Enhanced Security Risk Assessment (SRA) Tool 2023 Updates: Your Guide to Unlocking Its Power

The Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) released a new version of the Security Risk Assessment (SRA) tool this month, with new forms and features that your practice can use.

In this blog, we’ll review what an SRA is, what the SRA tool is used for, and what the updates to the tool are for 2023.

What is a Security Risk Assessment or Analysis?

Often used interchangeably, a Security Risk Assessment or Security Risk Analysis (SRA) is part of the HIPAA Security Rule's requirement that covered entities (i.e., health plans, most health care providers, health care clearinghouses, and some health apps) conduct an annual assessment of their risks and vulnerabilities around protections of the availability, confidentiality, and integrity of electronic Personal Health Information (ePHI). This assessment must evaluate the administrative, physical, technical, and organizational aspects of your security.

What is the SRA Tool?

The free SRA tool offered by the Department of Health and Human Services was developed by OCR and ONC to help guide small to medium-sized practices through completing their annual SRA. Currently, two forms of the tool exist:

  • A software-based application that runs on Windows.
    • This application provides feedback with each step and displays progress indicators. It also allows for multiple user accounts and file sharing.
  • An Excel-based spreadsheet that consists of the same content as the desktop application version.
    • The tool's download page states that this format is meant to replace the legacy version of the tool, which was a paper format. Our evaluation shows that the Excel format is harder to follow visually and not printable in a useful way.

We recommend using the software version of this tool if possible.

The tool itself guides users through understanding the context of each question, considering the potential impacts to ePHI in your environment, and identifying relevant security references (e.g., the HIPAA Security Rule). There are seven sections to the SRA tool:

  1. SRA Basics
  2. Security Policies, Procedures & Documentation
  3. Security & Your Workforce
  4. Security & Your Data
  5. Security & Your Practice
  6. Security & Your Vendors
  7. Contingency Planning

It is important to note that use and completion of the SRA tool does not guarantee HIPAA compliance, but it does help users complete the required assessment and check that the necessary safeguards are in place.

What Updates to the Tool Have Been Made in 2023?

  • Remediation Report: you can track your responses to identified vulnerabilities inside the tool.
  • Glossary and tool tips: hover over terms to get more information.
  • Updated edition references to the Health Information Cybersecurity Practices (HICP).
  • Bug fixes and usability improvements.

Additional Cybersecurity Resources

Prepare for Cyberthreats

In addition to the free federal resources above (particularly those listed under the Cybersecurity Act of 2015), we recommend reviewing the Federal Trade Commission's guidance on securing your wireless network. These, in combination, will help you prepare your practice to guard against cyberthreats. We also recommend reviewing the government's new healthcare cybersecurity toolkit.

Respond to Cyberattacks

Below is guidance from the HHS Office of Civil Rights (OCR) on the required and recommended steps to follow in response to a cyberattack at a healthcare practice:

Anti-Virus Software

We recommend that you research or seek out expert opinion on the anti-virus software your practice employs. But we caution you not to install more than one anti-virus product. Multiple anti-virus applications can slow down your system and interfere with each other, reducing the effectiveness of the software. Remember that your computer may have anti-virus software pre-installed (such as Windows Defender, which is built into Windows 10).

Train Yourself and Your Staff

Below are free training resources:

Additional Physician Cybersecurity Resources from the AMA

Below are free training resources:

The AMA has also developed tips and advice on protecting your computers and network to keep your patient health records and other data safe from cyberattacks.

Download and share with your staff and IT:

Next Steps

Ready to ensure HIPAA compliance for your practice? Schedule a thorough SRA with us today and safeguard your healthcare environment against cyber threats. We're here to support you every step of the way!

Written By: Jessica Peterson, MD, MPH

About the Author: Jessica Peterson, MD, MPH is the Senior Director of Value-Based Care Policy at Anatomy IT.