The HHS Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) have released a new version of their popular Security Risk Assessment (SRA) Tool, adding features that will help users—generally small- to medium-sized provider practices—track their progress.[1]
The tool is designed to help health care providers conduct a risk analysis as the HIPAA Security Rule requires. The downloadable SRA tool is a Windows-based desktop application that walks users through the security risk assessment process using multiple choice questions, threat and vulnerability assessments, and asset and vendor management.
References and additional guidance are provided via the tool’s sections, and the tool also offers reports to save and print after the assessment is completed. The update just released is version 3.4 of the tool.
“Organizations should use information from their assessment to implement security measures, to design personnel screening processes, identify and strategize data backup, determine where and how encryption should be used, determine what authentication may be required to protect data integrity and to determine which policies and procedures may need to be created or improved to protect ePHI [electronic protected health information],” said Ryan Callahan, information technology business analyst at nonprofit research and consulting firm Altarum (Altarum developed the tool in partnership with OCR and ONC).
Callahan said during a Sept. 13 webinar on the tool and its updates that smaller providers need more help on security than larger providers.[2] The SRA is designed to be an easy-to-use tool that can help small practices and other small health care organizations evaluate their security posture against increasingly sophisticated security threats and help them determine where they may not be in compliance with the Security Rule, he said.
The tool contains seven sections: SRA basics (the organization’s security management process at the time of the evaluation); security policies, procedures and documentation; security and the workforce; security and data; security and the practice (physical security procedures, such as maintaining locked doors); security and vendors; and contingency planning.
Unfinished Tasks Can Be Listed
Version 3.4 of the SRA tool includes a new remediation report designed to help users track their responses within the tool. “This is a space for users to document their response to areas of risk, which we’re calling remediation activities. So, you might use this to note changes in policy or procedure,” Callahan told webinar attendees.
For example, he said, “If your security officer is not involved in all policy and procedure updates, you might take action on that. You might need to update your policies to make sure your security officer is included. So that remediation activities [report] is a place for you to take note of when that was done [and] how that was done.”
There’s space in the report to assign an “owner” to activities, so it’s possible for users to identify the person who will be taking responsibility for the update, he said. There also is space for due and task completion dates, Callahan added.
The SRA also has been updated to reflect some of the 2023 additions to the HHS Health Industry Cybersecurity Practices, he said.
In addition, developers added a glossary feature as a new menu item underneath reports, Callahan said. The glossary includes embedded definitions: users can hover a cursor over a word and see the definition of that word. This “helps provide a little bit of context” and likely will be expanded going forward, he said, adding, “If something is difficult to understand or you think it could use more definition, send that feedback to the help desk, and we very well could expand the glossary to add more help here.”
New users can download version 3.4 of the SRA tool from its page at HealthIT.gov, Callahan said. Previous users can also download the new tool, which is compatible with files created from previous versions.[3]