
HHS Launches New Cyber Assessment Tool to Secure Health Systems


More than 2,200 cyber incidents in 2025 prompted a new cybersecurity module aimed at helping health systems identify vulnerabilities.

Charlee Hess, director of cybersecurity at ASPR, speaks during a panel discussion on health care cybersecurity at Billington’s State and Local Cybersecurity Summit in Washington, D.C., on March 11, 2026. Photo Credit: GovCIO Media & Research

The Department of Health and Human Services is rolling out new cybersecurity tools to help hospitals and public health organizations combat growing cyber threats, including persistent ransomware attacks that officials say increasingly threaten patient care.

Ransomware attacks remain the most significant cybersecurity threat facing the health care sector, Charlee Hess, director of cybersecurity at the Administration for Strategic Preparedness and Response (ASPR), said Wednesday at Billington’s State and Local Cybersecurity Summit in Washington, D.C. She noted her team encountered more than 2,200 cyber incidents in 2025 that had the potential to impact hospitals, providers, public health organizations and people’s day-to-day lives.  

“We have a really massive problem with ransomware that’s continual, every single day,” she said.  “Legacy systems, interconnectedness play a huge role. You don’t always know what is going to happen. And so one of the things that we really want folks to do is to think through what their systems are, where they’re connected, so that we can defend before we get attacked.”  

Legacy systems and complex connections between hospitals, government agencies and third-party vendors increase the risk of cascading disruptions when an incident occurs. Hess emphasized that organizations should identify their digital dependencies and connections before an attack happens. She added that risks can be especially severe in rural communities, where hospitals have fewer options when systems go offline.  

Hess said health care organizations can use the agency’s free online risk assessment platform, known as the Risk Identification and Site Criticality (RISC) tool, to evaluate operational risks. 

Last week the department added a cybersecurity assessment tool to its RISC toolkit. The new feature, developed by ASPR, is intended to help hospitals, health systems and public health partners better assess their cybersecurity posture as cyberattacks against the health sector grow more complex.

“Cyber threats are growing more sophisticated. This module is the latest addition to our toolkit of resources to assist our health care and public health partners in preventing the disruption of patient care and strengthening national health security,” said ASPR Principal Deputy Assistant Secretary John Knox. “We must acknowledge that cyber safety is patient safety and that cyber threats can cause cascading problems across the health care industry. The new cybersecurity module will help our partners understand what is needed to strengthen their resilience and we strongly encourage them to take advantage of it.” 

The module prompts users to answer a set of questions about their cybersecurity policies and practices. Responses are evaluated against the National Institute of Standards & Technology’s cybersecurity guidelines as well as HHS Cybersecurity Performance Goals, helping health care organizations identify cybersecurity gaps.

“When health care organizations have the means to identify risks and vulnerabilities, they can implement strategies that minimize disruptions to patient care and strengthen preparedness and resilience,” the press release said.  

The agency’s performance goals outline basic and more advanced security practices to help organizations improve their defenses incrementally. 

“You have to take bite-sized chunks of it,” Hess said. “Lower-resource organizations can start with the more basic practices and work their way up.” 

Beyond tools and frameworks, Hess stressed that cybersecurity also requires education and cultural change within health care organizations. While security measures may slow down daily workflows, the alternative can be far more disruptive. 

“The flip side is you’re on downtime procedures because there was an intrusion,” she said. “Now you have no system. It’s going to take weeks, if not months, to recover.” 
