How to Conduct Your 2019 Security Risk Analysis: Steps 7 & 8


You have to conduct a periodic security risk analysis to make sure your organization is handling patient data securely. Plus, if you’re participating in the Medicare Promoting Interoperability Program, you have to conduct an SRA by the end of 2019.

To help you prepare, this SRA series has covered 8 steps designed to help you identify, prioritize, and address risks to your data. Throughout this series, we’ve given examples of how you can organize your SRA and prepare yourself to strengthen your security posture.

Catch up on this series:

This blog post will help you wrap up your security risk analysis with steps 7 and 8: assessing risk probability and documenting your findings. We will also look at how to get started on a risk management plan after you complete your risk analysis.

Important Definitions

  • Risk Probability. The likelihood that a threat could exercise a vulnerability.
  • Risk Tolerance. Whether or not an organization will accept a risk or mitigate it.

7. Assess Risk Probability

From the last step, you know the impact a threat exploiting a discovered or known vulnerability may have on your organization’s assets. The next step is to evaluate the likelihood that a threat event will happen in the first place.

Assessing risk probability helps you assign priority to the riskiest areas as you develop your risk management plan after the analysis (more about that later).

To assign risk probability, you will:

  1. Reference your list of discovered and known vulnerabilities and threats, as well as any threat models you’ve completed (see steps 3 & 4).
  2. Reference your list of security controls that lessen the likelihood of a threat exploiting a vulnerability (see step 5).
  3. Use this data to assign the likelihood (in qualitative or quantitative terms) that each possible threat event could take place.
    • Qualitative: Assign likelihood as Low, Medium, or High
    • Quantitative: Use a scale, such as 5 representing high risk and 1 representing low risk

Graphic of collected data.

Example: How likely is it that a hacker (threat source) will send a phishing email to an employee and the employee will open the email and trigger the malware (threat event)? If you have email safety training for your employees and strong anti-malware protection on your computers (controls), the risk probability for this particular threat event will be fairly low. If you don’t have any training or have weak systems (vulnerabilities), then the risk probability will be high.

See how all the previous steps in your risk analysis have led up to this step?

8. Document Your Findings

The final step of the security risk analysis is to document your findings in each step. You can compile the information in a single report or multiple reports. No matter how you choose to report your findings, make sure the documentation can be easily understood by all stakeholders who may need to read it.

You must maintain a record of your SRA for 6 years. If the Office for Civil Rights (OCR) investigates your organization, they will want to see that you’ve conducted an accurate and thorough risk analysis. That’s why it’s important to put together a clear and comprehensive report.

The OCR will also want to see how you’ve addressed risks following the SRA. Read on….

After the Security Risk Analysis

After the risk analysis, you’re not done yet! You need to create a risk management plan.

A risk management plan is an actionable plan to mitigate risks according to how you prioritized them. You will first address the risks you identified as high-impact and high-probability because these risks will be destructive if they happen and are likely to happen if they go unmitigated.

In some cases, you will have to simply accept risks that can’t be mitigated or that have a low impact or low probability. Whether or not you mitigate risks or choose to accept them is known as risk tolerance. Risk tolerance is determined by all the steps you’ve taken up until now.

Screenshot of HIPAAtrek's risk tolerance assessment spreadsheet.

HIPAAtrek combines information about discovered vulnerabilities, threats, impact, and controls to calculate risk tolerance.

Screenshot of recommended mitigation for vulnerabilities to determine risk tolerance.

HIPAAtrek’s risk tolerance assessment allows you to plan your mitigation efforts around specific threats and vulnerabilities, as well as assign priority.

Keep in mind, risk management is an ongoing process. Your risk management plan serves as a guideline to deal with known risks between your periodic risk analyses.Risk management is also a board-level activity; it should involve multiple departments with cross-functionality. In other words, security involves everyone at your organization.

Still feel overwhelmed by security risk analyses? We get it. The risk analysis is a huge responsibility, but an important one that you can’t afford to ignore. Our HIPAA experts can conduct a security risk analysis for your organization and put together a risk management plan based on our findings. To learn about our SRA service, contact us at

READ MORE: Your Security Risk Analysis in 2019: Tips and Tools

Request A HIPAAtrek Demo

HIPAAtrek User
Compliance is complicated. Your compliance software doesn’t have to be. Schedule your demo today!

You Might Also Like