<img alt="" src="https://secure.businessintuition247.com/264463.png" style="display:none;">
Get Started

Stay in the know

Get the latest blog articles directly in your inbox.

Updates to the Security Risk Assessment Tool


HHS HIPAA OCR ONC cybersecurity 2022

The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) released a new version of the Security Risk Assessment (SRA) tool this month, with new forms and features that your practice can use.

In this blog, we'll review what an SRA is, what the SRA tool is used for, and what the updates to the tool are for 2022. 

What is a Security Risk Assessment or Analysis?

Often used interchangeably, a Security Risk Assessment or Security Risk Analysis (SRA) is part of the HIPAA Security Rule's requirement that covered entities (i.e. health plans, most health care providers, health care clearinghouses, and some health apps) conduct an annual assessment of their risks and vulnerabilities around protections of the availability, confidentiality, and integrity of electronic Personal Health Information (ePHI). This assessment must evaluate the administrative, physical, technical, and organizational aspects of your security.

What is the SRA Tool?

The free SRA tool offered by the Department of Health and Human Services was developed by OCR and ONC to help guide small to medium-sized practices through completing their annual SRA. Currently, two forms of the tool exist:

  • A software-based application that runs on Windows.
    • This application provides feedback with each step and displays progress indicators. It also allows for multiple user accounts and file sharing.
  • An excel-based spreadsheet that consists of the same content as the desktop application version.

We recommend using the software version of this tool if possible. 

The tool itself guides users through understanding the context of each question, considering the potential impacts to ePHI in your environment, and identifying relevant security references (e.g., the HIPAA Security Rule). There are seven sections to the SRA tool:

  1. SRA Basics
  2. Security Policies, Procedures & Documentation
  3. Security & Your Workforce
  4. Security & Your Data
  5. Security & Your Practice
  6. Security & Your Vendors 
  7. Contingency Planning 

It is important to note that use and completion of the SRA tool does not guarantee HIPAA compliance, but it does help users complete the necessary assessments and assures practices that necessary safeguards are in place. 

What Updates to the Tool Have Been Made in 2022?

The biggest update this year to the SRA tool is the introduction of the Excel-based format and the retirement of the fully paper-based format. The additional updates include: 

  • Updated references to the Health Information Cybersecurity Practices (HICP) guidance from a cybersecurity task group comprised of experts and stakeholders from industry and government  agencies
  • File association: you can link your own files to the SRA tool.
    • This functionality is only available in the software-based format. 
  •  Inclusion of references to your final "Risk Report" upon the completion of your SRA. 
  • Additional educational references included in the "Detailed Report" upon SRA completion.
  • Bug fixes and stability improvements to the software-based format.

 

Additional Cybersecurity Resources

Prepare for Cyberthreats

In addition to the free federal resources above (particularly those listed under the Cybersecurity Act of 2015), we recommend reviewing the Federal Trade Commission's guidance on securing your wireless network. These, in combination, will help you prepare your practice to ward against cyberthreats.

Respond to Cyberattacks

Below is guidance from the HHS Office of Civil Rights (OCR) on the required and recommended steps to follow in response to a cyberattack at a healthcare practice:

Anti-Virus Software

We recommend that you research or seek out expert opinion on the anti-virus software your practice employs. But we caution you to not install more than one anti-virus software. Multiple anti-virus software applications can slow down your system and interfere with each, reducing the effectiveness of the software. Remember that your computer may have anti-virus software pre-installed (such as Windows Defender, which is built-in with Windows 10).

Train Yourself and Your Staff

Below are free training resources:

Additional Physician Cybersecurity Resources from the AMA

Below are free training resources:

The AMA has also developed tips and advice on protecting your computers and network to keep your patient health records and other data safe from cyberattacks.

Download and share with your staff and IT:

Next Steps

If you want hands-on, personalized assistance, contact us and we will have your back. 

 

Juliette Walle

Written by Juliette Walle

Juliette Walle is a Health Policy Analyst at the consulting firm MarsdenAdvisors.

Related articles

E-Prescribing Requirement Update: What's Changed in the Recent Rule

In the 2023 Medicare Physician Fee Schedule, the Centers for Medicare and Medicare Services (CMS) updated the...

2022 MIPS Hardship Application Deadline Approaching

The Centers for Medicare and Medicaid Services (CMS) has opened the 2022 MIPS hardship applications.

There are two...