
NIST SP 800-66r2 ipd INITIAL PUBLIC DRAFT


IMPLEMENTING THE HIPAA SECURITY RULE: A CYBERSECURITY RESOURCE GUIDE

Table 2 – Common Threat Sources

Type            Examples
Natural         Floods, earthquakes, tornados, landslides, avalanches, electrical storms, and other such events
Human           Events that are either enabled by or caused by human beings, such as unintentional acts (e.g., inadvertent data entry) or deliberate actions (e.g., network-based attacks, malicious software upload, unauthorized access to confidential information)
Environmental   Long-term power failure, pollution, chemicals, liquid leak

Regulated entities may make use of various sources¹⁶ when identifying relevant threats. Some of the resources listed in Appendix F may help regulated entities identify common threats relevant to small, medium, and large organizations. Internet searches, vendor information, insurance data, and crime statistics are also viable sources of threat data. Ultimately, regulated entities should identify all threats to ePHI. Examples of some common threat sources are listed in Table 2. Regulated entities can also use Tables 8 to 10 in Appendix C as resources for identifying relevant threat events and threat sources.


3. Identify Potential Vulnerabilities and Predisposing Conditions. For any of the various threats identified above to result in an impactful risk, each needs a vulnerability or predisposing condition that can be exploited. The identification of vulnerabilities or conditions that a threat could use to cause impact is an important component of risk assessment. While it is necessary to review threats and vulnerabilities as unique elements, they are often considered at the same time. Many organizations will consider a given loss scenario and evaluate both. What threat sources might initiate which threat events? What vulnerabilities or predisposing conditions might those threat sources exploit to cause an adverse impact?


The regulated entity develops a list of vulnerabilities (flaws or weaknesses) that could be exploited by potential threat sources. This list should focus on realistic technical and nontechnical areas where ePHI can be disclosed without proper authorization, improperly modified, or made unavailable when needed. Regulated entities should use internal and external sources to identify potential vulnerabilities. Internal sources may include previous risk assessments, vulnerability scan and system security test results (e.g., penetration tests), and audit reports. External sources may include internet searches, vendor information, insurance data, and vulnerability databases, such as the National Vulnerability Database [NIST NVD]. In Appendix F, a suggested (but not all-inclusive) resource list is provided that organizations may wish to use in vulnerability identification.
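The paragraph above names vulnerability databases such as the NVD as an external source for vulnerability identification. The following is an added example (not part of NIST SP 800-66r2) of how a regulated entity can mechanically cross-reference its ePHI asset inventory against CVE records. It assumes the record layout of the NVD API 2.0 response (the `vulnerabilities`, `cve.id`, `metrics.cvssMetricV31`, and `configurations[].nodes[].cpeMatch[]` fields) but embeds a constructed excerpt so it runs offline; the asset names, CPE names, and the `CVE-0000-000x` identifiers are constructed placeholders, not real entries.

```python
"""
Cross-reference a constructed asset inventory against an NVD-style CVE
record excerpt to surface candidate vulnerabilities for the risk assessment.
Added example; not part of NIST SP 800-66r2. All data below is constructed
and the CVE identifiers are placeholders, not real NVD entries.
"""
from typing import Iterator

# Constructed inventory: one CPE 2.3 name per component that stores or
# processes ePHI (in practice this comes from the asset inventory step).
INVENTORY = [
    {"asset": "ehr-db-01", "cpe": "cpe:2.3:a:exampledb:dbserver:3.2.1:*:*:*:*:*:*:*"},
    {"asset": "portal-web-01", "cpe": "cpe:2.3:a:exampleweb:webapp:4.9.0:*:*:*:*:*:*:*"},
    {"asset": "billing-01", "cpe": "cpe:2.3:a:exampledb:dbserver:4.0.0:*:*:*:*:*:*:*"},
]

# Constructed excerpt shaped like an NVD API 2.0 response (only the fields
# used here are present). CVE ids are placeholders.
NVD_EXCERPT = {
    "vulnerabilities": [
        {"cve": {
            "id": "CVE-0000-0001",  # placeholder id
            "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8}}]},
            "configurations": [{"nodes": [{"cpeMatch": [
                {"vulnerable": True,
                 "criteria": "cpe:2.3:a:exampledb:dbserver:*:*:*:*:*:*:*:*",
                 "versionStartIncluding": "3.0.0",
                 "versionEndExcluding": "3.3.0"}]}]}],
        }},
        {"cve": {
            "id": "CVE-0000-0002",  # placeholder id
            "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 5.3}}]},
            "configurations": [{"nodes": [{"cpeMatch": [
                {"vulnerable": True,
                 "criteria": "cpe:2.3:a:exampleweb:webapp:4.9.0:*:*:*:*:*:*:*"}]}]}],
        }},
    ]
}


def version_key(version: str) -> tuple:
    """Turn a dotted version into an integer tuple ('3.2.1' -> (3, 2, 1)).
    Simplification: real NVD data also carries non-numeric version strings."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def cpe_matches(asset_cpe: str, match: dict) -> bool:
    """True if the asset CPE falls inside one NVD cpeMatch entry: part, vendor
    and product must agree, then the version is checked against either the
    literal version in the criteria or the version range on the entry."""
    a, c = asset_cpe.split(":"), match["criteria"].split(":")
    for i in range(2, 5):  # fields 2..4 are part, vendor, product
        if c[i] != "*" and c[i] != a[i]:
            return False
    asset_ver = a[5]
    if c[5] != "*":
        return c[5] == asset_ver
    v = version_key(asset_ver)
    lo = match.get("versionStartIncluding")
    hi = match.get("versionEndExcluding")
    if lo is not None and v < version_key(lo):
        return False
    if hi is not None and v >= version_key(hi):
        return False
    return True


def iter_cpe_matches(cve: dict) -> Iterator[dict]:
    """Yield every cpeMatch entry flagged vulnerable in one CVE record."""
    for config in cve.get("configurations", []):
        for node in config.get("nodes", []):
            for match in node.get("cpeMatch", []):
                if match.get("vulnerable"):
                    yield match


def base_score(cve: dict):
    """CVSS v3.1 base score if the record carries one, else None."""
    metrics = cve.get("metrics", {}).get("cvssMetricV31", [])
    return metrics[0]["cvssData"]["baseScore"] if metrics else None


def find_exposures(inventory: list, feed: dict) -> list:
    """One record per (asset, CVE) pair whose CPE matches, highest CVSS
    score first so the risk register can be prioritised from the top."""
    hits = []
    for item in feed.get("vulnerabilities", []):
        cve = item["cve"]
        for asset in inventory:
            if any(cpe_matches(asset["cpe"], m) for m in iter_cpe_matches(cve)):
                hits.append({"asset": asset["asset"], "cve": cve["id"],
                             "cvss": base_score(cve)})
    return sorted(hits, key=lambda h: -(h["cvss"] or 0))


if __name__ == "__main__":
    for hit in find_exposures(INVENTORY, NVD_EXCERPT):
        print(f"{hit['asset']}: {hit['cve']} (CVSS {hit['cvss']})")
```

The output is only a candidate list: each hit still has to be paired with the threat sources from Table 2 and an impact estimate before it becomes a risk entry, and a version-range match on CPE does not by itself confirm the asset is exploitable in its deployed configuration.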

¹⁶ Regulated entities may benefit from [IR 8286A], specifically Section 2.2.2, when identifying threats to ePHI.

13
