Strengthening Healthcare Cyber Resilience with HHS’s Updated RISC Toolkit

April 07, 2026

As cyberattacks on healthcare organizations continue to escalate, particularly ransomware and supply-chain incidents, regulators are sharpening their focus on resiliency. One of the most practical recent developments for healthcare leaders is the update to the U.S. Department of Health and Human Services (HHS) Risk Identification and Site Criticality (RISC) toolkit, which now includes a dedicated cybersecurity module. For healthcare organizations that want to understand, benchmark, and improve their cybersecurity posture, this is a timely and valuable resource.

Why the HHS RISC 2.0 Toolkit Matters for Healthcare Organizations

HHS has enhanced the RISC 2.0 toolkit to give healthcare organizations a more structured way to evaluate cybersecurity readiness alongside broader emergency preparedness. Key updates include:

  • A new cybersecurity module aligned with the latest NIST Cybersecurity Framework (CSF) and the HHS Cybersecurity Performance Goals (CPGs)
  • The ability to assess multiple facilities and their interdependencies
  • A consistent, repeatable methodology for cyber risk self-assessment that can be reused over time

More than 3,500 healthcare organizations are already using RISC 2.0 to gauge preparedness for cyberattacks, natural disasters, and other disruptive events. This matters because a cyber incident can delay or disrupt patient care, take critical clinical and operational systems offline, compromise sensitive data, and trigger regulatory, financial, and reputational fallout.

RISC 2.0 gives healthcare organizations a government-backed, practical framework to:

  • Benchmark their current cybersecurity posture
  • Identify and prioritize vulnerabilities across facilities
  • Support enterprise risk management and emergency preparedness planning

Used well, RISC 2.0 is more than a compliance exercise; it is a strategic tool for strengthening resilience and continuity of care.

Organizational Focus, Policy, and Governance: Building a Cyber-Ready Culture

Cyber resilience is not just a technology issue; it is equally a people, process, and governance challenge. Tying policies and governance to both the RISC toolkit and the HHS CPGs lets an organization demonstrate a deliberate, risk-based approach to cybersecurity oversight. To advance this work, healthcare organizations should:

  • Update incident response plans: Incorporate RISC findings into incident response and business continuity plans, with clear roles and escalation paths.
  • Train staff regularly: Provide ongoing cyber awareness training that emphasizes phishing and ransomware prevention.
  • Promote cross-functional collaboration: Involve clinical, operational, IT, compliance, and leadership teams so that cybersecurity is built into daily workflows.
  • Modernize cybersecurity policies: Update policies to reflect current threats, best practices, and HHS CPG expectations.
  • Strengthen third-party risk management: Embed cybersecurity requirements in vendor selection, contracting, and ongoing oversight.
  • Engage leadership in governance: Make cybersecurity a standing executive and board agenda item with clear accountability and metrics.

Turning Strategy into Action

To make this roadmap actionable, start with an initial cybersecurity self-assessment using the HHS RISC 2.0 toolkit and identify your most critical facilities, systems, and services. Use the results to pinpoint high-risk areas, update incident response and business continuity plans, roll out targeted phishing and ransomware training, and work with IT to strengthen patch management, access controls, and network monitoring.

Over time, implement remediation projects for the highest-priority vulnerabilities, fully integrate cybersecurity into enterprise risk management, reassess regularly using RISC, and make ongoing third-party cybersecurity risk evaluations a standing part of vendor oversight.

Helpful Resources to Support Implementation

As you integrate the RISC toolkit into your cyber strategy, several resources can help:

  • HHS RISC Toolkit Portal – Access to the toolkit, guidance, and user documentation
  • NIST Cybersecurity Framework (CSF) – A widely adopted framework for organizing and improving cybersecurity programs
  • HHS Cybersecurity Performance Goals – Practical objectives that help healthcare organizations prioritize key security controls
  • Incident Response Plan Templates – Sample plans tailored to healthcare environments
  • Cybersecurity Awareness Training Modules – Training resources focused on healthcare-specific cyber risks
  • Third-Party Risk Management Checklists – Tools to evaluate and monitor vendor cybersecurity posture

By proactively leveraging RISC 2.0 and following these recommendations, healthcare organizations can materially strengthen their cybersecurity resilience, protect patient safety, and maintain continuity of care in the face of growing cyber threats. Graham Company is available to support clients in implementing these strategies and optimizing their cybersecurity risk management programs. Please reach out to your Graham Company representative to start the conversation. To learn more about Graham Company’s focus on Cyber Liability, please watch this video.

Margaux L. Weinraub, CPCU, ARM, CPLP, CCIC, Vice President, Cyber and Executive Liability Practice Leader
