This entry is part 18 of 48 in the series HIPAA Security Risk Analysis Tips

In determining whether risk exists, three key ingredients are required: 1) an asset; 2) a threat to that asset; and 3) a vulnerability that the threat may exploit or trigger. An adapted definition of vulnerability, from NIST SP 800-30, is “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.” Here’s today’s big tip — Learn how to define and identify threats!


A vulnerability is a flaw or weakness in a system. It is often the absence of a safeguard or control: a lack of training, a lack of policies and procedures, a lack of a technical safeguard such as encryption or anti-virus software, and so on.

Using the theft of a laptop as the example threat again, the corresponding vulnerability or weakness may be that the ePHI stored on the laptop is not encrypted.

Vulnerabilities, whether accidentally triggered or intentionally exploited, could potentially result in a security incident, such as inappropriate access to or disclosure of ePHI. Vulnerabilities may be grouped into two general categories, technical and nontechnical.

  1. Non-technical vulnerabilities may include ineffective or non-existent policies, procedures, standards or guidelines.
  2. Technical vulnerabilities may include: holes, flaws or weaknesses in the development of information systems; or incorrectly implemented and/or configured information systems.

External sources of information about vulnerabilities include hardware and software vendor Web sites, which may describe incidents others have had and provide patches or service packs to mitigate some of them. Many security associations produce online and print newsletters. Even local business groups, colleges or universities, and the police department may be good sources of information. Hint: Reviewing the Health and Human Services Data Breach Notification website should provide ideas about vulnerabilities that may exist in various information assets.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.



Bob Chaput

CEO at Clearwater Compliance
Bob is the CEO and Founder of Clearwater Compliance. He has 25 years of experience in the Healthcare industry, and his experience includes managing some of the world’s largest HR, benefits and healthcare databases, requiring the highest levels of security and privacy. Mr. Chaput continues to expand and update his knowledge base on HIPAA-HITECH compliance through postgraduate study, earning professional certifications and participating in professional healthcare and other organizations.