HIPAA Security Risk Assessment

What Is a HIPAA Security Risk Assessment?

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires covered entities and their business associates to conduct a risk assessment of their healthcare organization, as the Assistant Secretary for Technology Policy/Office of the National Coordinator for Health IT (ASTP/ONC) notes.

A risk assessment helps an organization demonstrate compliance with the HIPAA Security Rule. It also reveals vulnerabilities and the places where the organization's protected health information (PHI) is at risk.[i]

The Office for Civil Rights (OCR), part of the Department of Health and Human Services (HHS), is responsible for issuing annual guidance on the provisions of the HIPAA Security Rule, codified at Title 45 of the Code of Federal Regulations (45 CFR §§ 164.302-318). The Security Rule mandates security measures for electronic PHI (ePHI) and details the administrative, physical, and technical safeguards that covered entities and their business associates must implement to ensure its confidentiality, integrity, and availability.[ii]

More specifically, a regulated entity must implement procedures to regularly review its records to track access to ePHI and detect security incidents,[iii] periodically evaluate the effectiveness of the security measures it has put in place and modify them as necessary,[iv] and regularly reevaluate potential risks.[v]

The Objectives of Risk Assessments

The Security Rule's general requirements, set out in 45 CFR § 164.306(a), define the objectives a risk assessment must serve. A regulated entity must:

  • Ensure the confidentiality, integrity, and availability of all electronic PHI the covered entity or associate creates, receives, maintains, or transmits.
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part (the HIPAA Privacy Rule).
  • Ensure compliance with the HIPAA Security Rule by its workforce (in practice, through training and the enforcement of a sanctions policy).

Why Are HIPAA Assessments Necessary?

The healthcare industry has become a favored target of cyber criminals. From 2022 to 2024, the industry reported more than 700 large data breaches (those affecting 500 or more individuals) to OCR each year, and 2024 was the worst year on record for breached records: 276,775,457 records were breached, equivalent to 81 percent of the 2024 population of the United States.[vi]

Under the risk analysis requirement at 45 CFR § 164.308(a)(1)(ii)(A), a risk analysis is the first step in identifying and implementing protections that comply with and carry out the standards and implementation specifications of the rule.[vii]

In 2024, there were 14 data breaches involving more than 1 million patient records each, including the largest healthcare data breach of all time, which affected an estimated 190,000,000 individuals. If this trend continues, the industry could end up in turmoil, unable to perform its core mission of caring for people's health.

Proposed Rule Would Make Safeguards Stricter and Mandatory

On January 6, 2025, the U.S. Department of Health and Human Services published a notice of proposed rulemaking (NPRM) that could have a major impact on how organizations perform their security risk assessments. If finalized, the rule would require regulated entities to implement a range of measures that the current rule largely leaves to each entity's judgment, including multifactor authentication, encryption of ePHI at rest and in transit, remediation of known vulnerabilities, network segmentation, an accurate asset inventory, and regular security testing. As a proposal, the NPRM has no legal effect until a final rule is published.

“The proposed HIPAA Security Rule should go a long way toward reducing … data breaches and will help OCR hold … organizations accountable for security failings and insufficient investment in cybersecurity,” wrote Steve Alder of The HIPAA Journal.[viii]

Who Must Perform the Assessments?

The following entities must comply with HIPAA and perform security risk assessments. The law refers to them as “covered entities”:

  • Health plans
  • Most health care providers, including doctors, clinics, hospitals, nursing homes, and pharmacies
  • Health care clearinghouses

As noted, HIPAA also applies to business associates, i.e., third parties that perform functions or activities on a covered entity's behalf that require the use of PHI, such as claims processing or administration. Entities that transmit PHI on behalf of a covered entity (or its business associate) and that require routine access to that PHI are also business associates under HIPAA. Regional Health Information Organizations (HIOs), which facilitate the exchange of ePHI among several health care organizations primarily for treatment purposes, are one example.[ix]

At first glance, requiring business associates to perform risk assessments may look like overreach. But consider this: in 2024, 8 of the 14 data breaches involving more than 1 million patient records occurred at business associates of HIPAA-covered entities.[x]

HIPAA does not mandate a specific frequency. It requires that security measures and the evaluation behind them be reviewed periodically and as needed in response to environmental or operational changes (45 CFR § 164.306(e); § 164.308(a)(8)). In practice, most organizations perform a full assessment at least annually and repeat it after any significant change, such as a new system, an acquisition, or a major incident.

Small and Medium-Sized Organizations Have a Helpful SRA Tool

Recognizing that small and medium-sized organizations may need help performing their risk assessments, ASTP/ONC collaborated with OCR, which enforces the HIPAA Rules, to develop the Security Risk Assessment (SRA) Tool to assist providers and business associates in meeting their responsibility to protect data. Organizations can use the tool to assess and document the information security risks within their own organizations.

The SRA Tool walks an organization through each section by asking a question about the organization's activities. The answers show whether the organization should take corrective action for that item or continue its current security activities. If corrective action is suggested, the tool provides guidance on the related HIPAA Rule requirement or security reference, along with suggestions for improvement.[xi]

Note: The SRA Tool runs locally on your computer. It does not transmit information to the Department of Health and Human Services, ASTP/ONC, or OCR. It is available at no cost and runs on Windows 7/8/10/11.[xii]

What Must Covered Entities Do Today?

The Security Rule requires covered entities and their business associates to implement the following key measures.

Risk Analysis & Management

A regulated entity must conduct an accurate and thorough analysis of the risks and vulnerabilities to the ePHI it holds (45 CFR § 164.308(a)(1)(ii)(A)) and implement security measures sufficient to reduce those risks to a reasonable and appropriate level (§ 164.308(a)(1)(ii)(B)). It must also implement procedures to regularly review its records to track access to ePHI and detect security incidents, periodically evaluate the effectiveness of the security measures in place and modify them as necessary, and regularly reevaluate potential risks.

Information Access Management

HIPAA’s Privacy Rule includes a “minimum necessary” standard that limits uses and disclosures of PHI, while the Security Rule requires a regulated entity to implement policies and procedures for authorizing access to ePHI only when such access is appropriate for the user’s or recipient’s role.[xiii]

Security Incident Procedures

A regulated entity must implement policies and procedures to address security incidents. It must identify and respond to suspected or known security incidents; mitigate, to the extent practicable, the harmful effects of known security incidents; and document security incidents and their outcomes.[xiv]

Technical Safeguards

The Security Rule specifies five technical safeguard standards (45 CFR § 164.312) that a regulated entity must implement:

  • Access Control. A regulated entity must implement technical policies and procedures for the electronic information systems that maintain ePHI so that access is allowed only to those persons or software programs that have been granted access rights.[xv]
  • Audit Controls. A regulated entity must implement hardware, software, and/or procedural mechanisms to record and examine activity in information systems that contain or use ePHI.[xvi]
  • Integrity. A regulated entity must implement policies and procedures to protect ePHI from improper alteration or destruction, including electronic mechanisms to corroborate that the information has not been altered or destroyed in an unauthorized manner.[xvii]
  • Person or Entity Authentication. A regulated entity must implement procedures to verify that a person or entity seeking access to ePHI is the one claimed.[xviii]
  • Transmission Security. A regulated entity must implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network.[xix]
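
One concrete part of the information system activity review required by 45 CFR § 164.308(a)(1)(ii)(D), and of the audit-controls standard above, is examining ePHI access records for signs of misuse rather than merely retaining them. The following Python is an added example, not code from the page, from HHS, or from the SRA Tool. It runs three review rules over a constructed access log: a unit-bound role viewing patients assigned elsewhere (a "minimum necessary" check), bulk record views after hours, and bursts of failed logins, noting whether a successful login followed. The log format, the role/unit model, and every threshold are assumptions made for illustration.

```python
"""Information system activity review over an ePHI access audit log.

Added example, not code from the page, HHS, or the SRA Tool. The log format,
role/unit model, and thresholds are assumptions made for illustration; a real
EHR audit trail (an ATNA feed, for instance) needs its own parser.
"""
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample records (not real data), one per line:
# timestamp user role unit patient patient_unit action result
SAMPLE_LOG = """\
2025-03-03T09:12:44 nurse_lee RN ICU P1001 ICU view success
2025-03-03T09:20:15 nurse_lee RN ICU P4001 MATERNITY view success
2025-03-03T10:05:00 dr_kim MD CARD P3001 CARD view success
2025-03-03T02:41:10 clerk_ray BILLING ADMIN P2001 ONC view success
2025-03-03T02:41:30 clerk_ray BILLING ADMIN P2002 ONC view success
2025-03-03T02:41:50 clerk_ray BILLING ADMIN P2003 ONC view success
2025-03-03T02:42:10 clerk_ray BILLING ADMIN P2004 ONC view success
2025-03-03T02:42:30 clerk_ray BILLING ADMIN P2005 ONC view success
2025-03-03T11:00:00 tech_ana IT - - - login failure
2025-03-03T11:00:20 tech_ana IT - - - login failure
2025-03-03T11:00:40 tech_ana IT - - - login failure
2025-03-03T11:01:00 tech_ana IT - - - login failure
2025-03-03T11:01:20 tech_ana IT - - - login failure
2025-03-03T11:01:40 tech_ana IT - - - login success
"""

# Assumed review thresholds; tune them from the organization's own risk analysis.
UNIT_BOUND_ROLES = frozenset({"RN"})           # roles expected to stay in their unit
AFTER_HOURS_START, AFTER_HOURS_END = 22, 6     # 22:00 to 06:00
BULK_WINDOW, BULK_THRESHOLD = timedelta(minutes=10), 5
FAIL_WINDOW, FAIL_THRESHOLD = timedelta(minutes=5), 5

Event = namedtuple("Event", "ts user role unit patient patient_unit action result")
Finding = namedtuple("Finding", "rule user detail")


def parse_log(text):
    """Parse the assumed whitespace-separated format into time-ordered events."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, *rest = line.split()
            events.append(Event(datetime.fromisoformat(ts), *rest))
    return sorted(events, key=lambda e: e.ts)


def is_after_hours(ts):
    return ts.hour >= AFTER_HOURS_START or ts.hour < AFTER_HOURS_END


def _bursts(events, window, threshold):
    """Per user, the most events inside any sliding window of length `window`,
    returned only for users who reach `threshold`."""
    times = defaultdict(list)
    for e in events:
        times[e.user].append(e.ts)
    hits = {}
    for user, ts_list in times.items():
        start = 0
        for end in range(len(ts_list)):
            while ts_list[end] - ts_list[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[user] = max(hits.get(user, 0), end - start + 1)
    return hits


def review_log(text):
    """Apply three review rules and return Finding records for a human reviewer."""
    events = parse_log(text)
    views = [e for e in events if e.action == "view" and e.result == "success"]
    findings = []

    # Rule 1 (minimum necessary): a unit-bound role viewing a patient assigned elsewhere.
    for e in views:
        if e.role in UNIT_BOUND_ROLES and e.unit != e.patient_unit:
            findings.append(Finding("cross_unit_access", e.user,
                                    f"{e.role} in {e.unit} viewed {e.patient} ({e.patient_unit})"))

    # Rule 2: bulk ePHI access after hours, a common sign of snooping or exfiltration.
    after_hours = [e for e in views if is_after_hours(e.ts)]
    for user, n in _bursts(after_hours, BULK_WINDOW, BULK_THRESHOLD).items():
        findings.append(Finding("after_hours_bulk_access", user,
                                f"{n} ePHI views between 22:00 and 06:00 within 10 minutes"))

    # Rule 3: authentication failure bursts, noting whether a success followed them.
    failures = [e for e in events if e.action == "login" and e.result == "failure"]
    for user, n in _bursts(failures, FAIL_WINDOW, FAIL_THRESHOLD).items():
        last_fail = max(e.ts for e in failures if e.user == user)
        followed = any(e.user == user and e.action == "login" and e.result == "success"
                       and e.ts > last_fail for e in events)
        findings.append(Finding("failed_login_burst", user, f"{n} failures within 5 minutes"
                                + (", then a successful login" if followed else "")))
    return findings


if __name__ == "__main__":
    for f in review_log(SAMPLE_LOG):
        print(f"{f.rule:24} {f.user:10} {f.detail}")
```

Findings are input for a human reviewer; a rule hit is not by itself a breach determination, and the outcome of the investigation is what gets documented under the security incident procedures. The rules and thresholds should come out of the risk analysis, for example what "after hours" means on a 24-hour ICU, which roles are genuinely unit-bound, and whether billing staff are expected to touch records in bulk at all.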

How Forescout Helps

As organizations seek to protect their information and properly assess their security risks, the Forescout 4D Platform™ helps them assess and identify risks, manage those risks, and respond to security incidents. The major capabilities organizations use in the Forescout platform for this are:

  • Risk Management: Gain full visibility into IT, OT, IoT, and IoMT assets, both managed and unmanaged, to reduce the risk of potential attacks. Pair this with the Forescout Platform’s comprehensive capabilities for network security, risk and exposure management, and extended detection and response to strengthen supply chain security with all your business associates.
  • Incident Management: Forescout facilitates rapid threat detection and response to security incidents with automated solutions. Real-time monitoring and incident response capabilities empower organizations to adhere to HIPAA mandates for timely and accurate reporting.
  • Operational Resilience Testing: Forescout’s continuous asset monitoring and threat detection and response capabilities help organizations meet operational resilience requirements. By continuously assessing and adapting their security posture, organizations can maintain compliance and operational strength.
  • Third-Party Risk: The Forescout 4D Platform gives organizations enhanced visibility over their third-party support organizations, enabling them to manage and secure these critical links in the patient care and management value chain.
  • Information Sharing: Securely share incident reports, logs, and audit data with stakeholders. Plus, benefit from Vedere Labs’ threat intelligence, which is integrated into the Forescout 4D Platform and shared with the broader community.

Schedule a demo to see how the Forescout Platform continuously identifies, protects, and ensures the compliance of all managed and unmanaged cyber assets without disrupting patient care.


[i] ASTP. Security Risk Assessment Tool, Assistant Secretary for Technology Policy. Accessed April 10, 2025 from the following source: https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

[ii] HHS (2019). Guidance on Risk Analysis, July 22, 2019. U.S. Department of Health and Human Services. Accessed April 10, 2025 from the following source: https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html

[iii] 45 CFR 164.308(a)(1)(ii)(D).

[iv] 45 CFR 164.306(e); 45 CFR 164.308(a)(8).

[v] 45 CFR 164.306(b)(2)(iv); 45 CFR 164.306(e).

[vi] Alder, Steve, The HIPAA Journal (2025). The Biggest Healthcare Data Breaches of 2024, March 19, 2025, The HIPAA Journal. Accessed April 10, 2025 from the following source: https://www.hipaajournal.com/biggest-healthcare-data-breaches-2024/#:~:text=In%202024%2C%20there%20were%2014,an%20estimated%20190%2C000%2C000%20million%20individuals

[vii] HHS (2019). Guidance on Risk Analysis, July 22, 2019. U.S. Department of Health and Human Services. Accessed April 10, 2025 from the following source: https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html

[viii] Alder, Steve, The HIPAA Journal (2025). The Biggest Healthcare Data Breaches of 2024, March 19, 2025, The HIPAA Journal. Accessed April 10, 2025 from the following source: https://www.hipaajournal.com/biggest-healthcare-data-breaches-2024/#:~:text=In%202024%2C%20there%20were%2014,an%20estimated%20190%2C000%2C000%20million%20individuals.

[ix] ASTP. Frequently Asked Questions, Assistant Secretary for Technology Policy. Accessed April 10, 2025 from the following source: https://www.healthit.gov/faq/who-must-follow-hipaa

[x] Alder, Steve, The HIPAA Journal (2025). The Biggest Healthcare Data Breaches of 2024, March 19, 2025, The HIPAA Journal. Accessed April 10, 2025 from the following source: https://www.hipaajournal.com/biggest-healthcare-data-breaches-2024/#:~:text=In%202024%2C%20there%20were%2014,an%20estimated%20190%2C000%2C000%20million%20individuals

[xi] ASTP/ONC/OCR (2023). Security Risk Assessment Tool v3.5 User Guide, August 18, 2023, ASTP. Accessed April 10, 2025 from the following source: https://www.healthit.gov/sites/default/files/page/2024-10/SRA_Tool_User_Guide_Version_3_5_Final.pdf

[xii] Ibid.

[xiii] 45 CFR 164.308(a)(4)(i).

[xiv] 45 CFR 164.308(a)(6).

[xv] 45 CFR 164.312(a).

[xvi] 45 CFR 164.312(b).

[xvii] 45 CFR 164.312(c).

[xviii] 45 CFR 164.312(d).

[xix] 45 CFR 164.312(e).
