How to Conduct Your 2019 Security Risk Analysis: Steps 7 & 8


You have to conduct a periodic security risk analysis to make sure your organization is handling patient data securely. Plus, if you’re participating in the Medicare Promoting Interoperability Program, you have to conduct an SRA by the end of 2019.

To help you prepare, this SRA series has covered 8 steps designed to help you identify, prioritize, and address risks to your data. Throughout this series, we’ve given examples of how you can organize your SRA and prepare yourself to strengthen your security posture.

Catch up on this series:

This blog post will help you wrap up your security risk analysis with steps 7 and 8: assessing risk probability and documenting your findings. We will also look at how to get started on a risk management plan after you complete your risk analysis.

Important Definitions

  • Risk Probability. The likelihood that a threat could exercise a vulnerability.
  • Risk Tolerance. Whether or not an organization will accept a risk or mitigate it.

7. Assess Risk Probability

From the last step, you know the impact a threat exploiting a discovered or known vulnerability may have on your organization’s assets. The next step is to evaluate the likelihood that a threat event will happen in the first place.

Assessing risk probability helps you assign priority to the riskiest areas as you develop your risk management plan after the analysis (more about that later).

To assign risk probability, you will:

  1. Reference your list of discovered and known vulnerabilities and threats, as well as any threat models you’ve completed (see steps 3 & 4).
  2. Reference your list of security controls that lessen the likelihood of a threat exploiting a vulnerability (see step 5).
  3. Use this data to assign the likelihood (in qualitative or quantitative terms) that each possible threat event could take place.
  • Qualitative: Assign likelihood as Low, Medium, or High
  • Quantitative: Use a scale, such as 5 representing high risk and 1 representing low risk

Example: How likely is it that a hacker (threat source) will send a phishing email to an employee and the employee will open the email and trigger the malware (threat event)? If you have email safety training for your employees and strong anti-malware protection on your computers (controls), the risk probability for this particular threat event will be fairly low. If you don’t have any training or have weak systems (vulnerabilities), then the risk probability will be high.

See how all the previous steps in your risk analysis have led up to this step?

8. Document Your Findings

The final step of the security risk analysis is to document your findings in each step. You can compile the information in a single report or multiple reports. No matter how you choose to report your findings, make sure the documentation can be easily understood by all stakeholders who may need to read it.

You must maintain a record of your SRA for 6 years. If the Office for Civil Rights (OCR) investigates your organization, they will want to see that you’ve conducted an accurate and thorough risk analysis. That’s why it’s important to put together a clear and comprehensive report.

The OCR will also want to see how you’ve addressed risks following the SRA. Read on….

After the Security Risk Analysis

After the risk analysis, you’re not done yet! You need to create a risk management plan.

A risk management plan is an actionable plan to mitigate risks according to how you prioritized them. You will first address the risks you identified as high-impact and high-probability because these risks will be destructive if they happen and are likely to happen if they go unmitigated.

In some cases, you will have to simply accept risks that can’t be mitigated or that have a low impact or low probability. Whether or not you mitigate risks or choose to accept them is known as risk tolerance. Risk tolerance is determined by all the steps you’ve taken up until now.

Keep in mind, risk management is an ongoing process. Your risk management plan serves as a guideline to deal with known risks between your periodic risk analyses.Risk management is also a board-level activity; it should involve multiple departments with cross-functionality. In other words, security involves everyone at your organization.

Still feel overwhelmed by security risk analyses? We get it. The risk analysis is a huge responsibility, but an important one that you can’t afford to ignore. Our HIPAA experts can conduct a security risk analysis for your organization and put together a risk management plan based on our findings. To learn about our SRA service, contact us at

Are you up to date with HIPAA?

Check out our cheat sheet for staying up to date with changing regulations!

READ MORE: Your Security Risk Analysis in 2019: Tips and Tools

Request A HIPAAtrek Demo

HIPAAtrek User
Compliance is complicated. Your compliance software doesn’t have to be. Schedule your demo today!

You Might Also Like

Double Extortion: What It Is, and How You Can Prevent It

If organizations refuse to pay their ransom, attackers are threatening to release the data publicly. This will of course include sensitive information and PHI. Before Double Extortion, we assumed that hackers could not actually access our data and were only with-holding it from victims to disrupt the ability to continue their work. Now we know they can extract this information and publish it online, breaching our patient’s security.

Read More »

Cybersecurity During COVID-19

Watch out for COVID-19 cyber scams Sarah Badahman, CHPSE, Founder/CEO, HIPAAtrek Bethany Baty, Digital Marketing Director, HIPAAtrek Margaret Scavotto, JD, CHC, President, MPA The Department

Read More »