Displaying 12 results for

State Policy Trends in Cybersecurity and Public Health Preparedness Maggie Nilz Learn how states are including cybersecurity in their emergency preparedness work in this Health Policy Update. Cybersecurity is an increasingly important component of public health preparedness as state cybersecurity policy intersects with public health agency responsibilities. Public health agencies rely on interconnected digital systems and critical infrastructure for disease surveillance, laboratory reporting, emergency communications, and health data management, making cybersecurity critical to maintaining these functions. Beyond compromising sensitive data and potentially harming patients, cyber incidents can disrupt essential public health services, including emergency response operations. Health care data breaches have steadily increased over the last 15 years, highlighting growing risks for government and health systems. A recent report showed that more than 7,000 health care data breaches were reported to the Department of Health and Human Services since 2009, and reported HIPAA data breaches in 2023 were nearly double the number recorded in 2018. Meanwhile, preparedness capacity has lagged: as of 2022, only 13% of local health departments reported being prepared for cyber-related disruptions, and recent scans show cybersecurity is rarely included in emergency preparedness planning. In response at the federal level, HHS recently announced it is undoing a 2024 reorganization by returning department-wide technology responsibilities to the Office of the Chief Information Officer while refocusing the Office of the National Coordinator for Health Information Technology on improving nationwide health IT interoperability and data sharing. In recent years, state and territorial legislatures have begun to address these gaps by incorporating cybersecurity into preparedness, health care oversight, and statewide governance structures. These legislative trends signal a need to integrate cybersecurity into emergency operations plans, strengthen cross-sector coordination, and safeguard the continuity of public health services. Some of the most recent policies considered and enacted by legislatures treat cyber incidents as emergencies, expand reporting requirements, and strengthen cyber governance. Cyber Incidents Are Being Built into Emergency Preparedness Frameworks In response to these growing threats, jurisdictions have begun incorporating cyber response into emergency plans and strategies, reinforcing cybersecurity as essential to preparedness. These developments highlight growing awareness that cyber incidents can disrupt critical services, much like natural disasters. In 2025, New York enacted S 7672, which requires municipal entities and public authorities report cybersecurity incidents and demands for ransom to the state Division of Homeland Security and Emergency Services. In addition, it directs the Director of the Office of Information Services to establish cybersecurity training and protection standards for state systems as well as require cybersecurity training for state and local government employees. Virginia is currently considering HB 83, which would establish a volunteer Cyber Civilian Corps within the state IT agency to provide rapid assistance during cybersecurity incidents affecting municipalities, nonprofits, education, and critical infrastructure. Preparedness efforts also extend beyond legislation to executive action. In February 2026, Minnesota Governor Tim Walz authorized $1.2 million in state disaster assistance to support response efforts and restore critical systems in response to a cyber incident that disrupted digital services in Saint Paul on July 29, 2025. Additionally, the National Governors Association has included cybersecurity as a primary consideration for planning and preparedness in their latest edition of the Public Health Emergency Playbook. Health care and Public Health Critical Sectors Are Facing New Cyber Requirements Beyond emergency response frameworks, jurisdictions are also adopting cybersecurity reporting and planning requirements for health care and public health organizations. Companion bills in Tennessee (HB 511/SB 555) would require health care providers and facilities to notify their contracted health insurers of cybersecurity incidents. In Maine, LD 2103 would require hospitals to adopt cybersecurity plans to protect patient data and maintain operations, and must include cybersecurity training for employees and board members. New Jersey is looking to adopt and implement a more comprehensive cybersecurity plan across all sectors. This session, legislators have introduced at least two cyber security bills: A 3231 would require “sensitive businesses” (defined as those engaged in financial, essential infrastructure, or health care industries) to report cybersecurity incidents to the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) when they are aware of their occurrence and would require NJCCIC to conduct a cybersecurity audit within 30 days of notification. A 3283 would require the same “sensitive businesses” to implement cybersecurity programs in accordance with standards adopted by NJCCIC and certify compliance annually. As states expand reporting and cybersecurity requirements, these obligations may intersect with public health reporting and continuity planning. States Are Strengthening Government Cyber Governance and Coordination In addition to sector-specific requirements, jurisdictions are also strengthening the governance structures responsible for coordinating cybersecurity, improving their ability to respond to large-scale incidents affecting public systems. Legislation enacted recently in Texas and California aim to improve coordination among state government by establishing a state agency centralizing cybersecurity incident prevention and response (Texas HB 150) and mandating the development of a cybersecurity playbook to strengthen information sharing (California AB 979). A 2024 bill enacted in Puerto Rico (PC 1530) requires commonwealth agencies to develop and implement a cybersecurity program, which must include a yearly risk assessment as well as vulnerability assessment. At least three jurisdictions are currently considering bills strengthening established cybersecurity programs, with two states recently passing legislation. Utah recently enacted a bill authorizing the Utah Cyber Center to conduct voluntary cybersecurity risk assessments for critical infrastructure and coordinate with government entities on infrastructure safety (HB 165). Utah also enacted legislation creating a specific funding stream for the Center to use for various activities, including implementing a statewide cybersecurity plan and conducting assessments for governmental entities (SB 123). Kansas enacted HB 2574, which would require chief information security officers for the executive, legislative, and judicial branches to adopt cybersecurity programs based on a nationally recognized standard for governmental entities. Finally, Florida recently passed SB 7024, which would expand the state’s public record exemption to include risk assessments, information related to cybersecurity breaches, and information related to data protection, ensuring the confidentiality of sensitive cybersecurity information held by state agencies; the bill is with the governor for final consideration. Key Takeaways for Preparedness Leaders Cybersecurity is critical for preparedness across multiple policy areas, and requires new planning, coordination, and oversight responsibilities. By including cyber incidents into disaster frameworks, standards for health care organizations, and governance, preparedness leaders may find themselves more directly engaged in integrating cybersecurity into emergency operations, exercises, and cross-sector partnerships. For state and territorial health agencies beginning to incorporate cybersecurity into their preparedness plans, agencies such as the Cybersecurity and Infrastructure Security Agency provide jurisdictional support and resources to guide this work. article yes

