1117: Cybersecurity and Public Health Preparedness

JOHN SHEEHAN:
This is Public Health Review Morning Edition for Friday, May 1, 2026. I'm John Sheehan with
news from the Association of State and Territorial Health Officials.

Today, cybersecurity and
public health preparedness.
ASTHO Senior Analyst for Preparedness Maggie Nilz explains how cyber disruptions are
reshaping the foundation of public health systems and how increasingly interconnected digital
infrastructure has made core health functions more vulnerable. As cyber threats surge and
federal policy shifts, states are beginning to treat cyber incidents like hurricanes or pandemics,
and are building coordinated response frameworks and integrating cybersecurity into emergency
planning.

MAGGIE NILZ:
Public health relies heavily on digital systems for functions such as disease surveillance,
laboratory reporting, emergency communications, and health data management. These systems
are highly interconnected, so a cyber disruption can ripple across multiple functions at once. For
example, we've seen cyber disruptions in surveillance systems that have led to delays in
detecting outbreaks, or disruptions in lab systems that all interrupt test reporting.
And what's changed is that cyber incidents can disrupt essential services just like a natural
disaster. So, preparedness now has to include digital continuity, not just physical response. What
we're seeing is that cybersecurity is now about keeping core public health functions running, not
just protecting data.

SHEEHAN:
So, you've also cited a rise in cyber attacks or health care data breaches, as well as, you know,
low levels of preparedness in agencies. So, what is that telling us about the state of readiness,
and why is cybersecurity kind of a lower priority for health agencies?

NILZ:
So, we've seen thousands of health care data breaches over time, but there's been a really
significant sharp increase in the last few years. However, in a recent study, they found that only
13 percent of local health departments reported being prepared for cyber disruptions, and that
gap tells us that the risk is growing faster than our operational readiness. Cybersecurity is often
still treated as an IT issue and not a preparedness issue.
Now that lag has a lot of reasons behind it, including limited funding and workforce capacity
constraints, as well as competing priorities. You know, we've had a number of those in the last

few years in the preparedness realm, including infectious disease outbreaks and disaster
response. And all of that makes it really challenging to integrate cybersecurity into traditional
preparedness frameworks.
All in, the threat has accelerated a lot faster than preparedness systems have been able to adapt
to it.

SHEEHAN:
For sure. And at the same time, federal oversight and federal policy is also changing. And how
does the federal shift also relate to state-level preparedness?

NILZ:
Absolutely. I think that's a really key part of the changing landscape of cybersecurity right now.
With federal changes such as health and human services restructuring its IT oversight, it's
signaling a renewed focus on coordination and health IT systems.
States often look to federal agencies for policy direction and best practices, funding and grant
requirements, and standards around data sharing and interoperability. So, these shifts are going
to encourage states to align cybersecurity with public health infrastructure and strengthen
integration between IT and preparedness systems.

SHEEHAN:
Mm hmm. And several states are now treating cyber attacks or cyber incidents, specifically like
natural disaster emergencies. For example, New York has reporting requirements and Virginia
has proposed a cyber civilian corps.
How are these examples of redefining how states approach cyber defense?

NILZ:
So, these couple of examples are creating frameworks very similar to traditional preparedness
framework. So, things similar to a state CERT program, the community emergency response
training programs, and reporting requirements similar to what we would have following natural
disaster responses. And so, it's really aligning cyber response as part of existing emergency
management frameworks and allowing states to start treating cyber incidents like they would a
hurricane or a pandemic as events that require coordinated emergency response across the
state.

SHEEHAN:
And several states also have new cybersecurity planning and reporting requirements are in

the pipeline. How are these new proposals intersecting with sort of existing preparedness?

NILZ:
So, we've got a couple of examples from Tennessee, Maine, and New Jersey that are focusing on
frameworks such as cyber incident reporting, organizational cybersecurity plans, and training and
compliance standards around cybersecurity. And what that does is intersect with public health by
supporting continuity of health care services, which public health depends on and interacts with on
a day-to-day basis, as well as supports infrastructure to feed existing reporting systems and data
flows. The challenge is ensuring that these new cyber requirements align with existing public
health reporting and emergency planning.
But I think we'll find that as healthcare systems strengthen cybersecurity, it's going to directly
support public health continuity. But coordination across systems is always going to be key.

SHEEHAN:
Yeah. And just as each agency or specific office has to have a disaster preparedness playbook,
the same has to be true for cyber incidents. And everyone has to be coordinated, and it has to be
a centralized response.
Absolutely. And can you connect the dots on why that coordination is so critical during large-scale
incidents?

NILZ:
Yeah. So, what we're seeing right now is that states are creating centralized cyber agencies.
They're sharing response playbooks and creating some standardized frameworks.
But the reason that coordination is so critical is because cyber incidents often impact multiple
agencies at once. So, public health depends on cross-sector systems. They pull in information
from healthcare, IT, emergency management, environmental health, just to name a few.
And so, without coordination, responses become fragmented, and recovery from those becomes
very slow. However, with coordination, we're going to see faster information sharing and more
unified and effective response. I think with cyber in particular, as all of our public health leaders
know, no single agency can handle a major incident alone.
And it's really coordination that makes response effective.

SHEEHAN:
And as you mentioned at the top, these incidents are on the rise. And really, the threat is it's no
longer theoretical. It's here.

It's now. What is a major takeaway for an agency, sort of, reading this article and understanding
like, 'Oh boy, we've got to get this squared away?'

NILZ:
I would say the biggest takeaway is that cybersecurity needs to be integrated into emergency
preparedness planning now, not later. And that means including cyber in emergency operation
plans, in practical and tabletop exercises, and starting to build those cross-sector partnerships.
As you talked about, right, the why now is we're seeing threats increase.
But we're also seeing states starting to advance policy in that direction. And so resources and
guidance are starting to become more available. I think we're at a precipice of cybersecurity being
no longer an option for preparedness, but a core part of protecting public health.

SHEEHAN:
Maggie Nilz, thanks so much. 

NILZ:

Awesome. Thanks.

SHEEHAN:

Maggie Nilz is ASTHO senior analyst for preparedness.

Stay informed on the latest federal
developments with the View from Washington, D.C. segment on this podcast. This special feature
offers timely updates from Capitol Hill.
So, be sure to subscribe and never miss an episode. Carolyn Mullen and Jeffrey Ekoma provide
public health policy analysis, federal updates, and insights on emerging actions and what they
mean for state and territorial public health.

Join ASTHO for the webinar, 'Thriving Under Pressure:
Building Resilient Dialysis Systems and Teams.'
Understanding the structures, processes, and practices that influence patient safety during times
of stress is essential to informing priorities and targeting interventions that strengthen resilience.
This one-hour session convenes frontline clinicians, workforce leaders, and public health partners
to examine practical evidence-informed strategies that enhance both system and worker
resilience in the outpatient dialysis setting. The link is in the show notes.

This has been Public Health Review Morning Edition. I'm John Sheehan for the Association of
State and Territorial Health Officials.