendor exposure: https://cyberreplay.com/scorecard/
Hour 12-36 - Restore critical clinical services
Objective: Bring the most critical digital services back to safe operation or validated manual substitutes.
- EHR access: If read-only database snapshots exist offline, request vendor to mount a read-only copy in a segregated network for chart lookup only.
- Pharmacy and medication dispensing: If integrated dispensing is down, use preprinted dispensing logs and barcode crosschecks where possible.
- Laboratory interfaces: Arrange secure fax or secure email fallbacks for critical lab results.
Technical verification checklist:
- Confirm integrity of backups via checksums or hash comparisons before any restore.
- Confirm that any restored system is placed behind a new temporary admin account different from the vendor-supplied accounts.
- Use multi-factor authentication and restrict vendor access to a jump host with heavy logging.
Outcome target: Medication administration, critical labs, and nurse documentation restored to at least 70-90% functional capacity using either restored systems or validated manual processes within 36 hours.
Hour 36-72 - Validation, recovery, and handoff to longer-term IR
Objective: Validate data integrity, begin phased restores, and hand off to incident response provider for forensic work and long-term remediation.
- Forensics: Engage an incident response vendor with MDR capabilities to run timeline analysis, confirm data exfiltration, and advise on ransom decisions and legal obligations.
- Restore cadence: Prioritize restores by clinical criticality - e.g., EHR read-only, MAR, pharmacy, then billing.
- Regulators and reporting: Prepare initial breach notifications and documentation for CMS, HHS OCR, and state agencies if PHI was exposed.
Outcome target: Core clinical systems validated and in controlled restore by 72 hours with a documented evidence trail for regulators and insurers.
Checklists - quick-print versions
Rapid containment checklist (printable)
- Block vendor remote admin access to nursing home networks.
- Snapshot logs and preserve network evidence.
- Segregate affected hosts and networks.
- Confirm manual MAR and documentation flows initiated.
- Notify internal and external escalation lists.
- Engage MDR/IR vendor if available.
Clinical continuity checklist
- Identify high-risk residents within 30 minutes.
- Assign staff for 1:1 monitoring of the highest-risk 10% of residents.
- Start paper MAR and secure storage.
- Establish fax/phone fallback for lab and pharmacy communications.
Vendor oversight checklist
- Demand vendor timeline and evidence package.
- Require vendor to run integrity checks on backups.
- Enforce vendor contractual notification and forensics clauses.
- Require vendor to rotate all admin credentials and MFA keys.
Communication templates (staff, families, regulators)
Staff alert
Use secure internal channels and printed notices where email may be compromised.
Subject: Immediate: [ORG] IT outage - operational guidance
Time: [HH:MM]
Summary: Our IT provider experienced a ransomware outage affecting EHR access. We have enacted the emergency operations plan. Key actions: 1) Start paper MAR immediately; 2) All staff check-in at 07:00 shift; 3) Use secure phone line X for escalations.
Family notification
Keep it short, reassure safety measures, and offer a contact point.
We are currently operating on manual processes due to an IT outage at our provider. Resident care is continuing and no immediate harm has been reported. We will update families by [time]. For questions call: [phone].
Regulator notification
Follow the mandatory breach reporting timelines for PHI and CMS rules. Attach an incident summary and evidence of mitigation steps.
Technical containment snippets and evidence collection
Log collection requirement
Ask the vendor to export the following in native format and to provide SHA256 checksums:
- Authentication logs for the last 7 days.
- Backup job logs and the full backup catalog index.
- Remote access sessions and privileged account audit logs.
Sample forensic request checklist
- Time-synchronized system logs (UTC).
- Endpoint snapshots taken to read-only media.
- Network flow captures between vendor and customer in the 48 hours prior.
Evidence handling tip - Hash every artifact. Document chain of custody with timestamps and who accessed files.
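The backup-integrity check from the technical verification checklist and the evidence-handling tip above, as an added example that is not the page's own tooling: it compares a vendor-supplied sha256sum-style checksum list against the exported artifacts, flags mismatched, missing and unlisted files, and records a chain-of-custody entry with a UTC timestamp and the hashes computed on the receiving side. The directory layout, file names and sample contents are constructed assumptions.

```python
import hashlib
import tempfile
from datetime import datetime, timezone
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash in 1 MiB chunks so large backup catalogs are not read into memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sums(text: str) -> dict:
    """Parse 'hash  filename' lines in sha256sum format (what a vendor can supply)."""
    pairs = (ln.split(maxsplit=1) for ln in text.splitlines() if ln.strip())
    return {name.strip().lstrip("*"): digest.lower() for digest, name in pairs}

def verify_export(export_dir: Path, sums_text: str) -> dict:
    """Status per artifact: ok, mismatch, missing (listed but absent), unlisted."""
    expected = parse_sums(sums_text)
    status = {}
    for name, digest in expected.items():
        p = export_dir / name
        if not p.is_file():
            status[name] = "missing"
        else:
            status[name] = "ok" if sha256_file(p) == digest else "mismatch"
    for p in export_dir.iterdir():  # files shipped without a vendor checksum
        if p.is_file() and p.name not in expected:
            status[p.name] = "unlisted"
    return status

def custody_record(export_dir: Path, status: dict, handler: str) -> dict:
    """Chain-of-custody entry: receiver, UTC time, and our own hash of each file."""
    return {
        "received_utc": datetime.now(timezone.utc).isoformat(),
        "handler": handler,
        "results": status,
        "computed_sha256": {n: sha256_file(export_dir / n) for n in status
                            if (export_dir / n).is_file()},
    }

def build_constructed_export(root: Path) -> str:
    """Constructed sample: two delivered logs, a checksum list that also names a
    file never delivered, and auth.log altered after the vendor hashed it."""
    (root / "auth.log").write_bytes(b"2024-01-01T00:00:00Z vendor-admin login ok\n")
    (root / "backup_catalog.json").write_bytes(b'{"jobs": 3}\n')
    sums = "".join(f"{sha256_file(root / n)}  {n}\n"
                   for n in ("auth.log", "backup_catalog.json"))
    sums += "0" * 64 + "  rmm_sessions.csv\n"  # listed by vendor, never delivered
    (root / "auth.log").write_bytes(b"2024-01-01T00:00:00Z TAMPERED\n")
    return sums

def run_demo(handler: str = "IT lead (placeholder name)") -> dict:
    """Run the check on the constructed export and return the custody record."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        status = verify_export(root, build_constructed_export(root))
        return custody_record(root, status, handler)
```

Any artifact that comes back as mismatch or missing should be re-requested from the vendor before it is relied on for a restore or handed to regulators.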
Proof scenarios and impact numbers
Scenario 1 - Third-party EHR host encrypted
- Impact: EHR unavailable, pharmacy interface down, automatic med-dispensing paused.
- Actions implemented: Read-only EHR snapshot restored to isolated VLAN; paper MAR invoked; critical labs routed by fax.
- Result: Nursing home maintained 95% of medication administration on schedule within 24 hours; full clinical restore under controlled conditions at 60 hours. Time-to-safe-operations improved by 4x compared to ad hoc response.
Scenario 2 - Backup-as-a-service provider compromised
- Impact: Backups flagged as potentially tainted.
- Actions implemented: Vendor provided offline copies for validation; backups were validated with hashes; isolated restore executed to test environment.
- Result: Verified clean recovery point identified four days before the incident (-4 days); clinical restores prioritized - core systems available in 48 hours; billing and nonessential systems restored later.
Data point: Industry reports show average ransomware downtime can exceed multiple days - disciplined containment and validated restores are the biggest drivers to reduce that to measured 72-hour windows. See CISA and NIST guidance for incident handling and recovery best practices in References.
Common objections and answers
Objection: “This is too complicated for our team. We rely on the provider to handle incidents.” Answer: Vendor reliance is common, but the facility has independent regulatory and patient-safety obligations. Implementing simple manual processes and a 72-hour playbook requires small upfront training - typically 2-4 hours of staff drill time per quarter - but prevents larger compliance and safety costs.
Objection: “We cannot afford an MDR or IR provider.” Answer: Early engagement of MDR/IR is cost-effective. Delayed forensics and poor containment can extend downtime from days to weeks, increasing cost. Consider short-term retainer or buy-for-incident engagement models from MSSPs to cap spend.
Objection: “Our contract says the vendor is responsible for backups and restoration.” Answer: Contracts are critical, but during an active outage the facility must act to protect residents. Simultaneously escalate contractual remedies while executing operational continuity. Document all vendor interactions to support future claims.
Common mistakes
List of frequent mistakes during a vendor ransomware outage and quick mitigations:
- Relying only on the vendor to triage. Mitigation: Activate your internal incident lead and clinical contingency plans immediately while vendor work continues.
- Failing to preserve logs and chain of custody. Mitigation: Take early, documented steps to collect logs and hash artifacts; require vendor-provided checksums.
- Restoring from unverified backups. Mitigation: Always validate backups with hash checks and, when possible, test restores in an isolated environment before production restores.
- Not training staff on manual MAR and communications. Mitigation: Quarterly drills and quick-reference laminated sheets reduce confusion under stress.
- Delayed regulator notification and poor documentation. Mitigation: Assign a communications lead to log all decisions, times, and vendor interactions to support reporting obligations.
For help with vendor escalation and short-term containment options see CyberReplay managed services and CyberReplay emergency help.
FAQ
How do I decide whether to pay a ransom?
Ransom payment carries legal, operational, and ethical risks. Engage legal counsel and an experienced IR firm immediately. Decisions should be informed by forensic evidence of exfiltration, restoration options, and law enforcement advice. See FBI guidance in References.
When must we notify HHS OCR and CMS?
If your EHR or any PHI is reasonably believed to be compromised, HIPAA breach notification rules apply. Timelines vary - notify OCR and affected individuals as required. Document all mitigation steps. See HHS OCR guidance in References.
What are the minimum vendor contract clauses nursing homes should have?
Vendor SLAs must include incident notification timelines (under 1 hour for outages), forensic evidence delivery, access control change obligations, backup retention guarantees, and security testing requirements. If absent, escalate contract review now.
Can we operate safely without EHR for 72 hours?
Yes - with pre-planned manual procedures: paper MAR templates, secure printouts of allergy lists, phone/fax fallbacks for labs and pharmacy, and daily leader-led status checks. Training before an incident makes this practical.
How will this affect reimbursement and regulatory reporting?
Some billing functions may be delayed. Maintain time-stamped logs of all clinical actions to support claims. Notify CMS if the outage impacts regulatory timelines or resident safety. Keep records to mitigate penalties.
Get your free security assessment
If you want practical outcomes without trial-and-error, schedule your assessment and we will map your top risks, quickest wins, and a 30-day execution plan. If you prefer an instant, non-sales check, start with the CyberReplay Scorecard or request emergency assistance at CyberReplay emergency help.
Next step - recommended actions aligned to MSSP/MDR/Incident Response
- Immediate: Run the fast vendor risk check at CyberReplay Scorecard to prioritize vendor dependencies and required evidence requests.
- Within 24 hours: If you do not have incident response or MDR on retainer, contact a managed incident response provider or MSSP for emergency containment and forensics. CyberReplay-managed services help with continuity and IR escalation; review options at CyberReplay managed services and CyberReplay cybersecurity services.
- Within 72 hours: Validate a clean restore point, confirm documentation for regulators, and transition from emergency continuity to a full IR engagement for forensic root cause and longer-term remediation.
If you want a defensible, low-friction next step today - complete the scorecard above and request an emergency readiness review with an MDR/IR partner.
References
- CISA - StopRansomware Resources and Guidance
- NIST - Guide for Cybersecurity Event Recovery (SP 800-184)
- HHS OCR - Ransomware and HIPAA Guidance
- CMS - Emergency Preparedness for Providers and Suppliers (FAQ)
- FBI - Ransomware Resources and Safety Tips
- MITRE ATT&CK - Data Encrypted for Impact (T1486)
- AHA - Cybersecurity Guidance for Responding to Ransomware in Healthcare
- GAO - Cybersecurity Incident Response Capabilities (GAO-22-104700)
Note: These are authoritative source pages and guidance documents for incident response, recovery, and healthcare-specific ransomware considerations. Use them to validate legal, clinical, and technical actions during and after an outage.
Conclusion
A 72-hour nursing home IT outage playbook reduces resident-safety risk and regulatory exposure by setting clear actions for containment, manual continuity, evidence preservation, and vendor oversight. Train staff on the single-sheet checklists, verify backups regularly, and pre-contract MDR/IR or MSSP services to shorten recovery time and reduce costs. The fastest path to safety is planning, not improvisation.
Printable assets included in this guide: quick checklists, communication templates, and technical snippets to hand to your IT vendor or incident response partner.