
What is the OCR's Security Risk Assessment Tool?

The HHS Security Risk Assessment (SRA) Tool is a valuable resource for healthcare organizations to systematically assess, document, and manage security risks related to protected health information (PHI). It helps organizations comply with the requirements of the HIPAA Security Rule and improve the overall security of patient data.

Note: Security Risk Assessment Tool 3.4 is the latest version as of September 12th, 2023. The latest version's new features include:

  • A Remediation Report to help track your responses within the tool
  • A Glossary and "Tool Tips" help
  • Updated references to Health Industry Cybersecurity Practices (HICP) for 2023 Edition
  • Bug fixes and stability enhancements


What is a HIPAA risk assessment?

HHS calls the risk assessment the foundational step to HIPAA compliance. It helps determine the most effective and appropriate administrative, physical, and technical safeguards to properly protect ePHI, while taking into account each covered entity's (CE's) unique needs and characteristics. There is no single way to perform a risk assessment, just as there is no single solution to cybersecurity.

A HIPAA risk assessment can tackle and analyze:

  1. Scope of the analysis
  2. Potential threats and vulnerabilities
  3. Current security measures
  4. The likelihood of a threat
  5. The potential impact of a threat
  6. The level of risk
  7. The security measures needed and the final documentation

See also: What is a HIPAA risk assessment?


What is the HHS Risk Assessment?

The SRA Tool was developed by the Office of the National Coordinator for Health Information Technology (ONC) in collaboration with the HHS Office for Civil Rights (OCR). This tool is designed to assist healthcare providers, especially medium and small organizations, in conducting security risk assessments required by the HIPAA Security Rule.

The SRA Tool helps healthcare organizations evaluate and manage security risks related to PHI within their operations. It provides a structured process through a Windows desktop application or an Excel workbook to guide users through the assessment, identify vulnerabilities, and develop strategies to address them. The tool also generates reports to document the assessment and remediation efforts.


Who should use the SRA Tool?

  1. Small and medium healthcare providers
  2. Dental practices
  3. Community health centers
  4. Behavioral health practices
  5. Small hospitals
  6. Healthcare organizations with limited resources
  7. Any size organization seeking to improve security posture


What are the specific features of the SRA Tool?

  1. Guided assessment process: The SRA Tool provides a structured, step-by-step approach to conducting security risk assessments. It uses a simple, wizard-based interface that guides users through the assessment process.
  2. Multiple-choice questions: Users are presented with a series of multiple-choice questions related to various aspects of security and compliance. These questions help organizations assess their current security practices and identify potential vulnerabilities.
  3. Threat and vulnerability assessments: The tool assists organizations in identifying potential threats to protected health information (PHI) and vulnerabilities within their systems and processes. This helps organizations pinpoint areas of risk.
  4. Asset and vendor management: Users can input information about their organization's assets (hardware and software) and vendors (third-party service providers). This feature helps organizations understand their security landscape and potential risks associated with external partners.
  5. Report generation: After completing the assessment, organizations can generate reports summarizing the assessment findings and recommendations. These reports can be saved and printed for documentation purposes.
  6. Remediation report: In Version 3.4 of the SRA Tool, a Remediation Report feature was introduced. This allows organizations to track their responses to identified vulnerabilities and monitor their progress in addressing security issues.
  7. Information security standards: The tool references National Institute of Standards and Technology (NIST) standards, widely recognized as best practices in information security. While these standards are not required for compliance with the HIPAA Security Rule, they provide valuable guidance.
  8. Local data storage: All information entered into the SRA Tool is stored locally on the user's computer. The tool does not collect, view, store, or transmit any of the entered information, ensuring data privacy and security.

Related: The NIST Cybersecurity Framework and the HIPAA Security Rule crosswalk


How can it be utilized by healthcare organizations?

  1. Download and install the tool: Healthcare organizations can download the SRA Tool from the official website. Two versions are available: one for Windows and one in the form of an Excel workbook. Organizations should choose the version that best suits their needs and system requirements.
  2. Follow the guided assessment process: For the Windows desktop application, users launch the application and follow a step-by-step, wizard-based approach. For the Excel workbook, users open the spreadsheet and navigate through its content, which mirrors the assessment process found in the desktop application.
  3. Answer multiple-choice questions: The tool presents multiple-choice questions related to security and compliance. Users should answer these questions accurately based on their organization's practices and procedures.
  4. Assess threats and vulnerabilities: The tool assists organizations in identifying potential threats and vulnerabilities that could compromise the security of PHI. It helps in evaluating the organization's current security measures and practices.
  5. Manage assets and vendors: Users can input information about their organization's assets (hardware, software) and vendors (e.g., HIPAA compliant email services). This step helps in understanding the broader security landscape.
  6. Access references and guidance: Throughout the assessment, the tool provides references and additional guidance to help users make informed decisions about security measures and risk mitigation strategies.
  7. Generate reports: After completing the assessment, the SRA Tool allows organizations to generate reports summarizing the assessment findings and recommendations. These reports can be saved and printed for documentation purposes.
  8. Track remediation: Version 3.4 of the SRA Tool introduced a Remediation Report feature, which enables organizations to track their responses to identified vulnerabilities and work on addressing them.

See also: How to perform a risk assessment
