Stop Rehearsing the Workaround

Downtime readiness is becoming a real discipline. Two of its trends stop at the workaround, and the two that matter most for 2026 have not been set yet.

Revenue-cycle leaders have started writing downtime plans, and the discipline is overdue. A cyber incident stopped being an IT problem the moment it started stopping cash flow. Sophos counted 67% of healthcare organizations hit by ransomware in a single year (Sophos, 2024), and the guidance now circulating gets the stakes right. When the systems go down, claims do not go out and money does not come in. The plan it prescribes is careful: paper claim forms kept current, offline read-only copies of billing data, credentials tracked and rotated, downtime drills run quarterly. Every one of those is a good instinct. Most of them stop one step short of the fix.

The cost of stopping short is not abstract. Ascension disclosed a 2024 breach affecting 5.6 million patient records (HIPAA Journal, 2024). The same system reported a $1.1 billion net loss for that fiscal year. Downtime shows up on the income statement.

Both case examples in the guidance describe a trend already in motion, and neither finishes the thought, because the plan keeps the recovery tools inside the system under attack. That is the flaw the whole discipline is circling. Protection has to live outside the system it protects. Everything below follows from that one line.

Protection has to live outside the system it protects.

TRENDS BEING SET

01   The backups became the target.

The guidance is direct about it. Attackers no longer stop at production; they go looking for the backups, and the system it describes survived only because one offline, immutable copy sat where a stolen credential could not reach. That is the 3-2-1 discipline working, and it is becoming the baseline. The step the plan stops at is asking teams to maintain those offline copies by hand. A copy maintained by hand is a copy reachable by the credential that just compromised production. CyberVault holds that copy apart from production: a file-level backup that stays tamper-proof and contamination-free, so the ransomware that encrypts the primary cannot reach or corrupt it. The trend is right. The default is wrong. Immutability belongs in the architecture, not in a runbook someone has to remember to run.

02  The dependency you cannot route around.

Change Healthcare set the other trend, and the whole sector felt it. A clearinghouse thousands of providers route through went down in early 2024 and took claims and payment flows across the country with it. The lesson the guidance draws is sound: build an alternate path to payer portals, eligibility, and historical claims, and know where your financial data lives before you need it. It even brings RTO and RPO targets into revenue-cycle language, which is progress. Then it defines that alternate path as manual, worked from paper forms and fax numbers and drilled quarterly so staff can run it under pressure. Spare Tire is that alternate path built as infrastructure. It runs outside the EHR and holds a read-only posture in normal operation, syncing over HL7 only when systems are healthy, so a dark EHR does not mean dark operations. Recovery time stops being the length of a forensic investigation and becomes the length of a cutover.

TRENDS THAT NEED SETTING

03  The workaround is a compliance event.

Here the guidance names a risk and moves past it. Ad-hoc workarounds, it warns, create compliance exposure when documentation is incomplete or PHI handling drifts from policy. True, and understated. The manual workflow it recommends is where the exposure lives. The moment billing reverts to email and paper, protected health information leaves every controlled system at once, at the point when oversight is thinnest and staff are improvising. No drill closes that gap, because the data itself is now moving unprotected. Document GPS keeps control attached to the file. It tokenizes each attachment at send and lets the sender revoke access afterward, with an audit trail on every document, so the workaround that keeps cash moving does not become the breach that follows the outage.

04  AI is the next blast radius.

The guidance closes on 2026 and gets the threat half right. Adversaries are using AI to sharpen phishing and automate credential attacks, and the advice to harden identity and rotate credentials faster is sound. What it does not say is that providers are about to run their own AI on the same ungoverned data, inside revenue-cycle and clinical workflows, the way they once ran backups on the production network. That is the trend no one has set, and it is the one that matters most. Mithra AI sits under the model rather than beside it, giving each AI output a verified source and an audit-grade record of how it was produced, across whichever model an organization runs.

The next outage-class problem is not restoring a system. It is defending an AI-generated decision to a regulator.

THE ONE DECISION

A downtime plan can rehearse the workaround forever and still lose the quarter, because the workaround accepts the flaw. The trends worth keeping all point the same way, toward recovery tools that sit off the target.

CyberVault

Immutable backup a stolen credential cannot reach.

Spare Tire

A continuity path that runs when the EHR does not.

Document GPS

Control that travels with the data.

Mithra AI

Provenance under every AI output.

One architectural decision, applied four ways.

ShelterZoom made it the starting point.

Sources: Sophos (2024); HIPAA Journal (2024); Ascension FY2024 financial results. Case examples and recommendations as reported in the referenced revenue-cycle downtime-readiness guidance, March 2026.