New Cybersecurity Module in RISC 2.0 Toolkit Allows Healthcare and Public Health Organizations to Better Analyze Cyber Threats

The Administration for Strategic Preparedness and Response (ASPR) recently released a new cybersecurity module within the  Risk Identification and Site Criticality (RISC) 2.0 Toolkit . The RISC Toolkit is a free, web-based platform where public and private organizations within the healthcare and public health sector can conduct risk assessments by identifying threats, assessing vulnerabilities, determining consequences and criticality, and sharing findings with stakeholders. ASPR has integrated the new cybersecurity module into the existing RISC 2.0 platform, allowing facilities, health systems, and coalitions to analyze cyber risk alongside other hazards in one unified tool.

We acknowledge that cyber threats are growing more sophisticated, and we believe that cyber safety is patient safety. The cybersecurity module is our latest resource to assist our health care and public health partners in preventing the disruption of patient care and strengthening national health security. The new module guides users through a series of questions, in the style of a user-friendly self-assessment, about their policies and practices. Answers are scored against the  NIST Cybersecurity Framework (CSF) 2.0  and HPH Cybersecurity Performance Goals (CPGs) . This objective, standards-based approach helps organizations identify critical gaps, prioritize investments, and make informed decisions about risk mitigation. When health care organizations have the means to identify risks and vulnerabilities, they can implement strategies that minimize disruptions to patient care and strengthen preparedness and resilience.

The cyber module helps hospitals and healthcare systems better understand their cyber risks and areas where they may be particularly vulnerable. Once users better understand their risk profile, they can use existing field-proven tools like the CPGs and NIST CSF 2.0 to protect patient safety and increase the cyber resiliency of their organization. ASPR leads the HHS divisions and serves as the  Sector Risk Management Agency  for the Healthcare and Public Health Sector, and provides guidance and support to public and private partners to help enhance cybersecurity.

There are currently more than 3,500 health systems using the RISC toolkit to improve awareness of risks facing their facilities and communities, thus strengthening state and local resilience. In the tool, users enter site-specific data points through a series of questions. This information is then combined with data from 14 national databases, including the FBI crime and United States Geological Survey (USGS) earthquake databases, to provide a comprehensive assessment of threats and hazards resulting in an objective data-driven risk score for the facility. This allows organizations to better target capital investments and efforts to minimize the effects of natural disasters, security breaches, or other potential hazards to help lower risks to their facilities, staff and patients. Consistent analysis of these data creates a consistent method for assessing risk.

We must acknowledge that cyber safety is patient safety. The new RISC toolkit cybersecurity module will help our partners understand what is needed to strengthen their resilience and we strongly encourage them to take advantage of it.