Is simply installing a certified EHR fulfills the security risk analysis MU requirement?

No. Even with a certified EHR, you must perform a full security risk analysis. Security
requirements address all electronic protected health information you maintain, not just what
is in your EHR.
Certification does not guarantee performance or reliability of these security functions.
• The security functions may be “off” or the settings could be at a suboptimal level, either of which can create vulnerabilities.
• You and your staff should become familiar with the security settings in your EHR. Most of these are accessible to whoever has administrator privileges. Learning how to configure these settings, for example, will help when staff leave or join your practice. While nationally accepted standards on these configurations have not yet been developed, there are industry best practices. Your health information organization that facilitates electronic exchanges may have specific requirements.
• Your risk analysis should specifically examine the adequacy of your EHR security safeguards as it transmits, stores, and allows modifications to protected health information.