ASPR Launches New Cybersecurity Module to Help Strengthen Healthcare Preparedness

The Administration for Strategic Preparedness and Response (ASPR), a division of the US Department of Health and Human Services (HHS), announced in a March 6 press release the launch of a new cybersecurity module within its Risk Identification and Site Criticality (RISC) 2.0 Toolkit. The module is designed to help healthcare organizations strengthen cybersecurity and protect patient care from disruptions caused by cyber threats.

Cybersecurity incidents have increasingly affected healthcare organizations in recent years, disrupting operations and creating risks to patient safety. According to ASPR, the new module provides healthcare and public health partners with additional tools to assess and strengthen their cyber resilience.

RISC 2.0 is a free, web-based platform that helps organizations conduct comprehensive risk assessments. Users can identify threats and hazards, assess vulnerabilities, evaluate potential consequences, and determine the criticality of their facilities. The tool also allows organizations to share findings with partners and stakeholders to support coordinated preparedness and response efforts. More than 3,500 health systems currently use the RISC platform.

The new cybersecurity module guides users through a series of questions about their cybersecurity policies and practices. Responses are scored against the NIST Cybersecurity Framework 2.0 and the HHS Cybersecurity Performance Goals, helping organizations identify potential gaps and prioritize improvements. This standards-based approach is intended to support more informed decision-making related to cybersecurity investments and risk mitigation.

The module is integrated into the existing RISC 2.0 platform, allowing organizations to evaluate cyber risk alongside other hazards within the same tool. Facilities, health systems, and healthcare coalitions can complete the cybersecurity assessment on its own or as part of broader risk assessments, depending on their needs.

The RISC 2.0 Toolkit supports emergency preparedness planning across the healthcare and public health sector. Using national-level data and guided assessments, the tool helps organizations identify location-specific threats, measure vulnerabilities based on industry standards, evaluate potential impacts of disruptions, and understand the critical role their facility plays within the broader healthcare system.

You can access the toolkit and cybersecurity module here.

Compliance Perspective

Issue

Healthcare organizations face potential risks from both cybersecurity threats and emergencies that can disrupt operations, compromise resident safety, and affect the delivery of care. Facilities are expected to maintain comprehensive plans that address both cyber and operational risks, ensuring continuity of operations and protection of sensitive resident information. Proactive assessment, staff training, and periodic review of policies are essential to strengthen preparedness and reduce vulnerabilities.

Discussion Points

  • Ensure your facility’s emergency preparedness plan and cybersecurity policies are current. Include procedures for system access, incident response, backup operations, communication during emergencies, and continuity of care. Policies should reflect regulatory guidance and recognized frameworks. Facilities may also benefit from periodic consultation with qualified external experts to identify potential gaps and recommend improvements for both cybersecurity and emergency preparedness.
  • Train all staff on emergency preparedness protocols and cybersecurity awareness. Med-Net Academy offers the course Emergency Preparedness Requirements for Nursing Homes, which covers the emergency plan, risk assessment, policies and procedures, and the communication plan. Staff responsible for IT, electronic health records, or system administration should also receive role-specific training related to system security and disaster continuity procedures.
  • Regularly audit emergency preparedness readiness and cybersecurity measures to ensure policies are being followed and risks are mitigated. Evaluate staff understanding, documentation of drills, and system configurations. Periodic external reviews or mock assessments with experienced consultants can help uncover hidden risks and strengthen compliance and preparedness.

*This news alert has been prepared by Med-Net Concepts, Inc. for informational purposes only and is not intended to provide legal advice.*