HIPAA Security Implementation, Version 1.0
10.5 SCOPE THE SUBJECT OF THE THREAT
It is important to understand the boundaries of the asset you are trying to protect. Where does it begin and where does it end? You cannot calculate the threat to an asset, either quantitatively or qualitatively, until you have determined what specifically is the subject of the threat. In other words, you need to know what is being threatened, and to know that you need to understand the subject's boundaries. In the case of HIPAA, the potential subjects of a threat are not only the systems themselves but also the data they contain: the medical code sets, the national payer ID, the national provider ID, the national patient ID, the first report of injury, the enrollment dates and expirations, the treatment plans, and the other unique identifiers (discussed in chapter X).
Attributes that typically mark the boundaries of a system, network, or other type of subject at risk are items that:
- Are under the same administrative jurisdiction
- Have the same mission functions
- Have the same operating systems
- Have the same hardware platforms
- Have the same access control privileges
- Are individual databases
- Reside in the same data center or physical location
If the boundaries are not clearly apparent, delineate and define them explicitly before you start the risk analysis project; an asset whose boundary is ambiguous cannot be reliably assessed.