DotSec - dot com security
A while back, DotSec presented at the National e-Health Privacy and Security Symposium. The paper was entitled "Holistic, or full of holes? PCI, HIPAA and experiences in implementing secure computing systems".
Presentation Abstract
The Payment Card Industry (PCI) Data Security Standard (DSS) v1.1 was released in the US in September, 2006. The PCI DSS is mandated by the PCI Security Standards Council, an industry group which was founded by American Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International. PCI DSS seeks to protect sensitive payment-card information by improving payment account data security. The Health Insurance Portability and Accountability Act (HIPAA) was enacted in the US in 1996, and the Administrative Simplification provisions of HIPAA have a number of aims which include protection of the privacy and security of certain health information. In addition, CFR 45 (Code of Federal Regulations number 45) includes a "Security Rule", which is a set of standards for the protection of sensitive Electronic Personal Health Information (EPHI).
There is no equivalent to HIPAA or CFR 45 in Australia at this time, although it does seem likely that a similar set of standards will eventually be required, if on-line and electronic health records are to be appropriately protected. However, PCI DSS is now mandatory for an increasingly large group of merchants in Australia. Merchants are categorised into various levels (which reflect a general assessment of risk) and must comply with a range of security requirements, where the exact requirements are dictated by the merchant's level. Requirements range from externally managed, detailed, on-site data-security assessments, down to the completion of self-assessment questionnaires.
From an information-security perspective, PCI DSS and CFR 45 have many similar goals and compliance requirements and, although there is no demand for HIPAA-related compliance assessment in Australia, the presenter has helped a number of on-line merchants and payment-providers to achieve their PCI DSS requirements. This presentation describes how PCI DSS compliance requires a holistic approach to IT security, and describes some of the compliance issues (both procedural and technical) that have been encountered "in the field". While using experiences with PCI DSS as examples, the presenter is confident that the lessons learned will be just as applicable to an audience that is focussed on electronic and on-line health security issues.