The HHS / OCR final guidance on completing a HIPAA Security Risk Analysis is based on NIST Special Publication 800-30, which covers the subject of Risk Management. As the guidance states, “Organizations must identify and document reasonably anticipated threats to ePHI.” Here’s today’s big tip: better know what a threat is!


An adapted definition of threat, from NIST SP 800-30, is “[t]he potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”

In security, therefore, a threat is anything that could, by exercising a vulnerability, harm information or the systems that create, receive, maintain or transmit that information.

There are several types of threats that may occur within an information system or operating environment. Threats may be grouped into general categories such as natural, human, and environmental. Examples of common threats in each of these general categories include:

Natural threats include floods, earthquakes, tornadoes, and landslides.

Human threats are enabled or caused by humans and may be intentional (e.g., network and computer-based attacks, malicious software upload, and unauthorized access to ePHI) or unintentional (e.g., inadvertent data entry or deletion and inaccurate data entry).

Environmental threats include power failures, pollution, chemicals, and liquid leakage.

It is in the Risk Determination step of a Risk Analysis that threats and vulnerabilities must be considered together. Focus on reasonably likely threats to ePHI and the risks they create, without compromising the ultimate outcome of the Risk Analysis process. Your goal is to determine the risks to information assets that create, receive, maintain and transmit ePHI, prioritize those risks from highest to lowest and, ultimately, make risk management decisions that include implementing additional reasonable and appropriate safeguards.

As required by the HITECH Act, the Office for Civil Rights has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” (July 2010). We advise all Covered Entities and Business Associates to review the Final Guidance and become familiar with the applicable standards and implementation specifications.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority on safeguarding health data, Chaput has supported hundreds of hospitals and health systems in successfully managing healthcare’s evolving cybersecurity threats and ensuring patient safety.