Cyber threats to healthcare settings, and aging services providers in particular, are an ever-present concern for LeadingAge members. Ensuring their organizations can fend off potential attackers, keep data protected, and maintain cybersecurity resiliency is critical. How best to do that?
Preparation, education, and a commitment to continuous improvement, say experts Jennifer Griveas and Michael Gray. Both are leaders at Eliza Jennings Senior Care Network and served as hosts of “Healthcare Cybersecurity: Strategies to Protect Your Organization,” a LeadingAge 2025 Annual Meeting session.
Ransomware, phishing, and credential theft are among the common challenges for senior care providers. “If we’re not aware of those risks, and our staff don’t know what those risks are, we can’t really defend against them,” says Gray, vice president of information technology and chief compliance officer.
Step one, says his colleague Griveas, vice president and chief legal officer: a Health Insurance Portability and Accountability Act (HIPAA) Security Rule risk analysis.
The HIPAA Security Rule risk analysis is, according to federal guidance from the U.S. Department of Health and Human Services (HHS), a systematic review of an organization’s information technology (IT) environment. The review identifies where electronic protected health information (e-PHI) is stored, what threats exist, and how those risks can be managed. It is not a one-time checklist, but an ongoing effort to catalog systems, assess your organization’s weak spots, and put safeguards in place.
HIPAA Security Risk Assessment Tool Makes Analysis Easy
The HIPAA Security Risk Assessment (SRA) Tool helps healthcare organizations walk through the security risk assessment required under the HIPAA Security Rule. This free, downloadable resource was developed by the Office of the National Coordinator for Health Information Technology (ONC) in collaboration with the HHS Office for Civil Rights.
The tool uses a structured, question-based approach to guide organizations through evaluating how e-PHI is created, received, maintained, and transmitted. It prompts users to assess administrative, physical, and technical safeguards; identify potential threats and vulnerabilities; and document current security practices. Throughout the process, the tool applies risk-scoring logic to help organizations understand the relative level of risk in different areas.
For aging services providers, the SRA Tool can serve as a practical starting point for understanding cybersecurity posture, supporting internal discussions with leadership and IT partners, and documenting due diligence. While the tool does not guarantee HIPAA compliance or replace legal or professional advice, it can help organizations organize their thinking, prioritize risks, and maintain records that demonstrate a good-faith effort to address security requirements.
What’s On The Tool Landing Page:
Overview of the Security Risk Assessment Tool
- A brief explanation of what the tool is, who it’s for, and how it supports the HIPAA Security Rule risk assessment requirement.
Two versions of the tool
- A Windows desktop application that installs locally
- An Excel workbook version for broader system compatibility
User Guide
- A downloadable guide with step-by-step instructions, FAQs, and tips for using either version of the tool.
What’s new in the latest version
- Highlights of recent updates, including improvements to documentation, alignment with National Institute of Standards and Technology terminology, and enhanced reporting features.
Core features
- Guided, question-based assessment
- Coverage of threats, vulnerabilities, assets, and vendor considerations
- Built-in risk scoring
- Ability to save and print assessment reports
Important notes and disclaimers
- Clarifies that use of the tool does not ensure HIPAA compliance, does not replace legal or professional advice, and that information entered into the tool is not transmitted to HHS and remains local to the user’s system.
Additional LeadingAge CAST Resources
In addition to the above, LeadingAge Cybersecurity resources included in our CAST Safety Technology Online Selection Tool (a Cybersecurity White Paper, case studies, and a Benchmarking Questionnaire to help providers identify where they may be at risk) can also help. After reviewing the white paper to understand the planning and requirements identification process, you can use the online selection tool to learn which of the reviewed products might address your needs.
In addition to that tool, our LeadingAge Learning Hub has practical on-demand content to help members partner with their IT teams to strengthen cybersecurity preparedness and better arm their organizations to fend off threats.