Security Risk Assessment (SRA) Essential To Reducing Cybersecurity Risks in Healthcare

Brian Williams, MHA, MBA
MedTrainer Tips For Improving Healthcare Security Risk Assessments

Today’s climate of cybersecurity risks in healthcare is bringing additional scrutiny, regulations, and enforcement. The OCR’s (Office for Civil Rights) Security Risk Analysis Initiative has resulted in eight enforcement actions in its first six months, with organizations paying between $10,000 and $600,000 to settle.

OCR says that conducting a comprehensive healthcare security risk assessment (SRA) significantly reduces the risk of ransomware attacks. However, many organizations fail to do this; it is one of the most frequent violations of the HIPAA Security Rule (based on fines and resolution agreements). To increase SRA completion, OCR has stepped up enforcement and proposed additions to the HIPAA Security Rule that would clarify the requirements for healthcare security risk assessments, alongside other changes designed to better protect patient information.

There is no single method or best practice that guarantees compliance with the HIPAA Security Rule. But a healthcare Security Risk Assessment (SRA) should be the first step in every organization’s Security Rule compliance efforts.

What Is a Healthcare Security Risk Assessment (SRA)?

A Security Risk Assessment (SRA) is required for covered entities and business associates as part of compliance with the HIPAA Security Rule. Plus, all providers who want to receive electronic health record (EHR) incentive payments must conduct a risk analysis.

A healthcare security risk assessment must accurately and thoroughly evaluate the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization. The assessment will reveal:

  • The organization’s compliance with HIPAA safeguards
  • Areas where the organization could be at risk
  • Improvements that are needed to enhance cybersecurity and staff awareness

Tips for Conducting a Healthcare Security Risk Assessment

The first time you conduct a Security Risk Assessment (SRA), it may seem a little difficult to answer each question with 100% confidence — but that’s alright. Getting through the process for the first time is a great starting point in how to reduce healthcare cybersecurity risk.

The SRA provides the framework for understanding the vulnerabilities, threats, and risks applicable to your organization. The SRA should be performed on an annual basis and again any time there is an incident or a new threat is discovered.

The SRA begins with answering basic questions about your organization and ensuring that you have identified all of the equipment that is capable of receiving, storing, and transmitting ePHI.

Why is this important? Computers, servers, fax machines, copiers, and many types of medical equipment can store PHI, so any device you have not identified is a device you cannot secure.

TIP 1: Keep an inventory of all electronic equipment and maintain a system that identifies and manages each device throughout its lifecycle: from the point of entry, through how it is secured and to whom it is assigned, to how it is ultimately disposed of.

TIP 2: If personal smart phones and tablets are used by providers or staff, make sure to have clear policies on accessing, storing, and sharing PHI.

TIP 3: A trusted service or vendor that has actual or potential access to PHI should always have a written Business Associate Agreement (BAA) and should be transparent about how the business associate (BA) will protect PHI. Proper staff training at both organizations will help to create awareness and accountability.

TIP 4: Ask your BAs to complete their own SRA and share the results with your organization. This will offer insight into your risks and provide an opportunity for education. At a minimum, BAs should be ready and willing to verify that their staff have been properly trained and that access to systems and equipment is monitored to ensure patient information is used only for its intended purpose. BAs are directly liable for breaches.

TIP 5: Store all SRAs in a healthcare document management system for easy access and reference when needed.

The healthcare security risk assessment must take into consideration how PHI is received, stored, and transmitted. An SRA whose score indicates high risks and vulnerabilities should be taken very seriously. While it’s common for healthcare organizations to have “trusted vendors” that provide equipment or IT services, the SRA may still reveal inadequate computer systems, questionable user activity, unconfirmed identities, or insecure connections between the IT infrastructure and devices.

What Else Is Needed To Comply With the HIPAA Security Rule and Reduce Cybersecurity Risk in Healthcare?

There isn’t a one-size-fits-all solution to healthcare cybersecurity risk, given the complexity of HIPAA compliance and the pressing need to improve cybersecurity preparedness. There are distinct advantages to sharing patient information, but it means everyone in the healthcare organization plays a role, including compliance teams.

Below, find three key healthcare cybersecurity compliance activities that help protect patient information.

1. Develop reasonable and appropriate security policies.

To reduce cybersecurity risk and improve healthcare cybersecurity compliance, organizations should have comprehensive policies for employees to follow and the policies should be easily accessible. Specifically related to HIPAA, organizations should have a policy manual that includes the following:

  • Patient Request for Electronic Health Records
  • Authorization for Disclosure of Health Information (Mental Health, SUDs, HIV/AIDS Related Information as allowed by law)
  • Revocation of Restriction of Use and Disclosure of Protected Health Information
  • Request for Correction or Amendment of Protected Health Information
  • Request for Restrictions of Use and Disclosure of Protected Health Information
  • Personal Representative Request
  • Certificate of Destruction
  • Privacy and Security Audit (Addressable & Required Protections)

2. Consistently review and modify security measures.

It’s important to share your healthcare Security Risk Assessment results with the appropriate stakeholders and to elicit their feedback on those results, on policies, and on other potential risks.

A March 2023 update to the Health Sector Cybersecurity Framework Implementation Guide suggests a broader, more collaborative approach to risk analysis that will enhance the ability to effectively identify and manage organizational risk, safeguard patient privacy, and protect business value.

Staff can provide excellent perspectives on cybersecurity risk at the point of care, and by including a wide range of employees in your risk assessments, you can improve healthcare cybersecurity compliance. For example, employees can point out computer screens where protected health information (PHI) can be seen by patients.

It’s a simple fix to add a privacy screen, but you can’t fix what you don’t know about.

3. Provide employee training on cybersecurity risks in healthcare and the HIPAA Security Rule.

The HIPAA Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for shielding electronic protected health information (ePHI). This includes ensuring compliance by their workforce.

There is no single standardized program that could appropriately train employees of all entities; however, employees must be trained on HIPAA as it applies to their role, responsibilities, and access to PHI.

The Department of Health and Human Services (HHS) states that the best practice for training frequency is annual, and that every other year is acceptable. Anything less frequent than that is an indication of non-compliance and will be taken into consideration if there is a breach and fines are imposed.

Using an online learning management system, healthcare organizations can greatly simplify training assignment, completion, and reporting. When choosing a healthcare compliance learning provider, ensure the courses will meet established standards and that there are a variety of training options.

MedTrainer offers 30+ courses on HIPAA, including a four-course microlearning series (each course is 10 minutes) specifically related to the Security Rule:

  • The HIPAA Security Rule
  • Cybersecurity & HIPAA: Electronics and Cloud-Based Systems
  • HIPAA Compliance & Cybersecurity: Protecting PHI
  • Cybersecurity & HIPAA: Ransomware, Phishing, and Cyberattacks

Make it Easy for Staff to Comply With HIPAA

Healthcare organizations are targeted by cyberattacks because of the volume and value of the information they possess. Employees want to protect their patients’ information and keep the organization safe, but they rely on education and processes to know how. Make it easy for them with a single healthcare compliance platform, like MedTrainer. With compliance training, policy management, and incident reporting under one login and an easy-to-use interface, it’s simple for employees to contribute to healthcare cybersecurity compliance.

MedTrainer’s team of researchers ensures HIPAA training is engaging and up to date with the latest guidelines. Plus, it’s easy for you to record your own organization-specific training on HIPAA policies, or even to share the results and plan from your healthcare security risk analysis.

Learn how to reduce healthcare cybersecurity risk with MedTrainer.