The Airius Risk Maturity Knowledgebase is intended to give you a snapshot of those things in the world affecting information risk for April 29th through May 5th, 2023.
From HealthIT . . .
The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR), developed a downloadable Security Risk Assessment (SRA) Tool to help guide you through the process. The tool is designed to help healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule and the Centers for Medicare and Medicaid Service (CMS) Electronic Health Record (EHR) Incentive Program. The target audience of this tool is medium and small providers; thus, use of this tool may not be appropriate for larger organizations.
HHS offers a tool "SRA TOOL" (Security Risk Assessment Tool | HealthIT.gov). It is a way to guide senior management within medical practices to act more responsibly with risk.
The problem is that it is only available for Windows. It is built in JAVA and could run anywhere. The packager makes it an MSI, and only that is proprietary.
There are no license restrictions at all, so it is potentially public domain. The big problem is that it is closed: the source code is not shared, and the design documents are not available for review. For the SRA tool to run, it needs to be installed on a Windows computer and used by someone who has access to a great deal of risk information about a healthcare practice. A free software application that comes with no information about its constituent parts, how it operates, or what its license obligations are can impose unanticipated risks on a practice risk manager.
A covered entity is fully responsible for ALL of the ePHI that is created and managed. As a result, vendor risk, and risk imposed through third party applications, solutions, software and hardware, needs to be carefully assessed.
This is a five-year-old project, built using open-source Java packages, but with the license information hidden.
Our team used Checkmarx to finally do the one thing that had not been done in five years: scan what is in this code.
Our friends at Revenera helped us to assess the extracted source code further.
They found 50 open-source projects with licenses including GPL2, Apache, BSD, MIT and more. The source is currently not available, there is no published license information, and the third-party attribution that those licenses require is absent.
The SRA Toolkit was built using a number of open-source frameworks.
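The kind of check such a scan performs, as an added example that is not Airius's, Checkmarx's or Revenera's code: a Python script that opens each jar of an unpacked Java install, reads the OSGi manifest headers, Maven pom.properties and bundled LICENSE files under META-INF, and reports each component's coordinates and license family, marking anything with no recognisable license as UNKNOWN so it can be chased by hand. The sample jars, the license marker list and every name in it are constructed for this example and are not the SRA tool's real contents.

```python
import io
import re
import zipfile

# Minimal marker list mapping license text, URLs or manifest values to a family (hypothetical, not exhaustive).
LICENSE_MARKERS = [("gnu general public license", "GPL"), ("apache", "Apache"),
                   ("permission is hereby granted", "MIT"),
                   ("redistribution and use in source and binary forms", "BSD")]

def classify_license(text: str) -> str:
    return next((fam for marker, fam in LICENSE_MARKERS if marker in text.lower()), "")
def manifest_value(manifest: str, key: str) -> str:  # value of the first 'Key: value' line in a MANIFEST.MF
    m = re.search(rf"^{re.escape(key)}: *(.+?)\r?$", manifest, re.M)
    return m.group(1).strip() if m else ""

def read_jar_metadata(data: bytes) -> dict[str, str]:
    """Artifact, version and license hints from a jar's META-INF; license is UNKNOWN if nothing is recognisable."""
    info = {"artifact": "", "version": "", "license": ""}
    with zipfile.ZipFile(io.BytesIO(data)) as jar:
        for name in jar.namelist():
            if name == "META-INF/MANIFEST.MF":  # OSGi bundle headers
                mf = jar.read(name).decode("utf-8", "replace")
                info["artifact"] = info["artifact"] or manifest_value(mf, "Bundle-SymbolicName")
                info["version"] = info["version"] or manifest_value(mf, "Bundle-Version")
                info["license"] = info["license"] or classify_license(manifest_value(mf, "Bundle-License"))
            elif name.startswith("META-INF/maven/") and name.endswith("pom.properties"):  # Maven coordinates
                props = dict(l.split("=", 1) for l in jar.read(name).decode().splitlines() if "=" in l and l[0] != "#")
                info["artifact"] = info["artifact"] or f"{props.get('groupId', '?')}:{props.get('artifactId', '?')}"
                info["version"] = info["version"] or props.get("version", "")
            elif name.upper().startswith("META-INF/LICENSE"):  # bundled LICENSE / LICENSE.txt
                info["license"] = info["license"] or classify_license(jar.read(name).decode("utf-8", "replace")[:2000])
    info["license"] = info["license"] or "UNKNOWN"  # flag for manual review
    return info

def inventory(jars: dict[str, bytes]) -> list[dict[str, str]]:
    """One row per jar of an unpacked install; the UNKNOWN rows are the attribution gaps to chase."""
    return [dict(read_jar_metadata(data), file=fname) for fname, data in jars.items()]
def make_jar(entries: dict[str, str]) -> bytes:  # in-memory jar (a zip) from {path: text}, for the samples only
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for path, text in entries.items():
            z.writestr(path, text)
    return buf.getvalue()

SAMPLE_JARS = {  # constructed samples standing in for an unpacked install directory, not the SRA tool's contents
    "lib-a.jar": make_jar({"META-INF/MANIFEST.MF": "Manifest-Version: 1.0\r\nBundle-SymbolicName: org.example.liba\r\n"
                           "Bundle-Version: 3.12.0\r\nBundle-License: https://www.apache.org/licenses/LICENSE-2.0.txt\r\n"}),
    "lib-b.jar": make_jar({"META-INF/maven/com.example/libb/pom.properties": "groupId=com.example\nartifactId=libb\nversion=1.4\n",
                           "META-INF/LICENSE.txt": "GNU GENERAL PUBLIC LICENSE\nVersion 2, June 1991\n"}),
    "mystery.jar": make_jar({"com/example/Foo.class": "not real bytecode"}),
}
```

Run against a real directory, the same `read_jar_metadata` is fed the bytes of each `*.jar` on disk; a manifest that names no license and a jar that carries no META-INF at all both surface as UNKNOWN, which is exactly the attribution gap described above.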
We built the Security Risk Assessment Toolkit online.
While it is admirable that HHS and the ONC combined to make HIPAA compliance tools available, it is a shame that their effort was ill-advised and potentially introduces significant risk to a user.
Our research used a number of tools:
The commercial and open-source tools took a great deal of expertise to operate. This project took six weeks and involved ten engineers at three different companies. All of the commercial tools were properly licensed, and the realistic cost for this project would quickly exceed $70,000.
If you need help with achieving HIPAA compliance, you can contact us at info@airius.com.
We are a team of experts who can provide you with customized solutions and support for your HIPAA compliance needs. We can help you with:
Don’t wait until it’s too late. Contact us today and let us help you achieve HIPAA compliance with confidence and ease.
We are amazed at the number of submissions we have gotten to date, but even more so, we are incredibly grateful to over 150 core contributors who have devoted their time and resources to helping us provide up-to-date information. Send your stories and announcements to knowledgebase@airius.com.
The Risk Maturity Knowledgebase restarts an effort that we began in 2007. With hundreds of volunteers, interns and staff members at the time, along with over 60 weekly translations, our predecessor became the standard for GPL and open source security information.
Can you translate the blog? Please reach out.
If we can help you with risk management, SOC reporting, an emergency or you just need guidance with INFOSEC, please reach out to us.