Security Awareness Blog

Security Awareness Topics - PCI DSS versus HIPAA

I have been working a lot with PCI DSS and HIPAA lately. One thing that has surprised me about these two topics, from a security awareness perspective, is just how similar they are. In the past I've blogged on how most security awareness programs share the same 70% of content. Many of the threats and best practices are the same, regardless of who you are or where you are in the world. One of the key areas where I find awareness programs differ is their data protection policies. What I'm starting to see is that even here, those policies can also be similar.

PCI DSS is an international standard developed by the Payment Card Industry. Any organization that stores, processes or transfers cardholder data must follow this standard. PCI DSS outlines 12 key areas that every organization must follow to protect cardholder data. HIPAA is similar, but instead of credit cards it focuses on patient data (known as Protected Health Information). HIPAA was passed by US Congress and includes regulations on how patient data must be protected. Any health care organization in the United States that handles patient data is required by law to follow these regulations.

Both regulations focus on protecting the privacy and integrity of data, and what surprised me is how similar many of their requirements are. Examples include: using only authorized systems to store or process protected information; sharing it only with those who have a need to know; encrypting information whenever it is transferred; and destroying protected data when it is no longer in use. There are differences (unlike cardholder data, patient data is designed to be shared with others, which makes it more difficult to secure), but I was surprised by how many similarities these regulations share.

What awareness topics do you find to be the most unique for organizations?


Posted September 19, 2010 at 11:41 PM


Hi Lance, good point, once again. The overlap is huge between many of these 'regulatory' systems. When I went to PCI training earlier this year, the instructor kept on stressing the fact that PCI was mostly 'best security practices' and barest minimums in some cases. This was, I imagine, to convince those naysayers that insisted that regulations are a hindrance, not a boon. The range of viewpoints during the two days was staggering.
One thing I am fascinated by, though, is how the extra cost (financial and man hours/thought hours etc.) and complexity of these systems is impacting staff. Is hyper-vigilance a good thing for people? And is it ultimately sustainable? Can their implementation ever be simple enough? Does the necessary complexity lead to more risk or less?

Posted September 19, 2010 at 11:52 PM


Excellent point on your concerns about over burdening people. This is one of my biggest concerns with traditional awareness programs. Many organizations simply cram as many topics as they can, putting no thought into which topics have the greatest return on investment. I firmly believe that awareness programs, just like any other awareness program, should have a risk analysis to determine which key topics have the most ROI, then focus on those topics. By reducing what you teach, not only is it simpler for employees to remember those points (at a lower cost to organizations) but it makes it simpler (and more effective) for you to reinforce those points throughout the rest of the year.
It is definitely an issue, and one that I agree is not discussed enough. Thanks!

Posted September 21, 2010 at 7:27 PM


Hi Lance, definitely agree with regards to the 'a little, often' approach to helping people gain awareness.
Also, getting them to discuss the actual topics is often a way of unearthing some great knowledge from their perspective, which in my mind means that they can disseminate info with each other.
I'm proud to hear people at my company gently admonishing each other about sharing passwords or using their cats' names for passphrases or not securing their personal info.
I like asking people what their concerns are when it comes to security before trying to think about how to get the message across; sometimes, they already have the message, they just don't have practical ways of utilising it. News stories are often a good conversation germination source, especially if they concern FB or other social networking systems, i.e. relevant issues. From there, stepping stones to business issues are usually easier to find.
One final thing, and slightly veering off course, I have to admit that I've been questioning the whole ROI framework that so many things are squeezed into. I keep trying to understand how the metrics for these cost to value ratios are worked out when hidden costs and hidden values are so prevalent. Sometimes I can break down value to a simple "that works." Sometimes I can't. I often think the figures, and the process of showing them, are like some kind of placebo for management. Proving ROI can be very difficult, even for my own work. So much seems to come down to other people's perceptions of my impact. Maybe I'm just really good at skewing their perceptions, haha.
Thanks mate.