The Security Risk Assessment (SRA) is the single most important compliance activity a medical practice can undertake. Required under 45 CFR 164.308(a)(1)(ii)(A), the SRA is not optional — it is an explicit requirement of the HIPAA Security Rule. Despite this, the Office for Civil Rights (OCR) consistently finds that failure to conduct an adequate SRA is the most common deficiency cited in audits and enforcement actions. This guide walks you through the process step by step so your practice can complete a thorough, defensible risk assessment.
Why the SRA Matters
The SRA is more than a checkbox exercise. It is the foundation of your entire HIPAA security program. Every safeguard you implement — from encryption to access controls to backup procedures — should be traceable to risks identified in your SRA. OCR has made it clear that they view the SRA as the cornerstone of compliance. In settlement after settlement, the agency has cited absent or inadequate risk assessments as a primary factor. The SRA is also required for Meaningful Use / Promoting Interoperability attestation and MIPS reporting, making it a financial imperative as well.
Step 1: Define the Scope
Before you begin identifying risks, you must define the boundaries of your assessment. The scope should include every system, device, and location where electronic protected health information (ePHI) is created, received, maintained, or transmitted. This includes your EHR system, practice management software, email systems used for patient communication, medical devices that store patient data, portable devices like laptops and smartphones, cloud services and hosted applications, paper-to-electronic conversion processes, and backup systems. Document every asset in an inventory. Many practices undercount their ePHI touchpoints — do not forget fax servers, voicemail systems, patient portals, and billing clearinghouses.
Step 2: Identify Threats and Vulnerabilities
For each asset in your inventory, identify the threats it faces and the vulnerabilities that could be exploited. Threats are potential events that could harm ePHI — examples include ransomware attacks, unauthorized access by former employees, stolen laptops, natural disasters, and phishing emails. Vulnerabilities are weaknesses that a threat could exploit — unpatched software, weak passwords, lack of encryption, absent access controls, and untrained staff. The goal is to create a comprehensive list of threat-vulnerability pairs for each asset. Use resources like the NIST Cybersecurity Framework and the HHS Security Risk Assessment Tool as starting points.
Step 3: Assess Current Controls
Document what safeguards you already have in place for each identified risk. This includes technical controls (firewalls, encryption, multi-factor authentication), administrative controls (policies, training, access management procedures), and physical controls (locked doors, badge access, security cameras). Be honest in this assessment. The purpose is not to paint a rosy picture but to accurately understand your current security posture. For each control, note whether it is fully implemented, partially implemented, or not implemented at all.
Step 4: Determine Likelihood and Impact
For each threat-vulnerability pair, estimate the likelihood that the threat will exploit the vulnerability (considering your existing controls) and the potential impact if it does. Use a consistent rating scale — for example, High, Medium, and Low for both likelihood and impact. The combination of likelihood and impact gives you a risk level. A high-likelihood, high-impact risk (such as a ransomware attack against an unpatched EHR system) demands immediate attention, while a low-likelihood, low-impact risk can be addressed in due course. Document your rationale for each rating.
Step 5: Prioritize and Remediate
With your risks ranked, create a remediation plan that addresses the highest risks first. For each risk, decide whether to mitigate it (implement additional controls), accept it (document why the residual risk is acceptable), transfer it (purchase cyber insurance), or avoid it (eliminate the activity that creates the risk). Assign responsibility for each remediation action, set deadlines, and track progress. The remediation plan is a living document — it should be updated as actions are completed and new risks emerge.
Step 6: Document Everything
Documentation is critical. OCR does not accept verbal assurances that a risk assessment was conducted. Your SRA documentation should include the date of the assessment, who participated, the scope and methodology, the asset inventory, the threat and vulnerability analysis, the risk ratings and rationale, the remediation plan, and management sign-off. Retain this documentation for at least six years as required by the HIPAA Security Rule. The SRA should be reviewed and updated at least annually, or whenever significant changes occur in your environment — such as a new EHR implementation, office relocation, or security incident.
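The following is an added worked example, not GuardWell's code or a HIPAA-mandated formula: a minimal risk register that carries Steps 1 through 5 (inventory, threat-vulnerability pairs, control status, likelihood/impact rating, prioritization and treatment) and runs the documentation checks from Step 6. The practice, its assets, ratings, owners and dates are all constructed for illustration; the numeric weights behind the High/Medium/Low scale and the banding of the 3x3 matrix are assumptions chosen only so entries can be ordered consistently.

```python
"""Added example (not the vendor's code): a small SRA risk register.
Everything below is constructed sample data for a hypothetical practice."""
from dataclasses import dataclass, field
from typing import List

# Step 4 scale. Numeric weights are an assumption used to order entries,
# not a HIPAA-prescribed formula; any consistent scale would do.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}
TREATMENTS = {"mitigate", "accept", "transfer", "avoid"}


@dataclass
class Control:
    name: str
    status: str  # Step 3: "implemented", "partial" or "none"


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: str  # judged with current controls in place
    impact: str
    rationale: str   # Step 4 requires a documented reason for each rating
    controls: List[Control] = field(default_factory=list)
    treatment: str = ""  # Step 5 decision
    owner: str = ""
    deadline: str = ""

    @property
    def score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    @property
    def level(self) -> str:
        # Assumed banding of the 3x3 matrix: 6-9 High, 3-4 Medium, 1-2 Low
        if self.score >= 6:
            return "High"
        if self.score >= 3:
            return "Medium"
        return "Low"

    def control_gaps(self) -> int:
        return sum(1 for c in self.controls if c.status != "implemented")


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Highest risk first; ties broken by number of unimplemented controls."""
    return sorted(risks, key=lambda r: (-r.score, -r.control_gaps(), r.asset))


def validate_register(inventory: List[str], risks: List[Risk]) -> List[str]:
    """Step 6 checks: every asset analysed, every rating justified,
    every risk given a treatment, every mitigation owned and dated."""
    findings = []
    covered = {r.asset for r in risks}
    for asset in inventory:
        if asset not in covered:
            findings.append(f"{asset}: no threat-vulnerability pairs recorded")
    for r in risks:
        tag = f"{r.asset}/{r.threat}"
        if not r.rationale:
            findings.append(f"{tag}: rating has no documented rationale")
        if r.treatment not in TREATMENTS:
            findings.append(f"{tag}: no treatment decision")
        elif r.treatment == "mitigate" and not (r.owner and r.deadline):
            findings.append(f"{tag}: mitigation lacks owner or deadline")
    return findings


# Constructed inventory (Step 1) and register (Steps 2-5) for a hypothetical practice.
INVENTORY = ["EHR server", "Front-desk laptop", "Fax server", "Patient portal"]

REGISTER = [
    Risk("EHR server", "ransomware", "unpatched OS", "High", "High",
         "Internet-facing; patches nine months behind",
         [Control("offline backups", "partial"), Control("patch schedule", "none")],
         treatment="mitigate", owner="IT vendor", deadline="2025-03-31"),
    Risk("Front-desk laptop", "theft", "no full-disk encryption", "Medium", "High",
         "Device leaves the office for home charting",
         [Control("full-disk encryption", "none")],
         treatment="mitigate", owner="Office manager"),  # deadline missing on purpose
    Risk("Patient portal", "credential stuffing", "no MFA", "Medium", "Medium",
         "Vendor reports blocked login attempts monthly; lockout policy in place",
         [Control("MFA", "none"), Control("lockout policy", "implemented")],
         treatment="accept"),
]

if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.level:6} score={r.score} {r.asset}: {r.threat} via {r.vulnerability}"
              f" -> {r.treatment or 'UNDECIDED'}")
    for finding in validate_register(INVENTORY, REGISTER):
        print("FINDING:", finding)
```

Running it lists the EHR ransomware risk first, the laptop theft risk second and the portal risk third, and then reports two gaps an auditor would catch: the fax server was inventoried but never analysed, and the laptop mitigation has an owner but no deadline. The treatment decision is deliberately a human input rather than something the script derives from the score, because accepting or transferring a risk is a management judgement that has to be documented as such.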
How GuardWell Compliance Helps
GuardWell provides medical practices with a structured, guided Security Risk Assessment workflow that walks you through each step described above. The platform maintains your asset inventory, tracks identified risks with severity ratings, generates remediation plans with assigned owners and deadlines, and produces the documentation you need to demonstrate compliance during an audit. Rather than starting from a blank spreadsheet, your practice can complete a defensible SRA using GuardWell's built-in framework and maintain it as a living document year after year.