Chat with us, powered by LiveChat

HHS SRA Tool V3.0 – The Good, Bad and Ugly

November 5, 2018 by Leave a Comment

Earlier this month, the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR) released an updated version of their Security Risk Assessment Tool (SRAT) found on the HealthIT.gov website. Each time a new version is released, we circle up with a few trusted industry partners and review the changes/updates so that we may accurately counsel healthcare Providers, Payers and Business Associates on the pro’s and con’s of utilizing this free, government-issued application.

Before diving into our review of V3.0, it is important to remember that HHS in NO way states that by using SRAT, healthcare providers can be assured that they are compliant with the Security Risk Analysis requirement under HIPAA. Per the Health IT.gov website: “Disclaimer: The Security Risk Assessment Tool at HealthIT.gov is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws.”

This is not to say that SRAT does not have its merits. At HIPAA One, we firmly believe that SRAT can be an effective training tool for compliance professionals in training or a guideline for Certified Auditors.  Despite being a time-consuming process, SRAT does provide step-by-step instructions similar to a bona fide HIPAA Security Risk Analysis and there is certainly value in that. Healthcare professionals should merely be warned that without the guidance of a trained auditor, SRAT may or may not hold up in an audit scenario.

The Good

In short, the newly updated Security Risk Assessment Tool (SRAT) tool has made improvements mainly related to user experience and follows the HIPAA Audit Protocol and NIST-based methodologies for calculating risk. For example, a new bulk asset upload feature has been added along with a multi-location option for larger entities. Although mostly a file repository, this feature does assist larger organizations with their assessment. Organizations seeking assistance with Business Associate Agreement management will find that HHS has added a BAA-type function, however, it is important to note that this does not actually produce a BAA agreement.

As users work through the tool they will find that questions now map back to the HIPAA citations (similar to our software) and there is a bit more guidance (in the way of tips) that have added throughout. Additionally, users will find they have the ability enter specific information around asset type and status relative to the different stages of ePHI systems. However, without having the ability to track or assign questions, the inexperienced end user will not be able to identify where some of the gaps come from. Probably the most significant update is related to the production of a Final Report which is arguably the most crucial component in completely a risk analysis and what you walk away with. Much like the rest of the tool, the newly created Final Report does have a flag attached as the results of this report are fairly arbitrary with a large margin of error based on how the user responds to the risk calculation.

The Bad

At HIPAA One, we frequently use the term “Free like a puppy” and that’s exactly what SRAT is. Although this tool does not cost a fee, SRAT still has a ways to go when comparing it to other software or solutions in the marketplace today (spreadsheets included.)  Aside from being labor-intensive, mundane and error-prone; each measure results in multiple questions that need to be individually selected by one who knows how to estimate impact and likelihood year-over-year.

SRAT takes a single-user approach meaning there is no way to collaborate on the assessment with others in the organization.  This approach can result in the need for additional committee meetings to oversee remediation of identified risks. For example, there is no option to delegate survey questions to employees in different roles so it would be totally possible to have someone in IT trying to answer HR related questions. Also, should users desire to go back to previous sections or revise a past answer while in the middle of the assessment, navigation is really difficult. Past sections are merely available through <BACK> and <NEXT>.

Being that SRAT does not save any historical data related to previous assessments, organizations who have completed risk assessments in past years are unable to import their old assessments and simply make updates reflective of the past year. Healthcare providers focused on creating a sustainable and long-lasting HIPAA compliant office, should seek out a tool that allows for previous year imports to greatly decrease the amount of administrative work in complete your risk analysis year over year.

The Ugly

When evaluating the accuracy and comprehensive nature of the tool, there are a few glaring issues that we would be remiss not to address. These are the aspects of SRAT that would require either the experience of a Certified Auditor or compliance professional in training to ensure the assessment is accurate.

Some of the large issues not remedied by the V3.0 update include:

  • No Calculation of Risk – Without an experienced Auditor who is qualified to answer and assess risk, the average user is required to assign a risk score to each question without guidance or training. For example, the generated gaps from the SRAT do not have a correlation or identify which HIPAA control requirement those policies need to be addressed.
  • No Remediation Planning or Guidance – One critical component to completing a risk analysis is addressing and re-mediating the deficiencies and findings after the fact. The re-mediating planning process gives providers a framework for next steps and continued compliance.
  • Final Report
    • Does not include an executive high-level overview
    • Unable to show if at least a partial requirement is met
    • No prescriptive recommendations on how to address any of the found risks
  • No Included Policies and Procedures – SRAT does not include PnP templates nor does it review any current, existing PnP’s. This leaves providers at risk for continuing to use potentially outdated PnP templates and minimizes the possibility for a yearly review of these templates.

