Ransomware in the Clinic: Emergency Plan for 24 Hours, 72 Hours, and 30 Days

A ransomware incident in a hospital is not an IT glitch, but a patient care crisis. The operational roadmap from detection to the final BSI report — with lessons learned from real incidents.

Image: katielwhite91 (Pixabay)

Ransomware in the Hospital: The First 24 Hours, the First 72 Hours, the First Month

Hospitals are the most affected critical infrastructure sector in Germany in 2026. Cyberattacks on clinics have more than tripled since 2020; ransomware is by far the most common attack type. Whether it happens is no longer the question. The question is: what to do when it happens.

This roadmap is intended for clinic executives, IT managers, data protection officers, and crisis team leaders. It traces the process that has proven effective in real incidents — from the first suspicious screen message to the BSI final report after 30 days. Not as theory, but as an operational script.

Three preliminary notes. First: anyone reading this roadmap only during an ongoing incident has already lost. It only works if the structures — crisis team, escalation chain, reporting templates, backup strategy — have been established beforehand. Second: a cyberattack in a hospital is not an IT problem. It is a care crisis with an IT cause. The response runs through the crisis team, not the helpdesk. Third: NIS2 has significantly increased the pressure. Section 32 of the BSIG requires an initial report to the BSI within 24 hours, a 72-hour assessment report, and a final report after 30 days. Missing these deadlines can result in fines of up to €10 million and personal liability for management under Section 38 of the BSIG.

The First 30 Minutes — Detection and Containment

A typical start: a staff member at admissions can no longer access the HIS. Radiology calls in to say the images are not loading. At the same time, the IT hotline receives multiple tickets from different wards. What initially looks like a server problem turns out after 15 minutes to be encrypted files.

These first 30 minutes decide whether the incident becomes a controlled crisis or a widespread outage. Three steps are non-negotiable:

1. Rapid triage by IT leaders. Are only individual endpoints affected, or is it spreading? Is only the HIS affected, or also Active Directory, PACS, LIS, pharmacy systems? Initial indicators of ransomware: files with unusual extensions (.lockbit, .ryuk, .conti), ransom notes in directories, disabled endpoint detection, unusual activity in Active Directory logs.

2. Immediate network isolation of affected segments. Disconnect infected workstations from the network — physically if possible, otherwise via switch port disable or firewall rule. Critical question: has the attacker already obtained domain admin rights? If so, the entire domain is compromised. In that case: take all servers off the network, shut down Active Directory, and only restart after forensic assessment.

3. Convene the crisis team. Executive management, IT leadership, medical leadership, nursing leadership, data protection, press office. Ideally, a predefined list with private phone numbers and deputies. Activate the crisis room — physically, not digitally, because the digital tools may themselves be compromised.

What does not happen in the first 30 minutes: recovery, forensics, ransom negotiation, external communication. Only three things: detect, contain, escalate.
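The "detect" step at file level, as an added example that is not from the original article: a script that walks one share and counts the indicators named in step 1 (the listed ransomware extensions, ransom-note file names, and the high byte entropy of encrypted content). The note-name keywords and the entropy threshold are assumed starting values, and the sample share is constructed inside the block.

```python
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# Extensions named in the article's triage list; extend from current threat intel.
RANSOM_EXTENSIONS = {".lockbit", ".ryuk", ".conti"}
# Assumed heuristic: ransom notes are small text/HTML files with names like these.
NOTE_KEYWORDS = ("readme", "restore", "decrypt", "recover", "how_to")
NOTE_SUFFIXES = {".txt", ".html", ".hta"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: encrypted content approaches 8.0, clinical documents stay well below."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0


def triage_share(root: str, sample_bytes: int = 4096, threshold: float = 7.5) -> dict:
    """Walk one share and return the indicator counts for the crisis team's first triage call."""
    total = by_extension = high_entropy = 0
    notes = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        total += 1
        suffix = path.suffix.lower()
        if suffix in RANSOM_EXTENSIONS:
            by_extension += 1
        if suffix in NOTE_SUFFIXES and any(k in path.name.lower() for k in NOTE_KEYWORDS):
            notes.append(path.relative_to(root).as_posix())
        with path.open("rb") as fh:  # sample only the head of each file: speed matters here
            if shannon_entropy(fh.read(sample_bytes)) >= threshold:
                high_entropy += 1
    # the larger indicator covers renamed files as well as encrypted files not yet renamed
    ratio = round(max(by_extension, high_entropy) / total, 2) if total else 0.0
    return {"files": total, "ransom_extension": by_extension, "high_entropy": high_entropy,
            "ransom_notes": notes, "encrypted_ratio": ratio}


def build_sample_share() -> str:
    """Constructed sample share: clinical text files plus a partially encrypted ward folder."""
    root = tempfile.mkdtemp(prefix="share-")
    ward = Path(root, "ward-3")
    ward.mkdir()
    for i in range(6):
        Path(root, f"befund-{i}.txt").write_text("Befund: unauffaellig. " * 50)
    for i in range(3):  # encrypted files: random bytes, renamed by the ransomware
        Path(ward, f"patient-{i}.docx.lockbit").write_bytes(os.urandom(8192))
    Path(ward, "RESTORE-MY-FILES.txt").write_text("Your files are encrypted.")
    return root
```

Run it per share from a clean admin workstation; an encrypted ratio that grows between two runs a few minutes apart answers the "is it spreading?" question from step 1.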

The First 24 Hours — Triage, Crisis Team, BSI Initial Report

Hour 1 to 4: Damage assessment. Which care processes are affected? Emergency department, operating room, intensive care unit, laboratory, imaging, pharmacy, billing, patient identification. Which systems are down? HIS, PACS, LIS, RIS, AD, email, telephony, elevator control, climate control, access control. Which devices are compromised versus proactively shut down? Which backups are available and not affected themselves?

At the same time: switch to manual operations. The famous paper forms from the drawer. Patient identification by wristband with admission number. Medication by handwritten order. Findings by telephone and fax. The Lukaskrankenhaus Neuss operated for weeks in manual mode after a ransomware attack in 2016 — without patient losses, because the crisis team worked and the emergency folder was ready to hand.

Hour 4 to 12: Bring in external support. Three calls are critical:

External IT forensics. Anyone without a contract with a 24/7 forensic service provider should call now at the latest — and expect to wait hours for a response in a crisis. Providers with healthcare experience are rare; know the important companies in advance, and keep the emergency number in the crisis team folder.

Data protection officer. In parallel with the BSI report, the GDPR reporting obligation under Article 33 GDPR applies. If there is suspicion of unauthorized access to or theft of patient data, the competent data protection authority must be informed within 72 hours. If there is a high risk, the affected individuals must also be informed under Article 34 GDPR.

Insurer. Call cyber insurance and report the loss immediately. Many policies require notification within 24 hours, otherwise coverage lapses. Insurers often have their own forensic pools already covered by the policy — saving negotiations with unfamiliar providers in the acute phase.

Hour 12 to 24: BSI initial report. Section 32 of the BSIG requires the initial report within 24 hours of becoming aware of a significant security incident. "Significant" is deliberately not narrowly defined here — in the case of ransomware in a hospital, the threshold is practically always met.

The report is submitted via the BSI reporting portal (Mein-Unternehmenskonto, MUK). Keep the content concise:

  • General description of the incident

  • Time of detection

  • Affected systems and care areas

  • Suspected vector (if already known)

  • Containment measures taken so far

  • 24/7 contact point for follow-up questions

Anyone who does not have the initial report ready writes it under pressure. Prepared templates save 30 to 60 minutes — time that is urgently needed elsewhere in the crisis team.

Hour 24 to 72 — Damage Assessment, Forensics, BSI Assessment Report

Day 2: Full containment and start of forensics. The forensic specialists are on site or connected remotely. Their first task: preserve evidence without altering it. Disk images of infected systems, logs from firewall, Active Directory, mail server, endpoint detection tools. Collecting these logs before restarting is non-negotiable — later it will be too late.
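What the forensic team can pull from the preserved Active Directory and endpoint logs, as an added example that is not from the original article: a small rule set over constructed Windows security events (JSON lines) that flags an account added to Domain Admins, a burst of network logons across several hosts, deletion of shadow copies or the backup catalog, and a cleared audit log, and turns the hits into a first timeline with the hosts to isolate. The event field names and the thresholds are assumptions of the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Windows security events exported to JSON lines during evidence
# collection. The field names are an assumption of this example, not a product's schema.
SAMPLE_EVENTS = """\
{"time":"2024-02-01T01:12:03","host":"DC01","event_id":4728,"account":"svc-backup","group":"Domain Admins"}
{"time":"2024-02-01T01:14:10","host":"HIS-APP1","event_id":4624,"logon_type":3,"account":"svc-backup"}
{"time":"2024-02-01T01:14:40","host":"PACS01","event_id":4624,"logon_type":3,"account":"svc-backup"}
{"time":"2024-02-01T01:15:05","host":"LIS01","event_id":4624,"logon_type":3,"account":"svc-backup"}
{"time":"2024-02-01T01:20:30","host":"HIS-APP1","event_id":4688,"account":"svc-backup","command":"vssadmin delete shadows /all /quiet"}
{"time":"2024-02-01T01:21:00","host":"HIS-APP1","event_id":1102,"account":"svc-backup"}
{"time":"2024-02-01T08:00:00","host":"HIS-APP1","event_id":4624,"logon_type":2,"account":"dr.mueller"}
"""
# Commands that remove local restore points; most ransomware runs them before encrypting.
BACKUP_DESTRUCTION = ("vssadmin delete shadows", "wbadmin delete catalog")


def parse_events(text: str) -> list[dict]:
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for e in events:
        e["time"] = datetime.fromisoformat(e["time"])
    return sorted(events, key=lambda e: e["time"])


def detect(events: list[dict], spread_hosts: int = 3, window: timedelta = timedelta(minutes=10)) -> list[dict]:
    """Four rules applied in time order; the output doubles as the first draft of the incident timeline."""
    alerts, logons, flagged = [], defaultdict(list), set()

    def hit(e: dict, rule: str) -> None:
        alerts.append({"time": e["time"].isoformat(), "host": e["host"], "account": e.get("account"), "rule": rule})

    for e in events:
        eid, cmd = e["event_id"], e.get("command", "").lower()
        if eid == 4728 and e.get("group") == "Domain Admins":
            hit(e, "account added to Domain Admins")
        elif eid == 1102:
            hit(e, "security audit log cleared")
        elif eid == 4688 and any(p in cmd for p in BACKUP_DESTRUCTION):
            hit(e, "backup destruction: shadow copies or backup catalog deleted")
        elif eid == 4624 and e.get("logon_type") == 3:  # network logon
            logons[e["account"]].append((e["time"], e["host"]))
            hosts = {h for t, h in logons[e["account"]] if e["time"] - t <= window}
            if len(hosts) >= spread_hosts and e["account"] not in flagged:
                flagged.add(e["account"])
                hit(e, f"lateral movement: network logons to {len(hosts)} hosts within {window}")
    return alerts


def timeline(text: str) -> dict:
    alerts = detect(parse_events(text))
    return {"alerts": alerts, "first_suspicious": alerts[0]["time"] if alerts else None,
            "hosts_to_isolate": sorted({a["host"] for a in alerts})}
```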

Three critical decisions run in parallel:

Pay the ransom — yes or no? In Germany, payment is not illegal per se, but may become punishable if there is a proven link to sanctioned groups (e.g., those covered by EU sanctions lists). The BKA generally advises against it. Insurers often do not cover ransom payments, or only under strict conditions. In practice: even after payment, full recovery is not guaranteed — decryptors are often faulty, data is only partially usable, and double extortion (payment demanded for the decryption key and, separately, to prevent publication of stolen data) is common.

Recovery strategy. Restore from backups or rebuild from scratch? Backups must be verified as clean before reconnecting — some ransomware families lie dormant in the network for weeks and also infect older backups. Clean recovery often requires new hardware or a complete reinstall from reliably clean images.

External communication. Patients, relatives, referring physicians, local media. The press office coordinates, approved texts go through executive management. Important: communicate clearly what is working (emergency care continues, emergency department is reachable) and what is not (scheduled surgeries postponed, appointments rescheduled). False reassurance backfires as soon as the truth becomes visible.

Hour 72: BSI assessment report. Content:

  • Detailed impact on care operations

  • Severity classification

  • Status of initiated measures

  • Initial findings on the cause (initial vector, timeline)

  • Estimated timeframe for recovery

The GDPR report to the competent data protection authority is due in parallel, if patient data is affected. Both reports are often made on the same day — separate submissions, separate authorities, no joint procedure.

Day 3 to Day 30 — Recovery and Final Report

The phase that receives the least attention in practice — and takes the longest.

Day 3 to 7: Prioritized restart. The order is not IT-driven, but care-prioritized. First what directly affects patients (HIS, PACS, LIS, pharmacy), then administration. This is a clinical decision, not a technical one. For each system: rebuild from verified backups or reinstall, apply patches, harden configuration, reconnect gradually, run function tests, intensify monitoring.

Day 8 to 21: Stabilization. The system is running again, but under observation. Extended logs, endpoint detection on all critical devices, frequent backup tests. Staff also need training — often all passwords must be changed, new workflows must be adopted, and clear escalation paths must apply. At Lukaskrankenhaus Neuss in 2016, all employees had to switch to 16-character passwords and accept a new security concept.

At the same time: improvement measures. What made the attack possible in the first place? In the typical clinic incident, it is one to three weaknesses: an unpatched internet-facing server, a phishing email with a macro attachment, compromised maintenance credentials from a service provider. These are closed before the system returns to normal — not afterward.

Day 30: BSI final report. Content:

  • Complete incident review

  • Confirmed cause (root cause)

  • Consequences — damage, affected data, recovery costs

  • Lessons learned and specific adjustments to the security concept

  • Planned further follow-up steps

This report is not only mandatory — it is the basis if fines, civil lawsuits, or insurance disputes follow later. Write it carefully, attach the forensic report, have it approved by management, and include it in the ISMS file.

The Most Common Mistakes in the First Hours

The same patterns recur across real incidents. Four mistakes cost the most:

"Let’s first see if we can fix it ourselves." Trying to continue without forensics destroys evidence and increases the risk that the ransomware will return. On any serious suspicion: bring in external support — even if no findings emerge in the end.

"We can report to the BSI later; we’re busy right now." The 24-hour deadline starts when you become aware of the significant incident. It is not negotiable. Missing it risks fines regardless of the damage from the incident itself.

"We don’t need a crisis team, IT will handle it." That doesn’t work. Care issues, communication issues, staffing, supplier coordination, external forensics, authority contact — IT alone has neither the mandate nor the resources. Crisis management in a hospital is executive responsibility from minute one.

"Just restore the backups and we’re done." Backups managed in the same Active Directory are often compromised themselves. Most modern ransomware families deliberately destroy backups before encryption. Only offline or immutable backups are reliable — and even they must be verified before reconnection.
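Verifying a backup set before reconnection, as an added example that is not from the original article and that also covers the recovery decision in day 2 and the 3-2-1 building block below: a manifest of file hashes is signed with an HMAC key held offline when the backup is taken, and before restore the set is checked for a valid signature, changed or missing files, unexpected extras such as ransom notes, and whether it was taken after the earliest compromise date established by forensics. The backup contents, the key handling and the date strings are constructed assumptions of the example.

```python
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime
from pathlib import Path


def hash_tree(root: Path) -> dict:
    """Relative path -> SHA-256 of every file in the set (read_bytes suffices for this example's sizes)."""
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}


def write_manifest(root: Path, key: bytes, taken_at: str) -> bytes:
    """Written when the backup is taken. The HMAC key lives offline (assumed), so an intruder
    with domain admin rights can rewrite the backup but cannot forge a matching manifest."""
    body = json.dumps({"taken_at": taken_at, "files": hash_tree(root)}, sort_keys=True)
    return json.dumps({"body": body, "hmac": hmac.new(key, body.encode(), "sha256").hexdigest()}).encode()


def verify_backup(root: Path, manifest: bytes, key: bytes, earliest_compromise: str) -> dict:
    """Pre-reconnection check: manifest signature, content drift, and whether the set predates the intrusion."""
    env = json.loads(manifest)
    expected = hmac.new(key, env["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, env["hmac"]):
        return {"ok": False, "reason": "manifest signature invalid"}
    recorded = json.loads(env["body"])
    present = hash_tree(root)
    modified = sorted(f for f, digest in recorded["files"].items() if f in present and present[f] != digest)
    missing = sorted(f for f in recorded["files"] if f not in present)
    unexpected = sorted(f for f in present if f not in recorded["files"])
    # A set taken after the intruder was already inside may restore the intruder along with the data.
    too_recent = datetime.fromisoformat(recorded["taken_at"]) >= datetime.fromisoformat(earliest_compromise)
    return {"ok": not (modified or missing or unexpected or too_recent), "modified": modified,
            "missing": missing, "unexpected": unexpected, "taken_after_compromise": too_recent}


def build_sample_backup(taken_at: str) -> tuple[Path, bytes, bytes]:
    """Constructed backup set of a small HIS export plus its signed manifest and offline key."""
    root = Path(tempfile.mkdtemp(prefix="backup-"))
    key = os.urandom(32)  # in production: kept offline, under an identity separate from production AD
    for name in ("patients.csv", "orders.csv", "config/his.ini"):
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_text(f"{name}: clean content\n" * 20)
    return root, key, write_manifest(root, key, taken_at)


def simulate_ransomware(root: Path) -> None:
    """Constructed tampering: one file encrypted in place, one ransom note dropped."""
    (root / "orders.csv").write_bytes(os.urandom(512))
    (root / "RESTORE-FILES.txt").write_text("Your backups are encrypted.")
```

A set that fails any of the four checks goes back to the shelf; only a set that passes all of them is a candidate for the prioritized restart.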

What Must Happen Before the Incident

The operational roadmap only works with preparation. Six building blocks must be in place in advance:

1. Crisis team structure documented. Who is in it, who substitutes, private phone numbers, clear responsibilities and escalation thresholds. Update twice a year, distribute as a physical card to all crisis team members.

2. Emergency folder physically available. On paper, not in the IT system. Content: crisis team list, forensic service provider, BSI contact, MUK access, insurance policy, sample texts for the three reports, admission and treatment forms for manual operations. Store in at least two independent locations.

3. Backup strategy 3-2-1 with an offline component. Three copies, two media types, one offline or immutable. Quarterly tested recovery, documented. For hyperscaler backups: multi-factor authentication for backup admins, separate identities from production AD.

4. Tabletop exercise at least once a year. Half-day simulation of a cyberattack with the real crisis team. What works, what does not. Weak points become visible painlessly in the exercise — in a real incident they are expensive.

5. Forensics contract in advance. Stand-by contracts with 24/7 response time. Ideally annual test engagements so the provider knows your environment and does not have to learn the topology only during a crisis.

6. Documented escalation chains. Who decides what at what time? Who may disconnect the network from the internet? Who communicates with the media? Who bears legal responsibility for which decision? This clarification must exist in writing and be known to all involved.

NIS2 compliance under Section 30 of the BSIG requires nothing less. Hospitals that do not have these building blocks are not only in trouble when an incident occurs — they are vulnerable from a regulatory standpoint and unprotected in fine proceedings.

Lessons from Real Cases

Lukaskrankenhaus Neuss (February 2016). Weeks of manual operation after a ransomware attack. The crisis team worked, patient care was maintained. Lesson: advance planning for manual operations — including practiced forms and phone trees — is vital for survival.

Klinikum Lippe (November 2022). After intensive negotiations, the data was decrypted. Whether a ransom was paid remained controversial in public reporting. Lesson: have a negotiation option, but do not plan it as plan A — clean backups remain the gold standard.

Caritas Clinic Dominikus Berlin (February 2024). Recovery without documented ransom payment, but with weeks of operational restrictions. Lesson: a clean backup strategy saves the extortion sum — but costs recovery time that must be bridged in communications and operations.

MVZ Tirschenreuth/Kemnath (Autumn 2025). Multiple sites affected at the same time because a central IT infrastructure was compromised. Lesson: distributed infrastructure and cleanly segmented networks reduce single points of failure — a central AD without replication separation is a single point of failure.

ChipSoft Netherlands (April 2026). A ransomware attack on a single software vendor brought about 80 percent of Dutch hospitals to a standstill. Lesson: supply chain risk is real and systemic — a cyberattack on one party can hit a clinic that itself did everything right. Supplier security under Section 30(2) No. 4 of the BSIG is therefore not a formality.

Conclusion

A ransomware incident in a hospital is the most demanding crisis currently faced by the German healthcare system. The operational roadmap is clear — 30 minutes to contain, 24 hours for the initial report, 72 hours for the assessment, 30 days for the final report — but it only works with preparation.

The five most important levers: documented crisis team, physical emergency folder, tested offline backups, stand-by forensic contract, annual tabletop exercise. Anyone who has these five will survive an incident. Anyone who does not is taking a risk — financially, regulatorily, and reputationally.

NIS2 tightens the screws. Section 32 of the BSIG, with its 24/72/30-day logic, makes preparation mandatory — and the personal liability of management under Section 38 of the BSIG ensures that omissions have consequences beyond the immediate incident.

Cybersecurity in a hospital is not an IT task, but a care task. It belongs on the management agenda, not in the helpdesk inbox.

At Entropy CS, we offer Managed Incident Detection & Response for healthcare organizations — a 24/7 SOC team with healthcare specialization, EDR/XDR integration, threat intelligence from healthcare ISACs, prepared incident playbooks for ransomware scenarios, and NIS2-compliant reporting documentation. Our free risk assessment takes 30 minutes and provides an honest evaluation of your incident readiness — including concrete gaps in crisis team, backup strategy, and reporting processes.