Updated: Oct 30, 2018
Following the Office of the National Coordinator for Health Information Technology (ONC) announcement of version 3 (v3) of its Security Risk Assessment Tool, we felt it worthwhile to review the free-for-download v3 tool and provide more than just an echoed announcement.
As we downloaded v3, we read the same disclaimer language previously offered on the ONC website (and found again within the application). Their qualification didn’t exactly inspire confidence, but after our review we better understand why ONC advertises that the tool doesn’t guarantee compliance with the HIPAA Security Rule.
Disclaimer: The Security Risk Assessment Tool at HealthIT dot gov (sic) is provided for informational purposes only. Use of this tool is neither required by nor guarantees compliance with federal, state or local laws.
Upon launching the program, we were treated to a much-improved user interface compared with the version 1 software that we previously evaluated.
How the Tool Works
Once open, v3 prompts us to save a new risk assessment file (or open an existing one). We create our risk assessment file and are walked through entering basic “Practice Information”. Following this step, v3 offers us the option to upload assets, vendors and documents. As we believe in an asset-centric risk analysis that includes equipment, people and processes, we were excited to see ONC share this approach.
v3 offers Microsoft Excel compatible CSV file templates for uploading these lists, prepopulated with fields matching those captured in the program. For example, the inventory template includes: type, assignment, ID, asset state, ePHI, encryption, comments, disposal status and disposal date.
Once the Practice Information section is complete, an Assessment section made up of seven sub-sections presents with instructions and a “What is the HIPAA Security Rule?” link. Each of the seven sections prompts us to answer questions tied to HIPAA Security Rule citations. v3 offers a Security Rule reference in the question screen’s lower right-hand corner and an “Education” tip in the upper right-hand corner. Depending on how each question is answered, v3 may ask more in-depth follow-up questions.
Following each section, v3 presents a list of selectable vulnerabilities identified from our question responses. v3 then opens a likelihood and impact matrix with low, medium and high selections for each selected vulnerability. We select levels for likelihood and impact, which v3 later uses to compute a risk level for each vulnerability.
Upon concluding each section’s questions, and based on the responses, v3 presents a section summary that sorts the questions into two categories: Areas of Success and Areas for Review. On this screen v3 provides an opportunity to attach documents or type additional information. Once all seven assessment sections are completed, v3 presents a Security Risk Assessment Summary dashboard with a risk score, areas for review and vulnerabilities. Lastly, v3 generates a risk report and a detailed report presenting all of the information collected and computed.
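To make the difference between the two designs concrete, here is an added example (our own illustration, not code from the ONC tool) of a control-driven risk register: a “no” answer to a control question forces the matching vulnerability into the register, and the assessor only supplies likelihood and impact. The three Security Rule citations are real, but the questions, the vulnerability wording, the worst-case default for unrated items and the 3x3 rating thresholds (product of the two levels: 1–2 low, 3–4 medium, 6–9 high) are all assumptions made for this example.

```python
"""Control-driven risk register (added illustration, not the ONC tool's logic)."""

LEVELS = {"low": 1, "medium": 2, "high": 3}

# Hypothetical catalogue keyed by Security Rule citation:
#   citation -> (yes/no question, vulnerability implied by a "no" answer)
CONTROLS = {
    "164.312(a)(2)(iv)": (
        "Is ePHI at rest encrypted?",
        "Unencrypted ePHI at rest",
    ),
    "164.308(a)(5)(ii)(D)": (
        "Is there a password management procedure?",
        "Weak or unmanaged passwords",
    ),
    "164.312(a)(2)(i)": (
        "Does every user have a unique ID?",
        "Shared accounts prevent accountability",
    ),
}


def rate(likelihood: str, impact: str) -> str:
    """Assumed 3x3 matrix: risk = likelihood * impact, bucketed into three levels."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def build_register(answers: dict, ratings: dict) -> list:
    """Return risk register rows, highest risk first.

    answers: citation -> True if the control is in place ("yes").
             A missing answer is treated as "no": an unanswered control
             is an unevidenced control.
    ratings: citation -> (likelihood, impact) chosen by the assessor.
             Unrated vulnerabilities default to high/high (assumption:
             forgetting to rate must not make a risk disappear).
    """
    register = []
    for citation, (question, vulnerability) in CONTROLS.items():
        if answers.get(citation, False):
            continue  # control in place: an "area of success", no vulnerability
        likelihood, impact = ratings.get(citation, ("high", "high"))
        register.append({
            "citation": citation,
            "question": question,
            "vulnerability": vulnerability,
            "likelihood": likelihood,
            "impact": impact,
            "risk": rate(likelihood, impact),
        })
    register.sort(key=lambda row: LEVELS[row["risk"]], reverse=True)
    return register


# Constructed sample answers and ratings for a small practice.
SAMPLE_ANSWERS = {
    "164.312(a)(2)(iv)": False,   # laptops not encrypted
    "164.308(a)(5)(ii)(D)": True,  # password procedure exists
    "164.312(a)(2)(i)": False,    # front desk shares one login
}
SAMPLE_RATINGS = {
    "164.312(a)(2)(iv)": ("medium", "high"),  # 2 * 3 = 6 -> high
    "164.312(a)(2)(i)": ("low", "medium"),    # 1 * 2 = 2 -> low
}

if __name__ == "__main__":
    for row in build_register(SAMPLE_ANSWERS, SAMPLE_RATINGS):
        print(f'{row["risk"]:6} {row["citation"]:22} {row["vulnerability"]}')
```

The point of the example is the `continue`: the assessor never chooses whether a vulnerability exists, only how severe it is, so a blank or “no” answer cannot silently drop out of the register.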
Why v3 Arrives with a Caveat
Our biggest issue by far with this software, and the reason we speculate it is offered with a disclaimer, is that v3 does not derive vulnerabilities (and therefore risks) from the question responses. Instead, v3 only provides a selectable vulnerabilities list, even though a vulnerability should be triggered automatically by the absence of a security control. A person using v3 who is unfamiliar with the normal elements of a risk analysis can unknowingly fail to produce an accurate risk register. Additionally, v3 offers an Areas for Review section, which further complicates the experience.
The impact of this fault is that a clinic manager with limited risk management or HIPAA Security experience could reasonably believe that they have completed a bona fide risk assessment; the reality is that v3 presents the illusion of a completed process, which is itself a vulnerability to a Covered Entity (CE) or Business Associate (BA) HIPAA Security program and to their patients’ ePHI.
We were also dismayed at some of the simpler anomalies that v3 presents. Having previously worked in a software development organization, we know that software is supposed to be formally tested for functionality and to remove simple errors that reduce the user’s confidence in the product. At one point we wondered whether the developers work in the HIPAA space at all (see the final list entry below):
Lack of input masks for formatted fields (e.g. phone numbers), an easy and, frankly, expected detail to program.
Lack of CSV file Excel Data Validation selections that match the program’s pull-down menus.
Lack of field-relationship intelligence: for example, we were able to select a “Not Disposed” disposal status for one inventory item but then also input a disposal date.
No allowance for multiple yes responses when they are applicable (e.g. an “all of the above”-type question where more than one response may be appropriate).
The apostrophe character failed to display properly (it renders as a character-set box), and
The help screen describing the HIPAA Security Rule’s sections and composition only described a portion of the HIPAA Security Rule.
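The field-relationship problem in the list above is the kind of check a CSV import should do before a row ever reaches the risk register. As an added example (ours, not the ONC tool's code), the following validator reads an inventory CSV with the column names the review lists and rejects rows with a disposal date on a “Not Disposed” asset or no date on a “Disposed” one; it also flags an ePHI-bearing asset with no encryption, because that row is a finding rather than a typo. The sample CSV, the Yes/No vocabularies and the ISO date format are constructed assumptions; the tool's own pull-down values may differ.

```python
"""Cross-field validation of an asset inventory CSV (added example, not the ONC tool's code)."""
import csv
import io
from datetime import date

# Constructed sample in the template's column order (values are assumptions).
SAMPLE_CSV = """\
type,assignment,ID,asset state,ePHI,encryption,comments,disposal status,disposal date
Laptop,Dr. Smith,LT-001,Active,Yes,Yes,,Not Disposed,
Laptop,Front desk,LT-002,Active,Yes,No,,Not Disposed,2018-09-01
Server,IT,SV-001,Retired,Yes,Yes,,Disposed,
Tablet,Nurse station,TB-001,Active,No,No,,Not Disposed,
"""

# Assumed vocabularies (mirror whatever the program's pull-down menus offer).
ALLOWED = {
    "ePHI": {"Yes", "No"},
    "encryption": {"Yes", "No"},
    "disposal status": {"Disposed", "Not Disposed"},
}
REQUIRED = ["type", "ID", "asset state", "ePHI", "encryption", "disposal status"]


def _is_iso_date(text: str) -> bool:
    try:
        date.fromisoformat(text)
        return True
    except ValueError:
        return False


def validate_inventory(csv_text: str) -> dict:
    """Return {asset ID: [problems]} for every row that fails a check.

    Rows with no problems are omitted, so an empty dict means a clean file.
    """
    problems = {}
    # Line 1 is the header, so the first data row is line 2.
    for line_no, row in enumerate(csv.DictReader(io.StringIO(csv_text)), start=2):
        cell = lambda name: (row.get(name) or "").strip()  # noqa: E731
        key = cell("ID") or f"line {line_no}"
        errs = []

        for field in REQUIRED:
            if not cell(field):
                errs.append(f"missing {field}")

        for field, allowed in ALLOWED.items():
            if cell(field) and cell(field) not in allowed:
                errs.append(f"{field} must be one of {sorted(allowed)}")

        # Field-relationship checks the review found missing in v3.
        status, disposed_on = cell("disposal status"), cell("disposal date")
        if status == "Not Disposed" and disposed_on:
            errs.append("disposal date set but status is Not Disposed")
        if status == "Disposed":
            if not disposed_on:
                errs.append("Disposed asset has no disposal date")
            elif not _is_iso_date(disposed_on):
                errs.append("disposal date is not YYYY-MM-DD")

        # Not a data-entry error but a finding worth surfacing at import time.
        if cell("ePHI") == "Yes" and cell("encryption") == "No" and status != "Disposed":
            errs.append("unencrypted asset holding ePHI")

        if errs:
            problems[key] = errs
    return problems


if __name__ == "__main__":
    for asset, errs in validate_inventory(SAMPLE_CSV).items():
        print(asset, "->", "; ".join(errs))
```

Run against the sample, LT-001 and TB-001 pass, LT-002 is rejected for the contradictory disposal date and flagged as unencrypted ePHI, and SV-001 is rejected for lacking a disposal date.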
In well-educated hands, the ONC tool can be employed to complete a basic HIPAA-required risk analysis for a small CE or BA environment. Given the software’s flaws and the importance of a well-performed risk analysis, we cannot recommend this tool for any larger CE or BA, or for anyone new to HIPAA or risk management. OCR (the HHS Office for Civil Rights) has failed the risk analyses of 90% of all major breaches, and v3 is probably not going to reduce this statistic. We’re curious how OCR will respond to a future breached organization that submits a v3 risk analysis report.
A second note is aimed at v3’s output. It is our repeated experience that healthcare leadership doesn’t want to see a simple chart with risk levels or scores; they want instead to understand their risk exposure profile. Maybe when more software vendors understand this very important detail, more healthcare entities will better manage their ePHI risks and HIPAA Security compliance programs.
If you want to learn how to present an OCR-ready risk analysis instead of risking your patients’ ePHI with immature approaches like v3, contact us using the information on this website.