Have You Conducted Your HIPAA Security Risk Analysis?
Your electronic health record data is a hot commodity on the black market. According to the FBI, “Cyber criminals are selling the information on the black market at a rate of $50 for each partial EHR, compared to $1 for a stolen social security number or credit card number.”
While threats increase daily, healthcare organizations notoriously under-spend on infrastructure security and assessing cybersecurity risks. The ONC learned early on that many practices were failing to complete the required risk assessments due to the time and perceived complexity of the task.
In response, the ONC and OCR developed a downloadable Security Risk Assessment (SRA) tool geared primarily to small and midsize practices. The SRA tool is free, and enables you to painlessly conduct your own risk analysis in accordance with the requirements of the HIPAA security rule. A security risk analysis is the foundation upon which to build the security activities to protect ePHI. The SRA tool will help you identify and assess the risks to ePHI in your practice so that you can implement the appropriate safeguards.
In October 2018 (still the most recent version as of February 2021), the ONC released an updated version of the Security Risk Assessment (SRA) Tool, with a variety of new and enhanced features:
- Enhanced user interface
- Modular workflow
- Custom assessment logic
- Progress tracker
- Threats & vulnerabilities rating
- Detailed reports
- Business associate and asset tracking
- Overall improvement of the user experience
Basic Steps: How to use the HIPAA Security Risk Analysis Tool
The new SRA Tool is extremely user-friendly and simple to navigate. Once you have downloaded the SRA tool to your computer or tablet, you will enter some basic information about your practice location(s) and answer the assessment questions.
Once you’re finished entering basic practice information, you will proceed to entering Assets, Vendors, and Documents. The SRA tool provides downloadable Asset and Vendor templates, making it simple to add and upload assets and vendors (business associates). The Documents section will enable you to add documents, action item lists, references, remediation plans, or plan of action milestones relevant to your security risk assessment.
Next is the Assessment section. Here, you will work through the Q&A portion of the risk analysis, completing Sections 1-7 in order. On the right side of the screen the tool provides helpful reference information to guide you through questions you may have on any particular section. As you proceed through the questions, you will rate each potential threat's likelihood and its impact on your practice as Low, Medium, or High.
Once you have completed Sections 1-7, you will proceed to the Summary section, which provides a risk assessment summary, risk score, areas for review, and vulnerabilities score. At this point, you will be able to view the detailed report and export it to PDF.
Video: Using the SRA Tool To Perform Your Risk Analysis
We’ve also developed a video walking you through the basic steps outlined above.
How Can MDS Help?
MDS has deep experience in the hosting and security infrastructure required (particularly as it relates to Prime Suite) for compliance with the HIPAA Security Rule. If your Risk Assessment uncovers issues that you are not sure how to address, please let us know and we can point you in the right direction.