Healthcare organizations in the United States face threats, ranging from public health emergencies to cyberattacks. To support hospitals and health systems in enhancing their preparedness and resilience, the American Hospital Association (AHA) has released two comprehensive resources for cyber preparedness in healthcare.
The two guides, includes, Strategies for Medical Surge Management During Public Emergencies and Strategies for Cyber Preparedness in Health Care.
These guides are part of the AHA’s Convening Leaders for Emergency and Response initiative and are intended to increase cyber preparedness in healthcare, support staff, and sustain care delivery during crises.
The medical surge management guide is structured around the “four S’s”: staffing, supply, space, and systems. This framework provides hospitals with a methodical approach to anticipating and managing sudden increases in patient demand during pandemics, natural disasters, or other public health emergencies.
Staffing: Building a Flexible, Resilient Workforce
Staffing is critical for hospitals to respond effectively to medical surges. Adequate personnel, prepared for high-pressure scenarios, are necessary to safely expand capacity and maintain quality care. Public health crises often place prolonged stress on healthcare workers, highlighting the importance of workforce resilience and flexibility.
The AHA recommends tiered staffing models, which allow experienced clinicians, such as ICU nurses or physicians, to lead teams composed of redeployed personnel or float staff. This approach maintains high-acuity supervision while maximizing workforce capacity and reducing burnout.
A competency matrix is another key tool. By mapping staff skills, certifications, and cross-training, leaders can make rapid, informed staffing decisions during emergencies. When integrated into digital staffing platforms, these matrices enable real-time redeployment and highlight areas requiring pre-event training.
Dedicated float pools also contribute to surge readiness. Cross-trained personnel can be deployed to high-demand areas without overburdening core teams, guided by activation protocols and experienced float leaders. Centralized capacity command centers further support staffing decisions, using real-time data on patient volume, acuity, and bed availability to coordinate response efforts.
Supply: Maintaining Access to Critical Resources
Reliable access to medical supplies, equipment, and medications is vital during surge events. Sudden spikes in demand can strain supply chains, making proactive inventory management and planning essential.
Hospitals are encouraged to use digital tracking systems such as barcode scanners, RFID technology, and real-time dashboards to monitor supply use and prevent shortages. Emergency stockpiles organized into modular kits, based on functions like infection control or airway management, can streamline deployment during high-pressure scenarios.
Predictive tools, including the CDC’s PPE Burn Rate Calculator and the DASH model, allow healthcare organizations to forecast needs and stay ahead of demand. Strategic stockpiles and multisource vendor contracts further strengthen supply resilience.
Space: Expanding and Adapting Care Environments
Managing a medical surge also requires adaptable physical space. Hospitals must be able to expand or repurpose care areas while maintaining infection control, safety, and operational efficiency.
Predesignating surge zones, including inpatient units, recovery areas, or off-site facilities, ensures rapid activation. Infrastructure readiness, such as Wi-Fi connectivity, electronic health record access, and medical gas availability, must be assessed in advance.
Regulatory considerations, including emergency waivers and accessibility standards, should also be addressed. Regular drills and simulations familiarize staff with alternate care setups and help identify operational gaps.
Systems: Coordination, Communication, and Cybersecurity
Strong organizational systems underpin effective surge response, enabling clear governance, communication, and resource management. The companion AHA guide on cybersecurity highlights that resilient systems are equally critical for protecting healthcare organizations from increasing cyber threats.
Cyber incidents, much like public health emergencies, can disrupt operations and require coordinated response plans to maintain patient safety and continuity of care.
Cyber Preparedness in Healthcare
The AHA emphasizes that cyber preparedness in healthcare must be treated as an enterprise-wide priority rather than a purely technical challenge. Hospitals and health systems should embed cyber risk into governance frameworks, cultivate a cyber-aware workforce, and plan for clinical continuity during incidents. This includes cross-functional incident response plans, realistic drills, and robust backup and communication systems.
Third-party risk management is a critical component, requiring ongoing assessment of vendors and subcontractors. Additionally, hospitals are encouraged to collaborate regionally with healthcare coalitions and public health agencies to align cyber response efforts and strengthen collective resilience.
By adopting structured approaches across staffing, supply, space, and systems, and by integrating cybersecurity readiness into core operations, healthcare organizations can better anticipate challenges, respond effectively to emergencies, and recover quickly from disruptions.
