Identifying HIPAA, PCI & SOX Data for Masking

Working for a company based in the UK (still currently a part of the EU) I had a lot of motivation to learn about the GDPR and what it means for data professionals. Further, the understanding that, through treaties and court precedent, the GDPR can apply to companies around the world also motivated me to learn about the privacy and protection mechanisms that it required.

However, there is privacy and protection much closer to home from the data and security definitions in HIPAA, PCI and SOX. I’ve been doing a bunch of research on all these to better understand how they, along with the GDPR, and a whole slew of new legislation coming from around the world, will impact the database. More specifically, I’ve been trying to understand how best to identify which data we have to protect in order to support shifting left within DevOps.

Protect Which Data?

For any of these laws and regulations, the core can be boiled down to: No production data in non-production environments. Understanding exactly which data you need to protect from these various compliance regimes really can be difficult. PCI is probably the easiest. Personal credit card info. Done. HIPAA is a pretty close second. The Privacy Rule boils it down to Personal Health Information (PHI), which pretty much consists of anything in your medical record along with your payment history. However, if you think about it very long, you’ll quickly start to wonder, exactly what defines both these? SOX is much harder to define, financial information. I’ve found the best definitions in Section 302 and Section 404, but there’s more scattered throughout the legislation. Again, what exactly defines financial data?

If you’re reading my blog, chances are you’re a data professional or a developer. Frankly, you’re not, as I’m not, going to have all the answers here. We are going to have to rely on the business to help us with the majority of these definitions. However, there are going to easily identifiable columns, data types, heck, even constraint definitions, that are going to SCREAM at us “Please mask me before exposing me in non-production environments”. If only there was a way to readily just get at this easy stuff and knock it off the checklist so that we can work with the business and legal teams within our organizations.

We’re Working On It

Redgate Software is on the job. We’re creating a tool for classifying data inside your database so that you can then use that classification to ensure you put appropriate protections in place. Frankly, we’d like your help. Therefore, I’m asking you to check out our initiative. If you can, please take part and help us create this tool. I’m positive it will prove useful with the vast amounts of regulation coming at us these days.

OK, fine, but what do you think?

This site uses Akismet to reduce spam. Learn how your comment data is processed.