To say there is some debate among the experts in the security community surrounding the definitions of Risk, Threats and Vulnerabilities is a slight understatement. Prestigious organizations such as ISO, IEC, NIST and ENISA seem to disagree, and the Information Security industry offers still more definitions. Here’s today’s big tip – Adopt YOUR standard set of definitions and stick with them.
The graphic on the left illustrates how fine-tuned the terminology and discussion may get…vulnerabilities, threats, threat-sources, actors, motivation, etc. can make for lengthy intellectual discussions. A primary focus of our risk analysis methodology is to make it practical, tangible and actionable… fast.
Therefore, we have worked to simplify the process while not compromising the ultimate outcome.
We start where there is agreement: security safeguards must be designed to manage risk, and risk exists as a function of at least threat and vulnerability.
It is true that a threat-source does not represent a risk when there is no vulnerability that can be exercised or exploited. It is also true that in determining the likelihood of a threat, one must consider threat-sources, potential vulnerabilities, and existing controls.
At the same time, we encourage you not to become bogged down in definitional debate that may cause you to miss the mission at hand, which is ultimately to develop a prioritized list of security risks that need to be addressed with a risk mitigation action, based on an informed decision.
It is in the Risk Determination step of a Risk Analysis where threats and vulnerabilities must be considered. You should focus on reasonably likely threats to ePHI and the risks they create, without compromising the ultimate outcome of the Risk Analysis process. Your goal is to determine the risks to information assets that create, receive, maintain and transmit ePHI, then prioritize those risks from highest to lowest and, ultimately, make risk management decisions that include implementing additional reasonable and appropriate safeguards.
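The Risk Determination logic described above, reduced to code as an added example (this is not code from the post or from Clearwater's own tooling): a threat-source with no exercisable vulnerability scores zero, each existing control lowers the threat likelihood one step, and the surviving risks come out ranked highest to lowest. The three-level scales, the one-step-per-control rule and the sample register are all assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Ordinal scales assumed for this example (not prescribed by the post).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class RiskItem:
    asset: str                      # asset that creates/receives/maintains/transmits ePHI
    threat_source: str
    vulnerability: Optional[str]    # None = nothing this threat-source can exercise
    threat_likelihood: str          # likelihood before existing controls are credited
    impact: str
    controls: List[str] = field(default_factory=list)  # existing safeguards


def likelihood_score(item: RiskItem) -> int:
    """A threat-source with no exercisable vulnerability is not a risk (0).
    Otherwise each existing control lowers likelihood one step, floored at 'low'."""
    if item.vulnerability is None:
        return 0
    return max(1, LIKELIHOOD[item.threat_likelihood] - len(item.controls))


def risk_score(item: RiskItem) -> int:
    """Risk as a function of (adjusted) threat likelihood and impact."""
    return likelihood_score(item) * IMPACT[item.impact]


def prioritize(items: List[RiskItem]) -> List[Tuple[int, RiskItem]]:
    """Drop non-risks and return the rest ordered highest-to-lowest."""
    scored = [(risk_score(i), i) for i in items if risk_score(i) > 0]
    return sorted(scored, key=lambda si: si[0], reverse=True)


# Constructed sample register for the example; not real assessment data.
SAMPLE_REGISTER = [
    RiskItem("EHR database server", "external attacker", "unpatched database service", "high", "high"),
    RiskItem("Clinician laptop", "theft", "unencrypted disk", "medium", "high", ["cable lock policy"]),
    RiskItem("Offsite backup tapes", "flood", None, "high", "high"),
    RiskItem("Clinician workstation", "phishing", "no MFA on e-mail", "high", "medium", ["awareness training"]),
]

if __name__ == "__main__":
    for score, item in prioritize(SAMPLE_REGISTER):
        print(f"{score:>2}  {item.asset}: {item.threat_source} via {item.vulnerability}")
```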
As required by the HITECH Act, the Office for Civil Rights has issued its final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” (July 2010). We advise all Covered Entities and Business Associates to review the Final Guidance and become familiar with the applicable standards and implementation specifications.
Please avail yourself of any of these free resources, which you may access by clicking on the links below:
- Risk Analysis Buyer’s Guide
- Expert 2nd Opinion on Your HIPAA Risk Analysis
- Clearwater Compliance White Paper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater Recorded Webinar event entitled How to Conduct a Bona Fide HIPAA Security Risk Analysis
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software DataSheet
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software Free Trial for qualified organizations
- More Risk Analysis Resources
By Bob Chaput