Why HIPAA Security Risk Analyses Still Fall Short

Former HHS Strategist Rachel Seeger on Addressing Often-Overlooked Risks Marianne Kolbasuk McGee (HealthInfoSec) • January 22, 2026

Weak and incomplete security risk analyses have long been sore spots cited in federal audits, health data breach investigations and enforcement actions involving HIPAA-regulated entities. That's often because organizations still neglect to expand their analysis very far beyond their electronic health records, said Rachel Seeger, a former longtime strategist in the U.S. Department of Health and Human Services.

See Also: On-Demand | NYDFS MFA Compliance: Real-World Solutions for Financial Institutions

"Many covered entities solely focus their risk analysis on the EHR, and the EHR only. And, in today's ecosystem there are just many different points where bad actors know that they can get in through the back door, through the front door, internet of things and everything in between," said Seeger, founder of North Country Communications, a compliance and data breach response ...