The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

New Cyber Resilience Readiness Program Developed by Joint Commission and AHA

Joint Commission and the American Hospital Association (AHA) have partnered to create a new Cyber Resilience Readiness program for hospitals and health systems to help them sustain safe clinical operations during cyber-related technology outages.

Hacking and ransomware attacks have skyrocketed in recent years. According to the Federal Bureau of Investigation (FBI), healthcare and public health was the most targeted sector in 2025, experiencing 642 hacking incidents, including 460 ransomware attacks and 182 data breaches. Currently, the HHS’ Office for Civil Rights breach portal shows 765 data breaches affecting 500 or more individuals were reported in 2025, the highest number ever reported in a single year. These incidents often result in prolonged periods of digital darkness, where systems are offline, and healthcare organizations are forced to resort to manual processes for recording patient information. During those periods, hospitals and health systems must ensure continuity of care and maintain patient safety, even without access to critical technologies.

To counter the threat to patient safety and care from cyber incidents, extreme weather events, and other natural disasters, Joint Commission and AHA partnered to create a new Cyber Resilience Readiness (CRR) Program for healthcare organizations. The program was developed in partnership with several healthcare organizations and is a first-of-its-kind program to help hospitals and health systems strengthen their ability to sustain safe clinical operations during technology outages caused by cyber events and natural disasters.

While many cybersecurity approaches are focused on rapidly restoring IT systems, the CRR emphasizes real-world operational readiness and patient safety impacts. The CRR was informed by the lessons learned from actual ransomware attacks and other cyber events that have affected hospitals across the United States. “The goal is to help hospitals and health systems move from awareness to readiness, and from readiness to resilience, ultimately enabling organizations to move beyond assessment to practical, operational improvement,” according to Joint Commission and the AHA.

The CRR program is centered on a structured, free-to-complete self-assessment tool for evaluating the current ability to maintain safe care during technology outages, with a focus on maintaining clinical workflows, operational response, leadership coordination, and staff preparedness. The self-assessment tool familiarizes hospitals and health systems with the questions they need to ask and what they need to prepare for. Should they so wish, their assessments can be submitted for expert review for a fee, and they will receive a set of top-line recommendations on how any identified vulnerabilities can be addressed. Joint Commission also plans to develop a new certification pathway to allow organizations to demonstrate strong clinical continuity and cyber resilience capabilities.

“Digital disruption poses a direct and growing threat to patient safety and clinical care,” said Jonathan B. Perlin, MD, PhD, president and CEO of Joint Commission. “As cyber criminals become increasingly sophisticated, advanced, and creative, so too must our efforts to thwart the risks – but we are not talking about cyberattacks alone. It is about how to continue operations under any scenario where technology systems might be down for any period of time. Hospitals and healthcare organizations need practical tools to evaluate and strengthen their approach to withstanding these incidents. The new Cyber Resilience Readiness program is designed to help healthcare organizations focus on what matters most: maintaining safe, quality patient care and clinical operations at all times.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
