Isolated recovery environments emerge as a critical layer of cyber resilience

LAS VEGAS – Ransomware attacks and other system disruptions are forcing healthcare organizations to rethink how they protect access to electronic health records.

Isolated recovery environments, or IREs, are emerging as a critical resilience strategy, allowing hospitals to rapidly restore core clinical systems in a secure, air-gapped environment while maintaining continuity of patient care.

At the HIMSS26 session "Safeguarding EHR Access: Isolated Recovery Environments for Ransomware Defense" here on Wednesday, Jeff Thomas, chief technology officer for Sentara Healthcare, and Matt Dinger, leader on the Worldwide Public Sector Global Healthcare team at Amazon Web Services (AWS), discussed the benefits of IREs for EHRs and the challenges to implementation.

Dinger noted that ransomware incidents can have direct patient consequences, with studies showing mortality rates rising during major cyber disruptions. 

Financially, healthcare downtime tied to cyber events has cost the sector nearly $22 billion over the past six years, and a single attack can erase a health system's annual profitability.

"If your system is compromised and EHR is unavailable, you don't have that clinical history or other health issues," Dinger said. "There is a clinical impact on the patients no matter how hard the clinicians work."

An IRE provides an air-gapped environment where critical systems and data can be restored if primary infrastructure is compromised, he explained. 

These environments rely on immutable backups, secure management channels and controlled access to ensure attackers cannot move laterally into recovery systems.

"An IRE can effectively mirror the EHR in a secure cloud environment using a one-way data pipeline that continuously journals system activity," he said.

If a cyber incident occurs and hospitals activate emergency procedures – often referred to as "Code Dark" – the isolated system can be brought online so clinicians can continue accessing patient information.

Thomas said the approach is designed to ensure care can continue even during major cyber incidents.

"Cybersecurity is patient care at its finest," Thomas said.

At Sentara, leaders have conducted tabletop exercises simulating scenarios in which ransomware forces an organization-wide shutdown of core systems, including EHR platforms, imaging systems and lab integrations. 

Those exercises revealed how quickly clinical operations can be disrupted without a resilient recovery strategy.

Implementing an IRE requires both technical architecture and executive governance. Thomas said health systems must define clear processes for activating recovery environments, limiting access and ensuring clinicians can safely retrieve information during an emergency.

"Building a zero-trust framework is the fundamental basis for success," he said.

Sentara has developed a segregated control plane with tightly restricted administrative access and a formal incident command process to determine when the recovery environment should be activated.

Health systems considering IRE deployments should start with a focused approach and expand gradually, Thomas advised. That includes integrating legacy systems carefully, coordinating across clinical and technical teams, and regularly testing recovery procedures.

"Start small, scale smart, test regularly," he said.

For healthcare organizations facing increasingly sophisticated cyber threats, Thomas said the goal is maintaining continuous access to the data clinicians need to care for patients.

"You do not have to be in the cloud to do a cloud IRE," he said. "This is you building the ability to give yourself that lifeboat."

WATCH NOW: HIMSS26 starts with talks about AI and cybersecurity