
October Is For Cybersecurity Awareness Month: Essential HIPAA Security Risk Assessment



When considering healthcare cybersecurity best practices, HIPAA security risk assessments and HIPAA remediation plans are essential. With October being “Cybersecurity Awareness Month,” security education and planning should be at the top of the list for many healthcare businesses. 

Healthcare Cybersecurity Best Practices

In December 2018, the Department of Health and Human Services (HHS) released the Health Industry Cybersecurity Practices (HICP) guidance, developed under Section 405(d) of the Cybersecurity Act of 2015, to help healthcare organizations of all sizes improve their cybersecurity. The ten HICP practices are:

  1. Email protection systems: measures put in place to secure email communications. Email protection includes encryption, access controls, user authentication, and audit logs.
  2. Endpoint protection systems: measures put in place to secure the devices (workstations, laptops, mobile devices, tablets) that connect to the network and handle patient data. Examples of endpoint protection include password and screen-lock protection, full-disk encryption, and antivirus or endpoint detection software that is kept current.
  3. Access management: measures put in place to limit access to sensitive information. To implement access management, an organization must:
    • Give users unique login credentials
    • Restrict users from sharing their login with others
    • Enforce the use of secure passwords
    • Monitor logon and logoff activity
  4. Data protection and loss prevention: measures to classify and protect PHI, keep it from leaving the organization through uncontrolled channels, and preserve it in case of a breach, ransomware, or natural disaster. The HIPAA Security Rule requires a data backup plan that creates and maintains retrievable exact copies of electronic PHI; store those copies separately from production systems (offsite or in a separately secured cloud account) so that a single incident cannot destroy both, and test restores periodically.
  5. Asset management: an inventory list of devices used to track and maintain devices with access to patient information. The inventory list should include the device name, employee(s) name(s) that use the device, and the age of the device. Including the device age will facilitate business operations as it ensures that outdated systems, no longer supported with updates, are replaced.
  6. Network management: measures put in place to keep the network itself secure. Examples of network management include firewalls, network segmentation that isolates clinical systems and medical devices from general office traffic, and encrypted (WPA2 or better) wireless with strong credentials.
  7. Vulnerability management: measures to address known vulnerabilities to patient information (vulnerabilities to patient data are identified by completing a security risk assessment). Examples of vulnerability management include network scanning, firewall logging, and penetration testing.
  8. Incident response: a system for detecting, responding to, and reporting breaches. Under the HIPAA Breach Notification Rule, affected individuals must be notified without unreasonable delay and no later than 60 days after the breach is discovered, whatever its size. Breaches affecting 500 or more individuals must also be reported to the HHS Office for Civil Rights (OCR) within that same 60-day window and, when more than 500 residents of a state or jurisdiction are affected, to prominent media outlets serving that area. Breaches affecting fewer than 500 individuals are logged and reported to OCR within 60 days after the end of the calendar year in which they were discovered. To prevent recurrence, organizations must develop corrective action plans that address the gaps in security measures that allowed the breach to occur.
  9. Medical device security: measures to secure medical devices that connect to the Internet. Many medical devices connect to healthcare networks, posing a cybersecurity risk. It is important to keep devices secure by installing software updates as they become available.
  10. Cybersecurity policies: written guidelines that tell the workforce how the security measures above are implemented and enforced to protect patient information. The HICP guidance as a whole states three goals:
    • Minimize cybersecurity risks for healthcare organizations in a cost-effective manner
    • Promote the voluntary adoption of the practices recommended under Section 405(d) of the Cybersecurity Act of 2015
    • Provide relevant, practical, and easy-to-follow cybersecurity advice for healthcare organizations of varying sizes
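The access-management practice above calls for unique credentials, no credential sharing, and monitoring of logon and logoff activity. The following is an added example, not part of the HHS guidance or the original article, showing how those logs can actually be used: it reads constructed logon/logoff records and flags any account that is logged on at two different workstations at the same time, which is the usual fingerprint of a shared login. The log format, user names, and host names are assumptions for illustration.

```python
"""Detect shared credentials from logon/logoff activity.

Added example (not from the HHS HICP guidance or the original page). A user
account with overlapping interactive sessions on two different workstations
is a strong sign that the credentials are being shared, which HIPAA access
management forbids. Log lines below are constructed for illustration; the
format is "timestamp,event,user,host".
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log (assumed format, not a real system's output).
SAMPLE_LOG = """\
2023-10-02T08:01:00,LOGON,jsmith,WS-RECEPTION
2023-10-02T08:03:00,LOGON,jsmith,WS-EXAMROOM2
2023-10-02T08:45:00,LOGOFF,jsmith,WS-RECEPTION
2023-10-02T09:00:00,LOGON,mlee,WS-BILLING
2023-10-02T09:30:00,LOGOFF,jsmith,WS-EXAMROOM2
2023-10-02T12:00:00,LOGOFF,mlee,WS-BILLING
2023-10-02T12:05:00,LOGON,mlee,WS-EXAMROOM1
2023-10-02T17:00:00,LOGOFF,mlee,WS-EXAMROOM1
"""


def parse_events(text):
    """Parse CSV-style log lines into (timestamp, event, user, host) tuples,
    sorted by time so that overlap detection sees events in order."""
    events = []
    for line in text.strip().splitlines():
        ts, event, user, host = line.split(",")
        events.append((datetime.fromisoformat(ts), event.strip(), user.strip(), host.strip()))
    events.sort(key=lambda e: e[0])
    return events


def find_shared_accounts(events):
    """Return a list of (user, existing_host, new_host, logon_time) for every
    LOGON that happens while the same user still has an open session on a
    different host. A LOGOFF closes the session for that user/host pair."""
    active = defaultdict(dict)  # user -> {host: logon_time of open session}
    findings = []
    for ts, event, user, host in events:
        if event == "LOGON":
            for other_host in active[user]:
                if other_host != host:
                    findings.append((user, other_host, host, ts))
            active[user][host] = ts
        elif event == "LOGOFF":
            active[user].pop(host, None)
    return findings


def stale_sessions(events):
    """Return {user: {host: logon_time}} for sessions never logged off,
    which is worth reviewing alongside sharing findings."""
    active = defaultdict(dict)
    for ts, event, user, host in events:
        if event == "LOGON":
            active[user][host] = ts
        elif event == "LOGOFF":
            active[user].pop(host, None)
    return {u: h for u, h in active.items() if h}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for user, host_a, host_b, when in find_shared_accounts(evs):
        print(f"{when.isoformat()} {user}: logged on at {host_b} while still active on {host_a}")
    print("sessions still open:", stale_sessions(evs))
```

In the constructed sample, jsmith logs on at WS-EXAMROOM2 while the WS-RECEPTION session is still open, so that account is flagged; mlee logs off the billing workstation before moving to the exam room and is not. Feed the same logic the workstation's security log export, or the EHR's audit trail, and review findings as part of the SRA's "assess current security measures" step.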

Each healthcare cybersecurity best practice listed above addresses areas where sufficient security measures are often lacking. To ensure that protected health information (PHI) is secure, it is essential to implement measures to address each vulnerable area.

HIPAA Security Risk Assessment and Remediation Plans

The HHS recommended cybersecurity best practices also tie into the HIPAA Security Rule's requirement to conduct a security risk assessment (SRA). An SRA aims to improve healthcare cybersecurity by identifying security gaps: you review your current security measures against the HIPAA standards and document where the confidentiality, integrity, and availability of PHI are at risk.

The Security Rule requires every covered entity and business associate, behavioral health providers included, to perform this risk analysis and keep it current. In practice that means an annual SRA, plus an update whenever systems, vendors, or workflows change materially.

Following OCR's guidance on risk analysis, a security risk assessment includes six elements:

  • Collecting Data
  • Identifying and Documenting Potential Threats and Vulnerabilities
  • Assessing Current Security Measures
  • Determining the Likelihood of Threat Occurrence
  • Determining the Potential Impact of Threat Occurrence
  • Determining the Level of Risk

HIPAA also requires healthcare organizations to act on the findings from their SRA through risk management, which in practice means a written remediation plan. A HIPAA remediation plan states, for each identified deficiency, what will be done, who owns it, and the timeline for completing it, with the highest-risk items addressed first. Organizations that fail to create remediation plans remain exposed to healthcare breaches, and a missing or incomplete risk analysis is one of the findings OCR cites most often in its enforcement actions.
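The last three SRA elements (likelihood, impact, level of risk) and the remediation plan that follows are usually worked on paper or in a spreadsheet. The following is an added example, not from the article or from any HHS or OCR tool, that carries the same steps through in code: a 3x3 likelihood-by-impact matrix assigns each finding a risk level, and the findings are turned into a remediation plan ordered by risk with a due date per level. The matrix thresholds, the due-date windows, and the sample findings are assumptions for illustration; an organization should substitute its own scale and timelines.

```python
"""Turn SRA findings into a risk-ranked remediation plan.

Added example (not from the original page or any HHS/OCR tooling). The
likelihood/impact scale, the risk matrix thresholds, the per-level deadlines
and the sample findings are all assumptions chosen for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta

LEVELS = ("Low", "Medium", "High")  # used for both likelihood and impact


@dataclass
class Finding:
    """One row of the SRA: a threat, the vulnerability it could exploit,
    the safeguards already in place, and the assessed likelihood/impact."""
    threat: str
    vulnerability: str
    current_measures: str
    likelihood: str
    impact: str


def risk_level(likelihood, impact):
    """3x3 risk matrix: score = likelihood (1-3) x impact (1-3).
    Assumed thresholds: 1-2 Low, 3-4 Medium, 6-9 High."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"likelihood/impact must be one of {LEVELS}")
    score = (LEVELS.index(likelihood) + 1) * (LEVELS.index(impact) + 1)
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


# Assumed remediation windows per risk level (days from plan start).
DEADLINE_DAYS = {"High": 30, "Medium": 90, "Low": 180}


def remediation_plan(findings, start):
    """Build the remediation plan: one entry per finding, highest risk first,
    each with a due date derived from its risk level."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    plan = []
    for f in findings:
        level = risk_level(f.likelihood, f.impact)
        plan.append({
            "threat": f.threat,
            "vulnerability": f.vulnerability,
            "current_measures": f.current_measures,
            "risk": level,
            "due": start + timedelta(days=DEADLINE_DAYS[level]),
        })
    plan.sort(key=lambda p: order[p["risk"]])
    return plan


# Constructed sample findings for illustration.
SAMPLE_FINDINGS = [
    Finding("Ransomware via phishing", "No MFA on email", "Spam filter only", "High", "High"),
    Finding("Lost laptop", "Disk not encrypted", "Screen lock", "Medium", "High"),
    Finding("Shared front-desk login", "Non-unique credentials", "None", "High", "Medium"),
    Finding("Backup tape theft", "Tapes stored onsite unencrypted", "Locked cabinet", "Low", "Medium"),
]


if __name__ == "__main__":
    for item in remediation_plan(SAMPLE_FINDINGS, date(2023, 10, 1)):
        print(f"{item['risk']:<6} due {item['due']}  {item['threat']}: {item['vulnerability']}")
```

The plan output is the artifact the Security Rule's risk management standard expects: each deficiency, its risk level, and a dated commitment to fix it. Keep the SRA findings and the plan together, and re-run the scoring whenever a safeguard is added so the plan reflects residual rather than original risk.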

Find out more about completing your annual HIPAA security risk assessment here.

Contributed by Compliancy Group

Need assistance with HIPAA compliance? Compliancy Group can help! They help you achieve HIPAA compliance with Compliance Coaches® guiding you through the entire process. Find out more about the HIPAA Seal of Compliance® and Compliancy Group. Get HIPAA compliant today!

