Have You Conducted Your HIPAA Security Risk Analysis?
Your electronic health record data is a hot commodity on the black market. According to the FBI, “Cyber criminals are selling the information on the black market at a rate of $50 for each partial EHR, compared to $1 for a stolen social security number or credit card number.”
While threats increase daily, healthcare organizations notoriously under-spend on infrastructure security and assessing cybersecurity risks. The ONC learned early on that many practices were failing to complete the required risk assessments due to the time and perceived complexity of the task.
In response, the ONC and OCR developed a downloadable Security Risk Assessment (SRA) tool geared primarily to small and midsize practices. The SRA tool is free and walks you through your own risk analysis in line with the requirements of the HIPAA Security Rule. A security risk analysis is the foundation on which the rest of your ePHI safeguards are built: you cannot choose appropriate controls until you know where ePHI lives, how it moves, and what threatens it. The SRA tool helps you identify and assess those risks so that you can implement the appropriate safeguards.
Conducting a security risk analysis is a required implementation specification of the HIPAA Security Rule. Covered entities (including healthcare provider groups) and their business associates must be able to document that they have conducted one, and acted on its findings, in the event of an HHS/OCR audit or a breach investigation.
Even if you are never audited, failing to conduct a security risk analysis means that you are potentially compromising the security of your patients’ PHI (protected health information), as well as your own organization’s confidential information.
HIPAA (45 CFR § 164.308(a)(1)) requires that covered entities and business associates “implement policies and procedures to prevent, detect, contain, and correct security violations” by conducting “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of e-PHI held by the [organization].”
Basic Steps: How to use the HIPAA Security Risk Analysis Tool
The downloadable SRA tool guides you through the process of conducting your own HIPAA risk assessment. The tool itself is not required by the HIPAA Security Rule, and using it does not by itself make you compliant; it is meant to assist providers and professionals as they perform a risk assessment. The tool produces an exportable report that you can provide to auditors in the event of a HIPAA audit.
First, visit: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool and download the SRA Tool.
Once you have downloaded and saved the tool, run the application.
In the top right corner, enter your first name, last name, or initials, press the Tab key on your keyboard, and select “Log In”. Once logged in, read the disclaimer and click “Start Assessment” in the lower right corner.
You may also enter data related to the practice, business associates, and asset inventory by clicking on each tab. This is not required to complete the assessment.
Each question accepts a yes/no response and has a “flag” field so you can mark it for later completion.
After answering yes/no, you have an opportunity to comment: click one of the three sections and enter text in the white box (optional).
At the bottom, rate the likelihood of a breach of protected health information for that item, and the impact such a breach would have on the clinic/organization. Click “Next Question” when complete.
In the upper right area, each question provides 3 informational tabs (optional use).
On the lower right area, 3 more tools may be used for clarification (optional).
When finished with the assessment questionnaire, click “Report” at the bottom of the screen; choose the preferred export method:
* Note: This report is date-stamped, so if you are participating in the Meaningful Use program, make sure to run it within the calendar year for which you are attesting.
The new SRA Tool reorganizes the workflow described above and is straightforward to navigate. Once you have downloaded the SRA tool to your computer or tablet, you will enter some basic information about your practice location(s) and then answer the assessment questions.
Once you’re finished entering basic practice information, you will proceed to entering Assets, Vendors, and Documents. The SRA tool provides downloadable Asset and Vendor templates, making it simple to add and upload assets and vendors (business associates). The Documents section will enable you to add documents, action item lists, references, remediation plans, or plan of action milestones relevant to your security risk assessment.
Next is the Assessment section. Here you will proceed through the Q&A portion of the risk analysis, working through Sections 1-7 in order. On the right side of the screen the tool provides reference information to guide you through questions you may have on any particular section. As you proceed, you will rate the likelihood that each potential threat occurs and the impact it would have on your practice as Low, Medium, or High; these two ratings are what drive the risk scoring in the summary.
Once you have completed Sections 1-7, you will proceed to the Summary section, which provides a risk assessment summary, risk score, areas for review, and vulnerabilities score. At this point you can view and export the detailed report to PDF. Two points to keep in mind: the Security Rule also requires a risk management process, so document the remediation plan and owners for each area for review rather than stopping at the report; and the report itself is a description of your organization’s weaknesses, so store it with the same care as any other confidential record.
Video: Using the SRA Tool To Perform Your Risk Analysis
We’ve also developed a video walking you through the basic steps outlined above.
The ONC has their own video series and tutorials on using the tool: