How to Conduct Your 2019 Security Risk Analysis: Steps 5 & 6


You have to conduct a periodic security risk analysis (SRA) to make sure your organization is handling patient data securely. Plus, if you’re participating in the Medicare Promoting Interoperability Program, you have to complete an SRA by the end of 2019.

To help you prepare, this SRA series covers 8 steps designed to help you identify, prioritize, and address risks to your data. Throughout this series, we give examples of how you can organize your SRA and prepare yourself to strengthen your security posture.


This blog post will guide you through steps 5 and 6 of the security risk analysis: assessing security controls and assessing risk impact.

Important Definitions

  • Controls. Safeguards that reduce, mitigate, or prevent the exploitation of a vulnerability.
    • Safeguards include the policies, procedures, processes, and technical measures designed to keep threats from exploiting vulnerabilities.
  • Risk Impact. The effect on an organization if a vulnerability is exploited. Impacted areas could include:
    • Availability of systems and/or data
    • Financial cost
    • Legal repercussions
    • Reputational harm

5. Assess Security Controls

After identifying your vulnerabilities and threats in the last post, the next step is to assess what security controls you currently have in place or plan to put in place.

Security controls include, but are not limited to:

  • Restricted access to electronic protected health information (ePHI) to only those who need it to do their jobs
  • Procedures for responding to security incidents
  • An emergency response plan
  • Business associate agreements with all vendors who handle your ePHI
  • Restricted access to your facilities and equipment
  • Workstation security practices
  • Procedures to account for, dispose of, reuse, back up, and store devices and media containing ePHI
  • Unique user identification, automatic logoff, and encryption to protect workstations and devices
  • User authentication
  • Secure transmission of ePHI over networks

LEARN MORE: 9 Q&As That Explain HIPAA Security Rule Safeguards

The goal of this step is to evaluate how effective your current safeguards are at protecting your facility, operations, and technology from threats. For each control, ask: Is it actually implemented as written, and does it minimize or eliminate the risk to ePHI, or is it ineffective?

Create a checklist or questionnaire to guide you as you review all required policies, procedures, controls, and safeguards (contact us if you would like a checklist). A full inventory of your current security controls shows you which vulnerabilities are already covered and which still need a safeguard, which is what you need to reduce your organization’s exposure.

6. Assess Risk Impact

Next, you will need to assess the risk impact – the negative repercussions your organization would face if a threat were to exploit a vulnerability.

You do so by conducting an asset sensitivity and criticality assessment. In this assessment, you identify and prioritize the sensitive information assets that support your organization’s critical functions (e.g. hardware, software, systems, and services).

Prioritizing means assigning each asset an impact level (low, medium, or high) that reflects how badly your organization would suffer if that asset were compromised in a threat event. Would there be loss of availability, financial loss, legal repercussions, or reputational harm?

Example: You will assign a higher impact level to your electronic health records system because the EHR is critical for your organization to operate and it contains highly sensitive information. On the other hand, you will assign a lower impact level to a peripheral application that would do little damage if compromised.

Use the following to help you assess risk impact:

  • The list of vulnerabilities you discovered
  • Any threat models you used
  • Your security controls assessment

In Summary

In this stage of the security risk analysis, you are evaluating how prepared your organization currently is to prevent or mitigate threat events you may face. You are also assessing the impact these threat events would have if you were unable to prevent or mitigate them.

Don’t skip any steps! Each step of an SRA is designed to help you get a full picture of your organization’s readiness to handle risks. This, in turn, helps you address high-risk/high-impact issues first and strengthen your security posture.

Our HIPAA experts can conduct your security risk analysis for you. To learn about our SRA service and methodology, contact us at

Stay tuned for next week’s blog post, which wraps up our risk analysis series with the last two steps: assessing risk probability and documenting your findings.

Are you up to date with HIPAA?

Check out our cheat sheet for staying up to date with changing regulations!

READ MORE: Your Security Risk Analysis in 2019: Tips and Tools

