Missing the Mark: 80 percent of Covered Entities Fail Their Security Risk Analysis

Healthcare providers and their business associates remain one of the most highly regulated businesses in the country. One U.S. Department of Health and Human Services (HHS) audit found over 80% of covered entities and business associates failed to conduct a proper Security Risk Analysis (SRA). 

Who Requires an SRA? 

Organizations that create and access medical records (covered entities) and organizations that have access to medical records (business associates) are required to conduct an accurate and thorough SRA to identify security and privacy risks within their organization. 

An SRA is one of the most important tasks to be completed by covered entities and business associates to protect their patients and business. 

What the Law States 

The U.S. Department of Health and Human Services (HHS) states in §164.308:

(a) A covered entity or business associate must, in accordance with § 164.306:

(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:  

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.  

(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a)… 

The HHS Audit 

The Health Information Technology for Economic and Clinical Health Act (HITECH) requires HHS to conduct periodic audits on covered entities and business associates to verify they have implemented Health Insurance Portability and Accountability Act of 1996 (HIPAA) rules and that they are complying with requirements.  

In 2016 and 2017 HHS audited 166 covered entities and 41 business associates to see if they were following selected HIPAA standards. SRAs were one of the specific standards that HHS selected to audit. 

What was most intriguing about protocol element S2 was the documentation the organizations submitted in response to it and the results for that element.

HHS asked the organizations to submit documentation as evidence that they had completed an SRA. 

They asked for: 

  • Policy and procedure for their risk analysis process 
  • Results from a current Security Risk Analysis (SRA)  
  • Policies and procedures showing the implementation of the SRA, people responsible for conducting it, and evidence showing it is periodically reviewed and updated.  

They received: 

  • Information that described a patient's insurance prescription coverage and their rights.
  • A pharmacy fraud, waste and abuse, and conflict of interest and code of conduct employee sign-off page. 
  • Security activities of a third-party security vendor without documentation of any risk analysis. 

Making Sense of the Results 

Only 14% of the covered entities were able to demonstrate they correctly implemented and conducted routine SRAs. The audit indicated covered entities continue to struggle to conduct SRAs. 

Analyzing the audit shows some organizations may have:

  • misinterpreted the law;
  • not understood how to conduct an SRA;
  • used a third-party audit simply to 'check the box'.

Business associates also struggled to comply with the required standard.

Only 17% of business associates provided proof they followed the requirements, 34% admitted they misinterpreted the law, and some business associates failed to provide any documentation at all.

Should You Use a Third-Party Risk Assessment Agency? 

Using a third-party risk assessment agency to perform an SRA is not unusual as organizations are able to leverage outside expertise when it comes to completing an analysis. Yet third-party assessors can harm the organization if the risk assessments fail to meet the Security Rule requirement. 

Third-party assessments, when done correctly, can be a powerful tool. However, it is still the organization's responsibility to comply with the standard by consistently completing and managing these assessments. Finding the right third-party partner to navigate this process can be difficult but leads to success when both parties have a clear understanding of the requirements. 

Repercussions for Organizations, Patients and Business Partners 

Covered entities and business associates may have legitimate and valid reasons for not being able to comply with the SRA requirement. The Office for Civil Rights (OCR) within HHS takes these reasons into consideration, but it remains a mandatory obligation to be fulfilled. If not, there are repercussions to the organization. 

Failing to complete an SRA can cause reputational damage and bring financial penalties on the business.

Additionally, failure to comply with the standard means an organization is allowing their patients’ or business partners’ confidential information to be exposed to potential threat actors, a serious cybersecurity concern. 

The Solution: Hire a Reputable Advisory Team with a Strong Cybersecurity Background 

Partnering with a reputable third-party healthcare advisory team that understands cybersecurity, when implemented correctly, offers organizations a variety of benefits, strengthening their compliance programs and reducing overall costs.

Here are four benefits of partnering with a trusted advisory team: 

Securely Processing and Storing Patients’ and Business Partners’ Confidential Information 

HIPAA shouldn't be seen as a burden. The regulation serves as a benefit, providing safeguards for protected health information (PHI).

Each time your organization creates, receives, maintains, or transmits PHI you are faced with the opportunity to expose or protect the information. 

Implementing HIPAA into policies and procedures ensures your organization is taking effective measures to protect your patients and business partners. 

Those who implement cybersecurity-focused policies and procedures can feel confident operating online and sharing information with business partners.

Reducing Legal Risks 

Noncompliance with HIPAA regulations can lead to lengthy and invasive OCR audits, steep financial penalties, potential lawsuits, and irreparable reputational damage. 

In particular, violations may lead to legal consequences, including highly publicized and expensive class action lawsuits, as is the case with Excellus Health Plan Inc. for a data breach affecting over 9.3 million members, subscribers, patients, and customers. 

In 2021 Excellus Health reached a $5.1 million settlement to resolve a class action lawsuit that was filed in relation to a cyberattack discovered in 2015. 

“We know that the most dangerous hackers are sophisticated, patient, and persistent. Health care entities need to step up their game to protect the privacy of people’s health information from this growing threat,” said OCR Director Roger Severino. 

Establishing a Positive Culture 

Embedding regulatory compliance into business practices allows employees, patients, and business partners to build stronger relationships and establishes a positive, proactive, and protective culture over a reactive and blame-filled one.

Reducing Costs 

Using a dedicated healthcare advisory team provides organizations of all sizes affordable access to consultants that have years of experience and expertise assessing an organization’s governance, risk management and compliance (GRC). 

An in-house IT-focused GRC Analyst averages about $79,000 a year, according to ZipRecruiter data. 

Using a project-based advisory team allows organizations to invest in GRC where needed and avoid adding headcount. 

Additionally, trustworthy advisors will implement processes to help an organization continuously improve, not just perform a check-the-box assessment. 


The HHS audit found that over 80% of covered entities and business associates fail to conduct proper security risk assessments, indicating just how difficult it can be to conduct a proper SRA. With federal and state mandates growing for healthcare organizations, prioritizing security is essential. 

If you have questions about SRAs or how to implement cybersecurity-focused procedures and policies, reach out to us. We’re happy to jump on a call to discuss your organization’s current state of compliance and where we may be able to help.

Written by Todd Welfelt, Senior Systems and Security Engineer and Sheri Garver, Senior Advisor of Regulatory Compliance at PacketWatch.
