HHS Launches Free Cybersecurity Toolkit to Help Healthcare Orgs Assess Risk

ASPR Launches Cybersecurity Module to Bolster Healthcare Risk Assessment

INFORMATIONAL
March 15, 2026
Categories: Policy and Compliance, Regulatory, Security Operations

Related Entities

Products & Tech: NIST Cybersecurity Framework (CSF) 2.0; HHS Cybersecurity Performance Goals (CPGs)

Executive Summary

On March 14, 2026, the U.S. Department of Health and Human Services (HHS) Administration for Strategic Preparedness and Response (ASPR) released a significant new resource for the healthcare sector. A new cybersecurity module has been added to the Risk Identification and Site Criticality (RISC) 2.0 Toolkit, a free, web-based platform. The module is designed to help healthcare and public health (HPH) organizations of any size or resource level conduct a structured cybersecurity risk assessment. By answering a guided questionnaire, organizations can measure their current security posture against established best practices, namely the NIST Cybersecurity Framework (CSF) 2.0 and the voluntary HHS Cybersecurity Performance Goals (CPGs). The tool aims to provide actionable insights, helping facilities identify their most critical security gaps and prioritize improvements to enhance their cyber resilience.


Regulatory Details

  • Tool: Risk Identification and Site Criticality (RISC) 2.0 Toolkit - Cybersecurity Module.
  • Provider: HHS Administration for Strategic Preparedness and Response (ASPR).
  • Purpose: To provide a free, standardized method for healthcare organizations to self-assess their cybersecurity risk.
  • Frameworks: The assessment is benchmarked against two key standards:
    1. NIST Cybersecurity Framework (CSF) 2.0: A comprehensive framework of standards, guidelines, and best practices to manage cybersecurity risk.
    2. HHS Cybersecurity Performance Goals (CPGs): A set of voluntary, high-impact cybersecurity practices tailored for the healthcare sector, designed to provide a baseline level of security.

Affected Organizations

The toolkit is intended for a wide range of organizations within the U.S. healthcare and public health sector, including:

  • Hospitals and health systems (from large urban centers to small rural facilities).
  • Outpatient clinics and private practices.
  • Long-term care facilities.
  • Public health agencies.
  • Medical supply chain partners.

The tool's web-based nature and free availability make it particularly valuable for smaller organizations that may lack the resources for expensive commercial risk assessment platforms.


Compliance Requirements

While use of the RISC 2.0 Toolkit is voluntary, it supports the HIPAA Security Rule's requirement (45 CFR 164.308(a)(1)(ii)(A)) that covered entities and business associates conduct an accurate and thorough risk analysis. The toolkit is a structured input to that analysis rather than a substitute for it: a CSF/CPG gap assessment benchmarks controls against a baseline, whereas the HIPAA risk analysis must also cover the specific systems that create, receive, maintain, or transmit ePHI. The output of the assessment is a scored report that helps organizations:

  • Identify Gaps: Pinpoint specific areas where their security controls are weak or non-existent when compared to the NIST CSF and HHS CPGs.
  • Prioritize Investments: Use the assessment results to make data-driven decisions on where to allocate limited security budgets for maximum impact.
  • Develop a Mitigation Strategy: Create a roadmap for implementing new security controls and improving their overall posture over time.

Impact Assessment

The release of this toolkit is part of a broader push by the U.S. government to raise the cybersecurity baseline across the entire healthcare sector, which is designated as critical infrastructure and is frequently targeted by cybercriminals. By providing a free and accessible tool, HHS aims to democratize risk assessment, enabling even the least-resourced organizations to take the first step toward better security. This can lead to a stronger collective defense for the entire industry. For individual organizations, using the tool can help them proactively identify and remediate vulnerabilities before they are exploited, potentially preventing costly data breaches and operational disruptions.


Compliance Guidance

Healthcare organizations should take the following steps to leverage this new resource:

  1. Assemble a Team: Designate a team, including IT/security staff and a clinical or administrative leader, to complete the assessment. This ensures both technical and operational perspectives are included.
  2. Complete the Assessment Honestly: The value of the tool lies in an accurate self-assessment. Answer the questionnaire based on the controls that are actually implemented and functioning, not what is planned or documented but not yet in place.
  3. Analyze the Results: Review the scored report to understand the highest-priority gaps. Focus first on the 'Essential' CPGs, which cover foundational security practices like MFA, patch management, and backups.
  4. Create an Action Plan: Develop a formal Plan of Action and Milestones (POA&M) to address the identified weaknesses. Assign responsibility, set deadlines, and track progress.
  5. Repeat Regularly: A risk assessment is not a one-time event. Organizations should plan to repeat the assessment annually or whenever there is a significant change in their IT environment.
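To make steps 2 through 4 concrete, here is an added example, not the RISC 2.0 Toolkit's own scoring logic and not code from HHS, of how a scored self-assessment can be reduced to a prioritized Plan of Action and Milestones. The goal names are a constructed subset in the style of the HHS CPG catalogue (the official list and tiering is the authority); the status values, credit weights, and the 90/180-day remediation windows are assumptions chosen for the example. Note that a control that is only documented scores the same as one that is absent, which is the honesty rule from step 2 expressed in code.

```python
"""Score a CPG-style self-assessment and turn its gaps into a POA&M.

Added illustration only; this is not the RISC 2.0 Toolkit's own scoring
logic. Goal names, tiers, status values and remediation windows below are
assumptions chosen for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Answer:
    goal: str    # CPG goal name (constructed subset, not the official catalogue)
    tier: str    # "Essential" or "Enhanced"
    status: str  # one of the STATUS_SCORE keys


TIER_RANK = {"Essential": 0, "Enhanced": 1}

# Only a control that is actually functioning earns credit. A policy that is
# written but not deployed ("documented_only") scores the same as nothing.
STATUS_SCORE = {
    "implemented": 1.0,
    "partial": 0.5,
    "documented_only": 0.0,
    "not_implemented": 0.0,
}

# Assumed remediation windows per tier, in days (an example SLA, not an HHS rule).
REMEDIATION_DAYS = {"Essential": 90, "Enhanced": 180}

# Constructed questionnaire answers for a hypothetical small clinic.
SAMPLE_ANSWERS = [
    Answer("Multifactor Authentication", "Essential", "implemented"),
    Answer("Mitigate Known Vulnerabilities", "Essential", "partial"),
    Answer("Basic Cybersecurity Training", "Essential", "documented_only"),
    Answer("Email Security", "Essential", "not_implemented"),
    Answer("Network Segmentation", "Enhanced", "not_implemented"),
    Answer("Centralized Log Collection", "Enhanced", "implemented"),
]


def _check(a):
    """Reject answers with a tier or status the scoring tables do not know."""
    if a.status not in STATUS_SCORE:
        raise ValueError(f"unknown status {a.status!r} for {a.goal!r}")
    if a.tier not in TIER_RANK:
        raise ValueError(f"unknown tier {a.tier!r} for {a.goal!r}")


def tier_coverage(answers):
    """Percent of available credit earned per tier, e.g. {'Essential': 37.5, ...}."""
    earned, possible = {}, {}
    for a in answers:
        _check(a)
        earned[a.tier] = earned.get(a.tier, 0.0) + STATUS_SCORE[a.status]
        possible[a.tier] = possible.get(a.tier, 0) + 1
    return {t: round(100.0 * earned[t] / possible[t], 1) for t in possible}


def prioritized_gaps(answers):
    """Goals below full credit: Essential tier first, weakest score first, then by name."""
    for a in answers:
        _check(a)
    gaps = [a for a in answers if STATUS_SCORE[a.status] < 1.0]
    return sorted(gaps, key=lambda a: (TIER_RANK[a.tier], STATUS_SCORE[a.status], a.goal))


def build_poam(answers, start_iso):
    """Plan of Action and Milestones: one row per gap with an owner slot and a due date."""
    start = date.fromisoformat(start_iso)
    rows = []
    for a in prioritized_gaps(answers):
        due = start + timedelta(days=REMEDIATION_DAYS[a.tier])
        rows.append({
            "goal": a.goal,
            "tier": a.tier,
            "status": a.status,
            "owner": "UNASSIGNED",  # assign a named owner when the plan is approved
            "due": due.isoformat(),
        })
    return rows


if __name__ == "__main__":
    print("Coverage by tier:", tier_coverage(SAMPLE_ANSWERS))
    for row in build_poam(SAMPLE_ANSWERS, "2026-03-16"):
        print(f"{row['tier']:<9} {row['goal']:<32} {row['status']:<16} due {row['due']}")
```

Run stand-alone, the script reports 37.5% Essential and 50% Enhanced coverage for the constructed answers and lists the four gaps with the three Essential ones first. The sort key (tier, score, name) is the whole prioritization policy; if an organization wants to weight, say, MFA above training within the Essential tier, that is the one line to change.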

Timeline of Events

  1. March 14, 2026: HHS's ASPR launches the new cybersecurity module for the RISC 2.0 Toolkit.
  2. March 15, 2026: This article was published.

MITRE ATT&CK Mitigations

M1047 Audit (Enterprise)

The toolkit provides a structured way to audit an organization's security posture against established frameworks.

The assessment also helps identify gaps in software and system configuration, guiding hardening efforts.

The entire purpose of the RISC toolkit is to facilitate a formal risk management strategy for healthcare organizations.

Sources & References

Ermer and Suter PLLC, "Generative AI Archives" (ermersuter.com), March 14, 2026

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Focus areas: Threat Intelligence & Analysis; Security Orchestration (SOAR/XSOAR); Incident Response & Digital Forensics; Security Operations Center (SOC); SIEM & Security Analytics; Cyber Fusion & Threat Sharing; Security Automation & Integration; Managed Detection & Response (MDR)

Tags

Risk Assessment, Healthcare Security, HHS, NIST CSF, Compliance, CPG