HHS offers free data security risk assessment tool

The Office of the National Coordinator for Health Information Technology is offering its security risk assessment tool free to all industry stakeholders.

“Conducting a security risk assessment is one way to identify and assess risks to electronic protected health information within your organization, check if your organization has appropriate safeguards in place, and reveal any areas where ePHI may be at risk,” say Kathryn Marchesini, chief privacy officer at ONC, and Ali Massihi, information technology specialist at the Department of Health and Human Services.

Further, assessing security risks can help reduce the chance of being impacted by a variety of cyberattacks and online scams, they add.

The assessment also helps document the risk identification and analysis process, including activities such as vulnerability scans and site walk-throughs.

The tool helps organizations stay safe in four different ways.

Identify potential threats and vulnerabilities. The security risk assessment (SRA) tool is designed to help small and medium-sized provider organizations identify potential threats and vulnerabilities—such as a weak login to access the electronic health record—which can be used to inform an organization’s development of plans to protect electronic patient data.

Review all electronic devices involved with ePHI. The tool enables users to include in the review all electronic devices that store or capture ePHI, such as EHR hardware and software, as well as technical endpoints and devices that can access data maintained in the EHR, such as smartphones and tablet computers.

Routinely assess overall security risks. Some providers may perform security reviews annually or as needed when new technology comes into the organization. However, it is best to continue to review, correct, modify and update security protections in the era of new and emerging threats.

Comply with HIPAA. The organization can comply with the HIPAA Security Rule by uncovering potential weaknesses in security policies, processes and systems. HIPAA requirements pertain to all ePHI an organization creates, receives, maintains or transmits, not just what is in the electronic health record or another health IT product.

The security risk assessment tool is available here.