SRA Tool Webinar 07/30/2019


Hello everyone, and welcome to the Security Risk Assessment Tool webinar. Today's presentation is hosted by the Office of the National Coordinator for Health Information Technology, the Office for Civil Rights, and Altarum. The Office of the National Coordinator for Health IT is at the forefront of the administration's health IT efforts and is a resource to the entire health system to support the adoption of health information technology and the promotion of nationwide health information exchange to improve health care. The Office for Civil Rights enforces federal civil rights laws, conscience and religious freedom laws, HIPAA privacy, security and breach notification rules, and the Patient Safety Act and rules. Altarum is a non-profit research and consulting organization that creates and implements solutions to advance health among vulnerable and publicly insured populations. Altarum is the contractor ONC selected to create the most recent version of the SRA Tool. Leading our presentation today is Lisa Steppin, project manager with Altarum. For the purpose of today's presentation we will reference the Security Risk Assessment Tool as the SRA Tool. Please note all attendees are muted by default, so if you have a question during the presentation, please use the question box in the GoToMeeting interface to ask it. We will address questions in part two of the presentation. Now I'll turn it over to Lisa.

Thank you, Ryan, for the introduction,
and thank you, everyone, for joining us today. We've had overwhelming interest in these webinars, and so we're so excited everybody has taken time out of their very busy days to join us. We're thrilled that so many of you are interested in the SRA Tool and want to learn more about it, so thank you for your interest, and welcome.

Our presentation today will be divided into two parts. The first portion will focus on an introduction to and an overview of the tool itself. We'll briefly talk about the challenges the healthcare industry faces when safeguarding protected health information, and we'll provide some background on why the SRA Tool was created in the first place. We hope that after the first portion of the presentation you will all walk away with an understanding of four main things: the SRA Tool and the basics of how to use it; how to add the necessary information on your organization's assets and the vendors you do business with; how to complete a thorough security risk assessment; and finally, how to understand the results and reports provided by the tool. Throughout the presentation we'll also cover some of the benefits of using this tool and how organizations can thoroughly assess and document the information security risks to ePHI in their organizations. Part two will serve more as an open forum where our panelists, including representatives from ONC and OCR, will address your questions and feedback. So let's get started.

Let's first understand the challenge the healthcare industry regularly faces in regards to safeguarding ePHI. So we all know that as technology evolves and scammers develop new, increasingly sophisticated techniques to obtain our most private data, we all need to be exceptionally diligent in our assessments of our security posture. Small to medium sized healthcare organizations are often the most vulnerable to hacking attempts due to limited time and resources. So the solution here was to update and create an SRA Tool that was simple to use for small to medium size practices and provided a self-paced and thorough assessment, while also saving them time by asking them only the questions relevant to their practice and environment, and best of all, free.

ONC engaged Altarum to redesign and create an improved version of their existing SRA Tool, which was originally created back in 2014. At Altarum we started off by assessing where that tool needed improvement, so we conducted usability testing and gathered feedback from the current user community in order to identify key areas for improvement. We were able to take that feedback and turn it into new features within the SRA Tool version 3.0, which is the version of the tool currently available. We built a workflow with wizard-based branching logic, making it easier and less time-consuming for practices to evaluate their security risk. The SRA Tool, though, is not a do-it-all tool, and merely using this tool and checking the boxes without truly assessing your risk would not be enough to document HIPAA compliance with the risk assessment requirement. But when properly used, the SRA Tool can aid in the security assessment process.

The SRA Tool was designed to help covered entities and business associates that handle patient information to identify and assess risks and vulnerabilities to the confidentiality, integrity and availability of protected health information in their environment. The HIPAA Security Rule requires healthcare providers, health plans and business associates to conduct a risk analysis and implement technical, physical and administrative safeguards to protect ePHI. Our goal in developing the revised version of the SRA Tool was to assist providers and business associates with meeting their responsibilities to protect ePHI. The tool guides users through an assessment based on the HIPAA Security Rule, and it is a self-paced questionnaire that includes a variety of reports for users to track their progress and assessment results. Question responses are grouped into areas of success and areas for review. Questions sorted into areas of success do not indicate compliance with the HIPAA Security Rule, but rather that your organization is aligned with the industry security standards and the recommended actions that help you protect and safeguard ePHI. Any known potential risks not addressed directly within the SRA Tool should be documented by your practice, or elsewhere within the tool.

Now let's talk about the content within the tool. The SRA Tool's assessment content was generated from these sources. We will soon be adding specific references to the NIST Cybersecurity Framework to each assessment question where relevant. Our team of security analysts compared these guides, cross-referencing each to create a content map to cover all essential areas, creating a robust content set of questions for the assessment section of the tool. One feature the tool offers is dynamic content, so as the Security Rule or NIST guidelines evolve over time, new questionnaire content can be downloaded and pulled into the SRA Tool easily by users.

Assessment content was broken down and grouped into seven main sections, each with a series of questions and branching logic built within. Section 1 of the assessment covers security risk assessment basics, so essentially what your security management process is today. Section 2 covers security policies, procedures and documentation, so how does your organization define your policies and procedures, and do you keep them on hand? Section 3 covers security and your workforce, so how do you define or manage access to systems, and how is your workforce trained on that security? Section 4 covers security and your data, so what are the technical security procedures you have in place? Section 5 covers security in your practice, so physical security procedures such as using key fob locked doors to access the physical building your organization operates out of. Section 6 covers security and your vendors, so all of the business associate agreements you have on hand and the vendors you do business with who may have access to your PHI. And Section 7 covers contingency planning, so what is your plan for backups and data recovery? Since the assessment contains branching logic, the subsequent questions within each section may be different depending on how you answer the current question you're on.

So let's cover how to download and obtain the SRA Tool. Users can download the tool from HealthIT.gov, and it can be installed on Windows machines running Windows 7, 8 and 10.
Administrative rights are required for installing the tool, since it is a recommended security best practice that a security evaluation take place at the organizational level prior to installation of any new software; however, users do not need admin privileges to run the tool once it's been installed. The SRA Tool runs from the local install directory and does not transmit any information to the Department of Health and Human Services, ONC or OCR.

Once the tool is installed, users can launch it directly from the icon on their desktop. Upon launching the SRA Tool, users will need to first select whether they are beginning a new SRA or opening an existing one to continue work already started on an SRA. To start a new SRA, users will first enter their name, select a location for their SRA files to save locally, and review the disclaimer information before beginning the assessment. If you select to continue an SRA, the system will prompt you to locate and select the SRA file you have already started from your local directory. The tool will then take you to the last place you left off. Please note, though, if you have been using SRA 2.0 you won't be able to upload the results into SRA 3.0.

The tool can support multiple user accounts and offers collaborative file sharing, so multiple people can have access to the tool and their own versions of the tool and still open or access SRA files that are in progress. If you attempt to enter a username that is already in use for a specific SRA file, the tool will alert you to select a new username. Usernames are used as an audit log for your SRA, so it's recommended to simply enter your first name and last name as your username. This will identify who within your organization completed specific sections or questions of the assessment. Again, all user-entered data is saved locally within the secure .sra file format and is only accessible for decryption by the SRA Tool application.

The SRA Tool is set up similar to Windows Office programs in the way that it saves and opens files. So, for example, when you want to open a Word document, you navigate within your directory to find it and you open it. The SRA Tool works very similarly to this. So when you first launch the tool and select to continue an SRA, the tool will prompt you to select the file you want to open. It will then ask you to identify yourself by selecting your username; again, this is for audit tracking purposes. To save an SRA in your preferred location, simply click on the area or icon where it says to select a spot to save your SRA file. This way users can save progress as they go through the assessment by just clicking the Save button, and the SRA file will save to your preferred location.

Once you have created a new SRA file, you then come to the home screen. The home screen gives users a brief description of what's to come and what to expect when filling out your assessment. The main navigation panel is located on the left side of the screen, but users can also navigate using the Next and Back buttons near the bottom of the home screen. The left navigation menu allows users to jump between certain areas of the tool, such as the practice info section, the assessment section and the summary section, but due to the branching logic within each assessment section, some navigation relies solely on the use of the Next and Back buttons at the bottom of the screen. The summary section becomes available once assessment sections 1 through 7 have been completed. We are currently working on options to change this and can discuss further in part two of the webinar.

Entering practice information: one of the first steps in the SRA process is documenting your practice information, so this is done in the practice info section. Practice info captures the basic contact information of whom the SRA is being completed for. There is also an option to document contact information for multiple locations. If your practice or organization operates in different physical locations, only one SRA needs to be completed across all of your organization. The information captured here is included in your detailed report, which is a printable PDF version of your full assessment.

Tracking practice assets: tracking your organization's assets is a critical component to evaluating areas of risk. The SRA Tool allows users to track their organization's assets in two ways: one, by uploading multiple assets at once by use of our template, or two, by adding them individually. Users can track and see details on their assets at the individual asset level, including whether the asset has access to ePHI, the encryption level for that asset, the asset assignment, and even asset location. So depending on how you categorize and track your assets, that can all be monitored and managed within the SRA asset section. The table view at the bottom of the screen allows users to see at a glance their total assets by type, asset status, ePHI access, encryption level and assignment. It allows users to select and move the columns into any order and sort the information according to their preference. There is also tracking as to whether you have disposed of the device, so if you want to track whether it was disposed of properly or the disposal date, you can track that as well. Management of your asset inventory is a vital piece of your security risk assessment, and the SRA Tool provides an easy-to-use interface for uploading your asset list, overall asset management, and tracking your asset security.

Here we're going to show a brief video of how to download the asset template for bulk upload of asset information into the tool. First you'll navigate to the asset section and download the template, save it locally and name the file. So in this instance we're just saving to the desktop and naming it asset template. Once you've clicked and saved it, you can then open it and start to add your asset information manually within the template, following the columns as designated, or if you have that information elsewhere, in another Excel file for example, you can do a copy and paste as long as the information is kept within the same columns and information that we've designated in the template. You can save it and then simply go back into the SRA Tool and click to upload it. Navigate to where you saved the template with the completed information, keeping that CSV file format, and once you click upload, it appears in the tool. You can then click to edit any of the information that you've just uploaded using the template. Make sure to keep the CSV file format, though, because the SRA Tool will not import from an Excel format. In addition, you'll want to make sure that the completed template is saved in a secure location on your network and password-protected, since it is a comprehensive list of your assets, or delete the file once you've uploaded it into the tool.

Here we're going to show the specific fields the SRA Tool prompts users to fill out when they're adding assets individually. The tool includes several areas of classification for asset types, including desktops, servers, tablets and cell phones. We include EKG and EEG machines and radiology and imaging machines. We even include EHR/EMR systems and databases, network equipment, and media (backup tapes, thumb drives, etc.). The tool does include a generic "other" for the asset type classification if the provided classifications do not cover the asset types your organization has. The HIPAA Security Rule risk analysis requires an accurate and thorough assessment of the potential risks and vulnerabilities to all of an organization's ePHI, including ePHI on all forms of electronic media. So it's extremely important to think about where your organization has assets across your entire organization and all forms of electronic media that may have access to ePHI.
So, for example, networked devices such as routers and firewalls, infrastructure applications like virtual machines, all of the Internet of Things devices: they should all be securely protected, and administrative rights and passwords on those devices updated regularly. It was our goal for this section to provide a simple method for tracking and managing all forms of electronic media that may have access to PHI.

So moving on to tracking your vendors. The asset tracking section of the tool and the vendor tracking section of the tool are very similar in terms of layout and functionality. Anyone your organization does business with can be tracked and evaluated within this section of the tool. You can opt to add them individually or download the vendor template, as we showed with the asset section, and fill in their information in bulk. The layout of the screen is extremely similar. You'll see at the bottom here the table view has vendor name, vendor type, and then two columns to identify whether you've obtained satisfactory assurances or assessed additional risks for that particular vendor. When entering your vendor and business associate information individually, the tool prompts users to complete the form shown here. Basic point of contact information is captured, but users can also indicate whether those satisfactory assurances have been obtained for each vendor or whether additional risks have been assessed. If users are unsure of what satisfactory assurances are, clicking on that blue underlined text provides the definition. There is also a comment box which allows users to insert comments or notes specific to that business associate or vendor. It is important to remember that even when using the template for the vendor screen or the asset screen, it must be kept in that CSV format. The tool does not accept Excel files, so please be sure to keep those files in that CSV extension type.

So here we're showing the practice documentation screen. The practice documentation screen serves as a place to demonstrate accuracy and thoroughness of responses, and other information as necessary to demonstrate accuracy and thoroughness of your SRA. So, for example, this would be a location where you could add vulnerability scans, penetration test results, or maybe your mitigation plans. These are all documents that can be linked to your SRA to show and demonstrate accuracy and thoroughness of the SRA. Clicking the "add a document" link just basically links the supporting documentation to your assessment, and this section also collects and lists any documents that you linked to your assessment from some of the section summaries, which we can show you as we move on in the webinar.

So here we're showing the assessment screen. All assessment sections are set up in this screen layout, with the section category and title at the top, the question in the middle there in the grey, and then your answer options just below in white, with education and reference information on the right side. As I mentioned before, the assessment section of the tool contains seven sections. These are all multiple choice questions, and it also contains self-rated threats and vulnerabilities areas after each assessment section. The education panel provides the guidance that's related to each response given, and that is dynamic, so as you make different selections on a given question, that guidance may change. The reference panel links each question to the related HIPAA Security Rule citation, and it will soon show the NIST Cybersecurity Framework references as well. So the SRA Tool gives users the resources to understand the context of each question by using plain language throughout the assessment questionnaire. It helps users consider the potential impacts to ePHI in your environment via our threats and vulnerabilities sections, which we'll show next, and also helps users identify relevant security references via the education and references provided.

After users have completed the questionnaire portion of each assessment section, there are threats and vulnerabilities selection and rating screens. These are shown here. Users are asked to select from a list of vulnerabilities that may be applicable to their practice or organization, and then rate the likelihood or impact should they occur. Important to note here is that any known vulnerabilities or potential threats not addressed by the SRA Tool should be documented elsewhere or added to the section summary notes area. Thorough evaluation of the likelihood and impact of known risks should be documented as part of your SRA. For example, there are many times there are areas of risk that are present that we as everyday users don't always identify and assess, such as maybe a third-party app that would be installed on your facility manager's iPhone or Android.

Each section ends with a section summary review. The section summary shows the questions that were presented, the responses selected by the user, and the education content relevant to that question. Again, questions are divided into areas of success and areas for review. Questions sorted into the areas of success are those which represent that a thorough and/or accurate assessment was completed and aligns with the industry best practices. Questions that are sorted into areas for review represent responses that could use some improvement or need to be revisited in order to increase your security posture. So let's talk a little bit about
conducting a thorough assessment. Conducting a thorough risk assessment requires users to evaluate potential risks and vulnerabilities. The HIPAA Security Rule's risk analysis requirement specifies that organizations perform an accurate and thorough assessment of the potential risks and vulnerabilities to all of the ePHI the organization creates, receives, maintains or transmits. So, for example, when responding to questions regarding passwords and authentication, authentication should be considered throughout your organization. That is, it's not enough to only consider Microsoft Active Directory password requirements, but the organization should also consider how authentication is managed in other areas, including authenticating to network and infrastructure tools and devices, or authenticating to computer and application administrative accounts, or remote access authentication, for example. The SRA Tool may not address all risks relevant to your practice or organization, and if risks are known but not addressed within the tool, they can and should be documented outside the tool and linked to the tool using that "add a document" feature we showed earlier. Supporting documentation should be provided to prove a thorough risk assessment was conducted. This can also be linked to the tool using those section summary notes. Practices that have known risks, but those risks are unaccounted for within the SRA Tool, can utilize that comment section or note section I was just referencing. For example, an organization may decide that there is higher potential risk posed by remote access versus internal password or authentication controls; however, when responding to the passwords and authentication questions during the assessment, they responded with respect to only the internal controls and not remote access. So in this instance the organization should document the risks of remote access in the notes or comments section at the end of the relevant assessment section, and/or attach supplemental documentation regarding its identification and assessment of those risks with respect to remote access in the "add a document" feature. The level of information put into the SRA will impact the final result, and the tool is only as good as the information you put into it.

So let's talk a little bit about what you get from the tool once you've completed your assessment. Here we're showing the summary reports. After all assessment sections are completed, the summary report becomes available. This is a cumulative high-level report showing your full assessment results. Important to note here is how your summary scores are calculated. Each section summary score is broken down in terms of risk percentage, not compliance percentage; the SRA Tool does not calculate the assessment questionnaire in terms of compliance. The risk score is a calculated percentage of the number of questions that fell into that area for review, which is then divided by the total number of questions you were presented; this is due to the branching logic. This means that the tool is scoring the areas where your answer options were sorted into areas for review. The other two scores seen here are just a total of the number of questions that fell into the areas for review and the total number of vulnerabilities selected as applicable to your organization. You also see here at the bottom each section's risk score in terms of that risk percentage.

One of the reports the SRA Tool offers is a risk report. The risk report shows you where you have risk and what areas require review or improvement. Each vulnerability you selected as applicable to your organization is shown here, along with the combined risk rating for the selected likelihood and impact of the threats you rated. The risk breakdown is the sum of threat ratings in each risk category. The categories are low, medium, high or critical and are color-coded, so users can see at a glance what categories have the highest score. The risk assessment rating key is in the upper right hand corner of this report and shows how threats and vulnerabilities are ranked in terms of that likelihood and impact. At the bottom of the risk report, each vulnerability selected and threat rated is shown for your review, as well as the questions that fell into the areas for review category. The tool shows them by section and question, and also shows your answer and education so you know how to improve your security in this area.

Finally we get to the detailed report. This is the last report and output from the SRA Tool after your assessment is completed. The detailed report is a collection of all data collected within your assessment, and each question response option, all selected vulnerabilities and threat ratings are captured within this report, as well as all of the practice information, assets and vendor information added at the beginning of your assessment. This report also serves as your audit log, so each user who contributed to the completion of the assessment will be shown within this report, along with a date and timestamp of when they answered each question. Please remember that this is only a tool to assist an organization with its review and documentation of its risk assessment, and therefore it is only as useful as the work that goes into performing and recording the risk assessment process. Once you have assessed your security risks using this tool, you may need to take appropriate steps to remediate any area found wanting. Use of this tool does not mean that your organization is compliant with the HIPAA Security Rule or other federal, state, local laws and regulations. It does, however, help you comply with the HIPAA Security Rule requirement to conduct a periodic security risk assessment. The PDF button near the top of this report allows you to print it and keep this report elsewhere for your records.

To continue to improve the SRA Tool, we have several planned enhancements on our product roadmap. Please be on the lookout for these upcoming releases and new features. We're looking to add highlights to the threats and vulnerabilities rating and selection screens, as well as a mechanism to select multiple and delete all for the assets and vendors screens. We'll be adding the NIST Cybersecurity Framework references to each question. We'll also be looking to add an Excel export of the detailed reports and an in-process reporting functionality that allows users to flag questions to skip and review at a later point.

Now we're moving on to part 2 of our webinar, in which we'd like to address questions and feedback from the field. Please use the question box in the GoToMeeting interface to ask your question. While we wait for some incoming questions, there are a few example questions here from our SRA helpdesk that we'd like to address, as they're frequent questions we receive from our users.

So the first question here is: how do I revisit a specific question? So with this, once you've logged into your SRA file that's in progress, to revisit a specific question you'll need to click into the assessment section and click the Next button to get to the section where you last left off, and then you would click the Back button to back up to the specific question you wanted to return to. You can at any time back up through the entire assessment and change answers, but please be mindful that as you do so, that may change your branching logic and take you down a different path or subset of questions.

Question two here says: do I need to submit my completed assessment? No, assessments do not need to be submitted to any governing organization, but you should keep them on file for your own records to demonstrate accuracy and thoroughness of an assessment and that a periodic assessment was completed.

Question three here: how often should I conduct a security risk assessment? So this one is a little broader. Requirements differ in terms of the timing and scope based on why the assessment is being performed. HIPAA has more of a broad scope and does not explicitly require a timeframe; however, MACRA or meaningful use has a more narrow scope and states that a security risk assessment should be completed annually.

Question four here is: do I need to start a new assessment each time I conduct an SRA? You know, again, this is a more tricky question to address because it really depends on the timing and scope of why you're performing an SRA. If you have had a change to your environment or a change in your organizational process, a new SRA should be conducted, but you can leverage some of the information, such as asset tracking and vendor information, from a prior year and keep that if no changes have been made to those assets or to the vendor information you have on file.
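The asset template walkthrough above stresses two things: the tool imports only the CSV form of the template, and the inventory records ePHI access, encryption level and disposal status per asset. The following is an added example, not the SRA Tool's own code or template, that checks a filled-in inventory before upload: it rejects non-CSV paths, fails fast if expected columns are missing, and flags rows a reviewer would want to look at (ePHI access with no encryption, or an asset marked disposed without a disposal date). The column headers and the sample rows are constructed for the example; the real template's headers may differ, so adjust `REQUIRED_COLUMNS` to match the file you downloaded.

```python
import csv
import io
from pathlib import Path

# Assumed column headers for the asset template (not taken from the real
# SRA Tool template); edit this set to match the downloaded template.
REQUIRED_COLUMNS = {
    "asset_type", "ephi_access", "encryption_level",
    "assignment", "location", "disposed", "disposal_date",
}

# Constructed sample inventory in the CSV format the tool imports.
# None of these rows describe a real practice.
SAMPLE_CSV = """asset_type,ephi_access,encryption_level,assignment,location,disposed,disposal_date
Desktop,Yes,Full disk,Front desk,Main office,No,
Tablet,Yes,None,Dr. Example,Clinic B,No,
Backup tape,Yes,Full disk,IT,Offsite storage,Yes,
Router,No,None,IT,Main office,Yes,2019-06-01
"""


def is_csv_path(path):
    """The tool imports CSV only; a workbook saved as .xlsx will not load."""
    return Path(path).suffix.lower() == ".csv"


def load_assets(text):
    """Parse template rows into dicts, failing fast if required columns are missing."""
    reader = csv.DictReader(io.StringIO(text))
    missing = REQUIRED_COLUMNS - set(reader.fieldnames or [])
    if missing:
        raise ValueError(f"template is missing columns: {sorted(missing)}")
    return [dict(row) for row in reader]


def flag_assets(assets):
    """Return (row_number, asset_type, reason) for rows that warrant review.

    Row numbers count from 2 because row 1 of the CSV is the header line.
    """
    findings = []
    for n, a in enumerate(assets, start=2):
        has_ephi = a["ephi_access"].strip().lower() == "yes"
        unencrypted = a["encryption_level"].strip().lower() in ("", "none")
        disposed = a["disposed"].strip().lower() == "yes"
        if has_ephi and unencrypted and not disposed:
            findings.append((n, a["asset_type"], "ePHI access without encryption"))
        if disposed and not a["disposal_date"].strip():
            findings.append((n, a["asset_type"], "marked disposed but no disposal date"))
    return findings


if __name__ == "__main__":
    # Run the checks over the constructed inventory before uploading it.
    for finding in flag_assets(load_assets(SAMPLE_CSV)):
        print(finding)
```

Run this against the completed template before uploading, then, as the presenter advises, keep the CSV in a protected location or delete it once the tool has imported it, since the file is a complete list of the practice's assets.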
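The summary report and risk report descriptions above give the score arithmetic in words: a section's risk percentage is the count of questions sorted into "areas for review" divided by the number of questions actually presented (which varies because of the branching logic), the two totals are the areas-for-review count and the count of vulnerabilities selected as applicable, and the risk report buckets each rated threat into low, medium, high or critical from its likelihood and impact. The block below is an added example that reproduces that arithmetic; it is not the SRA Tool's code. The section results and rated threats are constructed, and the 1-to-3 scale with the product-based rating key in `combined_rating()` is an assumption, since the webinar says a rating key appears on the report but does not give its values.

```python
from collections import Counter

# Constructed section results (not real assessment data). Because of the
# branching logic the number of questions presented differs per section and
# per respondent, which is why the score is a percentage of presented questions.
SECTION_RESULTS = {
    "Section 1: SRA Basics": {"presented": 12, "areas_for_review": 3},
    "Section 2: Policies, Procedures and Documentation": {"presented": 8, "areas_for_review": 4},
    "Section 3: Security and Your Workforce": {"presented": 10, "areas_for_review": 0},
}

# Constructed threats selected as applicable, each rated (likelihood, impact)
# on an assumed 1-3 scale. The real rating key is shown on the risk report.
RATED_THREATS = [
    ("Lost or stolen laptop", 3, 3),
    ("Phishing of workforce credentials", 2, 3),
    ("Unpatched network equipment", 2, 2),
    ("Misdelivered fax", 1, 2),
]


def section_risk_percentage(presented, areas_for_review):
    """Risk score: questions in 'areas for review' over questions presented, as a percentage."""
    if presented == 0:
        return 0.0
    return round(100.0 * areas_for_review / presented, 1)


def summary_report(section_results, rated_threats):
    """The three summary figures described in the webinar: per-section risk
    percentage, total questions in areas for review, and total vulnerabilities."""
    per_section = {
        name: section_risk_percentage(r["presented"], r["areas_for_review"])
        for name, r in section_results.items()
    }
    return {
        "section_risk_percentages": per_section,
        "total_areas_for_review": sum(r["areas_for_review"] for r in section_results.values()),
        "total_vulnerabilities_selected": len(rated_threats),
    }


def combined_rating(likelihood, impact):
    """Assumed rating key (not the tool's): the product of likelihood and impact,
    each 1-3, bucketed into the four categories the risk report uses."""
    score = likelihood * impact
    if score >= 9:
        return "Critical"
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def risk_breakdown(rated_threats):
    """Number of rated threats falling into each risk category."""
    counts = Counter(combined_rating(l, i) for _, l, i in rated_threats)
    return {cat: counts.get(cat, 0) for cat in ("Low", "Medium", "High", "Critical")}


if __name__ == "__main__":
    print(summary_report(SECTION_RESULTS, RATED_THREATS))
    print(risk_breakdown(RATED_THREATS))
```

Note what the percentage does and does not say: Section 3 scoring 0% means none of the presented questions landed in areas for review, not that the section is compliant, which matches the presenter's point that the tool reports risk percentage rather than compliance percentage.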