BIPI

Healthcare IR Playbook: When Ransomware Hits the EHR

Cybersecurity

When ransomware locks clinicians out of the EHR, every minute maps to patient risk. This playbook covers triage from HL7 interface shutdown to DICOM/PACS isolation and patient divert decisions.

By Arjun Raghavan, Security & Systems Lead, BIPI · October 2, 2024 · 11 min read

#incident-response #healthcare #ransomware #hipaa #ehr #dicom

The February 2024 Change Healthcare attack took down prescription processing for thousands of pharmacies across the United States. The Synnovis ransomware incident in June 2024 forced London NHS trusts to cancel thousands of blood transfusions and surgical procedures. Healthcare ransomware is no longer a data-breach problem; it is a patient-safety emergency, and your IR playbook must reflect that reality.

First 15 Minutes: Life-Safety Triage Before Forensics

When the first page comes in, the IR team lead must answer one question before touching any keyboard: are any life-critical systems affected right now? Ventilator controls, infusion pump telemetry, cardiac monitoring, and OR scheduling are non-negotiable. Identify these systems before isolating anything, because a poorly timed network cut can be more dangerous than the ransomware itself.

  1. Page the CISO, CMO, and CNO simultaneously. Clinical operations leadership must be in the room within 15 minutes.
  2. Confirm whether the EHR (Epic, Cerner/Oracle Health, Meditech) is read-only, fully inaccessible, or partially degraded.
  3. Activate downtime procedures immediately. Every hospital should have laminated downtime binders at nursing stations; do not wait to confirm the scope of the incident.
  4. Identify which HL7 v2 or FHIR interfaces are still running. Interfaces to labs, pharmacy, and radiology may be sending data into an encrypted environment and must be paused.
  5. Notify your DICOM/PACS team. Radiology worklists fed from a compromised RIS can propagate encrypted data or simply stop functioning, delaying reads on trauma cases.

EHR Lockout: Downtime Procedures Are Your Continuity Plan

Most IR plans treat downtime procedures as a fallback. In healthcare ransomware, they are the primary continuity mechanism for the first 48 to 96 hours. Downtime procedures must be tested at least quarterly, not dusted off during an active incident. If your downtime binders are more than six months old, assume they are wrong.

  • Medication administration records (MAR): Switch to paper MAR immediately. Designate a pharmacist to each ward for verbal order verification.
  • Lab results: Establish direct phone callbacks from the lab to unit charge nurses. Critical values must have a confirmed verbal receipt loop.
  • Radiology: Radiologists revert to direct verbal reads for stat imaging. Establish a secure fax chain for written reports if the PACS viewer is offline.
  • OR scheduling: Move to a whiteboard-based schedule in the surgery charge desk. Elective cases should be paused until EHR read access is restored.
  • Patient identification: Use wristband scanners if the backend is offline, or revert to manual two-identifier confirmation at every medication administration.

HL7 and FHIR Interface Triage

HL7 v2 message brokers (Mirth Connect, Rhapsody, Ensemble) sit between clinical systems and are often overlooked in ransomware triage. If the broker itself is not encrypted, it may still be routing messages into an inaccessible EHR database, creating a backlog or, worse, silently dropping messages. FHIR APIs used for patient portal data, payer integrations, and third-party app connections should be suspended at the API gateway level to prevent data from reaching external parties during an active breach.
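The "backlog or silently dropped messages" problem above, as an added example that is not part of the original article: a small Python checker that parses the HL7 v2 ACKs an EHR returns over MLLP and pauses an outbound interface once the EHR stops accepting messages. The sample ACK frames, the three-failure threshold and the pause policy are constructed assumptions for this illustration, not behaviour of the broker products named above.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# MLLP framing bytes: <VT> message <FS><CR>
MLLP_START = b"\x0b"
MLLP_END = b"\x1c\x0d"


@dataclass
class AckResult:
    control_id: str  # MSA-2: control ID of the original message being acknowledged
    code: str        # MSA-1: AA (accept), AE (error), AR (reject); TIMEOUT/INVALID are ours
    ok: bool


def strip_mllp(frame: bytes) -> str:
    """Remove MLLP framing and decode the HL7 text (HL7 v2 defaults to 7-bit ASCII)."""
    if frame.startswith(MLLP_START) and frame.endswith(MLLP_END):
        frame = frame[len(MLLP_START):-len(MLLP_END)]
    return frame.decode("ascii", errors="replace")


def parse_ack(frame: bytes) -> AckResult:
    """Pull MSA-1/MSA-2 out of an HL7 v2 ACK. Anything without a usable MSA segment is INVALID."""
    text = strip_mllp(frame)
    segments = [s for s in re.split(r"\r\n?|\n", text) if s]
    if not segments or not segments[0].startswith("MSH") or len(segments[0]) < 4:
        return AckResult("", "INVALID", False)
    field_sep = segments[0][3]  # MSH-1 is the field separator, conventionally "|"
    for seg in segments[1:]:
        fields = seg.split(field_sep)
        if fields[0] == "MSA":
            code = fields[1] if len(fields) > 1 else ""
            control_id = fields[2] if len(fields) > 2 else ""
            return AckResult(control_id, code or "INVALID", code == "AA")
    return AckResult("", "INVALID", False)


@dataclass
class InterfaceMonitor:
    """Tracks ACK outcomes for one outbound interface; pauses it after N consecutive failures."""
    name: str
    max_consecutive_failures: int = 3  # assumed threshold
    consecutive_failures: int = 0
    paused: bool = False
    history: List[str] = field(default_factory=list)

    def observe(self, ack_frame: Optional[bytes]) -> str:
        """Record one send outcome. None means no ACK arrived before the MLLP timeout."""
        result = AckResult("", "TIMEOUT", False) if ack_frame is None else parse_ack(ack_frame)
        self.history.append(result.code)
        if result.ok:
            self.consecutive_failures = 0
            return "ok"
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.max_consecutive_failures and not self.paused:
            self.paused = True  # stop the channel; an operator resumes it once the EHR is verified healthy
            return "paused"
        return "paused" if self.paused else "degraded"


def _ack(code: str, control_id: str, text: str = "") -> bytes:
    """Build a constructed HL7 v2 ACK frame (sample data, not real traffic)."""
    msh = "MSH|^~\\&|EHR|HOSP|LAB|HOSP|20241002120000||ACK^R01|ACK" + control_id + "|P|2.5"
    msa = "MSA|" + code + "|" + control_id + ("|" + text if text else "")
    return MLLP_START + (msh + "\r" + msa + "\r").encode("ascii") + MLLP_END


# Constructed sequence: one good ACK, then the EHR errors, rejects, and finally stops answering.
SAMPLE_FRAMES: List[Optional[bytes]] = [
    _ack("AA", "LAB0001"),
    _ack("AE", "LAB0002", "Database unavailable"),
    _ack("AR", "LAB0003", "Rejected"),
    None,
]


def run_triage(frames=SAMPLE_FRAMES, max_failures: int = 3):
    """Feed a sequence of ACK frames (None = timeout) through one monitor; return it with the verdicts."""
    mon = InterfaceMonitor("LAB-results-to-EHR", max_consecutive_failures=max_failures)
    verdicts = [mon.observe(f) for f in frames]
    return mon, verdicts


if __name__ == "__main__":
    monitor, verdicts = run_triage()
    for code, verdict in zip(monitor.history, verdicts):
        print(f"{monitor.name}: ack={code:8s} -> {verdict}")
    print("paused:", monitor.paused)
```

The point of the check is the "silently dropping" case: an interface that keeps sending into a database that no longer answers looks healthy on the broker's dashboard. Counting non-AA responses and timeouts together, and pausing rather than retrying forever, turns that into a visible, reversible state.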

DICOM and PACS Isolation Protocol

PACS servers are high-value ransomware targets because they hold large volumes of unstructured imaging data and are often inadequately patched due to vendor support constraints. During an active incident, the PACS network segment should be isolated from the general hospital LAN within the first hour if encryption activity is detected on adjacent subnets.

  • Identify which DICOM nodes (modalities, workstations, archive) are on the affected VLAN.
  • Check the PACS vendor's emergency support line. Many vendors have a 24-hour clinical continuity line for exactly this scenario.
  • If the primary PACS is down, confirm whether a disaster recovery PACS or cloud-based viewer (Nuance, Ambra, Intelerad) is available for stat reads.
  • Do not attempt to restore PACS from backup until the primary infection vector is identified and contained. Restoring to an infected environment will re-encrypt the archive.
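As an added illustration (not from the original article) of the node-identification and DR-PACS steps in the list above, the Python below classifies a DICOM node inventory against the subnets where encryption activity was seen, produces an ordered isolation list, and reports which fallback archives are still outside the affected range. The AE titles, addresses, subnets, cut-over order and firewall-rule syntax are all constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple


@dataclass(frozen=True)
class DicomNode:
    ae_title: str
    host: str
    port: int
    role: str  # archive | workstation | modality | dr_archive (DR PACS or cloud viewer gateway)


# Constructed inventory: AE titles, addresses and subnets are made up for this example.
INVENTORY: List[DicomNode] = [
    DicomNode("PACS_ARCHIVE", "10.40.10.5", 104, "archive"),
    DicomNode("RAD_WS_07", "10.40.30.12", 11112, "workstation"),
    DicomNode("CT_ED_1", "10.40.20.31", 104, "modality"),
    DicomNode("MRI_2", "10.40.20.45", 104, "modality"),
    DicomNode("DR_PACS", "10.60.5.10", 104, "dr_archive"),
    DicomNode("CLOUD_VIEWER_GW", "10.60.5.20", 443, "dr_archive"),
]

# Assumed cut-over order: protect the archive first, then reading workstations, then modalities.
ISOLATION_ORDER = {"archive": 0, "workstation": 1, "modality": 2}


def nodes_on_subnets(nodes: Iterable[DicomNode], subnets: Sequence[str]) -> List[DicomNode]:
    """Return the nodes whose address falls inside any of the affected subnets."""
    nets = [ipaddress.ip_network(s, strict=False) for s in subnets]
    return [n for n in nodes if any(ipaddress.ip_address(n.host) in net for net in nets)]


def isolation_plan(
    nodes: Sequence[DicomNode],
    affected_subnets: Sequence[str],
    fallback_roles: Sequence[str] = ("dr_archive",),
) -> Tuple[List[DicomNode], List[DicomNode]]:
    """Split the inventory into nodes to cut off (ordered) and fallback archives still usable for stat reads."""
    affected = set(nodes_on_subnets(nodes, affected_subnets))
    isolate = sorted(affected, key=lambda n: (ISOLATION_ORDER.get(n.role, 99), n.ae_title))
    fallback = [n for n in nodes if n.role in fallback_roles and n not in affected]
    return isolate, fallback


def firewall_rules(isolate: Sequence[DicomNode]) -> List[str]:
    """Render the cut-off as iptables-style FORWARD rules (illustrative syntax; adapt to your firewall)."""
    rules: List[str] = []
    for n in isolate:
        rules.append(f"-A FORWARD -s {n.host} -j DROP  # {n.ae_title} ({n.role})")
        rules.append(f"-A FORWARD -d {n.host} -j DROP  # {n.ae_title} ({n.role})")
    return rules


if __name__ == "__main__":
    # Constructed scenario: encryption activity seen on the 10.40.0.0/16 imaging range.
    cut, fallback = isolation_plan(INVENTORY, ["10.40.0.0/16"])
    print("Isolate in this order:", [n.ae_title for n in cut])
    print("Fallback archives still reachable:", [n.ae_title for n in fallback])
    print("\n".join(firewall_rules(cut)))
```

If the DR PACS itself sits on an affected subnet it lands in the isolate list and drops out of the fallback list, which is exactly the case where the "confirm whether a DR PACS is available" step must fail loudly rather than be assumed.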

Patient Divert Decisions

Patient divert is a clinical decision, not an IT decision. However, the IR team must provide real-time status updates to clinical leadership so that the decision can be made with accurate information. Provide a simple red/yellow/green status board covering: EHR access, lab systems, pharmacy systems, radiology, and ED registration.


HIPAA Breach Notification Triggers

Ransomware creates a presumption of breach under the HIPAA Omnibus Rule unless you can demonstrate through a risk assessment that there is a low probability that PHI was accessed or exfiltrated. In modern double-extortion attacks, data exfiltration almost always precedes encryption. Assume breach, notify your privacy officer and legal counsel within the first two hours, and begin the 60-day notification clock from the date of discovery.

In double-extortion ransomware, the data was already stolen before the encryption notice appeared. Assume exfiltration. Start the HIPAA clock from day one.

Post-Incident: Hardening the Attack Surface

  • Segment clinical networks by function: imaging, pharmacy, lab, and administrative traffic should traverse separate VLANs with stateful inspection at the boundary.
  • Require MFA on all EHR vendor remote access connections. The Change Healthcare attack entered through a Citrix gateway with no MFA.
  • Patch HL7 interface engines on the same cycle as other critical infrastructure, not on clinical downtime schedules alone.
  • Test offline backup restores for the EHR database quarterly. A backup you have never restored is not a backup.
  • Conduct tabletop exercises specifically covering EHR ransomware with clinical department heads, not just IT staff.
