HHS Seeking Input on Improving Security Risk Analysis Tool
Critics Say the Tool Is Too Difficult to Use
The Department of Health and Human Services is seeking comments on how it can improve its security risk assessment tool, which is designed to help smaller organizations conduct assessments as required under HIPAA. Some critics have said the tool is too difficult to use.
HHS' Office for Civil Rights, which oversees HIPAA enforcement, and the Office of the National Coordinator for Health IT, which coordinates nationwide efforts to implement and use advanced health IT and electronic exchange of health information, are seeking user feedback.
HHS is seeking the feedback by July 31 via an online survey.
Major Struggle for Many
Security risk assessments have long been a struggle for many covered entities and business associates.
Many OCR breach investigations and compliance reviews have determined that organizations never conducted a thorough risk assessment (see: Why Clinical Lab's HIPAA Settlement is Significant).
A report issued in December 2020 on findings from an HHS OCR HIPAA compliance audit also pointed to the frequent lack of a security risk analysis (see: At Last, Results from HIPAA Compliance Audit Program Revealed).
HHS OCR's guidance on risk analysis in the HIPAA Security Rule "describes nine very specific elements that are required for a risk analysis to meet the standard," notes Steve Cagle, CEO of privacy and security consultancy Clearwater.
"These include identifying and documenting all of the reasonably anticipated threats and vulnerabilities related to all information systems - and their components - which create, receive, transmit or maintain electronic protected health information and documenting controls in place to mitigate these risks," he says.
"In today’s complex technology and security environment, performing a risk analysis requires extensive knowledge of all vulnerabilities, threats and security controls and experience in determining risk," he says. The risk analysis must be updated as changes to the environment occur, he adds.
"Most organizations, and in particular small and mid-size organizations, lack the resources and expertise required to complete a comprehensive risk analysis that meets OCR’s guidance," Cagle says. "Some organizations simply choose not to invest in doing it the right way. Some are not performing it for all systems or are not conducting it on an on-going basis. Others simply don’t understand - or want to take the time to understand - what a risk analysis is, and what the best practices are."
Kate Borten, president of privacy and security consultancy The Marblehead Group, offers a similar assessment.
"Simply performing a security risk assessment continues to be challenging for most small and some mid-size organizations, both covered entities and business associates," she notes. "First, these organizations are not likely to have in-house expertise in the field of information security. Hence, they don't know the language. For example, security pros know that vulnerability plus threat leads to risk, and we know what threats and vulnerabilities are and how to identify them in the environment," she says.
"Similarly, security pros read the security risk assessment questions and understand the underlying intent. Typically, a question reveals a possible vulnerability in an organization's security program. Another challenge is ensuring the scope of the risk assessment is appropriately broad. Too often, organizations look only at their technology and overlook essential processes."
Less Is More
HHS made updates to the security risk assessment tool in late 2019, when it enhanced asset and vendor risk management features, and again in late 2020, when it improved the tool's navigation features.
But some security experts say that the current version of the tool is still complicated and time-consuming to use, especially for smaller healthcare provider organizations.
The current version of the tool is "better than before, but way too much for a small provider organization like a physician practice to try and use," says Tom Walsh, president of privacy and security consulting firm tw-Security.
"Most small physician practices would only make it one-third of the way through before tossing in the towel and giving up."
Following all of the steps called for in the tool takes too long, Walsh says. "Many of the questions are assessing against compliance with HIPAA. If an organization’s only risk was an OCR audit for HIPAA compliance, then the SRA tool is fine. However, there are lots of other threats/risks that the tool does not address," he says.
"Less is more. The focus of the tool should be on the critical few versus the trivial many. There is a heavy focus on written policies as if a written policy will somehow thwart off a hacker. The emphasis - or weighted value for risk scoring - should be more on technical controls."
A Struggle for All
While the tool is geared toward smaller organizations, Walsh notes that healthcare sector entities of all sizes often struggle with their security risk analyses.
"Larger organizations have a significant number of applications and systems - each configured differently when it comes to things like access controls, authentication, account lockout after failed logon attempts, time settings for automatic logoff after a period of inactivity, etc.," he notes.
"There is not a ‘one size fits all’ approach to assessing security controls across a variety of systems. Risk assessments take dedicated resources to do it right the first time."