State Policy Trends in Cybersecurity and Public Health Preparedness Maggie Nilz Learn how states are including cybersecurity in their emergency preparedness work in this Health Policy Update. Cybersecurity is an increasingly important component of public health preparedness as state cybersecurity policy intersects with public health agency responsibilities. Public health agencies rely on interconnected digital systems and critical infrastructure for disease surveillance, laboratory reporting, emergency communications, and health data management, making cybersecurity critical to maintaining these functions. Beyond compromising sensitive data and potentially harming patients, cyber incidents can disrupt essential public health services, including emergency response operations. Health care data breaches have steadily increased over the last 15 years, highlighting growing risks for government and health systems. A recent report showed that more than 7,000 health care data breaches were reported to the Department of Health and Human Services since 2009, and reported HIPAA data breaches in 2023 were nearly double the number recorded in 2018. Meanwhile, preparedness capacity has lagged: as of 2022, only 13% of local health departments reported being prepared for cyber-related disruptions, and recent scans show cybersecurity is rarely included in emergency preparedness planning. In response at the federal level, HHS recently announced it is undoing a 2024 reorganization by returning department-wide technology responsibilities to the Office of the Chief Information Officer while refocusing the Office of the National Coordinator for Health Information Technology on improving nationwide health IT interoperability and data sharing. In recent years, state and territorial legislatures have begun to address these gaps by incorporating cybersecurity into preparedness, health care oversight, and statewide governance structures. These legislative trends signal a need to integrate cybersecurity into emergency operations plans, strengthen cross-sector coordination, and safeguard the continuity of public health services. Some of the most recent policies considered and enacted by legislatures treat cyber incidents as emergencies, expand reporting requirements, and strengthen cyber governance. Cyber Incidents Are Being Built into Emergency Preparedness Frameworks In response to these growing threats, jurisdictions have begun incorporating cyber response into emergency plans and strategies, reinforcing cybersecurity as essential to preparedness. These developments highlight growing awareness that cyber incidents can disrupt critical services, much like natural disasters. In 2025, New York enacted S 7672, which requires municipal entities and public authorities report cybersecurity incidents and demands for ransom to the state Division of Homeland Security and Emergency Services. In addition, it directs the Director of the Office of Information Services to establish cybersecurity training and protection standards for state systems as well as require cybersecurity training for state and local government employees. Virginia is currently considering HB 83, which would establish a volunteer Cyber Civilian Corps within the state IT agency to provide rapid assistance during cybersecurity incidents affecting municipalities, nonprofits, education, and critical infrastructure. Preparedness efforts also extend beyond legislation to executive action. In February 2026, Minnesota Governor Tim Walz authorized $1.2 million in state disaster assistance to support response efforts and restore critical systems in response to a cyber incident that disrupted digital services in Saint Paul on July 29, 2025. Additionally, the National Governors Association has included cybersecurity as a primary consideration for planning and preparedness in their latest edition of the Public Health Emergency Playbook. Health care and Public Health Critical Sectors Are Facing New Cyber Requirements Beyond emergency response frameworks, jurisdictions are also adopting cybersecurity reporting and planning requirements for health care and public health organizations. Companion bills in Tennessee (HB 511/SB 555) would require health care providers and facilities to notify their contracted health insurers of cybersecurity incidents. In Maine, LD 2103 would require hospitals to adopt cybersecurity plans to protect patient data and maintain operations, and must include cybersecurity training for employees and board members. New Jersey is looking to adopt and implement a more comprehensive cybersecurity plan across all sectors. This session, legislators have introduced at least two cyber security bills: A 3231 would require “sensitive businesses” (defined as those engaged in financial, essential infrastructure, or health care industries) to report cybersecurity incidents to the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) when they are aware of their occurrence and would require NJCCIC to conduct a cybersecurity audit within 30 days of notification. A 3283 would require the same “sensitive businesses” to implement cybersecurity programs in accordance with standards adopted by NJCCIC and certify compliance annually. As states expand reporting and cybersecurity requirements, these obligations may intersect with public health reporting and continuity planning. States Are Strengthening Government Cyber Governance and Coordination In addition to sector-specific requirements, jurisdictions are also strengthening the governance structures responsible for coordinating cybersecurity, improving their ability to respond to large-scale incidents affecting public systems. Legislation enacted recently in Texas and California aim to improve coordination among state government by establishing a state agency centralizing cybersecurity incident prevention and response (Texas HB 150) and mandating the development of a cybersecurity playbook to strengthen information sharing (California AB 979). A 2024 bill enacted in Puerto Rico (PC 1530) requires commonwealth agencies to develop and implement a cybersecurity program, which must include a yearly risk assessment as well as vulnerability assessment. At least three jurisdictions are currently considering bills strengthening established cybersecurity programs, with two states recently passing legislation. Utah recently enacted a bill authorizing the Utah Cyber Center to conduct voluntary cybersecurity risk assessments for critical infrastructure and coordinate with government entities on infrastructure safety (HB 165). Utah also enacted legislation creating a specific funding stream for the Center to use for various activities, including implementing a statewide cybersecurity plan and conducting assessments for governmental entities (SB 123). Kansas enacted HB 2574, which would require chief information security officers for the executive, legislative, and judicial branches to adopt cybersecurity programs based on a nationally recognized standard for governmental entities. Finally, Florida recently passed SB 7024, which would expand the state’s public record exemption to include risk assessments, information related to cybersecurity breaches, and information related to data protection, ensuring the confidentiality of sensitive cybersecurity information held by state agencies; the bill is with the governor for final consideration. Key Takeaways for Preparedness Leaders Cybersecurity is critical for preparedness across multiple policy areas, and requires new planning, coordination, and oversight responsibilities. By including cyber incidents into disaster frameworks, standards for health care organizations, and governance, preparedness leaders may find themselves more directly engaged in integrating cybersecurity into emergency operations, exercises, and cross-sector partnerships. For state and territorial health agencies beginning to incorporate cybersecurity into their preparedness plans, agencies such as the Cybersecurity and Infrastructure Security Agency provide jurisdictional support and resources to guide this work. article yes