The annual Safeguarding Health Information: Building Assurance through HIPAA Security conference, hosted by the HHS Office for Civil Rights (OCR) and the National Institute of Standards and Technology (NIST), took place in late October in DC. This post is Part Two and picks up where my previous blog left off.
- OCR’s SRA 3.0 risk analysis software is very basic and only intended for small providers.
- More and more healthcare providers are realizing that they need a robust software solution to conduct their risk analysis to meet OCR’s expectations, and manage today’s threat landscape.
The SRA 3.0 Tool is VERY Basic
Prior to the conference, OCR announced that it had released its new SRA tool, version 3.0, with numerous improvements. OCR representatives Nick Heesters and Rose-Marie Nsahai demonstrated the SRA tool in the afternoon session. There was some positive feedback, some negative, and several questions about the software’s limitations and inconsistencies with OCR’s guidance document. I noted that while the SRA tool enables you to record your information assets, it does not provide a means to specify their properties, nor to link these assets to the vulnerabilities and threats that specifically apply to them. Further, it does not tie specific controls to the applicable threat scenarios for these assets. Nor is there any way to frame risk in the tool, that is, to establish definitions for impact and likelihood. One gentleman from the audience pointed out that the SRA tool also does not calculate the impact and likelihood score correctly and asked whether that issue had been addressed in version 3.0. The OCR representatives were not sure and said they would “need to check with the contractor.”
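As an added illustration (not code from this post, from OCR’s SRA tool, or from any vendor product), the following Python sketch shows what an asset-based risk register has to carry to address the gaps noted above: each asset records its properties, is linked to the threat/vulnerability pairs that apply to it, has controls tied to those specific scenarios, and is scored against explicitly framed likelihood and impact scales. The five-point scales, the rating thresholds, the sample assets and the control effects are all constructed assumptions for the demonstration, not OCR’s or NIST’s definitions.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Risk framing: the explicit scale definitions every scenario is scored against.
# These scales and thresholds are constructed for this example (assumption),
# not OCR's or NIST's definitions.
LIKELIHOOD_SCALE = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT_SCALE = {1: "Negligible", 2: "Minor", 3: "Moderate", 4: "Major", 5: "Severe"}


@dataclass
class Control:
    name: str
    likelihood_reduction: int = 0   # scale steps the control lowers likelihood
    impact_reduction: int = 0       # scale steps the control lowers impact


@dataclass
class ThreatScenario:
    threat: str
    vulnerability: str
    likelihood: int                 # inherent score on LIKELIHOOD_SCALE
    impact: int                     # inherent score on IMPACT_SCALE
    controls: List[Control] = field(default_factory=list)  # controls tied to THIS scenario


@dataclass
class Asset:
    name: str
    properties: Dict[str, str]      # asset properties, e.g. ePHI present, location, owner
    scenarios: List[ThreatScenario] = field(default_factory=list)


def clamp(value: int) -> int:
    """Keep a score on the 1..5 scale after control adjustments."""
    return max(1, min(5, value))


def residual_scores(scenario: ThreatScenario):
    """Apply the linked controls to the inherent likelihood and impact."""
    likelihood = clamp(scenario.likelihood - sum(c.likelihood_reduction for c in scenario.controls))
    impact = clamp(scenario.impact - sum(c.impact_reduction for c in scenario.controls))
    return likelihood, impact


def rating(score: int) -> str:
    """Map a likelihood x impact product (1..25) onto a qualitative band (constructed thresholds)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def risk_register(assets: List[Asset]) -> List[dict]:
    """One row per asset/threat-scenario pair, highest residual risk first."""
    rows = []
    for asset in assets:
        for s in asset.scenarios:
            r_l, r_i = residual_scores(s)
            rows.append({
                "asset": asset.name,
                "threat": s.threat,
                "vulnerability": s.vulnerability,
                "inherent_score": s.likelihood * s.impact,
                "controls": [c.name for c in s.controls],
                "residual_likelihood": LIKELIHOOD_SCALE[r_l],
                "residual_impact": IMPACT_SCALE[r_i],
                "residual_score": r_l * r_i,
                "residual_rating": rating(r_l * r_i),
            })
    rows.sort(key=lambda r: r["residual_score"], reverse=True)
    return rows


def unmitigated(assets: List[Asset]) -> List[dict]:
    """Threat scenarios with no control linked to them: gaps the register should surface."""
    return [{"asset": a.name, "threat": s.threat}
            for a in assets for s in a.scenarios if not s.controls]


def sample_assets() -> List[Asset]:
    """Constructed inventory for the demonstration; not real systems or real scores."""
    patching = Control("Monthly patch management", likelihood_reduction=1)
    backups = Control("Offline backups tested quarterly", impact_reduction=2)
    fde = Control("Full-disk encryption", impact_reduction=3)
    ehr = Asset("EHR database server",
                {"ePHI": "yes", "location": "data center", "owner": "IT"},
                [ThreatScenario("Ransomware", "Unpatched remote access gateway", 4, 5, [patching, backups]),
                 ThreatScenario("Insider misuse", "No review of access audit logs", 2, 4)])
    laptop = Asset("Clinician laptop",
                   {"ePHI": "yes", "location": "mobile", "owner": "Clinical ops"},
                   [ThreatScenario("Theft or loss", "Device leaves the facility", 3, 4, [fde])])
    return [ehr, laptop]


if __name__ == "__main__":
    for row in risk_register(sample_assets()):
        print(f'{row["residual_rating"]:6} {row["residual_score"]:2}  {row["asset"]} / {row["threat"]}')
    for gap in unmitigated(sample_assets()):
        print("No control linked:", gap["asset"], "/", gap["threat"])
```

The point of the structure is that controls attach to an asset’s threat scenario rather than floating free, so the register can show both the inherent and the residual score per scenario and immediately list any scenario that has no control linked to it at all.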
OCR Re-Affirms Security Risk Assessment Tool 3.0 Intended for Small Providers
During the questioning, the OCR representatives repeatedly restated something that Director Severino had said in his keynote address: the SRA 3.0 tool is intended for small- to medium-sized organizations with non-technical staff. The implication is that these organizations are probably not doing anything at all for risk analysis, and the tool is a way to get them to do something. One audience member who identified herself as an IT consultant made the case that she should be able to use the SRA tool for large organizations. The OCR representatives replied that, while it can be used by any organization (i.e., it’s free to all), it’s a “starting point for thinking about your risk analysis” and is not intended for larger organizations that are “more complex, are under constant attack,” and have more resources available. As OCR has said many times in the past, it will hold larger organizations “to higher standards.” The takeaway here is: if you are a large provider thinking you can get by just using the SRA tool to do your risk analysis, think again.
Healthcare Providers Are Embracing Software – It’s About Time!
Based on the interest in the SRA tool and, to some extent, the comments about its shortcomings, my final takeaway was that many of these organizations are seeking a software tool to conduct their risk analysis and facilitate their risk management process. Smart organizations have come to realize that an enterprise risk analysis of the kind OCR requires cannot be accomplished with spreadsheets. Using software to complete a risk analysis is not a new concept; after all, over 400 organizations are already using Clearwater’s IRM|Analysis SaaS risk management software platform to conduct their risk analysis by the book. However, other organizations have traditionally been slow to adopt software for this purpose. This is changing.
The topic of “what software can I use to do this” came up again on Friday during the Best Practices for Managing Risk panel discussion, when there were at least two questions about what tools the panelists were using to conduct their risk analysis. One of the panelists, Dan Bowden, CISO at Sentara Healthcare, talked about how Sentara uses multiple solutions to manage its overall risk management program. Bowden noted that it uses a software platform, along with the software vendor’s services, to facilitate its risk analysis. He also said they produce an OCR-ready report directly from the software’s “Risk Register.” Any guess which software platform they use for this? I’ll give you a hint – it might have been mentioned earlier in this blog, and no it’s not OCR’s SRA tool!
The Safeguarding HIPAA Conference once again spotlighted that healthcare organizations must perform an enterprise-wide, information asset-based risk analysis in accordance with OCR’s guidance. OCR has made it clear through enforcement actions and through its statements that risk analysis will remain the centerpiece of its oversight.
Executing a risk analysis the right way, per OCR’s guidance, and managing it on an on-going basis requires a purpose-built software system designed to meet OCR’s requirements.
We recognized this need many years ago and, as a result, developed IRM|Pro, the leading cyber risk management software for healthcare. With over 400 customers using our IRM|Pro software, and having assisted many healthcare organizations with responses to OCR inquiries, we are well aware that OCR has received reports directly from our system and that they have been accepted when our methodology is followed. The point is that risk analysis can be done the way OCR wants it done, and OCR is aware that others are implementing risk analysis the right way. The bar has been raised, but there is a solution. OCR’s continued focus on managing risk right will drive the industry’s adoption of cyber risk management software. This will ultimately result in fewer breaches and fewer enforcement actions by OCR, a vision we should all share and look forward to.