HIMSS Officials Criticize HHS Security Risk Assessment Tool
May 29, 2014 in News
On Tuesday, Healthcare Information and Management Systems Society (HIMSS) officials sent a letter to National Coordinator for Health IT Karen DeSalvo arguing that a new security risk assessment tool, or SRAT, developed by HHS is confusing and not easy to use, FierceHealthIT reports.
SRAT was created by HHS to help providers in small- and mid-sized practices assess how vulnerable their patient data is to security and privacy threats.
The tool also is designed to help providers assess their security before HIPAA audits begin later this year.
Such audits will focus on issues such as:
- Computing device and storage media security controls;
- HIPAA procedures and staff training; and
- Transmission security.
In the letter, HIMSS Vice President of Government Relations Tom Leary and HIMSS Vice President of Technology Solutions Lisa Gallagher wrote that the tool is confusing and not user-friendly.
For example, they noted that the questions within the tool are full of legal terms that users who are not attorneys may have trouble understanding.
They wrote, “From a legal perspective, it may seem sufficient to rephrase the language of the regulation into a question.” They added, “However, a layperson may have little knowledge about the meaning of the words used in the regulations, including what the significance of a standard or an addressable or required implementation specification [is].”
In addition, they noted that the questionnaire is not intuitive for users, as its interface presents users with a “multitude of choices” that may be “confusing” (Bowman, FierceHealthIT, 5/28).
They wrote, “We believe that … SRAT is a step in the right direction, but additional steps need to be taken in order to continue improvement of … SRAT and provide users with a practical pathway to meaningful compliance through effective risk management” (HIMSS letter, 5/27).