The U.S. Department of Health and Human Services Office for Civil Rights (OCR) and the Office of the National Coordinator for Health Information Technology (ONC) have released version 3.4 of their Security Risk Assessment (SRA) Tool.

The SRA Tool is designed to help healthcare providers conduct a risk analysis as required by the HIPAA Security Rule. Identifying and assessing potential risks and vulnerabilities to electronic protected health information (ePHI) are foundational elements in the implementation of security measures that protect ePHI. As hacking and ransomware attacks continue to increase within the health care sector, it is more important than ever for organizations to understand their risk exposure and use that understanding to improve their cybersecurity.

The downloadable SRA Tool is a desktop application that walks users through the security risk assessment process using multiple-choice questions, threat and vulnerability assessments, and asset and vendor management. References and additional guidance are given along the way. Reports are available to save and print after the assessment is completed.

The latest version contains a variety of feature enhancements based on user feedback and public input. New features include:

1) A Remediation Report to help track  responses within the tool
2) A Glossary and “Tool Tips” help
3) Updated references to Health Industry Cybersecurity Practices (HICP) for 2023 Edition
4) Bug fixes and stability enhancements