PII and PHI Overview: What CISSPs Need to Know

May 12, 2017 by Aroosa Ashraf

As per the federal government, organizations need to identify Personally Identifiable Information (PII) as well as Protected Health Information (PHI) for different reasons and handle them in a secure manner. Any unauthorized access or release of such information could result in severe consequences for the individuals whose data has been compromised. Moreover, as the government has a responsibility to safeguard this important information, it enacts and enforces legislation that regulates the usage of PII and PHI.

Understanding the importance and value of this data is the first step in keeping it safe. Unauthorized access to PII or PHI can be harmful for both individuals and organizations. It is the duty of CISSP professionals to take the necessary steps to keep PII and PHI safe and secure from any external or internal threat.

Personally Identifiable Information (PII)

Personally Identifiable Information is any information that can be used for the purpose of identifying, locating or contacting any specific individual, either combined with other easily accessible sources or by itself.

PII can include data linked to any individual through medical, employment, financial, or educational records. Data elements that might be used to identify a specific individual include a name, email address, biometric data, telephone number, fingerprints or social security number.

Federal agencies have the responsibility of safeguarding any sensitive information, including the PII of an individual. CISSP professionals should therefore give key importance to keeping this data safe.

Protected Health Information (PHI)

Protected Health Information is any information related to the health status, health care provision or health care payment that can further be linked to any specific individual. However, PHI is rather broadly interpreted and includes any sort of medical payment history or records of a patient.

Recently, it has become more and more important to protect PII, although society has relied on it for so long without any major safety issue. The current problem of protecting PII arose mainly because of the increased incidence of hacking attacks. With technological advancements and the use of computers, the protection of PII has become essential for every organization. Many important laws have been implemented in different forms to protect PII, such as FCRA, HIPAA, GLBA, Privacy Act, COPPA, and FERPA.

These laws are used as a vital means to attempt to ensure that organizations are restricted in sharing sensitive personal information with any third party. They further need to provide the necessary requirements to protect PHI in the most appropriate manner. CISSP professionals have to understand and safeguard the PHI of individuals against cyber attacks in related organizations where this data may be stored by the individuals for their own interest.

PII Examples and Why CISSPs Have a Role to Play

It is a profitable option to collect and sell PII on a legal basis, but unfortunately, PII is often exploited by criminals or malicious people wanting to steal the identity of a person or to commit crimes. As per FBI statistics, identity theft is considered one of the fastest growing offenses in the US, having the capacity to cause significant financial, as well as emotional, damage to victims. Many governments, therefore, have created legislation to limit the distribution of personal information because of the threat imposed. Some examples of PII include:

  • PII includes an identification number of any individual, including credit card number, passport number, driving license number, patient identification number or social security number.
  • PII also includes the name of individuals, including mother’s maiden name, any alias used or their own maiden name.
  • Asset information, like IP or MAC address, and other static identifiers that might link a specific individual consistently are also considered in PII.
  • Address information, such as telephone numbers (business or personal), street addresses, and e-mail addresses fall under PII.
  • Personal or biological characteristics, including retina scans, fingerprints, distinguishing feature images, voice signature, x-rays, or face geometry come under PII.
  • Moreover, personal information such as geographical indicators, date of birth, place of birth, activities, religion, financial, medical or educational, is considered PII.

An individual’s identity becomes vulnerable under certain circumstances when one or more pieces of the above mentioned easily-accessible information are brought together, even though they may seem to be harmless if they remain by themselves. This is where CISSPs need to come forward in protecting this sensitive data.

Protected Health Information (PHI) Examples and the Role of CISSPs

The Health Insurance Portability and Accountability Act (HIPAA) requires the adoption of certain security regulations for the protection of personal health information. Usually, PHI is considered to be any information related to health that can be identified individually and produced or received by health care providers including health plan operators and health clearing houses.

PHI may be related to the present, past or future health of an individual, either in physical or mental terms. PHI may also include the current condition of an individual regarding health. In general, PHI can be utilized for the identification of any specific individual. Additionally, it refers to information which is maintained or transmitted in any given form, such as electronic, paper or speech.

