What are some examples of threats that covered entities should address when conducting their risk analysis in order to comply with the Security Rule?


The risk analysis process will identify potential threats to, and vulnerabilities of, systems containing electronic protected health information (e-PHI). The risks a covered entity decides to address, and how the covered entity decides to address the risks, will depend on the probability and likely impact of threats affecting the confidentiality, integrity, and/or availability of e-PHI. Threats may affect information (data) and systems. The National Institute of Standards and Technology (NIST) provides information security guidance materials. NIST Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems, categorizes threats into three common categories: Human, Natural, and Environmental. The list below is adapted from this NIST SP and is not comprehensive, but rather a sampling of possible risk categories and associated threats.

1. Natural: Floods, earthquakes, tornadoes, landslides, avalanches, electrical storms, and other such events.

2. Human: Events that are either enabled by or caused by human beings, such as unintentional acts (inadvertent data entry) or deliberate actions (network-based attacks, malicious software upload, unauthorized access to confidential information).

3. Environmental: Long-term power failure, pollution, chemicals, and liquid leakage.

An example of a natural threat is the occurrence of a hurricane. Depending on the geographic location of the entity, the likelihood of that occurrence could be low, medium, or high, and one of the risks associated with the occurrence may be that the power could fail and the information systems could be unavailable. Based on the assessment conducted, the organization should develop a strategy to manage the risks associated with the potential of such a threat.

Content created by Office for Civil Rights (OCR)