Putting it to the Test: A Detailed Performance Review of the New HHS Security Risk Assessment (SRA) Tool

Recently, we provided an initial reaction to the new Security Risk Assessment (SRA) tool developed by the U.S. Department of Health and Human Services (HHS), the verdict being it was Much Ado About Nothing. That said, the team here at Clearwater celebrates OCR’s efforts to make more software enabled solutions available to the healthcare marketplace…but we advise caution. When we put the SRA tool to the test there turned out to be some very real limitations. Fundamentally, the tool and its deliverables do not meet the requirements of a Bona Fide Risk Analysis or set you up for much success with ongoing Risk Management.

How Does the SRA Measure Up?

First of all, we experienced major technical issues with the tool. While evaluating it, the system became unresponsive and unstable. Navigation became non-functional. Even as a skilled technical user, I was unable to reinstall the software to my computer, or remove it. In the process of troubleshooting the problem, I had to start over and delete all the data I had entered. There was no support available from HHS, no phone number or email address. At the very least, it’s safe to say the tool is not ready for use on Windows 7. The experience reminded me a lot of early challenges users had with the healthcare.gov site.

Technical difficulties aside, here is how the tool stacks up in other key areas.

Compliance with Regulations and HHS/OCR Guidance
As noted earlier, the tool does not properly follow the HHS/OCR Guidance on how to complete a Risk Analysis under 45 CFR §164.308(a)(1)(ii)(A). Specific issues include the fact that it doesn’t perform risk analysis at the asset level and incorrectly handles threats and vulnerabilities.

Automated Updates to Regulations/Standards
The SRA specifically notes “the NIST Standards provided in this tool are for information purposes only as they may reflect current best practices in information technology.” The key word here, obviously, is the word “may” which indicates this tool is not currently guaranteed to represent the most up-to-date information available.

Assessment Wizard
The tool provides an assessment wizard to walk users through the security regulations, but it does not address fundamental elements of risk – like identifying threats and vulnerabilities. Nor does it require rankings for impact and likelihood of risk factors. These factors are widely considered to be a basic foundation for the analysis of risk.

Expert Control Recommendations
HHS states the tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. Keep in mind, the tool is designed to help healthcare providers in small to medium sized offices, rather than large organizations which are often more privy to technical resources. Based on what we see in the marketplace every day, the SRA is ill suited for organizations larger than a 10-physician medical practice.

Dashboards and Reports
The SRA only provides one dashboard and one report, which is unlikely to gauge the effectiveness of your organization’s compliance program or to adequately support your efforts to justify needed investments to the senior team.

Dynamic, Actionable Remediation Management
While the SRA allows you to log a simple note on remediation next steps, you cannot assign responsible parties, set due dates, prioritize efforts or search/sort for remaining gaps in activities. There is no functionality for storing and managing compliance documents and no ability for you to manage progress over time.

Additional Operational Support and Security Features
There is no user support…and, of particular interest, there is no support for multiple users. Instead, the tool encourages users to share access to a workstation. This is a questionable security practice anywhere, but especially in a clinical environment where many computers have access to or store ePHI. Finally, the software itself has no security features or user authentication.

Privacy and Breach Assessment
The tool does not address privacy in any form.

The Final Verdict

It seems strange to conclude by saying that the SRA does little to help organizations meet the explicit HIPAA Risk Analysis protocol…but that’s the gist of it. The tool is also very immature and technically unstable, creating fertile ground for user frustration. There are more robust, secure and effective technology options available to support your efforts to safeguard patient data and fully respond to your compliance responsibilities.

Jon Stone

VP of Product Innovation at Clearwater Compliance
Jon has a unique breadth of experience with a combined 25 years’ experience in healthcare, working in the provider, payer and healthcare quality improvement fields. For the last 15 years Jon has provided strategic leadership for compliance and healthcare technology projects involving the most sensitive ePHI for companies such as CIGNA, Healthways and Ingenix. He is Clearwater’s VP of Product Innovation, and helps provide HIPAA Security and Privacy SaaS (Software as a Service) for the healthcare industry.