Cyberattacks on healthcare systems are increasing in frequency and severity. Hospitals need to integrate cybersecurity preparedness into their emergency operations planning and response to mitigate adverse outcomes during increasingly likely cyber events. No data currently exist regarding the level of preparedness of United States hospital systems for cybersecurity attacks. We surveyed hospital emergency managers to assess cybersecurity preparedness for these events.

Fifty-seven emergency managers representing hospitals across the United States participated in an online Qualtrics survey regarding current preparedness and response procedures for cybersecurity hazards.

Survey responses between April 2019 and May 2021 demonstrated that a majority of hospital systems surveyed included cybersecurity disasters in their HVA (82.4%; 47/57), and most ranked it as 1 of their top 5 priorities (57.4%; 27/47). However, over half denied specifically mentioning cybersecurity in their Emergency Operations Plans (EOPs; 52.6%; 30/57). Fourteen of the 57 hospital systems (24.5%) endorsed previously activating an emergency response for a cybersecurity incident unrelated to information technology (IT) failure.

The survey results suggest that American hospitals are currently underprepared for cybersecurity disasters. We emphasize the importance of prioritizing cybersecurity in Hazard Vulnerability Analyses (HVAs) and implementing specific EOP annexes for cybersecurity emergencies.