Imagine you're the Information Security Manager for a healthcare organization. The company is evaluating the adoption of a new cloud-based patient record system. Which of the following criteria would be the most crucial when determining the security robustness of this new system?