Problem
Protecting Patient Health Information (PHI) is a critical requirement for Database Teams at healthcare organizations. Their fiduciary responsibility is to protect the patients they serve, meeting Health Insurance Portability and Accountability Act (HIPAA) regulations and the stringent expectations of their business partners. This is often further complicated by internal business requirements to maintain a realistic development and test environment for future product development. Achieving this level of compliance and agility to support the business has been a daunting task for a handful of SQL Server Database Professionals at a U.S. healthcare organization supporting 50+ databases totaling 7 TB of data in their environment. How do they properly protect and enable the business to achieve new goals?
Solution
As a healthcare organization responsible for shipping medications nationwide, whether pain medication or specialty drugs relevant to specific diagnoses, they assist nurses and facilities with medication management across the United States to best support their patients in their time of need.
With thousands of records pouring into their databases per minute, the data volume has grown to more than 7 TB across 50 databases in each of their Production, Test, and Development SQL Server environments. With the volume of highly sensitive PHI data, there are numerous challenges. This data is managed and secured by a “very small team to support a large data environment,” according to the Database Manager at one particular healthcare organization.
Let’s learn how this team addresses HIPAA requirements related to protecting medical records, PHI, and business partner requirements, balanced with internal product development needs.
Data Protection
When it comes to data protection, the Database Manager is quick to comment that “health care data is sensitive and cannot be compromised. The stakes are too large for any data loss or a data breach.” He has emphasized this to his team over the last 10 years of his tenure. He continues, “We need to protect the data from the internal world and external world…we have to be very, very careful about how we use patient information.” As a best practice, this organization separates its network into the PHI Zone and Lower Life Cycle, which limits access to sensitive resources. But, as data professionals, they realize “[my team] needs to protect clients and organizations [and] abide by the law.”
With a solid set of security and access controls in their Production environment, the IT department meets those needs. Challenges that arise for the Database team are related to:
- Protecting 50+ SQL Server databases totaling 7 TB of data for both Test and Development environments.
- Incrementally loading data on-demand expeditiously to support internal product development.
- Obfuscating data from Production to Test and Development environments.
- Ensuring that the Test and Development data is meaningful and representative for troubleshooting and new product development.
- Having the agility to support unexpected requests and short timelines to enable the Developers to meet application requirements.
- Automating the data masking process with the realization that the environment changes regularly, and the small team has numerous responsibilities.
- Identifying PHI and obfuscating it as the database environment changes.
The Database team knows the criticality of these challenges – “[Our business partners] will not do business with us if we are not compliant.”
So, how does the Database team meet and exceed these expectations?
DataVeil Data Masking
Over seven years ago, the Database Manager started with a free trial of DataVeil, and as he said, “The rest has been history.” DataVeil is a data obfuscation solution with a tremendous amount of functionality and flexibility, enabling the Database team to successfully meet a stringent set of requirements.
First, DataVeil obfuscates the data so that it remains contextually correct. Its deterministic feature keeps the masked data consistent across databases. According to one Developer, “We know if we change a person’s name in one database, that person’s name will be changed correctly across all databases.” Further, the Database team configured the DataVeil projects so that a change to a name, address, SSN, medications, diseases, facilities, etc., is made in a contextually useful manner while also protecting the data, i.e., it cannot be deciphered. This is imperative to balance troubleshooting, debugging, query tuning, and more with HIPAA, PHI, and business partner requirements.
Second, automation is a key factor for the small Database team to support business needs. They use DataVeil’s XML-based project files, which the DBAs and Developers have leveraged to build projects dynamically. They do so by reading the SQL Server metadata to identify HIPAA-protected data and push changes to the Development and Test environments. One DBA mentioned, “If the DataVeil Project files had been encoded, this would not have been possible.” To take things a step further, DBAs build the XML-based DataVeil Project files in batches, then execute them unattended for considerable time savings and flexibility. IT Project Management notes, “A lot of time, care, and collaboration among this talented team has made a significant impact to the organization.”
Third, the Database Manager has stressed that “…bring[ing] in fresh data with a large dataset is very difficult.” Due to time constraints, it is not possible to quickly perform a complete environment refresh of 7 TB of data. The Database Team opts for incremental refreshes, where data is loaded into a Staging area in the PHI Zone and then obfuscated before it is loaded into the Development or Test environments. This methodology provides the team with on-demand support for current data loading. Once again, based on DataVeil’s deterministic feature and XML-based project files, the Database Team is able to obfuscate the data in a meaningful way across all databases and automate the process.
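The following is an added example, not DataVeil's implementation and not code from the organization described: keyed hashing (HMAC) is one common way to get the cross-database consistency described under "First" and relied on for the incremental refreshes under "Third". The function names, replacement pool, sample rows and key are all constructed for illustration.

```python
import hashlib
import hmac
import re

# Constructed replacement pool; a real one would be far larger.
SURNAMES = ["Alder", "Birch", "Cedar", "Dale", "Elm", "Frost", "Grove", "Hale"]
SSN_FORMAT = re.compile(r"^\d{3}-\d{2}-\d{4}$")


def _digest(key: bytes, domain: str, value: str) -> bytes:
    """Keyed digest of a normalised value; `domain` keeps column types apart."""
    norm = " ".join(value.split()).casefold()
    return hmac.new(key, f"{domain}\x00{norm}".encode(), hashlib.sha256).digest()


def mask_surname(key: bytes, surname: str) -> str:
    """Same surname + same key -> same replacement (many-to-one is acceptable)."""
    idx = int.from_bytes(_digest(key, "surname", surname)[:8], "big") % len(SURNAMES)
    return SURNAMES[idx]


def mask_ssn(key: bytes, ssn: str) -> str:
    """Keep the NNN-NN-NNNN shape so format checks in test code still pass."""
    digits = "".join(c for c in ssn if c.isdigit())
    n = int.from_bytes(_digest(key, "ssn", digits)[:8], "big") % 10**9
    d = f"{n:09d}"
    return f"{d[:3]}-{d[3:5]}-{d[5:]}"


def mask_rows(key: bytes, rows: list) -> list:
    """Mask the PHI columns of each row, leaving join keys untouched."""
    return [{**r, "surname": mask_surname(key, r["surname"]),
             "ssn": mask_ssn(key, r["ssn"])} for r in rows]


# Constructed rows: the same patient in two databases, then in a later increment.
PHARMACY_DB = [{"patient_id": 1, "surname": "Rivera", "ssn": "123-45-6789"}]
BILLING_DB = [{"account": "A-17", "surname": "RIVERA ", "ssn": "123456789"}]
INCREMENT = [{"patient_id": 1, "surname": "Rivera", "ssn": "123-45-6789"}]
DEMO_KEY = b"constructed-demo-key"  # assumption: real key stays in the PHI Zone

if __name__ == "__main__":
    for name, rows in [("pharmacy", PHARMACY_DB), ("billing", BILLING_DB),
                       ("increment", INCREMENT)]:
        print(name, mask_rows(DEMO_KEY, rows))
```

Because the output depends only on the key and the normalised input, a row masked in a later incremental load matches rows masked earlier; changing the key changes every masked value, so all environments would then need re-masking together.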
Conclusion
For more than seven years, DataVeil has been a core technology for the Database Team at an industry-leading healthcare organization to meet HIPAA compliance, partner requirements, and business needs for new application functionality. The organization is committed to protecting sensitive patient and facility data. The Database Manager is proud to say, “Patients and clients are happy. We are able to abide by the law and save a lot of time and money with DataVeil.”
If your organization is facing regulatory compliance, needing to protect PHI, or experiencing a cumbersome lower life cycle database refresh process, consider DataVeil as a solution to help meet these needs and more.
Next Steps
- To get started with DataVeil, visit Registration.
- Review the DataVeil User Guide.
- Download the DataVeil Community Edition.
- DataVeil Pricing.
- Learn more about DataVeil’s functionality – SQL Server Static Data Masking with DataVeil.

Jeremy Kadlec is a Founder, Editor and Author at MSSQLTips.com with more than 300 contributions and 25+ years of SQL Server experience. Jeremy leads a team of more than 300 authors helping millions of SQL Server professionals around the globe every second of the day for the last 20 years. He is also the CTO @ Edgewood Solutions and a six-time SQL Server MVP based on his community contributions. Jeremy brings 25+ years of SQL Server DBA and Developer knowledge to the community and holds a bachelor’s degree from SSU and master’s degree from UMBC.


