We want to talk about something that happened two months ago that we don’t think the healthcare community has fully processed yet.
On February 19, 2026, the University of Mississippi Medical Center, the only academic medical center in the state, serving more than 70,000 patients across seven hospitals and 35 clinics, was hit by a ransomware attack. By morning, every clinic in Mississippi was closed. Surgeries were cancelled. Chemotherapy appointments were postponed. Doctors who had spent their careers working inside one of the most sophisticated electronic health record systems available were handed pens and paper.
The Epic system — offline. Email — offline. Phones — offline.
It took nine days to reopen the clinics. Weeks more before the full scope of the breach was understood. And while UMMC worked around the clock with the FBI, CISA, and private sector cybersecurity experts to restore operations, data allegedly stolen during the attack was posted on the dark web with an $800,000 price tag.
This happened in Mississippi. Not in a headline from a distant city. Here. In the communities that healthcare organizations across the Southeast serve every single day.
And we are writing this because we think most healthcare organizations, if they’re being completely honest with themselves, have not asked the question that this incident demands:
Not “how did this happen to UMMC?” but “what would our response look like if it happened to us?”
In our experience working with organizations on cybersecurity posture, the answer to that second question is almost always more uncomfortable than anyone expects.
What Actually Happened at UMMC, and Why It Matters Beyond Mississippi
The attack on UMMC has since been attributed to the Medusa ransomware group, a sophisticated criminal organization that uses a multi-extortion model. They don’t just encrypt your files. They steal your data first. Then they give you two choices: pay to decrypt, and pay again to keep the stolen data from going public. The specific attack vector at UMMC has not been fully disclosed. But based on what is publicly known and what the broader pattern of Medusa attacks tells us, the entry point was almost certainly a public-facing application vulnerability (an internet-exposed system that hadn’t been fully hardened), combined with credential theft and privilege escalation that gave the attackers administrative access deep inside the network.
Here is the part that should stop every healthcare IT leader cold: the attack that became visible on February 19th almost certainly began weeks or months earlier. That is how modern ransomware works. The detonation, the moment everything goes dark, is the conclusion of a patient, methodical process. The attackers were inside UMMC’s network long before anyone knew it. They mapped the environment. They found the EHR system. They found the backup infrastructure. They found the communication systems. And when they were ready, when they had exfiltrated the data they wanted and positioned their payload precisely, they hit the switch.
This is not a story about a single vulnerability. It is a story about what happens when an organization’s visibility, incident response posture, and stakeholder communication are not aligned with the threat they actually face. Those three gaps, not the specific technical vulnerability that let the attackers in, are what turned a security incident into a nine-day statewide healthcare crisis.
Failure One: Visibility — The Threat Was Already Inside
Let us be direct about something that the cybersecurity industry doesn’t always say clearly enough: most healthcare organizations have a visibility problem, not a tools problem. In fact, the organizations with the most security tools often have the worst visibility. That sounds counterintuitive until you understand why it happens. Healthcare systems accumulate security products over time. Each clinical acquisition brings its own technology stack with its own security tooling.
Each vendor relationship introduces new network segments. Each department makes independent purchasing decisions based on their specific needs. The result is an environment where you might have 40, 60, sometimes over 100 security products that don’t talk to each other, don’t share threat intelligence, and can’t correlate events across the environment. An attacker performing lateral movement inside that kind of fragmented environment can fly completely beneath the radar. Any individual tool sees a piece of the picture. None of them sees the whole thing. And the whole thing, the pattern of an attacker quietly moving from system to system, escalating privileges, and exfiltrating data, only becomes visible when you’re looking at all of it together.
The question that every healthcare CISO should be able to answer today is this: if an attacker has been inside your network for three weeks, would you know? Not whether your tools would theoretically detect it. Would you actually know, with enough confidence to act on it before it becomes the next headline? For most organizations, the honest answer is no. And that’s not a reflection of the security team’s competence. It’s a reflection of the architecture they’re working with. What changes this is an open, unified Extended Detection and Response (XDR) platform that correlates signals across endpoint, network, cloud, identity, and application layers simultaneously. Not as separate dashboards that someone has to manually connect. As a single, correlated threat picture that surfaces behavioral patterns rather than isolated events. When you can see the whole picture, you can find the attacker before they find the switch.
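To make the correlation argument concrete, here is an added example (not code from the original post or from Fastcomcorp’s tool) that runs a per-tool view and a correlated view over constructed identity, endpoint and network events. The stage mapping, the per-tool thresholds and the dwell-time window are assumptions; the point is that each tool sees only low-severity noise while the correlated view surfaces a multi-week chain for one account.

```python
"""Cross-source correlation of low-severity events into one attack chain.

Added illustration, not part of the original post and not Fastcomcorp's
tooling. The telemetry below is constructed; stage names and thresholds
are assumptions standing in for a real XDR pipeline's own mapping.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry from three separate tools. Each event on its own
# is low severity; none of these tools would page on any single record.
EVENTS = [
    {"src": "identity", "ts": "2026-01-28T02:14:00", "user": "j.doe", "type": "logon_new_device"},
    {"src": "endpoint", "ts": "2026-01-28T02:20:00", "user": "j.doe", "type": "remote_admin_tool"},
    {"src": "identity", "ts": "2026-02-03T23:41:00", "user": "j.doe", "type": "group_add_admin"},
    {"src": "endpoint", "ts": "2026-02-05T01:05:00", "user": "j.doe", "type": "backup_console_access"},
    {"src": "network",  "ts": "2026-02-10T03:30:00", "user": "j.doe", "type": "outbound_large_transfer"},
    # Benign noise for another user: a new device and one admin tool, nothing more.
    {"src": "identity", "ts": "2026-02-01T09:00:00", "user": "a.nurse", "type": "logon_new_device"},
    {"src": "endpoint", "ts": "2026-02-01T09:05:00", "user": "a.nurse", "type": "remote_admin_tool"},
]

# Assumed mapping from event type to the intrusion stage the post describes:
# get a foothold, escalate, reach the backups, exfiltrate, then detonate.
STAGE_OF = {
    "logon_new_device": "foothold",
    "remote_admin_tool": "foothold",
    "group_add_admin": "escalation",
    "backup_console_access": "backup_reach",
    "outbound_large_transfer": "exfiltration",
}


def single_tool_alerts(events):
    """What each isolated tool raises on its own: only its 'critical' types.
    Thresholds are assumed; none of the staged events above cross them."""
    critical = {"identity": {"mfa_disabled"},
                "endpoint": {"ransomware_binary"},
                "network": {"c2_beacon_known_ioc"}}
    return [e for e in events if e["type"] in critical.get(e["src"], set())]


def correlate(events, window_days=21, min_stages=3, min_sources=3):
    """Group events per user inside a sliding dwell-time window and flag any
    user whose events span >= min_stages distinct stages reported by
    >= min_sources distinct tools. Returns {user: sorted list of stages}."""
    window = timedelta(days=window_days)
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):  # ISO-8601 sorts lexically
        by_user[e["user"]].append(e)
    findings = {}
    for user, evs in by_user.items():
        for i, first in enumerate(evs):
            start = datetime.fromisoformat(first["ts"])
            chain = [e for e in evs[i:]
                     if datetime.fromisoformat(e["ts"]) - start <= window]
            stages = {STAGE_OF[e["type"]] for e in chain if e["type"] in STAGE_OF}
            sources = {e["src"] for e in chain}
            if len(stages) >= min_stages and len(sources) >= min_sources:
                findings[user] = sorted(stages)
                break  # one finding per user is enough to open a case
    return findings


if __name__ == "__main__":
    print("per-tool alerts:", single_tool_alerts(EVENTS))   # []
    print("correlated chains:", correlate(EVENTS))          # j.doe flagged
```

Shrinking `window_days` to a few days makes the same chain disappear, which is the practical reason a correlation window has to cover realistic dwell time rather than a single shift.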
Failure Two: SOC Posture and Incident Response Readiness — The Gap Nobody Measures
Every hospital above a certain size has a Security Operations Center — a SOC. Most have an incident response plan. Both of those things matter.
But there is a difference that most healthcare organizations have never honestly confronted: the difference between having a SOC and having a SOC that is actually effective under real incident conditions.
Think about what UMMC’s security and operations teams were facing in the early hours of February 19th.
Not a tabletop scenario. Not a quarterly exercise. An actual Medusa ransomware detonation — everything going dark simultaneously across seven hospitals and 35 clinics with real patients who needed care, real staff who couldn’t access the systems they depended on, and real decisions that needed to be made in minutes.
The fact that UMMC’s hospitals and emergency rooms remained operational during those nine days, and that clinical staff successfully reverted to paper-based downtime procedures to maintain continuity of care, is genuinely impressive. That doesn’t happen without some preparation.
But the nine-day clinic closure, the cancelled chemotherapy appointments, the postponed surgeries, the weeks of uncertainty about what data was taken: those are the markers of a gap between what the incident response plan described and what the actual SOC capability could deliver under the pressure of a real event.
That gap exists at most healthcare organizations. And it almost never gets independently measured until an incident makes it impossible to ignore.
What SOC Posture Actually Means, and Why Most Assessments Miss It
When we talk about SOC posture in healthcare, we’re not asking whether the SOC exists. We’re asking a more specific and more uncomfortable set of questions:
Detection capability — Can your SOC detect the behavioral patterns of an attacker who has been inside your network for weeks and is deliberately staying beneath the threshold of individual tool detection? Or is it primarily reactive, responding to alerts that only trigger after something significant has already happened?
Response speed and decision quality under pressure — When a ransomware event begins detonating across multiple systems simultaneously, does your SOC have the trained muscle memory to contain it in the critical first hours? Or does the chaos of a real incident overwhelm processes that worked cleanly in controlled exercises?
Communication when the communication systems are down — This is the one that catches organizations completely off guard. Your SOC’s incident response protocols almost certainly assume that email and phones work. In a ransomware attack of UMMC’s scale, they don’t. Does your team have out-of-band communication protocols that function when your primary systems are offline? Most don’t.
Backup architecture integrity — Ransomware groups like Medusa specifically target backup systems before detonation. They know that your backups are your escape route, so they compromise or encrypt them first. Organizations that have complete confidence in their backup and recovery capability often discover during an actual incident that those backups were either encrypted alongside the primary environment, corrupted during the attack, or insufficiently isolated to survive. When that happens, recovery is measured in weeks. Sometimes months.
Third-party access monitoring — Verizon’s 2025 data found that third-party involvement in breaches doubled to 30% of incidents. Healthcare organizations have complex vendor ecosystems: clinical technology vendors, billing partners, insurance connectivity, remote monitoring providers. Each connection is a potential entry point. Most organizations have far less visibility into what those vendors are actually doing inside their network than they realize.
The Specific Question Your SOC Needs to Answer
The most important assessment any healthcare SOC can undertake right now is this: independent, external evaluation of whether your SOC’s actual capability matches what your incident response plan assumes it can do.
Not a self-assessment. Not a check against your tool vendor’s benchmarks. An external evaluation designed by people who have responded to real ransomware incidents, who know what the first four hours of a detonation actually look like, and who will give you an honest picture of where your capability ends and your exposure begins.
This is the assessment that the UMMC incident demands every healthcare organization conduct. And it is the assessment that most haven’t done.
Failure Three: The Board Doesn’t Have the Real Picture — And That’s the Root Cause of Everything
The third failure is the one that determines whether the first two ever get fixed. Healthcare boards and C-suite leaders are not cybersecurity specialists. They rely on their security and IT leadership to translate technical risk into terms they can act on. When that translation fails, when security posture gets reported as a compliance checklist, a dashboard of green and yellow indicators, or a list of tools that are deployed, boards cannot make informed decisions about what they’re actually buying with their cybersecurity budget.
This is not a failure of commitment on the board’s part. It is a structural communication problem. Boards are approving security budgets based on an incomplete picture. They believe their organization is more protected than it is, not because anyone has misled them, but because the tools and frameworks for translating security posture into boardroom language have historically been inadequate.
After February 19th, every healthcare board in Mississippi and Alabama had a conversation that started with: “Are we exposed to what happened at UMMC, and how would we know?”
The organizations whose security leadership could answer that question with a quantified, documented, independently verified picture of their actual posture were in a fundamentally different position than those who couldn’t. What boards actually need, and almost never have, is a cyber risk picture expressed in business terms. Not mean time to detect. Not alert volumes. Not tool coverage percentages. Questions like these:
- What is our financial exposure if a ransomware event shuts down our operations for nine days?
- What is the probability of that happening in the next 12 months, based on our current posture?
- Where are our three most critical gaps, and what does it cost to close them versus what it costs if we don’t?
- What does our cyber insurer require us to demonstrate at renewal, and do we have that documentation?
Those are the questions that drive real cybersecurity investment decisions. And most healthcare security teams don’t have the framework to answer them in those terms.
The Numbers That Put This in Perspective
We want to ground this in specifics because cybersecurity risk as an abstraction is easy to defer. The University of Vermont Medical Center’s 2020 ransomware attack took its EHR offline for 28 days and cost approximately $65 million. UMMC’s nine-day closure affected 70,000 patients. The full cost (staff hours, system rebuilding, federal investigation support, forensic analysis, extended clinic hours to clear the patient backlog, potential HIPAA regulatory consequences, legal exposure from the dark web data posting) is not yet public. Based on comparable incidents, it will be measured in tens of millions of dollars at minimum.
And those numbers don’t include the human cost. The cancer patient whose chemotherapy was postponed. The surgical patient who waited. The rural Mississippi resident who had no alternative facility within a reasonable distance and simply went without care for nine days. The ransomware epidemic in healthcare is not slowing down. In 2025, ransomware groups conducted 293 attacks on hospitals and clinics, exposing 44.3 million patient records. The UMMC attack is the fourth time Mississippi hospital systems have been hit in three years. Predictions for 2026 suggest 40% of health systems will experience an attack. The question for every healthcare board is not “what does better cybersecurity cost?” It is “what does nine days of closed clinics cost our organization, and is that number larger than what we’ve invested in preventing it?” For virtually every healthcare organization in the country, the answer is yes. By a significant margin.
A Note on Federally Funded Healthcare Organizations
Most commercial healthcare organizations operate their security function as a SOC, a Security Operations Center focused on continuous monitoring, detection, and response within a commercial framework. That is the appropriate standard for hospitals and health systems operating primarily in the commercial market. However, there is an important and growing distinction that healthcare leaders need to understand, particularly following UMMC.
UMMC is not simply a commercial hospital. It is a federally funded academic medical center receiving federal research grants and operating under Medicare and Medicaid funding relationships. Under Presidential Policy Directive 21, healthcare is designated as critical infrastructure. CISA has been actively engaging academic medical centers and federally funded health systems to adopt CSIRT-aligned coordination protocols: the incident response frameworks that govern how government agencies and critical infrastructure operators handle and coordinate cybersecurity events.
This matters practically because:
- CISA’s coordination during the UMMC incident was not a standard commercial SOC engagement. It was a critical infrastructure response using government threat intelligence frameworks, inter-agency coordination protocols, and incident reporting requirements that go beyond commercial SOC standards.
- Federal funding relationships increasingly carry cybersecurity requirements that align with government frameworks rather than purely commercial standards.
- Organizations that can demonstrate alignment with both commercial SOC effectiveness and government-aligned incident response frameworks are in a materially stronger position with both their commercial insurers and their federal funding agencies.
This is the convergence that healthcare security leaders at federally funded institutions need to be planning for now, not after the next incident.
How the Fastcomcorp Cyber Risk Tool Addresses All Three Failures
We want to be direct about why we built what we built and why the UMMC incident makes it more relevant than ever. The Fastcomcorp Cyber Risk Tool was built because we saw a consistent gap between what healthcare organizations believed about their security posture and what independent assessment revealed about their actual posture. We thought the consequences of that gap were unacceptable. February 19th proved that they are.
Built on Frameworks Your Regulators and Insurers Recognize
The tool is built on the NIST Cybersecurity Framework — the recognized standard for cybersecurity risk assessment across healthcare, government, and critical infrastructure.
It incorporates MITRE ATT&CK and MITRE ATLAS to align assessment findings with real-world adversary behavior, meaning the gaps it identifies aren’t theoretical. They’re mapped to the specific techniques that groups like Medusa actually use against healthcare organizations. This framework alignment matters practically: the output of a Fastcomcorp assessment isn’t just meaningful internally. It is defensible externally: to your cyber insurer at renewal, to your federal funding agency during oversight, to your board during the conversation after an incident, and to legal counsel if litigation follows a breach.
SOC Posture and Effectiveness Assessment
One of the most critical capabilities in the Fastcomcorp Cyber Risk Tool is the independent assessment of SOC effectiveness, evaluating not just whether your security operations function exists and is staffed, but whether it has the actual capability to detect, contain, and respond to the kind of attack that hit UMMC in the critical first hours of a real event. This is the assessment most healthcare organizations haven’t done. And after February 19th, it is the assessment every healthcare organization needs.
For Federally Funded Institutions
For academic medical centers and healthcare organizations with federal funding relationships or critical infrastructure designation — our assessment framework bridges commercial SOC standards and government-aligned incident response frameworks simultaneously. This means a single assessment satisfies both your commercial insurer’s requirements and your federal oversight agency’s expectations. Most commercial cybersecurity vendors cannot offer that bridge. We can.
Visibility Gap Mapping
The tool maps your current security tooling against the visibility requirements of the modern threat landscape — identifying where correlated detection capability is absent, where third-party access creates unmonitored exposure, where identity controls leave credential-based attacks undetected. It also surfaces dark web exposure — one of the most overlooked early warning signals in ransomware incidents. Attackers don’t typically start by exploiting a technical vulnerability. They start by buying credentials. If your staff’s email addresses and passwords are already available on the dark web — and given the current threat environment, the probability that some are is significant — that is intelligence about your actual exposure that your current tooling may not be surfacing.
Boardroom-Ready Risk Quantification
The output of a Fastcomcorp Cyber Risk Tool assessment is designed for the boardroom conversation, not just the SOC. We express security posture in financial and operational terms. Quantified risk exposure. Gap prioritization by likelihood and impact. A remediation roadmap with expected risk reduction and cost at each stage. This is the picture that allows your board to make real decisions about cybersecurity investment. It is also the documentation your cyber insurer is increasingly requiring before renewing coverage, and requiring at a level of specificity that a self-assessment or a compliance checklist cannot satisfy.
The Questions You Should Be Able to Answer Right Now
If you are a healthcare CIO, CISO, board member, or risk officer reading this, here are the specific questions that the UMMC incident demands you be able to answer. Not theoretically. With documented evidence.
On Visibility:
- If an attacker has been inside our network for three weeks, would we know?
- Can we detect lateral movement across our environment within 24 hours of it beginning?
- Do we have correlated visibility across endpoint, network, cloud, and identity simultaneously — or are we working with fragmented tools that each see a piece of the picture?
- Do we know which of our third-party vendors have active access to our systems right now?
- Are any of our staff credentials currently available on the dark web?
On SOC Posture and Incident Response:
- When did we last have our SOC’s effectiveness independently assessed against a realistic ransomware scenario?
- How long could our clinical operations function without our EHR system, and have we actually tested that under simulated downtime conditions?
- Are our backup systems isolated in a way that would survive a ransomware attack targeting our primary environment?
- Do our incident response protocols function when email and phones are offline?
- What is our documented mean time to contain, and is it based on real incident data or exercise assumptions?
On Stakeholder Communication:
- Can our board express our top three cyber risks in financial and operational terms, not technical ones?
- Does our cyber insurance coverage align with our actual recovery cost estimate for a nine-day operational shutdown?
- Does our insurer have the security posture documentation they require for our next renewal, or will we be assembling it under pressure during the underwriting conversation?
- Can our CISO give the board an independently verified picture of our current posture (external evaluation, not self-assessment)?
If you can answer all of these questions confidently and with documented evidence, your organization is in better shape than most. If you cannot, closing that gap is the most important thing your security function can do right now.
What the Organizations That Don’t Make Headlines Do Differently
Fastcomcorp has worked with organizations across a wide range of security maturity levels. The ones that don’t end up in the news share a consistent set of characteristics. They treat cybersecurity posture as a business question, not a technology question. Their leadership understands risk in financial and operational terms. Their security leadership speaks the language of the boardroom, not just the SOC. They get independent assessments regularly. Not self-assessments. External evaluations by people whose job is to find the gaps, not confirm the assumptions.
They test their SOC and incident response capability under conditions that are genuinely uncomfortable. Not a quarterly exercise where everyone knows the answer. A realistic scenario designed against the current threat landscape, run by people who have actually been inside real ransomware incidents. They know what their insurers need, and they have it documented before renewal rather than scrambling for it during the underwriting conversation. And they monitor for early warning signals that their environment may already be compromised: dark web exposure of credentials, anomalous authentication patterns, unusual access behavior that individual tools miss but correlated visibility surfaces before the switch gets hit. None of this requires an unlimited budget. What it requires is an honest look at your actual posture, not the posture you believe you have, and the organizational commitment to close the gaps that assessment reveals.
One Final Thought
The UMMC ransomware attack in February 2026 is the fourth time Mississippi hospital systems have been targeted by ransomware in three years. It is one of 293 attacks on healthcare organizations globally in 2025 alone. Medusa, the group responsible, is still operating. Healthcare remains their most profitable target sector. The people protecting healthcare organizations are not failing because they lack dedication or skill. They are working in an environment that has become fundamentally more dangerous while many of the tools, structures, and communication frameworks around them haven’t kept pace.
Medusa didn’t target UMMC because it was uniquely vulnerable. They targeted it because healthcare organizations are systematically under-resourced for the threat they face, and because ransomware groups have mapped, with painful precision, exactly where the gaps are. The next attack will happen. The question is whether your organization will be in a position to contain it before it becomes nine days of closed clinics, or whether your board will be discovering the answer to that question in real time.
Getting an independent, honest picture of your actual security posture from an MSSP before you need it is not a luxury. After February 19th, it is the baseline.
Not next quarter.
Now.