Top 5 Security Risk Analysis Myths & Facts

Conducting a security risk analysis is a required measure for all HIPAA covered entities. Eligible professionals must conduct or review a security risk analysis for each reporting period to ensure the privacy and security of their patients’ protected health information.


The latest HIPAA Audit Program results found that 83% of covered entities failed to perform an adequate security risk analysis (SRA). Additionally, 94% failed to establish or maintain an information security risk management plan. Failing to perform a risk assessment, or conducting an insufficient one, is the leading cause of failing a HIPAA audit.

HIPAA security risk assessment requirements can be intimidating for any organization, and there are many myths surrounding the process and requirements. So let’s break down the top five SRA (Security Risk Analysis) myths, and provide facts and tips that can help you structure your risk analysis process.

MYTH: The security risk analysis is optional for small providers.
FACT: All HIPAA “covered entities” are required to perform a risk analysis, regardless of practice size. Additionally, if you report for Meaningful Use or you plan to attest for MACRA, you run the risk of incurring additional penalties/consequences if you are audited and have failed to perform a risk analysis.

MYTH: My EHR vendor took care of my SRA.
FACT: Your EHR vendor may be able to provide information, assistance, and training on the privacy and security aspects of the EHR product. However, it is solely your responsibility to have a complete risk analysis conducted.

MYTH: A checklist will suffice for the risk analysis requirement.
FACT: Checklists can be useful tools, but they fall short of performing a systematic security risk analysis or documenting that one has been performed. Many practices are guilty of performing a “check the box” SRA and not taking the actual steps to prevent a security breach. Auditors regard a checklist approach as being just as bad as a missing risk assessment.

MYTH: My security risk analysis only needs to look at my EHR.
FACT: All electronic devices that store, capture, or modify electronic protected health information must be reviewed. This includes, but is not limited to: tablets, computers, cell phones, and even copiers/fax machines.

MYTH: I only need to do a risk analysis once.
FACT: To comply with HIPAA, you must continue to review, correct or modify, and update security protections.

Risk analysis is the first step in an organization’s HIPAA compliance efforts. Risk analysis is an ongoing process that should provide the organization with a detailed understanding of the risks to the confidentiality, integrity, and availability of e-PHI.

Taking your security initiatives to the next level, Breadcrumb Cybersecurity moves your organization beyond compliance to actively defending against breach. Utilizing real-world strategies, Breadcrumb helps you protect your patients’ data, while ensuring you meet all HIPAA/MACRA regulatory requirements.

Breadcrumb Cybersecurity helps organizations protect their infrastructure, critical data, and reputation from today’s advanced cyber threats. Based in California, Breadcrumb offers comprehensive cybersecurity services for organizations throughout the U.S. Our services include regulatory compliance, risk assessments, digital forensics, penetration testing, incident response, technical/staff training, 24/7 security operations, and on-going advisory services.