This entry is part 17 of 48 in the series HIPAA Security Risk Analysis Tips

Risk management begins with the determination or identification of risks to assets. An adapted definition of threat, from NIST SP 800-30, is “[t]he potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.” Here’s today’s big tip — Learn how to define and identify threats! 


In information security, a threat is anything that could, by exercising a vulnerability, harm information or the systems that create, receive, maintain or transmit it. A vulnerability is a flaw or weakness in a system.

As an example, theft of a laptop containing ePHI is a threat. Sending unsecured ePHI through email is a threat.

There are several types of threats that may occur within an information system or operating environment. Threats may be grouped into general categories such as natural, human, and environmental. Examples of common threats in each of these general categories include:

  1. Natural threats such as floods, earthquakes, tornadoes, and landslides.
  2. Human threats, which are enabled or caused by humans and may include intentional (e.g., network- and computer-based attacks, malicious software upload, and unauthorized access to ePHI) or unintentional (e.g., inadvertent data entry or deletion and inaccurate data entry) actions.
  3. Environmental threats such as power failures, pollution, chemicals, and liquid leakage.


Bob Chaput

CEO at Clearwater Compliance
Bob is the CEO and Founder of Clearwater Compliance. He has 25 years of experience in the Healthcare industry, and his experience includes managing some of the world’s largest HR, benefits and healthcare databases, requiring the highest levels of security and privacy. Mr. Chaput continues to expand and update his knowledge base on HIPAA-HITECH compliance through postgraduate study, earning professional certifications and participating in professional healthcare and other organizations.