NIST SP 800-66r2 ipd INITIAL PUBLIC DRAFT
IMPLEMENTING THE HIPAA SECURITY RULE: A CYBERSECURITY RESOURCE GUIDE
5. Determine the Impact of a Threat Exploiting a Vulnerability. The regulated entity determines the impact that could occur to ePHI if a threat event exploits a vulnerability. As with likelihood determination, a regulated entity may choose to express this impact in qualitative terms, such as “low,” “moderate,” and “high” or using any other scale that the entity chooses. When selecting an impact rating, the regulated entity may consider how the threat event can affect the loss or degradation of the confidentiality, integrity, and/or availability of ePHI. Table 4 provides a brief description of each security objective (i.e., confidentiality, integrity, and availability) and the impact of it not being met. The regulated entity should select an impact rating for each identified threat/vulnerability pair.
Impact information can sometimes be obtained from existing organizational documentation, such as business impact and asset criticality assessments. A business impact assessment prioritizes the impact levels associated with the compromise of an organization’s information assets based on a qualitative or quantitative assessment of the sensitivity and criticality of those assets. An asset criticality assessment identifies and prioritizes the organization’s information assets (e.g., hardware, software, systems, services, and related technology assets) that support the organization’s critical missions.
Some tangible impacts can be measured quantitatively in terms of lost revenue, the cost of repairing the system, or the level of effort required to correct problems caused by a successful threat action. Other impacts – such as the loss of public confidence, the loss of credibility, or damage to an organization’s interests – cannot be measured in specific units but can be qualified or described in terms of “high,” “moderate,” and “low” impacts, for example. Qualitative and quantitative methods can both be used to determine the impact of a threat event exploiting a vulnerability. Regulated entities may consult Table 5 to assist in identifying potential adverse impacts and to subsequently assign an impact rating to each threat/vulnerability pair.
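The impact-determination step above is easiest to keep consistent when the rating rule is written down once and applied to every threat/vulnerability pair. The following is an added worked example, not code from NIST SP 800-66r2 or from any regulated entity: it records a qualitative level or a quantitative loss estimate for each security objective (confidentiality, integrity, availability), maps quantitative estimates onto the same low/moderate/high scale using assumed dollar thresholds, and takes the worst effect on any one objective as the pair's impact rating. The thresholds, the sample pairs, and the function names are all constructed for illustration.

```python
"""Impact determination for threat/vulnerability pairs (Step 5 of the risk
assessment described in SP 800-66r2).

Added illustration, not NIST code. The dollar thresholds and the sample
pairs below are constructed assumptions; a regulated entity chooses its
own scale.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

LEVELS = ("low", "moderate", "high")  # qualitative scale used in the text
OBJECTIVES = ("confidentiality", "integrity", "availability")

# ASSUMED thresholds (USD) that map a measurable loss onto the qualitative
# scale, so quantitative and qualitative ratings can be combined.
QUANT_THRESHOLDS = {"moderate": 10_000, "high": 100_000}

# A rating is a level string, a non-negative loss estimate, or None when the
# threat event does not affect that objective at all.
Rating = Union[str, float, int, None]


def rate_quantitative(loss_usd: float) -> str:
    """Convert a measurable loss (lost revenue, repair cost, effort) to a level."""
    if loss_usd < 0:
        raise ValueError("loss estimate must be non-negative")
    if loss_usd >= QUANT_THRESHOLDS["high"]:
        return "high"
    if loss_usd >= QUANT_THRESHOLDS["moderate"]:
        return "moderate"
    return "low"


def normalize(rating: Rating) -> Optional[str]:
    """Accept a qualitative level or a quantitative estimate; reject anything else."""
    if rating is None:
        return None
    if isinstance(rating, str):
        level = rating.lower()
        if level not in LEVELS:
            raise ValueError(f"unknown impact level {rating!r}; use one of {LEVELS}")
        return level
    return rate_quantitative(float(rating))


def combine_ratings(ratings: List[Optional[str]]) -> str:
    """The pair's impact is the worst effect on any single security objective."""
    present = [r for r in ratings if r is not None]
    if not present:
        raise ValueError("at least one security objective must be rated")
    return max(present, key=LEVELS.index)


@dataclass
class ThreatVulnPair:
    threat: str
    vulnerability: str
    impacts: Dict[str, Rating]  # keyed by objective; missing or None = unaffected


def assess_pair(pair: ThreatVulnPair) -> Dict[str, object]:
    """Rate one threat/vulnerability pair per objective and overall."""
    unknown = set(pair.impacts) - set(OBJECTIVES)
    if unknown:
        raise ValueError(f"unknown security objectives {sorted(unknown)}")
    per_objective = {obj: normalize(pair.impacts.get(obj)) for obj in OBJECTIVES}
    return {
        "threat": pair.threat,
        "vulnerability": pair.vulnerability,
        "per_objective": per_objective,
        "impact": combine_ratings(list(per_objective.values())),
    }


def build_register(pairs: List[ThreatVulnPair]) -> List[Dict[str, object]]:
    """Produce one rated row per threat/vulnerability pair."""
    return [assess_pair(p) for p in pairs]


# Constructed sample pairs (illustrative only, not taken from the guide).
SAMPLE_PAIRS = [
    ThreatVulnPair("Phishing of clinic staff", "No MFA on webmail",
                   {"confidentiality": "high", "integrity": "moderate",
                    "availability": "low"}),
    ThreatVulnPair("Ransomware", "Unpatched file server holding ePHI",
                   {"confidentiality": "moderate", "integrity": 150_000,
                    "availability": "high"}),
    ThreatVulnPair("Power outage", "No UPS in server room",
                   {"availability": 5_000}),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_PAIRS):
        print(f"{row['impact']:<8} {row['threat']} / {row['vulnerability']}: "
              f"{row['per_objective']}")
```

Taking the maximum across objectives is one defensible rule; an entity that weights availability of clinical systems more heavily than confidentiality, for instance, would replace `combine_ratings` with its own policy while keeping the per-objective record, which is what makes the rating reviewable later.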
Table 4. Security Objectives and Impacts

Security Objective: Loss of Confidentiality
Impacts: System and data confidentiality refers to the protection of information from unauthorized disclosure (i.e., the data or information is not made available or disclosed to unauthorized persons or processes). The impact of an unauthorized disclosure of confidential information can range from the jeopardizing of national security to the disclosure of Privacy Act data. Unauthorized, unanticipated, or unintentional disclosure could result in the loss of public confidence, embarrassment, or legal action against the organization.

Security Objective: Loss of Integrity
Impacts: System and data integrity refers to the requirement that information be protected from improper modification (i.e., data or information have not been altered or destroyed in an unauthorized manner). Integrity is lost if unauthorized changes are made to the data or system by either intentional or accidental acts. If the loss of system