Joint Commission and AHA launch cyber resilience program

The program shifts the standard question from whether a hospital can recover its IT systems to whether it can keep caring for patients while those systems are down.

What happened

The Joint Commission and the American Hospital Association launched the Cyber Resilience Readiness program on May 4, 2026, a voluntary initiative designed to help hospitals and health systems sustain safe clinical operations during cyber-related technology outages lasting 30 days or longer. According to the joint AHA announcement, the program was developed over 18 months in partnership with multiple healthcare organizations and is available at jointcommission.org. At its center is a free self-assessment tool covering four dimensions: maintaining safe patient care during cyber disruptions, coordinating clinical and leadership response during downtime, preparing staff to function effectively through a major incident, and identifying risks to clinical continuity. Organizations can complete the self-assessment independently or submit it for a $2,000 expert review with tailored recommendations. A formal certification pathway recognizing strong clinical continuity and cyber resilience capabilities is planned for summer 2026.

Going deeper

The program was built from the lessons of actual ransomware attacks and cyber events affecting US hospitals. Its defining departure from existing cybersecurity frameworks is its emphasis on clinical continuity rather than IT restoration. Most existing cybersecurity approaches measure how quickly systems can be brought back online; the CRR measures whether care can continue safely while they remain offline. According to Becker's Hospital Review, the self-assessment takes approximately 35 to 45 minutes and is designed to be completed by chief information officers and incident response, risk, and compliance leaders, with larger organizations potentially adding biomedical engineering, facilities, clinical leadership, and legal counsel. The program is modular and flexible, allowing organizations to engage the components that match their current stage of readiness. Completing the self-assessment alone does not advance an organization through the program. It is informational, supporting internal understanding of gaps before an organization moves to expert review or eventual certification.

What was said

John Riggi, National Advisor for Cybersecurity and Risk at AHA, stated in the joint press release, "A cyberattack against a hospital that disrupts or delays patient care is more than a data crime; it is a threat to life crime. The CRR program focuses squarely on clinical continuity, ensuring that high-quality patient care can continue safely and effectively even when mission-critical technologies are unavailable." Joint Commission president and CEO Jonathan B. Perlin, MD, PhD, added, "It is about how to continue operations under any scenario where technology systems might be down for any period of time. Hospitals and healthcare organizations need practical tools to evaluate and strengthen their approach to withstanding these incidents."

In the know

The 30-day outage planning benchmark that anchors the CRR program is grounded in documented incident timelines. The Kettering Health ransomware attack in May 2025 took approximately three weeks before normal operations resumed. The Covenant Health attack in Maine caused care disruptions that stretched months, with cancer patient appointments canceled and prescriptions delayed. According to the FBI's 2025 Internet Crime Report, healthcare recorded 642 cyber incidents in 2025, the most of any critical infrastructure sector, including 460 ransomware attacks. Former FBI testimony before Congress in April 2026 cited at least 47 documented patient deaths attributable to hospital ransomware attacks between 2016 and 2021, showing why clinical continuity has become the measure that matters alongside data security.

The big picture

The CRR program formalizes a change in how healthcare organizations are expected to think about cyber resilience. The previous standard measured cyber readiness primarily in IT terms: whether backups exist, whether systems can be restored, and how quickly recovery can occur. The new standard asks whether clinical operations, medication administration, lab processing, imaging, scheduling, and bedside decision-making can continue for a month without those systems. The reframing has direct implications for how hospitals budget, train, and plan. Staff downtime procedures, manual workflow documentation, communication trees, and clinical prioritization all become part of the resilience picture alongside network segmentation and backup infrastructure. The self-assessment tool is free and available now at jointcommission.org.

FAQs

What does the 30-day planning benchmark mean in practical terms?

Healthcare organizations are expected to document and test their ability to deliver safe patient care across all clinical functions for a sustained period without access to electronic health records, digital ordering systems, imaging platforms, or communication tools. The benchmark reflects actual ransomware recovery timelines rather than a theoretical worst case.

How does the CRR program differ from existing HIPAA security requirements?

HIPAA's Security Rule requires covered entities to have contingency plans, including data backup, disaster recovery, and emergency mode operations. The CRR goes further by evaluating the clinical quality and patient safety dimensions of those plans: whether care can actually be delivered safely during downtime, rather than whether the plan exists on paper.

Who should complete the self-assessment, and how long does it take?

The self-assessment takes 35 to 45 minutes and is designed for CIOs and incident response, risk, and compliance leaders. Larger or more complex organizations may bring in biomedical engineering, facilities management, clinical leadership, and legal counsel to address the full scope of the evaluation dimensions.

What does the expert review add beyond the self-assessment?

The $2,000 expert review involves a tailored debrief from Joint Commission and AHA experts and produces a set of top-line recommendations for addressing identified vulnerabilities. The self-assessment alone is informational and does not advance an organization through the program or toward certification.

When will the CRR certification be available?

Joint Commission plans to make the certification pathway and additional advisory and educational services available in summer 2026. The certification will formally recognize organizations demonstrating strong clinical continuity and cyber resilience capabilities, though the AHA will not be involved in that certification process.
