Cyber Security Risk Assessment Checklist for HIPAA-Covered Entities

This cyber security risk assessment checklist for HIPAA-covered entities helps you identify, prioritize, and treat risks that could compromise Electronic Protected Health Information (e-PHI). Use it to structure your program, document decisions, and demonstrate due diligence to leadership and auditors.

Risk Analysis Procedures

Scope and inventory

Start by defining the full scope of environments that create, receive, maintain, or transmit e-PHI. Build an asset inventory covering EHRs, billing systems, endpoints, servers, cloud services, medical devices, messaging tools, and backup platforms, including Business Associates that touch e-PHI.

• Map e-PHI data flows end to end, including ingestion, processing, storage, transmission, and disposal.
• Classify data sensitivity and identify where e-PHI co-mingles with other datasets.
• Note owners, locations, configurations, and dependencies for each asset.

Threats and vulnerabilities

Identify technical, administrative, and physical threats, along with exploitable weaknesses. Consider phishing, ransomware, misconfigurations, unpatched systems, weak authentication, unauthorized access, insider misuse, third-party failures, and environmental events.

• Review recent incidents and near-misses to reveal control gaps.
• Evaluate vendor risks linked to Business Associate Agreements and inherited controls.
• Assess processes such as provisioning, change management, and backup integrity.

Likelihood, impact, and risk rating

For each threat–vulnerability pair, estimate likelihood and business/clinical impact (patient safety, financial, legal, reputational). Combine them into a risk rating (e.g., Low/Moderate/High) that drives priorities and timelines.

• Define clear criteria for scoring so results are consistent and repeatable.
• Document assumptions, evidence, and residual risk after existing controls.

Documentation and review cadence

Produce a written risk analysis report, risk register, and data-flow diagrams. Update the analysis at least annually and whenever significant changes occur, such as new systems, mergers, or major process shifts.

• Maintain decision logs showing accepted, mitigated, transferred, or avoided risks.
• Retain artifacts that support conclusions and help track remediation progress.

Checklist

• Defined scope includes all e-PHI systems, locations, and users.
• Complete asset inventory and e-PHI data-flow mapping.
• Threats and vulnerabilities identified across people, process, and technology.
• Standardized likelihood/impact model with documented risk ratings.
• Written report, risk register, and scheduled review cycle.

Risk Management Implementation

Risk treatment planning

Translate analysis into action with a time-bound plan. For each high and moderate risk, select a treatment: mitigate, accept with justification, transfer via contract/insurance, or avoid by discontinuing the risky activity.

Controls and Access Control Mechanisms

Implement layered safeguards aligned to the risks and the HIPAA Security Rule’s administrative, physical, and technical controls. Emphasize strong Access Control Mechanisms and minimum necessary access.

• Identity and access: unique IDs, role-based access, multi-factor authentication, session timeouts, emergency access procedures.
• Endpoint and servers: hardening, EDR, patching SLAs, disk encryption, device inventory and attestation.
• Network: segmentation, least-route exposure, firewall rules, intrusion detection/prevention.
• Transmission Security Protocols: encrypt e-PHI in transit using current, industry-standard protections (e.g., TLS 1.2+); secure email and secure messaging for e-PHI.

Contingency Planning

Prepare for outages, cyberattacks, and disasters so you can quickly restore e-PHI availability and integrity. Document backup strategies, disaster recovery, and emergency mode operations, and test them regularly.

• Define recovery time and recovery point objectives for critical systems.
• Perform restore tests and tabletop exercises, then address findings.

Third parties and Business Associate Agreements

Evaluate vendors that handle e-PHI. Ensure Business Associate Agreements define obligations for safeguards, breach notification, subcontractors, and termination. Verify controls rather than relying solely on attestations.

Change and configuration management

Control changes to reduce unintended risk. Use approved baselines, peer review, and automated configuration monitoring to catch drift that could expose e-PHI.

Metrics and accountability

Track remediation status, control coverage, patch timelines, training completion, phishing failure rates, and incident mean-time-to-detect/respond. Report progress to leadership until risks are reduced to acceptable levels.

Checklist

• Documented risk treatment plan with owners, dates, and milestones.
• Access Control Mechanisms and encryption aligned to risk levels.
• Contingency Planning implemented and tested with evidence retained.
• Business Associate Agreements reviewed; third-party controls verified.
• Change management, metrics, and executive reporting in place.

Sanction Policy Enforcement

Policy and expectations

Establish a written sanction policy that defines unacceptable behaviors and graduated consequences. Communicate expectations during onboarding and regular training so everyone understands the stakes.

Consistent, fair application

Apply sanctions uniformly across roles to reinforce accountability. Coordinate among compliance, HR, legal, and management to avoid bias and ensure due process.

Documentation and remediation

Record violations, decisions, and corrective actions within your Security Incident Tracking system. Pair sanctions with coaching, retraining, or process changes to prevent recurrence.

Examples to address

• Sharing credentials or bypassing Access Control Mechanisms.
• Unauthorized access to e-PHI (“snooping”).
• Failure to follow Transmission Security Protocols when sending e-PHI.

