RISC Toolkit 2.0

Risk Identification and Site Criticality

Strengthening Health Care Cyber Resilience Webinar

Cyber resilience in health care is no longer just an IT priority. It’s an operational imperative. Watch the recent webinar on the new RISC 2.0 Cybersecurity Module to gain a standards-based view of your risk posture and learn to prioritize what matters most.

Through our industrial base expansion efforts, ASPR is helping to make our nation’s industrial base more resilient, diverse, and secure. ASPR is working with our partners across government and industry to strengthen public health and medical supply chains and to address concerns regarding domestic manufacturing and supply chain surge capabilities.

The Risk Identification and Site Criticality 2.0 (RISC 2.0) Toolkit is an objective, data-driven, risk assessment resource with a dedicated cybersecurity module that can be used by public and private organizations within the Healthcare and Public Health (HPH) Sector to inform emergency preparedness planning, risk management activities, and resource investments. It provides HPH owners and operators in the HPH Sector with nationally recognized, standards-based evaluation criteria in an easy-to-follow, guided format.

The RISC Toolkit allows users to identify threats and hazards specific to their site using objective, national-level data, assess the vulnerability of their site based on industry standards and guidance, evaluate the consequences of disruptions, and assess the criticality of their facility. The RISC 2.0 Toolkit can compare multiple facilities across systems, coalitions, and regions to identify dependencies and interdependencies in a consistent, repeatable way.

RISC 2.0

Access the new web-based, objective, data-driven all-hazards risk assessment.

Key Features

Estimate the human, property, and business impacts to a facility that may result from a specific threat or hazard:

  • 34 external threats or hazards, including active shooters, flooding, and more

  • 33 internal threats or hazards, including water or generator failures, supply shortages, and more

Quickly assess facility-level:

  • Emergency preparedness and resilience

  • Physical security

  • Cybersecurity

  • Critical dependencies

The modernized RISC 2.0 application includes a number of new features:

  • Role based access

  • Context level help

  • Location services

  • Data segmentation

  • Enhanced approach to creating risk assessments

  • Heatmap style visualizations

General Topics & Questions

Please report all errors or bugs encountered to hphrisc@hhs.gov. Please include as much information as possible, including error messages and screenshots.

Risk Ratings are calculated by multiplying your scores from each of the three modules (THAM, RIST-V, and RIST-C). The overall score is the product of the relative Threat/Hazard Rating, the hazard-specific Vulnerability Score, and the hazard-specific Consequence Rating. A full explanation of the scoring process is described in the HPH RISC Toolkit Reference Guide.

The two types of threats/hazards are inherently different in their origin and impact—external events affect a region or community, whereas local/internal events by and large involve a single facility—as well as in how an individual facility prepares for and responds to them (e.g., facility-specific power outages, IT disruptions, infant abductions, etc.). Therefore, the components of the Toolkit present these hazard types separately to facilitate the different processes an organization may use to address them. Additionally, because different data sources are available for each type, Threat/Hazard Ratings for external and local/internal events are calculated differently.

External hazards have been assessed based on historical events located within the area surrounding a facility. These historical incidents have also been adjusted to determine the rate at which they occur in relation to each other (e.g., tsunamis happen most frequently in the United States in Hawaii and Alaska, but have only occurred three times in the past 20 years).

However, local/internal hazards are based on non-national data sources, and their ratings are relative only to other local/internal hazards. Since local/internal hazard scores are not derived using the same two-step approach used for external hazards, the two groups cannot be compared with each other.

THAM

The lower resolution of the provided map is an acknowledged data limitation; however, the data source used was the only national indication of subsidence potential identified. If you know of a better or more user-friendly national resource, please share the source with hphrisc@hhs.gov for possible inclusion in future versions of the THAM.

The NOAA Historical Hurricane Tracks Tool will occasionally not display the search results. Please close the window and try again.

Threat/Hazard Ratings represent the likelihood of each event occurring at the assessed facility, relative to other facilities and other event types. The ratings range from 0.1 to 4.0, with a higher rating indicating a greater likelihood. They do not consider protective measures in place to protect against the event or the extent of damage it may cause; for those factors complete the RIST-V and RIST-C.

The THAM separates reporting of Threat/Hazard Ratings according to two different types of events...

The values calculated by the tool are based on national-level data sources...

