• Print

Security Risk Assessment


SRT ToolHow can I provide comments?

ONC is asking users to provide comments regarding their use of the Security Risk Assessment (SRA) Tool. These comments will be used to improve future versions of the SRA Tool.

Comments will be accepted from Friday, March 28th to Monday, June 2nd.

 [*] denotes required fields

Security Risk Assessment Tool Web Event

It’s been about a month since HHS released the Security Risk Assessment (SRA) Tool on March 28th of this year. Since then ONC has received many suggestions, comments and questions . This webinar is designed to review the current state of the tool, discuss some of the known issues and ONC’s plan to address those identified issues and answer questions from users across the country.

ONC is looking forward to hearing from the SRA Tool’s user community.

Register here and join us at – on April 29th 2014 from 2 – 3:30 pm EDT.

Share Your Comment


Mitch Harris
Practice Manager
Medical Clinic

The SRA program available for download is only for windows computers and I-Pads. You apparently forgot about Apple Computers. We ONLY have apple computers and we do not use I-pads. Why would you exclude practices using Apple computers??

I would appreciate an answer. Thank you.

Jennifer DeCapua
Women's Health Care

I AGREE!!! We also use Apple computers and I would really like to be able to use this tool!!!

Robert Brzezinski
Information Privacy, Security and Compliance

Just downloaded the tool and here are couple of initial thoughts:
As we try to teach end users about online security we recommend two things:
1 - Do not download software through unencrypted connections, yet this tool/ software is offered from http page. It would be great if we could practice what we preach and offer the tool from an https page.
2 – Another thing we teach is: do not download or install software from unknown sources. The exe file when downloaded and installed shows “Publisher: Unknown Publisher”. It would be great if we could identify the publisher to make the tool trustworthy and re-emphasize good security practices - do not install unsigned software. This may also help with addressing Windows warning messages during download/installation.
Hope this helps

Alfonso Perez
HIT Consultant

Linux users were also left out. And it does not run in wine. BUT it does look good!

Robert Brzezinski
Information privacy, security and compliance

I quickly stepped through the tool’s questions – here are some observations, suggestions:
1. Some questions are in English and some are in tech-gov-martian speak ;o)
2. I’m not sure what to make out of, how to answer this in context of questions: “With respect to a threat/vulnerability affecting your ePHI: Likelihood: Low Medium High Impact: Low Medium Maybe this can be phrased better.
3. After answering all questions (the Navigator shows that all questions are answered), I clicked on Report and Chart. The chart shows all responses under Administrative criteria, there are no charts showing Physical or Technical criteria/responses.
4. When data is exported to Excel the report headers do not correspond to titles/headers from the app where the questions are answered e.g. Current Activities (in the app) are Explanation in Excel document, what is Reason in Excel column C? Lack of consistency.
5. When generating PDF report the report is also visible in html and the page is called node-webkit
Also developer tools can be opened from the html page – Invalid CSS property name: -webkit-overflow-scrolling
This at the minimum will be VERY confusing to average user …
6. I also tried to install the application on Surface tablet, but the Windows 8.1 RT system did not allow for this application to run …
7. I do not know who the “Copyright Joyent, Inc. and other Node contributors” are but it looks like the product is unfinished.
Hope this helps
The tool takes approach similar to the one I’ve developed and have been using over last few years – mapping questions to HIPAA standards and creating grouping categories for administrative, physical and technical safeguards, than presenting results in dashboard like report.

Deanna Mool
Risk Analysis v. Risk Assessment
Content (Language)

I truly wish you had titled this tool a risk analysis tool. However, the tool looks very good from a preliminary review. I have been trying to get my clients to distinguish between a risk analysis (164.308(a)(1)(ii)confirmation of meeting the security provisions of the rule and the goal for this tool)-- and a risk assessment (164.402 breach (2) analysis of events after a breach). I don't think I am alone in making this distinction and it makes it far easier to discuss different activities of HIPAA compliance if they have different titles. I believe the Omnibus Rule overall is fairly consistent in the use of the terms although I would admit that the risk analysis uses the term assessment within its activities. The prior page on this website indicates the Guide on the right panel is a "Guide to a Risk Analysis". You have the "Top 10 Myths of Security Risk Analysis". I appreciate the tool but the title is just confusing. Please consider a new title of "Risk Analysis Tool".

Roy Anderson
Manager, HIPAA privacy/Security, EMR implementation, ICD-10 PM, Utilization Review Manager, other

I will send another when I have used the product more extensively. It works on my I-pad, the download was very slow and kept timing out, need to be able to go back and correct or change / update information. Also, The simple act of building and then making available for free will help this small CAH hosptial and clinics improve upon already completed risk analysis and management. Thank you. After using more extensively, I will indeed provide feed back. positive I pray. Enjoy your day and thanks!

