
The Importance of Regular Security Risk Assessments for Healthcare Organizations

July 16, 2025

In long-term care, we do risk assessments all the time—for falls, nutrition, infections. But how often do we check the risks hiding in our tech systems?

Security risk assessments (SRAs) are more than a HIPAA checkbox. They're a cornerstone of your facility's broader risk management program. Like any good clinical program, an SRA program starts with policy and ends with action.

The policy defines who is responsible for assessing cybersecurity risks, how often reviews happen, and how findings are documented and addressed. From there, the assessment process should include:

- A checklist of technical, physical, and administrative controls
- A review of system access and password policies
- Identification of outdated software and hardware
- Tests of backup systems and security alerts

Once you identify gaps, you can build a POAM—a Plan of Action and Milestones. It's a roadmap to remediation, with timelines and responsible parties noted. It shows regulators (and your board) that you're not just spotting issues—you're resolving them.

HIPAA requires regular SRAs. According to Healthcare IT Today, 58% of healthcare data breaches occur due to gaps that would have been identified in a current assessment.

A Columbus-based assisted living facility does quarterly SRAs with their MSP. In one recent review, they found:

- A network printer with admin access still enabled
- An unused vendor login that hadn't been disabled
- An expired SSL certificate on their medication system

All of these issues were resolved within a day—none caused harm. But any one of them could have.

"The first step in solving any problem is recognizing there is one." - David Rendall

Another facility nearby skipped their 2023 SRA due to turnover. They later suffered a phishing attack that accessed billing records. Because an old vendor login had never been removed, the attacker walked right in. The fallout included breach reporting, a CMS survey, and two staff resignations.

"Small leaks sink big ships." - Jim Collins

A risk assessment isn't just a report—it's a living document that supports every compliance program you run. Done right, it gives your team a shared understanding of what needs to be fixed—and how to get there.

When was your last risk assessment? And did it lead to real change?

Learn more about Affiliated's healthcare-specific IT Support and Services in Columbus and the Central Ohio areas by clicking here.