April 25

10 Steps to Conducting a HIPAA Risk Assessment and Building a Risk Management Plan



In the healthcare industry, protecting patient information, protected health information (PHI) in HIPAA terms, is critical for maintaining trust and confidentiality.  To ensure HIPAA compliance, covered entities and their business associates must conduct risk assessments and develop risk management plans.  In this post, we’ll provide a practical guide for healthcare providers on conducting a HIPAA risk assessment and building a risk management plan.

Step 0: Understanding the Risk Assessment

Before conducting a HIPAA risk assessment, it’s important to understand what it is and why it’s necessary.  A HIPAA risk assessment is a comprehensive evaluation of your organization’s security controls and the processes and systems that handle PHI.  It’s designed to identify potential risks and vulnerabilities that could lead to a breach of patient information.  The HIPAA Security Rule requires covered entities and business associates to conduct this assessment (45 CFR § 164.308(a)(1)(ii)(A), where it is called a risk analysis) to identify and mitigate risks to electronic PHI (ePHI).  Conducting a HIPAA risk assessment is not only a legal requirement, but it’s also a critical component of a robust information security program that protects patients’ privacy and confidentiality.

Step 1: Determine the Scope of the Risk Assessment

To start the risk assessment process, it’s important to decide which parts of your organization will be included in the assessment.  This could include specific departments, locations, or information systems. It’s crucial to ensure that all systems and departments that handle PHI are included, such as your billing and coding department.  Conversely, departments such as maintenance that don’t handle PHI may be excluded.  However, it’s important to consider any potential indirect risks to PHI, such as HVAC and electrical systems, that may impact your on-site servers.

Step 2: Identify Your Assets

To effectively manage risk, it’s important to identify all of your organization’s assets: hardware, software, and data, including electronic health records and the medical devices that store or transmit patient information.  Anything PHI passes through belongs in the inventory, including laptops, backup media, printers, and cloud services.  It’s essential to determine to what degree each asset contains, transmits, or interacts with PHI.  For instance, a file server that stores multiple files containing PHI should be classified as “High,” whereas a portable EKG machine that doesn’t store PHI may be classified as “Low.”  This step helps prioritize which assets need the most attention in terms of risk management.

Step 3: Identify Potential Threats

Once you have identified your assets, you must identify potential threats to those assets, such as malware, natural disasters, and human error.  Identify all the potential threats that your organization may face, both technical and non-technical.

Threats always come from a threat source.  NIST defines four general types of threat sources: 1) hostile cyber or physical attacks; 2) human errors of omission or commission; 3) structural failures of organization-controlled resources (such as hardware, software, and/or environmental controls); and 4) natural and man-made disasters, accidents, and failures beyond the control of the organization.

Make a list of the threats your organization faces, along with the asset or assets each threat could affect.  We’ll assign some values to these threats a little later.

Step 4: Identify Potential Vulnerabilities

A vulnerability refers to a flaw or weakness in an information system, security procedure, internal control, or implementation that could potentially be exploited by a threat source.  This could be a computer on your network that has not had critical security updates installed.  Not all vulnerabilities are technical in nature.  If your organization does not have a formal risk management program and/or does not perform regular risk assessments, that is a vulnerability as well.

It’s also important to briefly address another factor: predisposing conditions.  There are myriad such conditions, such as the location of your organization (e.g., being located in a hurricane-prone area).  The most pressing predisposing condition, though, is the fact that your organization handles PHI.  Medical information is extremely popular amongst cybercriminals.  Indeed, it is widely reported that a medical record sells for more than ten times the price of a credit card number.  Like it or not, the medical industry has a huge target painted on it just by virtue of being a medical institution.

Step 5: Assess Current Security Measures

The existing security measures in your organization need to be assessed to determine their efficacy.  The HIPAA Security Rule sets forth three types of safeguards: administrative, physical, and technical.  A risk gap analysis compares your existing controls and measures against the HIPAA-mandated safeguards.  Although that is an important step, for the purposes of this article we’re just going to focus on identifying what measures and controls are in place now.

Here are a couple of questions you should ask while assessing existing security measures:

  • What technologies are currently in use that are protecting our systems?
    • Possible answers are firewalls, antivirus, scheduled automatic updates, and web filtering.
  • What policies are currently in force that are designed to protect our data?
    • Possible answers are the Acceptable Use Policy, Email Policy, and Security Awareness Training.

Step 6: Analyze Risks

Analyze the potential risks to your assets, considering the likelihood of each risk and the potential impact on your organization.  This analysis will help you prioritize risks and determine how to allocate resources to mitigate them.

There are two common approaches to assessing risk: qualitative and quantitative (NIST also describes a semi-quantitative approach, which uses numeric scales such as 1 to 5 in place of labels).  It is beyond the scope of this article to dive into extreme detail on these approaches.  However, you can find further information regarding these approaches in NIST SP 800-30 (Section 2.3.2).  Let’s summarize the two approaches.

Quantitative Assessment

A quantitative assessment employs statistical models, data analysis, and other objective measures to estimate the likelihood and potential impact of each risk.  It assigns numerical values (probabilities, expected losses) to identified risks, which provides a more precise and objective estimate of risk, but only as good as the data and models behind it.  Quantitative assessments are typically more rigorous but also more expensive and time-consuming.

Qualitative Assessment

A qualitative assessment rates risk using categories or levels rather than numerical values.  These are typically easier to communicate to decision-makers and stakeholders since the categories/levels are easier to understand.  It is important to ensure that the levels of impact (such as high, medium, and low) and the categories of likelihood (such as very likely, somewhat likely, and unlikely) are clearly defined in order to provide as much objectivity as possible.

Throughout the rest of this article, we will be using a qualitative approach in our examples.

Risk Matrices and Formulae

Let’s return to the threats we identified in step 3.  We must now assign some values to these threats that will inform our decisions on risk mitigation.  There are two values we must determine: likelihood and impact.


The likelihood of occurrence is a weighted factor based on analyzing the probability that a particular threat can exploit a vulnerability (identified in step 4).  When assessing likelihood, it is common to employ the following three-step process to determine the threat event’s overall likelihood:

  1. The likelihood that threat events will be initiated (for adversarial threat events such as hacking) or will occur (for non-adversarial threat events such as human error or environmental disaster).
  2. The likelihood that the threat events, once in motion, will result in adverse impacts or harm to the organizational operations, assets, or individuals.
  3. The overall likelihood (by combining the likelihood of occurrence and the likelihood of adverse impact).


The impact level from a threat is the degree of harm that can be expected to result from that threat.  Here are a few examples of assessing impact:

  • The threat of a malicious insider stealing 2,000 medical records of an organization might have a very high impact on the organization.
  • The threat of an act of nature causing a power outage lasting less than 4 hours might have a medium impact on the organization.
  • The threat of malware infecting a single workstation that has not been updated in 30 days (the missing updates are the vulnerability, per step 4) might have a low impact on the organization.

Once the likelihood and impact have been determined, we can combine them to arrive at our total risk.  The formula is:

Risk = Likelihood x Impact

As previously discussed, there are several ways you can score/rank these factors.  You can use a “high, medium, low” classification for likelihood and impact, in which case the “multiplication” is really a lookup in a matrix that maps each likelihood/impact pair to a risk level.  Or you can use a numerical value (1 being low, 5 being high), in which case the product is a score from 1 to 25 that can be mapped back to a level.  The graphic below shows the matrix using the “high, medium, low” classification.  NIST SP 800-30 Appendix D has examples of assessment scales.

Risk Assessment – Risk Matrix
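The following is an added example, not code from the original article: a small qualitative risk register that carries the three-step likelihood process and Risk = Likelihood x Impact through in Python, and then recomputes a threat’s rating after a control is applied, which is the residual risk discussed under Risk Acceptance in step 7.  The 3x3 combination matrix, the 1/3/5 numeric mapping, the threats and their likelihood ratings are all assumptions made for illustration; the matrix is in the spirit of the NIST SP 800-30 appendix tables but is not a copy of them.

```python
"""Qualitative risk scoring: overall likelihood, then Risk = Likelihood x Impact.

Added example; not code from the original article.  The combination matrix,
numeric mapping and the threat register below are constructed assumptions.
"""
from dataclasses import dataclass, replace

LEVELS = ("low", "medium", "high")            # ordered qualitative scale
NUMERIC = {"low": 1, "medium": 3, "high": 5}  # assumed 1-5 mapping for a numeric score

# Assumed symmetric 3x3 matrix.  Used twice: first to combine the likelihood
# of initiation with the likelihood of adverse impact (overall likelihood),
# then to combine overall likelihood with impact (risk level).
COMBINE = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}


@dataclass(frozen=True)
class Threat:
    name: str
    asset: str
    initiation: str   # likelihood the threat event is initiated / occurs
    adverse: str      # likelihood it causes harm given current safeguards
    impact: str       # degree of harm if it does


def check_level(level: str) -> str:
    """Reject anything outside the defined scale so typos cannot silently rate as 'low'."""
    if level not in LEVELS:
        raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")
    return level


def overall_likelihood(t: Threat) -> str:
    """Step 3 of the likelihood process: combine initiation and adverse-impact likelihood."""
    return COMBINE[check_level(t.initiation)][check_level(t.adverse)]


def risk_level(t: Threat) -> str:
    """Risk = Likelihood x Impact as a matrix lookup on qualitative levels."""
    return COMBINE[overall_likelihood(t)][check_level(t.impact)]


def risk_score(t: Threat) -> int:
    """Numeric variant of the same formula: a score from 1 to 25."""
    return NUMERIC[overall_likelihood(t)] * NUMERIC[check_level(t.impact)]


def risk_register(threats):
    """Rows of (threat, overall likelihood, risk level, score), highest risk first."""
    rows = [(t, overall_likelihood(t), risk_level(t), risk_score(t)) for t in threats]
    rows.sort(key=lambda r: (LEVELS.index(r[2]), r[3]), reverse=True)
    return rows


def mitigate(t: Threat, levels: int = 1) -> Threat:
    """Model a control (e.g. MFA) that lowers the adverse-impact likelihood by
    `levels` steps.  The returned threat's rating is the residual risk."""
    idx = max(0, LEVELS.index(check_level(t.adverse)) - levels)
    return replace(t, adverse=LEVELS[idx])


# Constructed register based on the article's three impact examples; the
# likelihood ratings are assumed.
REGISTER = [
    Threat("Malicious insider exfiltrates 2,000 medical records", "EHR database",
           initiation="medium", adverse="high", impact="high"),
    Threat("Storm causes a power outage under 4 hours", "On-site servers",
           initiation="medium", adverse="medium", impact="medium"),
    Threat("Malware infects a workstation missing 30 days of updates", "Front-desk PC",
           initiation="high", adverse="low", impact="low"),
]

if __name__ == "__main__":
    for t, lik, risk, score in risk_register(REGISTER):
        print(f"{risk.upper():6} score={score:2} likelihood={lik:6} impact={t.impact:6} {t.name}")
    insider = REGISTER[0]
    # One step of likelihood reduction (say, MFA alone) vs. two (MFA plus access reviews).
    print("residual after one control:", risk_level(mitigate(insider)))
    print("residual after two controls:", risk_level(mitigate(insider, 2)))
```

Run as a script, the register prints the insider threat as high risk (score 25), the outage as medium (9) and the malware case as low (3).  The residual-risk lines make the practical point: with the assumed matrix, lowering the insider threat’s adverse-impact likelihood one level still leaves the risk high, and only a second control brings it down to medium, which is the kind of result that tells you whether residual risk is actually acceptable or whether more mitigation is needed.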

Step 7: Develop a Risk Management Plan

A risk management plan involves creating and implementing a formal process for managing identified risks.  A multi-faceted approach, including the development and enforcement of policies & procedures, regular employee security awareness training, and technical safeguards, is required.  While developing a risk management plan involves many different elements, conducting a risk assessment is a vital first step.

Addressing Risk

One of the key components of a risk management plan is determining how you will handle identified risks.  In risk management, there are generally four ways to deal with risk.

Risk Avoidance

This involves taking steps to avoid or eliminate the risk altogether.  This can be done by ceasing the activity that is causing the risk or by implementing controls to prevent the risk from occurring in the first place.  A common way to decide whether to avoid an identified risk is a risk-benefit analysis: if the risks outweigh the benefits, it may be worth ceasing the activity causing the risk.  For example, if you are using a non-HIPAA-compliant email platform and the cost and level of effort to procure and implement a HIPAA-compliant platform are prohibitive, you could elect to stop using email for patient communications altogether.

Risk Reduction/Mitigation

This involves taking steps to reduce the likelihood or impact of the risk.  This is typically done by implementing controls or safeguards that minimize the risk to an acceptable level.  For example, if your organization does not currently use multi-factor authentication (MFA) to sign into programs with PHI, you could elect to implement an MFA solution, thus enhancing your access controls and making it harder for hackers to gain access to a system.

Risk Transfer

Risk transfer involves transferring the risk to another party (typically an insurance company).  This can be done by purchasing insurance policies that cover the potential losses from the risk.  Many insurance companies offer cyber insurance policies, which help cover costs associated with responding to a breach, such as notifying patients, conducting forensic investigations, and providing credit monitoring services to affected individuals.

Risk Acceptance

Risk acceptance involves accepting the risk and its potential consequences.  Risk acceptance is, as you would imagine, inherently risky.  As such, it should be reserved for only those issues that cannot be resolved using any of the other three methods, and every accepted risk should be documented along with the rationale and the person who approved it.  Risk acceptance is tangentially related to risk avoidance, except that the activity causing the risk is not avoided; it is accepted.

There is also typically some risk still present even after applying other methods such as risk mitigation.  It is common for organizations to accept this “residual risk” once the original risk has been mitigated or otherwise addressed.  Using our MFA example above, there is still a residual risk that an internal bad actor with legitimate credentials could access PHI and steal the data.  Your organization may decide that the methods implemented decrease the risk to such a level that it is willing to accept that residual risk.

Step 8: Implement Risk Management Plan

Once you develop a plan to manage the risk, it is time to put it into action and deploy the measures you’ve elected to address the risk.  This will typically involve making necessary updates to policies and procedures, employee training, and technical safeguards, and it means working with IT staff, human resources, and other departments to ensure that the plan is properly implemented.  Care should be taken to roll out changes in a phased approach, especially when implementing technical safeguards such as new firewalls or other solutions that will block suspicious activity, so that a misconfiguration does not interrupt clinical systems.

Step 9: Monitor the Risk Management Plan

Once your risk management plan has been implemented, you should continuously monitor the effectiveness of the plan and make updates as needed.  This may involve ongoing training and education and continuous monitoring of security measures.

Step 10: Reassess Risks Periodically

Conducting a risk assessment is an ongoing process, and a risk management plan is not a “set it and forget it” activity.  New threats emerge regularly, organizational structure changes, and individuals join and leave the organization over time.  As a result, it is vital that you regularly reassess risks to ensure that your organization continues to stay on top of emerging threats and remains HIPAA compliant.  HIPAA itself does not fix an interval; HHS guidance calls for periodic reassessment and a fresh assessment after significant changes such as new systems, a merger, or a security incident.  As a practical baseline, conduct a risk assessment at least annually, and every six months if you can.  Your risk management plan should be a living document that is updated and optimized after each risk assessment.


Developing, conducting, and reviewing regular risk assessments is a daunting process, and it is not something to be taken lightly or done in a haphazard manner.  The security of your patients’ PHI should be at the top of your organization’s priority list.

By following these ten steps, you can conduct a thorough HIPAA risk assessment and develop a risk management plan that meets HIPAA requirements and protects patient information.  Remember, HIPAA compliance is an ongoing process, so it’s important to regularly assess and update your risk management plan to stay up-to-date with the latest threats and vulnerabilities.

At Axeleos, we understand the importance of effective risk management in healthcare, and we’re here to help.  Our MediGuard service offers comprehensive risk assessments and ongoing risk management support to help healthcare organizations comply with HIPAA regulations and protect patient data from cyber threats.  Contact us today to learn more about how MediGuard can help safeguard your organization’s information security and protect your patients’ sensitive information.