Julie Sours
Compliance & Training Specialist

My computer won't allow for download because it is from an unknown source. I did however view the content in Word and thought the content was very well presented. I would like to download the application to my computer so I can use it as an active function.

Technical Issues (Problems)

Does not work. I viewed the tutorial and the program does not allow entry of the information. I can't get past the initial set up and is not allowing me to enter anything beyond the intial items. I also had same issue with warning of danger to run from an unknown source. Allowed this to run anyway, but seems to be giving me issues.

Patrick Phelan
Technical Issues (Problems)

Hi -- first of all, congratulations on the new tool!!! I haven't given it an in-depth look yet, but I wanted to mention a little bug I noticed before I forget. To recreate:

- click Glossary
- click Show/Hide Columns
- click the "X" in the upper-right to close the glossary
- the checklist of columns to show or hide remains on top



William Randleman
Information Security Consulting

This tool does not provide a risk assessment for ePHI.
What it does provide is a program gap analysis against the CFR.
For instance there is no determination of acceptable risk. No treatment of business processes nor system specific risk analysis. Apparently the concern here is simply compliance risk rather than risk of compromising PHI/ePHI.

Cindy Buege
HIT Clinical Specialist

It would be nice to have the functionality to be able to edit a note, once it has been added.

Paul Hales
Attorney at Law
Legal Services
Technical Issues (Problems)

Download of the SRA Tool caused my Windows 8.1 HP laptop to crash. The computer popped up a message warning that the program should not be downloaded, and might cause a serious malfunction. I downloaded the program because I assumed it was from a trustworthy source. My computer tech is working on the problem now. There appears to be no possible source of the malfunction other than the download of the SRA tool.

Seth Krieger
Software Developer
Technical Issues (Problems)

The software runs after download on Windows 8 and Windows 7, but I am unable to run it on Windows 8.1. I attempted on two different computers running Windows 8.1 and got the same result both times. Reviewing the Windows Application log in Event Viewer reveals the same error on both systems:

Faulting application name: SRATool.exe, version:, time stamp: 0x528eb2be
Faulting module name: ntdll.dll, version: 6.3.9600.16502, time stamp: 0x52c35a76
Exception code: 0xc0000005
Fault offset: 0x0004373d
Faulting process id: 0x1764
Faulting application start time: 0x01cf503ddcc2da8f
Faulting application path: C:UsersSethDesktopSRATool.exe
Faulting module path: C:WindowsSYSTEM32ntdll.dll
Report Id: 1a82fbf9-bc31-11e3-8285-6c626d40308b
Faulting package full name:
Faulting package-relative application ID:

Melanie Rittenour
HR Director/Compliance & Privacy Officer

I worked on the SRA Tool, and the one thing that I would like to be able to do, is run a report before it is fully finished. Right now, the only report i was able to run, was on questions already answered. I wanted to run a report that still listed some of the questions, without them all being answered just yet.

Thank you.

Jeff Huddleston
VP, Managing Dir
Healthcare Consulting
Technical Issues (Problems)

Cannot install on Windows 8.1 machine.
Tried downloading a couple of ways/times, but still does not install.
Warnings pop up from multiple AV and Malware, but when I approve, the install just fades away.

Raymond Goins
IT Manager
Healthcare - Long-Term Care

It's definitely a Risk Analysis tool only. But it does allow you to perform faster Risk Assessment based on all the information you can input in and export from it. The SRA tool definitely is not supported on all platforms (i.e. Linux, Windows 8.1, MAC OS X) and it definitely has some bugs/crashing issues on Windows 7 Professional 64-bit. Please do another release that supports multiple operating systems.

StupidlyLong Survey

I appreciate the intent of this tool, but it's too long, repetitive (I see the differences in the nuances of different wording of questions, but they aren't helpful), and you lose interest by question 2,459.

It feels that this tool was designed by a team that completely forgot that you have working people using this. This tool missed the mark, just like Obamacare did - you can't have a one-size fits all tool that works for everyone. The theory behind this tool and Obamacare is good - but the application thereof is terrible. Simplify this baby down for people that don't have 30 hours to go through the initial screening. Make it short - then if a risk is possible, THEN open up further lines of questions to help that company drill down. They're called gate questions - the subsequent questions only appear if the gate question is answered affirmatively. Remember you're trying to help the end user follow the HIPAA guidelines, not bore us to death with 15 slight variations on the same question.

