The HHS has released an updated HIPAA Security Risk Assessment Tool with a couple of new features that users requested to improve usability.
The HHS Office of the National Coordinator for Health Information Technology (ONC), together with the HHS Office for Civil Rights (OCR), designed the HIPAA Security Risk Assessment Tool.
The Security Risk Assessment Tool is intended to help small to medium-sized healthcare organizations perform a thorough, company-wide risk analysis to identify the risks to the integrity, availability, and confidentiality of protected health information (PHI).
Healthcare organizations can use the tool to identify and assess risks and vulnerabilities. They can then use that data to strengthen their safeguards against malware, ransomware, viruses, botnets, and other kinds of cyberattack.
The Health Insurance Portability and Accountability Act (HIPAA) Security Rule makes risk analysis a basic requirement for covered entities. Doing a risk analysis enables a healthcare organization to pinpoint the areas that may be putting PHI at risk. Once the risks have been determined, they are evaluated, prioritized, and managed to a level that is fair and acceptable.
Since the tool was first released, there have been a few updates to improve performance and add functions. The newest version of the Risk Assessment Tool, 3.1, was introduced to coincide with National Cybersecurity Awareness Month and comes with certain user-requested features:
- Risk and vulnerability validation
- Usage of NIST Cybersecurity Framework references
- Better asset and vendor management
- Ability to export entire reports to Excel
- Question flagging and a new Flagged Report
- Fixes for several reported bugs to improve stability
HHS provides a downloadable file of the tool for Windows devices here: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool. Unfortunately, there is no new Mac OS version of the tool.
HHS states that the tool is vital to the work required to conduct and document a risk analysis. However, using the tool does not guarantee that HIPAA-covered entities and their business associates will be in compliance with the risk assessment requirements of the HIPAA Security Rule. The tool is only an instrument for facilitating the performance of risk assessments.