Protect Your Practice with a Security Risk Analysis

In a world facing daily cyberattacks and security vulnerabilities, do you know how secure your practice is?

The scary fact is that many practices don’t know if they have the correct safeguards in place, or they’ve chosen to wash their hands of cybersecurity responsibility and put the onus on the shoulders of their IT partner. Having a strong information security posture requires a full, 360-degree view of the organization, and often, that extends beyond the scope of an external IT partner.

A deep dive into your security infrastructure

If you don’t already do so, consider conducting a comprehensive annual security risk analysis (SRA) for your practice. Whether you manage this process internally or work with an external partner to conduct the security risk analysis, it’s critical to look at all aspects of your security. An SRA should include a comprehensive inventory of information security risks across all areas of your organization, including evaluating your practice’s administrative, physical and technical controls.

Protect your practice from compliance risks

A complete and comprehensive security risk analysis protects your organization from increased scrutiny by ONC/OCR over SRA attestations. Organizations that fail attestation face reduced Medicare reimbursement and reduced incentives under the Merit-Based Incentive Programs (MIPS). Don’t get complacent; ONC/OCR is cracking down hard on groups that choose not to conduct regular security risk analyses. When you conduct a comprehensive SRA, you satisfy the Security Risk Analysis measure in the ACI portion of the MIPS program.


Editor’s note

Interested in a security risk analysis for your practice? Netgain’s SRA now includes FISASCORE™. It’s like your credit score, except it scores the strength of your security infrastructure. Each Netgain SRA includes:

  • A measured scorecard
  • An easy-to-understand executive summary
  • A detailed technical report
  • Recommendations to achieve a “best practice” or “acceptable” level of risk
  • A comprehensive action plan
  • Comparisons to industry averages

Contact our solutions team for more info: or 877.797.4700 x3.


Address gaps in security that can expose you to real threats

ONC/OCR’s increased scrutiny on practices that fail to attest isn’t meant to add another regulatory roadblock. It’s meant to force practices to prioritize their security posture to keep their patients’ data safe from the ever-increasing risk of cyberattacks. An SRA will review the risk of a breach of patient record confidentiality and audit a practice’s preparedness for malware-based data hostage (ransomware) scenarios. It will also assess how a virus or malware attack affects system availability and consider the risks posed by malicious insiders or hostile employees.

Insight without remediation is dangerous

When your SRA is complete, you should walk away with a full analysis of which areas of your practice are secure and which specific areas require remediation to patch vulnerabilities. So, while completing an SRA will keep you compliant with ONC/OCR, it will only identify risks. The important next step is to create an action plan based on these results. What processes will you improve? What policies will you create? What changes will you make to your technical infrastructure and partnerships? This critical thinking step is key.

With an action plan in hand, now it’s time to act. Find low-hanging fruit that you can address immediately and quickly correct. Then, begin the initial steps of fixing more complex vulnerabilities. After you’ve made all recommended changes, consider conducting a follow-up SRA to make sure your security posture has strengthened and there aren’t any outstanding vulnerabilities.

Do you currently conduct SRAs? Did you uncover (and address) any hidden security risks that you weren’t previously aware of? Have you intentionally chosen to not conduct an SRA? Start a chat with us.