Key Takeaways
- The American Hospital Association (AHA) and The Joint Commission unveiled the Cyber Resilience Readiness program on May 4 to help hospitals sustain clinical operations during prolonged cyber‑related outages.
- The initiative focuses on real‑world operational readiness and patient safety, moving beyond traditional IT‑centric recovery plans.
- Participation is voluntary and assesses an organization’s capacity to maintain safe patient care, coordinate multidisciplinary response, train staff, and mitigate risks that threaten clinical continuity.
- Interested parties can reach out to AHA cybersecurity advisors John Riggi ([email protected]) or Scott Gee ([email protected]) for details, and visit aha.org/cybersecurity for additional resources and threat intelligence.
Program Announcement and Objectives
On May 4, the AHA and The Joint Commission jointly announced the launch of the Cyber Resilience Readiness program, a first‑of‑its‑kind initiative designed to bolster hospitals’ and health systems’ ability to keep clinical services running safely during extended cyber‑technology outages. The program’s core objective is to shift the focus from merely restoring IT systems after an attack to ensuring that patient care can continue uninterrupted for 30 days or longer, even when critical digital infrastructure is compromised. By emphasizing operational readiness and patient safety, the program addresses a gap that many existing cyber‑risk frameworks overlook: the direct impact of technology failures on bedside care.
Why Clinical Continuity Matters
Clinical continuity refers to the ability of a healthcare organization to deliver safe, high‑quality care despite disruptions to its technology platforms. Cyber incidents—such as ransomware attacks, denial‑of‑service events, or supply‑chain compromises—can render electronic health records, imaging systems, medication dispensing tools, and communication networks unavailable for days or weeks. When these systems fail, clinicians may revert to paper‑based processes, face delays in diagnosis and treatment, and encounter heightened risks of medication errors or missed appointments. The Cyber Resilience Readiness program directly tackles these scenarios by helping institutions prepare for, respond to, and recover from such events while safeguarding patient outcomes.
Core Components of the Readiness Evaluation
The voluntary program evaluates four interrelated domains essential for sustaining care during a cyber disruption. First, it measures an organization’s ability to maintain safe patient care when key technologies are offline, including the adequacy of backup procedures, manual workflows, and staff familiarity with alternative processes. Second, it assesses the capacity to coordinate clinical, operational, and leadership response during downtime, ensuring that clear command structures, communication channels, and decision‑making protocols are in place. Third, the program examines how well staff are prepared to function effectively during a significant cyber incident, covering training, drills, and role‑specific readiness. Finally, it requires organizations to identify and mitigate risks that could threaten clinical continuity, such as single points of failure, inadequate vendor contracts, or insufficient cyber hygiene practices.
Emphasis on Real‑World Operational Readiness
Unlike many cybersecurity initiatives that concentrate on technical remediation—patching systems, restoring backups, or improving intrusion detection—the Cyber Resilience Readiness program places a premium on real‑world operational readiness. This means testing whether contingency plans work under realistic conditions, verifying that clinicians can access critical patient information through alternate means, and ensuring that supply chains for medications and consumables remain functional despite digital disruptions. By simulating extended outages and measuring actual performance, the program helps hospitals uncover gaps that theoretical plans might miss, leading to more resilient, patient‑centered operations.
Patient Safety as the Central Metric
Patient safety drives every aspect of the program’s assessment criteria. Metrics include rates of adverse events during simulated downtimes, timeliness of critical lab results communicated via non‑digital means, and adherence to medication safety protocols when electronic prescribing tools are unavailable. The program encourages hospitals to treat cyber resilience not as an IT issue but as a clinical quality and safety imperative, aligning cyber preparedness with existing patient safety initiatives such as root‑cause analysis, incident reporting, and continuous quality improvement.
Voluntary Participation and Collaborative Support
Participation in the Cyber Resilience Readiness program is entirely voluntary, reflecting the AHA and Joint Commission’s recognition that hospitals vary widely in size, resources, and risk profiles. Organizations that opt in receive guidance, assessment tools, and benchmarking data to help them gauge their current state and chart a path forward. The program also fosters collaboration among peer institutions, allowing hospitals to share lessons learned, best practices, and innovative solutions for maintaining care during cyber events. This community‑based approach amplifies the impact of individual efforts and builds a broader culture of readiness across the sector.
How to Get Involved
Hospital leaders, chief information security officers, emergency management directors, and clinical officers interested in learning more or enrolling in the program can contact the AHA’s cybersecurity advisors directly. John Riggi, AHA national advisor for cybersecurity and risk, is reachable at [email protected], while Scott Gee, AHA deputy director for cybersecurity and risk, can be emailed at [email protected]. Additionally, the AHA maintains a dedicated cybersecurity hub at aha.org/cybersecurity, where visitors can access the latest threat intelligence, toolkits, webinars, and case studies related to cyber resilience and risk management.
Broader Implications for Healthcare Cybersecurity
The launch of the Cyber Resilience Readiness program signals a maturing understanding of cyber risk in healthcare: protecting data is necessary, but ensuring that care delivery remains safe and effective when technology fails is equally critical. By bridging the gap between IT security teams and clinical leadership, the program encourages a holistic risk management framework that integrates technical controls, operational planning, and staff training. As cyber threats grow in frequency and sophistication, initiatives like this will likely become a standard component of hospital accreditation, emergency preparedness planning, and quality improvement cycles, ultimately strengthening the nation’s healthcare infrastructure against digital adversity.