RIST-V

The questions found in the RIST-V come from major discipline-specific standards and best practices identified for the Healthcare and Public Health Sector, along with input from subject matter experts. The sources include:

  • ASIS International (2009), Facilities Physical Security Measures Guideline

  • ASIS International (2012), Security Management Standard: Physical Asset Protection

  • U.S. Department of Health and Human Services, Office of the Assistant Secretary for Preparedness and Response (2012), Healthcare Preparedness Capabilities: National Guidance for Healthcare System Preparedness

  • Centers for Medicare & Medicaid Services, Emergency Preparedness Rule

  • Centers for Disease Control and Prevention, Office of Public Health Preparedness and Response (2011), Public Health Preparedness Capabilities: National Standards for State and Local Planning

  • U.S. Department of Homeland Security (2013), Infrastructure Survey Tool and Rapid Survey Tool and Supporting Reference Manuals

  • California Emergency Medical Services Authority (2014), Hospital Incident Command System Guidebook

  • Borten, K. (2016), Combat Visual Hacking in Healthcare

  • National Fire Protection Association (2015), NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity/Continuity of Operations Programs

  • New Jersey Hospital Association (2004), Emergency Preparedness Hospital Security Readiness Assessment Tool

  • The Joint Commission (2011), Comprehensive Accreditation Manual for Hospitals

  • National Institute of Standards and Technology (2014), Framework for Improving Critical Infrastructure Cybersecurity

Many terms have been defined, as indicated by light blue underlined text; click on these terms to display a pop-up window containing the definition. If you have identified additional terms that you believe should be formally defined, please send your request to hphrisc@hhs.gov.

Many questions in the tool have the option to select Not Applicable (N/A). If you have identified an additional question that does not apply to your facility type, please report this to hphrisc@hhs.gov. Provide the question number and your facility type, and the question will be reviewed for possible modification in future versions of the RIST-V.

These narrative responses are not used in the Vulnerability Score or subsequent risk calculations. They are intended to function as institutional memory and be used by the facilities themselves to track their answers.

The questions in this tool cover a wide range of topics that will require diverse expertise and disparate information to complete; therefore, it is anticipated that the tool will be completed by a group of experts rather than a single individual. While the tool may be completed by a single individual, it is recommended that users collaborate with the relevant individuals and departments within their organization with the appropriate operational knowledge (e.g., CFO, IT Department, Emergency Manager), as well as with external agencies as needed.

The Vulnerability Scores reported in the RIST-V represent the overall facility vulnerability as well as the vulnerability for each major section and subsection of the tool. These scores depict the extent of the facility’s vulnerability to the entire all-hazards landscape (i.e., are not hazard-specific) based on the policies, plans, procedures, and capabilities in place at a facility. The Vulnerability Scores are calculated on a scale from zero to one; a score closer to zero indicates the facility or asset being assessed has low overall vulnerability and is highly resistant.

In the Dashboard, the overall Vulnerability Score is adjusted to reflect only the vulnerabilities relevant to each specific threat or hazard. For example, physical security training will play a role in mitigating the risk associated with an active shooter event, but will not affect the risk associated with a hurricane. These scores are on a scale of zero to one and are analogous to the RIST-V Vulnerability Scores divided by 100 (i.e., a 0.23 in the Dashboard is similar to a 23 in the RIST-V).

The RIST-V report provides an overall Vulnerability Score for the facility as well as Vulnerability Scores for each major section and subsection of the tool. All Vulnerability Scores are on a scale of 0–100, with a score closer to zero indicating less vulnerability. The scores reflect the number of protective measures and procedures in place as reflected in your answers to the survey questions. Users can review sections with high vulnerability scores to determine what actions can be taken to reduce vulnerability.

The results of the RIST-V can be used on their own or in combination with existing planning and preparedness activities in your organization. However, a risk-based approach to preparedness planning also incorporates information on likelihood and consequence of individual threats or hazards. Using the RIST-V as part of the HPH RISC Toolkit will provide additional information and calculate Risk Ratings specific to individual threats or hazards, allowing risk-based prioritization of corrective actions.

A larger Vulnerability Score indicates a greater level of vulnerability; thus, follow-on actions after performing a vulnerability assessment with the RIST-V should be designed to reduce your scores. Notably, Vulnerability Scores are based on all survey questions regardless of facility type, size, or other characteristics. Therefore, some procedures or mitigations that could be implemented to reduce vulnerability may not be desirable or feasible for your facility (for example, screening and badging all visitors in a large hospital). The end goal of this assessment should be to identify ways to minimize vulnerabilities, not to reduce all vulnerability to zero.

An initial step to improve Vulnerability Scores is to identify those sections and subsections with the highest Vulnerability Scores. Users can then review those sections to identify the responses that increased vulnerability, thereby identifying specific actions to improve scores. A handful of general resources regarding vulnerability are provided on the introduction page of the RIST-V module and can be consulted for ideas on improving mitigation strategies and reducing vulnerability.

Cybersecurity Module

Cyber Evaluation results may be reviewed directly from the Risk Assessment Dashboard. Users may view Cyber scores in the context of other Facility risk indicators, including Hazard, Vulnerability, Consequence, and Criticality scores. Cyber results may also be included when exporting Risk Assessment dashboards to HTML or PDF formats.

For more information, please follow the RISC 2.0 User Guide.

No. The cyber module is an optional capability that you may enable when creating or updating a Facility Profile within the tool.