OCR Releases Updated Security Risk Assessment Tool
The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) currently has an enforcement initiative focused on the risk analysis implementation specification of the Security Management Process standard of the HIPAA Security Rule. Last week, OCR announced its first enforcement action under that initiative: a $90,000 settlement with Bryan County Ambulance Authority in Oklahoma.
Enforcement of the HIPAA Rules, and especially compliance with the HIPAA Security Rule, is a priority for OCR; however, OCR prefers to work with HIPAA-regulated entities to help them comply with the HIPAA Rules. One of the ways that OCR is helping HIPAA-regulated entities comply with the HIPAA Security Rule is through its Security Risk Assessment (SRA) Tool, a new version of which was released by OCR and the Assistant Secretary for Technology Policy (ASTP) last week.
Hacking incidents and ransomware attacks continue to increase within the healthcare and public health sector, but in many cases these attacks could have been prevented by conducting a comprehensive and accurate risk analysis and addressing the identified risks. Many OCR investigations of large data breaches have uncovered risk analysis failures, including failing to conduct a risk analysis at all and conducting risk analyses that were not comprehensive and accurate. As a result of these failures, risks and vulnerabilities have gone unidentified and unaddressed, and have been exploited by hackers to gain access to healthcare networks and patient data.
The SRA Tool walks regulated entities through multiple-choice questions developed to help identify risks and vulnerabilities before they can be exploited by malicious actors. The new version of the SRA Tool, primarily aimed at small- and medium-sized HIPAA-regulated entities, includes several enhancements based on feedback from users and the latest cybersecurity guidance. The updated tool includes new and enhanced guidance and instructions, new content on identifying supply chain risks, and updated content on mitigating risks and vulnerabilities. The content has also been updated to replace NIST Cybersecurity Framework (CSF) 1.1 references with references to NIST CSF 2.0, and it now references the voluntary Healthcare and Public Health (HPH) Cybersecurity Performance Goals, which OCR is encouraging all HIPAA-regulated entities to adopt. The new version of the SRA desktop application is available for download on the HHS website.