Table 2 – Common Threat Sources

Type | Examples
Natural | Floods, earthquakes, tornados, landslides, avalanches, electrical storms, and other such events
Human | Events that are either enabled by or caused by human beings, such as unintentional acts (e.g., inadvertent data entry) or deliberate actions (e.g., network-based attacks, malicious software upload, unauthorized access to confidential information)
Environmental | Long-term power failure, pollution, chemicals, liquid leak

Regulated entities may make use of various sources [16] when identifying relevant threats. Some of the resources listed in Appendix F may help regulated entities identify common threats relevant to small, medium, and large organizations. Internet searches, vendor information, insurance data, and crime statistics are also viable sources of threat data. Ultimately, regulated entities should identify all threats to ePHI. Examples of some common threat sources are listed in Table 2. Regulated entities can also use Tables 8 to 10 in Appendix C as resources for identifying relevant threat events and threat sources.
3. Identify Potential Vulnerabilities and Predisposing Conditions. For any of the various threats identified above to result in an impactful risk, each needs a vulnerability or predisposing condition that can be exploited. The identification of vulnerabilities or conditions that a threat could use to cause impact is an important component of risk assessment. While it is necessary to review threats and vulnerabilities as unique elements, they are often considered at the same time. Many organizations will consider a given loss scenario and evaluate both. What threat sources might initiate which threat events? What vulnerabilities or predisposing conditions might those threat sources exploit to cause an adverse impact?
The regulated entity develops a list of vulnerabilities (flaws or weaknesses) that could be exploited by potential threat sources. This list should focus on realistic technical and nontechnical areas where ePHI can be disclosed without proper authorization, improperly modified, or made unavailable when needed. Regulated entities should use internal and external sources to identify potential vulnerabilities. Internal sources may include previous risk assessments, vulnerability scan and system security test results (e.g., penetration tests), and audit reports. External sources may include internet searches, vendor information, insurance data, and vulnerability databases, such as the National Vulnerability Database [NIST NVD]. In Appendix F, a suggested (but not all-inclusive) resource list is provided that organizations may wish to use in vulnerability identification.
[16] Regulated entities may benefit from [IR 8286A], specifically Section 2.2.2, when identifying threats to ePHI.
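The two steps above (identify threat sources and the threat events they can initiate, then identify the vulnerabilities or predisposing conditions those events could exploit) are usually worked together as loss scenarios. The following Python script is an added illustration, not part of the NIST document: it pairs constructed threat sources from each Table 2 type with a constructed vulnerability list, emits one loss scenario per (source, event, vulnerability) match, and reports threat sources that currently have no exploitable vulnerability (and so, per the text, cannot yet produce an impactful risk) as well as listed vulnerabilities with no realistic threat behind them. All names and pairings are hypothetical sample data.

```python
from dataclasses import dataclass
from itertools import product
from collections import Counter


@dataclass(frozen=True)
class ThreatSource:
    name: str
    kind: str          # "Natural", "Human" or "Environmental", the Table 2 types
    events: tuple      # threat events this source could initiate


@dataclass(frozen=True)
class Vulnerability:
    name: str
    exploited_by: frozenset  # threat events that could exploit this flaw
    impact: str              # ePHI property at stake: confidentiality / integrity / availability


@dataclass(frozen=True)
class LossScenario:
    source: str
    event: str
    vulnerability: str
    impact: str


# Constructed sample data (hypothetical; not from the NIST document).
SOURCES = [
    ThreatSource("River flood", "Natural", ("flooding of server room",)),
    ThreatSource("Tornado", "Natural", ("wind damage to facility",)),
    ThreatSource("Billing clerk", "Human",
                 ("inadvertent data entry", "unauthorized access to confidential information")),
    ThreatSource("External attacker", "Human",
                 ("network-based attack", "malicious software upload")),
    ThreatSource("Regional grid outage", "Environmental", ("long-term power failure",)),
]

VULNERABILITIES = [
    Vulnerability("Server room on ground floor without flood barrier",
                  frozenset({"flooding of server room"}), "availability"),
    Vulnerability("No input validation on patient record form",
                  frozenset({"inadvertent data entry"}), "integrity"),
    Vulnerability("Unpatched VPN appliance",
                  frozenset({"network-based attack"}), "confidentiality"),
    Vulnerability("Weak password policy",
                  frozenset({"unauthorized access to confidential information"}), "confidentiality"),
    Vulnerability("Workstations allow USB autorun",
                  frozenset({"malicious software upload"}), "integrity"),
    Vulnerability("No UPS or generator",
                  frozenset({"long-term power failure"}), "availability"),
    Vulnerability("Legacy dial-in modem still connected",
                  frozenset({"dial-in intrusion"}), "confidentiality"),
]


def build_loss_scenarios(sources, vulns):
    """One scenario per threat event that has a vulnerability it could exploit."""
    scenarios = []
    for src, vuln in product(sources, vulns):
        for event in src.events:
            if event in vuln.exploited_by:
                scenarios.append(LossScenario(src.name, event, vuln.name, vuln.impact))
    return scenarios


def threats_without_vulnerability(sources, scenarios):
    """Threat sources that match no vulnerability: no impactful risk until one is found."""
    covered = {s.source for s in scenarios}
    return [src.name for src in sources if src.name not in covered]


def vulnerabilities_without_threat(vulns, scenarios):
    """Listed flaws no identified threat source could realistically exploit."""
    covered = {s.vulnerability for s in scenarios}
    return [v.name for v in vulns if v.name not in covered]


def impact_summary(scenarios):
    """Count scenarios by the ePHI property (C/I/A) each one would affect."""
    return dict(Counter(s.impact for s in scenarios))


if __name__ == "__main__":
    found = build_loss_scenarios(SOURCES, VULNERABILITIES)
    for s in found:
        print(f"{s.source} -> {s.event} -> {s.vulnerability} [{s.impact}]")
    print("Threats lacking an exploitable vulnerability:",
          threats_without_vulnerability(SOURCES, found))
    print("Vulnerabilities lacking a realistic threat:",
          vulnerabilities_without_threat(VULNERABILITIES, found))
    print("Scenarios by impact:", impact_summary(found))
```

The two "without" reports are the useful part of the exercise: an uncovered threat source is a prompt to look harder for predisposing conditions (or to document why none applies), while an uncovered vulnerability is a candidate for de-prioritisation rather than an automatic finding.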