The False Sense of Completion

Completing a HIPAA Security Risk Assessment (SRA) is required. Full stop. But too many practices treat the SRA like their annual holiday shopping – something to be done once a year. You may have completed yours in the last 6-8 weeks. However, the environment has already changed. New users have been added, devices move on and off the network, staff create workarounds under pressure, phishing emails land in inboxes, and vendor access quietly persists without review. And yet leadership sleeps better because “we did our SRA.” That sense of relief, and the complacency that comes with it, is one of the most dangerous situations in healthcare security.

Diagnosis vs. Defense

The HIPAA SRA exists to identify risk, not to resolve it. It doesn’t fix anything, reduce exposure on its own, or protect patients. Its value only shows up after the assessment, when findings are translated into ownership, decisions, and an ongoing security program. Not only that: as we have pointed out in numerous other blogs, HIPAA is pretty ineffective at actually minimizing real-world risk. When practices confuse documentation with defense, they create a false sense of safety that lasts right up until a breach, audit, or incident forces reality back into focus. Security rarely fails because an SRA wasn’t completed; it fails because everything stopped once it was.

Why Compliance Alone Breaks Down

HIPAA compliance is often treated like an annual exercise, but security doesn’t work that way. Threats evolve continuously, staff behavior changes daily, and attackers don’t care what your last assessment said. In fact, they’re counting on your complacency and false sense of…security! This is why modern frameworks, including those from the National Institute of Standards and Technology (NIST), assume constant change rather than stable environments.
They emphasize regular access reviews because stale credentials are a leading cause of breaches, tested incident response plans because unused plans fail under pressure, and controls that align to real workflows instead of ideal ones no one actually follows. For example, many practices document “role-based access” during their SRA and move on. Months later, a contractor still has an active account, a staff member keeps elevated permissions after changing roles, and credentials are quietly shared during busy clinics. Frameworks like NIST assume this drift will happen, which is why they emphasize periodic access reviews and least-privilege enforcement, not one-time configuration.

Security is not a yearly technology project. It’s an operational discipline that touches every role in the practice. When it lives only in a binder or in a vendor portal no one revisits, it becomes performative. And performative security is easy to bypass.

The Risk That Technology Can’t Fix

Most healthcare breaches don’t begin with sophisticated attackers using sophisticated tools. They begin inside the practice: untrained staff clicking links, credentials shared to save time, unauthorized chart access, and well-intentioned shortcuts during busy clinics. The “bad guys” know all this and are crafting increasingly sophisticated threats designed to take advantage of complacency, busyness and familiarity. That email from the “CEO” to the “CFO” asking for another copy of last month’s bank statement looks sooo benign. Frameworks like NIST assume this reality, which is why people and process matter as much as technology. You can deploy every security product on the market and still fail if policies are unclear, processes are inconsistent, and staff aren’t supported with ongoing education. Technology cannot compensate for misalignment.
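The access drift described above (a contractor account left enabled after the engagement ended, a staff member who kept a grant from a former role, an account nobody has used in months) is exactly what a periodic access review is meant to surface. The script below is an added illustration, not code from this blog; the role-to-entitlement baseline, the account roster and the 90-day dormancy threshold are all constructed for the example, standing in for data a practice would export from its EHR or identity provider and join with HR records.

```python
from datetime import date

# Hypothetical least-privilege baseline: what each role should hold (constructed).
ROLE_ENTITLEMENTS = {
    "front_desk": {"scheduling", "demographics"},
    "nurse": {"scheduling", "demographics", "clinical_notes"},
    "billing": {"demographics", "billing"},
    "it_admin": {"scheduling", "demographics", "clinical_notes", "billing", "admin"},
}

# Constructed sample roster, as exported from the EHR/IdP and joined with HR data.
ACCOUNTS = [
    {"user": "jdoe", "role": "nurse", "active": True, "contract_end": None,
     "last_login": date(2024, 5, 28),
     "grants": {"scheduling", "demographics", "clinical_notes"}},
    # Contractor whose engagement ended in February; account still enabled.
    {"user": "ext-vendor1", "role": "it_admin", "active": True,
     "contract_end": date(2024, 2, 1), "last_login": date(2024, 1, 10),
     "grants": ROLE_ENTITLEMENTS["it_admin"]},
    # Moved from billing to the front desk but kept the billing grant.
    {"user": "mlee", "role": "front_desk", "active": True, "contract_end": None,
     "last_login": date(2024, 5, 30),
     "grants": {"scheduling", "demographics", "billing"}},
    # Enabled account nobody has used in months.
    {"user": "rkim", "role": "billing", "active": True, "contract_end": None,
     "last_login": date(2024, 1, 3), "grants": {"demographics", "billing"}},
]

REVIEW_DATE = date(2024, 6, 1)  # constructed "today" for the review run


def review_access(accounts, baseline, today, dormant_days=90):
    """Return {user: [finding, ...]} for active accounts that drifted from baseline."""
    findings = {}
    for acct in accounts:
        if not acct["active"]:
            continue
        issues = []
        if acct["contract_end"] and acct["contract_end"] < today:
            issues.append("contract_ended")          # disable the account
        excess = acct["grants"] - baseline.get(acct["role"], set())
        if excess:                                   # grants beyond the role
            issues.append("excess_privilege:" + ",".join(sorted(excess)))
        if (today - acct["last_login"]).days > dormant_days:
            issues.append("dormant")                 # confirm need or disable
        if issues:
            findings[acct["user"]] = issues
    return findings


if __name__ == "__main__":
    print(review_access(ACCOUNTS, ROLE_ENTITLEMENTS, REVIEW_DATE))
```

An unknown role has an empty baseline, so every grant on such an account is reported as excess, which is the safe default for an account the role matrix does not recognize.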
What Real Security Actually Requires

Effective security programs move beyond the SRA and align with what frameworks like NIST actually emphasize in practice: Policies, Processes, People, and Products. Clear policies set expectations for how ePHI is protected. Repeatable processes turn those policies into day-to-day behavior. Ongoing investment in people, through training and awareness, addresses the human risk no technology can eliminate. And products are used to support and reinforce the first three, not to replace them. Miss any one of these, and the entire structure weakens. You can document policy without process, deploy tools without training, or train staff without enforcing standards, and still remain exposed.

This work is rarely flashy. It doesn’t sell well in vendor demos or come neatly packaged as a “HIPAA-compliant” solution. But it’s what actually reduces risk, because it changes how the practice operates every day instead of relying on security theater to create a false sense of protection.

The Work Starts After the SRA

The HIPAA Security Risk Assessment is required, and it should be taken seriously. But it is only the beginning. Real security shows up in governance and ownership, follow-through on findings, ongoing education, regular review, and leadership engagement, not delegation. Using a framework like NIST provides a cadence that lets your practice work on security throughout the year, continuously improving its security posture.

Don’t go to sleep because you checked the box six weeks ago. Take ownership. Build a program. Treat security as a living part of how your practice operates, not a once-a-year compliance exercise. That’s what actually protects patients, providers, and the business.