The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) released a new version of the Security Risk Assessment (SRA) tool this month, with new forms and features that your practice can use.

In this blog, we'll review what an SRA is, what the SRA tool is used for, and what the updates to the tool are for 2022. 

What is a Security Risk Assessment or Analysis?

Often used interchangeably, a Security Risk Assessment or Security Risk Analysis (SRA) is part of the HIPAA Security Rule's requirement that covered entities (i.e. health plans, most health care providers, health care clearinghouses, and some health apps) conduct an annual assessment of their risks and vulnerabilities around protections of the availability, confidentiality, and integrity of electronic Personal Health Information (ePHI). This assessment must evaluate the administrative, physical, technical, and organizational aspects of your security.

What is the SRA Tool?

The free SRA tool offered by the Department of Health and Human Services was developed by OCR and ONC to help guide small to medium-sized practices through completing their annual SRA. Currently, two forms of the tool exist:

• A software-based application that runs on Windows.
  • This application provides feedback with each step and displays progress indicators. It also allows for multiple user accounts and file sharing.
• An excel-based spreadsheet that consists of the same content as the desktop application version.
  • This version of the tool is for users who do not have access to Windows operating systems. 
  • HealthIT.gov states that this format is meant to replace the legacy version of the tool, which was a paper format. Our evaluation shows that the excel format is harder to follow visually and not printable in a useful way.

We recommend using the software version of this tool if possible. 

The tool itself guides users through understanding the context of each question, considering the potential impacts to ePHI in your environment, and identifying relevant security references (e.g., the HIPAA Security Rule). There are seven sections to the SRA tool:

1. SRA Basics
2. Security Policies, Procedures & Documentation
3. Security & Your Workforce
4. Security & Your Data
5. Security & Your Practice
6. Security & Your Vendors 
7. Contingency Planning 

It is important to note that use and completion of the SRA tool does not guarantee HIPAA compliance, but it does help users complete the necessary assessments and assures practices that necessary safeguards are in place. 

What Updates to the Tool Have Been Made in 2022?

The biggest update this year to the SRA tool is the introduction of the Excel-based format and the retirement of the fully paper-based format. The additional updates include: 

• Updated references to the Health Information Cybersecurity Practices (HICP) guidance from a cybersecurity task group comprised of experts and stakeholders from industry and government  agencies. 
• File association: you can link your own files to the SRA tool.
  • This functionality is only available in the software-based format. 
•  Inclusion of references to your final "Risk Report" upon the completion of your SRA. 
• Additional educational references included in the "Detailed Report" upon SRA completion.
• Bug fixes and stability improvements to the software-based format.

Additional Cybersecurity Resources

Prepare for Cyberthreats

In addition to the free federal resources above (particularly those listed under the Cybersecurity Act of 2015), we recommend reviewing the Federal Trade Commission's guidance on securing your wireless network. These, in combination, will help you prepare your practice to ward against cyberthreats.

Respond to Cyberattacks

Below is guidance from the HHS Office of Civil Rights (OCR) on the required and recommended steps to follow in response to a cyberattack at a healthcare practice:

• My entity just experienced a cyber-attack! What do we do now?
• Cyber-Attack Quick Response Infographic
  
  

Anti-Virus Software

We recommend that you research or seek out expert opinion on the anti-virus software your practice employs. But we caution you to not install more than one anti-virus software. Multiple anti-virus software applications can slow down your system and interfere with each, reducing the effectiveness of the software. Remember that your computer may have anti-virus software pre-installed (such as Windows Defender, which is built-in with Windows 10).

Train Yourself and Your Staff

Below are free training resources:

• HIPAA TV, Healthcare Cybersecurity Training
• HHS Cybersecurity Awareness Training
  Description: Cybersecurity awareness training leveraged by HHS employees, contractors, interns, and others.
• HHS, Your Mobile Device and Health Information Privacy and Security 

Additional Physician Cybersecurity Resources from the AMA

Below are free training resources:

The AMA has also developed tips and advice on protecting your computers and network to keep your patient health records and other data safe from cyberattacks.

Download and share with your staff and IT:

• How to improve your cybersecurity practices 
• Cybersecurity checklist for office computers 
• Protect your practice and your patients from cybersecurity threats 

Next Steps

• Share this information with your colleagues.
• Check out our blogs on other cybersecurity considerations like Information Blocking and Health Apps; the SAFER guides; and the FTC's clarification on health app information breaches.

If you want hands-on, personalized assistance, contact us and we will have your back.