to main content New Quick Safety advisory on building a culture of cybersecurity | The Joint Commission

New Quick Safety advisory on building a culture of cybersecurity

Tuesday, October 19 2021

Media Contact:  
Katie Looze Bronk
Corporate Communications  
(630) 792-5175  

(OAKBROOK TERRACE, Illinois, October 19, 2021) – Health care requires an all-hands approach to cybersecurity, including the establishment of a data safety culture that permeates an entire organization and its operations. Instituting a cybersecurity program can be challenging as the digital transition in health care means more information from across an organization is stored online.  

The operational needs of a facility, as well as interoperability regulations, often prioritize speed and accessibility of information over information security. Additionally, many facilities use a common network that integrates multiple aspects of clinical systems, medical systems, business systems, physical security and building management. 

A new Quick Safety advisory from The Joint Commission, “Organization-wide cybersecurity: Creating a culture of defense,” provides safety actions and resources to help health care organizations prepare for and repel a cybersecurity event. 

Building a culture of cybersecurity, or a human firewall, requires shared awareness of cybersecurity threats, including evaluation of the types of threats that exist, and incorporation of preventive strategies at all levels of a health care organization. Recommended safety actions in the advisory include:

Leadership’s role in a culture of cybersecurity

  • Create a culture of cybersecurity that is top down. 
  • Make sensitivity to cybersecurity threats and organizational preparedness part of the way the organization performs its work. 
  • Build a human firewall by requiring staff awareness of cybersecurity vulnerabilities at all levels of an organization. 

Staff education and training

  • Establish training programs for all staff and not just for clinicians. Include frequent refresher courses. 
  • Periodically evaluate staff to ascertain whether they appropriately respond to “test” cyber challenges. 
  • Train staff to anticipate non-conventional intrusions. 

Emergency management

  • Adopt the preparedness perspective of “when” not “if” a cybersecurity incident will occur.
  • Incorporate responses to cybersecurity attacks into an organization’s emergency preparedness plan.
  • Communicate necessary reporting and disclosure for any data breach. 

IT security team resources

  • Utilize available free resources from reputable sources.
  • Invest in security tools and resources when needed. 

Several resources from government security agencies and other organizations are included in the advisory – providing an initial checklist to measure cybersecurity preparedness within health care organizations. 

The full Quick Safety advisory is available on The Joint Commission website. It may be reproduced if credited to The Joint Commission.  


About The Joint Commission  
Founded in 1951, The Joint Commission seeks to continuously improve health care for the public, in collaboration with other stakeholders, by evaluating health care organizations and inspiring them to excel in providing safe and effective care of the highest quality and value. The Joint Commission accredits and certifies more than 22,000 health care organizations and programs in the United States. An independent, nonprofit organization, The Joint Commission is the nation’s oldest and largest standards-setting and accrediting body in health care. Learn more about The Joint Commission at



  • Ambulatory Health Care
  • Assisted Living Community
  • Behavioral Health Care
  • Critical Access Hospital
  • Diagnostic Imaging Services
  • Home Care
  • Hospital
  • Laboratory
  • Long Term Care
  • Nursing Care Center
  • Office-Based Surgery