Using Acceletest to Detect Sensitive Data in Non-Production Environments
It is common practice to replicate production data to lower environments in support of development and testing efforts. While there are several challenges associated with this practice, the biggest is the risk of exposing sensitive data, since lower environments are not typically controlled and governed with the same rigor as production. To identify sensitive data risk exposure in lower environments, Meridian was tasked with auditing a large health insurance organization for the presence of Protected Health Information (PHI) and Personally Identifiable Information (PII) in non-production systems.
Data elements in scope of the audit consisted of PHI identifiers as categorized by the HIPAA Privacy Rule. Meridian Technologies' Acceletest audit engine was configured to uniquely identify an individual and match PHI identifiers between lower and production databases. Matches were performed at the record level on tables as large as 9 billion rows and databases as large as 200 TB. At the conclusion of the audit, Acceletest produced comprehensive results reports of toxic data requiring remediation, and the configurations were automated for reuse at scheduled and ad-hoc intervals to alleviate risk exposure in remediated datasets.
Acceletest confirmed the presence of PHI and PII in non-production environments that required remediation. Due to the exposure risk, Meridian recommended Data Security guidelines and standards to de-identify data using Acceletest in accordance with the Safe Harbor de-identification requirements in §164.514(b) of the HIPAA Privacy Rule, and suggested application-specific obfuscation requirements for lower environment data refreshes. Acceletest reduced the time and effort required to audit our client’s environment by 80% and decreased the risk of a data breach that could have led to financial losses and reputational damage.