The free ONC/HHS Security Risk Assessment Tool is the credible baseline — but it only runs on Windows (or as an Excel workbook), it's single-user, and it stops at the SRA. Ward keeps the rigor, runs anywhere, and adds the 2026 readiness report.
Ward deliberately mirrors the ONC SRA Tool's 7 sections, ~120 rubric-scored questions, threat/vulnerability catalog, and likelihood × impact rating, so it's familiar and audit-credible. Then it closes the gaps clinics complain about — and adds the modules the 2026 rule turns into requirements: a severity-weighted readiness meter, a per-mandate POA&M, an asset inventory and data map, policy management, and recurring-test cadence tracking.
| Capability | ONC/HHS SRA Tool | Ward |
|---|---|---|
| Price | Free | Free (local tier) |
| Runs on Mac & Linux | No (Windows / Excel only) | Yes — browser + Mac/Win/Linux desktop |
| 7 sections, rubric-scored questions | Yes | Yes — same structure & 45 CFR citations |
| Threat/vulnerability catalog | Yes | Yes — extended with 2026-era threats |
| Likelihood × impact rating | Yes (Low/Mod/High) | Yes — identical NIST-aligned math |
| Plain-English guidance per question | Limited | Yes — written for a non-technical Security Officer |
| PHI stays on your machine | Yes | Yes — local-first by default |
| 2026 Security Rule readiness report | No | Yes — live, severity-weighted, per-mandate (proposed/final labeled) |
| Per-mandate & per-question POA&M | No (analysis only) | Yes — owner / target / status, overdue flags |
| Asset inventory & data map | No | Yes — the 2026-required inventory, flags unencrypted ePHI |
| Policy templates + versioning + attestation | No | Yes — 10 CFR-cited templates, local version history |
| Scan / pen-test / IR cadence tracking | No | Yes — due dates + overdue reminders |
| Vendor / BAA tracking | Vendor list only | Yes — BAA status + 2026 verification |
| Import an in-progress ONC file | n/a | Yes — JSON migration importer (CFR/text mapping) |
| Multi-user / MSP multi-client | No | Yes (cloud tiers) |
Why this matters: the ONC tool's biggest real-world complaints are "it won't run on our Macs," "only one person can use it," "it tells me what's wrong but not what to do about it," and "it doesn't tell me about 2026." Ward fixes all four — it runs anywhere, turns every gap into a tracked, owned remediation item, and ships a live 2026 readiness meter — without giving up the local-first PHI model that makes the gov tool trustworthy.
.xlsx/proprietary-binary import is on the roadmap; see the repo STATUS for current state.
Run a complete HIPAA Security Risk Assessment on any machine — free, local-first, with a built-in 2026 readiness report.