Being a security practitioner requires you to be intimately familiar with the steps someone could take to protect themselves: you must understand the burden on the user, learn how to communicate those steps effectively, and, most importantly, define the “protection” offered by implementing certain controls (e.g., “Security keys can help which persons to protect what information from which threats in which contexts?”). At this early stage in the course, we don’t expect you to already know every reason why the clinic’s information system is set up in the above manner, but you should be asking yourself why you took certain steps and, perhaps, questioning why or how certain decisions were made.