
HIPAA Security Risk Analysis: This Holiday, Sleigh Your Digital Security Risk

  • Writer: Sam Khan

Overview


As healthcare organizations prepare for the holiday season, cybercriminals are ramping up. The FBI and CISA have repeatedly warned that cyberattacks surge during holidays and weekends, when staffing is reduced and defenses are weakest.[1] A recent study found that 86% of healthcare organizations that experienced ransomware attacks in the past year were targeted during weekends or holidays,[2] yet 73% of surveyed healthcare organizations still reduced their security operations center staffing by 50% or more during these high-risk periods.[3] With Thanksgiving behind us and the year-end holidays approaching, now is the time to take stock of your organization's security posture. It is a good time of year to conduct the HIPAA Security Risk Analysis (SRA), whether as a routine update or, if you have never done one, for the first time. Remember, it's better late than never.


You have probably heard this before, but it is still worth repeating: an SRA is not a check-the-box exercise. It is a comprehensive evaluation of how your organization protects, or does not protect, electronic protected health information (ePHI). The U.S. Department of Health and Human Services, Office for Civil Rights (OCR) requires covered entities and business associates to regularly review administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of ePHI. The SRA is the foundational element of Security Rule compliance. It is the "first step," according to OCR, and is essential for any HIPAA compliance program.


OCR investigations and enforcement actions highlight the importance of conducting an SRA. OCR commonly requests a copy of an organization's SRA following reported breaches of unsecured PHI or alleged Security Rule violations. Failure to properly conduct an SRA is a frequently identified deficiency. A 2016-2017 OCR compliance audit concluded that only 14% of covered entities were substantially fulfilling their regulatory responsibilities to safeguard ePHI through risk analysis activities. In late 2024, OCR launched its Risk Analysis Initiative specifically to address this pervasive gap, and by mid-2025, the initiative had already resulted in nearly $900,000 in combined settlement payments from eight healthcare organizations.[4]


This article outlines a practical approach to conducting an SRA that aligns with regulatory standards, OCR guidance, and industry best practices.


Why Conduct a HIPAA Security Risk Assessment?


Before we dive in, let’s briefly talk about why organizations should conduct an SRA. Beyond satisfying HIPAA's Security Rule requirement, conducting a thorough SRA serves various compliance and business objectives. Key reasons include:


  • Regulatory compliance and audit readiness: HIPAA requires covered entities and business associates to evaluate risks and implement appropriate safeguards. Conducting an SRA ensures the organization is prepared for OCR audits and can avoid hefty penalties.

  • Scalability: A robust compliance function lets the organization grow without outgrowing its controls. That is the argument that earns executive buy-in.

  • Enhanced trust and business opportunities: Demonstrating a strong security posture and compliance can enhance customer trust and expand opportunities with partners and vendors who require proof of an SRA as part of due diligence. In mergers and acquisitions, a competent buyer's due diligence review of a HIPAA-subject target typically includes evaluating whether the target has conducted a compliant SRA. This also applies to IPOs and successful exits. Basically, SRA compliance increases the monetary value of your business. For executives, that is music to their ears.

  • Proactive risk mitigation: By identifying vulnerabilities and threats, SRAs allow organizations to address issues before they result in breaches, protecting patient data and maintaining operational continuity.

  • Financial and reputational protection: Healthcare breaches reportedly cost an average of $10.1 million per incident in 2024, the highest among industries. Without sufficient insurance coverage, the cost of a HIPAA breach could potentially close a small medical practice.


For more reasons to ensure the privacy and protection of ePHI, check out this article: “Cybersecurity Resilience in an Increasingly Digitalized Healthcare Landscape: The Best Defense is a Good Offense.”


Methodology


The HIPAA SRA should be grounded in recognized baselines and sources. Controls should map directly to the HIPAA Security Rule (45 CFR §164.308, §164.310, §164.312, and §164.316) and may be supplemented with HHS 405(d) recommendations and Office of Inspector General (OIG) audit guidance.


The HIPAA standard is "reasonable and appropriate" given the size and complexity of the organization. Early-stage organizations receive partial credit if safeguards are reasonable and working, with plans to close gaps. Rapid scaling must be matched by scaling compliance to prevent erosion of reasonableness. In other words, as organizations grow, security controls and compliance processes must evolve proportionally.


An “accurate and thorough” assessment generally consists of two categories (data security and physical security) that, by design, sufficiently capture all requirements of the Security Rule:


  • Data Security Program: Evaluates technical and administrative safeguards, such as access controls, encryption, endpoint protection, incident response procedures, and security policies.

  • Physical Security Program: Examines physical site/server controls, as well as remote-work practices, including facility access, workstation security, and work-from-home procedures.


Understand the Regulatory Framework


  • Review the HIPAA Security Rule and any recent updates, such as proposed rules on AI and data security, including the 2025 proposed security rule changes briefly discussed below. The AI-related proposed updates are outlined in Navigating AI Liability in Healthcare: Key Considerations for Health System Leaders.

  • Identify how the HITECH Act and state laws intersect with HIPAA requirements.

  • Assign responsibility for the SRA to a designated person or team. While risk management is predominantly the responsibility of management-level staff, the outcomes and decisions following the assessment affect the entire organization.

  • Emphasize that the HIPAA Security Rule's purpose is to safeguard the confidentiality, integrity, and availability of ePHI against reasonably anticipated threats, hazards, and impermissible uses or disclosures.

  • Note that the Security Rule "does not prescribe a specific risk analysis methodology, recognizing that the methods will vary depending on the organization." Organizations can implement any security measures that reasonably and appropriately meet the standards, considering the organization's size, complexity, and capabilities.


2025 Proposed Security Rule Changes


On January 6, 2025, OCR published a Notice of Proposed Rulemaking proposing significant updates to the HIPAA Security Rule, the first major update in over a decade. While the final rule is projected for May 2026, organizations should be aware of potential changes:


  • Elimination of "addressable" standards: All implementation specifications would become required, removing the distinction that some entities misinterpret as optional.

  • Annual compliance audits: Regulated entities would be required to perform and document compliance audits at least annually.

  • Technology asset inventory and network map: Organizations would be required to create and annually revise an accurate written inventory of all technology assets affecting ePHI.

  • Mandatory encryption: ePHI encryption requirements would be expanded significantly.

  • Vulnerability scans and penetration tests: Vulnerability scans would be required every six months, and annual penetration tests would be mandatory.

  • Business associate notification requirements: Business associates would be required to notify covered entities within 24 hours of contingency plan activation or changes to workforce member ePHI access.


Plan and Scope the Assessment


Define scope and objectives:


  • Identify each legal entity of the organization that is a HIPAA Covered Entity (CE) or Business Associate (BA). These entities will be in the scope of the SRA. The SRA process does not materially differ between a CE and a BA.

  • Define the scope: list all systems, applications, and vendors that store or transmit ePHI, including telehealth platforms, electronic health records, scheduling and billing systems, patient portals, analytics environments, backups and disaster recovery platforms, clinician devices, and connected medical devices. Without knowing where your ePHI is held and the security measures in place to protect that information, compliance is virtually impossible.

  • Ensure the scope covers all legal entities and third-party vendors with ePHI access. Consider your entity structure, business model, and strategic initiatives when tailoring the scope. An SRA for two or more related CEs or BAs may be combined into a single SRA if they share common IT assets, processes, policies, procedures, and infrastructure.

  • Clarify the SRA objectives: perform an accurate, thorough assessment of risks and vulnerabilities to ePHI; document the scope, threats, vulnerabilities, likelihood, impact, and resulting risk levels; develop prioritized corrective action plans with assigned owners and timelines; and deliver a final report.

  • Explain that the SRA will adhere to OCR guidance and serve as the basis for a risk management plan; it must be accurate, thorough, and "reasonable and appropriate" given the organization's size and complexity.

  • Position the organization for counterparty due diligence with clear CFR mapping and evidence.

  • Identify core participants, including the legal team (with the privacy officer), the security officer or CISO, IT and technical teams, product leadership, clinical operations, and HR (for training and attestations). Involving legal and/or compliance is crucial not only for their expertise but also for the benefit of attorney-client privilege as applicable.


Consider engaging third-party vendors to assist in conducting an SRA if internal resources lack sufficient familiarity with the process. When engaging a vendor, ensure they understand the SRA process described in the OCR Guidance and that their deliverables align with accepted guidelines. Leverage internal or external counsel to vet the vendor's processes before engagement. Note that platforms such as Compliancy Group Guard or the free OCR/ONC SRA Tool can be used to execute the SRA and manage evidence, questionnaires, and assessments.


Evidence Expectations


Collect comprehensive evidence to support the assessment, including:


  • Written policies and procedures (e.g., security policies and incident response plans).

  • Technical proof (e.g., logs, configurations, EDR/AV status, MFA evidence, and encryption settings).

  • Vendor documentation (e.g., business associate agreements, SOC 2 or ISO reports, and Standardized Information Gathering (SIG) questionnaires). Pay particular attention to third-party vendors. Your security posture is only as strong as the weakest link. Over 80% of recently stolen protected health information records were taken from third-party vendors, software services, business associates, and nonhospital providers, not hospitals.[5] Also, for more on this, check out the article titled "Third-Party Cybersecurity and Privacy Risk Management in an Increasingly Interconnected and Digital Healthcare Ecosystem: You Are Only as Strong as Your Weakest Link." Compile a list of all business associates and confirm which ones are covered by executed business associate agreements.

  • Remediation decisions and tasks linked to specific controls.

  • Documentation of actions taken when anomalies are detected.


Inventory Assets and Data Flows


The goal is to determine how much PHI there is, what type it is, where it rests within the organization, which systems handle it, and who has access.


  • Catalogue all hardware, software, and cloud services that handle ePHI. Generate a comprehensive list of asset categories regardless of the particular medium.

  • Map data flows to understand how information moves within your network and to third parties. Create PHI diagrams showing how PHI enters the network, the systems it touches as it flows through the network, and any points at which it may leave the network.

  • Collect detailed asset information (e.g., systems, applications, and data stores that create, receive, maintain, or transmit ePHI) and map data flows across systems and vendors. Assets include mobile devices, laptops/computers, routers, servers, software, hardware, operating systems, databases, clinical equipment, physical storage, and removable devices.


The 18 PHI Identifiers


HIPAA defines 18 specific identifiers that, when linked to health data, make it PHI. Make sure your team knows what these are. It may be helpful to share this information before going through the risk scoring process, as explained below. Remember, even one of these identifiers, when combined with health information, is considered PHI and must be protected:


1.  Name

2.  Geographic subdivisions smaller than a state (street address, city, ZIP code)

3.  All elements of dates (except year) directly related to an individual

4.  Telephone numbers

5.  Fax numbers

6.  Email addresses

7.  Social Security numbers

8.  Medical record numbers

9.  Health plan beneficiary numbers

10.  Account numbers

11.  Certificate/license numbers

12.  Vehicle identifiers and serial numbers (including license plate numbers)

13.  Device identifiers and serial numbers

14.  Web URLs

15.  IP addresses

16.  Biometric identifiers (fingerprints, voiceprints)

17.  Full-face photographs and comparable images

18.  Any other unique identifying number, characteristic, or code
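The list above is most useful during the asset and data-flow inventory when you need to confirm which systems actually hold identifiers, so here is an added example (not part of the original article) that scans free-text records for the identifiers that have a recognizable pattern. The sample records, the `MRN-` number format, and the decision to skip ZIP codes are constructed assumptions; names, biometrics, photographs, and geographic subdivisions have no reliable regular expression and need schema review or NLP-based discovery instead.

```python
"""Pattern-based scan for HIPAA identifiers in free-text records.

Added example, not the article's own tool. Covers only identifiers that
have a stable textual shape (SSN, phone, fax-style numbers, email, dates,
URLs, IPv4 addresses, and an assumed medical record number format).
"""
import re

# Identifier categories from the article's list of 18, limited to those with
# a recognizable pattern. The MRN format "MRN-<6+ digits>" is an assumption;
# real organizations must substitute their own record-number scheme.
IDENTIFIER_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    # Covers telephone and fax numbers in (NNN) NNN-NNNN or NNN-NNN-NNNN form.
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.])\d{3}[-.]\d{4}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # Full dates (month/day/year); a bare year is not an identifier under HIPAA.
    "date": re.compile(r"\b(?:0?[1-9]|1[0-2])/(?:0?[1-9]|[12]\d|3[01])/\d{4}\b"),
    "url": re.compile(r"\bhttps?://[^\s,;]+"),
    "ip_address": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mrn": re.compile(r"\bMRN-\d{6,}\b"),  # assumed organization-specific format
}


def scan_record(text: str) -> dict[str, list[str]]:
    """Return every identifier category found in one record and its matches.

    Categories may overlap (an IP address inside a URL is reported under
    both), which is intentional: each hit is a separate reason the record
    must be treated as PHI when combined with health information.
    """
    hits: dict[str, list[str]] = {}
    for category, pattern in IDENTIFIER_PATTERNS.items():
        found = pattern.findall(text)
        if found:
            hits[category] = found
    return hits


def classify_records(records: list[str]) -> list[list[str]]:
    """For each record, list the identifier categories present (sorted).

    An empty list means no pattern-detectable identifier was found; it does
    NOT prove the record is de-identified, because names and other
    free-form identifiers are out of scope for a regex scan.
    """
    return [sorted(scan_record(r)) for r in records]


# Constructed sample records for demonstration only; every value is fake.
SAMPLE_RECORDS = [
    "Patient: Jane Doe, DOB 03/14/1962, SSN 123-45-6789, phone (555) 010-2233, "
    "email jane.doe@example.com, MRN-00417823, last login from 10.0.0.5, "
    "chart at https://portal.example.test/patients/00417823",
    "Appointment reminder sent to 555-010-4455 re: visit on 12/02/2025",
    "Aggregate report: 42 patients seen, average wait 17 minutes",
]

if __name__ == "__main__":
    for record, categories in zip(SAMPLE_RECORDS, classify_records(SAMPLE_RECORDS)):
        label = ", ".join(categories) if categories else "no pattern-detectable identifiers"
        print(f"{label}: {record[:60]}...")
```

Run the scan over exports or log samples from each system in the inventory; any system whose records return a non-empty category list belongs in the SRA scope even if its owners did not think of it as a clinical system. The third sample record, which contains only aggregate counts, is the kind of output that returns nothing and still warrants a manual check for names.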


Risk Scoring Methodology


Risk scoring methodologies multiply the likelihood of a threat by its impact to prioritize mitigation. Organizations use this formula to classify risks as high, medium, or low and to allocate resources accordingly. It is prudent to define likelihood levels (e.g., unlikely, possible, and likely) based on threat intelligence and control strength. Threat levels are the driving factor in prioritizing and determining compliance mitigation needs.


Likelihood of Threat Occurrence

  • Rare: Almost never (exceptional) – 0-5%

  • Unlikely: Low probability – 6-25%

  • Possible: Moderate chance – 26-50%

  • Likely: High probability – 51-90%

  • Almost Certain: Almost definitely will happen – 90-100%


Impact Dimensions

Define impact categories across four dimensions with calibrated thresholds (e.g., what is "catastrophic" for your organization):


  • Clinical Impact: Assess how risks affect patient outcomes and safety.

  • Operational Impact: Evaluate the implications for organizational processes and efficiency.

  • Reputational Impact: Understand how risks may influence public perception and trust.

  • Financial Impact: Analyze the potential financial consequences of risks on the organization. One effective tool is a financial risk matrix that maps the likelihood of a threat to its potential financial impact. Establish impact categories (e.g., minimal, moderate, and major) with estimated dollar ranges tied to service disruptions, breach notification costs, and reputational damage.


Example (the original article shows the risk matrix as an image, which is not reproduced here).

The key is to develop a scoring system that your leadership team understands and supports. This buy-in ensures that remediation resources are allocated proportionally to the business risk and that security investments are viewed as strategic rather than purely compliance-driven.


A robust HIPAA SRA should translate technical findings into business language that resonates with executive leadership. This involves:


  • Multiplying likelihood and impact scores to assign a risk rating that drives remediation priorities and investment decisions.

  • Presenting the matrix to stakeholders such as finance, operations, and the board to agree on thresholds for acceptable and unacceptable risk.

  • Documenting leadership approval of the matrix and updating it annually to reflect changes in costs, threat trends, and business objectives.
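To make the likelihood-times-impact method concrete, here is an added worked example (not the article's own tool) that scores a small set of findings and produces a prioritized risk register. The five likelihood tiers and their percentage bands are taken from the article; the 1-5 ordinal scores, the financial dollar ranges, the High/Medium/Low thresholds, the rule that the worst impact dimension governs, and the three sample findings are all constructed assumptions that your leadership team would calibrate and approve as the article recommends.

```python
"""Likelihood x impact risk scoring for a HIPAA SRA risk register.

Added example, not the article's own methodology document. Numeric scales
and thresholds below are assumptions for illustration.
"""
from dataclasses import dataclass

# Likelihood tiers from the article, mapped to an assumed ordinal score 1-5.
LIKELIHOOD_SCORE = {
    "rare": 1,            # 0-5%
    "unlikely": 2,        # 6-25%
    "possible": 3,        # 26-50%
    "likely": 4,          # 51-90%
    "almost certain": 5,  # 90-100%
}

# Financial impact tiers: (upper bound in USD, tier name, ordinal score).
# Dollar ranges are constructed; tie yours to breach-notification costs,
# downtime estimates, and insurance deductibles.
FINANCIAL_TIERS = [
    (50_000, "minimal", 1),
    (500_000, "moderate", 3),
    (float("inf"), "major", 5),
]


def likelihood_from_probability(pct: float) -> str:
    """Map an estimated annual probability (percent) to the article's tier.

    The article's bands overlap at 90%; this helper treats exactly 90% as
    'likely' and anything above as 'almost certain' (an assumption).
    """
    if not 0 <= pct <= 100:
        raise ValueError("probability must be a percentage between 0 and 100")
    if pct <= 5:
        return "rare"
    if pct <= 25:
        return "unlikely"
    if pct <= 50:
        return "possible"
    if pct <= 90:
        return "likely"
    return "almost certain"


def financial_tier(estimated_loss_usd: float) -> tuple[str, int]:
    """Return the (tier name, ordinal score) for an estimated dollar loss."""
    if estimated_loss_usd < 0:
        raise ValueError("loss estimate cannot be negative")
    for ceiling, name, score in FINANCIAL_TIERS:
        if estimated_loss_usd < ceiling:
            return name, score
    return FINANCIAL_TIERS[-1][1], FINANCIAL_TIERS[-1][2]


def rate_risk(score: int) -> str:
    """Classify a 1-25 risk score. Thresholds are assumed; leadership sets them."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Finding:
    control: str              # Security Rule citation the finding maps to
    description: str
    likelihood: str           # a LIKELIHOOD_SCORE key
    clinical: int             # 1-5 ordinal impact (assumed scale)
    operational: int
    reputational: int
    estimated_loss_usd: float # feeds the financial tier


def score_finding(f: Finding) -> dict:
    """Score one finding: likelihood x impact, where impact is the worst dimension."""
    for value in (f.clinical, f.operational, f.reputational):
        if not 1 <= value <= 5:
            raise ValueError("impact scores must be 1-5")
    fin_name, fin_score = financial_tier(f.estimated_loss_usd)
    impact = max(f.clinical, f.operational, f.reputational, fin_score)
    likelihood = LIKELIHOOD_SCORE[f.likelihood]
    risk = likelihood * impact
    return {
        "control": f.control,
        "description": f.description,
        "likelihood": likelihood,
        "impact": impact,
        "financial_tier": fin_name,
        "risk_score": risk,
        "rating": rate_risk(risk),
    }


def build_register(findings: list[Finding]) -> list[dict]:
    """Return the scored findings ordered highest risk first (the remediation order)."""
    return sorted((score_finding(f) for f in findings), key=lambda r: r["risk_score"], reverse=True)


# Constructed sample findings; the citations are real Security Rule sections.
SAMPLE_FINDINGS = [
    Finding("45 CFR §164.312(a)(2)(iv)", "Clinician laptops carry ePHI without full-disk encryption",
            "likely", clinical=2, operational=3, reputational=4, estimated_loss_usd=750_000),
    Finding("45 CFR §164.308(b)(1)", "Billing SaaS vendor handles ePHI with no executed BAA",
            "possible", clinical=1, operational=2, reputational=3, estimated_loss_usd=200_000),
    Finding("45 CFR §164.310(a)(1)", "Visitor log for the records room is not consistently kept",
            "rare", clinical=1, operational=2, reputational=2, estimated_loss_usd=10_000),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_FINDINGS):
        print(f"{row['rating']:6} {row['risk_score']:>2}  {row['control']:<28} {row['description']}")
```

Using the worst impact dimension rather than an average keeps a finding with catastrophic clinical impact from being diluted by low scores elsewhere; if your leadership prefers a weighted average, change only `score_finding` and record that decision with the annual approval of the matrix.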


Phased Assessment Process


Structure the SRA across several phases:

 

  • Kickoff and scoping: Establish roles and responsibilities (RACI), confirm privilege under counsel, inventory systems, and define assessment scope. Hold a kickoff meeting to align on scope and expectations, establish a secure evidence repository, gather resources (including relevant policies, network diagrams, and vendor contracts), and send stakeholder questionnaires.

  • Data collection and control evaluation: Begin gathering evidence such as policies, logs, and contracts, and enter this information into your chosen SRA tool or platform. Map controls to HIPAA requirements, interview stakeholders, and assess current control status (e.g., started, in progress, or satisfied). Schedule a midpoint update to discuss preliminary findings and adjust priorities as needed.

  • Risk scoring and prioritization: Assign likelihood and impact scores to identified threats and vulnerabilities; calculate risk levels and prioritize remediation based on criticality.

  • Reporting and readout: Prepare a privileged risk register and final report; present findings to executives and legal counsel; schedule follow-up assessments.

  • Remediation planning: Develop a 6–12-month remediation plan to move controls from, for example, "started" to "in progress" to "satisfied."


Ongoing Communication

  • Hold weekly working sessions with core participants to review progress, share updates, and align on next steps.

  • Provide weekly updates and maintain continuous alignment with the Office of the General Counsel throughout the assessment.

  • Transition remediation tracking to operations and maintain regular working sessions to ensure progress and alignment.


Sample Timeline

  • Week 1 – Kickoff and Scope: Initiate the risk assessment program, establish RACI, and begin system inventory.

  • Week 2 – Detailed Inventory: Collect asset information, compile business associates list, and map ePHI data flows.

  • Weeks 3-4 – Assessment: Complete assessment of data security and physical security programs and identify threats and vulnerabilities.

  • Week 5 – Remediation Planning: Develop corrective action plans and begin implementing quick wins.

  • Week 6 – Reporting: Finalize risk register, prepare privileged report, hold executive readout.


Deliverables


A well-documented SRA produces a variety of deliverables that serve both internal stakeholders and external partners. You will need to determine which ones make the most sense and the order in which to produce them based on your organizational needs.


Internal Deliverables

  • A detailed risk register documenting threats, vulnerabilities, likelihood, and impact scores, and prioritized remediation tasks.

  • Control-by-control assessment results across administrative, technical, and physical safeguards mapped to HIPAA requirements, including the number of controls evaluated and their compliance status (e.g., started, in progress, satisfied).

  • A privileged risk register and analysis summarizing all identified risks, their scores, and supporting evidence.

  • A privileged corrective action plan outlining remediation tasks, responsible owners, and timelines (typically, 6-12 months) to move controls from “started” to “satisfied.”

  • An operational implementation package to guide teams in executing remediation tasks and updating controls.

  • A final privileged SRA report for internal stakeholders summarizing methodology, findings, risk register, and remediation plan.

  • Executive readout and presentation materials summarizing key findings, risk levels, and recommended investments for senior leadership and the board.

  • And of course, the fun part, actually doing the remediation (e.g., updating policies, procedures, and training materials to address identified gaps).


External Deliverables

  • Attestations or summary reports confirming that an annual HIPAA SRA has been completed, for sharing with customers, partners, and vendors during due diligence.

  • Proof-of-compliance letters or compliance statements tailored to satisfy contractual requirements when working with payers, suppliers, or technology partners.


These deliverables highlight the SRA's dual role: meeting legal obligations and achieving business objectives like assuring third parties of the organization's security risk management.


'Tis the Season for Security


By following a structured approach, healthcare organizations can conduct a HIPAA Security Risk Assessment that not only meets regulatory expectations but also strengthens their overall cybersecurity posture. A thorough SRA helps identify gaps before attackers exploit them, demonstrating a proactive commitment to protecting patient information.


The SRA is an in-depth and time-consuming process, especially for organizations doing it for the first time. It will take time, but subsequent assessments will be much easier and less time-consuming after the initial SRA is completed. As a practical matter, the goal isn't to make the environment bulletproof across the board. Instead, consider the 80/20 rule, which can be effective when applied proficiently. The aim is to maximize utility under the risk management plan, tailored to specific needs and risks.


With proper resource allocation and executive support, organizations can achieve and maintain HIPAA Security Rule compliance while protecting the ePHI entrusted to their care. The organization's commitment to the "accurate and thorough" standard, scaled to its size and complexity, will ensure sustainable compliance as it continues to grow.


As we enter the holiday season, when cyberattacks historically spike and defenses typically weaken, there's no better time to conduct or revisit your Security Risk Assessment. Don't let your organization become another statistic. Start the new year with a clear understanding of your risk posture and a roadmap to stronger security.


Season's breachings? Not on your watch...








[1] CISA, "Ransomware Awareness for Holidays and Weekends," Cybersecurity Advisory AA21-243A, available at: https://www.cisa.gov/news-events/cybersecurity-advisories/aa21-243a.

 

[2] Becker's Hospital Review, "Cyberattacks on healthcare rise during holidays," December 2024, 

 

[3] TechTarget HealthTech Security, "Report: Healthcare cyberattacks surge on holidays, weekends," https://www.techtarget.com/healthtechsecurity/news/366634663/Report-Healthcare-cyberattacks-surge-on-holidays-weekends.

 

[4] National Law Review, "HHS Intensifies HIPAA Risk Analysis Enforcement in 2025," April 2025, https://natlawreview.com/article/hhs-ocr-risk-analysis-enforcement-initiative-continues-under-new-administration.


[5] American Hospital Association (AHA), "2025 Cybersecurity Year in Review, Part One: Breaches and Defensive Measures," AHA Cyber Intel, October 7, 2025, https://www.aha.org/news/aha-cyber-intel/2025-10-07-2025-cybersecurity-year-review-part-one-breaches-and-defensive-measures.



The views shared on this blog belong to the author and should not be taken as legal advice.

© 2025 Talking Health Law. All Rights Reserved.
