In determining whether risk exists, three key ingredients are required: 1) an asset; 2) a threat to that asset; and, 3) a vulnerability that the threat may exploit or trigger. An adapted definition of vulnerability, from NIST SP 800-30, is “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.” Here’s today’s big tip — Learn how to define and identify threats!
A vulnerability is a flaw or weakness in a system. It is often a lack of a safeguard or control… lack of training, lack of policies and procedures, lack of a technical safeguard such as encryption or anti-virus software, etc.
Using the threat of laptop theft as an example again, a vulnerability or weakness may be that the ePHI is not encrypted.
Vulnerabilities, whether accidentally triggered or intentionally exploited, could potentially result in a security incident, such as inappropriate access to or disclosure of ePHI. Vulnerabilities may be grouped into two general categories: technical and non-technical.
- Non-technical vulnerabilities may include ineffective or non-existent policies, procedures, standards or guidelines.
- Technical vulnerabilities may include: holes, flaws or weaknesses in the development of information systems; or incorrectly implemented and/or configured information systems.
External sources of information about vulnerabilities include hardware and software vendor Web sites that might describe incidents others have had and provide patches or service packs to mitigate some of these. Many security associations produce online and print newsletters. Even local business groups, colleges or universities, and the police department may be good sources of information. Hint: Review of the Health and Human Services Data Breach Notification website should provide ideas about vulnerabilities that may exist to various information assets.