The Repository @ St. Cloud State

Open Access Knowledge and Scholarship

Date of Award


Culminating Project Type


Degree Name

Information Assurance: M.S.


Information Assurance and Information Systems


Herberger School of Business

First Advisor

Dennis Guster

Second Advisor

Balasubramanian Kasi

Third Advisor

Erich Rice

Creative Commons License

Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.

Keywords and Subject Headings

"HIPAA" "risk assessment" "cyber security" "information security" "healthcare" "clinic"


Cyber security risk assessments in the healthcare industry are legally required and demand an ongoing investment of time and resources. Small healthcare clinics are less likely to have streamlined processes in place to meet these requirements. This work presents two case studies featuring qualitative Health Insurance Portability and Accountability Act (HIPAA) security risk assessments of small dental clinics using the free Security Risk Assessment (SRA) tool provided by the US Department of Health and Human Services. One clinic used a cloud service provider to safeguard protected health information (PHI) while the other used an on-premises server. The data revealed detailed information relating to the cyber risk posture of each organization within the scope of the HIPAA Security Rule. Analysis included suggestions to mitigate the compliance gaps and vulnerabilities within the environment. Based on the data gathered, a comparative analysis of using the cloud vs. on-premises to manage PHI was conducted to provide insight into the need to balance security with other business requirements. This work provides greater context to the process of conducting HIPAAcompliant security risk assessments, including the responsibilities that small healthcare providers must own to protect their business reputation in the event of a major security incident.