4 Ways Using the HHS Security Risk Assessment Tool Can Help Your Organization

Kathryn Marchesini, J.D. and Ali Massihi | October 30, 2019

As ONC works to advance the development and use of health IT, we know that you play an important and equal role in maintaining the public’s confidence and trust. The privacy and security of health information is always at the forefront of our work and your organization’s business practices. In the spirit of National Cyber Security Awareness Month (NCSAM), we want to highlight the HHS Security Risk Assessment (SRA) Tool, which you can use to assess your organization’s security risks. If you are responsible for the privacy or security of electronic protected health information (ePHI), you may be particularly interested in the SRA Tool.

In the health care sector, security is the way your organization implements administrative, technical, and physical safeguards to provide for the confidentiality, integrity, and availability of health information. Conducting a security risk assessment is one way to identify and assess risks to ePHI within your organization, check if your organization has appropriate safeguards in place, and reveal any areas where ePHI may be at risk. You can then take action to mitigate any risks that are found. For example, assessing security risks can help your organization reduce the chance of being impacted by a variety of cyber-attacks, malware, ransomware, and other online scams.


With known and emerging cyber security risks in the health care sector, using the SRA Tool can help your organization in the following 4 ways. Best of all, it’s free!

  • Identify potential threats and vulnerabilities to ePHI. The SRA Tool is designed to help small and medium-sized healthcare practices or organizations assess risks to ePHI. Organizations can use the SRA Tool to help identify potential threats (e.g., cyber-attack, theft) and vulnerabilities (e.g., weak login to access the EHR), which can inform an organization’s development of mitigation plans to protect electronic patient data.
  • Review all electronic devices involved with ePHI. The SRA Tool gives users the ability to include the review of all electronic devices that store or capture ePHI. The SRA Tool provides functionality to add documentation detailing your risk identification and analysis process (e.g., vulnerability scans, site walk-throughs). Include electronic health record (EHR) hardware, software (e.g., technical endpoints/APIs), and devices that can access data maintained in an EHR (e.g., your smartphone or tablet computer). Involve your EHR developer in the process.
  • Assess your overall security risks routinely. Some providers may perform these reviews annually or as needed depending on circumstances of their environment (e.g., when new technology is introduced in the health care provider’s technical environment). You must continue to review, correct, modify, and update security protections to provide for continued protection of ePHI in the face of new and emerging threats and vulnerabilities. The security risk management process is iterative and ongoing.
  • Assist with HIPAA Security Rule requirements. The SRA Tool can help organizations meet requirements of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule by uncovering potential weaknesses in organizational security policies, processes, and systems. HIPAA Security Rule requirements pertain to all ePHI your organization creates, receives, maintains, or transmits, not just what is contained in your EHR or other health IT product. Although use of this tool can assist with HIPAA compliance activities, use of the tool is neither required by nor guarantees compliance with the HIPAA Security Rule requirements.

All you need to do to get started is download the SRA Tool. Be sure to review the User Guide for tips on using the SRA Tool. Questions? Email the Help Desk or check out the materials and audio recording from our August webinar. The current version of the SRA Tool includes functionality updates based on public input. We want to continue to make improvements, so if you have suggestions after using the SRA Tool, please reach out to us via the Health IT Feedback Form.

Assessing risk is an important step in your security management process and helps your organization recognize where safeguards are needed to protect ePHI, including guarding against ransomware and other types of cyber-attacks. Get started today – download and use the SRA Tool.