HIPAA Vulnerabilities, Threats and Risks
To help you better understand the HIPAA Security Risk Analysis and Risk Management processes, Covered Entities (CEs) and Business Associates (BAs) should familiarize themselves with several important terms, including HIPAA vulnerabilities, threats and risks and the relationship between the three terms.
These terms are not specifically defined in the Security Rule. Rather, the following definitions are consistent with common industry definitions and are from documented sources, such as NIST SP 800-30*.
A risk analysis identifies potential threats to and vulnerabilities of information systems and the associated risk.
What is the meaning of HIPAA Vulnerabilities, Threats and Risks?
A Vulnerability* is defined as “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.”
Vulnerabilities, whether accidentally triggered or intentionally exploited, could potentially result in a security incident, such as an inappropriate use or disclosure of electronic protected health information (ePHI).
Vulnerabilities may be grouped into two general categories, technical and non-technical.
- Non-technical vulnerabilities may include ineffective or non-existent policies, procedures, standards or guidelines.
- Technical vulnerabilities may include: holes, flaws or weaknesses in the development of information systems; or incorrectly implemented and/or configured information systems.
A Vulnerability triggered or exploited by a Threat equals a Risk.
An adapted definition of threat* is “[t]he potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”
There are several types of threats that may occur within an information system or operating environment. Threats may be grouped into general categories such as natural, human, and environmental.
Examples of common threats in each of these general categories include:
- Natural threats may include floods, earthquakes, tornadoes, and landslides.
- Human threats triggered by humans and may include intentional (e.g., network and computer based attacks, malicious software upload, and unauthorized access to ePHI) or unintentional (e.g., inadvertent data entry or deletion and inaccurate data entry) actions.
- Environmental threats may include power failures, pollution, chemicals, and liquid leakage.
The definition of risk is clearer once threat and vulnerability are defined. An adapted definition of risk* is:
“The net mission impact considering (1) the probability that a particular [threat] will exercise (accidentally trigger or intentionally exploit) a particular [vulnerability] and (2) the resulting impact if this should occur.
…[R]isks arise from legal liability or mission loss due to—
1. Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
2. Unintentional errors and omissions
3. IT disruptions due to natural or man-made disasters
4. Failure to exercise due care and diligence in the implementation and operation of the IT system.”
This means that risk is not a single factor or event, but rather it is a combination of factors or events ( threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization.
Risk is a function of:
- the likelihood of a given threat triggering or exploiting a particular vulnerability, and
- the resulting impact on the organization.
Covered Entities and Business Associates need to understand patients are entrusting them with their most private and intimate details, they expect it to remain secure.
Besides, it is YOUR practice, YOUR patient’s, YOUR reputation and YOUR legacy! Why are you leaving yourself wide open to their risks?
Don’t know where or how to start or update your HIPAA security compliance program? Let’s chat about your compliance program – schedule a call with HIPAA alli today!