TL/DR –
The Department of Health and Human Services (HHS) has released an updated version of its Risk Identification and Site Criticality (RISC) toolkit that helps healthcare organizations assess their cybersecurity practices and identify risks. The toolkit aligns with the latest NIST Cybersecurity Framework and HHS’s own Cybersecurity Performance Goals. The move comes as healthcare organizations face increasingly sophisticated and aggressive cyberattacks, with ransomware attacks surging in 2025.
Healthcare Cybersecurity: New Federal Guidance to Assess Risks
The federal government has released new cybersecurity guidance to help healthcare organizations assess their practices and identify risks. The Department of Health and Human Services (HHS) updated its Risk Identification and Site Criticality (RISC) toolkit, aligning with the latest NIST Cybersecurity Framework and HHS’s Cybersecurity Performance Goals.
John Knox, HHS’s principal deputy assistant secretary for preparedness and response, stated that the updated cybersecurity module will strengthen resilience. The RISC 2.0 toolkit can compare multiple facilities across systems and regions, identifying dependencies in a consistent, repeatable way. Over 3,500 healthcare organizations have already adopted this service.
Understanding the RISC Toolkit
Organizations can access RISC through a portal on the HHS website. Once facility information is entered, self-assessments generate reports on preparedness for cyberattacks, natural disasters, and other crises. The new cybersecurity module supports the identification and assessment of cyber risks, as outlined in RISC’s user manual.
Existing RISC users can update their facility profiles, adding cybersecurity assessments to the hazards the toolkit already covered.
The Increasing Need for Cybersecurity in Healthcare
The release of HHS’s resource comes as healthcare organizations struggle to defend against escalating cyberattacks. In 2025, ransomware attacks surged against healthcare providers, according to several reports and analyses. Hospitals often rely on legacy technology with significant vulnerabilities, with IT departments facing challenges in software updates and other defense measures.
Recently, the University of Mississippi Medical Center recovered from a ransomware attack that crippled its electronic health-records platform and shuttered services for over a week. Additionally, protecting an organization’s own internal network does not safeguard it against breaches originating in supply-chain attacks, such as the 2024 Change Healthcare ransomware attack that disrupted U.S. healthcare systems.