In Summary

Pros:
  • Bulk Asset Upload 
  • Multiple Location Option
  • Basic Business Associate Agreement (BAA) Utility
  • Questions Map to HIPAA Citation
  • Final Report
  • User Guide
Cons:
  • No Roles
  • No Auto Calculation of Risk
  • No Remediation Planning or Guidance
  • No Ongoing Updates
  • No Vulnerability Scans

If your workplace is considering using the SRAT tool for your 2018 risk analysis, we encourage you to take a look at our industry-leading automated software before doing so.  Our software scales seamlessly based on the size of your organization and with tiered pricing accessible for even single-doc physician practices, HIPAA One is the only choice for a guaranteed to pass an audit.

What are your thoughts on the SRAT tool?  Feel free to enter your comments below or Contact Us anytime for a free consultation.

NOTE: We have been following the development of this toolkit since its inception in 2011 and reviewed the 2014 v2.0 version here: https://www.hipaaone.com/quick-review-hhss-new-hipaa-security-risk-assessment-tool/

Filed Under: Blog

State Departments Conducting Audits?!?

September 6, 2018 by 1 Comment

In recent years, healthcare audits have been a trending topic within the compliance world. Following the Phase II launch of the HHS Office for Civil Rights (OCR) Audit Protocol in March 2016, many members of the healthcare community equate audits … [Continue reading]

Filed Under: Blog

Healthcare Continues to Dominate Breach Related Costs

August 16, 2018 by Leave a Comment

A new study conducted by the Ponemon Institute on behalf of IBM Security confirmed the fears of so many healthcare information security professionals, no other personal information yields a higher value than compromised patient records. Across the … [Continue reading]

Filed Under: Blog

Similar but Different: Gap Assessment vs Risk Analysis

June 21, 2018 by Leave a Comment

If you've heard the terms gap assessment and risk analysis used interchangeably before in privacy or security conversations, you are not alone. At HIPAA One, we have found that there are quite a few misconceptions about these two approaches and how … [Continue reading]

Filed Under: Blog

GDPR and Windows 10 Compliance

May 4, 2018 by 1 Comment

This is the second post in a 2-part series on GDPR. Guest post written in collaboration with Microsoft. On April 14, 2016, the European Union (EU) ratified the final version of the General Data Protection Regulation aka GDPR. The new GDPR … [Continue reading]

Filed Under: Blog

GDPR and the Impact on U.S. Healthcare Providers

April 11, 2018 by Leave a Comment

A new acronym has begun popping up within the healthcare technology community and is slowly beginning to gain momentum in the way of media coverage and industry articles. If you’ve heard the term GDPR in the past few months and did not understand … [Continue reading]

Filed Under: Blog

Cloud Security in Healthcare

April 2, 2018 by Leave a Comment

Guest Blog by Yiannis Koukouras, TwelveSec in collaboration with HIPAA One In our culture, something or someone is always trending. Whether it be bell-bottom jeans in the '70's, playing Nintendo in the '80's or watching stock market go up and down … [Continue reading]

Filed Under: Blog

Missed your SRA in 2017? Here’s How to Avoid a MIPS Penalty

March 15, 2018 by Leave a Comment

First, do your HIPAA Security Risk Analysis immediately to reduce chances of a breach while maintaining compliance with all Federal reimbursement programs. With just mere days left before the March 31st MIPS submission deadline, if you have not … [Continue reading]

Filed Under: Blog

Consequences for HIPAA Violations

March 12, 2018 by Leave a Comment

A recent HHS Office for Civil Rights email blast outlined a story that many of us have heard before, another business closed with significant monies paid out in fines. Filefax, Inc. has agreed to pay $100,000 in order to settle potential violations … [Continue reading]

Filed Under: Blog

We’ve Helped Many Access the LADMF! Need Assistance?

January 30, 2018 by Leave a Comment

Last May, we wrote a “How To” blog on the Social Security Limited Access Death Master File (LADMF) aka DMF and the response has been overwhelming! The HIPAA One team is delighted by how many of you have come forward and asked us to assist your … [Continue reading]

Filed Under: Blog
Next Page »