Identifying HIPAA, PCI, SOX Data for Masking

Forget the GDPR. Check out this post on tighter security and data definitions in HIPAA, PCI, and SOX. Click here to learn more about how to protect your data.

By Grant Fritchey · Aug. 09, 18 · Analysis

Working for a company based in the UK (still currently a part of the EU), I had a lot of motivation to learn about the GDPR and what it means for data professionals. Furthermore, the understanding that the GDPR's territorial scope (Article 3) reaches companies outside the EU that process EU residents' data also motivated me to learn about the privacy and protection mechanisms it requires.

However, there are privacy and protection requirements much closer to home in the data and security definitions of HIPAA, PCI DSS, and SOX. I've been doing a bunch of research on all of these to better understand how they, along with the GDPR and a whole slew of new legislation coming from around the world, will impact the database. More specifically, I've been trying to understand how best to identify the data we have to protect in order to support shifting left within DevOps.

Protect Which Data?

For any of these laws and regulations, the core can be boiled down to one rule: no production data in non-production environments. Understanding exactly which data you need to protect under each compliance regime, though, can be difficult. PCI DSS is probably the easiest. It scopes cardholder data (above all the primary account number, plus the cardholder name, expiration date, and service code) and sensitive authentication data (full track data, the card verification code, and PINs), and the latter must never be stored after authorization at all. HIPAA is a pretty close second. The Privacy Rule boils it down to Protected Health Information (PHI): individually identifiable health information, which is pretty much anything in your medical record along with the payment history for that care. However, if you think about either of these for very long, you'll quickly start to wonder where the boundaries are. SOX is much harder to define, dealing primarily with financial reporting. I've found the most useful definitions in Section 302 (corporate responsibility for financial reports) and Section 404 (management assessment of internal controls), but the requirements are scattered throughout the legislation. Again, what exactly defines financial data?

If you’re reading this post, chances are you’re a data professional or a developer. Frankly, neither you nor I is going to have all the answers here. We are going to have to rely on the business to help us with the majority of these definitions. However, there are going to be easily identifiable columns, data types, and even constraint definitions that SCREAM at us “please mask me before exposing me in non-production environments.” If only there were a way to readily get at this easy stuff and knock it off the checklist, so that we can work with the business and legal teams within our organizations on the rest.
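As an added example (not code from the original post), here is a small Python scanner for exactly the "easy stuff" described above: it walks a schema description that carries a few sampled values per column and flags masking candidates two ways, by column name (PCI, HIPAA and generic PII patterns) and by content (a Luhn check for card numbers, plus SSN and e-mail shapes). The schema, table and column names are constructed for illustration, and the name patterns are assumptions meant to be tuned; a real run would fill the structure from INFORMATION_SCHEMA plus a handful of sampled rows. It deliberately attempts no SOX financial-data classification, which is the part the business has to define.

```python
"""Added example: scan a schema description for obvious masking candidates.

Not from the original article. SAMPLE_SCHEMA is constructed for
illustration; a real run would populate the same structure from
INFORMATION_SCHEMA.COLUMNS plus a few sampled rows per column. Only the
"easy" PCI/HIPAA/PII signals are covered; SOX financial data is left to the
business to define.
"""
import re

# Column-name heuristics (assumed patterns). They are intentionally broad and
# will produce false positives: the output is a review list, not a verdict.
NAME_PATTERNS = {
    "PCI": re.compile(r"card|cvv|cvc|expir|track", re.I),
    "HIPAA": re.compile(r"ssn|social|dob|birth|diagnos|icd|mrn|patient|insur|prescri", re.I),
    "PII": re.compile(r"name|email|phone|address|zip|postal", re.I),
}

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SEPARATORS_RE = re.compile(r"[\s-]")


def luhn_ok(value):
    """Luhn mod-10 check over 13-19 digits, the length range of card PANs."""
    digits = [int(c) for c in str(value) if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def looks_like_pan(text):
    """Digits only (after stripping spaces/hyphens) and Luhn-valid."""
    stripped = SEPARATORS_RE.sub("", text)
    return stripped.isdigit() and luhn_ok(stripped)


def _mostly(predicate, samples, threshold=0.8):
    """True when at least `threshold` of the non-empty samples match."""
    values = [str(v) for v in samples if v not in (None, "")]
    if not values:
        return False
    return sum(1 for v in values if predicate(v)) / len(values) >= threshold


def content_reasons(samples):
    """Content-based signals, independent of how the column is named."""
    reasons = []
    if _mostly(looks_like_pan, samples):
        reasons.append("content: Luhn-valid card numbers")
    if _mostly(lambda v: bool(SSN_RE.match(v)), samples):
        reasons.append("content: SSN-shaped values")
    if _mostly(lambda v: bool(EMAIL_RE.match(v)), samples):
        reasons.append("content: e-mail addresses")
    return reasons


def find_masking_candidates(schema):
    """schema: {table: [{"name": str, "data_type": str, "samples": [...]}, ...]}
    Returns (table, column, reasons) for every column with at least one signal."""
    findings = []
    for table, columns in schema.items():
        for col in columns:
            reasons = []
            for regime, rx in NAME_PATTERNS.items():
                if rx.search(col["name"]):
                    reasons.append(f"name: {regime} pattern")
                    break
            reasons += content_reasons(col.get("samples", []))
            if reasons:
                findings.append((table, col["name"], "; ".join(reasons)))
    return findings


SAMPLE_SCHEMA = {  # constructed sample, not real data
    "Patients": [
        {"name": "PatientID", "data_type": "int", "samples": [1001, 1002]},
        {"name": "FullName", "data_type": "nvarchar", "samples": ["A. Example", "B. Example"]},
        {"name": "SSN", "data_type": "char", "samples": ["123-45-6789", "987-65-4321"]},
        {"name": "DiagnosisCode", "data_type": "varchar", "samples": ["E11.9", "I10"]},
    ],
    "Payments": [
        {"name": "PaymentID", "data_type": "int", "samples": [1, 2]},
        # Innocuous name, but the content is a PAN: a name-only scan misses it.
        {"name": "AcctRef", "data_type": "varchar",
         "samples": ["4111111111111111", "5555 5555 5555 4444"]},
        {"name": "Amount", "data_type": "money", "samples": [19.99, 250.0]},
    ],
    "Inventory": [
        {"name": "SKU", "data_type": "varchar", "samples": ["ABC-123", "XYZ-9"]},
        {"name": "QtyOnHand", "data_type": "int", "samples": [10, 20]},
    ],
}

if __name__ == "__main__":
    for table, column, reasons in find_masking_candidates(SAMPLE_SCHEMA):
        print(f"{table}.{column}: {reasons}")
```

The two signal types are kept separate on purpose: name patterns are cheap and catch the columns that were labelled honestly, while the content check catches the `AcctRef`-style column that a name-only scan sails past. Anything this flags still goes to the business and legal teams for a decision; anything it does not flag is not thereby cleared.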

Published at DZone with permission of Grant Fritchey, DZone MVB. See the original article here.
