RISC Toolkit 2.0

Risk Identification and Site Criticality

Risk Identification and Site Criticality (RISC) Toolkit is an objective, data-driven all-hazards risk assessment that can be used by public and private organizations within the Healthcare and Public Health Sector to inform emergency preparedness planning, risk management activities, and resource investments. The RISC Toolkit provides owners/operators in the HPH Sector with nationally recognized standards-based evaluation criteria in an easy-to-follow, guided format.

The RISC Toolkit contains three self-assessment modules. These allow users to identify external threats and internal hazards specific to their site by using objective national-level data; assess the vulnerability of their site based on industry standards and guidance; and evaluate the criticality of and consequences to their site in the event of an incident. The RISC Toolkit compares multiple facilities across systems, coalitions, and regions to identify dependencies and interdependencies in a consistent and repeatable method to help create a more resilient healthcare system.

Key Features

General Topics & Questions

Please report all errors or bugs encountered to hphrisc@hhs.gov. Please include as much information as possible, including error messages and screenshots.

Risk Ratings are calculated by multiplying your scores from each of the three modules (THAM, RIST-V, and RIST-C). The overall score is the product of the relative Threat/Hazard Rating, the hazard-specific Vulnerability Score, and the hazard-specific Consequence Rating. A full explanation of the scoring process is described in the HPH RISC Toolkit Reference Guide.

The two types of threats/hazards are inherently different in their origin and impact—external events affect a region or community, whereas local/internal events by and large involve a single facility—as well as how an individual facility prepares for and responds to them (i.e. facility- specific power outages, IT disruptions, infant abductions, etc.). Therefore, the components of the Toolkit present these hazard types separately to facilitate the different processes an organization may use to address them. Additionally, due to the different data sources available, Threat/Hazard Ratings for external and local/internal events are calculated differently.

External hazards have been assessed based on historical events located within the area surrounding a facility. These historical incidences have also been adjusted to determine the rate at which they occur in relation to each other (e.g., tsunamis happen most frequently in the United States to Hawaii and Alaska, but have only occurred three times in the past 20 years).

However, local/internal hazards are based on non-national data sources, and are relative to other local/internal hazards. Since local/internal hazards scores are not derived using the same two-step approach used for external hazards, they cannot be compared.

THAM

Please report the broken link to hphrisc@hhs.gov.

The lower resolution of the provided map is an acknowledged data limitation; however, the data source utilized was the only national indication of subsidence potential identified. If you have knowledge of a better or more user-friendly national resource, please share the source with hphrisc@hhs.gov for possible inclusion in future versions of the THAM.

The NOAA Historical Hurricane Tracks Tool will occasionally not display the search results. Please close the window and try again.

Threat/Hazard Ratings represent the likelihood of each event occurring at the assessed facility, relative to other facilities and other event types. The ratings range from 0.1 to 4.0, with a higher rating indicating a greater likelihood. They do not consider protective measures in place to protect against the event or the extent of damage it may cause; for those factors complete the RIST-V and RIST-C.

The THAM separates reporting of Threat/Hazard Ratings according to two different types of events: external threats/hazards for which there are objective, national-level data sources regarding their frequency of occurrence (e.g., hurricanes, HAZMAT spills, active shooters); and local/internal hazards specific to a single facility and for which no national datasets exist (e.g., HVAC failure, violent patients, chemical theft). Such information can be useful as inputs for planning and preparedness activities, and may be used in any such practice where objective data on incident occurrence is needed. Using the THAM as part of the HPH RISC Toolkit will provide additional information and calculate Risk Ratings for each threat/hazard, allowing risk- based prioritization.

The values calculated by the tool are based on national-level data sources. Sometimes, local data, subject matter experts, or institutional knowledge may provide additional information that can be used to refine the calculated ratings. In such cases, you may overwrite the calculated ratings on the results page. The user entered score will be carried through the entirety of the risk assessment process. Should you choose to go back to the THAM generated values, click the Reset Values button on the THAM results page.

RIST-V

The questions found in the RIST-V come from the major discipline-specific standards and best practices identified for the Healthcare and Public Health Sector, as well as from subject matter expert input. The list of sources is as follows:

ASIS International (2009) Facilities Physical Security Measures Guideline
ASIS International (2012) Security Management Standard: Physical Asset Protection
Department of Health and Human Services, Office of the Assistant Secretary for Preparedness and Response (2012) Healthcare Preparedness Capabilities: National Guidance for Healthcare System Preparedness
Center for Medicare and Medicaid Services Emergency Preparedness Rule
Centers for Disease control and Prevention, Office of Public Health Preparedness and Response (2011) Public Health Preparedness Capabilities: National Standards for State and Local Planning
Department of Homeland Security (2013) Infrastructure Survey Tool and Rapid Survey Tool and supporting reference manuals
California Emergency Medical Services Authority (2014) Hospital Incident Command System Guidebook
Borten, K. (2016) Combat Visual Hacking in Healthcare
National Fire Protection Association (2015) NFPA 1600: Standard on Disaster/Emergency Management and Business Continuity/Continuity of Operations Programs
New Jersey Hospital Association (2004) Emergency Preparedness Hospital Security Readiness Assessment Tool
The Joint Commission (2011) Comprehensive Accreditation Manual for Hospitals
National Institute of Standards and Technology (2014) Framework for Improving Critical Infrastructure Cybersecurity

Many terms have been defined, as indicated by a light blue underlined text; click on these terms to display a pop-up window containing the definition. If you have identified additional terms that you believe should be formally defined, please send your request to hphrisc@hhs.gov.