However, PHI does not refer to education records, which are covered by FERPA, the Family Educational Rights and Privacy Act. It also does not refer to records of employment maintained by any employer. The PHI regulations classically refer to a variety of different fields that can usually be used to identify an individual. These include:

  • Names
  • Every date linked directly to a person, such as date of birth, discharge date, date of death, and administration
  • Fax and telephone numbers
  • Email and street addresses (including geographic subdivisions such as country and zip codes)
  • Medical records, health plan beneficiary, certificate, social security and account numbers
  • Vehicle, biometric, voice, and fingerprint identifiers
  • Photographic images of recognizable features and the full face
  • Any other unique number, code or characteristic that may be helpful to recognize a person

CISSP professionals should therefore place emphasis on keeping this data safe. This is covered in Asset Security of Domain II in the CISSP exam.

Different Ways CISSPs Can Keep PII and PHI Safe against Malicious Attacks

Security baselines and their uses

A “Security Baseline” is a set of basic security features which must be completed by any given system or service. These features or objectives do not involve technical measures and are chosen to be complete and pragmatic. Thus, there should be a separate “Security Implementation Document” having the details of how different security objectives can be fulfilled through any specific service or system. These details usually depend on the operating environment the service or system is deployed into. Further, it may use and apply relevant security measures creatively. Baseline derogations are quite possible and expected. Any derogation should be marked explicitly.

Scoping, on the other hand, is an ongoing assessment system of any situation, which is generally carried out through discussion, consultations, and monitoring.

Tailoring is adapting needs or specifications as per the current operational requirements through supplementation, modification and/or deletion without deviating from the norms.

Data ownership

The act of having total control and legal rights over any single piece or set of data elements is known as data ownership. It defines and gives information regarding the rightful owner of any specific data asset and the policy of its use, acquisition, and distribution implemented by the owner of the data.

Data remanence

The residual representation of digital data that remains even after attempts to remove or erase it is known as data remanence.

Collection limitation

The use of privacy frameworks may be thought of as tools to help you think regarding data privacy and help frame the discussions on privacy to understand its requirements.

There is a forum for “countries committed to democracy and the market economy” called The Organization for Economic Co-operation and Development (OECD). The motto of the organization is to provide a setting for governments to compare experiences of policies to have the answers to common problems and identify best practices by coordinating different international and domestic policies.

The OECD Privacy Principles provide the privacy framework that is most commonly used internationally. They are reflected in emerging as well as existing laws on privacy and data protection, thereby serving as the basis for the production of top practice privacy programs and other additional principles.

The Privacy Principles: What CISSPs Must Know

The privacy principles, according to Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data, are as follows:

Collection Limitation Principle

There have to be limits on personal data collection, and any such information must be obtained through fair and lawful means. Further, where appropriate, the data should be obtained with the consent or knowledge of the data subject.

Data Quality Principle

Any personal data obtained have to be pertinent to the purposes of their use, and only to the extent essential for those purposes. The data used must be complete, accurate, and kept up-to-date.

Purpose Specification Principle

The purposes for which personal data are collected have to be specified not later than at the time of collection and at the time of every subsequent use. Moreover, use is limited to the fulfillment of the purposes for which the data were collected, or to purposes that are not incompatible with them when there is a change in the purposes.

Use Limitation Principle

Personal data cannot be made available, disclosed, or otherwise used for purposes other than those in accordance with the laws and the consent of the data subject.

Security Safeguards Principle

Personal data have to be protected against potential risks such as unauthorized access, use, modification, distribution, and disclosure or loss by implementing reasonable security safeguards.

Openness Principle

There must be a general openness policy regarding practices and developments with respect to personal information. There should be readily available means to establish the nature and existence of personal information, the key purposes of their use, and the identity and usual residential address of the data controller.

Individual Participation Principle

Every individual must have the following rights:

  a. Of obtaining information from the data controller, and confirming whether the data controller has any information relating to him;
  b. Of having data relating to him communicated by the data controller:
    i. Within a practical time;
    ii. At a charge (not excessive);
    iii. In a reasonable way; and
    iv. In a readily intelligible form;
  c. Of being given reasons if a request made under the above-mentioned subparagraphs (a) and (b) is denied, and of being able to challenge such denial;
  d. Of challenging data relating to him and having the data amended, completed, rectified or erased if the challenge is successful.

Accountability Principle

Every data controller has to be accountable to comply with the measures giving effect to the above-stated principles.



Articles Author
Aroosa Ashraf

Aroosa Ashraf is a trained and registered pharmacist from the Government College University of Faisalabad (GCUF). She completed her graduation in 2013. She is an experienced researcher and technical writer, and for the last 4 years she has been working as a writer on different platforms. Currently, she is writing many technical and non-technical articles for her national and international clients.