The processes and procedures presented in this book are directed at the protection, directly or indirectly, of information that an organization designates as Controlled Unclassified Information (CUI). The word "Unclassified" is used in the context of federal government information systems. For the purpose of this discussion, however, "Unclassified" information is any data deemed sensitive or company-confidential, or whose public disclosure would harm or interfere with normal business or organizational operations.
For example, in healthcare, patient information is considered electronic Protected Health Information (ePHI) under HIPAA and requires protection from unauthorized access or disclosure. In this context patient information is treated as CUI, since the same principles of information security and protection apply.
While the CUI designation does not apply directly to operational systems such as Internet of Things (IoT) devices, the principles of information security and protection still apply, supplemented by additional security requirements for data storage and transmission. The scope of this book is further limited to the cybersecurity and privacy assessment and evaluation of IoT devices used by or for the healthcare sector, as it relates to HIPAA[1] and HITECH[2] requirements for the protection of ePHI. It should be noted, however, that the security requirements outlined for medical IoT (MIoT) devices are applicable to any IoT device.
This book does not address the risk treatment actions necessary for correction or mitigation (i.e., reduce, avoid, accept, or transfer the risk).
[1] Health Insurance Portability and Accountability Act (HIPAA), 1996.
[2] Health Information Technology for Economic and Clinical Health Act (HITECH), 2009.