Security Risk Analysis: A must for healthcare organizations in 2025

Cybersecurity threats will always evolve – but the fact remains that the healthcare industry remains a top target for ransomware and phishing attacks due to the vast amount of patient data handled. In 2024, organizations informed the US government about more than 700 healthcare data breaches affecting a total of over 180 million user records. This alarming trend underscores the urgent need for more robust cybersecurity measures within the healthcare sector.

Safeguarding patient information is more critical than ever – regardless of the size of practice. For small and medium private healthcare practices, conducting a Security Risk Analysis (SRA) is not just a regulatory requirement under the Health Insurance Portability and Accountability Act (HIPAA) but also a vital step in protecting patient data, maintaining trust, and ensuring business continuity.

An SRA helps identify potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI), enabling practices to implement appropriate safeguards and mitigate threats effectively. By conducting an annual SRA, private practices can ensure they have an accurate picture of their security posture and make any necessary updates to ensure data security measures are in place.  

Long story short - if your practice hasn’t completed an SRA or hasn’t properly documented one - now is the time to do so.

The History of HIPAA and Security Risk Analysis

By way of quick history - the Health Insurance Portability and Accountability Act (HIPAA) was signed into law on August 21, 1996, with the primary goal of improving the portability and accountability of health insurance coverage. As electronic health transactions became more prevalent, the need to protect health information grew. This led to the development of the HIPAA Privacy and Security Rules, which set standards for safeguarding Protected Health Information (PHI) and electronic PHI (ePHI)[1].

The HIPAA Security Rule, effective April 21, 2005, requires covered entities and business associates to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI[2]. This risk analysis is a cornerstone of HIPAA compliance, ensuring that healthcare organizations implement appropriate safeguards to protect patient data.

What is the HIPAA Security Rule?
The HIPAA Security Rule establishes national standards to protect individuals' electronic personal health information (ePHI) that is created, received, used, or maintained by a covered entity. The rule sets forth the administrative, physical, and technical safeguards that covered entities and their business associates must implement to ensure the confidentiality, integrity, and availability of ePHI.

The major tenets of the HIPAA Security Rule include:

1. Administrative Safeguards: These are policies and procedures designed to clearly show how the entity will comply with the act. They include the assignment or delegation of security responsibility to an individual and the implementation of security training for employees.

2. Physical Safeguards: These involve controlling physical access to protect against inappropriate access to protected data. This includes facility access controls, workstation use policies, and device and media controls.

3. Technical Safeguards: These are primarily the technology and the policy and procedures for its use that protect ePHI and control access to it. This includes access control, audit controls, integrity controls, and transmission security.

The Security Rule is designed to be flexible and scalable, allowing covered entities to implement policies, procedures, and technologies that are appropriate for their size, organizational structure, and risks to ePHI.

Who Needs to Conduct a Security Risk Analysis?

HIPAA applies to covered entities, including healthcare providers, health plans, and healthcare clearinghouses, as well as their business associates who handle ePHI – regardless of size. This requirement is outlined in 45 CFR § 164.308(a)(1)(ii)(A), which mandates that organizations implement policies and procedures to prevent, detect, contain, and correct security violations.

Small practices are not exempt from this requirement. These covered entities must conduct regular SRAs to identify and mitigate potential security risks. Failure to do so not only can result in significant penalties and jeopardize patient trust – it can put a healthcare practice at significant risk for cybersecurity attacks.

Enforcement Through Random HIPAA Audits

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) enforces HIPAA compliance through random audits. These audits focus on areas most vulnerable to hacking and ransomware attacks, such as risk analyses, access controls, and incident response plans[3]. If audited, organizations only have 10 calendar days to prepare the required documents, including policies and procedures, training records, and other relevant documentation. The intent of these audits is to ensure compliance with HIPAA's Privacy, Security, and Breach Notification Rules.

By conducting SRAs, private healthcare practices can proactively address vulnerabilities and demonstrate compliance during these audits.

The Top Ten Most Common HIPAA Violations

1. Snooping on Healthcare Records: Accessing patient records without a valid reason is a common violation. This includes snooping on records of family, friends, or celebrities[2].

2. Failure to Perform an Organization-Wide Risk Analysis: Not conducting a thorough risk analysis (a Security Risk Analysis) can lead to vulnerabilities in the security of ePHI[2].

3. Failure to Manage Security Risks / Lack of a Risk Management Process: Without a proper risk management process, healthcare practices may fail to address identified security risks[2].

4. Denying Patients’ Access to Health Records/Exceeding Timescale for Providing Access: Patients have the right to access their health records, and delays or denials can result in violations[2].

5. Failure to Enter into a HIPAA-Compliant Business Associate Agreement: Not having proper agreements with business associates who handle ePHI can lead to compliance issues[2].

6. Insufficient ePHI Access Controls: Inadequate access controls can result in unauthorized access to sensitive information[2].

7. Failure to Use Encryption or an Equivalent Measure to Safeguard ePHI on Portable Devices: Unencrypted portable devices pose a significant risk if lost or stolen[2].

8. Exceeding the 60-Day Deadline for Issuing Breach Notifications: Delays in notifying affected individuals and authorities about data breaches can lead to penalties[2].

9. Impermissible Disclosures of Protected Health Information: Sharing PHI without proper authorization is a common violation[2].

10. Improper Disposal of PHI: Failing to properly dispose of PHI can lead to unauthorized access and breaches[2].

 The New HISAA Proposed Regulation

In 2024, the Health Infrastructure Security & Accountability Act (HISAA) was introduced to strengthen security standards for health information. HISAA aims to address cybersecurity risks, require ongoing risk assessments, and establish new penalties for non-compliance. Key provisions of HISAA include:

• Enhanced security requirements for health information.

• Mandatory regular risk assessments and risk management plans.

• Increased civil penalties for non-compliance.

• Introduction of user fees to support data security oversight and enforcement activities.

If passed, HISAA will significantly impact private healthcare practices by imposing stricter security standards and increasing the frequency of audits. Practices must stay informed and compliant to avoid penalties and ensure the security of patient data.

Why work with a healthcare IT partner to conduct your SRA?

Partnering with a healthcare IT expert for your annual healthcare security risk analysis brings numerous advantages. These professionals possess specialized knowledge and experience in identifying and mitigating potential threats, ensuring your organization stays ahead of emerging cyber risks. By leveraging their expertise, you can achieve a comprehensive and thorough assessment of your security posture, tailored to the unique needs of the healthcare industry. Additionally, a healthcare IT partner can provide valuable insights and recommendations to enhance your security measures, helping you maintain compliance with industry regulations and standards. This collaboration not only strengthens your defenses but also allows your internal team to focus on core healthcare and private practice priorities and keep patient care front and center.

Conclusion

Conducting a Security Risk Analysis is essential for private healthcare practices in 2025. It not only strengthens the overall security posture of the organization, but also ensures compliance with HIPAA and prepares practices for random audits. With the potential enactment of HISAA, the importance of SRAs will only grow, making it imperative for healthcare practices to prioritize cybersecurity and protect patient information.

Endpoint works proactively with small and medium private healthcare practices to ensure they have modern, secure and compliant IT infrastructure and proactive management.  

Ensure compliance by scheduling your practice’s annual Security Risk Analysis with Endpoint today: Endpoint for Healthcare — Endpoint Utility Corp or email info@endpointutilitycorp.com or 406-884-2420.

Resources:

[1]: The Comprehensive History of HIPAA to the Current Day - HIPAA Journal [2]: 11062024 Top Ten HIPAA Violations Webinar by Endpoint [3]: HIPAA security rule & risk analysis - American Medical Association