Stop being so afraid that it has to look a certain way and fit the guidelines in the manual in a desk somewhere that no one outside of your office cares about and make a tool that is usable and time friendly. Obviously you haven't mastered the concept of not creating survey fatigue.

Amy Carr
SRA Tool
EHR Consulting
Technical Issues (Problems)

Myself and my employer were both unable to open the tool on our computers. Are other individuals having trouble? Is there something with internet security settings I need to modify? My pc is new with Windows 8. My employer has windows 7. This tool sounds very useful and we would love to see it.
Thank you,
Amy Carr

Ops Support Specialist, Security Officer
Behavioral Health
Technical Issues (Problems)


Have you heard from anyone else regarding the issue of not being able to access the tool on multiple computers? I am having this same issue.


Matthew Roth
Content Manager

The SRA app should have a tutorial or at least a video. It's really unclear when the app is launched what the end result will be and why information is being asked for and what will happen to that information.

I'd prefer this on my Apple laptop than iPad too.

Shirley Brown
IT Audit Manager
Technical Issues (Problems)

I cannot get the toolkit to open. I download and it says run, but does not open. Is some software needed?

John Wright-Piekarski
Healthcare IT

Is this an alternative to a paid security risk assessment needed to meet meaningful use?


Karen Geller
Director of Risk Management
health vare

Is it possible to print out the entire tool so I can work with others to respond?

Scott Frost
EHR Business Implementation Specialist
Quality Improvement

I work for a REC, and I help many small practices with their security risk assessments. I would like to be able to start new SRA tools for each organization I work with, and then add users at each one to answer questions about their practice.

To get a feel for the new tool, I downloaded it and answered most of the questions. I gave this file the name of Sample 1. Then I downloaded the tool again, expecting a blank file into which I could enter data about a second practice. However, all the data from Sample 1 already populated the new file. When I tried to delete information about business associates and asset inventory, it wouldn't go away.

How can I create multiple versions of the tool for the different organizations I work with, with different users in each one who do not have access to the files about other organizations?

It was easy to create separate files for each organization using the earlier tool, which was a sophisticated Excel file. Unless this functionality can be maintained, I will have to continue using the old tool.

The user guide explains how to clear all data within the tool, but it does so by deleting the whole HHS folder. I am afraid that this option would delete not only the second file, but also Sample 1 that I do not want to eliminate.

If there is a better solution that I just haven't found yet, what is it?

Thank you.

Laura Rosas

Thank you so much for your comment. We will be reviewing all comments for improvements in the next version of the tool. The tool is designed to so that a user can exit and re-enter and the information will be saved. If you download the tool onto a different computer/server, it will not store the information from your version. You can have multiple users on one risk assessment tool, but it will recall of the information and cannot be "wiped clean" except to erase the entire folder.

I hope this information helps - we will consider this issue in our contemplated updates.

Take care,


Deborah Sherl
Health IT Consultant, previously employed at the WA. ID REC (WIREC)
Health Information Technology/ RN
Content (Language)

Thank you all for producing and making the Security Risk Tool publicly available. I am concerned that it is not identified as "HIPAA Security Risk Analysis Tool". Both the Meaningful Use Core 15 and the Security Rule identify the process as "Analysis", and not "assessment". Words are important, as you know! Out here on the street - we are conducting HIPAA Security Risk Analysis. Please consider renaming OR letting us know why you have changed to "Assessment". I was fortunate to offer a small part in beta testing this product and I believe it offers high yield value to the small to medium practices. I appreciate that you are taking comments. Deb Sherl, RN

Deborah Sherl
Health IT Consultant, previously employed at the WA. ID REC (WIREC)
Health Information Technology/ RN
Content (Language)

Thank you all for producing and making the Security Risk Tool publicly available. I am concerned that it is not identified as "HIPAA Security Risk Analysis Tool". Both the Meaningful Use Core 15 and the Security Rule identify the process as "Analysis", and not "assessment". Words are important, as you know! Out here on the street - we are conducting HIPAA Security Risk Analysis. Please consider renaming OR letting us know why you have changed to "Assessment". I was fortunate to offer a small part in beta testing this product and I believe it offers high yield value to the small to medium practices. I appreciate that you are taking comments. Deb Sherl, RN

Content (Language)

Thank you for your comment. We very much appreciate the feedback we are receiving from users.

Risk Assessment and Risk Analysis are interchangeable terms. If we receive signficant feedback from users, we may consider changing the term ot avoid confusion.

Thank you again. I hope this information has been helpful.

Anthony Cerullo
Technical Issues (Problems)

The security assessment tool downloads and I save it to desktop folder but the exe. file does not execute any function. I downloaded it to windows 8 professional. Please help.


Share Your Comment