"You Ask. We Answer." Blog

Why Does My Healthcare Organization Need a Security Risk Analysis?


The Security Risk Analysis is a process that healthcare organizations often avoid, just as their patients avoid their own medical check-ups and procedures.

A Security Risk Analysis (SRA) is a thorough assessment of the potential risks and vulnerabilities associated with the electronic protected health information (ePHI) your organization creates, receives, maintains and transmits. ePHI is critical to your business and vital to the care of your patients. The SRA isn't just a mandatory task. It's a smart business practice. It's a necessary annual check-up.

To some, an SRA may seem overwhelming. To smaller facilities, it may seem unnecessary. But for any healthcare organization serious about protecting confidential patient information, it's the best medicine for initiating and maintaining long-term HIPAA compliance and security.

5 Reasons Your Healthcare Organization Needs a Security Risk Analysis:

1. It’s not optional.

All providers who are “covered entities” under HIPAA are required to perform a risk analysis … even small facilities. In addition, all providers who want to receive EHR incentive payments must conduct a risk analysis.

2. It's invaluable in protecting against breaches.

Identifying security weaknesses within a healthcare organization is the core purpose of the government's SRA requirement.

A thorough risk analysis, from a reputable IT partner, includes:

  • Data collection on document workflow
  • Identification of potential risks and threats
  • Assessment of current security measures
  • Determination of the likelihood of security threats
  • Determination of the level of risk
  • Final documentation of risk assessment

2019 has produced a distressing number of data breaches: according to Health IT Security, more than 31 million patient records were breached in the first half of 2019 alone, with hacking causing the majority of security incidents and exposing the most patient records.

That is already twice the number of records breached in all of 2018, when the full-year total was 15 million.

3. It’s a crucial first step in a long-term cybersecurity plan.

An SRA will uncover your current security weaknesses. But ongoing HIPAA compliance and security is a continuous process, not a one-time event.

By partnering with a Certified HIPAA Professional to perform an SRA, your organization can leverage tools to view its assets and current risk levels, as well as strategically detect ongoing vulnerabilities through everyday processes. A Managed Compliance Services program helps facilitate ongoing compliance and security.

In other words, HIPAA security becomes a methodical process, not a mammoth undertaking.

4. It could affect your reputation.

Though initially mandated by HIPAA, the SRA is further enforced through government programs such as the Medicare Access and CHIP Reauthorization Act (MACRA).

Essentially, MACRA rewards physicians for providing higher quality care at lower costs and improving health outcomes for patients, while penalizing those who fail to do so. One pathway to higher reimbursement is the Merit-based Incentive Payment System (MIPS).

Among the four categories of the MIPS program, the SRA falls under the "Promoting Interoperability" (PI) component. Without completing an SRA, medical facilities cannot score a single point under PI.

What could that mean? It could mean a reputation hit. Facilities' scores are publicly posted, as a star rating, on the Medicare website Physician Compare.

For a patient who needs serious treatment and is actively searching for a physician, such scores can positively or negatively shape a facility's reputation for quality.

5. It could cost you a boatload of money.

Forget IT security costs or the penalties associated with non-compliance. The cost of a breach alone could put you out of business.

According to the Ponemon Institute's 2019 Cost of a Data Breach report, for the ninth year in a row, healthcare organizations had the highest costs associated with data breaches at $6.45 million – over 60 percent more than the global average of all industries.

In truth, the SRA is an important step — but it's only the initial one. Are you ready to begin your HIPAA Compliance journey on the right path, starting with that SRA? The journey starts here, with Managed Compliance Services. Our FREE eBook poses eight crucial questions to help your healthcare organization assess your current strategies and challenges, and determine crucial next steps toward long-term security and compliance.

About Sherry Lee

Sherry Lee serves as a Solutions Consultant for Datamax Arkansas. Sherry works closely with account representatives in evaluating workflow challenges and technology initiatives in our clients’ offices. Sherry is a Certified HIPAA Professional (CHP).