
State Policy Trends in Cybersecurity and Public Health Preparedness

Blog,
Utah,

Maggie Nilz

Learn how states are including cybersecurity in their emergency preparedness work in this Health Policy Update.

Cybersecurity is an increasingly important component of public health preparedness as state cybersecurity policy intersects with public health agency responsibilities. Public health agencies rely on interconnected digital systems and critical infrastructure for disease surveillance, laboratory reporting, emergency communications, and health data management, making cybersecurity critical to maintaining these functions. Beyond compromising sensitive data and potentially harming patients, cyber incidents can disrupt essential public health services, including emergency response operations.

Health care data breaches have steadily increased over the last 15 years, highlighting growing risks for government and health systems. A recent report showed that more than 7,000 health care data breaches were reported to the Department of Health and Human Services since 2009, and reported HIPAA data breaches in 2023 were nearly double the number recorded in 2018. Meanwhile, preparedness capacity has lagged: as of 2022, only 13% of local health departments reported being prepared for cyber-related disruptions, and recent scans show cybersecurity is rarely included in emergency preparedness planning.

In response at the federal level, HHS recently announced it is undoing a 2024 reorganization by returning department-wide technology responsibilities to the Office of the Chief Information Officer while refocusing the Office of the National Coordinator for Health Information Technology on improving nationwide health IT interoperability and data sharing.

In recent years, state and territorial legislatures have begun to address these gaps by incorporating cybersecurity into preparedness, health care oversight, and statewide governance structures. These legislative trends signal a need to integrate cybersecurity into emergency operations plans, strengthen cross-sector coordination, and safeguard the continuity of public health services. Some of the most recent policies considered and enacted by legislatures treat cyber incidents as emergencies, expand reporting requirements, and strengthen cyber governance.

Cyber Incidents Are Being Built into Emergency Preparedness Frameworks

In response to these growing threats, jurisdictions have begun incorporating cyber response into emergency plans and strategies, reinforcing cybersecurity as essential to preparedness. These developments highlight growing awareness that cyber incidents can disrupt critical services, much like natural disasters.

In 2025, New York enacted S 7672, which requires municipal entities and public authorities to report cybersecurity incidents and demands for ransom to the state Division of Homeland Security and Emergency Services. In addition, it directs the Director of the Office of Information Services to establish cybersecurity training and protection standards for state systems as well as to require cybersecurity training for state and local government employees. Virginia is currently considering HB 83, which would establish a volunteer Cyber Civilian Corps within the state IT agency to provide rapid assistance during cybersecurity incidents affecting municipalities, nonprofits, education, and critical infrastructure.

Preparedness efforts also extend beyond legislation to executive action. In February 2026, Minnesota Governor Tim Walz authorized $1.2 million in state disaster assistance to support response efforts and restore critical systems in response to a cyber incident that disrupted digital services in Saint Paul on July 29, 2025. Additionally, the National Governors Association has included cybersecurity as a primary consideration for planning and preparedness in its latest edition of the Public Health Emergency Playbook.

Health Care and Public Health Critical Sectors Are Facing New Cyber Requirements

Beyond emergency response frameworks, jurisdictions are also adopting cybersecurity reporting and planning requirements for health care and public health organizations. Companion bills in Tennessee (HB 511/SB 555) would require health care providers and facilities to notify their contracted health insurers of cybersecurity incidents. In Maine, LD 2103 would require hospitals to adopt cybersecurity plans to protect patient data and maintain operations; the plans must include cybersecurity training for employees and board members.

New Jersey is looking to adopt and implement a more comprehensive cybersecurity plan across all sectors. This session, legislators have introduced at least two cybersecurity bills. A 3231 would require “sensitive businesses” (defined as those engaged in financial, essential infrastructure, or health care industries) to report cybersecurity incidents to the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) when they are aware of their occurrence and would require NJCCIC to conduct a cybersecurity audit within 30 days of notification. A 3283 would require the same “sensitive businesses” to implement cybersecurity programs in accordance with standards adopted by NJCCIC and certify compliance annually.

As states expand reporting and cybersecurity requirements, these obligations may intersect with public health reporting and continuity planning.

States Are Strengthening Government Cyber Governance and Coordination

In addition to sector-specific requirements, jurisdictions are also strengthening the governance structures responsible for coordinating cybersecurity, improving their ability to respond to large-scale incidents affecting public systems.

Legislation enacted recently in Texas and California aims to improve coordination among state government by establishing a state agency centralizing cybersecurity incident prevention and response (Texas HB 150) and mandating the development of a cybersecurity playbook to strengthen information sharing (California AB 979). A 2024 bill enacted in Puerto Rico (PC 1530) requires commonwealth agencies to develop and implement a cybersecurity program, which must include a yearly risk assessment as well as a vulnerability assessment.

