Cyberattacks on healthcare systems are increasing in frequency and severity. Hospitals need to integrate cybersecurity preparedness into their emergency operations planning and response in order to mitigate adverse outcomes during increasingly likely cyber events. No data currently exists regarding the level of preparedness of US hospital systems for cybersecurity attacks. We surveyed hospital emergency managers to assess cybersecurity preparedness for these events.

Fifty-seven emergency managers representing hospitals across the US participated in an online Qualtrics survey regarding current preparedness and response procedures for cybersecurity hazards.

Survey responses between April 2019 and May 2021 demonstrated that a majority of hospital systems surveyed included cybersecurity disasters in their HVA (82.4%, 47/57), and most ranked it as one of their top five priorities (57.4%, 27/47). However, over half denied specifically mentioning cybersecurity in their EOPs (52.6%, 30/57). Fourteen of the 57 hospital systems (24.5%) endorsed previously activating an Emergency Response for a cybersecurity incident unrelated to Information Technology (IT) failure.

The survey results suggest that American hospitals are currently underprepared for cybersecurity disasters. We emphasize the importance of prioritizing cybersecurity in HVAs and implementing specific EOP annexes for cybersecurity emergencies.