HHS Seeking Input on Improving Security Risk Analysis Tool
Critics Say the Tool Is Too Difficult to Use
… The current version of the tool is “better than before, but way too much for a small provider organization like a physician practice to try and use,” says Tom Walsh, president of privacy and security consulting firm tw-Security.
“Most small physician practices would only make it one-third of the way through before tossing in the towel and giving up.”
Following all of the steps called for in the tool takes too long, Walsh says. “Many of the questions are assessing against compliance with HIPAA. If an organization’s only risk was an OCR audit for HIPAA compliance, then the SRA tool is fine. However, there are lots of other threats/risks that the tool does not address,” he says.
“Less is more. The focus of the tool should be on the critical few versus the trivial many. There is a heavy focus on written policies as if a written policy will somehow thwart off a hacker. The emphasis – or weighted value for risk scoring – should be more on technical controls.”
A Struggle for All
While the tool is geared toward smaller organizations, Walsh notes that healthcare sector entities of all sizes often struggle with their security risk analyses.
“Larger organizations have a significant number of applications and systems – each configured differently when it comes to things like access controls, authentication, account lockout after failed logon attempts, time settings for automatic logoff after a period of inactivity, etc.,” he notes.
“There is not a ‘one size fits all’ approach to assessing security controls across a variety of systems. Risk assessments take dedicated resources to do it right the first time.”