Breaking Down Threats, Vulnerabilities, and Risks

Today I am breaking down threats, vulnerabilities, and risks into byte-size portions to help you understand how they are significant to your organization. Before I can break down today’s topic, I first should set the stage. 

Setting the Stage for Threats, Vulnerabilities, and Risks

The Security Management Process standard, 45 CFR § 164.308, requires regulated entities to evaluate threats, vulnerabilities, and risks in their environments and to implement policies and procedures to prevent, detect, contain, and correct security violations. Regulated entities should be familiar with these three terms and the relationship between them:

  1. Vulnerability
  2. Threat
  3. Risk

Note: These terms are not specifically defined in the HIPAA Security Rule. The definitions in this paper are provided to put the Risk Analysis and Risk Management discussion in context.

Threat, Vulnerability, and Risk Definitions


The Guide for Conducting Risk Assessments by the National Institute of Standards and Technology (NIST), NIST SP 800-30, defines a threat as:

Any circumstance or event with the potential to adversely impact organizational operations and assets, individuals, other organizations, or the Nation through an information system via unauthorized access, destruction, disclosure, or modification of information, and/or denial of service.

Threat events are caused by threat sources. A threat source is characterized as:

  (i) the intent and method targeted at the exploitation of a vulnerability; or
  (ii) a situation and method that may accidentally exploit a vulnerability.

In general, types of threat sources include:

  1. Hostile cyber or physical attacks;
  2. Human errors of omission or commission;
  3. Structural failures of organization-controlled resources (e.g., hardware, software, environmental controls); and
  4. Natural and man-made disasters, accidents, and failures beyond the control of the organization.


The Guide for Conducting Risk Assessments by the National Institute of Standards and Technology (NIST), NIST SP 800-30, defines a vulnerability as:

A vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.

Vulnerabilities, whether accidentally triggered or intentionally exploited, could potentially result in a security incident, such as an inappropriate use or disclosure of electronic protected health information (ePHI).

Vulnerabilities may be grouped into two general categories: technical and non-technical.

  • Non-technical vulnerabilities may include ineffective or non-existent policies, procedures, standards or guidelines.
  • Technical vulnerabilities may include: holes, flaws or weaknesses in the development of information systems; or incorrectly implemented and/or configured information systems.

Remember: A vulnerability triggered or exploited by a threat equals a risk.

Vulnerabilities can also be found in external relationships such as: 

  • Dependencies on particular energy sources
  • Supply chains
  • Information technologies
  • Telecommunications providers 
  • Poorly defined mission/business processes
  • Poor enterprise/information security architecture decisions


The Guide for Conducting Risk Assessments by the National Institute of Standards and Technology (NIST), NIST SP 800-30, defines a risk as:

A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of:

  1. The adverse impacts that would arise if the circumstance or event occurs; and
  2. The likelihood of occurrence.

This means that risk is not a single factor or event, but rather it is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization.

Remember: A vulnerability triggered or exploited by a threat equals a risk.
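The "risk is a function of impact and likelihood" idea above can be made concrete as a small risk register: each entry pairs a threat source with a vulnerability, carries a qualitative likelihood and impact, and is rated so the highest-risk pairs surface first. The following Python is an added example written for this post, not NIST's own method or tables. The five-level scale, the "round the average up" combination rule, the tolerance threshold, and all register entries are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Qualitative scale, ordered lowest to highest.  This five-level scale is an
# assumption modelled loosely on the qualitative approach in NIST SP 800-30;
# it is not a copy of any NIST table.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]


@dataclass(frozen=True)
class Vulnerability:
    name: str
    category: str  # "technical" or "non-technical", as the post categorises them


@dataclass(frozen=True)
class ThreatSource:
    name: str
    kind: str  # "hostile", "human error", "structural" or "natural"


@dataclass(frozen=True)
class RiskEntry:
    """A threat source acting on a vulnerability: the thing that becomes a risk."""
    threat: ThreatSource
    vulnerability: Vulnerability
    likelihood: str  # one of LEVELS
    impact: str      # one of LEVELS


def _index(level: str) -> int:
    """Position of a qualitative level on the scale; rejects unknown labels."""
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level!r}")
    return LEVELS.index(level)


def risk_level(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact into one qualitative risk level.

    Combination rule (an assumption for this example): average the two scale
    positions and round up, so a Low likelihood paired with a Very High impact
    still rates High rather than being averaged down.
    """
    score = _index(likelihood) + _index(impact)
    return LEVELS[(score + 1) // 2]


def prioritize(register: List[RiskEntry],
               tolerance: str = "Moderate") -> List[Tuple[RiskEntry, str]]:
    """Return (entry, level) pairs rated strictly above the tolerance, highest first."""
    rated = [(entry, risk_level(entry.likelihood, entry.impact)) for entry in register]
    above = [(entry, level) for entry, level in rated if _index(level) > _index(tolerance)]
    return sorted(above, key=lambda pair: _index(pair[1]), reverse=True)


# Constructed sample register: hypothetical entries for illustration only.
SAMPLE_REGISTER = [
    RiskEntry(ThreatSource("Ransomware operator", "hostile"),
              Vulnerability("Unpatched file server", "technical"),
              likelihood="High", impact="Very High"),
    RiskEntry(ThreatSource("Staff member", "human error"),
              Vulnerability("No ePHI handling procedure", "non-technical"),
              likelihood="Moderate", impact="High"),
    RiskEntry(ThreatSource("Regional power outage", "structural"),
              Vulnerability("Single-site backup power", "technical"),
              likelihood="Low", impact="Moderate"),
    RiskEntry(ThreatSource("Flood", "natural"),
              Vulnerability("Data center on a flood plain", "non-technical"),
              likelihood="Very Low", impact="Very High"),
]


if __name__ == "__main__":
    for entry, level in prioritize(SAMPLE_REGISTER):
        print(f"{level:>9}: {entry.threat.name} -> {entry.vulnerability.name}")
```

Running the block prints the two entries above the Moderate tolerance (the unpatched server rated Very High, the missing procedure rated High); the two Moderate entries are tracked but not escalated. Swapping the tolerance or the combination rule is where an organization's own appetite for risk enters, which is exactly the policy decision the Security Rule leaves to the regulated entity.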

Something to Ponder

Here are four questions for you to ponder. Does your organization address the following?

  1. Does your organization have a dedicated Compliance Officer responsible for enforcing and maintaining HIPAA Privacy and Security policies?
  2. What are your policies for data segregation and encryption?
  3. Have you applied all applicable security patches?
  4. Does your employee and third-party vendor training include security best practices?