Updated Security Risk Assessment Tool Released by OCR
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) currently has an enforcement initiative focused on implementation of the risk analysis requirement of the Security Management Process standard of the HIPAA Security Rule. OCR recently announced its first enforcement action under that initiative, against Bryan County Ambulance Authority in Oklahoma, which paid a $90,000 settlement.
OCR's main role is enforcement of the HIPAA Rules, particularly compliance with the HIPAA Security Rule. However, OCR would rather help HIPAA-covered entities comply with the regulations than penalize them. One way OCR assists HIPAA-covered entities with HIPAA Security Rule compliance is through its Security Risk Assessment (SRA) Tool. OCR and the Assistant Secretary for Technology Policy (ASTP) released an updated version of the tool last week.
Ransomware attacks and hacking incidents continue to increase in the healthcare and public health sectors, yet most of these attacks are avoidable by performing a comprehensive and accurate risk analysis and then addressing the identified risks. Many OCR investigations of large data breaches have uncovered risk analysis failures, including failing to conduct a risk analysis at all and failing to conduct one that is comprehensive and accurate. Because of these failures, risks and vulnerabilities went unidentified and unresolved, and were exploited by cybercriminals to gain access to healthcare systems and patient information.
The SRA Tool guides covered entities through a series of multiple-choice questions designed to help identify risks and vulnerabilities before they can be exploited by cybercriminals. The updated version of the SRA Tool, intended mainly for small- and medium-sized HIPAA-covered entities, includes several improvements based on user feedback and the latest cybersecurity guidance. The new version contains new and improved guidance and instructions, new content on identifying supply chain threats, and new content on addressing risks and vulnerabilities. The content was also updated to replace NIST Cybersecurity Framework (CSF) 1.1 references with NIST CSF 2.0 references, and now references the voluntary Healthcare and Public Health (HPH) Cybersecurity Performance Goals, which OCR is urging all HIPAA-covered entities to adopt. The updated version of the SRA desktop application can be downloaded from the HHS website.