Joint Commission And AHA Launch Landmark Hospital Cyber Resilience Program


In July 2019, a ransomware attack hit Springhill Medical Center in Mobile, Alabama. Fetal monitors in 12 delivery rooms went dark. A woman arrived to give birth. Nobody told her the hospital’s systems were down. The umbilical cord wrapped around her baby’s neck went undetected. The baby was born with severe brain damage and died nine months later. The attending physician’s own text messages described the death as preventable. The hospital eventually settled the wrongful death lawsuit. Terms were never disclosed.

That case, the first in the United States linking a ransomware attack to a patient death, was not an isolated failure. It was a warning. Hospitals that cannot sustain clinical operations during a cyberattack do not just lose data. They lose patients. Now, two of America’s most authoritative healthcare institutions have moved to address that risk directly. The Joint Commission and the American Hospital Association (AHA) launched Cyber Resilience Readiness (CRR) on May 4, 2026. It gives hospitals a structured, credentialed way to assess and strengthen their ability to keep patients safe when technology systems fail.


Hospital cyber resilience program launched by Joint Commission and AHA to strengthen clinical continuity during ransomware attacks and cyber outages.

Healthcare Led Every Sector In Cyber Incidents In 2025

The FBI’s most recent Internet Crime Report puts the current threat in sharp relief. Healthcare and public health ranked as the most frequently targeted sector for cyber threats in 2025. The sector recorded 642 total incidents. That figure included 460 ransomware attacks and 182 data breaches. No other sector matched that volume. For underwriters pricing hospital cyber risk, these numbers confirm what claims data already shows: healthcare is a high-frequency, high-severity territory.

The industry has documented this trajectory for years. In survey data this publication covered, two-thirds of healthcare organizations reported ransomware hits, a four-year high. Meanwhile, healthcare breaches rose 112% in 2025 even as the volume of exposed records fell, according to the Fortified Health Security annual report. Attackers are hitting more targets with sharper precision. Small and rural hospitals face particular exposure, with limited security budgets and rising Medicaid funding pressure compounding the risk. CISOs across health systems continue to flag IoMT visibility gaps as a persistent vulnerability, leaving thousands of network-connected medical devices effectively unmonitored. The cumulative picture is one of sustained, structural weakness, not isolated incidents.


What Cyber Resilience Readiness Actually Addresses

CRR focuses on clinical continuity, not IT recovery alone. That distinction separates it from every existing cybersecurity framework. Most standards ask how to prevent a breach or restore systems. CRR asks a harder question. Can a hospital keep patients safe when systems go completely dark?

The program covers four core areas: clinical workflows, operational response, leadership coordination, and staff preparedness during extended technology outages. The Joint Commission and the AHA developed it over 18 months in partnership with multiple healthcare organizations. Real-world ransomware events shaped its design. The goal is to move hospitals from awareness to readiness, and from readiness to genuine resilience.

Jonathan Perlin, president and CEO of the Joint Commission, identified the core problem directly. “Digital disruption poses a direct and growing threat to patient safety and clinical care,” he said. That framing extends beyond ransomware to any scenario where mission-critical systems go offline, including extreme weather, infrastructure failure, and third-party vendor collapse.

The Self-Assessment Tool Is Free And Live Now

CRR launches with a free, structured self-assessment tool available immediately. Hospitals and health systems can access it at the Joint Commission website. The assessment prompts organizations to evaluate their readiness across clinical, operational, leadership, and workforce dimensions.

Organizations can complete it internally at no charge. For a fee, they can submit it for expert review. Expert review currently returns topline recommendations tied to identified vulnerabilities. In the coming weeks, the Joint Commission and the AHA will offer additional paid advisory services. The program is voluntary and modular. Organizations engage only the components that fit their current needs.

A Formal Certification Pathway Is Coming

The self-assessment is the first component of a larger structure. The Joint Commission will develop a formal certification pathway that recognizes hospitals with demonstrated clinical continuity and cyber resilience capabilities. The AHA will not participate in the certification process. No launch date for certification has been announced. The program begins with assessment and advisory services.

What This Means For Cyber Insurance Underwriting

The cyber insurance market has pushed healthcare clients toward evidence of operational resilience in the face of cyber threats for years. Preventing breaches matters. Surviving them matters more to claims outcomes. Hospital ransomware events generate prolonged business interruption losses. Billing systems, electronic health records, surgical scheduling, and pharmacy operations all collapse during extended outages. Losses run into tens of millions of dollars.


The demand for resilience is not coming from insurers alone. An EY-KLAS survey found that 81% of health system executives now identify cyber resilience as a strategic priority and link it directly to better patient outcomes. CRR gives those executives a credentialed, institutionally backed framework to act on that priority in a documented way.

John Riggi, National Advisor for Cybersecurity and Risk at AHA, stated the program’s purpose plainly. “The CRR program focuses squarely on clinical continuity,” Riggi said. That focus aligns directly with what insurers measure when they price healthcare accounts: not just security posture, but functional survival capacity.

Underwriters should track which hospital clients engage with the CRR program. Completion of the self-assessment, and particularly expert review submission, signals a board-level commitment to business continuity planning. Brokers working with hospital systems should brief clients on CRR now. It gives them a documented, credible artifact to present at renewal.

The Regulatory And Liability Dimension

General Counsel and CFOs at hospital systems should treat this as a governance matter, not just a security one. CRR is voluntary today. The Joint Commission’s involvement signals future regulatory relevance. The Joint Commission accredits most U.S. hospitals. Its standards carry direct weight in regulatory oversight and civil liability.

A hospital with a completed CRR assessment and documented follow-through builds a record of good-faith resilience planning. That record matters in post-incident litigation. It matters in regulatory enforcement proceedings. It may become relevant in future cyber policy terms and conditions as insurers look for differentiation within the healthcare segment.

What Underwriters And Brokers Should Do Now

CRR is the most credentialed hospital cyber resilience framework to reach the market. It comes from two institutions with genuine authority over hospital governance and standards. It fills a gap that IT-focused security frameworks leave open. The self-assessment is free. The program is live. The certification pathway is coming.

Underwriters should add CRR participation to their healthcare account questionnaires. Brokers should send their hospital clients directly to jointcommission.org. The baseline is a free self-assessment. The value, in claims reduction, underwriting differentiation, and liability protection, is considerably larger.


FAQ – Hospital Cyber Resilience

What is the Cyber Resilience Readiness program?

Cyber Resilience Readiness (CRR) is a new program launched by the Joint Commission and the American Hospital Association. It helps hospitals assess and strengthen their ability to maintain safe patient care during cyber-related technology outages.

Who developed the CRR program?

The Joint Commission and the AHA developed CRR over 18 months in partnership with multiple healthcare organizations. Real-world ransomware incidents informed the program’s design.

Is the CRR self-assessment tool free?

Yes. The CRR self-assessment tool is free to complete. Hospitals can submit it for expert review for a fee. Additional advisory services will become available in the coming weeks.

How does CRR differ from existing cybersecurity frameworks?

Most cybersecurity frameworks focus on breach prevention or IT system recovery. CRR focuses on clinical continuity, keeping patients safe when mission-critical technology systems are unavailable for extended periods.

Will CRR participation affect cyber insurance coverage?

CRR participation is not currently a formal underwriting requirement. However, insurers are increasingly focused on operational durability in healthcare accounts. CRR completion provides documented evidence of preparedness that brokers can present to underwriters at renewal.

Is a CRR certification available now?

No. The Joint Commission plans to develop a formal certification pathway recognizing hospitals with strong cyber resilience capabilities. No launch date has been announced. The self-assessment and advisory services are available now.
