To say that there is some debate among experts in the security community over the definitions of Risk, Threat and Vulnerability is a slight understatement. Prestigious organizations such as ISO, IEC, NIST and ENISA do not agree with one another, and the information security industry offers still more definitions. Here is today's big tip: adopt YOUR standard set of definitions and stick with them.


The graphic on the left illustrates how fine-grained the terminology can get: vulnerabilities, threats, threat-sources, actors, motivation and so on can make for lengthy intellectual discussions. A primary focus of our risk analysis methodology is to make it practical, tangible and actionable, and fast.

Therefore, we have worked to simplify the process without compromising the ultimate outcome.

We start where there is agreement:  security safeguards must be designed to manage risk, and risk exists as a function of at least threat and vulnerability.

It is true that a threat-source does not represent a risk when there is no vulnerability it can exercise or exploit. It is also true that, in determining the likelihood of a threat, one must consider threat-sources, potential vulnerabilities and existing controls.

At the same time, we encourage you not to become bogged down in definitional debate and miss the mission at hand, which is ultimately to develop a prioritized list of security risks, each to be addressed with a risk mitigation action based on an informed decision.

It is in the Risk Determination step of a Risk Analysis that threats and vulnerabilities must be considered together. Focus on reasonably likely threats to ePHI and the risks they create, without compromising the ultimate outcome of the Risk Analysis process. Your goal is to determine the risks to the information assets that create, receive, maintain and transmit ePHI, prioritize those risks from highest to lowest and, ultimately, make risk management decisions that include implementing additional reasonable and appropriate safeguards.
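The Risk Determination step described above, as an added worked example that is not part of the original post and not Clearwater's own methodology: each entry in a small register names an asset, a threat-source, the vulnerability (if any), the likelihood factors and existing controls, and the impact to ePHI. A threat-source with no exercisable vulnerability scores zero, existing controls lower likelihood, and the register is sorted highest to lowest. The 0-3 and 1-3 scales, the combination rules and the sample entries are assumptions constructed for this example, not a published standard.

```python
"""Worked risk determination: rate and prioritize risks to ePHI.

The scales (0-3 for likelihood factors, 1-3 for impact), the combination
rules and the sample entries are assumptions for this example only.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Risk:
    asset: str                  # asset that creates, receives, maintains or transmits ePHI
    threat_source: str
    vulnerability: str          # "" means no vulnerability this threat-source can exercise
    threat_likelihood: int      # 0-3: likelihood the threat-source acts against the asset
    vuln_severity: int          # 0-3: how readily the vulnerability can be exercised
    control_effectiveness: int  # 0-3: how far existing controls lower that likelihood
    impact: int                 # 1-3: harm to confidentiality, integrity or availability

    def likelihood(self) -> int:
        """Likelihood (0-3) that this threat is realized against this asset."""
        # A threat-source with no exercisable vulnerability represents no risk.
        if not self.vulnerability or self.vuln_severity == 0:
            return 0
        # Both a willing threat-source and an exercisable weakness are needed,
        # so the pair is no more likely than its weaker factor (assumption).
        raw = min(self.threat_likelihood, self.vuln_severity)
        if raw == 0:
            return 0
        # Existing controls lower likelihood one level per point, but residual
        # likelihood stays at least "low" while the vulnerability exists (assumption).
        return max(raw - self.control_effectiveness, 1)

    def score(self) -> int:
        """Risk as a function of likelihood and impact (0-9)."""
        return self.likelihood() * self.impact

    def level(self) -> str:
        s = self.score()
        if s >= 6:
            return "High"
        if s >= 3:
            return "Moderate"
        if s >= 1:
            return "Low"
        return "None"


def prioritize(risks: List[Risk]) -> List[Risk]:
    """Order highest to lowest; ties broken by impact so high-harm items surface first."""
    return sorted(risks, key=lambda r: (r.score(), r.impact), reverse=True)


# Constructed sample register (hypothetical assets and ratings).
SAMPLE_RISKS = [
    Risk("EHR web server", "External attacker", "Unpatched web application",
         threat_likelihood=3, vuln_severity=2, control_effectiveness=1, impact=3),
    Risk("Primary data center", "Hurricane", "",            # no vulnerability identified
         threat_likelihood=2, vuln_severity=0, control_effectiveness=0, impact=3),
    Risk("Email workstation", "Phishing campaign", "No multi-factor authentication on email",
         threat_likelihood=3, vuln_severity=3, control_effectiveness=2, impact=2),
    Risk("Clinician laptop (unencrypted)", "Theft", "Full-disk encryption not enabled",
         threat_likelihood=3, vuln_severity=3, control_effectiveness=0, impact=3),
]


def risk_register(risks: List[Risk] = SAMPLE_RISKS) -> List[Tuple[str, int, int, str]]:
    """Return (asset, likelihood, score, level) rows in priority order."""
    return [(r.asset, r.likelihood(), r.score(), r.level()) for r in prioritize(risks)]


if __name__ == "__main__":
    for asset, lik, score, level in risk_register():
        print(f"{level:8} score={score} likelihood={lik}  {asset}")
```

The sorted output is the prioritized list that the risk management decisions are then made against; a zero-scoring row (threat-source present, no vulnerability) stays in the register as a record that the pairing was considered, not as an item needing mitigation.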

As required by the HITECH Act, the Office for Civil Rights issued its final "Guidance on Risk Analysis Requirements under the HIPAA Security Rule" in July 2010. We advise all Covered Entities and Business Associates to review the Final Guidance and become familiar with the applicable standards and implementation specifications.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.



Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.