You could have a staff member fill it out. Most of it is just inventory. It really makes you think about the security of the data on your network. Something that should've been considered before implementing the EMR.
For example, running on a P2P system, lots of people have Everyone in their permissions for AC to work. Meaning anyone who gets on the network can get access. How would you resolve something like that?
Most of these should've been factored in before implementation.