Recent data security enforcement actions by the U.S. Department of Health and Human Services consistently sound an important theme: Failure to conduct an adequate risk assessment is itself a violation of the security rule promulgated under the Health Insurance Portability and Accountability Act. The lesson of these cases applies beyond protected health information.

Across the patchwork quilt of cybersecurity regulation in the U.S., enforcement agencies — including the Federal Trade Commission, Federal Communications Commission and Transportation Security Administration — agree that any entity's cybersecurity program should address issues identified in a risk assessment. And since system inventories, attacker tactics and the state of the art in cybersecurity controls change over time, the agencies agree the risk assessment must be regularly updated.

There are, however, some noteworthy differences in the way agencies approach their oversight of the risk assessment process.

Especially noteworthy in the HHS cases is a practice that other regulators might want to adopt: Once HHS has concluded that an entity violated the security rule, it will oversee the entity's risk assessment until satisfied it is complete and will then engage in an iterative review of the entity's data security practices until those are deemed sufficient to respond to the identified risks. The FTC and the FCC, in contrast, impose lengthy lists of cybersecurity practices before the first risk assessment is done.

Moreover, neither the FTC nor the FCC reviews the risk assessment; instead, both agencies rely on the report of an assessor hired by the regulated entity. It would be interesting to know whether such an assessor has ever found an entity's risk assessment inadequate. Finally, HHS's practice of reviewing annual risk assessments to ensure that controls are well-matched to risk may help the FTC address concerns that it is locking settling entities for extended periods of time into sets of cybersecurity controls that may become outdated.

Cybersecurity starts with a thorough risk assessment

Since at least October 2024, when it first referred to a “Risk Assessment Initiative,” HHS has made risk assessment a priority in its data security enforcement activity. This trend has continued and even accelerated under the new administration: HHS's Office for Civil Rights, which enforces the HIPAA privacy and security rules and the federal standards for notification in the case of breach of protected health information, focused on insufficient risk analysis in 10 of the 11 matters involving alleged violations of the security rule it has resolved since 20 Jan. 2025. In six of the 11 cases, the only alleged violation was failure to conduct an adequate risk analysis.

But from that one violation flows HHS oversight of an entity's entire cybersecurity program.

Consider, for example, the resolution agreement that OCR entered into 7 July with Deer Oaks Geriatric Services. In December 2021, HHS received a complaint alleging that Deer Oaks had impermissibly disclosed personal health information, including patient names, birthdates, identification numbers and diagnoses, by making patient discharge forms publicly accessible online. In addition, Deer Oaks experienced a breach in August 2023, when a threat actor exploited a vulnerability in Deer Oaks' network to exfiltrate PHI and demanded payment to not post it on the dark web.

After investigation, HHS identified two violations: (1) Deer Oaks had "disclosed" PHI in a manner not required or permitted by the privacy rule, citing 45 C.F.R. § 164.502(a), and (2) Deer Oaks had not conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of the electronic PHI it held, as required under § 164.308(a)(1)(ii)(A) of the security rule.

To settle the matter, Deer Oaks agreed to a corrective action plan. The details of the agreement are striking. It requires Deer Oaks to conduct and complete "an accurate and thorough analysis of security risks and vulnerabilities that incorporates all electronic equipment, data systems, programs and applications controlled, administered, owned, or shared by Deer Oaks that contain, store, transmit or receive" ePHI. As part of this process, Deer Oaks shall include a complete inventory of all electronic equipment, data systems, off-site data storage facilities, and applications that contain or store ePHI, which will then be incorporated in its risk analysis. In addition, Deer Oaks must renew its analysis annually.

Everything then flows from the risk analysis.

Under the agreement, Deer Oaks must “develop an enterprise-wide risk management plan to address and mitigate any security risks and vulnerabilities identified in the risk analysis." Then, it shall develop, maintain and revise written cybersecurity policies and procedures, which it must distribute to all employees responsible for their implementation and enforcement. And Deer Oaks shall train all members of its workforce who have access to ePHI on the security policies and procedures.

A similar emphasis on the centrality of risk assessment is found in HHS's July 2025 settlement with Syracuse ASC, an ambulatory surgery center in New York, its May 2025 settlement with Comstar, a business associate providing billing, collection, consulting, data hosting and client/patient services for nonprofit and municipal ambulance services, and a May resolution agreement with the health care provider Vision Upright MRI. In all three cases, OCR found that the regulated entities failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to ePHI they held. In all three, as in the Deer Oaks matter, the corrective action required by HHS began with a thorough risk assessment, followed by iterative HHS review to develop a risk management plan.

