The HHS updated its HIPAA Security Risk Assessment Tool with a number of new features requested by users to enhance usability.
The HHS Office of the National Coordinator for Health Information Technology (ONC) in cooperation with the HHS’ Office for Civil Rights (OCR) created the HIPAA Security Risk Assessment Tool.
The Security Risk Assessment Tool could benefit small to medium-sized healthcare companies when doing comprehensive, company-wide risk assessments to determine the risks to the integrity, confidentiality, and availability of protected health information (PHI).
Healthcare organizations that use the tool can determine and evaluate risks and vulnerabilities and then employ that data to enhance their protection against ransomware, malware, botnets, viruses, and other forms of cyberattack.
The risk analysis is a basic requirement of the Health Insurance Portability Act Security Rule. By performing a risk analysis, healthcare companies could determine areas that put PHI at risk. After identifying the risks, they are assessed, prioritized, and managed to reduce to a fair and acceptable level.
Since the initial release of the tool, there have been several updates to enhance usability and include more functions. The most recent version of the Risk Assessment Tool, Version 3.1, was launched to coincide with National Cybersecurity Awareness Month and comes with a number of user-requested enhancements:
- Validation of threat and vulnerability
- Integration of NIST Cybersecurity Framework references
- Enhanced asset and vendor management
- Question flagging and a new Flagged Report
- Capability to export Complete Reports to Excel
- Solutions for a number of reported bugs to enhance stability
The tool for Windows devices is downloadable from the HHS. However, the most recent version of the tool for a Mac OS is not available.
The HHS remarks that the tool is just as valuable as the work involved in the performance and documentation of a risk assessment. The usage of the tool doesn’t ensure that the risk assessment specifications of the HIPAA Security Rule will be complied with. Using the tool will simply assist in the periodic conduct of risk assessments by HIPAA-covered entities and their business associates.