Over a million developers have joined DZone.

Identifying HIPPA, PCI, SOX Data for Masking

DZone 's Guide to

Identifying HIPPA, PCI, SOX Data for Masking

Forget the GDPR. Check out this post on tighter security and data definitions in HIPAA, PCI, and SOX. Click here to learn more about how to protect your data.

· Security Zone ·
Free Resource

Working for a company based in the UK (still currently a part of the EU), I had a lot of motivation to learn about the GDPR and what it means for data professionals. Furthermore, the understanding that, through treaties and court precedents, GDPR can apply to companies around the world also motivated me to learn about the privacy and protection mechanisms that it required.

However, there is privacy and protection much closer to home from the data and security definitions in HIPAA, PCI, and SOX. I’ve been doing a bunch of research on all these to better understand how they, along with the GDPR and a whole slew of new legislation coming from around the world, will impact the database. More specifically, I’ve been trying to understand how best to identify the data we have to protect in order to support shifting left within DevOps.

Protect Which Data?

For any of these laws and regulations, the core can be boiled down to no production data in non-production environments. Understanding exactly which data you need to protect from these various compliance regimes really can be difficult. PCI is probably the easiest. Personal credit card info — done. HIPAA is a pretty close second. The Privacy Rule boils it down to Personal Health Information (PHI), which pretty much consists of anything in your medical record along with your payment history. However, if you think about it very long, you’ll quickly start to wonder what defines both these? SOX is much harder to define, dealing primarily with financial information. I’ve found the best definitions in Section 302 and Section 404, but they're more scattered throughout the legislation. Again, what exactly defines financial data?

If you’re reading this post, chances are you’re a data professional or a developer. Frankly, you’re not, as I’m not, going to have all the answers here. We are going to have to rely on the business to help us with the majority of these definitions. However, there are going to be easily identifiable columns, data types, and even constraint definitions that are going to SCREAM at us “please mask me before exposing me in non-production environments.” If only there was a way to readily just get at this easy stuff and knock it off the checklist so that we can work with the business and legal teams within our organizations.

security ,hipaa ,sox data ,masking ,data ,secure ,database

Published at DZone with permission of

Opinions expressed by DZone contributors are their own.

{{ parent.title || parent.header.title}}

{{ parent.tldr }}

{{ parent.urlSource.name }}