U.S. Department of Health and Human Services (HHS)
The Office of the National Coordinator for Health Information Technology (ONC)
Security Risk Assessment (SRA) Tool User Guide
Version: 2.0    Date: September 2016
DISCLAIMER
The Security Risk Assessment (SRA) Tool and the SRA Tool User Guide are provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with Federal, State or local laws. Please note that the information presented may not be applicable or appropriate for all health care providers and professionals. The Security Risk Assessment Tool is not intended to be an exhaustive or definitive source on safeguarding health information from privacy and security risks. For more information about the HIPAA Privacy and Security Rules, please visit the HHS Office for Civil Rights Health Information Privacy website at: www.hhs.gov/ocr/privacy/hipaa/understanding/index.html

NOTE: The NIST Standards referenced in the Security Risk Assessment Tool and the SRA Tool User Guide are for informational purposes only as they may reflect current best practices in information technology and are not required for compliance with the HIPAA Security Rule’s requirements for risk assessment and risk management. This tool is not intended to serve as legal advice or as recommendations based on a provider or professional’s specific circumstances. We encourage providers and professionals to seek expert advice when evaluating the use of this tool.
SRA Tool User Guide
Contents
Acronym Index ............................................................ 3
1. Introduction ........................................................... 4
1.1. Purpose .............................................................. 4
1.2. Audience ............................................................. 4
1.3. What is the SRA Tool? ................................................ 5
1.4. The Role of the SRA Tool in a Risk Assessment ........................ 5
1.5. What the SRA Tool Is Not: ............................................ 6
2. Downloading the SRA Tool ............................................... 6
2.1. Downloading the SRA Tool (Windows version) ........................... 6
2.2. Downloading the SRA Tool (iPad version) .............................. 8
3. Using the SRA Tool ..................................................... 8
3.1. Creating and Updating Users .......................................... 9
3.2. Adding Information About Your Practice .............................. 11
3.3. Adding Information about Business Associates ........................ 11
3.4. Adding Information about IT Assets .................................. 12
3.5. SRA Tool Login and Question Window .................................. 13
3.6. Answering SRA Tool Questions ........................................ 16
3.7. Reporting ........................................................... 18
3.8. Using the Navigator ................................................. 21
3.9. Exporting Data from the SRA Tool .................................... 22
3.10. Importing Data into the SRA Tool ................................... 23
3.11. Logging Out of the SRA Tool ........................................ 23
4. Uninstalling the SRA Tool ............................................. 23
Appendix A Addressable and Required Specifications ....................... 24
Acronym Index

Acronym    Definition
EHR        Electronic Health Record
ePHI       Electronic Protected Health Information
HHS        U.S. Department of Health and Human Services
HIPAA      Health Insurance Portability and Accountability Act of 1996
HITECH     Health Information Technology for Economic and Clinical Health Act
NIST       National Institute of Standards and Technology
OCR        The Office for Civil Rights within HHS
ONC        The Office of the National Coordinator for Health Information Technology within HHS
OS         Operating System
PDF        Portable Document Format
PHI        Protected Health Information
SRA Tool   Security Risk Assessment Tool
1. Introduction
Welcome to the Security Risk Assessment Tool (SRA Tool), designed to help health care providers and business associates that handle patient information for them to evaluate risks, vulnerabilities and adherence to the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The HIPAA Security Rule requires health care providers, health plans, and business associates to conduct risk analyses and implement technical, physical, and administrative safeguards for electronic protected health information (ePHI). The Office of the National Coordinator for Health Information Technology (ONC) worked together with the Office for Civil Rights (OCR), which enforces the HIPAA Security Rule, to develop this tool to enable providers and other entities to meet their HIPAA Security Rule compliance responsibilities.

We hope you find this tool helpful as you work towards improving the privacy and security of your health care practice and its compliance with the HIPAA Security Rule. Please remember that this is only a tool to assist in a practice’s review and documentation of a risk assessment. Therefore, this tool is only as useful as the work that goes into performing and recording the risk assessment process. Once you have assessed your security risks using the tool, you may need to take appropriate steps to remediate any areas found wanting. The use of this tool does not mean that your practice is fully compliant with the HIPAA Security Rule or other federal, state or local laws and regulations. It does, however, help you comply with the HIPAA Security Rule requirement to conduct periodic security risk assessments.

Note: This tool runs on your computer. None of the information you enter is reported to OCR or ONC through the tool.

1.1. Purpose
The purpose of the SRA Tool is to assist health care providers and their business associates in performing and documenting a Security Risk Assessment. The HIPAA Security Rule, effective since 2005, requires all organizations that are covered entities or business associates under HIPAA to conduct a thorough and accurate assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the entity (164.308(a)(1)(ii)(A)). As the health care industry is both diverse and broad, the HIPAA Security Rule is designed to be flexible and scalable.

1.2. Audience
This SRA Tool is designed for small to medium-sized practices and their business associates. ONC has historically defined small to medium-sized practices to be those with one to ten health care providers. This SRA Tool was designed to assist these smaller organizations in performing and documenting a risk assessment. While the tool may be helpful or informative for larger organizations, it may not account for the complexities sometimes found in such organizations, because the tool is intended for small organizations. Organizations should choose a security risk assessment tool and process that is right for them.
1.3. What is the SRA Tool?
The SRA Tool is a software application that a health care provider can use, along with other tools & processes, to assist in reviewing its implementation of the HIPAA Security Rule. The SRA Tool is available at no cost and can be used with several operating systems, including Microsoft Windows for desktop and laptop computers and Apple iOS for iPad. The iOS SRA Tool application for iPad can be downloaded from the Apple App Store. Section 2 provides instructions on how to download both versions of the SRA Tool.

The SRA Tool guides health care providers and business associates through the standards and implementation specifications identified in the HIPAA Security Rule and covers basic security practices, security failures, risk management, and personnel issues. Basic security practice questions include defining and managing access to systems and PHI, backups and data recoveries; and technical and physical security. Risk management questions address periodic reviews and evaluations and can include regular functions, such as continuous monitoring. Lastly, personnel issue questions address access to information and the on-boarding and release of staff, and help to identify areas where staff training may be appropriate, for example, not sharing passwords.

The sources of information used to support the development of the SRA Tool questionnaires include the following:
• HIPAA Security Rule [1]
• National Institute of Standards and Technology (NIST) Special Publication 800-66 [2]
• NIST Special Publication 800-53 [3]
• NIST Special Publication 800-53A [4]
• Health Information Technology for Economic and Clinical Health (HITECH) Act [5]
1.4. The Role of the SRA Tool in a Risk Assessment
The SRA Tool can support an organization’s risk assessment process. Risk assessment identifies conditions under which ePHI could be disclosed without proper authorization, improperly modified, or made unavailable when needed. Responses to the questions in the SRA Tool can be used to help organizations identify areas where security controls and organizational policies designed to protect ePHI may need to be implemented or where existing implementations may need to be improved. Compliance with the Security Rule’s risk analysis and risk management implementation specifications requires organizations to accurately and thoroughly assess the potential risks and vulnerabilities to all of their ePHI, including ePHI on all forms of electronic media, and implement security measures that are sufficient to reduce these risks and vulnerabilities to a level that is reasonable and appropriate. If, after completing all of the questions in the SRA Tool, threats and vulnerabilities still exist but are unaccounted for in the SRA Tool (i.e., a particular threat or vulnerability did not fit well with any of the existing questions), the organization must either 1) document the unaccounted for threats and vulnerabilities and assess the risk posed in the most appropriate place within the SRA Tool, or 2) document the unaccounted for threats and vulnerabilities and assess the risk posed as part of a separate risk assessment document to supplement the SRA Tool. Using the tool will help you identify areas where you need to make changes to your security; the tool will not make those changes for you.

[1] http://www.hhs.gov/hipaa/for-professionals/security/
[2] http://csrc.nist.gov/publications/nistpubs/800-66-Rev1/SP-800-66-Revision1.pdf
[3] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf
[4] http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53Ar4.pdf
[5] https://www.healthit.gov/sites/default/files/hitech_act_excerpt_from_arra_with_index.pdf
1.5. What the SRA Tool Is Not:
A Tool that Supports Multiple Concurrent Users. The SRA Tool is not intended to be, nor was it built to be, a collaborative tool to be used simultaneously by many users. It is expected that a single user at any one time with appropriate permissions to install and run the application on the computer will use the tool to individually capture information. However, multiple users may access the tool on separate occasions, and Version 2.0 of the tool allows the user to export a copy of the data entered into the tool and share with other users so that they may add additional information (see Sections 3.9 and 3.10). If you choose to use this feature you should ensure a single file is used since you cannot merge two different copies of the data.

A Guarantee of HIPAA Compliance. The SRA Tool does not produce a statement of compliance, nor does completion of the tool guarantee or otherwise indicate compliance with the HIPAA Security Rule or any other Federal, State, or local statutes. However, while the Tool will not prove you comply with the Security Rule in all respects, when completed in an accurate and thorough manner it can provide documentation of your organization’s efforts to conduct a risk assessment, and this, in turn, is one of many aspects of security rule compliance that may be evaluated in an OCR audit or compliance review. Organizations may use the SRA Tool in coordination with other tools and processes to support risk analysis and risk management activities required by the HIPAA Security Rule. Statements of compliance are the responsibility of the covered entity and the HIPAA Security Rule regulatory and enforcement authority.

Please note, the SRA Tool provides guidance in understanding the requirements of the HIPAA Security Rule—Risk Analysis specifically, and does not cover additional Security Rule requirements nor provisions for the HIPAA Privacy Rule.

2. Downloading the SRA Tool
2.1. Downloading the SRA Tool (Windows version)
To download the SRA Tool for Microsoft Windows, navigate to ONC’s website at: http://www.healthit.gov/security-risk-assessment (Figure 1).
Figure 1. HealthIT.gov/security-risk-assessment

Next, select the blue button located within the “Security Risk Assessment Tool” box (Figure 2).

Figure 2. SRA Tool Link Location

Once you select the button, you will be directed to the Security Risk Assessment Tool page. Navigate to the right side of the page to begin downloading the Windows version of the tool (Figure 3).
Figure 3. Windows-Version Download Link

While your downloading experience may vary depending upon the Internet browser you are using, all browsers should allow you to save the file on your desktop computer or laptop. Once prompted, select the arrow symbol next to the “Save” option and save the file to a location of your choice. Be sure to remember the location where you downloaded the file, as you will need to double click the file to run the tool.
2.2. Downloading the SRA Tool (iPad version)
To download the free SRA Tool onto your iPad, you will need to access the Apple App Store. The SRA Tool is currently not available for other Apple products such as the iPhone. Within the App Store, you can find the SRA Tool by searching for “HHS SRA Tool.” Select the “Free” button followed by the “Install” button to begin downloading the tool. Downloading should begin automatically and should only take a couple of minutes depending on your Internet connection speed. Once the installation is complete, the SRA Tool icon will appear on your iPad screen. Select the SRA Tool icon to begin your assessment.

3. Using the SRA Tool
Once you have downloaded the application and saved it to your computer, double-click the icon and select “run” when prompted. iPad users should tap the SRA Tool icon to launch the tool. The SRA Tool will open to the SRA Tool login screen (Figure 4).
Figure 4. Login Screen

Once you install and launch the SRA Tool, you will notice four tabs on the right (Figure 5):
• Users – You may create new users on this tab
• About Your Practice – Enter information about your practice or business on this tab, including the name and contact information for your organization
• Business Associates – You may maintain a list of your business associates on this tab
• Asset Inventory – You may maintain an inventory of your organization’s IT assets on this tab

If this is the first time you have used the tool, navigate to the “Users” tab to begin.

Figure 5. Login Screen Tabs

3.1. Creating and Updating Users
To create a new user, type the user’s first and last names and initials in the associated fields (Figure 6).
Figure 6. Creating a New User

Once you have entered the user’s information, select the “Users” tab again to bring up the “Log In” button (Figure 7).

Figure 7. Saving Changes to a New User

If you have multiple users that will add information in the tool, you may want to create multiple users. The tool will track when a user makes an update to an assessment question; this will allow you to monitor who in your organization answered a specific question if you need to follow up with them later. To add multiple users, simply type in their information using the additional fields. Each time you access the tool, all user names are pre-populated in the users list. When you log in again, you will already see your name listed, and can simply select the “Log In” button next to your credentials. Please remember that only one user can access the tool at any one time (Figure 8).

Figure 8. Editing a User

To edit a user, double-click on a user’s name or initials. The selected field will become editable. When you have made the edits to the user, click “Finished” (Figure 9).
Figure 9. Saving Changes to an Edited User

To delete a user, double-click on a user’s name or initials to begin editing that user. Then delete the user’s first name, last name, and initials. Click “Finished” and the user will be deleted.

3.2. Adding Information About Your Practice
To add information about your practice or business such as your address, select the “About Your Practice” tab from the login screen (Figure 5). Fill in the “Name,” “Address,” “City,” “State or Territory,” “Zip Code,” and “Telephone Number” in the corresponding fields (Figure 10). This information will be saved within the tool and will not be collected or maintained by HHS.

Figure 10. Filling out the About Your Practice Tab

3.3. Adding Information about Business Associates
To add information about your business associates, select the “Business Associates” tab from the login screen (Figure 5). You will need to fill in the “Name,” “Type,” and “Address” in the corresponding fields (Figure 11). There is no limit to the number of Business Associates you can add. New fields will be generated after you re-select the “Business Associates” header. For more information on who may be a Business Associate, please refer to the OCR website at: www.hhs.gov/ocr.
Figure 11. The Business Associate Tab

3.4. Adding Information about IT Assets
To add information about IT assets, select the “Asset Inventory” tab from the login screen (Figure 5). Within this tab, you will see four fields, labeled “Name,” “Type,” “Has ePHI,” and “Assignee.” These fields have no length limit; they allow you to input as much information as needed (Figure 12).

Figure 12. The Assets Tab

Under “Name,” provide the name for the information asset, for example, “Electronic Health Record (EHR)” or “Practice Management System.” In the field labeled “Type,” describe the type of asset. For example, you can label it “an application” and explain how ePHI is transmitted or stored. A copy machine may also store ePHI and therefore may be an example of an asset. The next field, labeled “Has ePHI,” allows you to document if the asset receives, transmits, or stores ePHI. The last field, “Assignee,” allows you to document who in your organization is responsible for this particular asset.
3.5. SRA Tool Login and Question Window
To log in, select the “Users” tab. Select the “Log In” button located next to your user name on the login screen (Figure 4). After you log in, the first screen you will see explains the Administrative, Physical, and Technical Safeguards under the HIPAA Security Rule (Figure 13). Read the descriptions and disclaimer. In the lower right corner, you will see three options, “Import Assessment,” “Create New,” and “Continue Current.”
• Import Assessment – Data can be exported from the SRA Tool into an SRA file. The SRA file can then be stored as an offline backup or transferred to another computer. An SRA file can be imported to another copy of the SRA Tool. This option allows you to import a previously exported SRA file. Importing and exporting SRA files is useful, for example, for transferring risk assessments between computers. For more information on importing or exporting SRA files, please see Section 3.10.
• Create New – This option allows you to create a brand new assessment. If this is your first time using the tool, this will be the only option to select. NOTE: If you already have data entered into the tool, selecting the “Create New” option will erase existing data in the tool.
• Continue Current – If you have previously imported an assessment or have already started an assessment, this option allows you to continue working on that assessment. NOTE: If you have previously entered data (even using a prior version of the tool), you should already have data the tool can access, so use this option if you want to add information to your previous assessment.

Figure 13. Administrative, Physical, and Technical Safeguards Screen

Once you select one of the three options, you will be placed on the SRA Tool Question Window (Figure 14).
Figure 14. SRA Tool Question Window

The first question appears within the gray box on the left side of the tool. The question cites the Security Rule and displays if the item is “Standard,” “Required,” or “Addressable.” Under the Security Rule, these terms are defined as:
• Standards – measures a covered entity must take to ensure the confidentiality, integrity, and availability of ePHI while in the custody of covered entities and business associates as well as while in transit. Covered entities and business associates must comply with the applicable Standards provided in the Security Rule with respect to all ePHI.
• Implementation Specifications – may be either Required or Addressable. These are instructions for implementing Security Rule Standards.
• Required – Implementation Specifications must be implemented by the covered entity or business associate.
• Addressable – The concept of “addressable implementation specifications” was developed to provide covered entities additional flexibility with respect to compliance with the security standards. However, “addressable” does not mean “optional.” For Implementation Specifications which are addressable, the covered entity or business associate must assess whether the implementation specification is a reasonable and appropriate security measure to apply when analyzed with reference to the likely contribution it would make to protecting ePHI in the organization’s own environment. If it is, the entity must implement the specification; if not, the entity must document why it is not, and put in place alternative procedures (if reasonable and appropriate). For example, the information access management standard includes the addressable Access Establishment and Modification implementation specification. A solo practitioner with two employees may determine that it is not “reasonable and appropriate” to implement policies and procedures to modify “…a user’s right of access to a workstation, transaction, program or process” because all three workforce members require the same access to ePHI. The covered entity must document the rationale for deciding these particular measures were not reasonable and appropriate and what alternative measures are in place to comply with the Information Access Management standard.

If the implementation specification is reasonable and appropriate, then the covered entity or business associate must implement that addressable Implementation Specification.

If the implementation specification is determined to not be reasonable and appropriate, the covered entity or business associate must document why it would not be reasonable and appropriate and implement an equivalent alternative measure if reasonable and appropriate (see Appendix A Addressable and Required Specifications).
The yellow bar above each assessment question is labeled according to the type of Security Rule category the question covers. For example, “A” stands for “Administrative;” “T” for “Technical;” and “P-H” for “Physical.” Questions are not presented in numerical order. Instead, similar questions are grouped by topic across the administrative, technical, and physical sections.
Above the yellow bar is a progress bar to indicate how much of the assessment you have completed (Figure 15).

Figure 15. Progress Bar

At bottom right are five buttons that can help you use the tool (Figure 16):
• Report – This button creates a PDF or Microsoft Excel formatted report of the data you have entered into the SRA Tool. For more information on reporting, please see Section 3.7.
• Glossary – This button displays a glossary of frequently used terms in the SRA Tool
• Navigator – This button displays the “Navigator View.” For more information on the Navigator View, please see Section 3.8.
• Related Info – This button displays the “Things to Consider,” “Threats and Vulnerabilities,” and “Examples of Safeguards” tabs. You may find these tabs useful when answering questions in the tool. For more information on the Related Info button, please see Section 3.6.
• Export – This button exports data in the tool into an SRA file. SRA files can be used to back up your risk assessment data, or to send to another user to open on their computer. For more information on exporting, please see Section 3.9.

Figure 16. Navigation Buttons
3.6. Answering SRA Tool Questions
Once you have logged into the tool and are viewing the question window (see Section 3.5), you are now ready to answer the assessment questions in the tool. To answer a question, select either “Yes” or “No” below the question (Figure 17). You can also select the “Flag” option if you want to call attention to a question. Flagging can be done to remind you to review the question again later or to indicate to another person in your organization that you need them to review or answer the question.

Figure 17. Answering a Question

If your answer is “No”, then four radio buttons suggesting the best reason for answering “No” will be displayed: “Cost,” “Practice Size,” “Complexity,” and “Alternate Solution” (Figure 18).
Figure 18. Reasons for Answering “No”

NOTE: If an implementation specification is described as “required,” the specification must be implemented. Addressable means that if implementing the specification is not reasonable and appropriate, an alternative solution may be implemented that effectively safeguards the confidentiality, availability, and integrity of the protected health information (PHI). To better understand the elements of addressable specifications, see the Appendix on page 24.

Once you answer the assessment question (either “yes” or “no”), space is provided for you to: describe your current activities (i.e., what you are doing to meet the requirement), add any additional notes, or explain how you plan to address or remediate identified shortcomings (Figure 19). Select the appropriate tab for each category. The information you provide will appear in your risk assessment report.

Figure 19. Current Activities, Notes, and Remediation Tabs

The radio buttons below the space allow you to document the likelihood that a particular threat could affect your ePHI. You can also rate the impact or level of harm that could occur if the standard or requirement stated in the question is not met (Figure 20).
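As an added example (not code from the SRA Tool or this guide), the following Python models one assessment record and applies the Standard / Required / Addressable rules from Section 3.5 together with the answer, reason, likelihood and impact fields described in this section. The Low/Medium/High scales, the likelihood × impact lookup used for a risk level, and all field names are this example's own assumptions; the guide does not publish the tool's internal scoring.

```python
"""Added example, not code from the SRA Tool or this guide: a small model of one
SRA Tool assessment record with the decision rules the guide describes for
Standard / Required / Addressable items, the reason choices offered for a "No"
answer, and a likelihood/impact rating.

Assumed (not taken from the guide): the Low/Medium/High scales, the 3x3
likelihood x impact lookup for a risk level, and the field names.
"""
from dataclasses import dataclass
from typing import List, Optional

SPEC_TYPES = ("Standard", "Required", "Addressable")
CATEGORIES = ("A", "T", "P-H")          # Administrative, Technical, Physical (yellow bar labels)
NO_REASONS = ("Cost", "Practice Size", "Complexity", "Alternate Solution")
SCALE = ("Low", "Medium", "High")       # assumed rating scale for likelihood and impact

# Assumed (likelihood, impact) -> risk level lookup; this example's own, not the tool's.
RISK_MATRIX = {
    ("Low", "Low"): "Low",       ("Low", "Medium"): "Low",       ("Low", "High"): "Medium",
    ("Medium", "Low"): "Low",    ("Medium", "Medium"): "Medium", ("Medium", "High"): "High",
    ("High", "Low"): "Medium",   ("High", "Medium"): "High",     ("High", "High"): "High",
}


@dataclass
class AssessmentRecord:
    citation: str                  # Security Rule citation shown with the question
    spec_type: str                 # "Standard", "Required" or "Addressable"
    category: str                  # "A", "T" or "P-H"
    answer: str                    # "Yes" or "No"
    reason: Optional[str] = None   # one of NO_REASONS; only meaningful when answer is "No"
    likelihood: str = "Low"
    impact: str = "Low"
    current_activities: str = ""   # what you are doing to meet the requirement
    notes: str = ""                # additional notes, e.g. rationale for an Addressable decision
    remediation: str = ""          # how you plan to address identified shortcomings
    flagged: bool = False          # the "Flag" option: revisit later or hand to a colleague


def risk_level(rec: AssessmentRecord) -> str:
    """Combine the likelihood and impact ratings into a risk level (assumed lookup)."""
    return RISK_MATRIX[(rec.likelihood, rec.impact)]


def validate(rec: AssessmentRecord) -> List[str]:
    """Return findings for a record; an empty list means the record carries the
    documentation the guide says a "No" answer needs for its specification type."""
    findings = []
    if rec.spec_type not in SPEC_TYPES:
        findings.append(f"unknown specification type {rec.spec_type!r}")
    if rec.category not in CATEGORIES:
        findings.append(f"unknown category {rec.category!r}")
    if rec.likelihood not in SCALE or rec.impact not in SCALE:
        findings.append("likelihood and impact must each be rated Low, Medium or High")
    if rec.answer not in ("Yes", "No"):
        findings.append("answer must be Yes or No")
        return findings
    if rec.answer == "Yes":
        return findings
    # Everything below concerns a "No" answer.
    if rec.reason not in NO_REASONS:
        findings.append("select a reason for answering No: " + ", ".join(NO_REASONS))
    if rec.spec_type in ("Standard", "Required"):
        # Standards and Required specifications must be implemented: a No is a gap,
        # so a remediation plan is expected to appear in the report.
        if not rec.remediation.strip():
            findings.append(f"{rec.spec_type} item not met: document a remediation plan")
    elif rec.spec_type == "Addressable":
        # Addressable does not mean optional: document why the specification is not
        # reasonable and appropriate, and the alternative measure put in place.
        if not rec.notes.strip():
            findings.append("Addressable item not implemented: document why it is not "
                            "reasonable and appropriate")
        if not rec.current_activities.strip():
            findings.append("Addressable item not implemented: describe the alternative "
                            "measure in place (or why none is reasonable and appropriate)")
    return findings


def sample_records() -> List[AssessmentRecord]:
    """Constructed sample data mirroring the guide's solo-practitioner example."""
    return [
        # Required: risk analysis (164.308(a)(1)(ii)(A), cited in the guide). Not done yet.
        AssessmentRecord("164.308(a)(1)(ii)(A)", "Required", "A", "No",
                         reason="Complexity", likelihood="High", impact="High"),
        # Addressable: Access Establishment and Modification. A solo practitioner with two
        # employees decides formal access-modification procedures are not reasonable and
        # appropriate and documents the rationale and what is in place instead.
        AssessmentRecord("<citation placeholder>", "Addressable", "A", "No",
                         reason="Practice Size", likelihood="Low", impact="Medium",
                         current_activities="All three workforce members need the same ePHI "
                                            "access; access is reviewed when staff join or leave.",
                         notes="Not reasonable and appropriate: three workforce members with "
                               "identical access needs."),
    ]


if __name__ == "__main__":
    for rec in sample_records():
        print(rec.citation, rec.spec_type, rec.answer, "risk:", risk_level(rec))
        for finding in validate(rec):
            print("   -", finding)
```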
Figure 20. Risk Likelihood and Impact

On the right side of the question, there are three tabs that can help you understand and answer the question (Figure 21). “Things to Consider” gives you factors to think about when evaluating your practice. “Threats and Vulnerabilities” offers information to help you understand what some of the risks are and their potential impact. “Examples of Safeguards” provides some potential ways of reducing or eliminating risks or vulnerabilities. You may hover your mouse pointer over underlined words to view a tooltip bubble with the word’s definition.

Figure 21. Things to Consider Tab

3.7. Reporting
The “Report” button on the question window (Figure 16) opens up the Report Summary screen (Figure 22). This screen lets you see the current status of the assessment results.
Figure 22. Report Summary Screen

The SRA Tool also provides options to create a portable document format (PDF) or Microsoft Excel document report of the data you have entered into the tool. To create a PDF or Excel report, select the “Create PDF/Excel” button on the Report Summary Screen. This will display the Report Options screen (Figure 23). On the Report Options screen, you may select:
• Report Format – Either PDF or Excel format
• Report Sections – Your responses to the SRA Tool questions are always included in the report. In addition, you may select that users, business associates, and your asset inventory are included in the report as well. Also, if you are generating a PDF report, you may choose to have the tool generate charts (Figure 26).
• Report Options – These options let you filter what information is produced in the report, such as the risk level, notes, citation, or last edit.

Figure 23. Report Options Screen
When you are finished selecting your report options, click on “Create” to create your PDF or Excel report. You will be prompted to select a location to save the report using a standard “Save As” dialog (Figure 24).

Figure 24. “Save As” Dialog for Report Creation

Once you select a file location to save the report, the tool will create your report. If you created a PDF report, the Report Preview Screen will pop up (Figure 25). Within this window you will be able to scroll down to see the report. To close the pop-up window, simply click on the “X” button located at the top right of the window.

Figure 25. Report Preview Screen

To open the saved report, simply locate the file within the folder where you saved the report.
NOTE: Make sure to view your report before printing it. If you have selected a lot of columns, the report may be very long or span many pages.

The report can also be viewed in a chart form (Figure 26). The chart can also be created in a PDF by selecting the “Charts” option on the Report Options Screen (Figure 23).

Figure 26. Chart Report

3.8. Using the Navigator

The Navigator view allows you to both see how many questions are completed in each section and also navigate to a particular section at any time (Figure 27). This allows you to answer the questions in any order you desire. While you may answer questions in any order, the report will always display/print in the order of the HIPAA Security Rule. To access the Navigator view, click on the “Navigator” button on the SRA Tool question window (Figure 14).

Figure 27. Navigator View
To move through the navigator sections, select the small grey arrow symbol and the question category will expand to display the Administrative, Physical and Technical sections (Figure 28). It will also indicate how many questions are in each section and how many of the questions have been answered.

Figure 28. Expanded Navigator View

3.9. Exporting Data from the SRA Tool

Data can be exported from the SRA Tool into an SRA file. The SRA file can then be stored as an offline backup or transferred to another computer. An SRA file can be imported to another copy of the SRA Tool. To export data, use the “Export” button located on the SRA Tool question window (Figure 14). When you click on the “Export” button, a standard “Save As” dialog will appear that allows you to select a location to save the SRA file (Figure 29).

Figure 29. Exporting an SRA File
ONC strongly recommends that you regularly export data from the tool and save the exported SRA file as a backup of your security risk assessment. Ideally, backups should be stored in a separate location from the computer where the SRA Tool is installed. As exported SRA files are not encrypted, you should protect them with strong access controls or use your own encryption to protect the exported files.

If you have multiple facilities that require separate security risk assessments, you can use the export feature to work on multiple security risk assessments at a time.
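The backup guidance above (separate storage location, strong access controls, integrity of the unencrypted export) can be scripted. The following is an added example, not part of the SRA Tool or this guide: it copies an exported file into a separate backup directory with owner-only permissions and records a SHA-256 digest so a later restore can detect a corrupted or altered backup. The “.sra” extension, the paths and the sample file contents are assumptions constructed for illustration; the tool’s actual export format is not described here, and encrypting the copy is left to whatever file or volume encryption your organization already uses.

```python
"""Back up an exported SRA file with restricted permissions and an integrity manifest.

Added example (not part of the SRA Tool or the SRA Tool User Guide). Assumes the
export is a single file; the ".sra" extension, paths and sample contents are
constructed for illustration only.
"""
import hashlib
import hmac
import shutil
import stat
import tempfile
import time
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hex SHA-256 digest of a file, read in chunks so large exports are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_export(export_path: Path, backup_dir: Path) -> Path:
    """Copy an exported SRA file into a separate backup directory.

    The copy gets a UTC-timestamped name, owner-only permissions (0600; on
    Windows only the read-only bit is honoured, so rely on NTFS ACLs there)
    and a sidecar ".sha256" manifest used by verify_backup().
    """
    backup_dir.mkdir(parents=True, exist_ok=True)
    backup_dir.chmod(stat.S_IRWXU)  # owner-only directory
    stamp = time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    dest = backup_dir / f"{export_path.stem}-{stamp}{export_path.suffix}"
    shutil.copyfile(export_path, dest)
    dest.chmod(stat.S_IRUSR | stat.S_IWUSR)
    manifest = dest.parent / (dest.name + ".sha256")
    manifest.write_text(f"{sha256_of(dest)}  {dest.name}\n")
    manifest.chmod(stat.S_IRUSR | stat.S_IWUSR)
    return dest


def verify_backup(backup_path: Path) -> bool:
    """Return True only if the backup still matches its recorded SHA-256."""
    manifest = backup_path.parent / (backup_path.name + ".sha256")
    if not manifest.exists():
        return False
    recorded = manifest.read_text().split()[0]
    return hmac.compare_digest(recorded, sha256_of(backup_path))


def demo() -> dict:
    """Round trip on a constructed sample file in a throwaway directory."""
    root = Path(tempfile.mkdtemp(prefix="sra-backup-demo-"))
    export = root / "assessment.sra"  # constructed sample, not a real export
    export.write_bytes(b"constructed sample of an exported SRA file\n")
    backup = backup_export(export, root / "backups")
    intact = verify_backup(backup)
    backup.write_bytes(b"tampered")  # simulate corruption or tampering
    after_tamper = verify_backup(backup)
    result = {
        "intact": intact,
        "after_tamper": after_tamper,
        "separate_dir": backup.parent != export.parent,
    }
    shutil.rmtree(root)
    return result


if __name__ == "__main__":
    print(demo())
```

Run the script from a scheduled task right after each export; the manifest makes a silent change to the backup visible before you import it back into the tool, which matters because importing overwrites the data already in the tool.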
3.10. Importing Data into the SRA Tool

If you have previously exported data from the SRA Tool, you can import the data from the Administrative, Physical, and Technical Safeguards screen (Figure 13). When you click the “Import” button, a standard system “Open” dialog will appear that allows you to select a previously exported SRA file. When you select a file, the data will be imported into the SRA Tool. Please note that importing an SRA file will overwrite any existing data in the tool. If you do not want to lose existing data, be sure to export to a separate SRA file before you import a new one. For more on exporting SRA files, see Section 3.9.

3.11. Logging Out of the SRA Tool

To log out of the SRA Tool, select the “Logout” link located at the upper right of the SRA Tool question window (Figure 30). When you log out, all answers are stored for the next time you log in. You can continue working on your assessment by clicking the “Continue Current” button on the Administrative, Physical, and Technical Safeguards screen (Figure 13).

Figure 30. SRA Tool Logout Button
4. Uninstalling the SRA Tool

To uninstall the SRA Tool, first remove any data cached in the tool. To do this, log in to the tool and select “Create New” from the Administrative, Physical, and Technical Safeguards screen (Figure 13). This will remove any data that is cached in the tool. Next, you may delete the SRA Tool program that you downloaded to your computer. This uninstalls the application.
Appendix A Addressable and Required Specifications

In meeting standards that contain addressable implementation specifications, a covered entity must do one of the following for each addressable specification:
(a) implement the addressable implementation specification;
(b) implement one or more alternative security measures to accomplish the same purpose; or
(c) not implement either an addressable implementation specification or an alternative.
However, in all cases, the covered entity or business associate must meet the standard.

The covered entity’s choice must be documented. The covered entity must decide whether a given addressable implementation specification is a reasonable and appropriate security measure to apply within its particular security framework. A covered entity must implement an addressable implementation specification if it is reasonable and appropriate to do so, and must implement an equivalent alternative if the addressable implementation specification is unreasonable and inappropriate, and there is a reasonable and appropriate alternative.

This decision will depend on a variety of factors, such as, among others, the entity's risk analysis, risk mitigation strategy, what security measures are already in place, and the cost of implementation. The decisions that a covered entity makes regarding addressable specifications must be documented. Users may use the space provided in the SRA tool and the radio buttons to document how the organization will implement addressable specifications. More information is available from: http://www.hhs.gov/ocr/privacy/hipaa/faq/securityrule/2020.html