Ward documentation

A quick guide to running your HIPAA Security Risk Assessment.

Getting started

  1. Open the app. It runs entirely in your browser — no signup. Your data is saved locally.
  2. Name your entity. Use the "Client / entity" selector at the top. MSPs add one entry per client.
  3. Work through the 7 sections on the Assessment tab. Each question has plain-English guidance under "What this means & what to do."
  4. Answer honestly: In place / Partially / Not in place / N/A. Anything partial or not-in-place becomes a risk.
  5. Rate your gaps. For each gap, pick a threat and rate likelihood and impact — Ward computes the rating.
  6. Check the 2026 Readiness tab and export your reports.

How risk ratings work

Ward uses the NIST-aligned method the ONC SRA Tool uses. You rate each gap on two scales: likelihood and impact.

The two multiply into a score: 1–5 = Low, 6–12 = Moderate, 13–25 = High. (HIPAA and NIST say "Moderate," not "Medium.") The Risk Register tab shows them ranked, with a likelihood × impact heatmap.
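The scoring and ranking described above, as an added JavaScript example (not Ward's own code): it rates each gap, sorts the register, and counts gaps per heatmap cell. The 1-5 range for each scale, the tie-break on impact, and the gap ids and threats are assumptions of this example; the page states only the score bands.

```javascript
// Added example, not Ward's code. Assumption: both scales are integers 1-5
// (the page gives only the score bands; the 25 maximum implies 5 x 5).
const SCALE_MAX = 5;

// Bands from the page: 1-5 Low, 6-12 Moderate, 13-25 High.
function band(score) {
  if (score <= 5) return "Low";
  if (score <= 12) return "Moderate"; // HIPAA/NIST wording, not "Medium"
  return "High";
}

// Validate both ratings, then attach score and rating to the gap.
function rateGap(gap) {
  for (const key of ["likelihood", "impact"]) {
    const v = gap[key];
    if (!Number.isInteger(v) || v < 1 || v > SCALE_MAX) {
      throw new RangeError(`${gap.id}: ${key} must be an integer 1-${SCALE_MAX}`);
    }
  }
  const score = gap.likelihood * gap.impact;
  return { ...gap, score, rating: band(score) };
}

// Rank highest score first. Assumption: ties go to the higher impact.
function buildRegister(gaps) {
  return gaps.map(rateGap)
    .sort((a, b) => b.score - a.score || b.impact - a.impact);
}

// heatmap[likelihood - 1][impact - 1] = number of gaps in that cell.
function buildHeatmap(register) {
  const grid = Array.from({ length: SCALE_MAX }, () => Array(SCALE_MAX).fill(0));
  for (const r of register) grid[r.likelihood - 1][r.impact - 1] += 1;
  return grid;
}

// Constructed sample gaps (hypothetical ids and threats).
const sampleGaps = [
  { id: "GAP-1", threat: "Lost unencrypted laptop", likelihood: 3, impact: 5 },
  { id: "GAP-2", threat: "Untested backup restore", likelihood: 2, impact: 3 },
  { id: "GAP-3", threat: "Shared front-desk login", likelihood: 4, impact: 3 },
  { id: "GAP-4", threat: "Visitor log not kept", likelihood: 1, impact: 2 },
];

const register = buildRegister(sampleGaps);
const heatmap = buildHeatmap(register);
for (const r of register) console.log(r.id, r.score, r.rating, "-", r.threat);
```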

The 2026 readiness meter

The meter maps your answers to the ten headline obligations of the proposed 2026 HIPAA Security Rule — encryption everywhere, MFA on ePHI, the end of "addressable," scans & pen tests, asset inventory, BA verification, tested backups, rapid breach handling, audit logging, and an annual written risk analysis. Each shows Ready / Partial / Gap with what to do.

Exporting & reports

The Reports tab produces a full SRA, an executive summary, and (from the Risk Register) a POA&M and CSV risk register. "Print / Save as PDF" renders an audit binder in your browser — your patient data never leaves your machine.

Integrations

The Integrations tab can import a posture export (a sample is included) to auto-answer technical/physical questions. Publishing to the DosanjhLabs evidence graph and full connector auto-answers are on the roadmap — see STATUS.md in the repo.
