Doctors' offices, hospitals, and other healthcare organizations deal in sensitive patient information on a daily basis. This sensitive patient information may include, for example, information descriptive of treatment a patient has undergone, payment the patient has made for treatment, and the patient's past, present, and predicted future health. Given the importance and private nature of sensitive patient information, healthcare organizations implement a variety of security measures to both share and protect it. These security measures include both physical security measures and cybersecurity measures. Physical security measures restrict physical access to sensitive patient information and to the equipment that handles it. For example, physical security measures may include file cabinet locks, door locks, and security systems. Cybersecurity measures restrict access to digitized sensitive patient information and to the equipment that handles it. Cybersecurity measures include encrypting sensitive patient information and requiring entry and verification of authentication credentials before a user is granted access to a computer system or network in which sensitive patient information is stored.
The physical security measures and cybersecurity measures employed by healthcare organizations may meet the requirements of any of a variety of information security standards. Examples of these standards include ISO/IEC 15408 as defined by the International Organization for Standardization (ISO), standards defined by regulations promulgated under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and standards defined by regulations promulgated under the Federal Information Security Management Act of 2002 (FISMA). For instance, FISMA provides the legal basis for certain federal government facilities, such as Veterans Administration hospitals, to require that equipment processing sensitive patient information be compliant with the Federal Information Processing Standard (FIPS). To be certified FIPS compliant, equipment that processes sensitive patient information must undergo a rigorous process that ensures the equipment meets the requirements of at least one of the four security levels defined by the FIPS.