Submitted on May 30, 2003
Accepted on September 21, 2004
Affiliation of the authors: 1 ISIS Center, Department of Radiology, Georgetown University, Washington, D.C.
* To whom correspondence should be addressed.
This project used a tailored version of OCTAVE℠, a self-directed information security risk assessment method, to design a teleradiology system that complied with the regulation implementing the security provisions of the Health Insurance Portability and Accountability Act (HIPAA) of 1996 and protected against threats and vulnerabilities to the privacy and security of protected health information. By using OCTAVE℠, Georgetown identified the teleradiology program's critical assets, described threats to the assurance of those assets, developed and ran vulnerability scans of a system pilot, evaluated the consequences of security breaches, and developed a risk management plan to mitigate threats to program assets and implement good information assurance practices. This case study illustrates a basic point: prospective, comprehensive planning to protect the privacy and security of an information system strategically benefits program management as well as system security.