U.S. Department of Health and Human Services (HHS)
The Office of the National Coordinator for Health Information Technology (ONC)

Security Risk Assessment (SRA) Tool User Guide

Version: 2.0
Date: September 2016

DISCLAIMER

The Security Risk Assessment (SRA) Tool and the SRA Tool User Guide are provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with Federal, State or local laws. Please note that the information presented may not be applicable or appropriate for all health care providers and professionals. The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website at: www.hhs.gov/ocr/privacy/hipaa/understanding/index.html

NOTE: The NIST Standards referenced in the Security Risk Assessment Tool and the SRA Tool User Guide are for informational purposes only, as they may reflect current best practices in information technology and are not required for compliance with the HIPAA Security Rule's requirements for risk assessment and risk management. This tool is not intended to serve as legal advice or as recommendations based on a provider or professional's specific circumstances. We encourage providers and professionals to seek expert advice when evaluating the use of this tool.


Page 1: Department of Health and Human Services (HHS) The Office of … · 2016-09-06 · conduct a thorough and accurate assessment of the potential risks and vulnerabilities to the confidentiality,



SRA Tool User Guide

Contents

Acronym Index ........ 3
1. Introduction ........ 4
1.1. Purpose ........ 4
1.2. Audience ........ 4
1.3. What is the SRA Tool? ........ 5
1.4. The Role of the SRA Tool in a Risk Assessment ........ 5
1.5. What the SRA Tool Is Not ........ 6
2. Downloading the SRA Tool ........ 6
2.1. Downloading the SRA Tool (Windows version) ........ 6
2.2. Downloading the SRA Tool (iPad version) ........ 8
3. Using the SRA Tool ........ 8
3.1. Creating and Updating Users ........ 9
3.2. Adding Information About Your Practice ........ 11
3.3. Adding Information about Business Associates ........ 11
3.4. Adding Information about IT Assets ........ 12
3.5. SRA Tool Login and Question Window ........ 13
3.6. Answering SRA Tool Questions ........ 16
3.7. Reporting ........ 18
3.8. Using the Navigator ........ 21
3.9. Exporting Data from the SRA Tool ........ 22
3.10. Importing Data into the SRA Tool ........ 23
3.11. Logging Out of the SRA Tool ........ 23
4. Uninstalling the SRA Tool ........ 23
Appendix A  Addressable and Required Specifications ........ 24



Acronym Index

Acronym    Definition
EHR        Electronic Health Record
ePHI       Electronic Protected Health Information
HHS        U.S. Department of Health and Human Services
HIPAA      Health Insurance Portability and Accountability Act of 1996
HITECH     Health Information Technology for Economic and Clinical Health Act
NIST       National Institute of Standards and Technology
OCR        The Office for Civil Rights within HHS
ONC        The Office of the National Coordinator for Health Information Technology within HHS
OS         Operating System
PDF        Portable Document Format
PHI        Protected Health Information
SRA Tool   Security Risk Assessment Tool


1. Introduction

Welcome to the Security Risk Assessment Tool (SRA Tool), designed to help health care providers and business associates that handle patient information evaluate risks, vulnerabilities, and adherence to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The HIPAA Security Rule requires health care providers, health plans, and business associates to conduct risk analyses and implement technical, physical, and administrative safeguards for electronic protected health information (ePHI). The Office of the National Coordinator for Health Information Technology (ONC) worked together with the Office for Civil Rights (OCR), which enforces the HIPAA Security Rule, to develop this tool to enable providers and other entities to meet their HIPAA Security Rule compliance responsibilities.

We hope you find this tool helpful as you work towards improving the privacy and security of your health care practice and its compliance with the HIPAA Security Rule. Please remember that this is only a tool to assist in a practice's review and documentation of a risk assessment. Therefore, this tool is only as useful as the work that goes into performing and recording the risk assessment process. Once you have assessed your security risks using the tool, you may need to take appropriate steps to remediate any areas found wanting. The use of this tool does not mean that your practice is fully compliant with the HIPAA Security Rule or other federal, state or local laws and regulations. It does, however, help you comply with the HIPAA Security Rule requirement to conduct periodic security risk assessments.

Note: This tool runs on your computer. None of the information you enter is reported to OCR or ONC through the tool.

1.1. Purpose

The purpose of the SRA Tool is to assist health care providers and their business associates in performing and documenting a Security Risk Assessment. The HIPAA Security Rule, effective since 2005, requires all organizations that are covered entities or business associates under HIPAA to conduct a thorough and accurate assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the entity (45 CFR 164.308(a)(1)(ii)(A)). As the health care industry is both diverse and broad, the HIPAA Security Rule is designed to be flexible and scalable.

1.2. Audience

This SRA Tool is designed for small to medium-sized practices and their business associates. ONC has historically defined small to medium-sized practices to be those with one to ten health care providers. This SRA Tool was designed to assist these smaller organizations in performing and documenting a risk assessment. While the tool may be helpful or informative for larger organizations, it may not account for the complexities sometimes found in such organizations, because the tool is intended for small organizations. Organizations should choose a security risk assessment tool and process that is right for them.


1.3. What is the SRA Tool?

The SRA Tool is a software application that a health care provider can use, along with other tools and processes, to assist in reviewing its implementation of the HIPAA Security Rule. The SRA Tool is available at no cost and can be used with several operating systems, including Microsoft Windows for desktop and laptop computers and Apple iOS for iPad. The iOS SRA Tool application for iPad can be downloaded from the Apple App Store. Section 2 provides instructions on how to download both versions of the SRA Tool.

The SRA Tool guides health care providers and business associates through the standards and implementation specifications identified in the HIPAA Security Rule and covers basic security practices, security failures, risk management, and personnel issues. Basic security practice questions include defining and managing access to systems and PHI; backups and data recoveries; and technical and physical security. Risk management questions address periodic reviews and evaluations and can include regular functions, such as continuous monitoring. Lastly, personnel issue questions address access to information as well as the on-boarding and release of staff, and help to identify areas where staff training may be appropriate, for example, not sharing passwords.

The sources of information used to support the development of the SRA Tool questionnaires include the following:

• HIPAA Security Rule [1]
• National Institute of Standards and Technology (NIST) Special Publication 800-66 [2]
• NIST Special Publication 800-53 [3]
• NIST Special Publication 800-53A [4]
• Health Information Technology for Economic and Clinical Health (HITECH) Act [5]

[1] http://www.hhs.gov/hipaa/for-professionals/security/
[2] http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
[3] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
[4] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf
[5] https://www.healthit.gov/sites/default/files/hitech_act_excerpt_from_arra_with_index.pdf

1.4. The Role of the SRA Tool in a Risk Assessment

The SRA Tool can support an organization's risk assessment process. Risk assessment identifies conditions under which ePHI could be disclosed without proper authorization, improperly modified, or made unavailable when needed. Responses to the questions in the SRA Tool can be used to help organizations identify areas where security controls and organizational policies designed to protect ePHI may need to be implemented or where existing implementations may need to be improved. Compliance with the Security Rule's risk analysis and risk management implementation specifications requires organizations to accurately and thoroughly assess the potential risks and vulnerabilities to all of their ePHI, including ePHI on all forms of electronic media, and implement security measures that are sufficient to reduce these risks and vulnerabilities to a level that is reasonable and appropriate. If, after completing all of the questions in the SRA Tool, threats and vulnerabilities still exist but are unaccounted for in the SRA Tool (i.e., a particular threat or vulnerability did not fit well with any of the existing questions), the organization must either 1) document the unaccounted-for threats and vulnerabilities and assess the risk posed in the most appropriate place within the SRA Tool, or 2) document the unaccounted-for threats and vulnerabilities and assess the risk posed as part of a separate risk assessment document to supplement the SRA Tool. Using the tool will help you identify areas where you need to make changes to your security; the tool will not make those changes for you.

1.5. What the SRA Tool Is Not:

A Tool that Supports Multiple Concurrent Users. The SRA Tool is not intended to be, nor was it built to be, a collaborative tool to be used simultaneously by many users. It is expected that a single user at any one time, with appropriate permissions to install and run the application on the computer, will use the tool to individually capture information. However, multiple users may access the tool on separate occasions, and Version 2.0 of the tool allows the user to export a copy of the data entered into the tool and share it with other users so that they may add additional information (see Sections 3.9 and 3.10). If you choose to use this feature you should ensure a single file is used, since you cannot merge two different copies of the data.

A Guarantee of HIPAA Compliance. The SRA Tool does not produce a statement of compliance, nor does completion of the tool guarantee or otherwise indicate compliance with the HIPAA Security Rule or any other Federal, State, or local statutes. However, while the Tool will not prove you comply with the Security Rule in all respects, when completed in an accurate and thorough manner it can provide documentation of your organization's efforts to conduct a risk assessment, and this, in turn, is one of many aspects of Security Rule compliance that may be evaluated in an OCR audit or compliance review. Organizations may use the SRA Tool in coordination with other tools and processes to support risk analysis and risk management activities required by the HIPAA Security Rule. Statements of compliance are the responsibility of the covered entity and the HIPAA Security Rule regulatory and enforcement authority. Please note, the SRA Tool provides guidance in understanding the requirements of the HIPAA Security Rule, Risk Analysis specifically, and does not cover additional Security Rule requirements nor provisions of the HIPAA Privacy Rule.

2. Downloading the SRA Tool

2.1. Downloading the SRA Tool (Windows version)

To download the SRA Tool for Microsoft Windows, navigate to ONC's website at: http://www.healthit.gov/security-risk-assessment (Figure 1).


Figure 1. HealthIT.gov/security-risk-assessment

Next, select the blue button located within the "Security Risk Assessment Tool" box (Figure 2).

Figure 2. SRA Tool Link Location

Once you select the button, you will be directed to the Security Risk Assessment Tool page. Navigate to the right side of the page to begin downloading the Windows version of the tool (Figure 3).



Figure 3. Windows-Version Download Link

While your downloading experience may vary depending upon the Internet browser you are using, all browsers should allow you to save the file on your desktop computer or laptop. Once prompted, select the arrow symbol next to the "Save" option and save the file to a location of your choice. Be sure to remember the location where you downloaded the file, as you will need to double-click the file to run the tool.

2.2. Downloading the SRA Tool (iPad version)

To download the free SRA Tool onto your iPad, you will need to access the Apple App Store. The SRA Tool is currently not available for other Apple products such as the iPhone. Within the App Store, you can find the SRA Tool by searching for "HHS SRA Tool." Select the "Free" button followed by the "Install" button to begin downloading the tool. Downloading should begin automatically and should only take a couple of minutes depending on your Internet connection speed. Once the installation is complete, the SRA Tool icon will appear on your iPad screen. Select the SRA Tool icon to begin your assessment.

3. Using the SRA Tool

Once you have downloaded the application and saved it to your computer, double-click the icon and select "Run" when prompted. iPad users should tap the SRA Tool icon to launch the tool. The SRA Tool will open to the SRA Tool login screen (Figure 4).



Figure 4. Login Screen

Once you install and launch the SRA Tool, you will notice four tabs on the right (Figure 5):

• Users – You may create new users on this tab

• About Your Practice – Enter information about your practice or business on this tab, including the name and contact information for your organization

• Business Associates – You may maintain a list of your business associates on this tab

• Asset Inventory – You may maintain an inventory of your organization's IT assets on this tab

If this is the first time you have used the tool, navigate to the "Users" tab to begin.

Figure 5. Login Screen Tabs

3.1. Creating and Updating Users

To create a new user, type the user's first and last names and initials in the associated fields (Figure 6).



Figure 6. Creating a New User

Once you have entered the user's information, select the "Users" tab again to bring up the "Log In" button (Figure 7).

Figure 7. Saving Changes to a New User

If multiple people will add information in the tool, you may want to create multiple users. The tool will track when a user makes an update to an assessment question; this will allow you to monitor who in your organization answered a specific question if you need to follow up with them later. To add multiple users, simply type in their information using the additional fields. Each time you access the tool, all user names are pre-populated in the users list. When you log in again, you will already see your name listed, and can simply select the "Log In" button next to your credentials. Please remember that only one user can access the tool at any one time (Figure 8).

Figure 8. Editing a User

To edit a user, double-click on a user's name or initials. The selected field will become editable. When you have made the edits to the user, click "Finished" (Figure 9).



Figure 9. Saving Changes to an Edited User

To delete a user, double-click on a user's name or initials to begin editing that user. Then delete the user's first name, last name, and initials. Click "Finished" and the user will be deleted.

3.2. Adding Information About Your Practice

To add information about your practice or business, such as your address, select the "About Your Practice" tab from the login screen (Figure 5). Fill in the "Name," "Address," "City," "State or Territory," "Zip Code," and "Telephone Number" in the corresponding fields (Figure 10). This information will be saved within the tool and will not be collected or maintained by HHS.

Figure 10. Filling out the About Your Practice Tab

3.3. Adding Information about Business Associates

To add information about your business associates, select the "Business Associates" tab from the login screen (Figure 5). You will need to fill in the "Name," "Type," and "Address" in the corresponding fields (Figure 11). There is no limit to the number of Business Associates you can add. New fields will be generated after you re-select the "Business Associates" header. For more information on who may be a Business Associate, please refer to the OCR website at: www.hhs.gov/ocr.



Figure 11. The Business Associate Tab

3.4. Adding Information about IT Assets

To add information about IT assets, select the "Asset Inventory" tab from the login screen (Figure 5). Within this tab, you will see four fields, labeled "Name," "Type," "Has ePHI," and "Assignee." These fields have no length limit; they allow you to input as much information as needed (Figure 12).

Figure 12. The Assets Tab

Under "Name," provide the name for the information asset, for example, "Electronic Health Record (EHR)" or "Practice Management System." In the field labeled "Type," describe the type of asset. For example, you can label it "an application" and explain how ePHI is transmitted or stored. A copy machine may also store ePHI and therefore may be an example of an asset. The next field, labeled "Has ePHI," allows you to document whether the asset receives, transmits, or stores ePHI. The last field, "Assignee," allows you to document who in your organization is responsible for this particular asset.



3.5. SRA Tool Login and Question Window

To log in, select the "Users" tab. Select the "Log In" button located next to your user name on the login screen (Figure 4). After you log in, the first screen you will see explains the Administrative, Physical, and Technical Safeguards under the HIPAA Security Rule (Figure 13). Read the descriptions and disclaimer. In the lower right corner, you will see three options, "Import Assessment," "Create New," and "Continue Current."

• Import Assessment – Data can be exported from the SRA Tool into an SRA file. The SRA file can then be stored as an offline backup or transferred to another computer. An SRA file can be imported to another copy of the SRA Tool. This option allows you to import a previously exported SRA file. Importing and exporting SRA files is useful, for example, for transferring risk assessments between computers. Because the exported file holds your assessment answers, asset inventory, and practice details, store and transmit it with the same care as your other sensitive practice records. For more information on importing or exporting SRA files, please see Sections 3.9 and 3.10.

• Create New – This option allows you to create a brand new assessment. If this is your first time using the tool, this will be the only option to select. NOTE: If you already have data entered into the tool, selecting the "Create New" option will erase existing data in the tool.

• Continue Current – If you have previously imported an assessment or have already started an assessment, this option allows you to continue working on that assessment. NOTE: If you have previously entered data (even using a prior version of the tool), you should already have data the tool can access, so use this option if you want to add information to your previous assessment.

Figure 13. Administrative, Physical, and Technical Safeguards Screen

Once you select one of the three options, you will be placed on the SRA Tool Question Window (Figure 14).



Figure 14. SRA Tool Question Window

The first question appears within the gray box on the left side of the tool. The question cites the Security Rule and displays whether the item is "Standard," "Required," or "Addressable." Under the Security Rule, these terms are defined as:

• Standards – measures a covered entity must take to ensure the confidentiality, integrity, and availability of ePHI while in the custody of covered entities and business associates as well as while in transit. Covered entities and business associates must comply with the applicable Standards provided in the Security Rule with respect to all ePHI.

• Implementation Specifications – may be either Required or Addressable. These are instructions for implementing Security Rule Standards.

• Required – Implementation Specifications must be implemented by the covered entity or business associate.

• Addressable – The concept of "addressable implementation specifications" was developed to provide covered entities additional flexibility with respect to compliance with the security standards. However, "addressable" does not mean "optional." For Implementation Specifications which are addressable, the covered entity or business associate must assess whether the implementation specification is a reasonable and appropriate security measure to apply when analyzed with reference to the likely contribution it would make to protecting ePHI in the organization's own environment. If it is, the entity must implement the specification; if not, the entity must document why it is not, and put in place alternative procedures (if reasonable and appropriate). For example, the Information Access Management standard includes the addressable Access Establishment and Modification implementation specification. A solo practitioner with two employees may determine that it is not "reasonable and appropriate" to implement policies and procedures to modify "…a user's right of access to a workstation, transaction, program or process" because all three workforce members require the same access to ePHI. The covered entity must document the rationale for deciding these particular measures were not reasonable and appropriate and what alternative measures are in place to comply with the Information Access Management standard.

If the implementation specification is reasonable and appropriate, then the covered entity or business associate must implement that addressable Implementation Specification.

If the implementation specification is determined to not be reasonable and appropriate, the covered entity or business associate must document why it would not be reasonable and appropriate and implement an equivalent alternative measure if reasonable and appropriate (see Appendix A, Addressable and Required Specifications).

TheyellowbaraboveeachassessmentquestionislabeledaccordingtothetypeofSecurityRulecategorythequestioncovers.Forexample,“A”standsfor“Administrative;”“T”forTechnical;and“P-H”for“Physical.”Questionsarenotinpresentedinnumericalorder.Instead,similarquestionsaregroupedbytopicacrosstheadministrative,technical,andphysicalsections.

Above the yellow bar is a progress bar to indicate how much of the assessment you havecompleted(Figure15).

Figure15.ProgressBar

Atbottomrightarefivebuttonsthatcanhelpyouusethetool(Figure16):

• Report–ThisbuttoncreatesaPDForMicrosoftExcelformattedreportofthedatayouhaveenteredintotheSRATool.Formoreinformationonreporting,pleaseseeSection3.7.

• Glossary–ThisbuttondisplaysaglossaryoffrequentlyusedtermsintheSRATool

• Navigator–Thisbuttondisplaysthe“NavigatorView.”FormoreinformationontheNavigatorView,pleaseseeSection3.8.

• RelatedInfo–Thisbuttondisplaysthe“ThingstoConsider,”“ThreatsandVulnerabilities,”and“ExamplesofSafeguards”tabs.Youmayfindthesetabsusefulwhenansweringquestionsinthetool.FormoreinformationontheRelatedInfobutton,pleaseseeSection3.6.

• Export – This button exports data in the tool into an SRA file. SRA files can be used to back up your risk assessment data, or to send to another user to open on their computer. For more information on exporting, please see Section 3.9.

Figure 16. Navigation Buttons

3.6. Answering SRA Tool Questions

Once you have logged into the tool and are viewing the question window (see Section 3.5), you are now ready to answer the assessment questions in the tool. To answer a question, select either “Yes” or “No” below the question (Figure 17). You can also select the “Flag” option if you want to call attention to a question. Flagging can be done to remind you to review the question again later or to indicate to another person in your organization that you need them to review or answer the question.

Figure 17. Answering a Question

If your answer is “No”, then four radio buttons suggesting the best reason for answering “No” will be displayed: “Cost,” “Practice Size,” “Complexity,” and “Alternate Solution” (Figure 18).


Figure 18. Reasons for Answering “No”

NOTE: If an implementation specification is described as “required,” the specification must be implemented. Addressable means that if implementing the specification is not reasonable and appropriate, an alternative solution may be implemented that effectively safeguards the confidentiality, availability, and integrity of the protected health information (PHI). To better understand the elements of addressable specifications, see the Appendix on page 24.

Once you answer the assessment question (either “yes” or “no”), space is provided for you to: describe your current activities (i.e., what you are doing to meet the requirement), add any additional notes, or explain how you plan to address or remediate identified shortcomings (Figure 19). Select the appropriate tab for each category. The information you provide will appear in your risk assessment report.

Figure 19. Current Activities, Notes, and Remediation Tabs

The radio buttons below the space allow you to document the likelihood that a particular threat could affect your ePHI. You can also rate the impact or level of harm that could occur if the standard or requirement stated in the question is not met (Figure 20).


Figure 20. Risk Likelihood and Impact

On the right side of the question, there are three tabs that can help you understand and answer the question (Figure 21). “Things to Consider” gives you factors to think about when evaluating your practice. “Threats and Vulnerabilities” offers information to help you understand what some of the risks are and their potential impact. “Examples of Safeguards” provides some potential ways of reducing or eliminating risks or vulnerabilities. You may hover your mouse pointer over underlined words to view a tooltip bubble with the word’s definition.

Figure 21. Things to Consider Tab

3.7. Reporting

The “Report” button on the question window (Figure 16) opens up the Report Summary screen (Figure 22). This screen lets you see the current status of the assessment results.


Figure 22. Report Summary Screen

The SRA Tool also provides options to create a portable document format (PDF) or Microsoft Excel document report of the data you have entered into the tool. To create a PDF or Excel report, select the “Create PDF/Excel” button on the Report Summary Screen. This will display the Report Options screen (Figure 23). On the Report Options screen, you may select:

• Report Format – Either PDF or Excel format

• Report Sections – Your responses to the SRA Tool questions are always included in the report. In addition, you may select that users, business associates, and your asset inventory are included in the report as well. Also, if you are generating a PDF report, you may choose to have the tool generate charts (Figure 26).

• Report Options – These options let you filter what information is produced in the report, such as the risk level, notes, citation, or last edit.

Figure 23. Report Options Screen


When you are finished selecting your report options, click on “Create” to create your PDF or Excel report. You will be prompted to select a location to save the report using a standard “Save As” dialog (Figure 24).

Figure 24. “Save As” Dialog for Report Creation

Once you select a file location to save the report, the tool will create your report. If you created a PDF report, the Report Preview Screen will pop up (Figure 25). Within this window you will be able to scroll down to see the report. To close the pop-up window, simply click on the “X” button located at the top right of the window.

Figure 25. Report Preview Screen

To open the saved report, simply locate the file within the folder where you saved the report.


NOTE: make sure to view your report before printing it. If you have selected a lot of columns, the report may be very long or span many pages.

The report can also be viewed in a chart form (Figure 26). The chart can also be created in a PDF by selecting the “Charts” option on the Report Options Screen (Figure 23).

Figure 26. Chart Report

3.8. Using the Navigator

The Navigator view allows you to both see how many questions are completed in each section and also navigate to a particular section at any time (Figure 27). This allows you to answer the questions in any order you desire. While you may answer questions in any order, the report will always display/print in the order of the HIPAA Security Rule. To access the Navigator view, click on the “Navigator” button on the SRA Tool question window (Figure 14).

Figure 27. Navigator View


To move through the navigator sections, select the small grey arrow symbol and the question category will expand to display the Administrative, Physical and Technical sections (Figure 28). It will also indicate how many questions are in each section and how many of the questions have been answered.

Figure 28. Expanded Navigator View

3.9. Exporting Data from the SRA Tool

Data can be exported from the SRA Tool into an SRA file. The SRA file can then be stored as an offline backup or transferred to another computer. An SRA file can be imported to another copy of the SRA Tool. To export data, use the “Export” button located on the SRA Tool question window (Figure 14). When you click on the “Export” button, a standard “Save As” dialog will appear that allows you to select a location to save the SRA file (Figure 29).

Figure 29. Exporting an SRA File


ONC strongly recommends that you regularly export data from the tool and save the exported SRA file as a backup of your security risk assessment. Ideally, backups should be stored in a separate location from the computer where the SRA Tool is installed. As exported SRA files are not encrypted, you should protect them with strong access controls or use your own encryption to protect the exported files.

If you have multiple facilities that require separate security risk assessments, you can use the export feature to work on multiple security risk assessments at a time.

3.10. Importing Data into the SRA Tool

If you have previously exported data from the SRA Tool, you can import the data from the Administrative, Physical, and Technical Safeguards screen (Figure 13). When you click the “Import” button, a standard system “Open” dialog will appear that allows you to select a previously exported SRA file. When you select a file, the data will be imported into the SRA Tool. Please note that importing an SRA file will overwrite any existing data in the tool. If you do not want to lose existing data, be sure to export to a separate SRA file before you import a new one. For more on exporting SRA files, see Section 3.9.

3.11. Logging Out of the SRA Tool

To log out of the SRA Tool, select the “Logout” link located at the upper right of the SRA Tool question window (Figure 30). When you log out, all answers are stored for the next time you log in. You can continue working on your assessment by clicking the “Continue Current” button on the Administrative, Physical, and Technical Safeguards screen (Figure 13).

Figure 30. SRA Tool Logout Button

4. Uninstalling the SRA Tool

To uninstall the SRA Tool, first remove any data cached in the tool. To do this, log in to the tool and select “Create New” from the Administrative, Physical, and Technical Safeguards screen (Figure 13). This will remove any data that is cached in the tool. Next, you may delete the SRA Tool program that you downloaded to your computer. This uninstalls the application.

Appendix A Addressable and Required Specifications

In meeting standards that contain addressable implementation specifications, a covered entity must do one of the following for each addressable specification:

(a) implement the addressable implementation specification;

(b) implement one or more alternative security measures to accomplish the same purpose; or

(c) not implement either an addressable implementation specification or an alternative.

However, in all cases, the covered entity or business associate must meet the standard.

The covered entity’s choice must be documented. The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. A covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.

This decision will depend on a variety of factors, such as, among others, the entity's risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation. The decisions that a covered entity makes regarding addressable specifications must be documented. Users may use the space provided in the SRA tool and the radio buttons to document how the organization will implement addressable specifications. More information is available from: http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2020.html
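The following is an added example, not part of the ONC user guide or the SRA Tool itself. It applies the Appendix A rules (and the “No” reasons from Figure 18) as a consistency check over a set of assessment answers: a “No” on a required specification is flagged as a gap, and a “No” on an addressable specification is flagged unless the reason and the rationale/alternative are documented. The SRA file format is not described on this page, so the record layout and the sample records are constructed stand-ins.

```python
from typing import Dict, List

# Reasons the tool offers for a "No" answer (Figure 18).
NO_REASONS = {"Cost", "Practice Size", "Complexity", "Alternate Solution"}


def check_answer(q: Dict) -> List[str]:
    """Return findings for one question record; an empty list means consistent."""
    findings: List[str] = []
    if q["answer"] == "Yes":
        return findings
    if q["type"] == "required":
        # A required specification must be implemented; "No" is a gap to remediate.
        findings.append(f'{q["id"]}: required specification answered "No"; it must be implemented')
        return findings
    # Addressable: the choice must be documented together with the reason for it.
    if q.get("reason") not in NO_REASONS:
        findings.append(f'{q["id"]}: "No" on an addressable specification needs one of {sorted(NO_REASONS)}')
    if not (q.get("remediation") or "").strip():
        findings.append(f'{q["id"]}: document why the specification is not reasonable and appropriate '
                        'and which equivalent alternative (if any) is used')
    return findings


def check_assessment(questions: List[Dict]) -> List[str]:
    """Run check_answer over every record and collect all findings."""
    findings: List[str] = []
    for q in questions:
        findings.extend(check_answer(q))
    return findings


# Constructed sample records (hypothetical layout; not real SRA Tool output).
SAMPLE = [
    {"id": "A1", "type": "required", "answer": "Yes"},
    {"id": "A2", "type": "required", "answer": "No", "reason": "Cost", "remediation": ""},
    {"id": "T3", "type": "addressable", "answer": "No", "reason": "Alternate Solution",
     "remediation": "Full-disk encryption is unsupported on the legacy imaging workstation; "
                    "ePHI is not stored on it and access is only via an authenticated VPN session."},
    {"id": "P4", "type": "addressable", "answer": "No", "reason": None, "remediation": ""},
]

if __name__ == "__main__":
    for finding in check_assessment(SAMPLE):
        print(finding)
```

Running the block on the sample prints three findings: the required gap on A2 and two missing pieces of documentation on P4, while T3 passes because both the reason and the alternative are recorded.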
