Don’t Try This at Work: Security Risk Analysis Is Not a Do-It-Yourself Project
By Sean Price, Texas Medicine, July 2019


For one Dallas pulmonologist, getting a risk analysis of his practice’s cyber security was like going to the doctor and finding out you’re sicker than you feel.

“It was eye-opening for us to see how many deficiencies we had, some more serious than others,” said the physician, who asked to remain anonymous.

The practice’s manager also thought she was handling cyber security pretty well. But the analysis she got with help from the Texas Medical Association’s practice consulting experts showed staff were counting too much on word of mouth to pass along vital information.

“It needed to be written down in a policies and procedures format,” she said.

Medicare’s Merit-Based Incentive Payment System (MIPS) requires practices to conduct a security risk analysis at least once a year. HIPAA requires at least one analysis, and annual check-ups are considered a best practice.

Many physicians find out through these reports that their practices have a lot of work to do to keep patient records safe, says Juliana Stanley, a TMA practice management consultant who specializes in security risk analysis.

Physicians are largely on an honor system to comply. But the stakes are high for patient privacy, and a security risk analysis is not a simple do-it-yourself project. (See “TMA Can Help With Your Security Risk Analysis,” page 39.)


The U.S. Department of Health and Human Services Office for Civil Rights, which enforces compliance, usually finds out about a missing risk analysis in one of three ways: the agency audits a practice, a patient files a privacy complaint against a practice, or a practice reports a cyber security breach, Ms. Stanley says.

Federal regulators tend to be understanding about the security capabilities of small and medium-size medical practices, says Cathy Bryant. She specializes in security risk for Texas Medical Liability Trust (TMLT), which provides cyber liability coverage. Regulators don’t expect Fort Knox-level security, but they do expect to see consistent efforts toward solving security problems, and that includes conducting an annual security risk analysis.

“It’s required,” she said. “And someday, the federal government is probably going to ask for the risk analysis, and [those who haven’t done one yet] aren’t going to have an answer for it.”

Serious about security

When it comes to these analyses, physicians tend to make one of two mistakes, says Shawn Tuma, a Plano lawyer who concentrates on cyber security issues at medical practices. They either ignore it altogether as an unnecessary hassle, or assume that their IT staff has taken care of it. Both approaches can lead to stolen, kidnapped, or corrupted data thanks to threats like phishing and ransomware.

“I have four cases on my desk right now where [medical practices] can’t get their records,” he said. “And I’ve had 20 to 30 in the last 12 months where they couldn’t get records back.”

Many physicians also assume that their practice is too small to be worth a hacker’s time, but all medical practices are potential targets, says John Southrey, TMLT director of product development and consulting services. (See “Are You Insured Against Cyber Attacks?” page 40.)

“It’s folly to think your computer system will never get hacked,” he said. “You have to assume [that hackers] are in your system already.”

HIPAA covers all types of patient privacy. But a security risk analysis zeroes in on one type of potential privacy breach — those tied to computers. Ms. Bryant says each analysis must cover three main areas:

  • Administrative rules: This includes writing out policies or job descriptions for staff and others who are instrumental in cyber security.
  • Physical safeguards: This is the physical security of the building. If everyone uses laptops in an office, can a stranger easily steal one?
  • Technical safeguards: This covers encryption, backups, and other security measures for all devices used by a practice.

Each of these areas poses security pitfalls, Ms. Bryant says. While many practices have excellent standards for protection, others show a surprisingly blasé attitude.

“We see practices that went to an electronic health record (EHR) in 2010, and there are employees who still have never changed their passwords to that EHR,” she said. “What you would consider the most basic measures for cyber security are not even being followed.”

Medical practices also should have backups of their computer files, but many don’t.

“It was not there because they were not [creating a backup], or because the backup wasn’t working because [IT personnel] had never tested them,” she said.

In most cases, though, security lapses occur at practices that simply find it difficult to keep up with the constant changes in electronics and software. Vital computer programs go for months or years without regular updates or patches. Or WiFi networks fail to get the newest security protection.

“There are known vulnerabilities, and the cyber criminals know those vulnerabilities,” Ms. Bryant said. “So they’re going to be searching for networks that have the wrong kind of encryption on their WiFi.”

Finding the flaws

A security risk analysis can identify these and other problems. Some practices try to handle the analysis on their own. But wading through the relevant U.S. government forms can be time-consuming for nonexperts, says Ms. Stanley, the TMA practice management consultant.

“For instance, if they go online and try to find out what a security officer [for a practice] has to do, they’re going to find a daunting document that’s in legalese written by the government. They really need someone with a little more knowledge, maybe a little more scope to be able to identify the differences in those questions.”

The Dallas pulmonologist has a background in cyber security, and even he found it hard to understand what was called for in a security risk analysis.

“I was a programmer and a systems administrator for a long time, and so I managed networks and servers and information security systems for a while,” he said. “Even with that background, the regulations and rules were not something I was always up to date with.”

TMA’s security risk analysis service works with Third Rock Inc. The company’s CyberCompass software translates the government requirements into layman’s terms, doing most of the heavy lifting for the analysis.

“You don’t have to know HIPAA inside and out,” said Third Rock CEO Robert Felps. “The tool has all that built in to speed that up for you.”

The software walks a physician or staff member through about 160 questions designed to determine the practice’s level of cyber security.

“We downloaded the software and [TMA’s Ms. Stanley] actually came on site,” said the office manager at the Dallas pulmonology practice. “And then we went through every single question on that software together. We showed her what we had, and she showed us what we should have and helped us through the process.”

After that two-hour meeting was over, the Dallas practice received a report spelling out 69 items to address. It also identified top priorities and those items that could be done over time. Having gone through the process once, the office manager at the Dallas pulmonology practice feels confident she now can use the software without TMA’s help for next year’s security risk analysis.

Some practices choose to partly or completely ignore the results of their analysis, Ms. Stanley says. While that’s not the best course of action, just having one done is a huge mark in favor of any practice that draws the eye of federal inspectors.

Other practices, like the Dallas pulmonology practice, gradually work through the deficiencies outlined in their report. The office manager says it will take the practice about a year to address all of them. Many were simple administrative tasks. For instance, the practice did not have an inventory of its computers and devices listed by serial number.

The security threats most practices face start as small-bore break-ins, not sophisticated hacking schemes, Mr. Tuma, the Plano lawyer, says. For instance, employees who don’t get regular reminders about phishing emails inevitably click on the wrong link and expose the practice’s system.

“The reality is that 90 percent of the breaches that happen each year come from very simple, easy-to-solve problems,” he said. “They’re not big-ticket items. They’re learning basic hygiene. That’s where your risk analysis is most valuable.”


Tex Med. 2019;115(7):38-40 

Last updated on: August 02, 2019

Originally published on: June 26, 2019


Sean Price, (512) 370-1392

Sean Price is a reporter for Texas Medicine and Texas Medicine Today. He grew up in Fort Worth and graduated from the University of Texas at Austin. He's worked as an award-winning writer and editor for a variety of national magazine, book, and website publishers in New York and Washington. He's also helped produce Texas-based marketing campaigns designed to promote public health. Sean lives in Austin and enjoys hiking, photography, and spending time with his wife and two sons.