For now, risk assessments seem to be a core focus of HHS enforcement. As newly appointed OCR Director Paula Stannard said in a press release accompanying the Deer Oaks resolution, "An accurate and thorough HIPAA risk analysis can minimize the exposure of ePHI from both malicious actors and inadvertent errors. Based on OCR's experience enforcing potential HIPAA Security Rule violations, the covered entity or business associate under investigation will often have deficient risk analysis practices." Stannard went on to say that common deficiencies include lacking a risk analysis entirely or failing to update existing risk analyses when implementing new technologies or expanding operations that affect the security of ePHI.

Assessing the risk assessment

There is an important aspect of HHS's approach to cybersecurity enforcement that may be relevant to other agencies: Once HHS concludes that an entity has violated the security rule, it will insist on a multistage process of reviewing an entity's risk analysis and will send it back for revision until the agency is satisfied.

Thus, for example, HHS required Deer Oaks, before it performs its risk analysis, to submit to HHS the scope and methodology by which it proposes to conduct the analysis, so that HHS can determine whether the proposed scope and methodology are consistent with § 164.308(a)(1)(ii)(A) of the security rule. Then, after HHS's approval of the scope and methodology, Deer Oaks must provide its risk analysis to HHS to review and recommend changes. Upon receiving HHS's recommended changes, Deer Oaks has 60 days to submit a revised risk analysis. This process will continue until HHS provides final approval of the risk analysis. Only then can security controls and policies be constructed, and those also go through an iterative review process until approved by HHS.

We see a similar approach at the Transportation Security Administration, with some key differences. HHS reviews risk assessments and security programs only after it receives notice of a breach and conducts an investigation, which happens only for a small percentage of entities covered by HIPAA.

In contrast, the TSA, which regulates the cybersecurity of a much smaller universe of entities, acts comprehensively and prospectively.

The TSA's slightly similar approach

The TSA security directive for pipelines doesn't quite begin with a risk assessment the way HHS does. Instead, the TSA directive requires an owner/operator to develop a cybersecurity implementation plan and submit it to TSA for approval. TSA reviews and must approve in advance a pipeline's determination of what is a critical cyber system; the directive specifically states that TSA may notify an owner/operator that it must add additional critical cyber systems in its cybersecurity implementation plan.

Then the directive requires an owner/operator to develop a cybersecurity assessment plan for those critical cyber systems to ascertain the effectiveness of its cybersecurity measures and to identify and resolve device, network or system vulnerabilities. An owner/operator must submit this cybersecurity assessment plan on an annual basis for TSA approval. It must also submit an annual report of the results of assessments conducted in accordance with the plan.

The end result? TSA reviews and approves an entity's determination of what assets deserve protection, the plan for protecting those assets, and the annual assessment of the effectiveness of those controls. The TSA directive also specifies that, at least once every two years, pipelines must verify and validate network traffic and system log review and analysis to identify cybersecurity vulnerabilities related to network design, configuration and inter-connectivity to internal and external systems, although there is no requirement to submit that analysis to the TSA.

However, other cybersecurity regulators, while they recognize the essentiality of the risk assessment to the development of a sound cybersecurity program, do not seek to verify the adequacy of risk assessments.

The FTC and GoDaddy

For example, the Federal Trade Commission, in its May settlement with web hosting company GoDaddy, required the company, as it has required all other entities settling cybersecurity matters, to assess, document and update at least once every 12 months internal and external risks to the security, confidentiality, or integrity of its hosting service and the customer data it holds. Then the order requires the company to design, implement, maintain and document safeguards that control for the identified risks.

The FTC does not require respondents to submit their risk assessment for approval. This leaves open the possibility that an entity will underestimate its risk, leaving it with controls that are too weak for the reality of its risk profile.

However, the FTC does require that respondents undergo an assessment of the effectiveness of their information security program by an objective, independent third-party assessor. Since the risk assessment is part of the respondent's mandated information security program, the third-party assessment presumably assesses the risk assessment. The respondent's initial assessment report is not due until 15 months after a settlement is finalized, and there is no indication that the FTC has ever found that an assessment report uncovered an inadequate risk assessment.

Nevertheless, in GoDaddy, the FTC took a unique and important step toward ensuring that a risk assessment is adequate. The commission specified in its final order that GoDaddy must assume, in designing its safeguards: "(1) a high likelihood of unauthorized access to (its) Hosting Service; (2) a high risk of harm to customers of the Hosting Service and to users of websites operated by customers of the Hosting Service should unauthorized access … occur; (3) customers operating websites in the Hosting Service are likely to maintain or collect sensitive information in or through the Hosting Service; and (4) a high risk of unauthorized access to sensitive information maintained on the Hosting Service or collected by customers of the Hosting Service, through websites they operate, should unauthorized access to the Hosting Service occur."

