HIMSS: Security risk assessment tool confusing, clunky

The security risk assessment tool (SRAT) developed by the U.S. Department of Health & Human Services to help providers in small- and medium-sized offices determine vulnerability to potential privacy attacks needs some work, say officials at the Healthcare Information and Management Systems Society.

In a letter sent May 27 to National Coordinator for Health IT Karen DeSalvo, Tom Leary and Lisa Gallagher--HIMSS vice presidents of government relations and technology solutions, respectively--call the tool confusing and say its not user friendly. The tool is supposed to aid providers in determining their security standing, particularly with HIPAA audits slated to begin later this year.

One example: Questions within the SRAT are full of legalese with which users who are not attorneys likely will struggle, they say.

"From a legal perspective, it may seem sufficient to rephrase the language of the regulation into a question," Leary and Gallagher write. "However, a layperson may have little knowledge about the meaning of the words used in the regulations, including what the significance of a standard or an addressable or required implementation specification."

What's more, they say, accessing the questionnaire is not intuitive, while the questionnaire interface itself presents users with too many options.

"While there may be useful information ... a user will probably not access the information because there are too many items to click on in order to retrieve the information," Leary and Gallagher write. "In essence ... the multitude of choices is confusing."

The permanent HIPAA auditing program will be narrower in scope than the 2012 auditing pilot program, with fewer site visits. About 350 covered entities will receive data requests this fall, and 50 business associates will be notified in 2015.

While Office for Civil Rights contracted with consulting firm KPMG to conduct the pilot program, the permanent program will be carried out in-house.

Covered entity audits in 2015 will focus on issues including computing device and storage media security controls, transmission security and HIPAA safeguards such as procedures and staff training. The focus in 2016 will include physical access, encryption, decryption and other issues.

To learn more:
- read the letter to DeSalvo (.pdf)

Read more on