At least three jurisdictions are currently considering bills strengthening established cybersecurity programs, with two states recently passing legislation. Utah recently enacted a bill authorizing the Utah Cyber Center to conduct voluntary cybersecurity risk assessments for critical infrastructure and coordinate with government entities on infrastructure safety (HB 165). Utah also enacted legislation creating a specific funding stream for the Center to use for various activities, including implementing a statewide cybersecurity plan and conducting assessments for governmental entities (SB 123). Kansas enacted HB 2574, which would require chief information security officers for the executive, legislative, and judicial branches to adopt cybersecurity programs based on a nationally recognized standard for governmental entities. Finally, Florida recently passed SB 7024, which would expand the state’s public record exemption to include risk assessments, information related to cybersecurity breaches, and information related to data protection, ensuring the confidentiality of sensitive cybersecurity information held by state agencies; the bill is with the governor for final consideration.

Key Takeaways for Preparedness Leaders

Cybersecurity is critical for preparedness across multiple policy areas and requires new planning, coordination, and oversight responsibilities. As cyber incidents are incorporated into disaster frameworks, standards for health care organizations, and governance, preparedness leaders may find themselves more directly engaged in integrating cybersecurity into emergency operations, exercises, and cross-sector partnerships. For state and territorial health agencies beginning to incorporate cybersecurity into their preparedness plans, agencies such as the Cybersecurity and Infrastructure Security Agency provide jurisdictional support and resources to guide this work.

Innovations in Overdose Response: Strategies Implemented by Emergency Medical Services Providers

Ohio,

Initial estimates from 2020 suggest that annual drug overdose deaths in the United States reached a record high of 93,000. Fortunately, EMS strategies are being put in place to combat this nationwide issue.

Digging Deeper Into Legionnaires' Disease Guidance Needs for States and Territorial Health Agencies

This report shares results and key takeaways from interviews on topics including the overall structure of Legionnaires’ disease programs, diagnosis and clinical testing protocols, and risk communication.

Domestic Holiday Travel Pandemic Restrictions and Recommendations

Blog,
Guam,
Iowa,
Ohio,
Utah,

The 2020 holiday season is coinciding with a nationwide surge of COVID-19 cases. With great concern that holiday travel to see loved ones may exacerbate community spread of the virus, many states are increasing public health measures before the winter holiday season. As of November 16, 2020, 13 states and D.C. had a quarantine requirement for out-of-state travelers. The U.S. territories also have instituted travel restrictions to limit the spread of COVID-19.

Embedded: Reflections from Disability and Preparedness Specialists

Blog,
Guam,

After a year and a half of work as embedded disability specialists, 5 program participants share their reflections on important lessons learned and why disability inclusion is critical to the future of emergency preparedness.

Isolation, Quarantine, and Public Health Authority Beyond the Pandemic

Blog,
Iowa,
Ohio,

Under the Tenth Amendment, states have the power to protect the health and welfare of their populations, including the authority to implement isolation and quarantine orders to limit the spread of disease. This post is an examination of state public health authority for isolation and quarantine.

ASTHO Policy Watch 2022: Maintaining Public Health’s Legal Authority to Prevent Disease Spread

Blog,
Iowa,
Ohio,

States and territories have broad powers to protect public health and safety, including powers to prevent and control the spread of communicable disease typically exercised by state and territorial health departments. This authority is an essential tool in the fight to keep the public safe and healthy.

States Consider Role of COVID-19 Vaccination for School Enrollment

Blog,
Iowa,
Ohio,
Utah,

This week might have marked the beginning of summer, but many policymakers and health officials have their eye on the upcoming school year and what that might mean in terms of getting students vaccinated against COVID-19. According to a recent MMWR, COVID-19-related hospitalizations among adolescents increased in March and April 2021, potentially related to increased circulation of new COVID-19 variants, changes in physical distancing, and a larger number of children returning to school or other in-person indoor activities. This increase indicates an urgent need for vaccination against COVID-19, which is currently authorized for use in youth as young as 12.

Courts Considering Challenges to States Blocking School Mask Requirements

Blog,
Iowa,

Recent state laws and governor emergency orders prohibiting universal school mask protocols are complicating the implementation of CDC’s evidence-based guidance for COVID-19 mitigation measures for in-person school. Ten states have enacted laws (Arizona, Arkansas, Iowa, North Dakota, Oklahoma, South Carolina, and Utah) or issued executive orders (Florida, Tennessee, and Texas) to limit or prohibit issuing universal face mask protocols for schools, and in eight of these states the law or order now faces a legal challenge.

State Actions on COVID-19 Vaccine Verification

Blog,
Iowa,

As the number of COVID-19 vaccinations grows, some states are looking at their vaccination rates to determine when to loosen measures that mitigate the spread of COVID-19, such as venue capacity limits, business closure times, and masking requirements. As vaccinations allow businesses to reopen and customers to return, questions have arisen about whether venues or services, especially those that bring people in close contact for long periods of time (such as retail stores, concert venues, entertainment venues, air travel, and cruise ships), can require patrons or customers to verify that they received a COVID-19 vaccine. So far, state policymakers have had mixed views on the issue.