Only designated security and privacy officer can conduct risk analysis?

No. Your security officer should be able to work effectively with others to safeguard patient information. At various times, the officer will need to coordinate with your privacy officer (if a different person), practice manager, IT administrator or consultant, and your EHR vendor.