Memo: reasonably anticipated threats to protected health information

What are possible threats to protected health information (PHI), electronic (ePHI) or otherwise?

The US Department of Health and Human Services defines a threat as “the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.” Threats are broken down into three categories:

  • Environmental: referring to immediate physical environments, such as offices or data centers
  • Natural: referring to weather, natural disasters, mass human events, and Acts of God
  • Human: referring to individuals who could cause harm, either inadvertently or negligently, or intentionally and maliciously

Aligned Risk Management has identified the following reasonably anticipated threats to the security, privacy and availability of ePHI.

  1. Environmental Threats
    1. Internet outage: Failure of the application server to connect to the internet, failure of DNS servers to resolve the server's domain name, upstream connection failure, and other internet outages.
    2. Power outage: Failure of power systems at the data center, failure of the power supply to the data center, and other power outages.
    3. Hardware failure: Failure of any hardware component of the server or data center where the application is hosted. Refers to failures caused by wear, age, design flaws, and other inherent hardware weaknesses.
    4. Software failure: Failure of any application, operating system or other software component to operate as intended. Includes malware infections, data corruption and functional failures.
    5. Site pollution: Fire, spills, accidents, etc.
  2. Natural Threats
    1. Floods, earthquakes, tornadoes, landslides, etc.: Any unpredictable large-scale threat over which humans have no control. Also includes mass human events, such as war, terror attacks, strikes, epidemics, alien invasions, zombie apocalypse, etc.
  3. Human Threats
    1. Internal threats: Authorized users, staff, Business Associates, trusted advisors, etc. The least dramatic but most common threats to the security, privacy and availability of ePHI.
      1. Inadvertent disclosure of ePHI: Unintentional action by an authorized user, or failure of the application, that inadvertently discloses any ePHI to any unauthorized user.
      2. Inadvertent data entry, modification or deletion: User error. Accidental and unintentional action or omission by an authorized user that causes damage to the security or availability of ePHI.
      3. Malicious disclosure of ePHI by an authorized user: Deliberate disclosure by an authorized user who intends to obtain some personal gain or to cause harm.
      4. Malicious destruction of ePHI by an authorized user: Deliberate sabotage by an authorized user who intends to cause harm.
    2. External threats: Ex-employees, hackers, thieves, etc.
      1. Unauthorized observation of ePHI: An unauthorized person is able to observe improperly controlled ePHI.
      2. Unauthorized person gains access using genuine credentials: An attacker successfully logs into a controlled system using the genuine username and password, or other credentials, of an authorized user.
      3. Technological attack against a controlled system: An attacker exercises a technological vulnerability of an ePHI system still controlled by the covered entity.
      4. Technological attack outside any control or response: An attacker gains indefinite physical control of an ePHI system (for example, a stolen device or storage medium) and is able to exercise vulnerabilities without detection or intervention by the covered entity.
      5. Social engineering: An attacker uses psychological manipulation to induce authorized users to act against security policies or to divulge confidential information.
      6. Malicious destruction of ePHI by an unauthorized user: Deliberate sabotage by an attacker who intends to cause harm.
  4. Compliance Gaps
    1. Civil liability for failure to implement a HIPAA-mandated specification: Failure to implement or adequately document certain required policies and procedures.
    2. Civil liability for failure to follow documented policies: Failure by the covered entity or its workforce to follow the policies and procedures it has documented.