Gives a model and a method of categorising automated healthcare information systems in the context of security and privacy. Security means preservation to an acceptable level of data availability, confidentiality, and integrity. A corresponding set of protection recommendations and requirements for each system category specified is given and is appropriate to the level of risks inherent in that category.