ONC and OCR Release Updated Security Risk Assessment Tool

The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC), both part of the Department of Health and Human Services (HHS), have released the latest version of the HHS Security Risk Assessment (SRA) Tool.

The HIPAA Security Rule requires HIPAA-covered entities and their business associates to conduct an accurate and thorough, organization-wide risk analysis to identify threats and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). All identified risks must then be addressed through a risk management process that reduces them to a reasonable and appropriate level.

Risk assessments are central to HIPAA compliance. They allow HIPAA-covered entities to determine whether they meet the administrative, physical, and technical safeguards of the HIPAA Security Rule and to select the most effective and appropriate administrative, physical, and technical controls for protecting ePHI. OCR investigations and audits of HIPAA-regulated entities have shown that risk analysis is an aspect of compliance that many healthcare organizations get wrong, and it is one of the most frequently cited HIPAA violations in OCR enforcement actions.

In 2014, ONC and OCR collaborated to develop and release the SRA Tool to help small and medium-sized healthcare practices and business associates with this crucial part of complying with the HIPAA Security Rule. The SRA Tool is a downloadable desktop application that guides HIPAA-regulated entities through the risk assessment process. It uses a wizard-based approach, combining multiple-choice questions, threat and vulnerability ratings, and asset and vendor management to walk users through a security risk assessment.

The SRA Tool has been updated several times over the years, and the newest version adds the following features in response to user feedback and public comment:

  • file associations in Windows
  • references to the Health Industry Cybersecurity Practices (HICP)
  • improved reporting
  • bug fixes
  • stability improvements

ONC and OCR have also produced an SRA Tool Excel Workbook to replace the paper-based version of the SRA Tool. The workbook uses conditional formatting and formulas to calculate and help users understand risk in the same way as the SRA Tool application, and it is a suitable alternative for users who do not run Microsoft Windows.

ONC and OCR stress that using the tool does not guarantee HIPAA compliance, but it can help organizations work toward it. The tool was designed for small and medium-sized organizations and may not be suitable for larger healthcare organizations.

The SRA Tool is available for download and can be installed as an application on 64-bit versions of Microsoft Windows 7, 8, 10, and 11. The new SRA Tool Excel Workbook can be used on other operating systems.


Posted by

Mark Wilson

Mark Wilson is a news reporter specializing in information technology cyber security. Mark has contributed to leading publications and spoken at international forums with a focus on cybersecurity threats and the importance of data privacy. Mark is a computer science graduate.