The new cybersecurity module in the RISC 2.0 toolkit helps providers evaluate digital threats through the same risk-assessment framework used for other operational hazards.
Federal health officials are offering hospital leaders a new way to assess cybersecurity risk and tie those risks more directly to patient safety and operational resilience.
HHS recently added a cybersecurity module to its Risk Identification and Site Criticality (RISC) 2.0 Toolkit, a free web-based platform used by organizations to evaluate threats and vulnerabilities across their facilities.
The new module allows providers to assess cybersecurity risks alongside traditional hazards such as natural disasters or infrastructure failures, giving leaders a wider view of threats that could disrupt care delivery.
For hospital executives, the updated toolkit can serve as a framework for governance, investment prioritization, and enterprise risk management.
Elevating cyber risk
Cyberattacks have increasingly disrupted hospital operations in recent years, making cybersecurity an enterprise risk issue rather than solely an IT concern.
The RISC 2.0 module helps organizations identify vulnerabilities and assess the potential operational consequences of cyber incidents, including impacts on safety, continuity of care, and mission performance.
HHS officials emphasize the connection between digital security and clinical operations.
“We must acknowledge that cyber safety is patient safety and that cyber threats can cause cascading problems across the health care industry,” John Knox, HHS’ principal deputy assistant secretary for preparedness and response, said in a statement. The module aims to help healthcare organizations “strengthen their resilience” and reduce the risk of disruptions to patient care.
Integrating cybersecurity into enterprise risk frameworks can help elevate the issue at the board and leadership level, ensuring cyber threats are considered alongside physical and operational hazards.
Identifying cybersecurity gaps
The cybersecurity module walks organizations through a series of questions about their policies, technical controls, and operational practices. Those responses are then scored against the National Institute of Standards and Technology Cybersecurity Framework 2.0 and HHS’ Healthcare Cybersecurity Performance Goals.
According to the RISC user guide, the cybersecurity module maps assessment responses to 206 subcategories within the NIST Cybersecurity Framework 2.0 and aligns with HHS’ 20 Healthcare Cybersecurity Performance Goals.
This standards-based approach helps providers identify gaps in cybersecurity programs, benchmark their practices against federal guidance, and prioritize investments to reduce risk.
The assessment can be completed as a standalone cybersecurity evaluation or integrated with broader risk assessments within the RISC platform.
For health systems that operate multiple hospitals or facilities, the platform can also compare risks across locations and identify dependencies between sites, offering insight that can inform systemwide preparedness planning.
Prioritizing investments
Cybersecurity spending is rising across healthcare, but many leaders still struggle to determine where to allocate resources.
By mapping responses to established frameworks, the RISC assessment can help leaders identify the most significant cybersecurity gaps and which controls should be addressed first.
The tool ranks threats and vulnerabilities across facilities, giving health system executives a clearer picture of where risk is concentrated within their organizations.
That visibility may also help bridge the communication gap between technical security teams and executive leadership.
Strengthening sector-wide resilience
More than 3,500 healthcare organizations are already using the RISC toolkit, according to HHS.
Because the platform lets organizations share findings with partners and coalitions, the tool may also support regional preparedness planning, an increasingly important consideration given that cyberattacks on hospitals can ripple across communities.
For hospital leaders, the update reinforces that cybersecurity is a core component of operational resilience and patient safety.
By incorporating cyber risk into a structured enterprise risk assessment, tools like the RISC 2.0 cybersecurity module may help executives better understand their vulnerabilities and make more informed decisions about how to address them.
Jay Asser is the CEO editor for HealthLeaders.
KEY TAKEAWAYS
The RISC 2.0 toolkit embeds cyber risk into a broader hazard assessment, reinforcing that cybersecurity is an operational and patient safety issue.
The assessment maps responses to federal cybersecurity standards, helping providers benchmark programs and identify the most critical security gaps.
By ranking vulnerabilities across facilities, the tool can help health system leaders prioritize cybersecurity investments and resilience planning.