This entry is part 18 of 60 in the series HIPAA Security Risk Analysis Tips

In determining whether risk exists, three key ingredients are required: 1) an asset; 2) a threat to that asset; and, 3) a vulnerability that the threat may exploit or trigger. An adapted definition of vulnerability, from NIST SP 800-30, is “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.” Here’s today’s big tip — Learn how to define and identify threats!


A vulnerability is a flaw or weakness in a system. It is often the lack of a safeguard or control: lack of training, lack of policies and procedures, lack of a technical safeguard such as encryption or anti-virus software, and so on.

Using the threat of the theft of a laptop as an example again, a vulnerability or weakness may be that the ePHI on the laptop is not encrypted.

Vulnerabilities, whether accidentally triggered or intentionally exploited, could potentially result in a security incident, such as inappropriate access to or disclosure of ePHI. Vulnerabilities may be grouped into two general categories, technical and non-technical.

  1. Non-technical vulnerabilities may include ineffective or non-existent policies, procedures, standards or guidelines.
  2. Technical vulnerabilities may include holes, flaws or weaknesses in the development of information systems, or incorrectly implemented and/or configured information systems.
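The three-ingredient test above (asset, threat, vulnerability), the laptop example, and the technical/non-technical grouping can be expressed as a small risk-identification model. The following is an added example written for this post, not Clearwater’s or NIST’s code: the asset inventory, the threat list and the vulnerability catalog are all constructed sample data, and the idea that a vulnerability is recorded as a missing safeguard is an assumption made to keep the model simple. A risk scenario is emitted only where all three ingredients coincide.

```python
"""Added example: pairing assets, threats and vulnerabilities in the style of
NIST SP 800-30 risk identification. All names, catalog entries and sample data
below are constructed for illustration and are not from Clearwater or NIST."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    safeguards: frozenset  # controls actually in place, e.g. {"encryption"}


@dataclass(frozen=True)
class Threat:
    name: str
    exploits_missing: str  # the safeguard whose absence this threat can exercise


@dataclass(frozen=True)
class Vulnerability:
    description: str
    category: str  # "technical" or "non-technical"


# Constructed catalog (assumption): which missing safeguard is which vulnerability.
VULNERABILITY_CATALOG = {
    "encryption": Vulnerability("ePHI stored unencrypted", "technical"),
    "anti-virus": Vulnerability("no malware protection installed", "technical"),
    "awareness-training": Vulnerability("workforce not trained on security procedures", "non-technical"),
    "sanction-policy": Vulnerability("no written sanction policy", "non-technical"),
}


def vulnerabilities_of(asset: Asset) -> list[Vulnerability]:
    """A vulnerability is the lack of a safeguard: every catalogued control the asset lacks."""
    return [v for ctrl, v in VULNERABILITY_CATALOG.items() if ctrl not in asset.safeguards]


def identify_risks(assets, threats) -> list[tuple[str, str, str, str]]:
    """Risk exists only where all three ingredients coincide: an asset, a threat
    to it, and a vulnerability that threat can exploit or trigger."""
    risks = []
    for asset in assets:
        for threat in threats:
            vuln = VULNERABILITY_CATALOG.get(threat.exploits_missing)
            if vuln is not None and threat.exploits_missing not in asset.safeguards:
                risks.append((asset.name, threat.name, vuln.description, vuln.category))
    return risks


def summarize(risks) -> dict[str, int]:
    """Count identified risk scenarios by vulnerability category."""
    counts = {"technical": 0, "non-technical": 0}
    for _, _, _, category in risks:
        counts[category] += 1
    return counts


# Constructed sample inventory (not real data).
SAMPLE_ASSETS = [
    Asset("clinician laptop", frozenset({"anti-virus"})),
    Asset("EHR database server", frozenset({"encryption", "anti-virus", "awareness-training"})),
]
SAMPLE_THREATS = [
    Threat("theft of laptop", exploits_missing="encryption"),
    Threat("malware infection", exploits_missing="anti-virus"),
    Threat("phishing of workforce member", exploits_missing="awareness-training"),
]

if __name__ == "__main__":
    found = identify_risks(SAMPLE_ASSETS, SAMPLE_THREATS)
    for asset, threat, vuln, category in found:
        print(f"{asset:22} | {threat:28} | {vuln} ({category})")
    print(summarize(found))
```

Running it on the constructed inventory yields two risk scenarios: the unencrypted laptop paired with the theft threat (technical), and the same laptop paired with phishing because awareness training is absent (non-technical). The server, which has all three relevant safeguards, produces none, even though threats to it still exist; that is the point of the three-ingredient test.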

External sources of information about vulnerabilities include hardware and software vendor websites, which may describe incidents others have had and provide patches or service packs to mitigate some of them. Many security associations produce online and print newsletters. Even local business groups, colleges or universities, and the police department may be good sources of information. Hint: Reviewing the Health and Human Services Data Breach Notification website should provide ideas about vulnerabilities that may exist in various information assets.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.



Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.