Identifying HIPPA, PCI, SOX Data for Masking

However, there is privacy and protection much closer to home from the data and security definitions in HIPAA, PCI, and SOX. I’ve been doing a bunch of research on all these to better understand how they, along with the GDPR and a whole slew of new legislation coming from around the world, will impact the database. More specifically, I’ve been trying to understand how best to identify the data we have to protect in order to support shifting left within DevOps.

Protect Which Data?

For any of these laws and regulations, the core can be boiled down to no production data in non-production environments. Understanding exactly which data you need to protect from these various compliance regimes really can be difficult. PCI is probably the easiest. Personal credit card info — done. HIPAA is a pretty close second. The Privacy Rule boils it down to Personal Health Information (PHI), which pretty much consists of anything in your medical record along with your payment history. However, if you think about it very long, you’ll quickly start to wonder what defines both these? SOX is much harder to define, dealing primarily with financial information. I’ve found the best definitions in Section 302 and Section 404, but they're more scattered throughout the legislation. Again, what exactly defines financial data?

If you’re reading this post, chances are you’re a data professional or a developer. Frankly, you’re not, as I’m not, going to have all the answers here. We are going to have to rely on the business to help us with the majority of these definitions. However, there are going to be easily identifiable columns, data types, and even constraint definitions that are going to SCREAM at us “please mask me before exposing me in non-production environments.” If only there was a way to readily just get at this easy stuff and knock it off the checklist so that we can work with the business and legal teams within our organizations.