ONC Needs to Improve Risk-Rating Features of New Security Tool

The risk-rating features of a new tool developed by the Office of the National Coordinator for Health IT to help healthcare providers in small to medium-sized physician offices conduct security risk assessments (SRA) need improvement. Released in late March, the SRA tool is designed by ONC to help practices of 1 to 10 providers meet HIPAA requirements for securing protected health information. However, more guidance about how to rate real-world threats to ePHI is required to make the tool useful.

"The tool allows users to rate as 'Low,' 'Medium,' or 'High' the 'Likelihood of harm' and the 'Impact of harm' related to each security rule requirement the tool evaluates," states a review posted in an April 14 blog by Randal L. Gainer, a privacy attorney and certified security professional at Seattle law firm BakerHostetler. "Yet the tool offers incomplete guidance regarding why the risks associated with each requirement should fall into the 'Low' category as opposed to the 'Medium' or 'High' category. Users are left to guess whether failing to comply with a requirement would have a low, medium, or high likelihood of affecting the confidentiality, integrity, or availability of ePHI, and whether the impact of such an effect would be 'Low,' 'Medium,' or 'High.'"

According to Gainer, part of the problem is that the SRA tool does not enable a threat-based approach and instead suggests that an entity must focus equally on all of the HIPAA Security Rule requirements. In addition, he asserts that the tool does not identify recognized threats, such as an employee or contractor without authorization being able to access protected information. The risk-rating features of the tool should be improved by identifying specific threats to ePHI, Gainer argues.
