Building a Culture of Health IT Privacy and Security

Aja Williams; Julia Chua and Kathryn Marchesini | October 23, 2014

Cybersecurity is a shared responsibility. You’ve probably heard this many times during National Cybersecurity Awareness Month, as well as throughout the year. It’s an important principle — one that we at ONC firmly believe in.

Cybersecurity can only be achieved in a culture where privacy and security are valued. All of us have a role to play in creating such a culture. We at ONC focus on helping our stakeholders, specifically health care providers in small practices, discover how to promote and adopt a culture of privacy and security.

There are three things that can help small provider practices in particular build a privacy and security culture:

  1. ONC Educational Resources
  2. Risk Assessments
  3. National Institute of Standards and Technology (NIST) Cybersecurity Framework

ONC Educational Resources

ONC has designed a variety of easy-to-use tools and educational resources specifically for small practice settings. These materials include:

We also collaborate with the HHS Office for Civil Rights (OCR) — the office that enforces the Health Insurance Portability and Accountability Act (HIPAA) Security Rule — to develop educational resources. These tools help providers better understand and apply effective security to their Electronic Health Records (EHRs) and to their policies, processes, and procedures.

The most recent result of our collaboration is the Security Risk Assessment (SRA) Tool (beta), released in March 2014 and downloaded nearly 40,000 times. The tool guides providers and their office staff through the HIPAA Security Rule standards and helps them document their risk mitigation strategies in a thorough, organized fashion.

More ONC educational resources and materials are available at

Risk Assessments

Conducting a risk assessment is also an important way for a care facility to support a culture of privacy and security. Under HIPAA, a risk assessment is a thorough review and analysis of how a covered entity goes about protecting and securing electronic protected health information (PHI). Risk assessments also include documenting how the organization will mitigate and address risks.

Covered entities are required to perform a risk assessment as part of the HIPAA Security Rule requirements. By conducting a risk assessment, providers can uncover technical, physical, and administrative vulnerabilities in their security policies, processes, and systems. When providers address these issues, they can potentially prevent data breaches or other adverse security events.

Small practices conduct risk assessments primarily to stay HIPAA-compliant or to qualify for Meaningful Use incentive payments. Really, these results are just bonuses. The main goal or “prize” of a risk assessment is having secure PHI and an awareness of the practice’s overall security posture – making sure that patient information is safe and secure from prying eyes.

Visit to learn more about Risk Assessment and to use ONC’s free SRA Tool.

NIST Cybersecurity Framework

The National Institute of Standards and Technology (NIST) has developed a Cybersecurity Framework that offers a set of standards, best practices, and methods for addressing cyber risk. Its risk management approach aligns with the HIPAA risk assessment.

The Framework provides a starting point for health care providers to think about the cyber risks relevant to their specific situation. Providers do not need to apply every security measure or control in the Framework; which controls to adopt should be decided based on the risks they actually face.

ONC, NIST and OCR are working closely to develop additional resources to help providers and their offices better understand how the Framework connects with HIPAA Security Rule requirements. ONC is committed to promoting the use of the Framework and emphasizing the relevance of cybersecurity risk to the healthcare environment.

Viewing educational resources, conducting risk assessments, and adopting the Cybersecurity Framework are about more than gaining HIPAA compliance or Meaningful Use incentives. The end goal is a growing culture of privacy and security, where PHI is protected and secure and cybersecurity is realized. If providers have this mindset, we are headed in a secure direction.

Visit for more information.