Joint Commission and AHA Launch Cyber Resilience Readiness Program for Hospitals

Joint Commission and the American Hospital Association (AHA) created a Cyber Resilience Readiness program for healthcare providers to support safe clinical operations in times of cyber-related technology outages.

The program was developed in response to increasing cyber incidents affecting the healthcare and public health sector. According to the Federal Bureau of Investigation, healthcare and public health was the most targeted sector in 2025. The sector experienced 642 hacking incidents, 460 of which were ransomware attacks, that resulted in 182 data breaches.

The HHS Office for Civil Rights breach website lists 765 data breach reports involving 500 or more individuals in 2025. This was the highest number ever reported in a single year.

Cyber incidents frequently result in extended periods where systems are unavailable and healthcare organizations must use manual processes to document patient information. During those outages, hospitals and health systems are required to maintain continuity of care and patient safety without access to technology systems.

Joint Commission and the AHA stated that the Cyber Resilience Readiness program was created to address threats to patient safety and care associated with cyber incidents, natural disasters, and extreme weather incidents.

The organizations stated that the program was developed in partnership with several healthcare organizations. The program is the first of its kind to focus on helping hospitals and health systems strengthen their ability to maintain safe clinical operations when cyber events and natural disasters cause technology outages.

Many cybersecurity approaches prioritize rapid restoration of information technology systems. The Cyber Resilience Readiness program instead focuses on operational readiness and the effect of outages on patient safety.

Joint Commission and the AHA stated that the objective of the program is to help hospitals and health systems move from awareness to readiness and from readiness to resilience. The organizations stated that the program is intended to support operational improvement beyond assessment activities.

The Cyber Resilience Readiness program includes a structured self-assessment tool that healthcare organizations can complete without charge. The tool evaluates an organization’s ability to maintain safe care when technology outages occur. It focuses on clinical workflows, staff preparedness, operational response, and leadership coordination.

Healthcare organizations may submit completed assessments for expert review for a fee. Then, participating organizations will receive top-line recommendations addressing identified vulnerabilities. The Joint Commission also plans to develop a certification pathway related to clinical continuity and cyber resilience capabilities.

Jonathan B. Perlin, MD, PhD, President and Chief Executive Officer of Joint Commission, stated that digital disruption presents a growing threat to patient safety and clinical care. He also stated that healthcare organizations require practical tools to evaluate and strengthen their ability to continue operations during periods when technology systems are unavailable and patient data, including PHI, are inaccessible. With the Cyber Resilience Readiness program, healthcare organizations could maintain safe and quality patient care and clinical operations during technology disruptions.

About Christine Garcia
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years of experience in writing about healthcare sector issues with a focus on compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can follow Christine on Twitter at https://twitter.com/ChrisCalHIPAA