Checklist

• Published sanction policy aligned to HIPAA requirements.
• Escalation tiers with clear criteria and HR/legal involvement.
• Security Incident Tracking with evidence of consistent enforcement.
• Retraining and process fixes linked to each violation.

Information System Activity Review

Audit Logs coverage

Enable comprehensive Audit Logs across EHRs, databases, applications, endpoints, identity providers, and network devices. Log successful and failed access, administrative actions, changes to permissions, and e-PHI exports.

Monitoring and analysis

Aggregate logs for correlation and alerting. Use baselines and behavioral analytics to spot anomalous access, excessive downloads, off-hours activity, or logins from unusual locations.

Retention and integrity

Protect log integrity with restricted access, time synchronization, and tamper-evident storage. Retain logs per policy to support investigations and compliance reviews.

Security Incident Tracking and response

Define triage workflows, severity levels, and communication paths. Investigate alerts quickly, document findings, and close the loop with root-cause analysis and control improvements.

Checklist

• Audit Logs enabled for all systems handling or protecting e-PHI.
• Regular reviews with documented evidence and follow-up actions.
• Retention standards and tamper resistance implemented.
• Security Incident Tracking with metrics for detection and response.

Security Official Responsibilities

Designation and accountability

Designate a Security Official with authority and resources to run the security program. This person owns the risk analysis, risk management, policies, and incident response efforts.

Program leadership

• Maintain policy lifecycle and ensure workforce adherence.
• Oversee Business Associate Agreements and vendor risk management.
• Direct incident handling, breach assessment, and notifications as required.
• Champion Contingency Planning and periodic testing.

Reporting and governance

Provide regular briefings to executives on risk posture, key metrics, open issues, and resource needs. Align security objectives with clinical operations and business priorities.

Checklist

• Named Security Official with defined responsibilities and authority.
• Documented charters, policies, and governance cadence.
• Regular leadership reporting and issue escalation pathways.

Workforce Security Measures

Onboarding and clearance

Screen new hires as appropriate and assign access based on job duties. Require confidentiality agreements and baseline security training before granting system access.

Role-based access and ongoing validation

Use least-privilege roles, periodic access reviews, and just-in-time elevation. Enforce strong authentication and session controls through your Access Control Mechanisms.

Supervision and accountability

Monitor adherence to policies and provide channels to report concerns. Reinforce expected behaviors with positive recognition and timely feedback when issues occur.

Termination and role change

Upon separation or transfer, promptly revoke access, recover devices, and update group memberships. Document each step to ensure no lingering exposure to e-PHI.

Remote work and BYOD

Allow only managed or compliant devices to access e-PHI. Require device encryption, screen locks, up-to-date patches, and Transmission Security Protocols when connecting remotely.

Checklist

• Defined workforce clearance, authorization, and supervision procedures.
• Periodic access reviews and rapid termination workflows.
• Controls for remote work and BYOD with enforced encryption.
• Training and acknowledgment records retained.

Security Awareness and Training Programs

Program design

Develop a role-based curriculum that covers e-PHI handling, phishing defense, password hygiene, secure use of cloud tools, mobile security, and incident reporting. Update content as threats and technologies evolve.

Delivery and reinforcement

Combine onboarding modules, annual refreshers, microlearning, and just-in-time tips. Use realistic scenarios to help staff apply policies, including Transmission Security Protocols and Contingency Planning basics.

Exercises and simulations

Run phishing simulations and tabletop drills tied to your incident response plan. Share lesson learned and update procedures to strengthen resilience.

Measuring effectiveness

Track completion rates, quiz scores, phishing metrics, and incident reporting trends. Target extra coaching to higher-risk roles and teams.

Documentation

Keep training materials, attendance records, and proof of comprehension. Link training outcomes to sanctions or recognition programs to reinforce desired behaviors.

Conclusion

By following this cyber security risk assessment checklist for HIPAA-covered entities, you systematically analyze risk, implement controls, enforce policies, review activity, and build a vigilant workforce. Consistent execution and evidence-driven improvements protect e-PHI and sustain compliance over time.

FAQs.

What is the purpose of a cyber security risk assessment under HIPAA?

The purpose is to identify where e-PHI could be exposed, estimate the likelihood and impact of those exposures, and determine appropriate safeguards. A documented assessment prioritizes remediation, informs executive decisions, and provides evidence that you are meeting HIPAA’s risk-based security requirements.

How often should risk assessments be conducted for HIPAA compliance?

Perform a comprehensive assessment at least annually and whenever significant changes occur—such as deploying new systems, engaging new Business Associates, shifting to new workflows, or after notable incidents. Interim, targeted reviews keep the risk picture current between full assessments.

What are the key components of an effective risk management plan?

Core components include a risk register with owners and timelines, Access Control Mechanisms, encryption and Transmission Security Protocols, Contingency Planning with tested backups and recovery, vendor oversight with Business Associate Agreements, change management, training, and metrics that track remediation progress and residual risk.

How do sanction policies support HIPAA security requirements?

Sanction policies deter risky behavior and reinforce accountability. When violations are handled consistently, documented in Security Incident Tracking, and paired with corrective training or process fixes, the workforce clearly understands expectations—strengthening overall compliance and reducing the chance of repeat issues.