AHA’s Riggi and Joint Commission’s Walders Say Cyber Resilience Needs a Single Accountable Executive

healthsystemCIO, Jun 8, 2026

Why It Matters

As cyber attacks on hospitals become more frequent and severe, ensuring continuous, safe patient care during digital disruptions is critical for both health outcomes and regulatory compliance. This episode provides actionable guidance for CIOs and health system leaders to embed cyber resilience into their core operations, making it a timely resource for anyone responsible for protecting patient safety in an increasingly connected healthcare environment.

Key Takeaways

  • Joint AHA‑Joint Commission program offers cyber resilience assessment.
  • Certification focuses on clinical continuity, not just IT controls.
  • Single accountable executive essential for effective cyber resilience governance.
  • Advisory services supplement assessments with real‑world scenario planning.
  • Organizations must evaluate technology dependencies and develop 30‑day outage plans.

Pulse Analysis

The American Hospital Association and the Joint Commission have launched a joint Cyber Resilience Readiness Program that moves hospitals beyond traditional security audits. The first publicly available component is an 80‑question self‑assessment covering five domains, including governance, readiness, and clinical continuity. By answering these prompts, health systems instantly gauge their maturity and uncover blind spots they may never have considered. The program will soon add a formal certification process and a suite of advisory services, creating a credible, nonprofit‑driven pathway for organizations to demonstrate readiness for digital darkness and ransomware events.

Central to the initiative is a cultural shift from viewing cyber threats as an IT problem to treating them as a clinical continuity issue. The partnership stresses that safe patient care must continue even when networks or internet connections fail for days or weeks. To achieve this, leaders need a single accountable executive—often a senior CISO or CIO—who reports directly to the board and drives multidisciplinary planning. Without clear ownership, hospitals risk fragmented responses that jeopardize patient outcomes during prolonged outages.

Beyond the assessment, the program offers rigorous advisory services that draw on real‑world incident narratives from hospitals across the country. Experts help teams answer three critical questions: what will work, what won’t, and what’s the plan when technology disappears. They guide scenario‑based tabletop exercises, evaluate dependencies such as HVAC and imaging equipment, and develop 30‑day outage strategies. Health system leaders are encouraged to start the self‑assessment today, engage the advisory team, and embed cyber resilience into board agendas to protect both patients and the continuity of care.

Episode Description

Most leaders still treat a cyber outage as an IT problem to be fixed fast. But when the network goes dark, can your clinicians still treat patients for 30 days? Two healthcare leaders reveal who must own the answer.

Source: AHA’s Riggi and Joint Commission’s Walders Say Cyber Resilience Needs a Single Accountable Executive on healthsystemcio.com - Interviews & Webinars with Health System IT Leaders
