Ransomware is the single most common cause of practice closure we see today, and the operational decisions that determine recovery happen in the first 48 hours. By the time a practice manager is on the phone at 6:30 AM, the choices in front of them are: pay or don't, talk to patients or don't, call the carrier or don't, and restore or reinstall.

The playbook below is the one we rehearse with every new Techspedient client. It assumes nothing specific about your stack — it's the skeleton. The filled-out version lives in your runbook and names your people, your vendors, and your escalation contacts.

Hour 0–2: Contain, don't investigate. Disconnect affected endpoints from the network but do not power them off (volatile memory matters for forensics). Suspend remote access. Rotate privileged credentials from a known-clean workstation.

Hour 2–12: Engage counsel and your cyber carrier before talking to anyone else. They will drive the incident response firm selection and protect privilege. Stage patient-facing messaging with counsel review. Decide who owns the phone.

Hour 12–24: Validate a clean backup exists, in an environment the attacker never had credentials into. Begin a sandbox restore of PMS and imaging before attempting production recovery. Confirm RTOs/RPOs with leadership.

Hour 24–48: Begin phased production restore, starting with appointment and imaging access so tomorrow's schedule can run. Segment the clean network from the dirty one until every endpoint has been verified.

The practices that recover in days instead of weeks are not luckier. They made these six decisions before the call — not after