Back in October of 2018, we published a post reviewing version 3 of the Office of the National Coordinator for Health Information Technology's (ONC) Security Risk Assessment Tool (SRAT). Our readers may recall that we could not recommend the tool in its then-current form for any medium- or large-sized organization, nor for anyone new to HIPAA or risk management. As almost four years and three minor upgrades have passed since our review, we feel it is time to give the software another test drive. This post focuses primarily on what has changed; we'll leave our legacy post up for anyone who wants a more comprehensive review.
As we started driving SRAT after such a long absence, it became clear that we don't remember every nuance, nook, or cranny, so consider this our caveat in case we accidentally report as new something that is not. The user interface is smooth, but still suffers from some of the previously documented issues (e.g. we were able to list an asset whose status is active while also entering a disposal date). We used two locations for our fictitious risk assessment, and it would have been nice to see those data elements offered as pull-down choices in the Asset Location field. On a positive note, when we entered a placeholder EHR system and marked it as unencrypted, the software immediately displayed a red "x" prompting us to document or remediate the risk. Another item we don't recall seeing, but are pleased to see now, is that the software asks "Have satisfactory assurances been obtained for this vendor?" and "Have additional risks been assessed for this vendor?" when adding a vendor (i.e. a business associate (BA)). Both questions should clue the software's users in that they need a BA contract, although notably there is no accompanying warning that such a contract needs to be signed before ePHI is created, maintained, accessed, transmitted, etc.
Once the Practice Info section is completed (organization, assets, vendors and documents), we jumped back into the seven-section Assessment portion. We like that the interface includes a Details field for notes; every risk assessment tool should include such a feature so the user can qualify their responses. We don't remember seeing the HIPAA, NIST and HICP references beside each question and consider this detail a plus. We would like the software to accept uploads for each question; instead, that opportunity is offered only on the completion screen of each interview section.
Continuing through the Section One questions, we are presented with a list of vulnerabilities to choose from; however, these vulnerabilities don't necessarily correspond to the eight questions just asked (e.g. inadequate asset tracking was listed after we were asked about risk assessments and management), so we're a little confused about how this list correlates with the questions. That said, HIPAA doesn't provide details exact enough to validate or invalidate listing this option. While not new, we're less than thrilled to still see the option to select no vulnerability at all after answering "no" to a question in the set. It's our opinion that vulnerabilities always exist and are exacerbated by the lack of a security control. Allowing the user to skip the impact and likelihood phase of the risk assessment after a security control failure has been identified is a red flag, especially if the user doesn't understand the correlation between controls and vulnerabilities. After completing our risk assessment, the software dashboard listed four vulnerabilities (26 in the full report), as that's all we checked, despite also listing a 40% Risk Score and 44 Areas for Review; this information could be confusing to a less experienced user.
Given the choice between not doing a risk assessment at all, using more comprehensive software and/or a consultant, or using something free, we haven't seen a better free tool than the SRAT. Having said that, the SRAT doesn't provide any policy and procedure documents, which are the basis of any HIPAA Security program. We also still don't know of a covered entity or business associate that has completed a SRAT SRA and had to submit it to the Secretary (i.e. the Office for Civil Rights) for evaluation. We also believe that the knowledge gained through using a better tool and external expertise more than pays for itself. You can click on the graphic below to evaluate the SRAT and draw your own conclusions.
Stay (HIPAA) safe,