Back in undergrad, one of my roommates decided to bring home a dated mustard yellow couch that he found next to a dumpster conveniently featuring a “free” sign. While he expected it to be a great addition to our apartment, the reality was it ended up causing more problems than it was worth. In this case, “free” meant we were getting a couch filled with bugs, animal hair, and 20 years of dust. While “free” can be a tempting offer, it often makes things more complicated and requires additional work.
Recently, the Office of the National Coordinator (ONC), in collaboration with the HHS Office for Civil Rights (OCR) held a training session to promote the newest release of their Security Risk Analysis Tool (otherwise known as “SRAT”). The SRAT tool is a “free” solution provided by the United States government. At HIPAA One we believe the SRAT tool can be an effective training tool for compliance professionals and recognize that it does have its merits (you can read our previous reviews here and here). And although we are admittedly biased, we’re going to put on our game face and outline everything you need to know about the 3.0.1 update.
Before we get too far, it is important to note that the HHS in no way indicates their endorsement or assurance that the utilization of the SRAT tool will result in compliance. Per the HealthIT.gov site, “The Security Risk Assessment Tool at HealthIT.gov is provided for informational purposes only. The tool was designed to assist small to medium organizations and use of this tool is neither required by nor guarantees compliance with federal, state or local laws. ” While this isn’t the ringing endorsement you’d expect from a taxpayer funded project, it is important to note.
The Good: Asset Management, User Interface, and Stability
SRAT’s biggest strength is in their asset management tool. While we could quibble about using non-centralized, file-based desktop application as an asset inventory database, it works well. Assets can be added, removed, and disposed of with the bulk functionality making short work of a tedious process. This feature could benefit smaller organizations with limited needs. They also offer some business associate features that could provide value albeit with the same caveats detailed above (check back with HIPAA One in a few weeks – we’re rolling out a feature that will solve your BAA problems, not just hide them in an obscure, proprietary file.)
The assessment section of the tool contains seven sections with multiple-choice questions. With each question there is an education panel and reference panel to the HIPAA citation. As you complete each section, there is a section summary that shows each of the questions answered outlined in two columns “Areas of Success” and “Areas for Review.”
Overall, great strides have been made in the user interface and general stability of the application. If you don’t believe us, just search around for SRAT version 2.0 and you’ll be impressed too. However, it still has a ways to go. The interface is linear and involves a lot of clicking to move from one section to another, particularly if you have the or need to go backwards.
The Bad: Single-User, Yearly Import, and Self-calculated Risk Score
The SRAT is a file-based, single user approach. While SRAT touts their multiuser feature, it’s essentially in name only as it requires sequential access, emailing or sharing the file in some way from user to user. During a recent webinar, SRAT developers suggested that you could place it in a file share for easy access between multiple users and that “Windows will take care of it.” As individuals who have dealt with many Microsoft Office file conflicts on shared drives, we highly suggest some form of version control.
Importing from one assessment to another remains an issue as it has in previous releases. While the assets are easily exported and re-imported into new assessments, the security assessment questions are not. SRAT developers advise duplicating the SRA file, changing the name and then “backing” your way until the desired areas for updates and changes – not an optimal solution in the least. We also should mention that the tool itself requires administrator access to any PC utilizing the software which should raise the heckles of any security folks you may have on staff. Oh, and be sure to save every 5 minutes, because like in the 90s – SRAT thinks that’s a thing again.
The assessment itself is known in the industry as “semi-quantitative.” While good in theory, it breaks down in practice. Take for example, one of the questions the assessment leads with: “What is the impact and likelihood of information disclosure (ePHI, proprietary, intellectual, or confidential)?” You’re asked to rank the impact and likelihood as low, medium, or high. Don’t get us wrong – these are the big money questions, but it might be tough to answer without in-depth background knowledge and auditing/security training, especially with so little guidance offered by the tool itself. These responses are aggregated into a quantitative risk score that is presented in their final report without any explanation of the algorithm used to calculate the result. Finally, there is no prioritization of gaps or even a high-level executive summary – you’re on your own in communicating and conducting remediation efforts.
As we have mentioned there is concern in the tedious user interface, lack of support for collaboration, but most fundamentally we’re most concerned about you. Utilizing SRAT without the guidance of a trained auditor and substantial investment of time and effort, SRAT may very well fail you in an audit scenario.
By their own admission, the SRAT is targeted towards small to medium sized healthcare practices – generically defined as those with 1-10 providers. Fundamentally, this tool seems to be designed and marketed towards their version of an idealistic provider that fits the narrow constraints of the application without any regard for complex or slight variations from the vanilla use case. We highly recommend a solution that can adapt to your specific needs including practices of differing size, scope, and structure. Organizations with multiple locations or other minor complications will find the SRAT challenging and inadequate.
Much like dumpster diving for furniture, free isn’t always free. If you’re planning on using the SRAT tool for your 2019 security analysis, consider taking another look at HIPAA One. Our industry leading technology makes security and privacy assessments easy and our 100% audit pass rate should give you some peace of mind. Additionally, you’ll have access to our experienced and credentialed audit support team to walk you through any issues or concerns that you may have. Our software is flexible and is explicitly designed to fit any organizational size, structure, and/or skill set. Give us a call to see how HIPAA One can solve your compliance worries.