HHS Launches New Cyber Assessment Tool to Secure Health Systems

Ransomware has become the dominant threat to the U.S. health‑care ecosystem, exploiting outdated legacy systems and the intricate web of third‑party connections that link hospitals, government agencies, and vendors. Each breach not only jeopardizes sensitive patient data but can also halt critical services, forcing clinicians onto manual processes that delay treatment. The surge to more than 2,200 incidents in 2025 underscores a systemic vulnerability that extends beyond large academic centers to community hospitals, where limited IT staffing amplifies the risk of prolonged downtime.

In response, HHS has expanded its Risk Identification and Site Criticality (RISC) platform with a dedicated cybersecurity assessment module. The tool walks users through a concise questionnaire, mapping responses to the National Institute of Standards and Technology (NIST) Cybersecurity Framework and HHS’s own performance goals. By delivering a clear gap analysis, the module enables health organizations to prioritize remediation in bite‑sized steps, a strategy especially valuable for low‑resource facilities. Because the service is free and web‑based, adoption barriers are minimal, encouraging widespread use across the nation’s diverse health‑care landscape.

Beyond technology, the initiative signals a cultural shift: cyber safety is now framed as patient safety. Proactive risk identification equips hospitals to enact contingency plans before an intrusion forces costly downtime procedures. For rural providers, the ability to benchmark against national standards offers a lifeline, helping them secure funding and technical assistance to modernize legacy infrastructure. As cyber threats continue to evolve, tools like RISC’s new module will be critical in bolstering national health security and ensuring uninterrupted patient care.