It is important to understand the boundaries of the asset you are trying to protect. Where does it begin and where does it end? You cannot calculate the threat to an asset, either quantitatively or qualitatively, until you have determined what specifically is the subject of the threat. In other words, you need to know what is being threatened, and to know that you need to understand the subject's boundaries. In the case of HIPAA, aside from the systems they reside on, the data contained within those systems are all potential subjects of threats: the medical code sets, the national payer ID, the national provider ID, the national patient ID, the first report of injury, the enrollment dates and expirations, the treatment plans, and the other unique identifiers (discussed in chapter X).
Attributes that typically mark the boundaries of a system, network, or other type of subject at risk are items that:
Are under the same administrative jurisdictions
Have the same mission functions
Have the same operating systems
Have the same hardware platforms
Have the same access control privileges
Are individual databases
Reside in the same data center or physical location
If boundaries are not clearly apparent, you will want to delineate and define them clearly before you start your risk analysis project.
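As an added illustration of how the boundary attributes above can be applied to an asset inventory (this is example code written for this page, not part of the original text), the following script groups assets into risk-analysis boundaries by the listed attributes and then reports which HIPAA data elements appear in more than one boundary. The inventory, the asset names and the attribute values are all constructed for the example; a data element that spans several boundaries is exactly the case where the subject of a threat is not yet clearly delineated and must be scoped before the analysis starts.

```python
"""Asset-boundary scoping helper (constructed example).

Groups an inventory into risk-analysis boundaries using the attributes
named in the text and reports data elements that span more than one
boundary, since a threat to such an element cannot be scored until the
analyst decides which boundary is the subject.
"""
from collections import defaultdict
from dataclasses import dataclass

# Attributes that, when shared, place assets inside one boundary (from the text).
BOUNDARY_KEYS = (
    "admin_jurisdiction",
    "mission_function",
    "operating_system",
    "hardware_platform",
    "access_control_domain",
    "location",
)


@dataclass(frozen=True)
class Asset:
    name: str
    admin_jurisdiction: str
    mission_function: str
    operating_system: str
    hardware_platform: str
    access_control_domain: str
    location: str
    data_elements: frozenset  # HIPAA data elements held on the asset


def boundary_key(asset: Asset, keys=BOUNDARY_KEYS) -> tuple:
    """Tuple of boundary attributes; assets with equal keys share a boundary."""
    return tuple(getattr(asset, k) for k in keys)


def partition_assets(assets, keys=BOUNDARY_KEYS) -> dict:
    """Map each boundary key to the list of assets inside that boundary."""
    groups = defaultdict(list)
    for asset in assets:
        groups[boundary_key(asset, keys)].append(asset)
    return dict(groups)


def data_per_boundary(assets, keys=BOUNDARY_KEYS) -> dict:
    """Map each boundary key to the union of data elements it holds."""
    return {
        key: frozenset().union(*(a.data_elements for a in group))
        for key, group in partition_assets(assets, keys).items()
    }


def cross_boundary_data(assets, keys=BOUNDARY_KEYS) -> dict:
    """Data elements present in more than one boundary, with the boundaries
    they appear in. These are the subjects whose scope is still unclear."""
    seen = defaultdict(set)
    for key, elements in data_per_boundary(assets, keys).items():
        for element in elements:
            seen[element].add(key)
    return {e: sorted(k) for e, k in seen.items() if len(k) > 1}


# Constructed inventory: hypothetical names and attribute values, not real systems.
INVENTORY = [
    Asset("ehr-db-01", "Clinical IT", "patient records", "Linux", "x86 server",
          "clinical-staff", "DC-A",
          frozenset({"national patient ID", "treatment plans", "medical code sets"})),
    Asset("ehr-db-02", "Clinical IT", "patient records", "Linux", "x86 server",
          "clinical-staff", "DC-A",
          frozenset({"national patient ID", "enrollment dates and expirations"})),
    Asset("claims-app", "Billing", "claims processing", "Windows", "x86 server",
          "billing-staff", "DC-A",
          frozenset({"national payer ID", "national provider ID", "national patient ID"})),
    Asset("injury-share", "HR", "injury reporting", "Windows", "NAS",
          "hr-staff", "branch office",
          frozenset({"first report of injury", "national patient ID"})),
]


if __name__ == "__main__":
    for key, group in partition_assets(INVENTORY).items():
        print("Boundary", key, "->", [a.name for a in group])
    for element, boundaries in cross_boundary_data(INVENTORY).items():
        print(f"'{element}' spans {len(boundaries)} boundaries; scope it before analysis")
```

Running the script on the constructed inventory yields three boundaries (the two EHR databases share every attribute and collapse into one) and flags only the national patient ID as spanning all three, so the analyst knows that a threat to that identifier has to be assessed separately per boundary rather than once for "the organisation".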