In Season 2 of HBO's The Pitt, episode seven ends with a gut punch: the CEO of Pittsburgh Trauma Medical Center walks into the ER and announces that two nearby hospitals have been hit with ransomware. As a precaution, the center is taking all systems offline. Immediately.

What follows is controlled chaos. A med student stares at a fax machine she's never used. Nurses hand-write medication orders in triplicate. A pharmacist manually unlocks medication cabinets one by one. Patient status boards go from digital dashboards to dry-erase markers. The ER doesn't stop — but it slows to a crawl, and the margins for error collapse.

Rapid Disaster Response — when the systems fail, we keep care going
What a coordinated disaster response actually looks like: command center, cold chain, drone delivery, mobile compute — deployed in hours, not weeks.

It's great television. It's also a documentary.

The Numbers Behind the Fiction

The FBI's 2025 Internet Crime Report confirmed what hospital operators already knew: healthcare and public health was the most targeted sector for ransomware in the United States for the second consecutive year.

642
FBI-reported healthcare/public health cyber events (2025)
120
Ransomware attacks Q1 2026
96%
Involved data exfiltration

Source: HIPAA Journal, Comparitech Q1 2026, AHA / FBI IC3 Report

The Pitt writers drew on Ascension, one of the largest nonprofit hospital systems in the US, which was hit by the Black Basta ransomware group in May 2024. The attack disrupted electronic health records across roughly 140 hospitals in 19 states — for weeks. Doctors and nurses were forced onto paper charts, handwritten orders, and verbal workarounds that hadn't been practiced in years.

Health-ISAC reported a 55% rise in overall tracked cyber incidents in 2025 compared to the prior year, with health-sector incidents up 21%. And in Q1 2026 alone, 120 ransomware attacks hit hospitals, clinics, and direct care providers — before the geopolitical situation made things materially worse.

Then the War Started

On February 28, 2026, the United States and Israel launched coordinated strikes on Iranian nuclear and military sites. Within 48 hours, over 60 hacktivist groups claimed retaliatory cyber actions. Iran-affiliated APT groups — some with documented ties to the Ministry of Intelligence — began targeting US critical infrastructure with a focus and scale not previously seen.

On April 7, CISA issued a joint advisory warning that Iranian-affiliated actors were actively exploiting programmable logic controllers deployed across US water systems, energy grids, and government facilities. The attacks weren't theoretical. They were operational — manipulating control system displays, corrupting project files, and causing real disruption across critical infrastructure sectors.

On March 11, a cyberattack on medical device manufacturer Stryker — one of the largest suppliers to US operating rooms — reportedly wiped more than 200,000 phones, laptops, and other devices, causing global disruption. Stryker confirmed the attack but has not publicly confirmed the scale of device losses.

Some reporting has alleged Russian-linked support and coordination with Iranian cyber operations. Ukrainian intelligence documented Russian satellite imagery being provided to Iranian targeting teams, and Russian hacking collectives sharing access credentials to Israeli and allied infrastructure via Telegram. The lines between state actors, proxies, and criminal ransomware groups have blurred to the point of irrelevance for the hospital administrator trying to keep the lights on.

The Gap Nobody Talks About

Here's what struck us about The Pitt's portrayal: the hospital survived. Barely. With heroic improvisation, institutional memory from a handful of senior nurses, and a lot of luck. But the show compressed six weeks of real-world Ascension downtime into a few TV hours — and even in that compressed timeline, the cracks were terrifying.

The show got the texture right. The fax machines. The triplicate forms. The moment a young resident realizes she has never placed a medication order without a computer. What it couldn't fully convey was the supply chain dimension — the part that doesn't make for dramatic television but determines whether patients actually get the medications, devices, and blood products they need.

When a hospital's EHR goes down, the clinical workflow degrades. When the procurement system goes down simultaneously, the supply chain goes blind. No purchase order status. No inventory counts. No automated reorder points. No visibility into what the distributor is shipping, what's on backorder, or what's sitting in a loading dock with no one to receive it.

Most disaster recovery plans cover IT restoration timelines. Very few cover what happens to the physical supply chain during those timelines. And almost none address what happens when the attack doesn't just hit your hospital — it hits your region, your distributor, or your GPO's systems simultaneously.

Go-bag kit with ruggedized compute, Starlink terminal, and barcode scanner — field-ready for offline operations
A deployable go-bag concept: ruggedized compute, satellite connectivity, barcode scanning — everything needed to keep supply chain visibility alive when the network is down.
OPS:X Deployed Stack — ecosystem of current and emerging capabilities for continuous care under disruption
The technology exists. The partners exist. The question is whether it's coordinated before the crisis — or improvised during one.

A Question, Not an Answer

Nobody has this figured out. The problem is bigger than any single organization's solution, and the honest conversations about what's actually in place — versus what's in a binder on a shelf — are the ones that matter most right now.

So here's the question:

What's actually in your 72-hour playbook if the screens go dark?

Not the tabletop exercise from 2019. Not the disaster recovery plan nobody's opened since it was written. What's really in place — and what isn't?

If you've lived through one of these events, or you've built something that actually works, or you know exactly where the gaps are — that's what's useful. The real answers are more valuable than any framework.

The convergence of escalating ransomware, nation-state cyber campaigns, and an increasingly fragile healthcare supply chain isn't a future risk. It's the current operating environment. The Pitt gave millions of viewers a visceral preview. The question is whether we use this moment to start a real conversation — or wait for the next real-world episode.