Security Risk Assessment Tool; Security Risk Assessment Tool v3.3 User Guide (May 5, 2022)
HHS’s Office of the National Coordinator for Health Information Technology, in collaboration with its Office for Civil Rights, has announced an updated version of the interactive Security Risk Assessment (SRA) Tool. The SRA Tool, first developed in 2014 (see our Checkpoint article), is designed to help healthcare providers conduct a security risk assessment as required by the HIPAA security rule. The associated User Guide notes that the target audience for the SRA Tool is small and medium healthcare providers—but observes that health plans and business associates must also conduct risk analyses and implement technical, physical, and administrative safeguards to protect electronic protected health information (PHI).
The SRA Tool is a software application that can be downloaded, free of charge, from the agency’s website and run on a user’s computer. Users may download either a desktop application that is compatible with Microsoft Windows or an Excel Workbook intended to replace the legacy “paper” version of the SRA Tool, which took the form of Microsoft Word documents. According to the webpage, both formats have the same content. The User Guide explains that the content covers seven categories: SRA basics; security policies, procedures, and documentation; access management and workforce training; technical security procedures; physical security procedures; business associates; and contingency planning. Based on the user’s answers, the tool will indicate whether corrective action should be taken and provide guidance on the relevant HIPAA security rule or other security reference with suggestions on how to improve security. Users are also prompted to select applicable vulnerabilities and rate associated threats in terms of likelihood and impact—inputs that determine the entity’s risk level. In addition to the HIPAA security rule, the SRA Tool draws from several sources, including publications issued by the National Institute of Standards and Technology (NIST), the NIST cybersecurity framework (see our Checkpoint article), and—new for this version—Technical Volume 1 of the Health Industry Cybersecurity Practices (HICP). The SRA Tool is self-contained; input is stored on the user’s computer for future reference and report generation, but nothing is sent to HHS or elsewhere.
EBIA Comment: This version of the SRA Tool seems to be more user friendly than prior versions. Reference to the HICP Technical Volume 1 is noteworthy since the practices described in that publication stemmed from Section 405(d) of the Cybersecurity Act of 2015 and, therefore, are “recognized security practices” for purposes of a recent HITECH Act amendment (see our Checkpoint article). While a generic tool cannot replace knowledgeable counsel and a customized assessment of risks to electronic PHI (a large health plan, for example, may face different risks than a physician’s office), the SRA Tool may provide a useful analytical template. For more information, see EBIA’s HIPAA Portability, Privacy & Security manual at Sections XXIX.F (“Limiting Exposure Through ‘Recognized Security Practices’”) and XXX (“Core Security Requirements”).
Contributing Editors: EBIA Staff.