**5.1 Example risk assessment frameworks**

Currently, assessment frameworks are entirely intra-organization. In addition, accessing patient databases is impossible—luckily—in the USA due to HIPAA. That said, NIST has guidance on developing an actual risk-assessment process [14]. However, NIST 800–30, as seen in **Figure 5**, does not actually specify threat source, threat event, actual vulnerabilities, or impact. The actual language used to describe these components is entirely left up to each organization to develop. Even worse, each risk assessor on the team may, in fact, describe these components differently (i.e., use entirely different words). In such cases, making any kind of accurate meta-analysis about the organizational risk is entirely impossible. Therefore, we argue that risk assessment frameworks need a standardized library to describe the identified risk.
