
Open the gate a little: strategies to protect and share data

Can you name a more terrifying set of three words in software development than "HIPAA violation fines"? I bet you can't.

We know we must protect access to our information at all costs, but sometimes we need to provide access to our production data for legitimate reasons, and this brings us a dilemma: how to do it while minimizing the risk of data leakage.

In this talk I'll share some strategies that can give you some guidance on when to close the door, when to open the door, and when to open the door to your information a little.

Fernando Perales

May 19, 2022

Transcript

  1. @FerPeralesM #railsconf2022 Open the gate a little: strategies to protect and share data. Fernando Perales
  2. Hi! 👋
    • Fernando (Fer) Perales
    • Perales is Spanish for Pear Trees (🍐🌳🌳🌳)
    • I don’t like pears 🤷
    • From Guadalajara, Mexico 🇲🇽
    • 8 years doing RoR consulting
    • Developer @ thoughtbot #boost
    • Host Ruby MX community
    • 5th RailsConf, 1st as speaker 🥳
    Illustration by instagram.com/@layered_space
  3. You have access to a production server or database
  4. You would feel more comfortable *not* having access to a production server or database
  5. You are comfortable with the security measures your organization takes
  6. You have had a copy of production data on your machine
  7. Someone from your organization has asked you for a copy of production data
  8. You have provided a copy of production data to someone in your organization
  9. You are concerned about copies of production data being in someone’s hands
  10. If you answered yes to at least one, this is the talk for you
  11. What is considered PHI?
    • Name
    • Address (anything smaller than a state)
    • Dates (except years) related to an individual -- birthdate, admission date, etc.
    • Phone number
    • Fax number
    • Email address
    • Social Security Number
    • Medical record number
    • Health plan beneficiary number
    • Account number
    • Certificate or license number
    • Vehicle identifiers, such as serial numbers, license plate numbers
    • Device identifiers and serial numbers
    • Web URL
    • Internet Protocol (IP) address
    • Biometric IDs, such as a fingerprint or voice print
    • Full-face photographs and other photos of identifying characteristics
    • Any other unique identifying characteristic
  12. If the device contained PHI, and you cannot document that the device was encrypted, you will need to follow the requirements of the HIPAA Breach
  13. Am I safe if my app is not health-related?
  14. The nice thing about consulting is that you may work with clients from outside the USA
  15. = You have to worry about local legislation
  16. Federal Law on Protection of Personal Data Held by Individual
  17. Applying masking rules
    Shuffling a column
    Adding noise to a column
  18. ➡ Applying masking rules
    Shuffling a column
    Adding noise to a column
  19. Applying masking rules
    ➡ Shuffling a column
    Adding noise to a column
  20. Applying masking rules
    Shuffling a column
    ➡ Adding noise to a column
  21. Understand the reasons why someone needs data before saying yes or no
  22. If justified, provide only what is needed without risking your users’ information
  23. Regardless of the tool, be careful with the data you have: once out of the server, it’s hard to protect
  24. Thanks! 🤖 P.S. We are hiring in Americas, Europe, Middle East and Africa 🤖 thoughtbot.com/jobs @FerPeralesM [email protected]
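
The three strategies named on slides 17 to 20, sketched in plain Ruby as an added example (not code from the talk or from any tool the speaker used). The rows, column names, masking rules and the 10% noise ratio are constructed assumptions.

```ruby
# Constructed sample rows (not real data); column names are assumptions.
PATIENTS = [
  { id: 1, name: "Ana Lopez",   email: "ana@example.com",   zip: "44100", weight_kg: 61.0 },
  { id: 2, name: "Luis Ortega", email: "luis@example.com",  zip: "44160", weight_kg: 82.5 },
  { id: 3, name: "Marta Ruiz",  email: "marta@example.com", zip: "45050", weight_kg: 70.2 },
  { id: 4, name: "Pedro Diaz",  email: "pedro@example.com", zip: "44600", weight_kg: 95.0 }
].freeze

# Strategy 1: masking rules. Each rule overwrites a direct identifier with a
# synthetic value that keeps the column usable (non-null, right format).
MASKING_RULES = {
  name:  ->(row) { "Patient #{row[:id]}" },
  email: ->(row) { "user#{row[:id]}@example.invalid" }
}.freeze

def apply_masking_rules(rows, rules = MASKING_RULES)
  rows.map { |row| row.merge(rules.transform_values { |rule| rule.call(row) }) }
end

# Strategy 2: shuffle a column. The set of values (and so any count or
# distribution over it) is preserved, but each value moves to another row.
def shuffle_column(rows, column, rng)
  shuffled = rows.map { |row| row[column] }.shuffle(random: rng)
  rows.each_with_index.map { |row, i| row.merge(column => shuffled[i]) }
end

# Strategy 3: add noise. Each numeric value is scaled by a random factor in
# [1 - ratio, 1 + ratio], so aggregates stay close and exact values do not.
def add_noise(rows, column, ratio, rng)
  rows.map do |row|
    factor = 1 + rng.rand(-ratio..ratio)
    row.merge(column => (row[column] * factor).round(1))
  end
end

# Full pipeline. Pass a seed only for repeatable tests; leave it nil for a
# real export so the shuffle and the noise cannot be replayed.
def anonymize(rows, seed: nil)
  rng = seed ? Random.new(seed) : Random.new
  masked = apply_masking_rules(rows)
  shuffled = shuffle_column(masked, :zip, rng)
  add_noise(shuffled, :weight_kg, 0.10, rng)
end

anonymize(PATIENTS).each { |row| puts row.inspect } if __FILE__ == $PROGRAM_NAME
```

Shuffling and noise keep the column's overall distribution, so on a small table or a column with rare values a row may still be re-identifiable; the anonymized copy still deserves the handling slide 23 asks for.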