Medical Groups Create Cybersecurity Certification
As healthcare becomes an increasingly frequent target for hackers, the American Hospital Association and Joint Commission have worked on a solution.
Two medical associations have partnered to launch a certification for hospital staff to prepare for cyberattacks.
The Cyber Resilience Readiness program, announced earlier this month, was developed by the American Hospital Association and the Joint Commission, a healthcare accreditation nonprofit. The program provides hospital staff with guidance on how to respond to a lack of access to electronic records and diagnostic tools due to power outages, ransomware, and other cyberattacks.
A ransomware attack was featured prominently in the TV hospital drama “The Pitt,” reflecting an increasing problem in the healthcare industry. A release announcing the certification cites an FBI report noting that “healthcare and public health were the most frequently targeted sectors for cyberthreats in 2025, with a total of 642 incidents, including 460 ransomware attacks and 182 data breaches.” In March, a cyberattack on the technology company Stryker caused a global disruption of medical facilities.
Scott Gee, deputy national advisor for cybersecurity and risk at AHA, said that the association has been addressing the challenge for years, but in 2024 began working with the Joint Commission on developing a training program that addressed both the technical issues of cybersecurity and protocols for medical staff for when a facility goes dark.
“Folks tend to think it’s an IT problem, but cybersecurity is an enterprise-wide risk,” Gee said. “The IT folks are the ones turning systems back on and getting things back up and running. But the clinicians have to be able to do their job during that outage. Sometimes there’s no close alternative. Sometimes the economic impact is tremendous, and sending all your patients away just compounds the problem.”
Through the program, healthcare facility leaders are encouraged to take a free self-assessment. An expert review is available for $2,000; additional advisory services and the full certification are scheduled to launch this summer.
As with most certifications, the Cyber Resilience Readiness program is designed to respond to a changing environment, one that is changing very rapidly in both healthcare and cybersecurity. “Cybersecurity is not an end state, it’s an ongoing process,” Gee said. “That’s what we’re trying to impart to hospitals. What we’re trying to do through this program and this certification is build that awareness, and build an ongoing program at these institutions that can maintain that level of cybersecurity and cyber-awareness.”
But though the challenge in the healthcare space is acute, Gee notes that the assessment process is similar regardless of industry: Identify the places where work intersects with technology and develop action plans for when the two are forced to decouple.
“There are different tools and devices that are very specific to certain industries, but the one thing they have in common is that network and technological dependency,” he said. “So you’re mapping your potential vulnerabilities, understanding the equipment that you’re actually using, understanding your dependencies on it, and then mapping how to work without that equipment functioning. If it all goes down, you still have to provide power, telecom, water, whatever it is. How do you do that without that technology?”
