1. Power outage:
Describes the potential for loss of electricity to exploit one or more vulnerabilities (usually more). However, as with almost all the Threat categories described herein, your thinking needs to be broader than the loss of electricity at your main facility. The loss of electricity at the principal locations of key partners will almost certainly have a negative impact on your operational environment.
2. Denial of Service:
A denial-of-service attack (DoS attack) is a cyber-attack in which the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to the Internet. Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled. The intent is to cripple the targeted computing system.
3. Workforce Exfiltration:
Workforce Exfiltration is similar to data exfiltration but broader; data exfiltration, also called data extrusion, is the unauthorized transfer of data from a computer within an organization to one outside of it. However, data exfiltration is too narrowly defined to cover all potential use cases. Many times data walks out the door with a human being as the transfer agent. Such a transfer may be manual and carried out by someone with physical access to a computer, or it may be automated and carried out through malicious programming over a network. Exfiltration may be acute at a certain time, such as when an employee leaves their current employment - voluntarily or involuntarily. This is especially true if the employee left on bad terms. However, one of the worst exfiltrations in the history of the CIA was carried out by Aldrich Ames, who was an employee in good standing right up to the time he was caught.
4. Fire:
Describes the potential for a Fire at your Facility (or other assets) to exploit one or more vulnerabilities within your operational environment, which it may (and probably will) do. However, Fire could impact you in many more ways that are not readily apparent on their face. For example, a Fire at your cloud storage provider is likely to have a significant impact on your operational environment. The same holds true for Fires at the facilities of other key partners.
5. Media:
Media is the physical storage of data; it should be encrypted and securely stored. Impairments to Media (e.g. hard drives) are generally the primary cause of failure in essential computing equipment (e.g. servers).
6. Personnel:
Consider how Personnel may exploit lack of regulatory compliance. Generally, exploitations by Personnel come in two forms: (1) intentional; and (2) negligent. It is nearly impossible to prevent intentional bad conduct by trusted Personnel. However, the impact of said conduct can be reduced dramatically by following best practices as dictated by the Security Rule. Further, negligent conduct is susceptible to being virtually eliminated with the proper training and organizational commitment.
7. Weather or Natural Disaster:
Consider how weather or natural disaster may exploit lack of regulatory compliance. Weather is notorious for finding vulnerabilities to exploit. At its worst, Weather is capable of eliminating all redundancies and leaving us at its mercy. However, with the advent of cloud computing, most of the egregious negative impacts that Weather may have on an organization's operational environment may be minimized, if not eliminated. Consider how easy it is to mirror cloud-based data in two remote locations that are unlikely to experience weather events at the same time. If all your apps and data live on the Cloud, then you need to get key Personnel out of harm's way and into locations where their access devices (e.g. phones, laptops, tablets) will function.
8. Theft or Lost Device:
Consider how theft or a lost device may exploit lack of regulatory compliance. Devices are lost or stolen all the time. Human proclivities for losing and misplacing things have caused a significant number of non-trivial breaches. The amount of data that a thumb drive can now hold gives some sense of the magnitude of the PHI breaches that portable devices can cause. Mobile devices should be limited to being access-only tools; when, by exception, they are used to store PHI, that PHI should be encrypted. Portable devices should NEVER be used as permanent storage devices for PHI. On an exception basis and for temporary use (e.g. data analytics), they should be deployed carefully and then "wiped" once the temporary use is no longer required.
9. Direct Access Attack:
A direct attack by hackers to access your network, computers or software. This is what the lay public usually refers to as "hacking." It may come as a surprise that "hacking" attacks are not your organization's largest source of Risk. Although it is becoming easier by the day to "hack" (i.e. with dozens of "rootkits" available on the Internet), you can look elsewhere for the low-hanging fruit that will help you achieve the most bang-for-the-buck. There is a consensus in the security community that "the perimeter is dead," which means you have to assume that your perimeter defenses can be compromised and rely on strategies such as minimizing "dwell time" to reduce Risk.
10. Identity Theft:
Consider how identity theft may exploit lack of regulatory compliance. Identity theft has become a multi-billion-dollar industry with the end (or flattening) of growth nowhere in sight. Widespread use of two-factor authentication is emerging as a viable option for curbing its growth. As the name implies, two-factor authentication requires at least two factors: (1) something you know (e.g. user id and password); and (2) something you have (e.g. a smartphone). Because smartphones are ubiquitous among computer users, they have become the de facto "something you have" factor. Although two-factor authentication is highly recommended (an understatement), it, like any other control, is not foolproof. Two-factor authentication can be hacked, BUT it requires a very sophisticated hack, usually incorporating a social engineering phishing attack, to achieve its objective.
11. Social Engineering or Intrusion:
Social Engineering or Intrusion deals with inappropriate access to your network or computers through some form of psychological manipulation. Consider how social engineering or intrusion may exploit lack of regulatory compliance. Social engineering, in the context of information security, refers to psychological manipulation of people into performing actions or divulging confidential information. A type of confidence trick for information gathering, fraud, or system access, it differs from a traditional "con" in that it is often one of many steps in a more complex fraud scheme. The term "social engineering," as an act of psychological manipulation of a human, is also associated with the social sciences, but its usage has caught on among computer and information security professionals. We aggregate Social Engineering with Intrusion because both are means of exploiting vulnerabilities. It matters little how the "bad guys" were able to penetrate your perimeter. What really matters is that they "got in." There are literally millions of vectors for penetrating a perimeter, a number so large that it makes little sense to attempt to attack a wicked problem such as regulatory compliance by dealing with millions of variables.
The problem needs to be "rationalized" before it can be managed. There are no perfect solutions. Moreover, the law does not require perfection. Generally, doing what is "reasonable and appropriate" is sufficient. Unfortunately, too many in the healthcare industry have elected the "Ostrich Strategy" instead of making a good faith attempt at compliance. I will clue you in on a little secret: "Complaining to HHS about not having enough HIPAA education from them is NOT going to help a scintilla the next time a Breach occurs in your organization."