Chat with us, powered by LiveChat

HHS SRA Tool Version 3.0 – The Good, Bad and Ugly

March 18, 2019 by 1 Comment

Earlier this month, the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) released an updated version of their Security Risk Assessment Tool (SRAT). We have been following the development of this toolkit since its inception in 2011 as the HSR toolkit and reviewed V2.0 in early 2014. Each time a new version is released, HIPAA One gathers with a few trusted industry partners to review the changes and updates so that we may accurately counsel healthcare providers, payers and business associates on the pros and cons of utilizing this free, government-issued application.

ONC/HHS issued

Before diving into our review of V3.0, it is important to note that HHS in no way states that by using SRAT, healthcare providers are assured compliance with the Security Risk Analysis requirement under HIPAA. Per the Health IT.gov website: “Disclaimer: The Security Risk Assessment Tool at HealthIT.gov is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws.”

This is not to say that SRAT does not have its merits. At HIPAA One, we firmly believe that SRAT can be an effective training tool for compliance professionals as well as a guideline for certified auditors. Despite being a time-consuming process, SRAT does provide step-by-step instructions similar to a bona fide HIPAA Security Risk Analysis. Healthcare professionals should merely be cautioned that without the guidance of a trained auditor, SRAT may or may not hold up in an audit scenario.

The Good

In short, the newly updated Security Risk Assessment Tool (SRAT) has made improvements mainly related to the user experience and follows the HIPAA Audit Protocol and NIST-based methodologies for calculating risk. One update, although mostly a file repository, is the bulk asset upload feature. This has been added along with a multi-location option for larger entities.

ONC/HHS Report Screen

Furthermore, organizations seeking assistance with Business Associate Agreement (BAA) management will find that HHS has added a BAA-type function. However, it is important to note that this does not actually produce a BAA agreement.

Having the ability to enter asset type and status at different stages of the ePHI systems is great but, without having the ability to track or assign these questions, an inexperienced user may not be able to identify where some of the gaps came from.

As users work through the tool, they will find that questions now map back to the HIPAA citations (similar to our software). There are also “tips” added throughout the tool. That being said, the most significant update is the production of a Final Report (arguably the most crucial component in completing a risk analysis.) Much like the rest of the tool, the newly created Final Report has a flag attached as the results of this report are fairly arbitrary with a large margin of error based on how the user responds to the risk calculation.

The Bad

Although SRAT it is a free tool (albeit funded by our taxpayer dollars) and updates have been made to create a better user experience, compared to other software solutions in the market place today, the tool still falls short. We frequently use the term “free like a puppy is free”. Aside from the tool being labor-intensive, mundane and error-prone; each measure results in multiple questions that need to be individually selected by one who knows how to estimate impact and likelihood year-over-year.

SRAT takes a single-user approach which means there is no way to collaborate on the assessment with others in the organization. This approach can result in the need for additional committee meetings to oversee remediation of identified risks. Also, because there is no option to delegate survey questions to employees in different roles, you may have someone in IT trying to answer HR related questions. Lastly, should users desire to go back to a previous section or revise an answer, navigation is difficult. Past sections are merely available through <BACK> and <NEXT>.

Being that SRAT does not save any historical data related to previous assessments, organizations who have completed risk assessments in past years are unable to import their old assessments and simply make updates reflective of the past year. Healthcare providers focused on creating a sustainable and long-lasting HIPAA compliant office, should seek out a tool that allows for year after year imports to decrease the amount of administrative work in completing a risk analysis each year.

The Ugly

When evaluating the accuracy and comprehensive nature of the tool, there are a few glaring issues that we would be remiss not to address. These are the aspects of SRAT that would require either the experience of a certified auditor or compliance professional in training to ensure the assessment is completed accurately.

Some of the issues not remedied by the V3.0 update include:

  • No Calculation of Risk – Without an experienced Auditor who is qualified to answer and assess risk, the average user is required to assign a risk score to each question without guidance or training. For example, the generated gaps from the SRAT do not have a correlation or identify which HIPAA control requirement those policies need to be addressed.
  • No Remediation Planning or Guidance – One critical component to completing a risk analysis is addressing and remediating the deficiencies and findings after the fact. The remediating planning process gives providers a framework for next steps and continued compliance.
  • The Final Report – A component missing from the final report is an executive, high-level overview. Additionally, in the final report there is an inability to see if you have met partial requirements or if there is a policy that needs to be edited or changed. Lastly, there is no prescriptive recommendations for addressing any of the identified risks.
  • No Included Policies and Procedures – SRAT does not include PnP templates nor does it review any current, existing PnP’s. This leaves providers at risk for continuing to use potentially outdated PnP templates and minimizes the possibility for a yearly review of these templates.

