Please report all errors or bugs encountered to hphrisc@hhs.gov. Please include as much information as possible, including error messages and screenshots.
Risk Ratings are calculated by multiplying your scores from each of the three modules (THAM, RIST-V, and RIST-C). The overall score is the product of the relative Threat/Hazard Rating, the hazard-specific Vulnerability Score, and the hazard-specific Consequence Rating. The scoring process is fully explained in the HPH RISC Toolkit Reference Guide.
The two types of threats/hazards are inherently different in their origin and impact—external events affect a region or community, whereas local/internal events by and large involve a single facility—as well as how an individual facility prepares for and responds to them (i.e. facility-specific power outages, IT disruptions, infant abductions, etc.). Therefore, the components of the Toolkit present these hazard types separately to facilitate the different processes an organization may use to address them. Additionally, due to the different data sources available, Threat/Hazard Ratings for external and local/internal events are calculated differently.
External hazards have been assessed based on historical events located within the area surrounding a facility. These historical incidents have also been adjusted to determine the rate at which they occur in relation to each other (e.g., within the United States, tsunamis most frequently affect Hawaii and Alaska, but have only occurred three times in the past 20 years).
However, local/internal hazards are based on non-national data sources, and are relative to other local/internal hazards. Since local/internal hazard scores are not derived using the same two-step approach used for external hazards, they cannot be compared.
THAM
Please report the broken link to hphrisc@hhs.gov.
The lower resolution of the provided map is an acknowledged data limitation; however, the data source utilized was the only national indication of subsidence potential identified. If you have knowledge of a better or more user-friendly national resource, please share the source with hphrisc@hhs.gov for possible inclusion in future versions of the THAM.
The NOAA Historical Hurricane Tracks Tool will occasionally not display the search results. Please close the window and try again.
Threat/Hazard Ratings represent the likelihood of each event occurring at the assessed facility, relative to other facilities and other event types. The ratings range from 0.1 to 4.0, with a higher rating indicating a greater likelihood. They do not consider protective measures in place to protect against the event or the extent of damage it may cause; for those factors complete the RIST-V and RIST-C.
The THAM separates reporting of Threat/Hazard Ratings according to two different types of events: external threats/hazards for which there are objective, national-level data sources regarding their frequency of occurrence (e.g., hurricanes, HAZMAT spills, active shooters); and local/internal hazards specific to a single facility and for which no national datasets exist (e.g., HVAC failure, violent patients, chemical theft). Such information can be useful as inputs for planning and preparedness activities, and may be used in any such practice where objective data on incident occurrence is needed. Using the THAM as part of the HPH RISC Toolkit will provide additional information and calculate Risk Ratings for each threat/hazard, allowing risk-based prioritization.
The values calculated by the tool are based on national-level data sources. Sometimes, local data, subject matter experts, or institutional knowledge may provide additional information that can be used to refine the calculated ratings. In such cases, you may overwrite the calculated ratings on the results page. The user-entered score will be carried through the entirety of the risk assessment process. Should you choose to go back to the THAM-generated values, click the Reset Values button on the THAM results page.
RIST-V
The questions found in the RIST-V come from the major discipline-specific standards and best practices identified for the Healthcare and Public Health Sector, as well as from subject matter expert input. The list of sources is as follows:
- ASIS International (2009) Facilities Physical Security Measures Guideline
- ASIS International (2012) Security Management Standard: Physical Asset Protection
- Department of Health and Human Services, Office of the Assistant Secretary for Preparedness and Response (2012) Healthcare Preparedness Capabilities: National Guidance for Healthcare System Preparedness
- Center for Medicare and Medicaid Services Emergency Preparedness Rule
- Centers for Disease Control and Prevention, Office of Public Health Preparedness and Response (2011) Public Health Preparedness Capabilities: National Standards for State and Local Planning
- Department of Homeland Security (2013) Infrastructure Survey Tool and Rapid Survey Tool and supporting reference manuals
- California Emergency Medical Services Authority (2014) Hospital Incident Command System Guidebook
- Borten, K. (2016) Combat Visual Hacking in Healthcare
- National Fire Protection Association (2015) NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity/Continuity of Operations Programs
- New Jersey Hospital Association (2004) Emergency Preparedness Hospital Security Readiness Assessment Tool
- The Joint Commission (2011) Comprehensive Accreditation Manual for Hospitals
- National Institute of Standards and Technology (2014) Framework for Improving Critical Infrastructure Cybersecurity
Many terms have been defined, as indicated by a light blue underlined text; click on these terms to display a pop-up window containing the definition. If you have identified additional terms that you believe should be formally defined, please send your request to hphrisc@hhs.gov.
Many questions in the tool have the option to select Not Applicable (N/A). If you have identified an additional question that does not apply to your facility type, please report this to hphrisc@hhs.gov. Provide the question number and your facility type and the question will be reviewed for possible modification in future versions of the RIST-V.
These narrative responses are not used in the Vulnerability Score or subsequent risk calculations. They are intended to function as institutional memory and be used by the facilities themselves to track their answers.
The questions in this tool cover a wide range of topics that will require diverse expertise and disparate information to complete; therefore, it is anticipated that the tool will be completed by a group of experts rather than a single individual. While the tool may be completed by a single individual, it is recommended that users collaborate with the relevant individuals and departments within their organization with the appropriate operational knowledge (e.g., CFO, IT Department, Emergency Manager), as well as with external agencies as needed.
The Vulnerability Scores reported in the RIST-V represent the overall facility vulnerability as well as the vulnerability for each major section and subsection of the tool. These scores depict the extent of the facility’s vulnerability to the entire all-hazards landscape (i.e., are not hazard-specific) based on the policies, plans, procedures, and capabilities in place at a facility. The Vulnerability Scores are calculated on a scale from zero to one; a score closer to zero indicates the facility or asset being assessed has low overall vulnerability and is highly resistant.
In the Dashboard, the overall Vulnerability Score is adjusted to reflect only the vulnerabilities relevant to each specific threat or hazard. For example, physical security training will play a role in mitigating the risk associated with an active shooter event, but will not affect the risk associated with a hurricane. These scores are on a scale of zero to one, and are analogous to the RIST-V Vulnerability Scores divided by 100 (i.e., a 0.23 in the Dashboard is similar to a 23 in the RIST-V).
The RIST-V report provides an overall Vulnerability Score for the facility as well as Vulnerability Scores for each major section and subsection of the tool. All Vulnerability Scores are on a scale of 0 – 100, with a score closer to zero indicating less vulnerability. The scores reflect the number of protective measures and procedures in place as reflected in your answers to the survey questions. Users can review sections with high vulnerability scores to determine what actions can be taken to reduce vulnerability. The results of the RIST-V can be used on their own or in combination with existing planning and preparedness activities in your organization. However, a risk-based approach to preparedness planning also incorporates information on likelihood and consequence of individual threats/hazards. Using the RIST-V as part of the HPH RISC Toolkit will provide additional information and calculate Risk Ratings specific to individual threats/hazards, allowing risk-based prioritization of corrective actions.
A larger Vulnerability Score indicates a greater level of vulnerability; thus, follow-on actions after performing a vulnerability assessment with the RIST-V should be designed to reduce your scores. Notably, Vulnerability Scores are based on all survey questions regardless of facility type, size, or other characteristics. Therefore, some procedures or mitigations that could be implemented to reduce vulnerability may not be desirable or feasible for your facility (for example, screening and badging all visitors in a large hospital). The end goal of this assessment should be to identify ways to minimize vulnerabilities, not to reduce all vulnerability to zero.
An initial step to improve Vulnerability Scores is to identify those sections and subsections with the highest vulnerability scores. Users can then review those sections to identify responses that increased vulnerability, thus identifying specific actions to improve scores. A handful of general resources regarding vulnerability are provided in the introduction page of the RIST-V module that can be accessed for ideas on improving mitigation strategies and reducing vulnerability.
Cybersecurity Module
ASPR’s Risk Identification and Site Criticality (RISC) 2.0 Toolkit is a free, web-based platform where public and private organizations within the healthcare and public health sector can conduct risk assessments by identifying threats, assessing vulnerabilities, determining consequences and criticality, and sharing findings with stakeholders. The new cybersecurity module guides users through a series of questions about their policies and practices, scoring responses against the NIST Cybersecurity Framework 2.0 and HHS Cybersecurity Performance Goals. This objective, standards-based approach helps organizations identify critical gaps, prioritize investments, and make informed decisions about risk mitigation.
Cyber Evaluation results may be reviewed directly from the Risk Assessment Dashboard. Users may view Cyber scores in the context of other Facility risk indicators, including Hazard, Vulnerability, Consequence, and Criticality scores. Cyber results may also be included when exporting Risk Assessment dashboards to HTML or PDF formats.
For more information, please follow the RISC 2.0 User Guide.
No. The cyber module is an optional capability that you may enable when creating or updating a Facility Profile within the tool.