HHS offers new online RISC 2.0 cybersecurity risk assessment tool

The Administration for Strategic Preparedness and Response (ASPR) has released a new online risk assessment tool to help organizations understand and address potential gaps in their cybersecurity defenses. 

The module, which sits within the Risk Identification and Site Criticality (RISC) 2.0 Toolkit, guides users through an assessment of their cybersecurity policies and practices, then scores their responses against the NIST Cybersecurity Framework 2.0 and HHS Cybersecurity Performance Goals. 

“Cyber threats are growing more sophisticated. This module is the latest addition to our toolkit of resources to assist our health care and public health partners in preventing the disruption of patient care and strengthening national health security,” said John Knox, ASPR Principal Deputy Assistant Secretary. ASPR is a division of HHS. 

“We must acknowledge that cyber safety is patient safety and that cyber threats can cause cascading problems across the health care industry. The new cybersecurity module will help our partners understand what is needed to strengthen their resilience and we strongly encourage them to take advantage of it.” 

Users can complete this module’s questionnaire independently or combine it with other assessments depending on their needs. As a whole, the RISC 2.0 Toolkit is designed to support proactive preparedness and response to cyber threats, which are getting increasingly frequent, varied, and creative from bad actors domestically and abroad. 

For example, medical device company Stryker just suffered a cyberattack tied to the US hostilities against Iran, wherein Iran-linked attackers allegedly wiped data from more than 200,000 systems, servers, and mobile devices, according to Krebs on Security.  News outlets have also reported disruptions in ordering and shipping.  

With RISC 2.0, organizations can take a variety of actions to bolster their preparedness and their defenses, including: 

• Identifying threats and hazards ranging from intentional acts to natural disasters and unintentional manmade disruptions like power failures or supply shortages 

• Assessing vulnerabilities in cybersecurity infrastructure and internal response plans, such as business continuity planning and physical access controls 

• Determining the criticality and consequences of threats and vulnerabilities, including damages to property or the role of a facility to the overall function of the healthcare system 

• Generating and sharing data insights with internal stakeholders and partner organizations to create actionable reports that can facilitate improvement at the local, regional, and national levels 

More than 3500 health systems are using the free RISC Tool resources already.  

“When health care organizations have the means to identify risks and vulnerabilities, they can implement strategies that minimize disruptions to patient care and strengthen preparedness and resilience,” the press release stated. 

ASPR hopes that users of the RISC Toolkit, including the new module, will incorporate results into planning considerations and develop more focused initiatives targeting their unique vulnerabilities and opportunities for improvement. The agency also encourages organizations to share best practices and seek advice from other entities across the sector to strengthen the overall preparedness and resilience of the healthcare industry. 

Jennifer Bresnick is a journalist and freelance content creator with a decade of experience in the health IT industry.  Her work has focused on leveraging innovative technology tools to create value, improve health equity, and achieve the promises of the learning health system.  She can be reached at [email protected].