The Datamax Thinking Blog


The Elephant in the (Waiting) Room: Why Your Healthcare Facility Needs a Security Risk Analysis Now



For many health organizations, the elephant in the waiting room is still seated there, anxiously anticipating when it might be acknowledged or tended to.

That elephant is the Security Risk Analysis (SRA). Originally mandated by HIPAA and subsequently further enforced by government programs such as Meaningful Use and now the Medicare Access and CHIP Reauthorization Act (MACRA), the SRA is a vital component to both healthcare facilities’ ultimate livelihood and the confidential information of their clients.

Whether they are complying with HIPAA or attesting to the Merit-based Incentive Payment System (MIPS) under MACRA for positive incentives, healthcare professionals cannot avoid (and certainly cannot AFFORD to avoid) the Security Risk Analysis. After all, premium patient care absolutely depends upon the secure exchange of patient data by healthcare facilities.

A data breach and the resulting exposure of private information can carry legal and financial consequences, and given changes under the current MIPS program, practices can also have their reputations damaged publicly through a new online scoring website.

Ray Koons, Medicare Quality Payment Program Consultant for Datamax Texas, says that an SRA is a requirement medical facilities should never consider avoiding.

“So often, this is overlooked,” Koons said. “First of all, HIPAA required it long before MIPS did. The really important point I would make is, if you don’t get that security audit, and you get hacked, the penalties far exceed any penalties or negative incentives you’ll get through MIPS…. It might put you out of business.”

A Certified HIPAA Professional can help you comply with personal data privacy standards and security requirements, as well as implement security updates as necessary while identifying deficiencies.

A thorough risk analysis for HIPAA compliance includes:

  • Data collection on document workflow
  • Identification of potential risks and threats
  • Assessment of current security measures
  • Determination of the likelihood of security threats
  • Determination of the level of risk
  • Final documentation of risk assessment

Konica Minolta’s All Covered IT Services division outlines a list of potential management services covered under a thorough analysis, which include:

Vulnerability Assessment

Analyze your document workflow to pinpoint possible internal and external security weaknesses.

Data Protection

Careful examination of your physical and virtual server systems, PCs and laptops ensures that patient healthcare data is protected as it flows through your facility.

Message Protection

Provide email antivirus protection, spam filtering, encryption and more – including email tracking, archiving and maintenance of required email continuity.

Endpoint Protection

You’ll have antivirus protection, anti-malware, DNS filtering, web content filtering and other security services to safeguard your stored health data.

Cloud Hosting Services

Cloud services include enterprise-class, Windows-based servers, offsite data storage, and cloud backup and disaster recovery services so medical facilities maintain access to data in the event of a power outage.

Help Desk Support

Provide live support via telephone or remote access from staff based in the United States. If remote remediation is not possible, dispatch of field staff on-site will be provided on request.

Project Services

All Covered project services include consulting, design, implementation and training for healthcare security projects such as network integration and security initiatives, office and data center moves, and hardware or software upgrades.

Technology Planning

To keep you ahead of fast-changing demands, technology planning helps you schedule timely migration to innovative technologies that save time and money while enhancing the security of healthcare information.

Get With the (MIPS) Program. Your Reputation is at Stake.

Healthcare providers that accept Medicare are likely aware of the acronyms MACRA and MIPS. Essentially, MACRA rewards physicians for providing higher quality care at lower costs and improving health outcomes for patients, while penalizing those who fail to do so. One pathway to higher reimbursement is MIPS.

Among the four categories of the MIPS program, the SRA falls under the “Promoting Interoperability” (PI) component. Without completing an SRA, medical facilities cannot score a single point under PI.

What could that mean? It could mean a reputation hit. New in 2018, Koons says, is the public posting of facilities’ scores (via star rating) on a public website. Koons sees this new public scoring system as a way of forcing providers into getting with the program (literally).

“Let’s say all the sudden I’ve found out that I have something wrong with my heart. I just might be wise enough to go to that website to see what kind of quality the providers have,” Koons said. “Personally, I wouldn’t choose a provider to treat my heart condition that doesn’t care about getting with the program and has a zero ranking.”

When all is said and done, the government programs and their positive/negative incentives both have impacts. But these pale in comparison to the impact of data exposure and the legal/financial consequences.

“The fines can simply be catastrophic,” Koons said.

Are you ready to learn about potential vulnerabilities your facility might face? Get in touch with a Datamax Certified HIPAA Professional today to learn more.