Health agencies play a key role in preparing for and responding to hurricanes and other severe weather events.

As COVID-19 emerged and spread in the U.S., people working and residing in long-term care facilities have experienced a significant burden of COVID-19 cases and deaths. As of Oct. 8, deaths associated with these facilities account for 40% of total COVID-19 deaths in the U.S. Health officials have taken measures to improve their funding and capacity.

2020 has been a year of unprecedented events, and the past few months have already shown that they do not exist in a vacuum. While the country continues to respond and cope with the COVID-19 pandemic, many extreme weather events have already occurred, and are additional infectious disease challenges to consider. Responding to these events in the current conditions presents unique challenges to responders and communities.

The 2020 holiday season is coinciding with a nationwide surge of COVID-19 cases. With great concern that holiday travel to see loved ones may exacerbate community spread of the virus, many states are increasing public health measures before the winter holiday season. As of November 16, 2020, 13 states and D.C. had a quarantine requirement for out-of-state travelers. The U.S. territories also have instituted travel restrictions to limit the spread of COVID-19.

Vaccines are one of the greatest public health achievements of the last century, as well as some of the most powerful and cost-effective tools to prevent disease, disparities, disability, and death among children and adults. The COVID-19 pandemic and the unprecedented development and distribution of the vaccines against the novel coronavirus have generated much focus on state laws related to vaccinations. As state and territorial legislatures prepare to convene in the coming weeks, we can already identify several topics within vaccine law that policymakers across the country will consider.

Reconciling the tension between public health and civil liberties is one of the most significant challenges of public health law and ethics. The Supreme Court of the United States historically upheld state authority to enact and enforce public health laws that temporarily limit a person’s civil liberties, such as quarantine and isolation powers that restrict a person’s freedom of assembly in order to prevent the spread of contagious disease. There have been many legal challenges to the public health orders issued to slow the spread of COVID-19—many of the claims asserting violations of First Amendment rights of assembly, association, and expression—but they’ve largely been rejected by the courts. However, courts have treated claims asserting violations of the free exercise of religion more favorably, which may indicate an impending shift in how courts analyze the impact state and territorial actions may have on religious organizations.

This guide is intended to help public health and vector control professionals advance mosquito control efforts.

Recent state laws and governor emergency orders prohibiting universal school mask protocols are complicating the implementation of CDC’s evidence-based guidance for COVID-19 mitigation measures for in-person school. Ten states have enacted laws (Arizona, Arkansas, Iowa, North Dakota, Oklahoma, South Carolina, and Utah) or issued executive orders (Florida, Tennessee, and Texas) to limit or prohibit issuing universal face mask protocols for schools and in eight of these states the law or order now faces a legal challenge

Data reveals that nearly one third of COVID-19 patients experience one or more post-COVID conditions that linger for weeks or months after infection. The cause, duration, and potential treatments for these conditions are still being investigated. As more information emerges, federal and state policies are beginning to support “long-COVID” patients by clarifying how post-COVID conditions correlate to disability benefits, workers compensation and protections, and supporting further research into the conditions.

As the number of COVID-19 vaccinations grows, some states are looking at their vaccination rates to determine when to loosen measures that mitigate the spread of COVID-19, such as venue capacity limits, business closure times, and masking requirements. As vaccinations allow businesses to reopen and customers to return, questions have arisen about whether venues or services—especially those that bring people in close contact for long periods of times—such as retail stores, concert venues, entertainment venues, air travel, cruise ships, etc., can require patrons or customers to verify that they received a COVID-19 vaccine. So far, state policy makers have had mixed views on the issue.

The COVID-19 pandemic has further amplified the need for strong tobacco prevention and cessation policies. Research indicates that tobacco use is associated with increased rate of COVID-19 disease progression and increased likelihood of death among hospitalized patients, and that e-cigarette use is associated with a greatly increased risk of COVID-19 diagnosis in youth and young adults.