Many questions in the tool have the option to select Not Applicable (N/A). If you have identified an additional question that does not apply to your facility type, please report this to hphrisc@hhs.gov. Provide the question number and your facility type and the question will be reviewed for possible modification in future versions of the RIST-V.

These narrative responses are not used in the Vulnerability Score or subsequent risk calculations. They are intended to function as institutional memory and be used by the facilities themselves to track their answers.

The questions in this tool cover a wide range of topics that will require diverse expertise and disparate information to complete; therefore, it is anticipated that the tool will be completed by a group of experts rather than a single individual. While the tool may be completed by a single individual, it is recommended that users collaborate with the relevant individuals and departments within their organization with the appropriate operational knowledge (e.g., CFO, IT Department, Emergency Manager), as well as with external agencies as needed.

The Vulnerability Scores reported in the RIST-V represents the overall facility vulnerability as well as the vulnerability for each major section and subsection of the tool. These scores depict the extent of the facility’s vulnerability to the entire all-hazards landscape (i.e., are not hazard- specific) based on the policies, plans, procedures, and capabilities in place at a facility. The Vulnerability Scores are calculated on a scale from zero to one; a score closer to zero indicates the facility or asset being assessed has low overall vulnerability and is highly resistant.

In the Dashboard, the overall Vulnerability Score is adjusted to reflect only the vulnerabilities relevant to each specific threat or hazard. For example, physical security training will play a role in mitigating the risk associated with an active shooter event, but will not affect the risk associated with a hurricane. These scores are on a scale of zero to one, and are analogous to the RIST-V Vulnerability Scores divided by 100 (i.e., a 0.23 in the Dashboard is similar to a 23 in the RIST-V).

The RIST-V report provides an overall Vulnerability Score for the facility as well as Vulnerability Scores for each major section and subsection of the tool. All Vulnerability Scores are on a scale of 0 – 100, with a score closer to zero indicating less vulnerability. The scores reflect the number of protective measures and procedures in place as reflected in your answers to the survey questions. Users can review sections with high vulnerability scores to determine what actions can be taken to reduce vulnerability. The results of the RIST-V can be used on their own or in combination with existing planning and preparedness activities in your organization. However, a risk-based approach to preparedness planning also incorporates information on likelihood and consequence of individual threats/hazards. Using the RIST-V as part of the HPH RISC Toolkit will provide additional information and calculate Risk Ratings specific to individual threats/hazards, allowing risk-based prioritization of corrective actions.

A larger Vulnerability Score indicates a greater level of vulnerability; thus, follow-on actions after performing a vulnerability assessment with the RIST-V should be designed to reduce your scores. Notably, Vulnerability Scores are based on all survey questions regardless of facility type, size, or other characteristics. Therefore, some procedures or mitigations that could be implemented to reduce vulnerability may not be desirable or feasible for your facility (for example, screening and badging all visitors in a large hospital). The end goal of this assessment should be to identify ways to minimize vulnerabilities, not to reduce all vulnerability to zero.

An initial step to improve Vulnerability Scores is to identify those sections and subsections with the highest vulnerability scores. Users can then go review those sections to identify responses that increased vulnerability, thus identifying specific actions to improve scores. A handful of general resources regarding vulnerability are provided in the introduction page of the RIST-V module that can be accessed for ideas on improving mitigation strategies and reducing vulnerability.

RISC Toolkit 2.0

RISC 2.0

Key Features

General Topics & Questions

I've encountered an error, what should I do?

How are Risk Ratings calculated?

Why can't I compare the Threat/Hazard Ratings, TˣV Scores, or Risk Ratings of external hazards with those of local/internal hazards?

Why are external hazards and local/internal hazards assessed separately?

THAM

A link in the THAM doesn't work, what should I do?

I can't determine if I'm in an area with Karst formation using the provided map (subsidence/sinkhole).

I don't see any hurricane search results from the NOAA Hurricane Historical Tracks website.

What do my THAM results mean?

How can I use my Threat/Hazard Ratings?

I don't agree with my Threat/Hazard Ratings.

RIST-V

Where do the questions in RIST-V come from?

I don't understand what term in the RIST-V means?

A question in the RIST-V doesn't apply to me. How should I answer?

What does the RIST-V do with the free-response answers I enter into the assessment?

I don't know the answer to a question in the RIST-V.

What di my RIST-V results mean?

How can I use my Vulnerability Scores?

Is a larger Vulnerability Score better or worse?

How can I improve my Vulnerability Scores?