Health systems must deliver safe patient care for 30 days or longer without core technology systems. This is no longer a regulatory goal but the minimum operational standard for cyber resilience in healthcare. Most health system CIOs have not planned for this. The Joint Commission and the American Hospital Association started the Cyber Resilience Readiness (CRR) program to help hospitals assess and improve their ability to sustain clinical operations during extended cyber outages.
Cybersecurity is already expensive, with the average healthcare data breach costing $7.42 million. Greater costs come from daily downtime, lost revenue from manual charge capture and billing, and patients unable to access care and treatment.
The CRR program begins with a free self-assessment tool. It asks if your organization can provide safe care if technology fails. The survey covers many areas, but four themes are the top priority for a healthcare CIO.
Cyber Resilience Is Clinical Operations
The assessment highlights a key issue: clinical, business, emergency management, and disaster recovery are often siloed rather than integrated. Typically, IT manages application recovery, emergency management leads incident response, and clinical leadership oversees patient safety. These groups rarely collaborate before a crisis, resulting in last-minute coordination. CIOs should unite these departments proactively to ensure readiness.
The Board Must Be Involved
The CRR assessment asks how often leaders brief the board on cybersecurity and its impacts on patient care. It also asks whether boards distinguish clinical from business continuity. These topics are related but not the same. A CIO who links cyber risk to patient safety, revenue, and regulation will benefit the board.
Downtime Plans Must Work Operationally
The assessment’s key takeaway is that downtime plans must be tested realistically across all shifts and service lines—not just annually, and not only in a conference room. Effective testing means running scenarios that stretch 30 days or more. Senior leaders must observe the exercises and act on findings. If drill results are ignored, the effort is wasted. Hospitals that survive cybersecurity events do so because staff have instinctive responses built through repeated, realistic practice.
Inventory Visibility Is Crucial.
Healthcare organizations must keep inventories of all biomedical devices, IoT systems, imaging devices, building controls, software, and anything on the network. They must map all assets to clinical risk. Hospitals have decades of connected technology, but no one department fully owns it all. The CIO must integrate asset visibility, data classification, vendor risk, and business continuity into one model. This includes medical equipment and other hardware on the network that are outside IT control.
The self-assessment does not score your organization; it identifies gaps for action. CIOs must decide who to brief, what to fix, and how fast to act—these choices differentiate compliance from resilience.
What’s Next For CIOs
The CRR program and assessment are a starting point. How a CIO uses its findings determines if it becomes a real advantage. Healthcare CIOs must build business continuity plans that last weeks, not just hours or days. They should run tabletop exercises for manual operations on days 3, 10, and 30.
CIOs should focus on a disaster recovery MVP that requires only the critical systems to keep operations running in a crisis. Full backups can be complex and costly. An MVP focuses on speed, simplicity, and effectiveness. The goal is fast recovery to a minimal but safe level.
Combining the CRR assessment with an MVP program is essential. Healthcare leaders must act now: assess resilience, make key improvements, and ensure teams can provide patient care for 30 days or more under any circumstances. The healthcare CIO can lead this challenge.
