Data breaches across the healthcare industry, including senior living communities that provide healthcare services or manage sensitive resident data, stand as a serious threat to providers and systems. The past few years have highlighted the increased cybersecurity challenges facing the industry.
Small- to mid-size providers with limited cybersecurity infrastructure are at greater risk, as are those that work with vendors and partners, such as cloud storage providers and billing firms.
The consequences of these attacks can be devastating, with compromised Protected Health Information (PHI), Personally Identifiable Information (PII), financial and billing data, resident records, and imaging, as well as long-term reputation damage. Taking precautions against these attacks has become more challenging as ransomware attacks become more sophisticated, targeting backup systems and exploiting vulnerabilities in third-party vendors.
HIPAA-covered senior living providers and their third-party vendors are required to conduct regular risk analyses, including a Security Risk Assessment (SRA), a crucial step in evaluating and strengthening security practices. Even senior living organizations that are not HIPAA-covered benefit from conducting SRAs as a best practice to protect resident information and reduce regulatory and reputational risk. An SRA is one step of a larger comprehensive risk management strategy, but it lays the foundation of a strong system by identifying existing and potential vulnerabilities.
What is a Security Risk Assessment?
To support HIPAA-covered healthcare organizations, including many senior living providers, the Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) co-created a HIPAA Security Risk Assessment tool aimed specifically at small and medium-sized organizations.
An SRA allows providers and their third-party vendors to identify areas of risk in their systems. These assessments also help providers prepare for cyberattacks and integrate those plans into a broader risk management framework.
Typically, SRAs include components such as:
· Assessment of how all electronic protected health information (ePHI) is stored.
· Identification of where ePHI is stored, received, maintained, or transmitted.
· Documentation of any anticipated threats to ePHI that are unique to the entity.
· Evaluation of current security measures, whether in-house or with a third-party provider.
· Detailed consideration of the consequences if a data breach occurs.
· Identification of risk levels for the threats the entity has identified during the SRA.
· Documentation of the steps of the SRA.
· Determination of a process for reviewing and updating the entity’s risk assessment.
These assessments are considered best practice and are also recognized by the Office of Inspector General (OIG) as a critical component of an effective compliance program for healthcare entities. It is essential that senior living organizations conduct SRAs and do them well, which for a larger organization will likely include working with a third-party consultant. For smaller and mid-size organizations, these may be conducted internally, which is why understanding the OCR’s requirements, including the expected approach and timing, is important.
HIPAA-Covered Providers Are Subject to Audits and Enforcement Actions
HIPAA-covered senior living providers are subject to audits and enforcement actions by HHS Office for Civil Rights (OCR). These organizations are responsible for safeguarding the confidentiality, integrity, and availability of electronic protected health information (ePHI) and for identifying and mitigating potential security threats.
There is some flexibility in how organizations implement security measures, depending on their size, complexity, technical infrastructure, and the cost of those measures. Still, every organization is required to take reasonable and appropriate measures to protect ePHI and to document the safeguards it has put in place.
Practical Ways to Use the Security Risk Assessment Tool
The OIG strongly encourages healthcare organizations, including senior living providers that operate as HIPAA-covered entities, to conduct SRAs as part of a complete compliance and security program. Regular, thorough risk assessments demonstrate that an organization has a strong compliance program, and failing to conduct them indicates willful neglect.
For small and medium-sized organizations, the ONC and the HHS OCR created an SRA tool to help healthcare entities conduct the assessment. The tool runs as a desktop application and walks the user through the SRA in a self-guided approach, providing references throughout and a report upon completion.
For larger entities, hiring a third-party Information Technology (IT) consultant is often necessary.
How Tabletop Exercises Can Help
One way for a senior living organization to test its HIPAA security plan is to conduct a periodic tabletop exercise. A tabletop exercise is a simulated scenario in which team members talk through their roles and responsibilities during a cyber incident.
Benefits of a tabletop exercise include:
· Testing the organization’s response plan in a low-stakes environment.
· Clarifying roles and responsibilities among clinical, IT, administrative, and compliance teams.
· Identifying delays or bottlenecks in emergency workflows.
· Reinforcing communication plans internally and with families, regulators, and vendors.
Tabletop exercises should include scenarios such as ransomware attacks and vendor-related outages. After each session, your team should debrief and update your response plans accordingly.
The Cybersecurity and Infrastructure Security Agency provides free customizable resources to organizations looking to conduct these types of exercises: https://www.cisa.gov/resources-tools/services/cisa-tabletop-exercise-packages
What Happens if You Don’t Take SRAs Seriously
In 2024 and 2025, OCR focused its enforcement actions related to ransomware incidents on HIPAA-covered organizations, particularly on whether they had conducted a compliant risk analysis. Repercussions for failing to conduct a robust risk analysis include civil money penalties and settlements. While OCR recognizes its role in educating HIPAA-regulated entities about what constitutes a compliant process, it stated at its October 2024 cybersecurity conference that it will not consider a checklist or one-size-fits-all form of assessment compliant. It also noted during the conference that its own security risk assessment template is just a starting point and is not sufficient on its own.
Conducting SRAs is no longer considered just best practice. This foundational step in building a strong HIPAA compliance program ensures your organization can mitigate potential vulnerabilities through a proactive approach. While not all senior living communities are subject to HIPAA, many handle sensitive resident health and personal information. Conducting an SRA is best practice across senior living to support resident trust, operational finesse, and the ability to respond effectively to cybersecurity threats.
If your organization is attempting to complete this assessment in-house, make sure it has the expertise and resources to do it well, to prevent a breach or enforcement action. Organizations that lack internal subject matter experts should strongly consider working with a qualified third-party consultant.
Sources:
https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html
https://www.ecfr.gov/current/title-45/subtitle-A/subchapter-C/part-164/subpart-C/section-164.306
https://www.healthit.gov/topic/privacy-security-and-hipaa/security-risk-assessment-tool

Angele Tran
Angele Tran, OTR/L, CHC, CAPS, is a compliance manager at AQORD Compliance Collaborative in Blue Bell, Pennsylvania. She is a licensed occupational therapist in Pennsylvania.