Too many organizations believe risk analysis can only be done at a single point in time. What often happens is that a large amount of work is compressed into a short period, frequently at the end of the year. This approach has two related negative impacts: organizations rarely have the bandwidth to analyze the risk of all their information systems at once, and their resources are depleted by the effort, so risk response is delayed or not given the thorough attention it deserves.
Here’s the part most people miss: risk analysis and risk management must cover all information systems that handle ePHI, but they don’t have to be done all at once. If you try to do everything in one pass, you may truncate your scope or exhaust your teams, leaving potential gaps. By approaching risk management incrementally throughout the year, you smooth out the process and gain efficiency, comprehensiveness, and timeliness.
My recommendation: once you’ve identified all your ePHI assets, implement a process to assess subsets of them throughout the year. Start with the top-priority systems, and follow each assessment sprint by planning responses to the risks it identified. It won’t solve everything overnight, but it sets the foundation for meaningful progress.