In this way, the FTC specified certain risks that GoDaddy cannot ignore or minimize. It will be interesting to see if this approach becomes a regular feature of FTC data security settlements.

Moreover, it seems the list of mandatory cybersecurity controls that the FTC includes in its settlements is becoming more targeted to the business model and risk profile of the specific respondent. For example, the specific cybersecurity controls required of GoDaddy are quite different from those required in the final order regarding Drizly.

GoDaddy is required to disconnect all hardware assets with software that is no longer being updated or patched by its developer, a provision lacking in the Drizly order. Meanwhile, Drizly is required to restrict inbound connections to those originating from approved IP addresses, a requirement not in the GoDaddy order.

This suggests that the commission, based on its own assessment of a respondent's risk profile, is customizing the controls that it insists upon. Currently, those controls are mandated for 20 years, with no specified requirement for revisiting them in light of the risk assessment — and no risk-based way for the FTC to determine what controls may be missing from the initial order.

The FCC and cybersecurity enforcement

The Federal Communications Commission also has not sought to review and approve the risk assessments of the telecommunications providers against which it has recently brought data security enforcement actions.

For example, while the order the FCC entered into with T-Mobile requires the carrier to maintain, and regularly review and revise as necessary, a risk assessment program reasonably designed to identify, assess, prioritize and manage material cybersecurity risks to its networks, the FCC did not insist on reviewing and approving the risk assessment. The T-Mobile order specifies that the company's risk assessment program must include methods and criteria for assessing material cybersecurity risks that are consistent with a risk assessment method provided by a nationally recognized information security body.

The risk assessment method must provide, at a minimum, that the company assess and document, at least annually and at a level appropriate to the risk, internal and external material cybersecurity risks to the confidentiality, integrity and availability of customer information. However, like the FTC, the FCC relies on a third party to assess the carrier's risk assessment, as part of an overall annual review of T-Mobile's compliance with the terms of the settlement order.

An order against TracFone requires the company to maintain, and regularly review and revise as necessary, a risk assessment process reasonably designed to identify, assess and remediate risks to the web applications. TracFone (owned by Verizon) must implement Verizon's quantitative risk management platform for the assessment and prioritization of risks.

The third enforcement action, involving AT&T, required the company to perform assessments, reviews and other oversight of its vendors, taking into account risks posed to the security of customer data processed by vendors, but it did not contain a direct requirement that AT&T perform a risk assessment of its operations as a whole.

Taking risk assessment seriously

Cybersecurity is risk-based. Consequently, the risk assessment is simultaneously the foundation of any cybersecurity program and its potentially weakest point. If an entity lowballs its risk assessment, it will almost automatically adopt controls that are inadequate. Conversely, when a regulator imposes detailed cybersecurity controls before a risk assessment has been done, it is possible that some of the controls are unnecessary, imposing burden without addressing a real risk.

It is easy to see the strategy of the regulators that impose long lists of cybersecurity controls and practices before a risk assessment has been completed. There is a core set of practices and controls that every company processing personal information should adhere to. After all, the National Institute of Standards and Technology's cybersecurity framework is intended to apply across a wide range of entities and sectors.

After the basics of a program are established, an agency that retains multiyear jurisdiction over enforcement of a settlement order should actually look at the mandated annual risk assessment and match it up with the specific implementation of control categories, whether drawn from the NIST framework or elsewhere. This would benefit both the regulated entity and the consumers whom a settlement is intended to protect.

Last August, in a statement concurring with the FTC's settlement with security camera firm Verkada, Commissioner Melissa Holyoak expressed concerns that the Commission's data security settlements had become ever more prescriptive, mandating that settling entities implement particular controls for 20 years, a long period over which such specific prescriptions may become dated as technology and threats evolve. She recommended that the FTC should promote "a flexible, risk-based approach to data security that creates incentives for efficient investment in data security."

One way to do that is to take risk assessments seriously, using them annually to readjust security controls to scale with size, sensitivity or evolving threats. That will involve more effort by the FTC. It cannot defer to the reports of third-party assessors. The learning that will come from actually assessing the risk assessments of regulated entities, and then seeking to match cybersecurity controls to identified risk, could dramatically improve our understanding of what is effective — and thus "reasonable" — cybersecurity.

Jim Dempsey is the managing director of the IAPP Cybersecurity Law Center.