On today's episode, ASTHO's Maggie Nilz explains how cyber disruptions are reshaping the foundation of public health systems. She shares how digital infrastructure makes core health functions more vulnerable and what jurisdictions can do to meet these challenges.
Cyberattacks aren’t just an IT problem; they’re a potential public health emergency. ASTHO Senior Analyst for Preparedness, Maggie Nilz, explains how cyber disruptions are reshaping the foundation of public health systems. She explains how increasingly interconnected digital infrastructure has made core health functions more vulnerable, which raises the risk of things like delayed outbreak detection and interrupted lab reporting. As cyber threats surge and federal policy shifts, states are beginning to treat cyber incidents like hurricanes or pandemics, building coordinated response frameworks and integrating cybersecurity into emergency planning.
State Policy Trends in Cybersecurity and Public Health Preparedness | ASTHO
Thriving Under Pressure: Building Resilient Dialysis Systems and Teams
JOHN SHEEHAN:
This is Public Health Review Morning Edition for Friday, May 1, 2026. I'm John Sheehan with news from the Association of State and Territorial Health Officials.
Today: cybersecurity and public health preparedness. ASTHO Senior Analyst for Preparedness Maggie Nilz explains how cyber disruptions are reshaping the foundation of public health systems and how increasingly interconnected digital infrastructure has made core health functions more vulnerable. As cyber threats surge and federal policy shifts, states are beginning to treat cyber incidents like hurricanes or pandemics, and are building coordinated response frameworks and integrating cybersecurity into emergency planning.
MAGGIE NILZ:
Public health relies heavily on digital systems for functions such as disease surveillance, laboratory reporting, emergency communications, and health data management. These systems are highly interconnected, so a cyber disruption can ripple across multiple functions at once. For example, we've seen cyber disruptions in surveillance systems that have led to delays in detecting outbreaks, or disruptions in lab systems that all interrupt test reporting. And what's changed is that cyber incidents can disrupt essential services just like a natural disaster. So, preparedness now has to include digital continuity, not just physical response. What we're seeing is that cybersecurity is now about keeping core public health functions running, not just protecting data.
SHEEHAN:
So, you've also cited a rise in cyber attacks or health care data breaches, as well as, you know, low levels of preparedness in agencies. So, what is that telling us about the state of readiness, and why is cybersecurity kind of a lower priority for health agencies?
NILZ:
So, we've seen thousands of health care data breaches over time, but there's been a really significant sharp increase in the last few years. However, in a recent study, they found that only 13 percent of local health departments reported being prepared for cyber disruptions, and that gap tells us that the risk is growing faster than our operational readiness. Cybersecurity is often still treated as an IT issue and not a preparedness issue. Now, that lag has a lot of reasons behind it, including limited funding and workforce capacity constraints, as well as competing priorities. You know, we've had a number of those in the last few years in the preparedness realm, including infectious disease outbreaks and disaster response. And all of that makes it really challenging to integrate cybersecurity into traditional preparedness frameworks. All in, the threat has accelerated a lot faster than preparedness systems have been able to adapt to it.
SHEEHAN:
For sure. And at the same time, federal oversight and federal policy is also changing. And how does the federal shift also relate to state-level preparedness?
NILZ:
Absolutely. I think that's a really key part of the changing landscape of cybersecurity right now. With federal changes, such as Health and Human Services restructuring its IT oversight, it's signaling a renewed focus on coordination and health IT systems. States often look to federal agencies for policy direction and best practices, funding and grant requirements, and standards around data sharing and interoperability. So, these shifts are going to encourage states to align cybersecurity with public health infrastructure and strengthen integration between IT and preparedness systems.
SHEEHAN:
Mmhmm. And several states are now treating cyber attacks, or cyber incidents, specifically like natural disaster emergencies. For example, New York has reporting requirements and Virginia has proposed a Cyber Civilian Corps. How are these examples of redefining how states approach cyber defense?
