Hospitals urged to make cyber preparedness a core part of patient care

A new guide from AHA’s CLEAR initiative outlines strategies for hospitals to strengthen cyber resilience as a system-wide responsibility.

 

What happened

The American Hospital Association’s CLEAR initiative has released Strategies for Cyber Preparedness in Health Care, a detailed guide urging hospitals and health systems to treat cybersecurity not just as a technical function, but as a central part of enterprise risk management. The resource responds to the increasing frequency and impact of cyberattacks on the health care sector and aims to help organizations safeguard operations, protect sensitive data, and ensure continuity of patient care.

 

Going deeper

The guide outlines five strategic areas of action for health care leaders and their teams:

  • Prioritize cybersecurity as an organizational imperative: Hospitals are encouraged to integrate cybersecurity into overall risk governance frameworks, elevating it to the same level as clinical quality, safety, and finance.
  • Cultivate a trained and cyber-aware workforce: A proactive security culture depends on training, tools, and incident response readiness across the whole team, not just among IT professionals.
  • Plan for clinical continuity during a cyber incident: Organizations should have regularly tested downtime procedures, clinical leadership engagement, and alternative communication channels to ensure patient care continues.
  • Strengthen third-party risk management: Given the growing reliance on vendors, health systems must adopt a risk-based approach to vetting, monitoring, and managing third-party access and dependencies.
  • Prepare for regional impacts: Since cyber incidents can cascade across networks and shared services, hospitals must coordinate with regional partners and prepare for disruptions beyond their own systems.

 

What was said

The CLEAR initiative positions cyber preparedness as necessary to maintaining trust, safety, and continuity across the health care ecosystem. It encourages leadership engagement at all levels, from governance to clinical operations, and stresses that cyber incidents should be treated with the same urgency as any public health threat. The guide outlines interdepartmental collaboration and encourages regular testing, scenario planning, and communication drills.

 

The big picture

According to the American Hospital Association’s CLEAR Strategies for Cyber Preparedness report, “Cybersecurity is an essential pillar for delivering safe, high-quality and reliable health care.” The report warns that “as the threat landscape continues to evolve, hospitals and health systems must take deliberate, organizationwide action to build cyber resilience - not only to protect data and infrastructure but also to preserve uninterrupted patient care and strengthen community trust.” The AHA adds that “strengthening cyber readiness requires sustained leadership commitment, a culture of awareness and cross-functional coordination between clinical, operational and technical teams.” It concludes that “by investing in preparedness now - through clear planning, regular training and risk-informed decision-making - health care organizations will be better positioned to manage disruption, safeguard patients and ensure continuity of care when cyber incidents occur.”

 

FAQs

What is the CLEAR initiative, and who supports it?

CLEAR (Convening Leaders for Emergency and Response) is an AHA program funded through a federal partnership with the Administration for Strategic Preparedness and Response. It focuses on strengthening hospitals’ readiness for emergencies, including cyber threats.

 

How does this guide differ from typical IT security guidance?

Rather than focusing solely on technical controls, the guide addresses cybersecurity as a leadership, operational, and patient safety issue, stressing cross-functional preparedness.

 

Why is regional planning necessary for cyber incidents?

Health care systems often share vendors, infrastructure, or patient networks. A breach in one facility can impact others, making coordination across a region necessary for an effective response.

 

What types of third-party vendors pose cyber risks?

Any external party with access to clinical, financial, or operational systems, including EHR providers, billing companies, and medical device vendors, can introduce cybersecurity vulnerabilities.

 

How can hospitals begin implementing these strategies?

Hospitals can start by conducting a cyber readiness assessment, identifying internal and external risks, updating downtime procedures, and including cybersecurity in leadership-level discussions and scenario planning.