This entry is part 17 of 60 in the series HIPAA Security Risk Analysis Tips

Risk management begins with the determination or identification of risks to assets. An adapted definition of threat, from NIST SP 800-30, is “[t]he potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.” Here’s today’s big tip — Learn how to define and identify threats! 


In information security, a threat is anything that could, by exercising a vulnerability, harm information or the systems that create, receive, maintain or transmit it. A vulnerability is a flaw or weakness in a system.

As an example, theft of a laptop containing ePHI is a threat. Sending unsecured ePHI through email is a threat.

There are several types of threats that may occur within an information system or operating environment. Threats may be grouped into general categories such as natural, human, and environmental. Examples of common threats in each of these general categories include:

  1. Natural threats such as floods, earthquakes, tornadoes, and landslides.
  2. Human threats are enabled or caused by humans and may include intentional actions (e.g., network and computer-based attacks, malicious software upload, and unauthorized access to ePHI) or unintentional actions (e.g., inadvertent data entry or deletion and inaccurate data entry).
  3. Environmental threats such as power failures, pollution, chemicals, and liquid leakage.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.