
OCR, ASTP release version 3.6 of Security Risk Assessment Tool

The Security Risk Assessment Tool can help small and mid-sized healthcare organizations manage privacy and security risks and maintain HIPAA compliance.

The HHS Office for Civil Rights and the Assistant Secretary for Technology Policy have released version 3.6 of the Security Risk Assessment Tool. Version 3.6 of the SRA Tool consists of enhanced reports, refreshed library files and improved content for questions, responses and education, OCR and ASTP said in an announcement.

The SRA Tool has been updated several times in recent years. It was developed in 2014 to help small and mid-sized healthcare providers assess risks and vulnerabilities to protected health information (PHI) and ensure compliance with HIPAA. The tool is free to download and use.

"The SRA Tool is a desktop application that walks users through the security risk assessment process using a simple, wizard-based approach," ASTP states on its SRA Tool information webpage.

"Users are guided through multiple-choice questions, threat and vulnerability assessments, and asset and vendor management. References and additional guidance are given along the way. Reports are available to save and print after the assessment is completed."

The latest version of the tool has an updated risk scale to align with National Institute of Standards and Technology standards, as well as updated library files that are included when users install the application, which can help mitigate potential vulnerabilities in outdated files.

Additionally, there is a new assessment confirmation button that enables users to confirm that a section has been approved, with the approver's name and date for audit records. New content in the form of questions, responses and education will ideally make the application "more relevant in the evolving cybersecurity environment as well as easier to use," ASTP noted.

The changes to the SRA Tool will improve usability, but healthcare practitioners should know that the tool is just one mechanism for improving compliance. Using this tool does not guarantee HIPAA compliance, nor is it sufficient on its own to address all the privacy and security risks to PHI. Nonetheless, the tool can be helpful for small, medium or under-resourced organizations looking to improve HIPAA compliance.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
