You have been hired as the privacy and security director of a rural community hospital in southern Maine with 45 beds. You decide to begin by reviewing the policies and procedures already in place against what is required under HIPAA. You are dismayed to find that although there are a number of policies and procedures in effect a security risk assessment was never performed. Create a 9 step plan for conducting the security risk assessment.