Healthcare organizations can take advantage of new cybersecurity guidance from the federal government that will help them assess their practices and identify risks.
The Department of Health and Human Services (HHS) on Thursday released an updated version of its Risk Identification and Site Criticality (RISC) toolkit that assesses organizations against the latest NIST Cybersecurity Framework and HHS’s own Cybersecurity Performance Goals.
The new cybersecurity module “will help our partners understand what is needed to strengthen their resilience and we strongly encourage them to take advantage of it,” John Knox, HHS’s principal deputy assistant secretary for preparedness and response, said in a statement.
RISC 2.0 “can compare multiple facilities across systems, coalitions, and regions to identify dependencies and interdependencies in a consistent, repeatable way,” HHS said on the toolkit’s website.
The department said more than 3,500 healthcare organizations are already using the service.
How it works
Organizations can access RISC through a portal on the HHS website. After inputting information about their facilities, organizations can complete self-assessments that generate reports about their preparedness for cyberattacks, natural disasters and other crises.
The new cybersecurity module “supports identification and assessment of cyber risks that may impact facility operations, safety, continuity of care, and mission performance by mapping the questions to the 206 NIST Cybersecurity Framework Subcategories and 20 HHS Cybersecurity Performance Goals,” according to RISC’s user manual.
Organizations already using RISC can update their facility profiles to include cybersecurity assessments alongside the hazards that the toolkit previously covered.
Organizations need any help they can get
The new HHS resource comes as hospitals and other healthcare organizations struggle to fend off increasingly sophisticated and aggressive cyberattacks. Ransomware attacks against healthcare providers surged in 2025, according to multiple analyses. Hospitals often use legacy technology with serious vulnerabilities, and their IT departments sometimes face challenges applying software updates and implementing other defensive measures.
Last week, the University of Mississippi Medical Center reopened its clinics after a ransomware attack crippled its electronic health-records platform and forced it to shutter services for more than a week.
Even healthcare providers that successfully protect their own networks sometimes experience breaches resulting from supply-chain attacks. The 2024 Change Healthcare ransomware attack caused major disruptions across the U.S. healthcare system as hospitals struggled to complete basic tasks without Change’s services.