In summary

2018 HIPAA SRAT v3.0 tool

Pros:

  • Bulk asset upload
  • Multiple location option
  • Basic Business Associate Agreement (BAA) utility
  • Questions map to HIPAA citation
  • Guidance through on screen “tips”
  • Simple Final report
  • User guide

 Cons:

  • No specified roles. One person is left to answer questions they may not be qualified to answer, from IT to HR.
  • No auto calculation of risk. Without a certified auditor, answering and assessing risk for each of the questions is arbitrary.
  • Does not provide an actual Business Associate Agreement (BAA).
  • Navigation is difficult. Past sections are only available through <BACK> <NEXT>.
  • Lots of clicks
  • No remediation planning or guidance
  • No review by an auditor to keep impartiality. No ongoing updates
  • No policies and procedures provided or review of the providers policies. Could be older than 3 years
  • No vulnerability scan for free linking back to software
  • Graphs near the end that are not updatable and have a questionable purpose
  • No importing assessments year after year
  • Use of the SRAT tool will not guarantee you will pass an audit

Bottom line, this solution would work for compliance-in-training individuals or those who have the time but no funding to run a stand-alone SRA solution.

If your workplace is considering using the SRAT tool for your 2018 risk analysis, we would encourage you to take a look at our industry-leading automated software before doing so. At HIPAA One our software scales seamlessly based on your role and size of the organization. And with tiered pricing accessible for even single-doc physician practices, HIPAA One is the only choice for a guarantee to pass an audit using a simple, automated and affordable approach to conducting the annual HIPAA assessment.

Filed Under: Blog

Cloud Email Phishing Attacks: A Practical Guide

March 18, 2019 by Leave a Comment

Attention CIOs, CISOs and IT Administrators! A quick review of the HHS Breaches Over 500 list paints a pretty grim picture of the number of breaches affecting 500 or more individuals. Breaches have been steadily increasing and the culprit is … [Continue reading]

Filed Under: Common Vulnerabilities and Exploits, HIPAA Security Tagged With:

State Departments Conducting Audits?!?

September 6, 2018 by Leave a Comment

In recent years, healthcare audits have been a trending topic within the compliance world. Following the Phase II launch of the HHS Office for Civil Rights (OCR) Audit Protocol in March 2016, many members of the healthcare community equate audits … [Continue reading]

Filed Under: Blog

Healthcare Continues to Dominate Breach Related Costs

August 16, 2018 by Leave a Comment

A new study conducted by the Ponemon Institute on behalf of IBM Security confirmed the fears of so many healthcare information security professionals, no other personal information yields a higher value than compromised patient records. Across the … [Continue reading]

Filed Under: Blog

Similar but Different: Gap Assessment vs Risk Analysis

June 21, 2018 by Leave a Comment

If you've heard the terms gap assessment and risk analysis used interchangeably before in privacy or security conversations, you are not alone. At HIPAA One, we have found that there are quite a few misconceptions about these two approaches and how … [Continue reading]

Filed Under: Blog

GDPR and Windows 10 Compliance

May 4, 2018 by 1 Comment

This is the second post in a 2-part series on GDPR. Guest post written in collaboration with Microsoft. On April 14, 2016, the European Union (EU) ratified the final version of the General Data Protection Regulation aka GDPR. The new GDPR … [Continue reading]

Filed Under: Blog

GDPR and the Impact on U.S. Healthcare Providers

April 11, 2018 by Leave a Comment

A new acronym has begun popping up within the healthcare technology community and is slowly beginning to gain momentum in the way of media coverage and industry articles. If you’ve heard the term GDPR in the past few months and did not understand … [Continue reading]

Filed Under: Blog

Cloud Security in Healthcare

April 2, 2018 by Leave a Comment

Guest Blog by Yiannis Koukouras, TwelveSec in collaboration with HIPAA One In our culture, something or someone is always trending. Whether it be bell-bottom jeans in the '70's, playing Nintendo in the '80's or watching stock market go up and down … [Continue reading]

Filed Under: Blog

Missed your SRA in 2017? Here’s How to Avoid a MIPS Penalty

March 15, 2018 by Leave a Comment

First, do your HIPAA Security Risk Analysis immediately to reduce chances of a breach while maintaining compliance with all Federal reimbursement programs. With just mere days left before the March 31st MIPS submission deadline, if you have not … [Continue reading]

Filed Under: Blog

Consequences for HIPAA Violations

March 12, 2018 by Leave a Comment

A recent HHS Office for Civil Rights email blast outlined a story that many of us have heard before, another business closed with significant monies paid out in fines. Filefax, Inc. has agreed to pay $100,000 in order to settle potential violations … [Continue reading]

Filed Under: Blog
Next Page »