Security Risk Assessment (SRA) Essential To Reducing Healthcare Cybersecurity Risk

Brian Williams, MHA, MBA
security icons with keyboard

Today’s climate of healthcare cybersecurity risks has many organizations feeling vulnerable and ill-prepared to address the daily threats and ongoing compliance requirements. In November 2024, the Department of Health and Human Services settled two investigations into HIPAA violations following ransomware attacks on providers. An Oklahoma-based ambulance company had to pay a $90,000 fine for failing to conduct a Security Risk Analysis (SRA).

The U.S. Office for Civil Rights (OCR) notes that many — if not most — healthcare organizations struggle to effectively manage cybersecurity. In fact,  the Oklahoma company isn’t alone in failing to conduct an accurate and thorough risk assessment and analysis. The OCR says it is one of the most frequent violations of the HIPAA Security Rule (based on fines and resolution agreements). 

It’s not just HIPAA that organizations need to maintain compliance with. Stricter data protection measures are being implemented through state consumer privacy laws in state after state, increasing the compliance burden and making it difficult for compliance professionals to know what is required. 

image-cta-privacy-checklist

Use this checklist to ensure your organization is meeting all healthcare data privacy laws.

There is no single method or best practice that guarantees compliance with the HIPAA Security Rule. But, a Security Risk Assessment (SRA) should be the first step in every organization’s Security Rule compliance efforts. 

What Is a Security Risk Assessment (SRA)?

A Security Risk Assessment (SRA) is required for covered entities and business associates as part of compliance with the HIPAA Security Rule. Plus, all providers who want to receive electronic health record (EHR) incentive payments must conduct a risk analysis. The assessment must accurately and thoroughly evaluate the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization. The assessment will reveal:

  • The organization’s compliance with HIPAA safeguards
  • Areas where the organization could be at risk
  • Improvements that are needed to enhance cybersecurity and staff awareness 

Tips for Conducting a Security Risk Assessment

The first time you conduct a Security Risk Assessment (SRA), it may seem a little difficult to answer each question with 100% confidence — but that’s alright. Getting through the process for the first time is a great starting point. The SRA provides the framework for understanding Vulnerabilities, Threats, and Risks applicable to your organization. The intent of the SRA is to perform an analysis on an annual basis or anytime there is an incident or new threat discovered.

The SRA begins with answering basic questions about your organization and ensuring that you have identified all of the equipment that is capable of receiving, storing, and transmitting ePHI. 

Why is this important? Computers, servers, fax machines, copiers, and many types of medical equipment can store PHI.  

TIP 1: Keep an inventory of all electronic equipment and maintain a system to identify and manage all electronic equipment from the point of entry, how it is secured, assigned, and ultimately disposed

TIP 2: If personal smart phones and tablets are used by providers or staff, make sure to have clear policies on accessing, storing, and sharing PHI.

TIP 3: A trusted service that has actual or potential access to PHI should always have a written Business Associate Agreement (BAA) and transparency regarding how the business associate (BA) will protect PHI. Proper staff training at both organizations will help to create awareness and accountability.

TIP 4: BAs should be ready and willing to verify that staff have been properly trained and that access to systems and equipment are monitored to ensure patient information is used for the intended purpose. BAs are directly liable for breaches.   

TIP 5: Choose an all-in-one compliance platform with the SRA included. Completing the SRA electronically, alongside all policies and educational content will smooth the process.

The security risk assessment must take into consideration how PHI is received, stored, and transmitted. An SRA with a score indicating high-risks and vulnerabilities should be taken very seriously. While it’s common for healthcare organizations to have “trusted vendors” that provide equipment or IT services, the SRA may reveal inadequate computer systems, questionable user activity, unconfirmed identities, or unsecure connections between the IT infrastructure and devices.

What Else Is Needed To Comply With the HIPAA Security Rule and Reduce Healthcare Cybersecurity Risk?

There isn’t a one-size-fits-all solution to healthcare cybersecurity risk due to the complexity of HIPAA compliance and the overwhelming need for improving cybersecurity preparedness. There are distinct advantages to sharing patient information, but it means everyone in the healthcare organization plays a role, including compliance teams. Below, find three key compliance activities that help protect patient information.

1. Develop reasonable and appropriate security policies.

To reduce healthcare cybersecurity risk, healthcare organizations should have comprehensive policies for employees to follow and the policies should be easily accessible. Specifically related to HIPAA, organizations should have a policy manual that includes the following:

  • Patient Request for Electronic Health Records
  • Authorization for Disclosure of Health Information (Mental Health, SUDs, HIV/AIDS Related Information as allowed by law)
  • Revocation of Restriction of Use and Disclosure of Protected Health Information
  • Request for Correction or Amendment of Protected Health Information
  • Request for Restrictions of Use and Disclosure of Protected Health Information
  • Personal Representative Request
  • Certificate of Destruction
  • Privacy and Security Audit (Addressable & Required Protections)

2. Consistently review and modify security measures.

It’s important to share and elicit feedback from appropriate stakeholders on both your Security Risk Assessment results and on policies and other potential risks. In fact, a March 2023 update to the Health Sector Cybersecurity Framework Implementation Guide suggests a broader, more collaborative approach to risk analysis that will enhance the ability to effectively identify and manage organizational risk, safeguard patient privacy, and protect business value. Staff can provide excellent perspectives regarding cybersecurity risk at the point of care and by including a wide range of employees in your risk assessments, you can more easily identify healthcare cybersecurity risks. For example, employees can point out on computer screens where protected health information (PHI) can be seen by patients. It’s a simple fix to add a privacy screen, but you can’t fix what you don’t know about.

3. Provide employee training on cybersecurity and the HIPAA Security Rule.

The HIPAA Security Rule requires covered entities to maintain reasonable and appropriate administrative, technical, and physical safeguards for shielding electronic protected health information (ePHI). This includes ensuring compliance by their workforce. There is no single standardized program that could appropriately train employees of all entities; however, employees must be trained on HIPAA as it applies to their role, responsibilities, and access to PHI. The Department of Health and Human Services (HHS) states that best practice for the frequency of training is annually and every other year is acceptable. But beyond that is an indication of non-compliance and will be taken into consideration if there is a breech and fines are imposed.

Using an online learning management system, healthcare organizations can greatly simplify training assignment, completion, and reporting. When choosing a compliance learning provider, ensure the courses will meet established standards and that there are a variety of training options. MedTrainer offers 30+ courses on HIPAA, including a four-course microlearning series (each course is 10 minutes) specifically related to the Security Rule:

  • The HIPAA Security Rule
  • Cybersecurity & HIPAA: Electronics and Cloud-Based Systems
  • HIPAA Compliance & Cybersecurity: Protecting PHI
  • Cybersecurity & HIPAA: Ransomware, Phishing, and Cyberattacks

Reducing Healthcare Cybersecurity Risk

Healthcare organizations are targeted by cyberattacks because of the volume and value of the information they possess. The compliance team plays a key role in mitigating the risk with planning and training. Use the updates to the Health Sector Cybersecurity Framework Implementation Guide as an opportunity to review your processes, complete an SRA, and ensure HIPAA-related training is up-to-date for all providers.

Need help with your Security Risk Assessment? MedTrainer offers the SRA Tool right within its all-in-one compliance platform, along with a 15-minute tutorial, which provides a risk score and suggestions for improvement after answering the questions. Learn more.