3 Essentials for a Successful Security Risk Analysis

Beyond the inevitable loss of patient trust, there are two important reasons your practice should perform a yearly security risk analysis on the patient data held in your EHR and other electronic devices.

First off, security breaches can lead to serious financial losses. HIPAA civil penalties run as high as $50,000 per violation, depending on the level of culpability, with an annual cap of $1.5 million for repeated violations of the same provision. Add any litigation brought by patients whose data was exposed, and the costs become astronomical.

Additionally, conducting a security risk analysis and correcting deficiencies is a core requirement for both Meaningful Use Stage 1 and Stage 2.

Today, we’ll break down how to conduct an effective security risk analysis into a three-step process that will keep your patients’ information protected, HIPAA satisfied and Meaningful Use attestation on track.

Review HIPAA Standards

Meaningful Use’s security risk analysis requirement is based on the HIPAA Security Rule. (HIPAA itself dates from 1996; the Security Rule that implements its safeguards was finalized in 2003.) Even for those not looking to attest, it is the standard by which the federal government judges patient information protection. Therefore, familiarizing yourself with its requirements is the first step to an effective analysis.

Like most regulations, the Security Rule is lengthy. But HHS publishes a much shorter summary of the rule that covers the requirements your practice must meet to avoid penalties. Use the summary to get oriented, but treat the regulation text itself as the authority when you write your policies.

Because the rule was changed by the 2013 HIPAA Omnibus Final Rule (compliance was required from September 23, 2013), it is worth reviewing even if you are already familiar with it. Among other things, the Omnibus update broadened the definition of business associate, made business associates directly liable for Security Rule compliance, and expanded patients’ rights to access their protected health information (PHI).

Identify Vulnerabilities

A Meaningful Use certified EHR does not make your practice compliant: certification covers what the software can do, not how you configure and use it. Responsibility for protecting PHI rests with your practice as the covered entity (and, since the Omnibus rule, with any business associates that handle it), so even practices with certified EHRs need to look for their own security weaknesses.

One area to look at is your EHR’s user access controls. If not properly configured, staff members without a need to see a record, or even an outside intruder, may gain access to sensitive patient information. Check who holds administrative rights, whether accounts of former employees have been disabled, and whether the EHR’s audit logging of record access is turned on.

Also focus on drafting a clear security policy. An ambiguous policy produces inconsistent processes that put patient information at risk. Not having a policy is worse: the Security Rule requires written policies and procedures, so their absence is itself a compliance failure, not just a legal exposure after a breach.

Portable devices are another area where security goes wrong. Many breach reports involve laptops or USB drives holding patient information being lost or stolen from cars, homes or unattended desks. Beyond telling staff to keep such devices secure, encrypt them: under HHS breach notification guidance, lost PHI that was encrypted to the referenced NIST standards is not treated as unsecured PHI and does not trigger a reportable breach, while the same device lost unencrypted does.

Implement Updates

To meet Meaningful Use – and for patient data security in general – you’ll have to implement changes to fix identified security risks.

To bring your user access controls up to HIPAA standards, give every employee authorized to use the EHR a unique username and password; the Security Rule’s technical safeguards list unique user identification as a required implementation specification. Using the EHR under someone else’s username should be strictly forbidden. Tying each employee to one username lets the EHR’s audit logs show who accessed which record and when, which is what makes it possible to trace the source of a breach.
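The payoff of unique usernames is that the audit trail becomes attributable. The following is an added example, not code from the original article or from any EHR vendor: it reads a constructed, hypothetical audit-log format (timestamp, username, workstation, action, patient ID; real EHR logs differ per product), answers the breach-investigation question "who touched this patient’s record?", and flags the tell-tale pattern of a shared password, one username active on two workstations within a short window.

```python
"""Attribute EHR audit-log events to users and flag signs of shared credentials.

Added example; the log format and the sample lines are constructed assumptions,
not the article's or any EHR product's own audit format.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log: timestamp, username, workstation, action, patient ID.
SAMPLE_LOG = """\
2014-03-03T08:02:11 jsmith WS-FRONT1 VIEW PT-10422
2014-03-03T08:03:40 jsmith WS-FRONT1 VIEW PT-10431
2014-03-03T08:04:02 jsmith WS-EXAM3 VIEW PT-20987
2014-03-03T08:04:30 jsmith WS-EXAM3 EXPORT PT-20987
2014-03-03T08:15:12 rlee WS-BILLING VIEW PT-10422
2014-03-03T09:40:00 rlee WS-BILLING VIEW PT-10450
"""


def parse_log(text):
    """Parse the hypothetical space-separated audit format into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, workstation, action, patient = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "ws": workstation,
            "action": action,
            "patient": patient,
        })
    return events


def who_accessed(events, patient_id):
    """Usernames that touched a given patient's record: the first question in a
    breach investigation, and only answerable if every user has their own login."""
    return sorted({e["user"] for e in events if e["patient"] == patient_id})


def find_shared_accounts(events, window=timedelta(minutes=10)):
    """Flag usernames that appear on two different workstations within `window`.

    With one account per employee that pattern usually means a shared password,
    which silently destroys the attribution the audit log is supposed to give.
    Returns {username: [workstations involved]}.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev["ts"]):
        by_user[e["user"]].append(e)

    flagged = {}
    for user, evs in by_user.items():
        for earlier, later in zip(evs, evs[1:]):
            if earlier["ws"] != later["ws"] and later["ts"] - earlier["ts"] <= window:
                flagged.setdefault(user, set()).update({earlier["ws"], later["ws"]})
    return {user: sorted(ws) for user, ws in flagged.items()}


def exports(events):
    """(user, patient) pairs for export actions, the events most worth reviewing."""
    return [(e["user"], e["patient"]) for e in events if e["action"] == "EXPORT"]


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("PT-10422 accessed by:", who_accessed(evs, "PT-10422"))
    print("Possible shared accounts:", find_shared_accounts(evs))
    print("Exports:", exports(evs))
```

In the sample, jsmith is logged in at the front desk and 22 seconds later in an exam room, so the report flags that account; rlee stays on one workstation and is not flagged. The ten-minute window is a tuning choice, not a standard; pick it to match how quickly staff realistically move between workstations in your office.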

Make sure to include user access control protocols in your written policy. Other important areas to cover in your practice’s policy include data backup procedures, HIPAA rules for security breach notification and best practices for using portable devices.

If you’d like to reduce reliance on portable devices, consider adopting a cloud-based EHR. Because records are reached remotely from any place with an Internet connection, there is little reason to carry PHI around on USB sticks or external hard drives. Two caveats: the cloud vendor then holds your PHI, so it is a business associate and must sign a business associate agreement before it receives any data; and a login page reachable from anywhere makes strong, unshared passwords (and two-factor authentication where the vendor offers it) more important, not less.

A preemptive security risk analysis will not make a breach impossible, but it sharply reduces the chance that your practice falls victim to one. Putting effort into protecting patient data ahead of time can save you from severe financial headaches down the line.


The material and information contained on this website is for general information purposes only. You should not solely rely upon the material or information on the website as a basis for making any business, legal, medical, or any other decisions. While we endeavor to keep all information up-to-date and correct, all information in this site is provided "as is," and CareCloud Corporation and MTBC Inc. make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the information contained on the website for any purpose. Any reliance you place on such material is therefore strictly at your own risk.
