Case Study: HIPAA Masking on Oracle & AS400 DB2
This leading health care company works with payers and providers to improve quality and lower costs by managing patient care to the home. In 2016, they generated over $1 billion in revenue and served thousands of members in their homes. Their established IT infrastructure consists of both custom and packaged applications using Oracle and AS400 (i-Series), storing data in DB2 and flat files.
- Client was required to protect patient data in compliance with HIPAA guidelines, but these regulations provided no firm requirements as to how sensitive data attributes should be masked
- Client needed to mask billions of rows of data on the AS400 platform and Oracle databases
- Client discovered that data flagged for masking was inconsistent and often wrong, requiring further sensitive data analysis and training of masking specialists
- Data attributes were being stored in different formats (e.g. all upper case, mixed case, all lower case) but needed to be masked consistently across platforms in the expected case
The Axis Data Privacy Services team was engaged to deliver masking of the in-scope applications in order to meet aggressive deadlines.
Our team accomplished the following:
- Reviewed and streamlined the sensitive data inventories for approval by client application subject matter experts (SMEs)
- Masked personal health information (PHI) identified in all database schemas and files to comply with HIPAA regulations and application requirements
- Used an innovative masking strategy to improve performance and avoid key field limitations on AS400
- Delivered the project on time and within budget, including documentation of best practices and custom job configurations required for the client information security and application teams to support masking moving forward
The Axis Data Services team delivered outstanding results:
- Profiled and masked 301 tables and files with PHI data in various formats including delimited, fixed-width/positional, and Excel
- Masked billions of rows of data across multiple, different technologies
- Met aggressive masking deadline and prevented interruption to client’s test team
- Integrated client’s corporate data security standards with minimal impact on the software development process
- Client extended the engagement to provide additional transition support and masking expertise for other systems
Axis was able to handle masking across heterogeneous environments including the complexity of the AS400 environment as well as the billions of rows of data in the Oracle environment with a single effective and integrated solution.