
Implementing the NIST Cybersecurity Framework in Healthcare


Securance has more than two decades of experience helping organizations combat evolved cyber threats, build effective risk management programs, align with compliance standards, and increase operational efficiency. Our comprehensive approach integrates proven methodologies, dependable expertise, and each customer’s unique requirements to maximize the benefits and long-term value of each assessment.

INTRODUCTION

Healthcare is a heavily regulated industry, with state, local, and federal mandates, such as the Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health (HITECH), setting specific standards to protect the privacy and security of physical and electronic protected health information (PHI). The problem with HIPAA is that, while it tells healthcare providers what they should comply with, it doesn’t tell them how. To adequately protect data, organizations must put effective information security measures in place, a process made easier by following a trusted security framework like the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF). This set of standards provides a cohesive framework and starting point for organizations to implement information security controls covering user access, infrastructure, and physical security, making compliance initiatives much easier to understand and prioritize.

The NIST CSF is not a standalone framework. It is designed to be paired with other frameworks, such as ISO/IEC 27000, COBIT 5, ANSI/ISA 62443, and NIST SP 800-53.
