Defines a methodology for defining, selecting and expressing a communication protection profile (CPP) specification, and provides a standard way to express healthcare user needs in relation to communication, and a standard method of successive refinement of policy statements that help to identify standardised security implementation specification that can be used to meet the security needs.