Back to all insights
Business ContinuityDisaster RecoveryHealthcareHIPAA

The 72-Hour Recovery Conversation Every Healthcare Practice Should Have

B Byzantine Technologies · · 9 min read

The Question Nobody Wants to Game Out

Here is a conversation every healthcare practice should have before it is forced to: if every one of your systems went dark right now — EHR inaccessible, phones down, imaging offline, no way to submit claims or send prescriptions electronically — how would you keep seeing patients for the next 72 hours?

It is an uncomfortable question, which is exactly why so many practices avoid it. But ransomware, hardware failure, and prolonged outages do not wait for a convenient moment. The practices that weather these events are not the ones that got lucky; they are the ones that had the recovery conversation in advance and made decisions while calm, rather than improvising while in crisis. HIPAA’s contingency planning requirements — including data backup, disaster recovery, and emergency-mode operation planning — exist precisely to force this conversation. But the goal is not to satisfy a regulation. The goal is to be able to care for patients when the technology fails.

The 72-hour window is a useful frame because it captures the realistic span of a serious outage: long enough that you cannot simply close and wait it out, short enough that careful planning makes a genuine difference.

The Systems You’d Suddenly Be Without

A serious outage rarely takes down just one thing. Ransomware in particular tends to hit everything connected at once. Walking through each dependency makes the scope concrete.

EHR Access

The EHR is the heart of clinical operations. If it is unavailable, can your clinicians still know who is scheduled, what their histories are, and what medications they are on? This is where downtime procedures matter: a planned way to operate when the EHR is unreachable. For some practices that means maintaining limited offline access to critical patient information; for others it means paper-based downtime forms and a documented process to reconcile records once systems return. The worst answer is “we’d have no idea” — and that is the answer for any practice that hasn’t planned.

Backups

Backups are what determine whether an outage is a setback or a catastrophe. The recovery conversation has to ask hard questions: Are backups actually being made, of everything that matters? Are they tested — has anyone confirmed they can actually be restored? Is at least one copy isolated or immutable, so that ransomware which reaches the live systems cannot also destroy the backups? And critically: how long does a restore actually take? A backup that exists but takes four days to restore does not help you in a 72-hour window.

“Everyone has backups until the day they need them. The practices that recover quickly are the ones that tested the restore before the emergency — and discovered the gaps when it was safe to.”

Phones

When systems go down, the phones become a lifeline — patients calling to confirm appointments, pharmacies calling about prescriptions, referring providers trying to reach you. But if your phones are VoIP running over the same network and infrastructure that just went down, you may lose them too. The recovery plan should account for how patients reach you when primary systems are offline — whether through a cloud-based phone system that survives a local outage, cell phones as a fallback, or a documented alternate number.

Imaging

For practices that rely on diagnostic imaging, an outage of the imaging system or its storage can halt a significant part of operations. The conversation should cover whether recent images are accessible during an outage, whether new imaging can be performed and stored safely, and how imaging ties into the broader downtime procedure.

Claims and Billing

An extended outage doesn’t just disrupt care — it disrupts cash flow. If you cannot submit claims for several days, the revenue impact compounds. The recovery plan should consider how claims are handled during downtime: whether they’re queued for submission once systems return, whether there’s an alternate submission path, and how to avoid timely-filing problems with payers.

Prescriptions

Electronic prescribing is now central to patient care, and controlled substances in particular have strict electronic requirements. If e-prescribing is unavailable, clinicians need to know the fallback — and that fallback needs to be worked out in advance, not discovered at the moment a patient needs a medication.

Emergency-Mode Operations

HIPAA specifically requires an emergency mode operation plan — a documented way to continue critical business processes and protect ePHI while operating in emergency mode. In plain terms: how do you keep caring for patients and keep their information secure when your normal systems are unavailable?

This is more than a backup strategy. It is a complete picture of degraded operations: which functions are critical and must continue, which can pause, who is responsible for what during an outage, how staff are notified and coordinated, and how you protect patient information even on paper or fallback systems. The plan should be written down, distributed, and — ideally — rehearsed, because a plan that lives only in one person’s head fails the moment that person is unreachable.

Two Numbers Every Practice Should Know

The recovery conversation should produce two concrete numbers for your critical systems:

Recovery Time Objective (RTO) — how quickly you need a system back. This is a business decision: how long can you operate in downtime mode before the impact becomes unacceptable?

Recovery Point Objective (RPO) — how much data you can afford to lose, measured in time. If backups run nightly, your RPO is up to a day’s worth of data; if that’s unacceptable for your EHR, you need more frequent protection.

Knowing these numbers turns vague anxiety into concrete requirements. They tell you whether your current backup and recovery setup is actually adequate, or whether there’s a gap between what you need and what you have.

Having the Conversation

  1. List your critical systems — EHR, phones, imaging, billing, e-prescribing — and what depends on each.
  2. For each, ask: what happens if it’s down for 72 hours? Write down the honest answer.
  3. Verify your backups are complete, isolated, and — most importantly — tested by an actual restore.
  4. Set RTO and RPO for each critical system and check whether your setup actually meets them.
  5. Write the downtime and emergency-mode procedures — including paper fallbacks and how patients reach you.
  6. Rehearse. Even a tabletop walk-through surfaces gaps you’d otherwise discover during a real crisis.

The Byzantine Takeaway

The 72-hour recovery conversation is uncomfortable precisely because it forces you to imagine your practice without the systems it depends on. But that imagining is the work that makes recovery possible. Walk through every dependency — EHR, backups, phones, imaging, claims, prescriptions — and decide in advance how each will be handled when it fails. Test your backups before you need them, set concrete RTO and RPO targets, and write down your emergency-mode operations so the plan survives any one person being unavailable. HIPAA requires this planning, but the real reason to do it is simpler: when the systems go dark, your patients still need care, and the practices that planned are the ones that can still deliver it.

Have questions about your practice's security?

Book a free 30-minute consultation — no obligation, no jargon.

Talk to an expert

Continue reading

May 31, 2026·12 min read

MFA for Healthcare: Where It Matters Most and Where Clinics Get It Wrong

Multi-factor authentication is the single highest-leverage security control a medical or dental practice can deploy. Here is where it matters most — and the gaps that quietly leave clinics exposed.
May 29, 2026·8 min read

Why Guest Wi-Fi Should Never Touch Your Clinical Network

A flat network is a quiet liability. Here is why network segmentation — keeping guest Wi-Fi, patient devices, IoT, and medical equipment away from clinical systems — is one of the most important architecture decisions a practice makes.
May 26, 2026·8 min read

Cyber Insurance, HIPAA, and the New Baseline for Healthcare Security

Cyber insurers now expect MFA, EDR, tested backups, patching, incident response, and vendor oversight before they'll write a policy. The good news: those same controls map directly to HIPAA expectations.