AHA, Joint Commission launch cyber resilience program

Joint Commission and the American Hospital Association have launched a new program aimed at helping hospitals and health systems bolster their cyber resilience, particularly during technology outages caused by cyberattacks. The AHA and Joint Commission developed the Cyber Resilience Readiness (CRR) program in partnership with healthcare organizations over the past 18 months, the groups said in a joint announcement.

The CRR program consists of a free self-assessment tool that enables healthcare organizations to evaluate their current ability to provide care during cyber-related technology outages, with questions focused on operational response, staff preparedness and leadership coordination, the announcement stated.

Organizations can use the tool to identify resilience gaps on their own or pay a fee to submit it for expert review. The expert review will include recommendations for how the health system can address any identified vulnerabilities. The program is modular, and organizations can choose to use only the elements relevant to them.

"A cyberattack against a hospital which disrupts, or delays patient care is more than a data crime; it is a threat to life crime," John Riggi, national advisor for cybersecurity and risk at AHA, said in the announcement.

"The CRR program focuses squarely on clinical continuity -- ensuring that high quality patient care can continue safely and effectively even when mission‑critical technologies are unavailable."

The CRR program aims to complement existing cybersecurity approaches by focusing on patient safety and operational readiness in addition to IT recovery. The industry groups said the program was informed by lessons from actual ransomware and cyberattacks.

"Digital disruption poses a direct and growing threat to patient safety and clinical care. As cyber criminals become increasingly sophisticated, advanced, and creative, so too must our efforts to thwart the risks -- but we are not talking about cyberattacks alone," Jonathan B. Perlin, M.D., president and CEO of Joint Commission, said in the press release.

"It is about how to continue operations under any scenario where technology systems might be down for any period of time. Hospitals and healthcare organizations need practical tools to evaluate and strengthen their approach to withstanding these incidents."

Joint Commission also plans to develop a new certification pathway to acknowledge organizations that demonstrate strong cyber resilience capabilities. The self-assessment tool is available now, and the cyber resilience readiness certification and educational services from Joint Commission will be available in summer 2026.

Jill Hughes has covered health tech news since 2021.