Last week, the HHS Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) hosted a webinar on the HIPAA Security Risk Assessment Tool (SRA tool or tool). The webinar provided a tour of the SRA tool, answered frequently asked questions, and previewed upcoming improvements to the tool. Most importantly, the webinar serves as an additional reminder to entities subject to HIPAA of their obligation to perform a security risk assessment and to update that assessment on a periodic basis and in response to new business processes, operations and threats. Below are my top five takeaways from the webinar:
1. Do it!
A major theme of the webinar was the importance of conducting a thorough and periodic assessment of the security risks an organization faces. This assessment is an administrative safeguard required under the HIPAA Security Rule and is an essential tool for evaluating and improving the security of any organization subject to HIPAA. In numerous settlements between OCR and covered entities, the covered entity's failure to perform a complete security risk analysis has been flagged as a major deficiency that contributed to a breach or other significant compliance failure. OCR and ONC developed the SRA tool as one option to help organizations comply with the requirement to conduct a risk assessment and to thoroughly document their assessment and mitigation strategies.
As noted several times in the webinar, an organization should expect to spend a significant amount of time performing a risk assessment, whether or not it uses the SRA tool, and the quality of the assessment depends on the time and effort the organization puts into it.
2. Cover the entire landscape
To perform a comprehensive risk assessment, it is essential to consider the organization's entire security landscape. As the webinar reiterated, simply assessing the risk to a vendor's EHR is insufficient. Rather, organizations should consider all of the potential risks and vulnerabilities to electronic PHI across their enterprise when performing the assessment, including email, mobile devices, and cloud-based applications. The fact that a risk to an organization is not covered by a question in the SRA tool is not a "get out of jail free" card; the organization should still document that it has assessed the risk, and may need to document that assessment outside of the tool.
3. Improvements are coming
The webinar introduced current and prospective users of the SRA tool to upcoming improvements to the tool. These improvements include:
- The launch of an interactive spreadsheet version of the SRA tool. The spreadsheet can be used by those who cannot run the software tool or prefer to work in a spreadsheet format.
- Incorporating content from Healthcare Industry Cybersecurity Practices (HICP) Technical Volume 1 into the tool to give users additional context on cybersecurity best practices.
- The creation of a file association feature to make it easier for users to open files created with the SRA tool.
- The addition of short instructional videos to help users navigate the tool.
4. macOS users are still out of luck
Unfortunately for users of Apple computers, the SRA tool is still not compatible with macOS, and the upcoming improvements do not include macOS compatibility. The webinar did note that macOS users will be able to use the downloadable, interactive spreadsheet version of the SRA tool once it is released.
5. Give your opinion
SRA tool users can provide feedback on the tool through the SRA Tool User Experience Survey. Those who have used the tool in the past may wish to share their thoughts on the user interface and on how the tool could be improved in the future.