Answer:
The risk analysis process will identify the threats to electronic
protected health information (EPHI), that is, the potential sources of
harm whose likelihood and impact together make up a security risk. The
threats a covered entity decides to address will depend on which threats
would affect the confidentiality, integrity, and/or availability of EPHI.
Threats may affect both information (data) and the systems that store,
process, or transmit it. The National
Institute of Standards and Technology (NIST) publishes information
security guidance for federal agencies. Some NIST documents may be of
limited use to small organizations, since they are written with large,
governmental organizations in mind. One such document, Special Publication
(SP) 800-30, Risk Management Guide for Information Technology Systems
(the 2002 edition; the current Revision 1 is titled Guide for Conducting
Risk Assessments), groups threat sources into three common categories:
Human, Natural, and Environmental. The list below is adapted from this
NIST SP and is not
comprehensive, but rather a sampling of possible threat categories and
associated threats.
1. Natural: Floods, earthquakes, tornadoes, landslides, avalanches,
electrical storms, and other such events.
2. Human: Events that are either enabled by or caused by human beings,
whether unintentional (such as inadvertent data entry) or deliberate
(such as network-based attacks, uploading malicious software, or
unauthorized access to confidential information).
3. Environmental: Long-term power failure, pollution, chemicals, and
liquid leakage.
An example of a natural threat is a hurricane. Depending on the
geographic location of the entity, the likelihood of that event could be
low, medium, or high, and one of the associated risks is that the power
could fail and the information systems holding EPHI could become
unavailable. Based on that assessment of likelihood and impact, the
organization should decide how to treat the risk, for example with
backup power or a contingency plan for restoring the affected systems.