These are terms one should know as they consider a HIPAA Security Risk Analysis. A complete understanding of these terms will help you to perform a complete Risk Analysis.
Availability means the property that data or information is accessible and useable upon demand by an authorized person.
Confidentiality means the property that data or information is not made available or disclosed to unauthorized persons or processes.
Integrity means the property that data or information have not been altered or destroyed in an unauthorized manner.
Vulnerability is defined as a flaw or weakness in system security procedures, design, implementation, or internal controls that could be accidentally triggered or intentionally exploited and result in a security breach or a violation of the system’s security policy.
- Vulnerabilities may result in security breaches and inappropriate access to or disclosure of ePHI.
- Vulnerabilities may be grouped into two general categories, technical and non-technical.
- Non-technical vulnerabilities may include ineffective or non-existent policies, procedures, standards or guidelines.
- Technical vulnerabilities may include holes, flaws or weaknesses in the development of information systems; or incorrectly implemented and/or configured information systems.
A threat is the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability. Many threats may occur within an operating environment or within the information systems an organization operates. Threats may be grouped into general categories such as natural, human, and environmental.
- Examples of natural threats are floods, earthquakes, tornadoes, and landslides.
- Human threats may include intentional or unintentional actions. Examples of intentional actions are network and computer-based attacks, malicious software upload, and unauthorized access to ePHI. Unintentional actions include inadvertent data entry or deletion and inaccurate data entry.
- Environmental threats could be power failures, pollution, chemicals, and liquid leakage.
Risk is defined as the net impact, considering both the probability that a particular threat will exercise (accidentally trigger or intentionally exploit) a particular vulnerability and the resulting impact if this should occur.
Risks arise from actions due to:
- Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
- Unintentional errors and omissions
- IT disruptions due to natural or man-made disasters
- Failure to exercise due care and diligence in the implementation and operation of the IT system.
Risk can be understood as a function of the likelihood of a given threat triggering or exploiting a particular vulnerability, and the resulting impact on the organization. This means that risk is not a single factor or event, but rather it is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization.
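The following is an added example, not part of the original glossary, showing how the definitions above fit together in a small risk register: each entry pairs a threat (natural, human, or environmental) with a vulnerability (technical or non-technical), notes which of confidentiality, integrity, or availability is at stake, and is rated for likelihood and impact. The 3-point rating scale, the product used for the score, and the thresholds that map scores to LOW/MEDIUM/HIGH are assumptions of this example (HIPAA does not prescribe them); the sample entries are constructed for illustration.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Qualitative rating used for both likelihood and impact (assumed 3-point scale)."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


# Category sets taken from the definitions in the glossary above.
THREAT_CATEGORIES = {"natural", "human", "environmental"}
VULNERABILITY_CATEGORIES = {"technical", "non-technical"}
SECURITY_PROPERTIES = {"confidentiality", "integrity", "availability"}


@dataclass(frozen=True)
class RiskItem:
    """One threat/vulnerability pair from a risk register."""
    threat: str
    threat_category: str
    vulnerability: str
    vulnerability_category: str
    property_affected: str   # which of C/I/A the pair puts at risk
    likelihood: Level        # how likely the threat is to exercise the vulnerability
    impact: Level            # resulting impact on the organization if it does

    def __post_init__(self):
        # Reject entries that do not fit the glossary's categories, so the
        # register stays consistent and reviewable.
        if self.threat_category not in THREAT_CATEGORIES:
            raise ValueError(f"unknown threat category: {self.threat_category}")
        if self.vulnerability_category not in VULNERABILITY_CATEGORIES:
            raise ValueError(f"unknown vulnerability category: {self.vulnerability_category}")
        if self.property_affected not in SECURITY_PROPERTIES:
            raise ValueError(f"unknown security property: {self.property_affected}")


def risk_score(likelihood: Level, impact: Level) -> int:
    """Risk as a function of likelihood and impact (assumed: their product, 1..9)."""
    return int(likelihood) * int(impact)


def risk_level(score: int) -> str:
    """Map a numeric score onto a qualitative level (assumed thresholds)."""
    if score >= 6:
        return "HIGH"
    if score >= 3:
        return "MEDIUM"
    return "LOW"


def rank_register(register):
    """Return (item, score, level) tuples, highest risk first."""
    scored = [(item, risk_score(item.likelihood, item.impact)) for item in register]
    scored.sort(key=lambda pair: (-pair[1], pair[0].threat))
    return [(item, score, risk_level(score)) for item, score in scored]


def count_by_level(register):
    """Count how many register entries fall in each risk level."""
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for _, _, level in rank_register(register):
        counts[level] += 1
    return counts


# Constructed sample register: threat and vulnerability types follow the
# glossary; the ratings are illustrative only.
SAMPLE_REGISTER = [
    RiskItem("Unauthorized access to ePHI", "human",
             "Default administrator password left on patient portal", "technical",
             "confidentiality", Level.HIGH, Level.HIGH),
    RiskItem("Flood", "natural",
             "Server room at ground level with no flood mitigation", "non-technical",
             "availability", Level.LOW, Level.HIGH),
    RiskItem("Inaccurate data entry", "human",
             "No input validation on patient record fields", "technical",
             "integrity", Level.MEDIUM, Level.MEDIUM),
    RiskItem("Power failure", "environmental",
             "No written contingency procedure for outages", "non-technical",
             "availability", Level.MEDIUM, Level.LOW),
]


if __name__ == "__main__":
    for item, score, level in rank_register(SAMPLE_REGISTER):
        print(f"{level:6} {score}  {item.threat} / {item.vulnerability}")
    print(count_by_level(SAMPLE_REGISTER))
```

Running the block ranks the sample register with the unauthorized-access entry (likelihood HIGH, impact HIGH) at the top and the power-failure entry (likelihood MEDIUM, impact LOW) at the bottom, which is the practical point of the last paragraph: a low-likelihood flood and a moderate-likelihood data-entry error can land in the same MEDIUM band because risk combines the two factors rather than reflecting either one alone.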