NILZ:
So, these couple of examples are creating frameworks very similar to a traditional preparedness framework. So, things similar to a state CERT program, the Community Emergency Response Training programs, and reporting requirements similar to what we would have following natural disaster responses. And so, it's really aligning cyber response as part of existing emergency management frameworks and allowing states to start treating cyber incidents like they would a hurricane or a pandemic as events that require coordinated emergency response across the state.
SHEEHAN:
And several states also have new cybersecurity planning and reporting requirements are in the pipeline.
How are these new proposals intersecting with sort of existing preparedness?
NILZ:
So, we've got a couple of examples from Tennessee, Maine, and New Jersey that are focusing on frameworks such as cyber incident reporting, organizational cybersecurity plans, and training and compliance standards around cybersecurity. And what that does is intersect with public health by supporting continuity of health care services, which public health depends on and interacts with on a day-to-day basis, as well as support infrastructure to feed existing reporting systems and data flows. The challenge is ensuring that these new cyber requirements align with existing public health reporting and emergency planning. But I think we'll find that as health care systems strengthen cybersecurity, it's going to directly support public health continuity. But coordination across systems is always going to be key.
SHEEHAN:
Yeah. And just as each agency or specific office has to have a disaster preparedness playbook, the same has to be true for cyber incidents. And everyone has to be coordinated, and it has to be a centralized response.
NILZ:
Absolutely.
SHEEHAN:
And can you connect the dots on why that coordination is so critical during large-scale incidents?
NILZ:
Yeah. So, what we're seeing right now is that states are creating centralized cyber agencies. They're sharing response playbooks and creating some standardized frameworks. But the reason that coordination is so critical is because cyber incidents often impact multiple agencies at once. So, public health depends on cross-sector systems. They pull in information from healthcare, IT, emergency management, environmental health, just to name a few. And so, without coordination, responses become fragmented, and recovery from those becomes very slow. However, with coordination, we're going to see faster information sharing and more unified and effective response. I think with cyber, in particular, as all of our public health leaders know, no single agency can handle a major incident alone. And it's really coordination that makes response effective.
SHEEHAN:
And as you mentioned at the top, these incidents are on the rise. And really, the threat is it's no longer theoretical. It's here. It's now. What is a major takeaway for an agency, sort of, reading this article and understanding like, 'Oh boy, we've got to get this squared away?'
NILZ:
I would say the biggest takeaway is that cybersecurity needs to be integrated into emergency preparedness planning now, not later. And that means including cyber in emergency operation plans, in practical and tabletop exercises, and starting to build those cross-sector partnerships. As you talked about, right, the why now is we're seeing threats increase. But we're also seeing states starting to advance policy in that direction. And so, resources and guidance are starting to become more available. I think we're at a precipice of cybersecurity being no longer an option for preparedness, but a core part of protecting public health.
SHEEHAN:
Maggie Nilz, thanks so much.
NILZ:
Awesome. Thanks.
SHEEHAN:
Maggie Nilz is ASTHO senior analyst for preparedness.
Stay informed on the latest federal developments with the View from Washington, D.C. segment on this podcast. This special feature offers timely updates from Capitol Hill. So, be sure to subscribe and never miss an episode. Carolyn Mullen and Jeffrey Ekoma provide public health policy analysis, federal updates, and insights on emerging actions and what they mean for state and territorial public health.
Join ASTHO for the webinar, 'Thriving Under Pressure: Building Resilient Dialysis Systems and Teams.' Understanding the structures, processes, and practices that influence patient safety during times of stress is essential to informing priorities and targeting interventions that strengthen resilience. This one hour session convenes frontline clinicians, workforce leaders, and public health partners to examine practical evidence-informed strategies that enhance both system and worker resilience in the outpatient dialysis setting. The link is in the show notes.
This has been Public Health Review Morning Edition. I'm John Sheehan for the Association of State and Territorial Health Officials.
